File: blk00281.txt
ASCRIBESPOOLREGISTER Mined by AntPool bj5 u=https://cpr.sm/bgSYRXFgGT u=https://cpr.sm/5KeCHU_E2k u=https://cpr.sm/5KeCHU_E2k u=https://cpr.sm/5KeCHU_E2k u=https://cpr.sm/5KeCHU_E2k u=https://cpr.sm/5KeCHU_E2kP u=https://cpr.sm/5KeCHU_E2k u=https://cpr.sm/5KeCHU_E2k u=https://cpr.sm/5KeCHU_E2k u=https://cpr.sm/5KeCHU_E2k u=https://cpr.sm/5KeCHU_E2kH u=http%3A%2F%2Fbit.ly%2F1drFy5R u=http%3A%2F%2Fbit.ly%2F1QmE9zu u=http%3A%2F%2Fbit.ly%2F1drFy5R u=https://cpr.sm/5KeCHU_E2k u=https://cpr.sm/5KeCHU_E2kx u=https://cpr.sm/5KeCHU_E2k u=https://cpr.sm/5KeCHU_E2k Lgu=http%3A%2F%2Fbit.ly%2F1QcNaes&sha256=bb2937664e5da32422408dd50956d16a35555d6527909e5e93375136f8e8466euR! Mined by AntPool usa1 9BTCChina Pool | jsyzgaoyou: u=https://cpr.sm/XTu3tJFLic u=https://cpr.sm/nfedCIYrV0 Mined by AntPool sc182 Who is Variety Jones? 22:45 < warren> jgarzik: if you aren't near one of the consulates there are some companies that will charge you money to do it... 22:47 < HM3> gmaxwell, the schnorr construction is just cleaner algebraically, and I like that you can't do public key recovery 22:48 < gmaxwell> ::shrugs:: Not really more than anything else that does the same thing, and its compatible. 22:48 < gmaxwell> HM3: yea, sure, I like schnorr too, but randomness isn't an argument for it. 22:49 < HM3> the lack of a need for a perfect RNG during signing is 22:50 < gmaxwell> HM3: DSA and Schnorr are the same in that regard. You derandomize them both under the same method 22:50 < HM3> sure but schnorr requires that construction to work 22:51 < gmaxwell> HM3: no they don't, go look at the schnorr patent. It's described using a random k. 22:52 < HM3> no I mean Schnorr is H(m||rG) and during verification you have to compute the candidate rG and recalculate H(m||rG) 22:52 < warren> "go look at the * patent" told to another engineer is wise? 22:53 < HM3> in DSA you just check, if i remember correctly, that sG is correct 22:53 < gmaxwell> warren: it's expired. 
Also, you need to go turn in your JD if you think it's not, see in re seagate. :) 22:54 < gmaxwell> (otherwise my response would have been "forget about it, it's patented") 22:55 < HM3> anyway. keeping DSA has no more merit than replacing it if you you plan on breaking compatibility anyway. but it's a fair point that you can derandomize DSA if you don't 22:55 < jgarzik> warren, yep, like Travisa ;p 22:55 < jgarzik> warren, communist state was never destined to make life easy and efficient 22:55 < warren> jgarzik: oh, they do F visas? didn't see that option 22:56 < warren> jgarzik: I like how easy and efficient things are here. 22:57 < gmaxwell> HM3: hm, why do you say that recovery isn't possible in Schnorr? I believe it is, in fact. 22:57 < HM3> doubtful 22:58 < HM3> sipa agreed with me months ago when i asked him as well :P 22:58 < HM3> Appeal to authority! appeal to authority 22:59 < HM3> s = k - xe 22:59 < HM3> sG = kG - xeG 22:59 < HM3> you know eG and sG but not kG (which is r) 23:00 < HM3> and you know e = H(M||r) 23:00 < HM3> and obviously not xG (the key you're trying to recover) 23:01 < gmaxwell> HM3: You know r. 23:01 < HM3> nah, r isn't part of the sig 23:01 < gmaxwell> pray tell how you compute H(M||r) without it in the verifier? 23:02 < HM3> you calculate candidate r 23:02 < HM3> then compute H(M||r) and compare with e, which = H(M||r) 23:02 < warren> Don't worry, only *hard* math is patentable subject matter. Not abstract ideas. 23:02 < HM3> I don't know why Wikipedia uses such silly letters 23:03 < HM3> r should be for the randomly selected number damnit 23:03 < gmaxwell> HM3: ah right, you recover r. 23:03 < HM3> gmaxwell, right, but you need the public key you're verifying against to do it 23:04 < HM3> in DSA you s = (1/k) * (H(M) + xr) 23:04 < HM3> and r = kG anyway 23:04 < gmaxwell> well thats a bummer then, minus one for Schnorr signatures. 
:P 23:04 < HM3> so it's fairly redundant 23:04 < HM3> gmaxwell, but DSA is broken if there's a collision on your hash function :P 23:06 < gmaxwell> so is schnorr, I take your signature and rebind it onto M' where H(M'||r) == H(M||r). :P 23:06 < HM3> if you were stupid and used a raw SHA instead of HMAC, then trick you in to signing 2 length extended messages such that there was a collision, I can work out your privy 23:06 < HM3> gmaxwell, yes but it wouldn't reveal the private key like DSA would 23:07 < HM3> even your derandomized DSA would if you used H(priv || H(M)) instead of H(priv || M) for the rerandomization bit 23:08 < gmaxwell> Fair enough. I'm not going to argue that you don't need to bother with the private key if you can just rebind, because, I realize that collisions in reality are never quite that freeform. :) 23:09 < HM3> nobody has broken anything decent collision wise yet anyway have they? 23:09 < warren> gmaxwell: thanks for in re seagate, not sure how I didn't see this before. 23:11 < gmaxwell> HM3: sure, md5, though not second-preimages on a arbritaryly selected input. 23:12 < gmaxwell> HM3: I'm busy chastizing myself because I'm usually irritated by people who refuse to distinguish theoretical security from pratical security, and I did almost make that counterargument to you in earnest. 23:13 < HM3> I saw that SHA-3 got knocked down a bit during recent standardisation 23:14 < gmaxwell> HM3: IIRC Schnorr also has nice threshold signatures, alas. 23:14 < HM3> they cut some bit lengths 23:14 < gmaxwell> HM3: yea, they changed the input rate. Which was kinda surprising, because capacity was specifically cited as a reason to exclude cubehash from the final round. 23:15 < HM3> did they give a reason? 23:15 < gmaxwell> Sure, speed. 23:15 < HM3> Pish 23:15 < gmaxwell> Its not entirely unreasonable. 23:15 < gmaxwell> But I was surprised. 
23:16 < gmaxwell> DJB did some saber rattling on the NIST list to adjust the capacity to a fixed 576 bits (so a constant 1024 bit input rate) which is sort of a middle ground (more security for the orignal proposal at 256 bits output, less than the original proposal for 512 bit output). Doesn't sound like NIST or the Keccak team like the proposal. .. but NIST went quiet with the government shutdown. 23:17 < gmaxwell> For small inputs (e.g. <1024 bits) it doesn't matter. 23:19 < HM3> maybe when they reopen they'll forget they made the change 23:19 < gmaxwell> it's kinda irritating that the NIST list is closed-access. I see that the wikipedia sha-3 article mentions this discussion but has no citation. 23:19 < gmaxwell> well the change apparently was proposed by the Keccak team, which is totally believable the original capacity was the minimum nist required. 23:19 < gmaxwell> DJB basically said FUCK YOU to that requirement and refused to meet it in his proposal, and... well. :P 23:20 < gmaxwell> the other hashes met the requirement but many of then whined. 23:20 < HM3> Good old DJB 23:20 < HM3> I find his written material very accessible 23:21 < gmaxwell> esp having 512 bits of preimage security for the 512 bit hash required >1024 bits of state (in addition to the update state) which was getting a bit burdensome. 23:22 < gmaxwell> the DJB proposed modification to sha3 would have the nice side effect of making it always process 1024 bits at a time, regardless of the output size. On that basis I like it. 23:22 < HM3> and presumably that allows for optimisation 23:23 < gmaxwell> (currently it does something like 1344 bits at a time for 256 bit output, and 1088 bits at a time for 512 bit output) 23:23 < gmaxwell> well it simplifies implementations at least, might also make hardware versions that do both sizes easier. 23:24 < HM3> 1337 bits would have been better 23:24 < gmaxwell> I am imagining millions of duck sized engineers stabbing you in the foot. 
23:26 < HM3> ah well, i must retire to bed 23:26 < HM3> i'll take that duck sized engineer thing with me --- Log closed Tue Oct 15 00:00:11 2013 --- Log opened Tue Oct 15 00:00:11 2013 02:12 < warren> sipa: http://dilbert.com/dyn/str_strip/000000000/00000000/0000000/000000/00000/2000/300/2318/2318.strip.gif 02:16 < sipa> let me guess 02:16 < sipa> yup :) 02:26 < warren> sipa: just as likely as my one time pad 05:36 < wumpus> https://github.com/bitcoin/bitcoin/issues/3090 CodeBug : should compare return value from memcmp with zero. 05:36 < wumpus> wrong channel 08:45 < HM3> since Bitcoin already uses boost you could use boost array instead of 'vch' in CKey 08:45 < HM3> would have got operator== for free 09:56 < petertodd> BlueMatt: from the point of view of a SPV node, verifying that a block header is correct is verifying it fully, so relaying that header (or even full block) to other SPV nodes does no harm. 09:57 < sipa> well, you would at least want to announce that you did not verify transactions in that case 09:57 < petertodd> BlueMatt: anyway, I put that in the BIP to show how NODE_BLOOM should be thought of "I'm willing to apply bloom filters to stuff I relay to you" and nothing more 09:57 < petertodd> sipa: which you do because you didn't set NODE_NETWORK (in that case) 09:58 < sipa> right, NODE_BLOOM is orthogonal to what you are relaying 09:58 < petertodd> sipa: exactly 09:59 < petertodd> You could (uselessly) say NODE_BLOOM and !NODE_* just means I'm willing to apply bloom filters to the nothingness I will relay to you; if you implement this I suggest you apply for an art grant. 09:59 < sipa> perhaps apply it to addr or alert messages :p 10:00 < petertodd> With an extended NODE_BLOOM definition that makes a lot of sense. 14:41 < gmaxwell> uh. Michael Gronager has ... um. not quite sure what to call it: https://bitcointalk.org/index.php?topic=310954 14:43 < petertodd> looks fixable to me, though ugly 14:44 < gmaxwell> yea, it's apparently already fixed. 
14:45 < gmaxwell> 50% drop in namecoin exchange rate though. 14:45 < petertodd> good example of how blockchains can separate proof-of-data distribution, global consensus on ordering, and the actual rules themselves... 14:45 < petertodd> ha, yeah, I should have quickly bought some at the low point :P 15:07 < warren> amusing to see the deniers in the thread 15:10 < amiller> does anyone know who first created namecoin 15:10 < sipa> vinced? 15:15 < K1773R> gmaxwell: (namecoin) holy, thats horrible... i wonder why nobody looked at it :S 15:16 < sipa> i suppose because nobody competent cared? *ducks* 15:16 < amiller> but no one has heard from vinced in a long time? 15:17 < petertodd> K1773R: namecoin isn't getting used for anything yet; it just hasn't caught on 15:17 < petertodd> K1773R: well, other than speculators... 15:18 < K1773R> petertodd: i used it as backup solution for important stuff 15:18 < sipa> eh? 15:18 < petertodd> K1773R: backup? how so? 15:18 < K1773R> your aware its just a simple key/value storage? 15:19 < sipa> yes 15:19 < sipa> but there are certainly easier ways 16:17 < amiller> jtimon, ok well fair enough, that is indeed a good way to do it, but you probably also need a way of discouraging utxo bloat 16:18 < jtimon> amiller I advocate for explicit colors 16:18 < amiller> jtimon, yes i advocate for it too, i just don't see what the solution is for discouraging utxo bloat now that you add a functionality that increases it 16:19 < jtimon> if nobody has to store the full utxo, utxo bloating is not that much of a problem 16:20 < maaku_> amiller: this doesn't result in any utxo bloat... 16:20 < amiller> do coins have at most 1 color or something? 16:20 < maaku_> scripts are in the txin, not out 16:20 < killerstorm> amiller: color tag is just a hash of genesis transaction or something like that. ~32 bytes per UTXO won't hurt. 16:20 < maaku_> amiller: yes 16:21 < amiller> ok that sounds pretty nice. 
16:21 < amiller> adding that single op code and that single change to UTXO is by far the simplest way of getting fairly scalable colored coins usage. 16:22 < killerstorm> jtimon: there is no difference between OP_CHECKCOLORVERIFY and explicit colors. OP_CHECKCOLORVERIFY can be in scriptSig. 16:22 < amiller> i'd be really interested to see that 16:22 < jtimon> killerstorm: in fact, in the next version of freimarkets specs, you can save the tag, by ommiting it you mean "the same color as the previous output" 16:22 < killerstorm> jtimon: I mean I'm not aware of any practical difference. 16:22 < amiller> that sounds pretty great to me 16:22 < amiller> how about a reference impl that deviates minimally from satoshi client? 16:24 < maaku_> amiller: what scheme are you talking about? 16:24 < killerstorm> Well I've heard iXcoin guys are interested in implementing this, but they lack developers. (Essentially it is just the guy who does the marketing...) 16:24 < killerstorm> I've outlined the spec although I'm not sure about some decisions. 16:25 < jtimon> saposhi nasakyoto I think (I can't believe ixcoin is alive, and there's still people who say MM kills altcoins...) 16:29 < jtimon> but yeah, why not use it to experiment 16:30 < jtimon> is already MM, it's in a great position to be used for this things 16:31 < killerstorm> It got new life: new PR/marketing team :) 16:32 < killerstorm> MM means that it is 100% controlled by ghash.io 16:32 < jtimon> killerstorm, how do you implement per-asset interest/demurrage with OP_CHECKCOLOR ? 16:32 < jtimon> only ghash.io merge-mines it? 16:33 < killerstorm> No, ghash.io has 40% of bitcoin hashpower and is mining alt-coins. 
Since some Bitcoin miners do not do merged mining, this means that ghash.io hash more than 50% of hashpower of Namecoin and IXCoin 16:34 < petertodd> killerstorm: +1 wish people realized that earlier 16:39 < warren> http://en.wikipedia.org/wiki/Savitch's_theorem 16:39 < warren> (for those thinking of memory hard to hash but easy to validate PoW, would this theoretical limit apply?) 16:42 < petertodd> I'm not seeing the connection 16:49 < jtimon> I don't see why memory hard is better 16:50 < warren> I didn't say it was. 16:50 < warren> people were discussing it here in past months 16:50 < petertodd> jtimon: the theory is memory hard targets memory, which is most likely to be an availalbe commodity product and thus escapes the ASIC centralization trap 16:51 < petertodd> jtimon: however, practical memory hard that really is ASIC-hard appears to be a very difficult problem 16:51 < petertodd> jtimon: reasonably easy to do in cases where the work to be done in non-parallizable, but crypto-consensus systems must be parallelizable 17:01 < jtimon> I don't see why ASICs are worse 17:05 < warren> IMHO, mining pool centralization is the real problem, not ASIC's. 17:07 < jtimon> warren, agreed, and I thought that was solved with trustless pools (p2pool, eligious...) 17:07 < petertodd> jtimon: ASICs centralize control in the hands of a very small number of chip fabs 17:08 < maaku_> petertodd: meh, coordinated quality control could mitigate that 17:08 < petertodd> jtimon: and p2pool and getblocktemplate don't "solve" the problem because there's no incentive to use either 17:08 < petertodd> maaku_: huh? 
17:08 < maaku_> petertodd: a scanning electron microscope is not hard to get access to 17:09 < petertodd> jtimon: they *do* help with "non-selfish" actors, but they fall short of the security ideal where bitcoin is secure in the presense of selfish actors 17:09 < maaku_> there should be efforts to take asic chips at random from batches and do SEM scans of their circuits 17:09 < maaku_> then anyone with tools can verify that they are not backdoored 17:09 < petertodd> maaku_: the problem isn't hardware that's bugged, the problem is getting hardware at all - those chip fabs can easily *publicly* control the bitcoin network 17:10 < jtimon> can't the operator of a centralized pool cheat you somehow? 17:10 < maaku_> jtimon: out of your shares, yes 17:10 < jtimon> or decide for you what transactions to, say censor? 17:11 < petertodd> jtimon: they can cheat you in lots of ways, that doesn't change the fact that per unit hashing power they'll be more profitable in many scenarios 17:11 < maaku_> jtimon: using GBT you can choose your own transactions 17:11 < petertodd> jtimon: after all, they might own the hashing power too you know in which case cheating doesn't even come into it - ghash.io owns much of their physical hashing power 17:11 < petertodd> maaku_: in theory, in practice pools don't allow that - very high bandwidth cost 17:12 < maaku_> well, eligius does 17:12 < jtimon> maybe centralized operators aren't being as malevolent as they "should" 17:12 < petertodd> maaku_: yes, and eligius is being operated by alturistic people 17:12 < petertodd> jtimon: who cares? 
what matters is that our security isn't as good if we have to rely on that 17:13 < maaku_> meh, i would say that eligius is operated by knowlegable people/person 17:13 < sipa> it's my theory that if every actor started out as malevolent/selfish/rational, bitcoin would never have worked 17:13 < sipa> it's an experiment in building a system that doesn't need trust in many actors 17:13 < maaku_> as bitcoin matures i expect more pools to act like Luke-Jr 17:13 < sipa> but we'll need to get there step by step 17:13 < jtimon> sipa you're probably right, the start was incredible difficult 17:14 < maaku_> or maybe the causality is reversed - bitcoin will never mature unless more pools act like Eligius does 17:14 < maaku_> either way once it happens, it happens 17:14 < jtimon> I mean, I wasn't around, but...it's surely the hardest part 17:15 < petertodd> sipa: yes, we got incredibly lucky there 17:16 < petertodd> fact of the matter is that relying on alturism is dangerous and subject to sudden changes 17:16 < petertodd> never mind the fact that what were were talking about, ASIC-hardness, has nothing to do with alturism 17:17 < sipa> yup, but removing much it suddenly is equally dangerous 17:17 < petertodd> sipa: what do you mean by "removing" it? 17:17 < petertodd> sipa: no-one is proposing removing anything 17:17 < sipa> oh, i'm not saying that 17:18 < sipa> but if suddenly many people/miners/whatever started acting selfishly, i'm sure it could hurt bitcoin's survival chances 17:18 < sipa> +suddenly 17:18 < petertodd> oh sure, but the fact that it would hurt just shows that bitcoin is poorly designed 17:18 < sipa> i'd say it just isn't evolved enough :) 17:19 < petertodd> heh, equally true statement 17:19 < petertodd> though the ugly thing is changing the design is probably an economic change so... 
17:20 < petertodd> anyway, as I said about the selfish miner attack, these attacks are real, and we're damn lucky that for now the big players are acting alturisticly, take advantage of that time to study alternatives so we'll have them ready when they're needed 17:20 < jtimon> come'on miners have to attack MM chains because "the good of their coin is their good", but they cannot trustless mine because "it is not selfish enough"? 17:21 < petertodd> jtimon: what do you mean by trustless mine? 17:21 < jtimon> p2pool, eligious 17:21 < sipa> p2pool/gbt? 17:21 < jtimon> yes 17:21 < petertodd> jtimon: remember, my point re MM attack was that if you have a big pool, then your MM chain is in a dangerous position 17:22 < petertodd> jtimon: my point with trustless mining is that it *costs more* than just pointing your hashing power at ghash.io 17:22 < jtimon> my point now is to apply your same "for the future of the coin" reasoning for miners to use p2pool/gbt 17:22 < petertodd> after all, this all came up with mastercoin when I got hired to analyze what type of blockchian they should use, and the result was "Why use anything less secure?" 17:23 < petertodd> jtimon: that's a very bad comparison - you're comparing the behavior of a large pool to a small hasher 17:24 < jtimon> a large pool is composed of small hashers 17:25 < jtimon> if anything, they should be more stupid in groups, no? 17:25 < petertodd> not at all, think in terms of incentives to defect and do what's better for you, but worse for the group 17:25 < petertodd> IE, I earn more money for less work if I hash at ghash.io 17:26 < petertodd> vs. "I'm a 30% pool and killing off FooCoin is cheap and easy and the public doesn't like it anyway so the PR will be good for me." 17:26 < petertodd> (especially relevant in my advice to mastercoin you know...) 
17:26 < jtimon> IE, I earn more money for less work if I MM instead of attacking a "competing" coin 17:26 < petertodd> oh piss off, scale makes the incentives very different 17:26 < sipa> merge mining a tiny currency doesn't gain you anything significant 17:27 < jtimon> your advice to mastercoin was to use your proof of sacrifice design draft? 17:27 < jrmithdobbs> jtimon: you're failing to control for internet assholes 17:27 < jtimon> sipa how much you lose by gbt vs ghash.io ? 17:27 < jrmithdobbs> "Some men just like to watch the world burn." 21:18 < petertodd> what? satoshidice? 21:19 < Luke-Jr> yes 21:19 < petertodd> ok, go to a jurisdiction where gambling is legal and or replace that example with another business 21:20 < Luke-Jr> I don't see a court accepting the basis that I am forced to do business with <other business> 21:20 < petertodd> Or heck, lets say I write an Android app called "Rip off zeroconf merchants!" that automates the process, and give Eligius 10% of the stolen funds in terms of fees. 21:20 < Luke-Jr> even outside of bitcoin, I have the right to choose who I do and don't do business with 21:20 < petertodd> This has nothing to do with who you choose business with - no-one is making you mine those transactions. 21:21 < petertodd> We're just forcing you to follow standard good practice and accept them into your mempool so double-spends can be detected and not mined. 21:21 < gmaxwell> well be careful to distinguish civil liability and criminal. 21:21 < gmaxwell> I think making a criminal claim out of anything in this space would be very hard. 21:21 < gmaxwell> It's too easy to deny intent. 21:21 < Luke-Jr> petertodd: accepting them into my mempool is forcing me to provide a service to them 21:21 < petertodd> gmaxwell: indeed, and civil is majority, which is a much lower bar... 
21:21 < gmaxwell> (except in cases like ghash.io where they were directly and obviously profiting from it) 21:22 < petertodd> gmaxwell: I brought up the app example because it could be used in court to infer conspiracy to commit a crime. 21:22 < Luke-Jr> petertodd: why should I be forced to provide conflict detection services for <your business>? 21:22 < gmaxwell> In a civil claim, its almost sufficient to just show someone was harmed and that you were on the critical path. 21:22 < petertodd> Luke-Jr: what gmaxwell said... 21:22 < petertodd> Luke-Jr: you are being forced to take the minimal accepted prudent action 21:23 < gmaxwell> It's uncertian what the standards people would be held to in the future. 21:23 < petertodd> gmaxwell: +1 - Reality is this is all uncertain. 21:23 < Luke-Jr> petertodd: especially in the case of a spammer, who is abusing these exact resources 21:23 < gmaxwell> Basically as petertodd says. Doing something unusual that is responsible for someone else losing money, which you could or should have foreseen, may leave you with civil liablity. 21:23 < gmaxwell> _may_ 21:23 < gmaxwell> In the case of these gambling services its totally moot. 21:24 < Luke-Jr> gmaxwell: even if they know they can lose money? 21:24 < petertodd> gmaxwell: yup, which is why defacto-zeroconf scares me a lot - the other half of it is "something unusual" might just mean you didn't invest as much money in network bandwidth 21:24 < gmaxwell> Their services are very likely unlawful in any jurisdicition that you care about being exposed to, and so they don't get to enjoy relief from the courts. 21:24 < gmaxwell> Luke-Jr: sure, and in defense someone being accused of a civil claim here would point to the fact that everyone knows zeroconf is unsafe. 21:25 < petertodd> Luke-Jr: "Every knows zeroconf is unsafe? 
Why we have the Lead Developer of Bitcoin on record saying it's safe for low-value transactions and that no pool would mine double-spends to preserve the value of their Bitcoins." 21:25 < gmaxwell> Luke-Jr: most of the US uses https://en.wikipedia.org/wiki/Comparative_negligence in deciding these things... 21:26 < gmaxwell> It's possible to get a decision that "yea, they should have known it was unsafe, so you're only 5% at fault" 21:26 < petertodd> Yup, and 5% of tens of thousands might still bankrupt you. 21:27 < gmaxwell> more importantly, you really just want to not be in a position where someone can bring a claim to court.... just defending is very expensive. 21:27 < petertodd> nor do you want to be in a position where some regulator is actually working behind the scenes to make the case happen 21:28 < Luke-Jr> all sounds like more reason to remove any sense of "defaults" from bitcoind 21:28 < gmaxwell> well, the right case happening wouldn't be so bad. 21:28 < petertodd> Luke-Jr: that I agree with mostly 21:29 < phantomcircuit> gmaxwell, boy is it 21:29 * petertodd brb, starting a fake ringtone company to set precedent 21:30 < gmaxwell> you really want the precident setting defrauded site to be that girls gone wild guy 21:31 < petertodd> ha, ok, "pay by the minute barely legal live BDSM porn" 21:31 < Emcy> cant you just ensire tor mining is a thing for the foreseeable and preclude all this nonsense 21:32 < petertodd> Emcy: "As a major pool, you should put a stop to this nonsense by discouraging blocks with double-spends." <- I've seen this as a suggest way too many times 21:32 * warren is anyone else creeped out by that guy? 21:33 < petertodd> warren: which guy? 
21:34 < Emcy> whats wrong with discouraging double spends 21:34 < petertodd> Emcy: by that I mean if you see a block with a double-spend in it, you delibrately orphan it 21:34 < petertodd> Emcy: is very dangerous for consensus 21:34 < Luke-Jr> nOgAnOo: yes; no 21:35 < Emcy> i didint know you could get a double spend into the same block 21:35 < petertodd> Emcy: block would double-spend a tx in the mempool in this case 21:35 < Emcy> that seems bund 21:50 < gmaxwell> Does anyone offer abortions for bitcoin? Now there would be your double feature test case. 21:50 < gmaxwell> catholic abets a double spend fraud of a payment for an abortion. 0_o 21:54 < Luke-Jr> gmaxwell: you didn't think that through ;) 21:54 < Luke-Jr> I'm not about to aide someone seeking a murder for hire 21:57 < warren> Luke-Jr: now sure how you'd code that into eligius ... 21:58 < gmaxwell> Luke-Jr: no thats exactly the point. 21:58 < gmaxwell> Luke-Jr: someone accepts payments for abortions. You, as expected, block the transactions if you can. 21:58 < gmaxwell> They get ripped off via a double spend as a result. 21:59 < warren> gavinandresen: sent 21:59 < gmaxwell> Now they sue you claiming that you're culpable for the theft. You defend saying that it would be unconscionable to demand that you knowingly aid their enterprise. 22:00 < Luke-Jr> hmm, in that case I'd have to figure out a way to blacklist the coin ;) 22:01 < gmaxwell> I didn't mean it seriously in any case, its a thought expirement about miner culpability. (and what a perrilous route it is) 22:02 < gavinandresen> petertodd: zero-confirmation transactions can be made "safe-enough" for in-person low-value transactions where there is some trust that the person standing in front of you isn't colluding with a miner to double-spend. 22:03 < gavinandresen> trust/safety are not booleans 22:04 < warren> does the android wallet tell you about double spends? 22:05 < gmaxwell> petertodd: does android wallet still hide (some?) 
confirmed nlocktime payments? 22:05 < Luke-Jr> it doesn't even get normal spends right, so I doubt it 22:06 < Luke-Jr> btw, anyone here know an accountant into bitcoin? 22:06 < gmaxwell> TD[away]: Were you ever able to get android wallet to compile? 22:11 < BlueMatt> gmaxwell: huh? the android wallet is easy to compile 22:11 < BlueMatt> or are you talking about a branch? 22:14 < gmaxwell> derp right it was multibit that had the issue, now AW. 22:16 < warren> nOgAnOo: You are not being helpful here. 22:37 < jrmithdobbs> Is there a testnet chain big enough for io subsystem fuzzing? 22:38 < jrmithdobbs> I want 100k or so blocks I can throw at n bitcoind instances in parallel for parsing/indexing 22:39 < warren> testnet3 has over 100k blocks 22:39 < warren> not very big though 22:40 < jrmithdobbs> Guess I can jus use the real chain. 22:41 < jrmithdobbs> Actually. Tesnet3 may be ideal 22:41 < jrmithdobbs> Less CPU choking on smaller blocks and more io thrashing 22:43 < jrmithdobbs> Someone have it in a < .8 && <= bdb 4.8 format somewhere? 22:45 < Luke-Jr> uh? 22:45 < Luke-Jr> blockchains don't use db formats 22:47 < jrmithdobbs> The Indra 22:47 < jrmithdobbs> Index 22:48 < jrmithdobbs> Guess could just reindex it, forget how non-intensive test net processing is. ;p --- Log closed Thu Nov 21 00:00:50 2013 --- Log opened Thu Nov 21 00:00:50 2013 00:42 < petertodd> gmaxwell: no, it's even worse now: looks like anything other than standard nSequence=max and nLockTime=0 just doesn't show up in the wallet at all 00:43 < gmaxwell> petertodd: wow, so setting locktime to other values will hose them, even if the sequence was always max? :-/ 00:43 < petertodd> gmaxwell: yup 00:43 < petertodd> gmaxwell: how do people fuck this shit up? 00:43 < petertodd> gmaxwell: the previous behavior was *better* than that 00:46 < gmaxwell> petertodd: thats the kinda question you can only answer by looking at commits. 
00:51 < petertodd> gmaxwell: it's probably something to do with edf37998ca6c47c31a72271db136ac94ce2a6a13 in bitcoin
00:52 < gmaxwell> bitcoinj*
00:52 < petertodd> er, right
00:54 < petertodd> gmaxwell: sheesh, it's some new "risk analyzer" thing to try to analyze the risk of double-spends - I should submit a patch that replaces all that stupid code with a single simple calculation that always returns NaN
00:55 < gmaxwell> the logic in the commit message sounds like the bitcoin-qt wallet behavior, it's not insane.
00:56 < petertodd> gmaxwell: my point is the thinking behind it
00:56 < petertodd> gmaxwell: anyway, it's probably just that the API changed and somehow it ended up with default off - there's no reference to any of it in bitcoin-wallet
05:18 < TD> gmaxwell: the android wallet? sure. it was multibit that was the problem, right? jim said he fixed that a couple of weeks ago but i didn't try building it since
05:18 < TD> gmaxwell: i had to spend time trying to make bitcoin-qt compile again
05:18 < TD> compiling sucks
05:20 < TD> i guess we should try and keep normal dev stuff in #bitcoin-dev though
05:20 < warren> TD: you use mac?
05:21 < TD> otherwise all we managed is to split one dev channel into two. let's keep #wizards for researchy stuff
05:51 * Luke-Jr facepalms
13:57 < adam3us> amiller: yes... well and by a public constant multiplication
13:57 < adam3us> amiller: so you can actually do ratios also from that
13:58 < amiller> help me understand the range proof
13:58 < amiller> start with notation for like, one input and two outputs
13:59 < adam3us> amiller: it's gnarly :) the basic idea is you need to prove v from vG+xH with v < 2^m
14:00 < amiller> i'll be happy if i can understand that a) ZK proof that the sum of outputs = sum of inputs, without overflow, b) the receiver learns one of the output values, but not the other output or the input, and c) both outputs are in a form suitable to be used in subsequent transactions
14:00 < adam3us> amiller: it's Schoenmakers' protocol, I just optimize the application of it
14:00 < adam3us> amiller: yes
14:00 < adam3us> amiller: so call the bits of v = v_m ... v_1
14:01 < adam3us> now you prove separately that v_i is either 0 or 1 using generic ZKP of OR which is to introduce a degree of flexibility where the prover can intentionally forge one of the two proofs (but not both) as c=H(params), c1 = random, c2 = c xor c1 prove wrt those 2 challenges
14:03 < amiller> ahhhhh
14:04 < adam3us> amiller: and the rest is basically to obscure it and then there's a verification relation involving 2^j and the random values committed to and showing sum xi = x and you're good to go :)
14:04 < amiller> i think i remember how to do ZK of OR...
14:04 < adam3us> amiller: then i optimized the heck out of the serialization, and what needs to be unique, can be derived from a seed, reused, computed (pub key from sig with schnorr) etc
14:05 < adam3us> yeah you just forge the one that is wrong and choose c1 as a result of that computation then set c2 = c-c1 mod n and do a real proof on that one
14:08 < adam3us> amiller: the way you avoid the sender knowing too much about the receiver's secrets is you create a null value 0G+x0*H aka x0*H (and prove that is true using a schnorr sig) and then the sender adds the payment to it, and yet the sender does not know x0
14:09 < adam3us> amiller: so eg the sender could send 5*G+x1*H and the result is 5*G+(x1+x0)*H and the sender doesn't know x0; sender has to send 5, x1 to recipient out of band or encrypted
14:11 < adam3us> amiller: you can also do proofs of equivalence of discrete log and auditable encryption so I think you could probably validate that E(5),E(x1) matched the coin, though I didn't work out the details on that and it doesn't seem necessary because the recipient doesn't have to use the input
14:13 < adam3us> petertodd: "is that linear with the number of txouts?" yes; you do a range proof on each output, but you don't need to when you use the output as the input to a following transaction as it's already done
14:14 < adam3us> petertodd: "does it handle any combination of # of txins and # of txouts?" yes, and some of them can be unencrypted optionally (eg the fee)
14:16 < petertodd> adam3us: ok, sounds like this is a bit of an issue with large transactions, as there's a trade-off between "publish the whole tx" as your fraud proof, and having more complex merkle trees
14:16 < petertodd> see, we were thinking of doing merkle sum trees extending into the transaction txins and txouts, which is cheap with un-hidden values, not so cheap with a homomorphic system
14:19 < adam3us> petertodd: "yes, but the only thing stopping it is that it's possible to mine outside of government control! Reality is with the current system, even with TXO commitments and fraud proofs, at some point a large blocksize will lead to that scenario." i think we have problems like that, and seemingly a number of people don't recognize it yet; I am also not sure such an asic friendly mining function is good either
14:20 < adam3us> petertodd: in an ideal world one could remove miners, and everyone with whatever power can direct mine for their respective tiny reward
14:20 < petertodd> yes, ASICs are very much the other part of that problem....
14:22 < adam3us> petertodd: you can do better than scrypt(iter=1) - I saw some folks on the forum were proposing a mix of 16 aes and 16 sha3 finalists to increase chip layout; also something dynamic could help; apparently dan kaminsky has some idea about an x86 proof of work which would be inefficient on non x86
14:23 < petertodd> adam3us: If I were to design bitcoin 2.0, I'd design a system where you lose 1% of the value of your coins every year to pay for security, mining can't be outsourced via some type of scheme where rewards can be stolen by whomever did the mining, mining could be done on a small scale, (aka what p2pool does for bitcoin, though probably not that mechanism) and the pow function was commodity hardware friendly (hopefully no worse than 2x or 3x less cost effective than custom asics)
14:23 < adam3us> petertodd: so about that (no mining pools) is there some way to rely only on a time-stamp server or beacon without having miners validate anything
14:23 < petertodd> yeah, I'm dubious about anything that targets a chip architecture, too easy to just make an asic that optimizes the architecture, and archs change over time anyway
14:23 < petertodd> I think only mem-hard mining has any hope of working
14:24 < adam3us> petertodd: yes - i think the people who defend hashcash-sha256^2 have some point which is that hardware ALWAYS wins, and if it's a complicated or dynamic algorithm the only people with the hw will be people with $100m+ to play with
14:25 < adam3us> petertodd: then we'll see centralization in an even harder to combat form - another idea is to kick start a not-for-profit open hardware sha256 asic mining manufacturer
14:26 < petertodd> adam3us: see, I strongly disagree on principle because computer ram is stupidly optimized for its task; design a good ram-hard pow and the custom part of a potential asic will be small enough that at worst it becomes a cottage industry where the custom parts are relatively easy parts like custom pcbs
14:26 < petertodd> adam3us: problem is I haven't figured out how to actually do that...
14:26 < adam3us> petertodd: i don't know much about hw but that seems like a good idea, as butterfly et al are suspected of premining or fatal incompetence
14:26 < adam3us> petertodd: apparently there's another one called ROMix by the Scrypt author
14:26 < petertodd> adam3us: you mean an open hardware asic mining designer... we're probably never going to have decentralized IC manufacturing due to the nature of the business
14:26 < petertodd> adam3us: having open designs doesn't help
14:27 < petertodd> *much
14:27 < adam3us> petertodd: Scrypt itself is time-memory tradeable as it was a non-requirement to fix it
14:27 < petertodd> adam3us: yup
14:27 < adam3us> petertodd: yes i agree it's not so much the openness as the ready availability shipped on payment (not 1 year later when it's barely profitable)
14:28 < petertodd> See, at a high level, we can do interactive proof-of-storage, but we can't do non-interactive proof-of-storage. (specifically I mean you had some ram that was dedicated to a task for a given amount of time)
14:29 < petertodd> We can do proof-of-memory-bandwidth, but that doesn't appear to be ASIC hard: commodity ram *does* have various trade-offs between total storage, and bank bandwidth, and if you prove bandwidth * time, you can make an ASIC targeting that. (or your algorithm's constants become obsolete over time)
14:29 < petertodd> proof-of-memory-bandwidth also has the annoying habit of being symmetric, computation and validation are both expensive. (litecoin's been optimizing their scrypt implementation to speed up block header validation)
14:30 < adam3us> petertodd: i was wondering if many-ported ram could be a problem too (eg dual ported gfx ram to its logical conclusion eg 16-ports, 128ports)
14:31 < petertodd> adam3us: that's exactly what I mean! for instance I had a scheme for an asymmetrically validatable proof-of-work function with merkle trees where the size of the proofs was directly related to the parallelism possible, and commodity ram had way less parallelism than optimal
14:31 < adam3us> more high level though is there a way to base transaction ordering on a distributed timestamp server or distributed beacon without so much having the miners digging into the tx details
14:32 < petertodd> sure, but how do we keep the timestamp/beacon system secure?
14:32 < adam3us> yes; again hardware ALWAYS does better - it's like a rule of physics or something
14:33 < adam3us> petertodd: well for example everyone mines timestamp commitments for reward
14:33 < adam3us> petertodd: that's nearly what committed tx looks like really
14:33 < petertodd> adam3us: no it's not! not pragmatically anyway, sure it'll always be at least some epsilon better, but we can live with ASICs being, say, 2x or 3x more cost efficient - basically that just makes tx's that people want to censor some reasonable amount more expensive. Not perfect, but we can live with that.
14:33 < adam3us> petertodd: the miner doesn't learn much except it's ordering something opaque
14:34 < petertodd> As I've said over and over, those schemes are nice, but there is no way they can fully prevent censorship.
14:34 < petertodd> They're plausible deniability really.
14:34 < adam3us> petertodd: agree the scale is critical, 2-3x as you say would be fantastic compared to where we are now
14:34 < petertodd> adam3us: yes, right now we've got more like 1000x
14:36 < adam3us> petertodd: i was thinking one stepping stone towards reducing need for mining pools and miner understanding eg is that you could mine to get voting rights and then use the voting rights to vote on transactions
14:36 < petertodd> Also, keep in mind there's variations of this stuff too: assuming FPGA's are always available as commodity is a weaker assumption, but it's better than nothing. On that basis it might be a lot easier to make mem-hard work.
14:36 < adam3us> petertodd: eg you mine your public key repeatedly for 10mins, everyone does
13:08 < adam3us> musing about organizing private keys as some kind of merkle-tree, if I had Q=dG where d is the root of the tree, then Q=Q1+Q2 where Q1=d1G, Q2=d2G d=d1+d2 mod n, and so on for Q1..Qk for some number. now say leaf nodes in this tree are worth some standardized unit, 1uBTC. now you can combine public keys to form a new public key Q0=Q1+Q1' (from Q1 prime another user's input)
13:09 < adam3us> to prove authority to sign you must show a merkle path from a public key to the root, and sign it, the depth of the path and the number of leaves you can control proves the amount you are spending
13:10 < adam3us> maybe a block can add all the public keys in it, and then all transactions in it are implicitly mixed
13:11 < adam3us> maybe even all utxo public keys can be implicitly mixed analogously
14:22 < maaku> adam3us: isn't that similar to how lamport signatures work?
14:22 < adam3us> yes kind of but with hashes
14:23 < maaku> adam3us: the problem is bitcoin doesn't use ecdsa sigs, it uses scripts (which have, among other things, ecdsa opcodes)
14:46 < adam3us> maaku: yes it's a bit of a blue sky thought
14:47 < adam3us> maaku: wondering if bitcoin used a key per unit like zerocoin, what you could do, it seems that if there is a unique key per unit, there is less meaning to the linking - it's meaningless to the network
14:47 < adam3us> maaku: so then i was wondering can you combine lots of keys efficiently into a signature
14:49 < adam3us> maaku: where the verifier can't tell which input signature to the whole block (or even whole utxo) it came from
14:52 < adam3us> seems to me like you need 1 thread per hyperthread
14:52 < adam3us> eg 4 core i7, then 8 threads
14:53 < adam3us> wow m512 is quite a bit faster
14:54 < adam3us> sorry wrong window on the cores and threads
14:56 < gmaxwell> maaku: yea, I've wagged my finger at adam3us with ugly optimizations that layer violate and special case for specific cryptosystems. but man, they can be very attractive.
14:56 < petertodd> adam3us: some of my blue-sky blockchain proposals work well with single-sized coin values too
14:57 < gmaxwell> careful that you don't dance back into the space of academic cryptography that isn't actually practically useful due to limits like that. :)
14:57 < petertodd> gmaxwell: heh, well, if such a limit enables something else, the tradeoff may be worth it...
14:58 < adam3us> petertodd: my thought experiment started hmm maybe zerocoin is silly - it's one coin size, if bitcoin had that there would be no change and no meaningful linkage from the network analysis perspective either
14:58 < petertodd> adam3us: yup, it's a good idea - basically what you are doing is making it more bandwidth efficient
14:58 < adam3us> petertodd, gmaxwell: and that seems to be true no? the only person who knows which coin set is linked is the sender & recipient, other than like timing of sending them
14:59 < petertodd> adam3us: thing is, so maybe the trade-off is less bandwidth efficient per tx, but more scalable, in which case the single-sized coin values actually has a very attractive side-effect I hadn't thought of
14:59 < adam3us> petertodd: yes so then i thought ok so going the other way can you represent a big batch of sigs extremely compactly
14:59 < gmaxwell> adam3us: it's correct. if there is no splitting, merging, or address reuse, bitcoin is an anonymous currency up to timing analysis.
15:00 < adam3us> gmaxwell: that would actually meet my idealized definition almost: that only the sender & recipient could link (via subpoena etc)
15:00 < gmaxwell> and even timing analysis is .. meh, it's not like the time someone sends to you implies you are online.
15:00 < adam3us> gmaxwell: community policing
15:00 < adam3us> gmaxwell: exactly - "good enough"
15:00 < adam3us> gmaxwell: if you're not in a hurry spray them out a bit
15:01 < gmaxwell> News at 11: Mixmaster has a purpose again!
15:01 < petertodd> heh
15:01 < gmaxwell> adam3us: but yea, this isn't lost on me, but ISTM I'd never convince anyone of it.
15:01 < gmaxwell> Even the coinjoin stuff I was yabbering about that forever but couldn't get anyone to talk about it until I had a _name_ for it (thanks Peter)
15:02 < petertodd> it's too bad we don't have a "numerical addition" signature type, so you could just make multiple SIGHASH_ANYONECANPAY | SIGHASH_ADDITIVE txin signatures and gradually combine them e.g. for donations
15:02 < adam3us> gmaxwell: bah - let the people who understand jgarzik triangle deal with that
15:02 < petertodd> gmaxwell: heh, and they never thought I'd do anything useful with that art degree...
15:02 < sipa> ISTM?
15:02 < gmaxwell> it seems to me
15:02 < adam3us> petertodd: yes the schnorr sig and it turns out bernstein's EdDSA *is* ec schnorr (thanks gmaxwell for pushing me to read it)
15:03 < adam3us> petertodd: schnorr you can add sigs and keys
15:03 < petertodd> adam3us: right, I was actually thinking of something a lot simpler!
15:05 < gmaxwell> petertodd: did you see my lament about multisig and anonymity groups?
15:05 < petertodd> gmaxwell: nope
15:05 < gmaxwell> petertodd: if we used schnorr then 2 of 2 multisig txn would be indistinguishable from regular transactions.
15:05 < adam3us> gmaxwell: re layering violations - when you're out of luck, bend the rules :) we can patch it up best we can afterwards
15:05 < petertodd> gmaxwell: ah, yeah that'd be a good thing...
15:05 < gmaxwell> so the anonymity set for protocols based on them (e.g. coinswaps) would be basically all txn.
15:06 < gmaxwell> adam3us: well, of course, things snapping together nicely is sometimes a sign that you understand the problem space...
15:06 < petertodd> gmaxwell: the one good thing about multisig is that at least it's conceivable that what gets actually used will be a relatively small set of versions of it, 2-of-2's, 2-of-3's etc.
15:06 < adam3us> gmaxwell: i love elegance, and bitcoin has a huge amount of it
15:07 < gmaxwell> petertodd: sure sure, still, kinda sad that they're distinguishable.
15:07 < adam3us> petertodd: see also there's a leakage with multisig it tells you how many sigs there are and if it's k of n or n of n, with schnorr you have no idea
15:07 < adam3us> petertodd: and it takes the space of 1 sig also
15:07 < petertodd> adam3us: yup, like a fine hyper-optimized sports car - though I feel bad for the mechanic trying to change the oil filter...
15:08 < gmaxwell> in any case, I only brought it up because while the size and flexibility advantages were old news to me, I hadn't considered the privacy impact.
15:08 < adam3us> petertodd: it also has simple efficient blind sigs
15:08 < TD> good evening
15:09 < adam3us> petertodd: blind sig with EC DSA is not efficiently possible afaik, even with DSA blind sig is horrendous (damgard jurik homomorphic addition in n^5)
15:10 < petertodd> adam3us: I'll pretend I understood what you said :P
15:10 < petertodd> adam3us: by n^5 you mean O(n^5)?
15:10 < adam3us> TD: 'evening we're musing about blue-sky crypto, and lastly about the wonderful things you could do with schnorr (instead of dsa) and it turns out which i didn't realize that djb's EdDSA actually is schnorr
15:11 < TD> i haven't looked at EdDSA
15:11 < TD> it's not the same as ed25519?
15:11 < adam3us> petertodd: no i mean the calculations need to be done in a group of size n^5 where n is like a 3072 bit RSA key so like 15360 bit ops
15:11 < adam3us> TD: yes it is
15:11 < petertodd> adam3us: ah, so it's a size issue?
15:12 < adam3us> TD: i mean i always assumed without reading the paper, that it was a diff curve for DSA, but it's actually a tweaked version of EC schnorr sigs which is cool
15:12 < TD> oh
15:12 < TD> interesting
15:12 < TD> yeah i thought that too
15:12 < TD> although they're quite similar aren't they
15:12 < adam3us> petertodd: the intermediate results between the two users, the final result is a normal dsa sig
15:13 < TD> re-reading the schnorr wiki page, it's still based on discrete log and a group of prime order
15:13 < adam3us> TD: yes very, i think dsa wouldn't have existed if not for schnorr's patent (expired 2008)
15:13 < petertodd> adam3us: ah ok, so final sig size is reasonable, but the intermediate state isn't?
15:13 < adam3us> TD: but schnorr has many flexibility, security, size, advantages
15:13 < TD> sigh. patents.
15:13 < TD> is there anything they can't screw up
15:13 < adam3us> petertodd: yes, the intermediate uses a ton of experimental rade stuff
15:13 < TD> looks like to understand schnorr i will have to learn more maths first
15:13 < adam3us> petertodd: and probably moderately cpu heavy too
15:14 < petertodd> adam3us: right - I was gonna say I think I've got a possible solution to the "data hiding" problem in my txin commitments scheme
15:14 < adam3us> TD: if you understand DSA you'll get it... just djb papers are hard to decipher look at https://en.wikipedia.org/wiki/Schnorr_signature
15:15 < petertodd> adam3us: again, trade-off bandwidth for scalability
15:15 < TD> yeah i'm reading that but i need to [re] learn the definitions of things like "set of congruence classes modulo q"
15:15 < adam3us> TD: basically the only diff is you don't need to invert k
15:15 < TD> this rings bells from a-level maths but i forgot it
15:16 < TD> ed25519 is definitely on my hard-fork wishlist
15:16 < TD> the performance improvement is immense
15:18 < petertodd> adam3us: basically, remember how I was talking about "sharding" the txin space in the scheme with a binary tree? you could make the mining protocol be such that there's a way to force a lower part of the tree to either be revealed, or that part of the chain would backtrack. *If* the data is actually available, the chain shouldn't backtrack, so it's still secure. If on the other hand the data isn't, well, that was the txout owner's ...
15:18 < petertodd> ... responsibility so tough luck. :)
15:18 < petertodd> adam3us: Not exactly a fully-fleshed out idea, but the approach could work.
02:22 < gmaxwell> but I don't think an obvious greedy algorithm exists.
02:23 < andytoshi> so, for the joiner's calculation, it needs to know if certain inputs are obviously linked
02:23 < andytoshi> and "obviously linked" does not sound well-defined to me
02:24 < andytoshi> would it suffice to assume the inputs are independent, and just look at the entropy of the mixer's input-to-output mapping
02:24 < andytoshi> ?
02:25 < andytoshi> that's nice because it's context-independent -- you give me any rawtx and i can compute that without even a network
02:26 < gmaxwell> andytoshi: you can assume the inputs are independent after doing the trivial preprocessing to merge ones with duplicate scriptpubkeys.
02:27 < gmaxwell> if that raw tx is signed you can still do it by looking at the scriptsigs ... most of the time.
02:28 < gmaxwell> andytoshi: the other weird thing is that this 'plausible' metric is kinda odd in that any funny business at all results in a misestimation of 0 entropy.
02:29 < gmaxwell> which actually suggests that it's worth thinking about how we can enable that kind of funny business because just like the argument for CJ existing if the funny business exists with enough frequency, an attacker is forced to assume any txn might involve funny business.
02:29 < andytoshi> can you give an example of this?
02:30 < gmaxwell> andytoshi: yea, sure, say you and I do a coinjoin. But I actually happened to owe you money, and so the real mapping isn't a 'plausible' one because it transfers some of my coin to you.
02:30 < andytoshi> oh, i get what you mean
02:31 < gmaxwell> concretely e.g. you put in 1 and I put in 5, and then you get out 2 and I get out 4. all that we've discussed above would decide the maximal users there was 1.
02:31 < andytoshi> right, that's great, and it's not at all hard to do now .. if you owe me money, i'd say "let's get in on the next join session"
02:31 < andytoshi> (and with me personally you could even use the donation output
02:32 < andytoshi> )
02:32 < gmaxwell> yea, even outside of the context of a specific coinjoin: you can do this generally for payments as a way to consolidate change. E.g. if I want you to pay me, I could give you some extra inputs to include.. then you sign and give me the half signed txn.
02:32 < andytoshi> ah, that would require better tool support
02:32 < gmaxwell> Yea, but it could just be an addon in the payment protocol pretty easily.
02:33 < gmaxwell> "Add these extra inputs to the transaction and pay them to me, thanks"
02:34 < gmaxwell> the interesting question is that once you've relaxed the definition of 'plausible' to include the possibility of payments.. I think _any_ mapping is possible.
02:34 < gmaxwell> and the entropy of the coinjoin is basically log2(inputs*outputs)
02:35 < andytoshi> yeah, i think that's correct, which is pretty cool
02:35 < gmaxwell> as there is an auxiliary table of users paying other users.
02:35 < andytoshi> now, perhaps nsa with its psychologists can get information out that we can't
02:35 < gmaxwell> but the problem is that if no one ever does this then it doesn't matter. An attacker isn't really constrained to consider corner cases.
02:35 < andytoshi> but that's probably not a threat model we can do anything about
02:35 < andytoshi> right, exactly
02:36 < andytoshi> for now our definition of 'plausible' is good, so let's work with that
02:36 < gmaxwell> oh sure, not all payments are equally likely. For example, I can say that as a prior that auxiliary payment table is probably _sparse_ e.g. that it has a low l_0 norm.
02:36 < gmaxwell> and that non-sparse payment tables are very much less likely than sparse ones.
02:36 < gmaxwell> even in a world where people use this frequently.
02:37 < andytoshi> that seems plausible, though it's hard to say in the presence of fees
02:37 < andytoshi> maybe people only want to do transactions if they need to do transactions
02:37 < gmaxwell> well, it's just unlikely that you could find N people who all want to pay a bit to each other, for N>2 :P
02:38 < andytoshi> oh, yeah :P
02:38 < gmaxwell> cut-throughs also add some interesting analysis wrinkles, again if they actually existed.
02:39 < andytoshi> now, here's a silly question: our definition of coinjoin entropy as "entropy of the mixer's knowledge" .. is it monotonic?
02:39 < andytoshi> monotonic wrt the number of transactions
02:39 < gmaxwell> you mean the number of contributors to a mix?
02:39 < andytoshi> so if my joiner says "there's a 10-bit transaction in here", can somebody put in a transaction which reduces the entropy?
02:39 < gmaxwell> No, it must go up.
02:39 < andytoshi> yeah
02:39 < gmaxwell> (or stay the same)
02:39 < andytoshi> is that obvious?
02:41 < gmaxwell> I think so, otherwise I could just grab a random unrelated txn, add it to a transaction I was analyzing "assume this was joined in" and magically know more about the original transaction. :P
02:41 < andytoshi> i like that argument :)
02:42 < gmaxwell> The understanding that it was monotonic is why I've favored including poorly mixing transactions too, if that's all that's available.
02:43 < gmaxwell> likewise it would be useful to join coinjoins. e.g. if you had a 1 BTC mix and a 0.5 btc mix going on, might as well make the final txn contain both of them. Maybe you'll get lucky and some change will be ambiguous.
02:43 < gmaxwell> And if the attacker is forced to the N^2 model (where people are paying people) then the entropy increases enormously.
02:44 < andytoshi> cool, this all sounds good
02:45 < andytoshi> i'll spend some time trying to compute this entropy
02:45 < andytoshi> maybe i can compute the entropy of output values, and say "the highest-entropy output is XXX" rather than "the most popular output is XXX"
02:46 < andytoshi> i'm not sure if there's a good way to define such a thing..
02:46 < gmaxwell> hm. I wonder what the entropy impact is if you limit the aux matrix to a maximum column L_0 norm of 2. uhh. like "You can pay yourself and at most one other party", or further "optionally yourself and optionally one other party, and if you are paying that other party, that other party pays no one else"
02:46 < andytoshi> it'd be awesome if i could make the transaction entropy be the sum of the output values' entropy
02:47 < andytoshi> my guess is, it'd reduce the attacker's search space from N^2 to 2N
02:47 < andytoshi> or somethin
02:47 < andytoshi> something drastic*
02:48 < gmaxwell> e.g. a realistic use of the non-admissible coinjoins is one where at most half the participants are each paying up to one additional other participant (who isn't paying anyone but themselves)
02:49 < gmaxwell> I guess one interesting thing when you allow payments is, in fact, that you add up to 'outputs' worth of 'shadow' inputs that provide 0 in.
02:49 < andytoshi> yeah, my guess is that this would be the most common case, after admissible coinjoins, by -far-
02:50 < gmaxwell> well it generalizes all transactions too.. e.g. a regular payment to you with change fits this model now.
02:50 < andytoshi> oh yeah
02:52 < gmaxwell> in any case, a whole bunch of neat papers could come out of this, but I think so long as coinjoins are more academic than reality any attacker will just go "let's assume that never happens and we'll sort it out if we do ever find a case where it did"
02:52 < andytoshi> agreed, for now i will compute the entropy assuming no funny business
02:53 < andytoshi> link to a short document explaining the calculation and how to do funny business which makes the tx safer than claimed
02:57 < gmaxwell> BlueMatt: will the pulltester still run if I close a pull?
03:10 < BlueMatt> gmaxwell: no
03:12 < gmaxwell> BlueMatt: seeing things like this pass is always not a happy moment: https://github.com/bitcoin/bitcoin/pull/3469
03:12 < gmaxwell> but as expected since regtest overrides.
03:13 < gmaxwell> but ... reasons I don't love regtest being a separate mode
03:15 < BlueMatt> true, though pull-tester is designed to test subtle bugs, not head-smacking bugs
03:16 < BlueMatt> it fails at both, but still
03:18 < gmaxwell> Ideally we should be able to test pulltester by inserting head-smacking bugs though, and making sure that every possible headsmacking bug we can think to insert fails... (The reason being that headsmacking bugs are easy to insert and be sure that they're actually bugs and not equally okay changes)
03:18 < BlueMatt> agreed
03:18 < BlueMatt> feel free to code it :p
03:37 < sipa> dang: http://bitcoin.stackexchange.com/questions/19455/searching-for-the-comprehensive-guide-to-creating-crypto-currency
03:39 < warren> sipa: we need someone to actually write the clonecoin generator that we all threatened to write.
03:39 < sipa> yeah
03:39 < warren> option: Set exchange bribe amount [minimum 100 BTC]
03:40 < warren> checkboxes for various bad ideas
03:49 < warren> sipa: would others fund this? I can get one of my students to do this.
03:49 < warren> I can throw in some money.
03:50 < gmaxwell> heck, if done right (costs a small bitcoin payment to make it build) it can be revenue producing.
03:50 < warren> hahah
03:51 < warren> don't release source for the generator. make it a web app that outputs everything.
03:51 < gmaxwell> oh absolutely.
03:51 < gmaxwell> heck, you could even charge more to get source out with your binaries (take care not to violate the LGPL, it needs to be relinkable) :P
03:52 < warren> checkbox: "Steal sunnyking's proprietary source for centralized broadcast checkpoints. Will he sue?"
03:52 < warren> haha
03:54 < gmaxwell> [ ] set your own alert key [....] {+.1 BTC}
03:56 < midnightmagic> lol
03:56 < midnightmagic> that would be so much win
03:56 < midnightmagic> + seednode code generator
03:56 < gmaxwell> yea, it needs to also provide a standalone miner and pool setup. which is kinda a pita.
03:57 < gmaxwell> the miner isn't so bad so long as it uses sha256 / scrypt / primecoin but the pool setup is more of a pain.
16:18 < gmaxwell> let y = x as uint works in rust. I'm not sure why you would do let y: uint = x as uint; .. but I don't know that much about rust and haven't written anything other than total toys in it.
16:19 < HM> well i pulled the example from the tutorial on the rust-lang.org site
16:19 < gmaxwell> HM: it's very likely that each of these things has a reason that someone considers good... or if you really believe they don't then hell: post to the list! they are still _actively_ changing the syntax in a way that breaks code. And if crap like that is actual oversight then they would fix it.
16:20 < HM> Nah
16:21 < HM> It's too established to change now
16:21 < HM> that's the style they've chosen
16:21 < gmaxwell> If nothing else they should write a FWTFS that explains these things that apparently offend some on first blush.
16:21 < HM> I'm not talking about quirks, i dislike the overall style
16:23 < gmaxwell> well, many of the things you've complained about here are outright quirks, and I know some are well justified, e.g. the function syntax prevents type ambiguity and the AA BB(CC) problem.
16:24 < HM> ok
16:24 < HM> riddle me this
16:25 < HM> if the Rust function declaration syntax looks a lot like a C++11 lambda
16:25 < HM> why does the Rust closure syntax look completely different?
16:26 < HM> I guess because "fn" is an abbreviation for "function name"
16:26 < HM> seems more like a hint to the compiler than to make it more readable for the programmer
16:27 < HM> let square = |x: int| -> uint { x * x as uint };
16:27 < HM> i would probably expect this to be
16:28 < HM> they use the ||'s for the for each syntax
16:28 < HM> it's just weird
16:29 * HM goes to watch GoT
16:33 < HM> apologies for flooding :S
--- Log closed Tue Apr 09 00:00:18 2013
--- Log opened Tue Apr 09 00:00:18 2013
--- Log opened Tue Apr 09 03:13:39 2013
08:28 < HM> Just gone through a paper gmaxwell posted on bitcointalk
08:29 < HM> double blinded ECC signatures - 2010 paper by some folks at Tunghai University
08:29 < HM> i'm glad to say I followed all the algebra
08:30 < HM> it's very cool
08:33 < HM> one of the few papers i read where too much algebraic detail made it harder to follow. kept expanding terms instead of grouping them :S
09:12 < HM> hmm
09:12 < HM> this scheme doesn't prevent collusion between requester and signer
09:20 < HM> also if the signer ever sees a copy of the message it can use its database to discover who requested the signature
09:30 < HM> unless I'm mistaken Chaum's "BLIND SIGNATURES FOR UNTRACEABLE PAYMENTS" proposal doesn't protect you against collusion between payer and signer either
09:31 < HM> "Wei Dai" has a proposal that prevents collusion, but a third party can't verify tokens
09:31 < HM> I haven't seen a scheme that prevents both collusion and allows 3rd party verification
10:26 < gmaxwell> HM: for some protocols you can just have ALL of the participants blind sign.
10:26 < gmaxwell> e.g. for a vote.
10:29 < HM> i'm obviously thinking about digital cash
10:30 < HM> the simplest scheme i've seen has the issuer multiply a random point on a curve by their private key, for a fee. That's easy to blind but a payee can't verify the 'signature' (not really a signature) is legit
10:32 < HM> the 2010 paper you linked to on bitcointalk from Tunghai uni allows that but the signer can never be allowed to see the message again or they can figure out who asked for it to be signed.. and of course to verify the signature you need the message (or a hash of it)
10:33 < HM> so the question, how do you create a signature a 3rd party can verify but you can be sure hasn't been watermarked?
22:03 < warren> jgarzik: gmaxwell: Litecoin-0.8 might easily cut down its UXTO set from the week of spam in November 2011 because the attacker used the same addresses repeatedly. Just declare all those addresses unspendable.
22:04 < warren> (yes, there is no similar simple solution for bitcoin)
22:09 < gmaxwell> warren: uh didn't the litecoin attacker send 1e-8 litecoin to like every litecoin address?
22:13 < warren> gmaxwell: perhaps in a different part of the attack, I will find out. I will scan it thoroughly to make sure declared unspendable UXTO are the right ones. there appear to be a great many that are concentrated in a small number of addresses now.
22:15 < gmaxwell> warren: if you're going to do that in litecoin, why not add utxo aging?
22:15 < warren> gmaxwell: is that written anywhere?
22:15 < amiller> add a utxo rental price
22:15 < amiller> when the parking meter runs out of time, kick out the utxo
22:16 < warren> amiller: more like a purchase price, which I've been suggesting for weeks now.
22:16 < warren> oh ... time limit, I like it.
22:16 < gmaxwell> warren: meh, it's not a purchase price if you can't redeem it.
22:16 < amiller> rental vs purchase
22:16 < warren> I see, rental.
22:16 < amiller> also like a parking meter, you (anyone) can put more coins in
22:16 < amiller> to keep it around longer
22:16 < warren> by spending it
22:16 < amiller> you can have a bitcoin parking meter fairy
22:16 < amiller> that fixes other people's coins that are about to expire
22:16 < warren> uh
22:17 < gmaxwell> amiller is on the moon right now, leave a message after the beep
22:17 < amiller> just follow your nose starting at 'rental price' and you'll get mostly good ideas.
22:18 < warren> Everyone has to reindex with 0.8.x anyway. a tiny proportion of those users will have 1e-8 disappear
22:19 < gmaxwell> warren: and then one of those gets spent and the network forks forever.
22:19 < warren> gmaxwell: the network is hardforking anyway
22:19 < gmaxwell> For what?
22:19 < gmaxwell> warren: in any case, it's stupid to solve it one time,
22:19 < warren> (mainly because they don't understand that an immediate fork isn't needed)
22:19 < amiller> people hate the idea of their bitcoins getting forgotten, or getting 'inflated' by demurrage but they'll come around to the idea of safety deposit boxes - those are reasonable
22:20 < gmaxwell> And the, as I illuded to in #bitcoin people involved in the project will have a weaker position when some authority _orders_ them to edit the utxo set in the future.
22:20 < gmaxwell> alluded*
22:21 < warren> It's an agnostic UXTO change. If txo < tiny number, just declare it gone.
22:22 < gmaxwell> warren: so generalize that and say a UTXO lives for 51840*ceil(log10(value)) blocks or something like that.
22:22 < warren> rather: If txo < tiny number prior to block X, just declare it gone. When <mumble>coin is worth $10 million dollars each in the future it will be usable again.
22:23 < gmaxwell> uh. then all nodes still have to retain the data forever
22:23 < warren> at least it won't be in the UXTO set?
22:25 < amiller> how about when the 'value' changes, then previous utxos are credited proportionally for their time
22:26 < warren> gmaxwell: This might not be needed anyway, literally all of the litecoin spam is in a week during November 2011. I suspect the simplest and least risky plan is just to figure out which addresses concentrate the most spam UXTO and just eject that.
22:26 < warren> (scanning to be damn sure it affects nobody else)
22:27 < gmaxwell> warren: so you do that and then shortly thereafter someone just floods you again.
22:28 < warren> gmaxwell: they're welcome to pay the ridiculously high fees
22:28 < gmaxwell> Hell, it would be worth doing that just to make you feel stupid. :P
22:28 < warren> litecoin has two fees, a regular high fee, and an added fee for dust values
22:30 * warren still doesn't have <any>coins. This is just interesting to think about.
23:03 < gmaxwell> So P2SH^2 am I awesome or what? Best idea I've had all month.
23:14 < BlueMatt> is it really worth implementing though?
23:17 < gmaxwell> I .. think! so.
--- Log closed Wed Apr 10 00:00:06 2013
--- Log opened Wed Apr 10 00:00:06 2013
02:14 < warren> gmaxwell: the super high fees are not an adequate deterrent? (genuinely confused)
08:28 < HM> Bitcoins Law: when hashing doesn't solve your technical problem, you're not hashing hard enough
13:38 < warren> HM: I'm running the hamster wheel as hard as I can.
14:17 < HM> warren: ?
14:17 < warren> <HM> [02:28:38] Bitcoins Law: when hashing doesn't solve your technical problem, you're not hashing hard enough
14:18 < HM> oh right
14:38 < warren> gmaxwell: how do I obtain voice in -otc?
14:38 < gmaxwell> warren: ask gribble to voice you
14:39 < warren> <gribble> Error: You don't have the #bitcoin-otc,voice capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
14:41 < gmaxwell> be sure that you are identified
14:42 < warren> I did
14:42 < warren> ;;everify right?
14:42 < gmaxwell> Yes.
14:42 < warren> yes, verified
14:43 < warren> assuming ";;voice #bitcoin-otc warren" is the right command
14:44 < gmaxwell> no, ;;voiceme
14:44 < gmaxwell> IIRC
14:44 < gmaxwell> voice is to voice other people.
14:45 < warren> ah, thanks
16:53 < warren> during the panic "/mode +q $~a" was quite useful.
16:54 < warren> Mute everyone who isn't logged into nickserv.
17:55 < gmaxwell> well any method that stops people from talking lowers volume...
17:57 < gmaxwell> Though I boggle that people who'd been in the channel for an hour were still "SELL SELL SELL" as I was kicking people at a rate of about 0.5-1 per _second_ for doing that crap, I really do wonder if some of these people aren't bots.
18:05 < warren> One guy in the channel was encouraging people to change to a safer currency like Terracoin.
18:06 * warren facepalm
18:12 < gmaxwell> I am hans and this is frans and we are here to PUMP YOU UP.
23:28 < jrmithdobbs> does anyone have any idea how to get a CVE reserved for something not in debian or redhat?
23:28 < jrmithdobbs> I emailed cve-assign@mitre.org this morning but no response
23:34 < warren> jrmithdobbs: it isn't in Fedora either?
23:34 < jrmithdobbs> nope
17:10 < adam3us> gavinandresen: "but my lesson learned was "don't mine"" yeah i wasnt expecting to get much more than recoup cost out of it, but i for one missed the GPU mining fun era completely - despite receiving email from satoshi in sep 2008 and feb 2009 saying go check out the client, so this is my variant of that
17:11 < gmaxwell> Mining has done well for me. ::shrugs::
17:12 < gavinandresen> adam3us: if it is any consolation, I did the math in 2010 and found it was less expensive to buy bitcoins than mine on my CPU.
17:12 < sipa> i think i profited moderately from both gpu and asics
17:13 < sipa> though never large scale
17:13 < sipa> and now i've stopped
17:13 < gmaxwell> wuss. :P
17:14 < adam3us> yes so its just an amusing thing to try, mining, and if i slightly help decentralization so its fine to just leave it on at elec break even
17:15 < gmaxwell> even at break even, it's a nice highly anonymous way to buy coins from the power company, assuming you have the hardware. :P
17:16 < adam3us> gmaxwell: well in fact i was thinking you might earn enough to pay fees on hidden (aka committed) tx which are perfectly unlinkable ;)
17:16 < gmaxwell> though it's still nowhere near break even now.. at current diff and $350 exchange your power would have to cost $1.1578/kwh to make avalons merely break even for power costs.
17:17 < phantomcircuit> gmaxwell, assuming what daily increase in network hash rate?
17:17 < adam3us> gmaxwell: that was partly why i was thinking it'd be interesting to have lower gpu self-mine without pools ie some kind of part-block payout
17:17 < gmaxwell> phantomcircuit: thats _right now_. I mean, I can turn them off in under a minute...
17:17 < phantomcircuit> gmaxwell, right
17:18 < phantomcircuit> you've already made capital costs right?
17:18 < gmaxwell> phantomcircuit: yea, they paid back their initial price in usd on the third day, and the initial price in bitcoin in about 2 weeks.
17:19 < phantomcircuit> gmaxwell, yeah people buying now are going to have a much harder time doing that
17:19 < phantomcircuit> even if you can get delivery tomorrow
17:19 < gmaxwell> indeed, people ask me if they should buy mining hardware and I dunno, the future is hard to predict.
17:19 < gmaxwell> There are optimistic predictions which are nuts, and pessimistic predictions which are slightly less nuts but still nuts. The truth, who knows?
17:20 < MC1984> youd have had to have junked them by now if the price didnt keep skyrocketing
17:20 < adam3us> right - i guess if its cheaper to buy coins just buy coins however
17:20 < phantomcircuit> yeah i mean the knc boxes are entirely sold out i think for months
17:20 < gmaxwell> MC1984: they'd still be profitable over power costs at $100/btc, though not very much.
17:21 < adam3us> so i wonder - if the supply problems with asics do finally get resolved
17:21 < adam3us> difficulty will spike, and profitability will sink to electricity cost
17:21 < gmaxwell> adam3us: I dunno miners are different now than in the past, in the gpu days when my (at 6.5cts/kwh power) operation was 2:1 return on power cost hashrate was dropping.
17:21 < MC1984> gmaxwell, i think that just goes to show how ridiculously stinking profitable they were at the beginning
17:22 < adam3us> wonder if that will cause miners to switch off, or bitcoin exchange rate to go up
17:22 < gmaxwell> MC1984: there was a guy who had a chart showing how much money a batch 1 avalon has made, I'm glad he's taken it down.
17:22 < adam3us> (switch off and stop buying more)
17:23 < gmaxwell> adam3us: well, I'm planning on moving my avalons someplace where the power is cheaper.
17:23 < adam3us> see there are two parameters to network hash rate: speed/energy efficiency per unit, and availability of units, seems like the asic so far have improved the speed a lot, but the availability is thin
17:24 < gmaxwell> adam3us: availability has always been ~0 when the profitability has been high.
17:25 < MC1984> gonna put your boxes into hosting?
17:25 < adam3us> gmaxwell: in theory more availability is good for decentralization (now the litecoin argument) and the counter-argument was sha256 is easy lots of people will make them
17:26 < adam3us> gmaxwell: not happening that well so far, though i live in hope
17:26 < gmaxwell> it has been happening, but the demand is pretty awesome when the devices are spitting out a ton of coin...
17:26 < MC1984> havent heard a peep out of asicminer for ages though
17:26 < MC1984> i bet they are hiding their power level
17:30 < gmaxwell> if they're not crazy they've sold their first gen hardware to other suckers^wpeople by now... but who knows.
17:30 < gmaxwell> That whole model was really crappy. I mean, good for them at suckering people to finance them but .. ::shrugs::
17:30 < MC1984> the pie charts says 1%
17:30 < MC1984> and a nice chunk of unknown too
17:31 < MC1984> im actually more pleased that p2pool is holding at 1%
17:31 < MC1984> its not quite oblivion
17:32 < gmaxwell> p2pool is pretty much where its always been. it sagged a bit when the avalons didn't initially work on it..
17:32 < maaku> MC1984: as long as its not decreasing
17:33 < MC1984> i wonder if that more or less represents a percentage of people who give a shit about mining consolidation
17:33 < MC1984> whats the ratio for altruists to stop a system turning to poop?
17:33 < gmaxwell> MC1984: or more like some mixture of that and paranoid about pool op theft, and who are willing to go through the trouble.
17:34 < MC1984> hm yeah
17:34 < MC1984> its not too much trouble though. i set up a p2pool node once
17:34 < MC1984> i just didnt have anything to mine against it
17:35 < adam3us> why doesnt everyone p2pool?
17:36 < gmaxwell> Some number of people are convinced that all the pool operators are thieves... e.g. cypherdoc on the forums. He claims to solo-mine, though based on his comments I would be a little surprised if it were true.
17:36 < gmaxwell> so you don't have to care about decentralization to prefer to not use the centralized pools.
17:36 < MC1984> they could be thieves
17:36 < gmaxwell> they could be, in fact I'm sure some have been.
17:36 < gmaxwell> but you can't tell.
17:37 < MC1984> why so much trust around still
17:37 < maaku> adam3us: it's a hog, you can lose more than the average pool fee on a high-latency connection, variance is super-high, etc.
17:37 < adam3us> help centralization, spread rumors about miners
17:37 < MC1984> some pool ops have been straight guys though
17:37 < adam3us> decentralization i meant
17:37 < midnightmagic> maaku: Mm.. that's not quite true.
17:38 < gmaxwell> For some definition of high, though you also lose pool income on high latency connections too.
17:38 < gmaxwell> though p2pool somewhat more.
17:38 < midnightmagic> adam3us: The statistics as shown make it easier to infer that p2pool is *wasting* mining effort up to 16% or so.
17:38 < gmaxwell> Which isn't the case, but that doesn't stop people from claiming it.
17:38 < maaku> midnightmagic: it's my experience running a p2pool node.. although I haven't synced with forestv's sources in some months
17:39 < gmaxwell> maaku: the time between shares was upped to 30 seconds, which greatly reduced the latency dependence. its still higher, but this isn't entirely bad.
17:39 < maaku> it was much worse under 10s shares (it's now 30s right?)
17:39 < maaku> yeah
17:39 < midnightmagic> adam3us: It requires local knowledge and setup and maintenance of a bitcoind, and a p2pool instance running on either the same machine or another one. I suspect it's mostly just misunderstandings that people don't want to clear up, and the fact that it's got a 15-hour block turnaround time.
17:40 < midnightmagic> there was a spike a few times where the orphan rate just shot right up like crazy with a huge influx of hashrate. I don't know what was going on there. It looked as though someone was trying to mine with something big and gave up on it.
17:40 < amiller> i've been thinking about mining and asics and for the moment, equipment costs totally dominate power costs
17:40 < adam3us> as i recall i tried it once and it was like really nothing just p2pool instead of eligius
17:40 < gmaxwell> P2Pool has roughly 1/10th the orphaning rate of eligius, for example. ... why? beyond the relaying advantages, ... it makes miners fix their latency (or drives away slow miners)
17:41 < adam3us> and my reaction was woah why doesnt everyone do that!
17:41 < amiller> but we also aren't at the full curve of the chip development cycle, the 65nm chips are coming out now, but once we get to like 20 or whatever intel does, it totally levels off and then there's going to be hardly any more improvement in hashes per second per dollar-spent-on-chips
17:42 < gmaxwell> adam3us: if you're already running bitcoin-qt / bitcoind and have a reasonable host.. it's easy. Otherwise, its actually a lot of work. People show up in #p2pool "halp on my atom with drum memory I get 60% efficiency!"
17:42 < maaku> lol drum memory
17:42 < gmaxwell> amiller: well, KNC is 28nm but its using structured asic.
17:42 < MC1984> structured?
17:42 < sipa> aka glorified fpga
17:43 < amiller> structured cell arrays are sort of gateway asic, much cheaper than fpga, but still sort of general purpose and less efficient than standard cell array
17:43 < gmaxwell> yea, it's in between a hardcopy fpga and a real asic.
17:43 < MC1984> whats the point of that
17:43 < gmaxwell> lower upfront costs, potentially faster time to market.
17:43 < gmaxwell> The downside is higher marginal costs (per hashrate ... but this is actually really low in any case) and higher power consumption.
17:44 < MC1984> i suppose right now the time to market thing makes it worth it
17:45 < MC1984> whats that nifty stat about how long it would take current hashrate to recreate the whole chain
17:45 < MC1984> i bet its down to like a week now
13:30 < petertodd> sipa: like, imagine if the payment protocol is widely deployed, and merchants use out-of-band payments extensively to get their zero-fee payments from their customers mined: p2pool wouldn't be able to earn fees at all
13:31 < adam3us> petertodd, sipa: i was noticing when playing with committed transactions, that you dont need to send the values, nor recipients to the miners; only a commitment to them (hash) and a commitment to the senders address
13:31 < petertodd> sipa: I've got what appears to be a pretty good way to do decentralized out-of-band payments though, but it's way more complex than the centralized way :(
13:31 < amiller> jgarzik, uh, well i'm not exactly sure i understand what you mean by oracles / agents there
13:32 < amiller> jgarzik, i guess you just mean semi-trusted parties that aren't the end-users who the protocol actually benefits, but like a server with limited capabilities
13:32 < adam3us> petertodd, sipa: reduces attacks if the miners know as little as possible about what is going on
13:32 < jgarzik> amiller, pretty much
13:34 < amiller> i still feel like calling them autonomous agents or oracles is misleading language that deliberately conveys some kind of additional trustworthiness that isn't warranted
13:34 < amiller> </monthlyscheduledrant>
13:34 < petertodd> adam3us: ooh, reminds me re: committed txs: I've got an idea where you'd make transactions have commitments of previous ones with a merkle-mountain-range-like scheme so you could efficiently reference any previous transaction up to the genesis block. This is easiest to understand if transactions can only have linear history, but a dag history is doable too. Anyway, wallet software would receive that history to know the coins are valid, thus pushing validation directly to the users. Obviously some way of pruning that history is important, SCIP is heavy-weight and complex but could work.
13:35 < sipa> thus pushing v[...]
13:35 < petertodd> adam3us: yes, but nothing other than inertia prevents miners from demanding that users reveal enough info to let them know what transactions actually are; again, it's easy to imagine governments regulating mining pools and forcing them to do this.
13:37 < petertodd> adam3us: you really need to keep it possible to mine by small parties to keep that balance towards decentralization - helps the larger pools resist regulation too if they can point out that the smaller miners that can't easily be regulated will just out-compete them if the government forces the larger ones to do things like 51% attack the non-censoring miners
13:37 < petertodd> *government tries to force
13:38 < adam3us> petertodd: it reduces bandwidth if you can send commitments only to the block chain, because ok to send previous tx history back to the last snapshot (or to genesis) is a bit of a privacy leak, its still better than now; and its more efficient to send that to each recipient than broadcast it to everyone
13:38 < adam3us> petertodd: yep, that was exactly the motivation for committed tx - users can yank a 51% miners chain causing him to lose money all day long
13:38 < petertodd> adam3us: yup, commitments with compact proofs of any part of the previous tx history are one form of sharding validation effort.
13:39 * petertodd needs to come up with a good directed acyclic graph version of merkle mountain ranges
13:41 < petertodd> adam3us: wait, explain to me how users "yank a 51% miners chain"?
13:41 < adam3us> petertodd; y'know with homomorphic encrypted values & committed transactions combined, at least the privacy invasion of the full tx history revealed to each recipient is less - you dont see how much money each user has
13:41 < petertodd> adam3us: good point
13:41 < adam3us> petertodd: ah so lets see how did that go, ah yes so you want to make a payment and you're wikileaks (canonical example of unpopular extra-legal blocking)
13:42 < adam3us> petertodd: so you make your payment, wait a few blocks, reveal it; now the 51% miner has to discard 2 blocks of profit and compete against himself; rinse & repeat
13:43 < petertodd> right, and my point is always the government response is to target public bitcoin users and first demand that even though the system is private, they use this new modification of the bitcoin protocol that also sends enough information along-side a transaction to always reveal the contents
13:43 < adam3us> petertodd: that assumes you ever reveal the tx to the network, you could let them circulate in committed form in which case no one not in the tx history knows who paid who
13:44 < amiller> adam3us, suppose you had arbitrary zero knowledge and two party computation or whatever
13:44 < amiller> can we come up with an idealized definition for a private public ledger?
13:44 < amiller> i've been trying to think of a good way to explain this, regardless of the actual implementation efficiency
13:44 < petertodd> then you start getting the pools you can control to apply preferential treatment to non-anonymous transactions, for instance you only mine ones like that, but still extend blocks otherwise. rinse and repeat, until you get to the point where the pools can do direct 51% attacks on the ones that don't.
13:44 < amiller> no one should need to know anyone's transaction balances
13:44 < adam3us> petertodd: well its not that private in the sense that anyone in the payment chain can reveal stuff that came before, so they are free to make a subpoena, most random merchants and users have no incentive to protect privacy of an actual crime with victims
13:44 < petertodd> it's only the inability of government to control at least 50% of the hashing power that prevents that stuff
13:44 < amiller> a transaction between two people should change their balances in a way that both know, but neither should learn the balances of the other
13:45 < amiller> but everyone should learn the transaction is valid
13:45 < amiller> can you do that even abstractly?
13:45 < petertodd> adam3us: yup. the unhiding data could be done by requiring it to be broadcast encrypted to a government controlled pubkey
13:46 < petertodd> adam3us: "Nothing to fear! Your tx's are private unless a court-order is served and the priv-key is used to decrypt them."
13:46 < adam3us> amiller: maybe zerocoin with homomorphic values? (with fixed value is stupidly inefficient send 1,000,000 1c coins to send $10k?)
13:46 < amiller> btw there's a fully open source alternative to pinocchio/tinyram out https://github.com/srinathtv/pantry/
13:46 < adam3us> petertodd: screw that :)
13:47 < amiller> adam3us, well homomorphic values isn't enough i don't think
13:47 < amiller> because homomorphic encryption uses a single key
13:47 < adam3us> petertodd: we see where that ends, apriori wire tap and data fishing on everyone on the planet in utah; even the EU has right now voted to block SWIFT data sharing
13:48 < petertodd> adam3us: yes, but the only thing stopping it is that it's possible to mine outside of government control! Reality is with the current system, even with TXO commitments and fraud proofs, at some point a large blocksize will lead to that scenario.
13:48 < amiller> perhaps if i want to send you some money and we want to prove it's valid to everyone else but we don't want to reveal our balances to each other, we could use a two-party computation that computes the homomorphic function or something
13:48 < adam3us> amiller: yes you can do that (encrypted values add up, without learning other balance) see thread on homomorphic value using schoenmakers range proof
13:49 < adam3us> amiller: it works because there are two values in a pedersen commitment c1 = v1*G + x1*H
13:49 < adam3us> v1 is the value, x1 is a key that is not revealed
13:49 < adam3us> amiller: no one knows DL(G,H)
13:50 < adam3us> https://bitcointalk.org/index.php?topic=305791.msg3277431#msg3277431
13:51 < petertodd> adam3us: so how much larger would transactions be with this homomorphic stuff?
13:51 < adam3us> its not really encrypted as such, just committed in an extended-schnorr provable form (bi DH form)
13:51 < adam3us> petertodd: well like I said on the thread best I got so far was 1K-2K per value depending on the precision of the coin value
13:52 < amiller> i still don't see how you get the range proof
13:52 < petertodd> petertodd: ok, so that's 1K-2K per txout then basically right? is that linear with the number of txouts?
13:52 < amiller> but i'll read more and try to understand it
13:52 < petertodd> does it handle any combination of # of txins and # of txouts?
13:53 < adam3us> its 3+2m values where m is the number of bits of mantissa (precision) of the bitcoin value and a value is 256-bit/32-byte
13:53 < petertodd> (although I guess you could use a merkle-sum-tree to combine txin values and split txout values)
13:53 < adam3us> so I suggested eg 20-bits (1665bytes) or 27-bits 2016bytes
13:54 < amiller> ok so you do a range proof with roughly one value per bit
13:54 < adam3us> petertodd: amusingly i think you could even validate the entire ledger, add it all up and check it comes to however many coins issued so far
13:54 < adam3us> amiller: yes
13:54 < amiller> how do you communicate the value transferred to the other party?
13:54 < adam3us> no 2 values
13:55 < adam3us> 3+2m
13:55 < adam3us> just tell them
13:56 < adam3us> amiller: out-of-band or encrypted to public key if using the block as a store-and-forward channel
13:56 < amiller> okay
13:56 < adam3us> amiller: the fee is public, rest homomorphic
13:56 < amiller> (i apologize i have a hard time parsing all your posts but i think the idea works out)
13:57 < adam3us> amiller: well actually you can mix encrypted & clear values
13:57 < amiller> the pedersen commitments are only homomorphic with respect to addition aren't they
13:57 < adam3us> amiller: eg if you want to hide the value of your balance, but dont care much to hide the actual payment amount
03:48 < gmaxwell> And likewise, scorched earth is only applicable for things where the receiver would be pissed about an unconfirmed doublespend.
03:48 < gmaxwell> Its not unsolvable, but its an unfortunate complication.
03:48 < petertodd> gmaxwell: yeah, I wrote on the forum about how the payment protocol re: coinjoin should work where you actually give the merchant a non-coinjoin, and coinjoin, version of the tx
03:49 < gmaxwell> it makes me think that perhaps there really should be a signal which says "I swear on my mother's grave that I will not doublespend this transaction {within x time}"
03:49 < gmaxwell> since there are plenty of cases where doublespends are totally legit, and you don't want unconfirmed acceptance in any case.
03:50 < gmaxwell> and also cases where you want unconfirmed acceptance and any doublespend is fraud.
03:50 < petertodd> heh, well, like I say, you give the merchant the non-CJ version, the CJ version, and heck, in some cases even more versions because you've done multiple payments in a row and don't know what will get mined
03:50 < gmaxwell> and its only in the latter where scorched earth is the right strategy.
03:50 < gmaxwell> sure.
03:51 < petertodd> thing is, scorched earth has even more requirements, because the sending tx has to be basically minimal size, so that the sender can't double-spend it with a *smaller* tx
03:56 < Luke-Jr> do C++ or boost have a key-only map type?
03:56 < petertodd> Luke-Jr: you mean a set?
03:56 < Luke-Jr> maybe
03:57 < Luke-Jr> unordered set?
03:57 < petertodd> could be? not familiar with boost
03:58 < Luke-Jr> petertodd: looks like these are both standard C++, thanks
03:58 < Luke-Jr> although.. C++11
04:01 < gmaxwell> Luke-Jr: we use stl sets in various places in the codebase.
04:01 < Luke-Jr> but not unordered
04:01 < petertodd> Luke-Jr: does it matter?
04:01 < Luke-Jr> shrug
04:01 < Luke-Jr> I'll use unordered and see if anyone complains XD
04:02 < petertodd> behind the scenes sets get implemented in an ordered fashion often
04:03 < gmaxwell> Luke-Jr: ordered is fine here, they're not in insertion order, they're in whatever search order (based on the comparator of the underlying type) the datastructure needs to make lookups fast.
04:04 < Luke-Jr> I guess I assume std::set is going to be slower than std::unordered_set..
04:04 < petertodd> Luke-Jr: often enough it's all trees behind the scenes anyway...
04:05 < petertodd> Luke-Jr: with C++ that's quite likely because there's no obj.__hash__() like in Python
04:06 < gmaxwell> petertodd: there is actually a generic hash template thing.
04:06 < gmaxwell> petertodd: and I think the unordered set template needs it to work on your type.
04:07 < petertodd> gmaxwell: oh cool, guess I'm wrong
04:19 < Luke-Jr> well, my compiler doesn't have it :<
04:20 * Luke-Jr can't wait for autoconf_pt3 to get merged so the warning on every compile goes away
05:06 < adam3us> y'know the aim of bytemaster birthday hash is amusing - i briefly looked at it in 1997 for hashcash, i actually started my thought process by looking at birthday hashes, but that lasted all of 10min :); it is not progress free so cant fairly be used in a first past the post race
05:07 < adam3us> (his aim is to have fast verify (3 hashes, though he could've easily done it with 2) and yet memory hardness - however he has killed progress freedom, and other more simple issues)
05:09 < adam3us> so its not quite true that it doesnt achieve anything that scrypt does - it achieves memoryless verification, however it has tmto with n^2 advantage, and progress so its broken
05:10 < adam3us> also because of the n^2 advantage custom hardware could dominate it way worse than asic, triple fail :)
05:10 < gmaxwell> adam3us: Their earlier stuff was not a collision problem, I wasn't aware that they switched to that in their latest incarnation as their response on the first one I broke convinced me to never look at their stuff again.
05:11 < gmaxwell> and yea, we had a conversation at collision's for memory hardness in here before, and indeed the advantage for faster miners was brought up, also that you can eliminate the memory hardness with a tradeoff for more computation.
05:11 < adam3us> gmaxwell: someone mining pts got me to look at it
05:11 < adam3us> gmaxwell: yes the problem is the n^2 advantage for memory
05:12 < adam3us> gmaxwell: and the progress, and the tmto they mistakenly thought didnt exist
05:15 < adam3us> u can see it someone using 50 GHz cores (cores x ghz) got bday 180H/min, vs 30 Ghz cores got 50H/min -fast enough processor, for RAM
05:15 < sipa> adam3us: i cannot parse your last sentence
05:16 < adam3us> sipa: because its birthday attack, if your cpus can fill your RAM within the 5mins block interval, the more ram you have the more birthday hashrate n^2 to amount of ram
05:18 < adam3us> what its computing i think is H(cb, a) for random a, coinbase cb; where H finds a 26-bit hashcash (like bitcoin but small difficulty as a pre-screen)
05:18 < adam3us> then they store those values (h1,...h_n) = {H(cb,a),H(cb,b),...}
05:19 < adam3us> and look for 50bit birthday collisions on h_i values, (using a hashtable rather than memory scan)
05:20 < adam3us> finally for each H(cb,a)==H(cb,b) the test if H(cb,a,b) < target
05:21 < adam3us> (the code i found unreadable, the paper vague and stale... talking about scrypt and other ideas; its actually using hashcash-sha512-26 ie partial preimage with 26-bits of leading 0 using sha512 hash function)
05:21 < gmaxwell> adam3us: if you have super fast logic but gates for memory are costly you can also run near memoryless (like pollard rho w/ period finding), so if you really believe the argument that needing lots of memory is a great enhancement, well, not so much.
05:21 < adam3us> for the H function
05:22 < adam3us> gmaxwell: yes i agree - i said 3 problems, tmto (2 types actually), progress, and n^2 memory advantage
05:23 < gmaxwell> but besides that it's awesome!
05:23 < adam3us> the other tmto is to use a hashtable which is unreliable but more compact
05:23 < adam3us> gmaxwell: lets not mince words - its triply broken :)
05:23 < gmaxwell> I hadn't decoded tmto to time memory trade off for some reason.
05:24 < gmaxwell> I'm waiting for them to think you can use hamming distance instead of prefix matching to prevent that.
05:24 < adam3us> gmaxwell: but the usual cycle method doesnt work i think on partial birthday, only on full birthday, because the cycled finds are almost certainly of unrelated values
05:24 < gmaxwell> (you can't)
05:25 < gmaxwell> adam3us: sure it does, you just need a function that reads only from the partial chunk for the next step.
05:25 < gmaxwell> (whats even more awesome is you can make this work well for hamming distinct thresholds too... with some mild complication)
05:26 < adam3us> gmaxwell: i dont think so, someone proposed the cycle method on the bitshares forum and it got shot down (not that they know much), but I dont think you can define a meaningful cycle
05:27 < adam3us> gmaxwell: he was forced to pay out his $5000 bounty to forum people, i held off saying anything :)
05:28 < adam3us> (mostly for the unreliable hashtable so it fits in gpu unit L2 cache)
05:28 < gmaxwell> well I haven't looked at their thing, but this does generally work for finding n-bit prefix matches in hash functions. There is a paper I like on it that also goes into the hamming threshold case.
05:30 < adam3us> gmaxwell: its possible i am wrong but what i am thinking is if you find cycle one of r_1, ... r_k, ... and another cycle r'_1,... r'_k the problem i see is that r_{k-1} is unrelated to r'_{k-1} and so on
05:30 < adam3us> (where r_k == r'_k)
05:34 < adam3us> the objective isnt stupid though - i thought of that too - to find an scrypt variant where you can verify without memory. i believe its challenging without introducing progress
06:31 < adam3us> btw TD: something else wrong with uploading batches of deterministic addresses, they are uncertified. the payment protocol certifies them, but with an SSL key in server memory. Obvious attack point
06:35 < adam3us> TD: if the base address is static it can be certified by an offline X509 key, or simply verified with out of band static information
06:42 < TD> no
06:42 < TD> the payment protocol does not specify any kind of "server" or "client". whoever generates the payment request can sign it. SSL or not is irrelevant.
06:42 < TD> so if you have a private key, your wallet would just upload pre-signed payment requests
06:42 < TD> however most individuals do not have a certificate. so, i suspect we'll end up with a different PKI for end users.
06:42 < TD> (and to start with, none at all)
07:23 < adam3us> TD: i imagine any business web site accepting payments has an x509 cert (for SSL associated with the server domain), so if they bother to sign the payment requests, they would probably reuse the one they already have. you are right though that they could sign it with an x509 email cert, or a sub-domain cert
07:23 < TD> yes, business websites don't need to batch upload anything. they can generate them on the fly with the ssl key indeed. sorry i thought we were still talking about personal usage
07:23 < adam3us> TD: but there may be expectation issues - surely the relying party should expect a signature from bobsparts.com, not from bob@hotmail.com
07:25 < adam3us> TD: yes. i am not saying i have a solution, eg the bloombait so far seems to likely have issues but will see what it can do; however at requirements level mostly i am saying it would be nice if it were static, then it could be on a business card, brochure, shop window, with zero possibility for web site hacking address redirection
07:26 < TD> people can have their wallets be compromised as well. then it's impossible to recover
07:26 < adam3us> TD: (because signing with the site SSL key is also vulnerable to address hacking)
07:26 < TD> if a web site gets hacked, it can be re-sealed
22:39 < amiller> i actually think that higher variance mining makes more sense here
22:39 < gmaxwell> GIGAVPS, asicminer, "cloud mining" are all examples of hosted mining, and there will be many more. Buzzdave (megabigpower) and BFL have their own hosted mining offerings, etc.
22:40 < amiller> a mining operation that has a lottery interface on one side to its clients and does bitcoin mining on its other would really want low variance
22:40 < amiller> because it could easily promise more money than it can afford to payout
22:40 < gmaxwell> Basically even though the current technical scaling factors strongly discourage big datacenter operations, there are social factors that encourage them. "derp derp I'm too dumb to run a miner, but I have money and want to make profit mining!"
22:40 < gmaxwell> amiller: you can just make your customers take the mining risk.
22:41 < amiller> right
22:41 < amiller> so that's where the trapdoor thing comes in
22:41 < amiller> i should make it so that any attempt to tie a customer's outcome to the outcome of a particular attempt at mining on the chain
22:42 < HM> the startup risk is large, if you get no customers then you've invested a lot for bugger all
22:42 < amiller> involves a trapdoor that makes it really easy to obscure the actual probability distribution of the chain's payout
22:43 < gmaxwell> HM: sadly preorders in the bitcoin world are ubiquitous, asicminer was entirely funded by selling hundreds of thousands of dollars in shares on the bct forum. They then rigged it up so they'd continue to own a ~majority of the shares. used the funds they raised to fab asics.. and put them online.
22:43 < HM> heh
22:43 < gmaxwell> HM: a lot of the other hosted offerings leave it to the customer's responsibility for the mining hardware to show up at their door. Once it's there they rack and stack and configure and start sending the user coins.
22:44 < gmaxwell> amiller: okay so your solution is basically to make it so that the hosting company can very easily hide their income, so they can steal from the miners.
22:44 < amiller> yes that's right
22:45 < gmaxwell> amiller: the challenge I see here is that the mining has an expected income, so the amount they can steal is bounded by that probability distribution model. I would also point out that _none_ of these services do any kind of proof at all that they aren't stealing, even though they could today, people don't ask for it.
22:45 < gmaxwell> E.g. ASICMINER could have easily built 50% more chips than they claim to have, and could be running them not as asicminer and no one would know.
22:46 < amiller> sure, i guess they only have shares
22:46 < amiller> my assumption is that a client pays a fixed price for a certain payoff distribution
22:46 < amiller> like i pay for 10 shares some fraction of them should win
22:46 < amiller> but suppose there is a high variance option
22:47 < amiller> like one out of every hundred blocks wins an extra large amount of bonus or something like that
22:47 < amiller> then you can steal that bonus without raising much suspicion
22:47 < amiller> because it happens very infrequently anyway
22:48 < gmaxwell> Yea, I mean you could send shares to the customers to prove that their device was trying to mine in a publicly validatable way. But no one asks for that today. And yes, shares + high variance would make the miners secure against cheating. (make the shares frequent enough that if the host was stealing more than a tiny amount of work it would be obvious)
22:48 < amiller> i agree no one asks for that today, but they should, perhaps in the future they will
22:48 < gmaxwell> but okay I get the idea. So if there were big bonus blocks periodically... that were blinded.. then the users couldn't tell if they were being robbed.
22:48 < amiller> after people start implementing encryption correctly etc
22:49 < HM> Don't datacenters typically charge by the amp? or say 1 U = X amps and then charge mostly on power consumption?
22:49 < amiller> yeah that's the idea
22:49 < gmaxwell> amiller: I'm ... very concerned they won't. but thats an aside. We can't cure humanity, lets fix the technology at least.
22:50 < amiller> yeah. also etc etc it helps promote general confidence in cryptocurrency to have technical answers especially to the big questions, like, does rational behavior inevitably trend towards centralization, etc.
22:50 < amiller> even if the technical answers to that involve things that aren't even close to implemented yet
22:50 < gmaxwell> (in particular, miners could be using BFGminer with their centralized pools and BFGminer will prevent a pool from ever "eating its own tail": it will refuse to mine a fork against work the pool had it previously do. Totally kills a broad class of pool-op network attack. But basically no miners deploy bfg for this purpose (many use it but for other reasons))
22:51 < gmaxwell> amiller: a lot of users really have absolutely no clue about the security model, or they're wrong about it in frightening ways. E.g. they think that only the miners validate transactions, and that the miners can pay to whomever they want, however much they want. E.g. a model where there would be no incentive alignment at all.
22:51 < gmaxwell> And I think this kind of misunderstanding is nearly the majority understanding or not too far from it. Yet they use bitcoin anyways because of, presumably, social proof.
22:52 < gmaxwell> (they also use other altcoins like ppcoin where the developer broadcasts checkpoints that select the network state)
22:52 < gmaxwell> (ppcoin is nominally POS but for "extra security" it has checkpoints broadcast in the network by its creator for ~every block which ultimately dominates the consensus)
22:54 < amiller> people also trust service providers unconditionally for all sorts of stuff
22:54 < HM> amiller, example?
22:54 < amiller> passwords in google docs?
22:55 < gmaxwell> right, part of the problem there is that you can get away with trusting paypal or ebay like that, they have conspicuous assets you can send to jail if they cheat and regulation. But people also trust $anonymous_pool_operator because they don't reason about why it's okay to trust ebay.
22:55 < amiller> sure, so i admit that this is a construction of theoretical interest mostly
22:55 < gmaxwell> worse, since even when everything is vulnerable attacks tend to be somewhat rare.... when the shit does hit the fan they blame the specifics rather than the general practices. but oh well.
22:56 < gmaxwell> yea, sorry for the tangent.
22:56 < gmaxwell> We can't fix the social problems unless there are technical solutions in any case.
22:56 < amiller> i agree with 100% of the content of the tangent
22:56 < amiller> but yeah
22:56 < gmaxwell> I just get a bit depressed because even where the technical solutions exist we're not using them yet.. if ever.
22:56 < HM> amiller, the kind of people who put passwords in google docs are likely ignorant of the risk
22:57 < HM> or dismissive of the consequences
22:57 < HM> i wouldn't call that trust
22:58 < amiller> HM the way i think of it is that everyone who ignorantly or whatever is willing to make themselves fully vulnerable to a cloud provider or whatever, i just assume they've already done so
22:58 < amiller> and i effectively treat that as one wealthy entity
22:59 < amiller> the thing to aim for is people who are making rational risk-aware decisions
22:59 < gmaxwell> HM: people leave large amounts of bitcoin in blockchain.info mywallet, which is protected only by the users password, which can be bruteforced by bc.i (or anyone with access to the user's email), at >10 million passwords per second per gpu (and there is no salt, so bc.i or their hacker could attack all customers at once)
22:59 < gmaxwell> and BC.i wallets could be stolen at login time by anyone who injects JS in the pages.
22:59 < amiller> who will take the offer if it's cheaper and they have a good guarantee, in particular regardless of the 'systemic' risk of centralization which affects bitcoin as a whole but doesn't make you earn less
22:59 < gmaxwell> And yet they have hundreds of thousands of users.
22:59 < HM> bc.i don't need to bruteforce the wallets
22:59 < HM> they can just take them
23:00 < gmaxwell> HM: BC.i is a bit misleading about the threat model there, because the private keys are "only in the browser" ... until they give you some JS injection and take them or attack the password. I mention the password attacks because even if you believe their misleading claims the password stuff is upheld.
23:01 < HM> yes, it's the same with MEGA with files
23:01 < HM> but tangents...
23:01 < gmaxwell> I mean I can go on all day there is countless amounts of misplaced trust.
23:02 < HM> well that's why the financial system being full of systemic risk is a *good* thing
23:02 < HM> everyone knows when it reaaally gets bad, something will be done
23:03 < HM> and nobody cares if it's good as long as everybody suffers
23:04 < HM> if the majority of people use blockchain.info then the impact on Bitcoin as a whole if the entire site vanished would be so huge as to affect us all anyway
23:08 < HM> It's kinda like email. Gmail has something like half a billion monthly active gmail accounts
23:09 < HM> some people don't even realise that email is a decentralised thing anymore
23:09 < gmaxwell> it's not even decentralised so much anymore. if you host your own email you have major major problems with anti-spam filters.
23:10 < HM> right
23:10 < gmaxwell> a lot of corporations have been moving to having msft or google host their domains for this reason alone... the other savings are just a perk.
23:11 < gmaxwell> (amusingly, I understand that Mike Hearn may have some personal culpability in this outcome ... :P )
23:11 * sipa whistles
23:11 < HM> lol what?
23:12 < gmaxwell> another googler. Though I don't know that sipa works on anti-spam. :P
23:12 < HM> ah bitcoin and bitcoinfoundy.org are both Gapps
12:54 < adam3us> petertodd: bitcoin already has a signing system, and a key to do the signing, i am just saying use it
12:55 < petertodd> adam3us: anything less means users who *don't* have any reason to dick around manually checking bullshit just because they want to buy a tee-shirt will end up with a less secure system
12:55 < petertodd> adam3us: and a signing system is useless without gobs of infrastructure
12:55 < adam3us> petertodd: the web app level is far less dangerous if the worst you can do is pay money to the wrong merchant address (as opposed to the attacker direct)
12:56 < petertodd> adam3us: huh? the attacker swaps out the addresses after cracking the site and steals a million bucks from 10,000 users
12:56 < adam3us> petertodd: i am not saying people who are buying t-shirts will care to check it
12:56 < petertodd> adam3us: right, which means you have to have that code in the trezor... so use it
12:56 < adam3us> petertodd: no because the addresses are signed, and users who bother to check, can see hey something is wrong with tshirtsrus
12:56 < petertodd> adam3us: paranoid level gets to have the PGP fingerprints displayed prominently
12:56 < adam3us> petertodd: their TOFU account number just changed??
12:57 < adam3us> petertodd: even a browser plugin handling payment requests could check that
12:57 < petertodd> adam3us: there is no difference between checking "signed addresses" and "CA fingerprint matches up", zero.
12:57 < adam3us> petertodd: you realize how tricky it is to get any sense out of pgp wot? latest version of gpg is all but unintelligible to me
12:58 < adam3us> petertodd: screw wot, i just mean a self-certified tofu hd wallet base key and expecting transaction numbers (one-use addresses) to be signed with it
12:58 < petertodd> adam3us: where did I say you'd be using WoT for this? most paranoid users would want to verify fingerprints with manual mechanisms, some could use WoT, but we're *much better* if we encourage an ecosystem that doesn't fragment things
12:59 < petertodd> adam3us: and like I keep saying, making it PGP lets you do useful things like have known ways to send your merchant an encrypted email
12:59 < petertodd> adam3us: you are *not* thinking about second order effects here
12:59 < adam3us> petertodd: i just think its more useful to the careful user to have a tofu account number to read off and compare. than a string of (to him) uncorrelated random one-use addresses - that tell him precisely nothing
13:00 < adam3us> petertodd: and the web level browser level and client machines are like swiss cheese and will get rampantly exploited
13:00 < petertodd> adam3us: yes, and using a PGP code-path for that use-case is better and encourages good practices across the board, rather than a bunch of highly specific shit that doesn't do anyone any good
13:00 < adam3us> petertodd: there are no second order effects - if you're buying t-shirts and you dont care dont look at the account number alright
13:01 < adam3us> petertodd: bullshit - how is throwing pgp at the poor user going to help anything
13:01 < petertodd> adam3us: damn right there is, now there's no transition path between low, medium, and high security, that's very bad
13:01 < adam3us> petertodd: so i think the low to medium level is done via payment request as is
13:02 < petertodd> adam3us: we want a system where the average user goes and gets the green CA-certified box saying "TeeShirt Company", then when they become a distributor of said company is told "Hey, go check that the fingerprint matched up ok? Just to be safe." now you've gone from low to high security seamlessly.
13:02 < adam3us> petertodd: problem is if the server is compromised someone can undetectably to users swap out the pool of one-use addresses
13:02 < gmaxwell> petertodd: so what we need to do is introduce the things pgp lacks to pgp and to fix it, rather than go off separately or pretend that pgp as is .. is a solution.
13:02 < petertodd> adam3us: No, as I said before, you add a mechanism *to the payment protocol* to have a separate CA key (as a subdomain) sign a root address under the hood
13:02 < adam3us> petertodd: the web site will happily sign them with its SSL key (or subdomain key) and facilitate robbing itself
13:03 < petertodd> adam3us: and that's why it's a fucking subdomain, so you *don't* need to keep it online!
13:04 < petertodd> adam3us: you're not getting the payment request from that subdomain, the software just expects the request to be signed by that magic subdomain, and shows the user the address one level up
13:04 < adam3us> petertodd: well wait the payment request includes a description of what you're buying and amount it cant be offline
13:05 < adam3us> petertodd: whereas one use addresses in the hd wallet derivation method can be pre-generated offline and uploaded as a batch, they could be signed offline, but there is currently a missing part to do that (thats basically all i was trying to say)
13:05 < petertodd> adam3us: sure it can, as I said before, you have two payment protocol-related certs here: one to sign requests semi-online, another to sign long-term root keys
13:06 < petertodd> adam3us: now you have a system that has pretty good security in the default case, *and* can be easily upgraded to paranoid level by a manual check
13:06 < adam3us> petertodd: but the message to be signed is different: one is a one-use address (offline) and the other is a description of your order (online)
13:06 < petertodd> adam3us: rather than creating balkanized shit
13:07 < petertodd> adam3us: yes, and what's wrong with that? user's wallet is programmed to expect both, and barfs if it doesn't see what it expects
13:07 < adam3us> petertodd: so then you're saying the same thing except you like x509 and i dont. i think for something as compact, simple, direct and bitcoin meaningful as a proof of hd wallet ownership should be a 64 byte thing on the one use address, not a few KB of asn1
13:07 < petertodd> adam3us: if not all merchants use this, just make the UI in the wallets have a silly golden shield or something for the extra-high-security version, and make it easy to check fingerprints manually
13:08 < petertodd> adam3us: sure, but the code *has to be implemented on the wallet anyway*, so use a mechanism that allows for nice user-friendly transparent upgrades
13:08 < adam3us> petertodd: yeah i think we have some ux and naming to fix up, but i would call the merchant HD wallet base address the merchant account number, and the one-use address the invoice number
13:09 < adam3us> petertodd: seems a bit ugly to say oh yeah, and that account number, bitcoin has a key, but it chose to delegate that to a web app, an untrusted third party (CA) and browser to tinker with
13:09 < petertodd> adam3us: heck, you see what I'm doing here? what I'm really doing is extending the merchant's identity that you usually transact with to verify a HD wallet base - you're strongly arguing to only do the latter which is silly
13:10 < petertodd> adam3us: we're not delegating it to anything - hardware wallets and offline wallet software *has* to implement CA certs for the 95% use-case
13:11 < adam3us> petertodd: i dont think CA are good model, ca infrastructure is rooted, 100s of dodgy CAs, hacked CAs, hostile govt operated CAs by govts of various shades . that way lies account seizure
13:11 < petertodd> adam3us: who cares? CAs are a better model than nothing. Reality is 95% of users will outsource their security - there is nothing we can do about that.
13:11 < adam3us> petertodd: you can sign extra stuff with x509 while you're signing the payment request - why not, but i think its simpler to also independently and natively sign the one-use addresses
13:12 < adam3us> petertodd: its not either or. sign the account numbers with the hd wallet master. and sign everything best effort on the web app layer with the payment request
13:12 < adam3us> petertodd: what i am saying is like a checksum on a credit card digit
13:13 < petertodd> adam3us: no it's not - a hd wallet seed signed once by a long-term identity cert means that some thief can't do anything more interesting than blackhole funds in the worst case - in the better case you use a derivation system that's deterministic enough to always recreate the key(s)
13:13 < adam3us> petertodd: what you are saying is like maybe SET (doomed credit card web security protocol)
13:14 < petertodd> adam3us: nah, it's silly to be signing shit, remind yourself how HD wallets work... you don't need to sign addresses derived from them, spendability only with the HD seed is guaranteed anyway
13:14 < adam3us> petertodd: i think this is an instructive analog: banks do not use third party auth (openid, CA issued certs without pinning, or site enrolment) because they want to control their own security
13:15 < petertodd> also if you are signing stuff, then that encourages you to keep your keys online, which is bad...
13:15 < petertodd> adam3us: yes, and then they can tell their customers their PGP fingerprint and do it that way...
13:15 < adam3us> petertodd: not signing data just the one-use address
13:15 < petertodd> adam3us: yes, and given HD seed S and nonce n S+n is a one-use address that only S' can spend
13:22 < adam3us> petertodd: yes this is true, but only if the site and user share a sub-wallet & chain code (which they can do, and maybe should do for recurring biz)
13:22 < adam3us> petertodd: but i was thinking maybe with a signature on the one-use address, which the user can strip before using on the network, you get that kind of spender simple tofu verification
13:25 < petertodd> adam3us: timo's pay-to-contract makes a lot of sense there you know... yeah, now maybe you really do want an address that can't be proven to have anything to do with the hd seed, but why not extend that initial thing to sign a bunch in advance? again, you don't want to encourage keeping that long-term-id key online often
16:39 < nanotube> too soon? :P
16:43 < nanotube> ... slowly getting my connection count back after node restart. up to 88 now.
16:57 < HM3> why aren't node addresses stored persistently?
16:57 < sipa> they are
16:57 < sipa> peers.dat
16:59 < HM3> ah
17:54 < nanotube> what's the default expiration of errors? i'm still seeing the 'check date and time' error in getinfo, though my timeoffset has settled to 0. (probably initially caused by my initial peer set being significantly off, i recall gmax mentioning something about there being some mistimed peers out there.)
18:00 < gmaxwell> nanotube: some errors never go away (unless replaced by another one), thats one of them.
18:01 < nanotube> doh
18:02 * nanotube thinks it should go away once timeoffset drops below some threshold
18:02 < nanotube> though... it's rather immaterial.
18:07 < nanotube> well would you lookit this, a live bitcoin node counter: http://getaddr.bitnodes.io/
18:08 < HM3> cool site
18:08 < gmaxwell> yea, except the numbers on the front page are pure bullshit.
18:08 < gmaxwell> (they're counting addr messages)
18:08 < gmaxwell> if you click through to the report, e.g. http://getaddr.bitnodes.io/194/
18:09 < gmaxwell> the field "nodes_version (version)" is how many they actually connected to.
18:09 < HM3> i don't know why that is bad
18:09 < HM3> what is nodes_getaddr?
18:10 < gmaxwell> how many unique IPs they got from address messages.
18:10 < gmaxwell> which includes scads and scads of never-reachable addresses, due to god knows what.
18:11 < HM3> but those nodes may be connected out right?
18:11 < gmaxwell> Some, but most? Unlikely, considering the addresses include e.g. huge ranges of sequential numbers.
18:11 < nanotube> gmaxwell: oh... crap. and there i was being happy we have 100k nodes.
18:12 < HM3> so probably people with dynamic IPs
18:12 < gmaxwell> HM3: out only nodes don't announce themselves in any case.
18:12 < HM3> stale messages
18:12 < HM3> ah
18:12 < gmaxwell> HM3: and moronic dos attacks, and misconfigured firewalls, and who knows what.
18:13 < sipa> my crawler tracks 66k addresses now
18:13 < sipa> of which it considers 3.8k "good"
18:13 < nanotube> what's 'good', how many have been reachable within the past 30days?
18:13 < sipa> it has also banned 730k addresses for being consistently bad :p
18:13 < nanotube> heh
18:13 < sipa> the rules are fuzzy and too complex
18:14 < sipa> go read the source :p
18:15 < nanotube> haha well, 'really roughly'
18:16 < HM3> so probably bigger than Tor in terms of relay nodes, but probably smaller than the number of skype users who signed off in the time it took me to type this.
18:16 < nanotube> lol yea
18:16 < gmaxwell> well, in particular, it means we're dangerously close to running out of sockets.
18:17 < gmaxwell> (even absent an attack)
18:17 < HM3> what?
18:17 < gmaxwell> as 4000*125/8 = 62500 ... so it means that we can only support 62500 nodes with good listeners (including bitcoinj nodes and such that would never announce)
18:18 < nanotube> hm well, it seems we're not /that/ close. after a day-ish of uptime, i'm only at 83 connections out of 512.
18:18 < gmaxwell> nanotube: 83 is 66% of the normal capacity.
18:18 < nanotube> if we were really close, i presume my slots would fill up much faster.
18:18 < gmaxwell> (I think 2/3 is not super comfortable)
18:19 < gmaxwell> (and the /16 limitation means that we're not very equally distributed)
18:19 < sipa> nanotube: https://github.com/sipa/bitcoin-seeder/blob/master/db.h#L103
18:19 < nanotube> sure, i dig.
18:19 < gmaxwell> It's not urgent yet, but it seems we have a trend that isn't good either.
18:19 < HM3> what's this socket limit about?
18:20 < nanotube> HM3: listener nodes allow 125 max inbound connections by default.
18:20 < gmaxwell> HM3: we have memory usage per peer, so there is a limit to the number of concurrent peers. Right now the default limit is 125 (and few nodes adjust that)
18:20 < nanotube> non-listener nodes try to make 8 outbound.
18:21 < HM3> oh i see
18:22 < gmaxwell> Obviously one path is to try to really get the per peer resources down so we could have nodes with a thousand peers or whatever... but thats resource heavy, and still leaves the network more DOS vulnerable than one with just more nodes.
18:22 < HM3> so you need a listening node to out node ratio of 125:8
18:22 < nanotube> though 4k listening nodes at 125 each suggests that we should have 500k open slots.
18:22 < HM3> with perfect meshing
18:23 < gmaxwell> nanotube: yes, but nodes use 8 slots... sooooo. at 62k we start to saturate.
18:23 < HM3> err 8 : 125
18:24 < gmaxwell> of course, this is absent attacks. One issue with this model is that an attacker with a single IP can use 1/slots of the whole network's capacity, even if we implement kicking off duplicate connections. (thus conversations about things like proof of storage and private bloom queries)
18:24 < nanotube> gmaxwell: yea, but if we put in your logic about randomly dumping peers based on some scoring criteria, thus ensuring node churn, being at 62k nodes won't be a big problem.
18:25 < nanotube> but yes, certainly it's something we need to think about before it becomes a problem.
18:25 < gmaxwell> nanotube: or at least less of one, if the order of nodes drops too far the risk of partitioning increases. (though thats a reason e.g. to prioritize peers that give you novel transactions and blocks)
18:26 < nanotube> mm
18:26 < nanotube> anyway.. foodtime. o/
18:26 < HM3> Why is there a high memory cost to a connection?
18:26 < sipa> buffers
18:27 < HM3> I mean I have a Bittorrent client that maintains hundreds of connections
18:27 < sipa> and quite some state
18:27 < HM3> still uses less memory than bitcoind
18:27 < gmaxwell> HM3: most of bitcoinds memory is not connections right now.
18:29 < HM3> any thoughts on how you'll solve it?
18:30 < sipa> adding a builtin solitaire in bitcoin-qt may increase the number of fullnodes?
18:30 < gmaxwell> We need more nodes regardless, we could do things to scale up the connection count... but I think thats less important simply because if we have only a couple thousand nodes its too trivial to dos them regardless of their max connection counts.
18:30 < gmaxwell> Once we have headers first and pruning there should be less disadvantage to running full nodes.
18:31 < gmaxwell> It may also be that we can't solve it before a major outage happens, because right now users don't think they have any personal reason to take the costs of running a full node. :(
18:32 < HM3> bundling. integrate bitcoind in to a popular torrent client so people can tip seeders :P you'll have millions overnight
18:33 < gmaxwell> and then someone implements another version that uses a SPV node instead, and you'll lose millions overnight.
18:34 < HM3> well then you play the starving hacker card and say serving "Linux ISOs" is a team sport
18:34 < gmaxwell> If that worked, then we could use Bitcoin users who presumably already have more skin in keeping bitcoin running.
18:35 < sipa> fancy graphs!
18:35 < sipa> and some animations
18:35 < sipa> how the chain is being built
18:35 < sipa> matrix-style
18:35 < HM3> defrag style
18:35 < HM3> coloured blocks
18:36 < sipa> yeeeees
18:39 < HM3> how many fullnode implementations are there out there now?
18:40 < gmaxwell> correct ones? who the fuck knows. I have very little confidence in the other teams, most of them have not even run and passed the block tester.
18:40 < gmaxwell> It's a very hard task.
18:40 < sipa> bitcoinj has one (certainly incomplete), btcd, bitsofproof, ...
18:40 < sipa> no idea how correct they are
18:40 < sipa> i'm sure there are a ton other attempts
18:40 < HM3> i think btcd guy said he had passed some of your tests?
18:40 < gmaxwell> btcd talked a good talk but was trivially forked.
18:40 < sipa> but those are certainly near-complete
18:41 < HM3> ah
18:41 < sipa> gmaxwell: which rule did they miss?
18:41 < gmaxwell> sipa: they were evaluating validity in untaken branches in scripts.
18:41 < sipa> ah
18:41 < gmaxwell> (and their response was to try to report it as a bug and suggest we fix it)
18:42 < HM3> lol
18:42 < gmaxwell> ::shrugs::
18:42 < HM3> please do, i might be richer on that fork :P
18:42 < sipa> do they even understand the concept of a hardfork?
18:42 < sipa> or rather, the distinction between soft and hard forks
18:42 < gmaxwell> I don't know. I can't tell. They're eager to please.
18:42 < gmaxwell> So everything I say they agree with.
18:44 < gmaxwell> (which I suppose is better than arguing with everything) But I just don't know how hard they're working at it. They've not discovered any surprising behavior on their own, which is my normal benchmark, but that only works for so long.
18:44 < gmaxwell> (eventually I become all knowing and so no implementations can tell me something I didn't know. :P)
18:45 < sipa> which, ironically, makes you the #1 person capable of writing an alt fullnode
18:45 < jgarzik> maxcoin?
18:45 < sipa> i wonder how well i'd do implementing bitcoin from scratch, only looking up constants and opcodes and stuff
18:47 < sipa> BlueMatt: seems the comparisontool jar you gave me doesn't even accept current bitcoind...
18:47 < sipa> as in git head, pre-headersfirst
18:48 < gmaxwell> There are degrees of knowing. I knew how the evaluation logic worked, but I might have made the same evaluation mistake even though I "knew" better.
18:49 < HM3> it's probably easier to make a specification for the post-hardfork version
18:50 < sipa> HM3: i've been wanting to write a bitcoin-like thing from scratch for a while, with all silliness (in my opinion, of course) fixed :p
18:50 < gmaxwell> well, don't think a good spec magically makes this stuff easy. It just makes it slightly less awful.
18:50 < HM3> sure, and nobody follows specs anyway
18:50 < sipa> finding time for that is obviously a joke
18:51 < jgarzik> a good spec is simply Knuth's semantic programming
13:59 < gmaxwell> HM_: yea, I'd like to think of some examples that don't involve breaking the law. But I don't know that there really are any: if your trade is not likely to bring fire, you can use a trusted public mediator for an escrow.
13:59 < HM_> if it's expensive to verify it has to be expensive to generate as well though
13:59 < HM_> otherwise you can flood the network with candidate solutions and DDoS the whole thing?
14:00 < gmaxwell> HM_: you can use hashcash to solve that. (or make candidates pay you a small amount of bitcoin) no problem.
14:00 < HM_> hmm yeah
14:01 < HM_> so it's a C subset?
14:01 < gmaxwell> The validation is actually cheap for this kind of thing... but still slower than ecdsa in practice.. which would keep us from putting the validator directly in bitcoin,
14:02 < gmaxwell> they invented a mips like register based machine language, and made GCC (dragonegg/llvm) able to compile to it. It doesn't have floating point IIRC.
14:02 < realazthat> mmm
14:02 < realazthat> fp can be done on top
14:02 < gmaxwell> sure.
14:02 < realazthat> that's really cool hehe
14:03 < realazthat> mmm I'd want to play with that
14:03 < gmaxwell> Or you just write fixed point code. No biggie. The bigger problem is that it's not fast and needs lots of ram on the prover side.
14:03 < gmaxwell> But it sounds efficient enough to be actually usable for _something_ now.
14:03 < gmaxwell> And they've actually implemented it.
14:04 < realazthat> yeah, I just wanna play with it external to bitcoin
14:04 < realazthat> are they to release the codes?
14:04 < realazthat> I hope so
14:11 < gmaxwell> Yes. They were talking about setting up a github page and such.
14:11 < gmaxwell> and, it sounded like they were willing to make it available in advance to bitcoin wizard types interested in working with it.
14:12 < gmaxwell> I haven't asked for it yet simply because I do not have enough bandwidth to do something with it in the next few days....
14:12 < gmaxwell> But I'd really like to actually execute that protocol I described, and make a zero knowledge contingent payment. Just need to figure out something to buy that's sexier than a cracked password.
14:13 < gmaxwell> (I wish the xkcd thing were ongoing, I could buy a solution to that! :P )
14:15 < realazthat> lol
14:18 < gmaxwell> Ah. Perhaps I could buy the infinitely good solution from Randall Munroe. (and get him to reopen submissions, so that 'Bitcoin' could be the top of the list)
14:19 < realazthat> mmm
14:19 < realazthat> can you explain the xkcd reference?
14:22 < gmaxwell> http://www.explainxkcd.com/wiki/index.php?title=1193:_Externalities
14:26 < gmaxwell> http://almamater.xkcd.com/ (I'm xiph.org with the 392 score)
14:27 < gmaxwell> Only tied with stanford :(
14:27 < realazthat> oh the hashing competition :D
14:28 < gmaxwell> Randall actually knows the preimage. (or at least, he indicated that he did in IRC)
14:29 < realazthat> haha
14:29 < realazthat> do you need that to use it as a challenge?
14:30 < gmaxwell> 'that'?
14:30 < realazthat> the preimage
14:31 < gmaxwell> No, he could have made a challenge with a random target (or a target of all zeros). The fact that the target had 'high entropy' suggests that he knows the preimage... and as I said, he said that he did.
15:17 < BlueMatt> gmaxwell: or...just make it so no one has to download the chain ever again...
15:17 < BlueMatt> "but the chain is 100GB" go fuck yourself, just use computational integrity
15:19 < gmaxwell> I said that " for example, you could use these techniques to produce checkpoints that can't cheat."
15:19 < BlueMatt> well, you don't expect me to read the whole scrollback, do you?
15:20 < gmaxwell> BlueMatt: it's not realastic yet... well, I joked that if we got all of google's computing power for a week perhaps we could compute a CI signature. :P
15:20 < gmaxwell> er realistic.
15:20 < BlueMatt> yea, I know, I just keep hoping
15:20 < gmaxwell> At least the naive way of doing it... really the biggest problem is all the state needed in validation to track unspent coins.
15:25 < BlueMatt> yea, maybe when we all have 512GB ram in every machine...
15:25 < gmaxwell> BlueMatt: not even 'every' ... the validation side doesn't sound terrible.
15:26 < BlueMatt> ahh, well then we just need to find a computer to do the original signing...
15:26 < BlueMatt> lets get TD/sipa to do it...
15:29 < BlueMatt> I wonder how much it has to go back over the data during the signing (or if swapping it out to an ssd would actually work)
15:30 < gmaxwell> Right. TD had mentioned some unrelated work on garbled circuits was intractable until some software engineers had a go at it and reorged the algorithm to work in a streaming-from-disk manner.
15:31 < gmaxwell> The other problem with this stuff is that getting people convinced that the process is sound might be hard. Apparently their work has something like 400 pages of dense mathematical proofs behind it.
15:31 < BlueMatt> ahhhh
15:32 < BlueMatt> well, I don't know that I would really trust it immediately (or for the next few years) anyway...
15:32 < gmaxwell> But of course, actually _using_ it for something would make good incentives to attack it!
15:32 < BlueMatt> still, the idea that it will clearly be possible in the immediate future means the argument that the chain is growing too fast (and not the utxo set) is invalid
15:33 < sipa> gmaxwell: but will verifying the proof be cheaper than just verifying the chain?
15:34 < gmaxwell> For some size of the chain it should be. The complexity is polynomial on the size of the program (the rules) you're validating.
15:34 < gmaxwell> (complexity of validating)
15:34 < sipa> ic
15:34 < sipa> magic :S
15:34 < BlueMatt> as long as it's similar and you can throw out the chain data itself instead of still having to distribute the chain in the form of input data
15:35 < gmaxwell> BlueMatt: I don't agree. You're streaching. You still need the bandwidth to receive blocks to actually use the network in real time. It just means the history bloat will be less of an issue perhaps.
15:35 < gmaxwell> stretching*.
15:35 < BlueMatt> yes, that's my point
15:35 < BlueMatt> it's just blocks/time instead of total blocks
15:35 < BlueMatt> (in data)
15:35 < gmaxwell> I don't think anyone has argued that the history is an issue. Mostly people are willing to ignore the bootstrap time/cost. (maybe that's unwise too)
15:36 < BlueMatt> I've heard it once or twice
15:37 < gmaxwell> well you've heard me say it wrt pruning and needing to be really careful about how we handle it (e.g. that I want to have addr message signal that nodes have random subsets of the chain in addition to just the most recent few thousand blocks).. but that's still true, since this stuff probably won't be practical for bootstrap for a couple years at best.
15:37 < gmaxwell> But that's not a scaling concern... it's a pruning concern specifically.
15:38 < BlueMatt> meh
15:39 < gmaxwell> I don't want the network to depend on having archive nodes to bootstrap. Esp when there will be plenty of users happy to donate more disk space but not as much as a full archive. Archive nodes, if that's all we have, will be quite costly to operate... and I can reliably predict people will start saying "more people should use SPV nodes" as an answer to archive nodes being totally saturated.
15:40 < gmaxwell> People should be able to pick the disk space they donate to the network continuously from utxo only all the way up to archive.
15:41 < BlueMatt> not sure we need /that/ much flexibility, but chunks of tens of thousands of blocks yea
15:42 < BlueMatt> would be interesting to split that off into a separate bootstrap network
15:44 < gmaxwell> yea, I just want nodes to be able to signal a single range in addition to a range from top.
15:44 < gmaxwell> More ranges would be nice but I don't think they're important.
15:46 < gmaxwell> e.g. a service flag that says it keeps the last 2016, and a range that it has 120000-160000.
15:47 < petertodd> warren: keepbitcoinfree.org
15:48 * BlueMatt :(
15:48 * BlueMatt isn't opposed to making most bootstrap on some 3rd party network
15:48 < petertodd> BlueMatt: btw you may want to argue over email with me - I won't be on irc much in the next week
15:49 < BlueMatt> meh, we clearly fundamentally disagree
15:49 < BlueMatt> not sure arguing helps any there
15:49 < petertodd> not surprising
15:49 < petertodd> after all, it's not a technical decision, it's about what you value in bitcoin
15:49 < BlueMatt> not really
15:49 < BlueMatt> well, at least not the way that video presented it
15:49 < BlueMatt> in the extreme, sure
15:50 < gmaxwell> BlueMatt: just be really careful that you're not treating "other network" as magic. There are reasons why you can do this better with integration with our network, as well as by knowing about the data you're working with.
15:50 < BlueMatt> gmaxwell: meh, it's easier to treat it as magic...
15:50 < petertodd> it was really interesting being at the developer round table, talking about scalability stuff, and when it was over a half dozen argentinian investors surrounded me with questions - they were extremely concerned about centralization and anonymity
15:50 < BlueMatt> but, no, yea it makes more sense on our network, but it would have to be half-separated
15:51 < BlueMatt> petertodd: I have no doubt that scare-videos scare people...
15:51 < gmaxwell> BlueMatt: our trackerless torrent hardly works, requires a weakly trusted party to give you the torrent ID (and wastes your time/bandwidth if it's wrong). External network doesn't make it trivial for bitcoin participants to turn a knob to control their contribution level, unless we bundled the third party network software and increase our attack surface. File trading protocols get people banned from some networks for reasons unrelated t
15:52 < BlueMatt> gmaxwell: yes, this is why it does actually make more sense to put it on a standard bitcoin p2p network
03:43 < Taek42> I was wondering if it would be possible to build a higher-level language on bitcoin script
03:43 < Taek42> right
03:43 < Taek42> Imagine a C-like that output bitcoin-script instead of assembly
03:43 < stonecoldpat> michagogo|cloud: jesuscoin i love it
03:43 < justanotheruser> Yes, it wouldn't be turing complete, but it would allow for turing complete scripts that get cut off if they run too long (so pseudo-turing-complete)
03:44 < justanotheruser> well not cut off, but only be accepted if they have a limited run time
03:44 < Taek42> As long as you have a reliable way of measuring where the scripts get cut off
03:44 < Taek42> because all hosts would need to agree if a script took too long to terminate
03:44 < justanotheruser> Taek42: it would be like measuring where transactions get cut off. The miners determined it
03:44 < justanotheruser> (in terms of size)
03:45 < Taek42> hmmm
03:47 < justanotheruser> The transactor could say how many cycles the script should take in the header. If it takes more than that, then the miner can spend the transaction themselves maybe? (This is the best way I can think of preventing DoSing miners with large scripts)
03:47 < justanotheruser> I suppose that would limit the ability to give people scripts that they can spend later though
03:48 < justanotheruser> well actually nvm the statement directly above this
03:48 < justanotheruser> you should build these scripts so they can't run arbitrarily long, otherwise someone will donate the tx to miners
03:49 < justanotheruser> nsh: Are you saying this system would hurt stability of the price?
03:50 < nsh> not necessarily, just that things tend toward instability as the degrees of freedom increase
03:51 < justanotheruser> nsh: when you say degrees of freedom do you mean it in the mathematical sense, or could I substitute degrees with amount?
03:51 < Taek42> nsh I'm not sure I agree with that
03:52 < nsh> mathematical, but perhaps i'm wrong
03:52 < nsh> certainly in mechanical dynamic systems you are more likely to exhibit chaotic behaviour when you have more (dynamically coupled) degrees of freedom
03:52 < justanotheruser> nsh: could you explain what a degree of freedom is in these terms then?
03:53 < nsh> "In mechanics, the degree of freedom (DOF) of a mechanical system is the number of independent parameters that define its configuration. It is the number of parameters that determine the state of a physical system"
03:53 < justanotheruser> nsh: Are you saying bitcoin price would be more stable if it didn't have p2sh?
03:53 < nsh> no
03:54 < justanotheruser> doesn't p2sh add a DOF?
03:54 < nsh> the price stability derives from the network stability, which derives from everyone's behaviours being constrained (by "enlightened self-interest") to keep things working in some defined manner
03:55 < nsh> yes, but you're making stronger assertions :)
03:55 < Taek42> depends on what you mean by network
03:56 < justanotheruser> nsh: Does another DOF hurt network stability?
03:56 < Taek42> bitcoin's price instability derives from the fact that the volume in circulation can't adjust to the demand
03:56 < Taek42> and the demand has been all over the map
03:56 < nsh> justanotheruser, depends
03:56 < nsh> what i proposed was that as the number of DoFs increases then the entire system _tends_ towards more unstable behaviour
03:57 < justanotheruser> hm
03:57 < nsh> to go from that to saying adding one DoF necessarily increases instability requires some additional evidence
03:57 < justanotheruser> I'm not sure if I agree with you. I don't think it makes it less stable unless it makes it less secure
03:57 < nsh> and anyway, i'm probably just smoking crack
04:00 < justanotheruser> Another advantage I see in this is a limit on CPU intensive scripts. No longer will we have to worry about transactions that take a long time to validate but are inexpensive because they take up little physical space
04:19 < sipa> the reason why turing complete scripts are a bad idea is because you cannot determine the cost of running without running
04:19 < sipa> even if it's not actually turing complete and limited to some high amount of cycles
04:21 < nsh> which means easy DoS attacks?
04:22 < Taek42> If you had it in a sterile environment (no malware issues), I would think that the only problem would be large scripts (too much data) or long scripts (too much runtime)
04:23 < Taek42> wouldn't limiting the cycles prevent that?
04:27 < sipa> if one transaction costs 1000 times more to validate than another, you need pretty good policing to make sure it is disincentivized
04:31 < Taek42> or you could charge each transaction equal to the theoretical limit on how expensive it is
04:31 < Taek42> then the miners will be happy
04:31 < Taek42> or you could wait to charge until you know how many clock cycles were spent validating it
04:35 < sipa> the problem is that mining is constrained by size, so will end up picking transactions with sufficient fee per byte
04:35 < sipa> if you want the same incentive for execution, you need a hard limit per block on validation cost
04:35 < sipa> which complicates optimal transaction selection
09:40 < petertodd> sipa: I really don't see what the big deal is; you have to execute the script anyway yourself to validate that the transaction is valid. Adding opcode counters to Eval() isn't a big deal.
09:40 < petertodd> sipa: sure there's some theoretical static analysis stuff you could do, but it's consensus critical - keep it simple and stupid
09:53 < andytoshi> petertodd: suppose i make a script which has fee for 100000 iterations, but runs for 100001, so it can't validate
09:53 < andytoshi> is there a nice way to prevent a DoS along those lines?
09:54 < petertodd> andytoshi: probably not, but at least that's a local DoS attack - lots of those
09:55 < petertodd> andytoshi: anyway, a script can't exceed the limit for a whole block by definition, and block propagation has to be fast, thus it can't be that much of an issue
09:55 < andytoshi> yeah, fair enough, i guess people are free to make IsStandard reject anything that might take too long for their system
09:55 < andytoshi> also a good point
09:55 < petertodd> andytoshi: yup
09:56 < petertodd> andytoshi: and static analysis is all well and good, but like I say, it'd be in consensus critical codepaths...
09:57 < andytoshi> yeah, perhaps it's a meta-problem that people will try to do it if they see a benefit
09:57 < petertodd> lol!
09:58 < andytoshi> the real problem i see with turing-completeness is that the block limits you'd have to put on it are too stringent for anything cool to be done
09:58 < andytoshi> OTOH if we could do snark-validation so only one person (potentially the transactors themselves) ever have to compute it, i'd be happy with it
09:58 < petertodd> yeah, but like I say, until we get SCIP you have to have limits because you have to actually run the code to validate! turing completeness has nothing to do with that
10:22 < gmaxwell> andytoshi: certainly the block limits you'd have to have would be too stringent to do anything interesting if the instruction set weren't very high level, and if we had to assume execution via a very dumb interpreter.
10:22 < gmaxwell> the latter is probably true, the former not so much.
10:23 < gmaxwell> This isn't to say I'm necessarily a fan of turing complete script. I do think getting an execution counter right is hard.
10:23 < petertodd> gmaxwell: just do a MAST design and make sure your MAST hash function is more costly than anything else...
10:24 < adam3us> btw about pegged side-chain, i think the actual spv proven side->main protocol would not need to be run. it's just a threat that it could be run. cross chain-atomic swaps can do the actual swap. and market makers can do it. if volume dries up or mkt maker low on funds he can clear via side->main spv proof.
10:24 < nsh> petertodd, what's MAST?
10:24 < gmaxwell> adam3us: it needs to be run some, but perhaps not much.
10:24 < petertodd> nsh: merkleized abstract syntax tree
10:25 < nsh> ah, ty
10:25 < gmaxwell> petertodd: I don't think it would be efficient to force every branch to be mast, besides loops with unknown depth can't be separately mast-ed.
10:25 < adam3us> gmaxwell: yes. it depends on the willingness of mkt maker to hold btc funds. someone with big long term btc holdings anyway would be willing to mkt make all-day-long for 0.1% or whatever, it's near free risk free money for executing a script. it's a form of interest for btc holdings
10:26 < petertodd> gmaxwell: which is my serious point: turing completeness often gives you more efficient code in cpu and code size
10:26 < gmaxwell> adam3us: I mean, you'd need to have at least one execution to get funds there in the first place.
10:27 < gmaxwell> petertodd: certainly low level opcodes do not.
10:27 < gmaxwell> adam3us: but yea, that was part of my point when we previously discussed. It can be expensive because it's not a primary daily mechanism.
10:27 < adam3us> gmaxwell: agreed. mkt makers might need to do rare large tx in whichever direction is leading to a liquidity exhausting direction. but the mkt maker spread should be tiny as anyone holding btc can do it, and they can do it with airgap security if they want trezor/armory so there should be lots of security
10:28 < adam3us> gmaxwell: agreed. i think everything i just said was in the original thread. just emphasizing how cool that is :)
10:29 < gmaxwell> sipa: I think you could perhaps resolve the selection complication by just counting each byte as one instruction too, and have only an instruction limit. Then at least the optimization can remain in one dimension.
10:29 < gmaxwell> I still think implementors will totally screw up their instruction counting, esp when slower scripts start driving them to JIT.
10:30 < gmaxwell> it might help if every signature needed to have its final instruction count with it, and they're forced to match exactly.
05:02 < maaku> by reorg attack you mean 51% / 100% attack?
05:02 < petertodd> maaku: oh! actually, this is perfect: voting on the inflation rate naturally has an opposed set of incentives - set a minimum rate, and let people proof-of-stake vote increases in it.
05:02 < petertodd> maaku: or really s/inflation/demurrage/ to make it PR acceptable
05:02 < EasyAt> maaku: I'm curious what warren means by reorg attack
05:03 < petertodd> maaku: which is perfect because demurrage is the only sane way to fund mining long-term (+ tx fees, but never only tx fees)
05:03 < warren> maaku: lots of the little pure PoW coins seem to come under reorg attacks often
05:03 < warren> but I never hear of it happening to freicoin
05:04 < petertodd> maaku: I suspect with rates like 0.1% to 3-5% the loss per year is low enough that users may be willing to vote it up, which is fine, and gives some agility to attacks that might do some good.
05:05 < EasyAt> petertodd: Is it still demurrage implies the value is being redistributed to miners whether the currency is transferring or not.
05:05 < maaku> petertodd: we haven't found a way to auto-regulate demurrage rates, or a voting scheme which doesn't assume the electorate is altruistic macroeconomics professionals
05:05 < EasyAt> As in you have a tax just for holding and not moving currency
05:06 < EasyAt> inflation essentially
05:06 < maaku> hence the fixed 4.9% ... a fluctuating rate would actually be ideal, but I don't know how to do that securely and safely
05:06 < maaku> EasyAt: no, it's a fee on all money, full stop. moving or hoarding doesn't make a difference.
05:06 < EasyAt> interesting
05:06 < EasyAt> So no penalty whether you move or hold
05:07 < maaku> well, the same penalty i guess
05:07 < maaku> warren: we've not really been subject to such attacks
05:07 * maaku knocks on wood
05:07 < maaku> but really it makes no difference what pow algorithm you use
05:07 < warren> I know
05:07 < maaku> i assume you're talking about 51% attacks
05:07 < warren> yes
05:07 < petertodd> maaku: right, but my point being, the worst outcome is the rate drops down to some low minimum value hopefully high enough to keep attackers at bay indefinitely. The best outcome is that if it looks like miners do need more incentive, human altruism can do some good. Will that happen? Who knows, but the downside is just technical risk.
05:07 < EasyAt> Is a reorg attack a 51% attack? or something very similar
05:08 < maaku> warren: long term, we're moving to merged mining
05:08 < EasyAt> maybe less hash stake than 51% but getting lucky and reorging in your favor?
05:08 < warren> EasyAt: You don't need 51% to do a "51%" attack.
05:08 < EasyAt> warren: that's what i mean
05:09 < EasyAt> maybe less hash stake than 51% but getting lucky and reorging in your favor?
05:09 < EasyAt> is what i said
05:09 < maaku> petertodd: if the goal is just to provide limited income to miners, that's a good strategy. i could see it reaching steady-state at the security & profit break-even point (but maybe there are some game dynamics at play too)
05:09 < maaku> but with freicoin, the desire is 0% basic interest, which I don't believe such a scheme would achieve
05:11 < maaku> warren: we have done the easy stuff (fix time traveller bug, no asymmetrical diff adjustment, etc.), but also we have a much faster acting (but stable!) FIR-filter difficulty adjustment algorithm
05:11 < maaku> so that also helps
05:13 < petertodd> maaku: thing is you don't care about profit, you just care that a given % of the total value of the coin goes to paying for hashing power guaranteed.
05:13 < petertodd> maaku: I'm not seeing how that turns into game dynamics assuming reasonable decentralization
05:16 < maaku> petertodd: so in freicoin there are two knobs to tweak: (1) the demurrage rate, and (2) how much of that goes to the miners (vs other distribution mechanisms, such as the above-mentioned 'republicoin' proof-of-stake voting)
05:17 < petertodd> maaku: right, where I'm proposing a system with just knob #1
05:17 < maaku> i can see how a secure voting mechanism could lead to the latter (although I don't have such a protocol, yet), but not the former
05:17 < maaku> yeah i figured you don't care about the other aspect, but that's the context in which I'm working on this
05:17 < petertodd> no, I think it's the other way around, because the former have opposite incentives than the latter, guaranteed. (assuming no external attack threat)
05:18 < petertodd> after all, miners can always refuse to mine a transaction due to too-low fees - refusing to mine because of too-low % vote is not much different
05:18 < petertodd> and if anything, that's much less likely to be gamed in many senses
05:18 < maaku> i think that's what I meant - it's late here, i must have switched them in my mind
05:18 < petertodd> ah good
05:19 < petertodd> speaking of, I proof-of-stake vote all the demurrage to myself
05:20 < maaku> i expect you could construct a voting scheme for regulating the rate of income given to miners, I don't think a voting scheme would work to set demurrage rate at what is necessary to achieve 0% basic interest
05:20 < petertodd> "0% basic interest"?
05:21 < maaku> petertodd: do you have majority stakeholder vote?
05:21 < petertodd> maaku: not yet, but the moment I do it's a tipping point...
05:21 < maaku> we're anticipating that if we structure the elections properly, we will have competing factions that form governments, and the real-world outcome is that you won't get 51% votes to "pay ourselves"
05:22 < maaku> i'd like to formalize that argument before we deploy though
05:22 < petertodd> yeah, probably true enough
05:22 < maaku> hence the name "republicoin"
05:22 < petertodd> I'd sure as hell formalize it - just look at all the screwy things with incentives that have been found lately
05:22 < maaku> yeah
05:23 < maaku> basic interest == liquidity premium, when we're talking about currency
05:23 < petertodd> rght
05:23 < petertodd> *right
05:27 < maaku> Gesell wrote several monographs showing how the parasitic behavior of the financial industry and government, and the ruinous effect that has on society is due to the liquidity premium
05:27 < maaku> https://www.community-exchange.org/docs/Gesell/en/neo/
05:28 < maaku> so the experiment of freicoin is: set the liquidity premium = 0%, and see if that helps create positive economic incentives, as predicted
05:29 < petertodd> ...and the experiment you actually have wound up running, is will cryptocoin people ever adopt anything with demurrage?
05:30 < maaku> haha, surprisingly the answer is a mild yes
05:30 < maaku> but no, we've been targeting groups outside of bitcoind
05:30 < petertodd> indeed, and I wasn't saying that in a negative way! I'm quite happy to see *that* experiment happen even if I don't give a damn about economic theory :)
05:31 < maaku> while most freicoin users may have heard of, downloaded, and maybe used bitcoin, most of them did not become active until they got involved with freicoin
05:31 < maaku> and we've mainly been reaching out to monetary reform groups, which surprisingly haven't heard of or done anything with bitcoin either
05:31 < petertodd> there were some occupy types adopting it or something similar IIRC?
05:32 < petertodd> and agreeing to use a decentralized demurrage cryptocurrency is wonderfully democratic
05:32 < maaku> we framed the original crowdfund campaign in the language of occupy, but surprisingly there was very little interest
05:32 < maaku> we've seen interest peak the most in the regional/community currency movement
05:32 < petertodd> huh, too abstract maybe
05:33 < maaku> possibly, or maybe even too concrete. the problem with occupy is that they all have agreement on the problems, but 100 protestors have 101 different solutions in mind
05:33 < maaku> this wasn't the solution any of the occupy people we talked to had in mind ;)
05:34 < petertodd> did they add it to their mental solutions list? because if so you added to the problem :P
05:35 < petertodd> you know, one of the annoying things about crypto-currencies is how the basic dynamics of proof-of-foo make experimentation hard - normally a small currency experiment might be worthless, but it is secure
05:36 < maaku> you'd think it'd be a perfect match though - occupy prime problem is the banks that control directly or indirectly so much of our society. gesell's basic thesis is that liquidity premium is the root cause of that. problem identified, solution provided...
05:36 < petertodd> "wtf is liquidity premium? sounds like something a banker would talk about"
05:36 < maaku> heh
05:37 < petertodd> I'm glad that you're self-aware enough to laugh at that!
05:40 < maaku> Well I (and Gesell) are not anti-banker - gasp! Gesell is totally a free-market capitalist, and so am I.
05:40 < maaku> What Gesell is against is the unfair advantage banks have, and how they naturally use that advantage to ill gain
05:41 < maaku> He then goes to considerable length in showing how that advantage is exactly equal to "basic interest" - that interest which remains after you subtract out the risk premiums, time preference, etc.
05:41 < petertodd> yeah, of course, monetary issues aside, understanding credit risk is something where scale leads to bigger profits
05:41 < maaku> So neutralize that, and you've got a level playing field - banks want to loan to you just as much as you need them
05:42 < petertodd> rick premiums aren't easy to measure after all
05:42 < petertodd> *risk
05:42 < maaku> yeah they're not
05:43 < maaku> but people who have money should be entitled to the reward of taking that risk
05:43 < maaku> they just shouldn't be entitled to that reward... + 5% for absolutely no reason
05:44 < petertodd> right, otoh if the cost of figuring out that premium works out to be 5%, well, what's the difference exactly?
05:44 < petertodd> real world will be somewhere in between, but it might not make such a big difference is my point
03:27 < petertodd> I had a scar for ages myself on my thumb due to a photoflash circuit...
11:19 < jgarzik> petertodd, random note, perhaps obvious: USB and PCI traffic may be observed, just like ethernet traffic
11:19 < jgarzik> (recalling conversation a while ago)
19:57 < petertodd> So I think you can do compact NI proofs of colored coins: suppose I have a tx with two colored coin inputs, each worth 1BTC.
19:58 < petertodd> I just need to select one of those txins randomly, and prove (via a proof back to genesis) that it's a real colored coin txin.
19:58 < petertodd> Now if I try to make a false tx proof, with only one real input, I have a 50:50 chance of destroying my colored coin output by spending it to an invalid transaction that doesn't have a valid proof, so when you add it all up I can't get ahead.
19:59 < petertodd> The same applies for n inputs, and equally inputs that aren't equal in value provided I select the inputs in a weighted random fashion.
20:00 < petertodd> As for the random number, the best I can think of is to take the next n blockhashes, compute hash % n, and take the mode to select the input I prove.
20:00 < gmaxwell> meh, it's 50:50 for the cheater though. He doesn't care if four steps down the new NI proof catches the cheating.
20:01 < petertodd> Well, this is the thing: every proof is a full path all the way to genesis of one txin - I don't think I can do better than that. But at least it's just one path, O(n) size.
20:02 < gmaxwell> right but the cheater has 50/50 odds of winning in their cheat.
20:02 < petertodd> Sure, but their expected return is still zero.
20:02 < petertodd> slightly negative including fees
20:03 < gmaxwell> oh because it destroys their coin if they lose.
20:03 < petertodd> exactly
20:08 < petertodd> Now, see this works especially well with mastercoin, because every tx sends a fee to the exodus address.... :/
20:10 < gmaxwell> I think it only does that because ... that's basically the only mental tool that they have available to identify the mastercoin transactions.
20:11 < petertodd> yeah.... as you may have guessed I'm the guy who offered to write them a proper spec
20:11 < petertodd> I don't have high hopes :/
20:15 < gmaxwell> Well, I think you hurt their feelings, since I got a PM asking for feedback on their crazy checkmultisig stuff saying that you were demanding a lot of money to tell them the flaws in it. :P
20:15 < sipa> heh, i got the same mail :)
20:15 < petertodd> I'm not exactly surprised. Though he's remarkably friendly to me.
20:15 < sipa> they told me it was you
20:16 < petertodd> Lol, technically I haven't talked about money yet...
20:17 < petertodd> I'm *really* not happy with how he's going about it all, on the other hand, I don't think he's a bad guy, just naive and clueless.
20:17 < petertodd> Not his fault the community is crazy.
20:17 < sipa> he certainly doesn't strike me as a scammer
20:18 < petertodd> Me neither, but I also don't think he's going to wind up making something worth a half million...
20:24 < gmaxwell> sipa: they told you it was me? or that it was peter?
20:24 < sipa> peter
20:25 < sipa> they didn't tell you?
20:25 < gmaxwell> oh yea, sure, and I didn't disbelieve it. I think I said that I wasn't super inclined to give them free consulting as I viewed what they were doing as harmful to and competitive with bitcoin.
20:28 < petertodd> gmaxwell: I told him I wasn't as worried about UTXO harm, as I was about the whole thing blowing up and going nowhere because it's a bad idea.
20:29 < gmaxwell> That was also my conclusion after it was mentioned they were using a bc.i wallet... I dunno if I said that on the forum. I feel really bad, I suspect everyone involved is just hopeful but misguided.
20:30 < petertodd> Yup. I was pretty harsh in my first post - I wouldn't have in another situation - but given the money involved it deserved bluntness I think.
20:30 < midnightmagic> International journal of network security & its applications is the shittiest online journal I've ever had the displeasure of grovelling through.
20:30 < midnightmagic> (sorry for the interruption)
20:37 < gmaxwell> Yea, indeed, the fact that they were soliciting (and received) a ton of money also reduced my typically overwhelming level of charm.
20:38 < petertodd> An amount of money that makes me more than happy to ask for some too.
21:03 < gavinandresen> "give me money and I'll tell you why your idea sucks" is never going to make friends, though.
21:04 < petertodd> Meh, what I was offering to design wasn't his idea actually. (the tx encoding)
21:26 < jgarzik> hah
21:26 < petertodd> jgarzik: ...says a lot about the project...
22:06 < warren> didn't ecocoin offer money for a security audit?
23:31 < amiller> hm.
23:34 < amiller> you know, my approach would basically end pooled mining
23:34 < amiller> anyway, i have been struggling with this zero knowledge proof of work signature thing
23:34 < amiller> all the straightforward things i came up with just using discrete log tricks don't really work
23:35 < amiller> the ones you can do zero knowledge over directly aren't good crypto hash functions
23:35 < jgarzik> amiller, ending pooled mining would be fine, though it will never happen due to inertia ;p
23:36 < amiller> jgarzik, well if my doom&gloom prediction comes true and hosted mining starts to catch on...
23:36 < amiller> it would be good to have a solution in store!
23:36 < amiller> anyway so i know i can use Pinocchio (or TinyRAM) to do zero knowledge proofs of work generically
23:36 < amiller> the downside is it takes a long ass time to construct the proof, even if verification is pretty efficient
23:37 < amiller> so...
23:37 < amiller> the clever way out is that the use of this zk proof of work is really only needed as a special device to prevent hosted mining
23:37 < amiller> you have to have the "option" of doing a zk PoW, but ordinary users wouldn't actually have to take that option
23:37 < amiller> you can decide after the fact
23:38 < amiller> empirically it would take about 1 minute to produce the zk PoW for 2xSHA256 using pinocchio
23:38 < amiller> it could be parallelized too
23:38 < amiller> if it's only meant to prevent cloud mining, then it only has to be plausible for a cloud service provider to take that option!
23:40 < nanotube> people already trust pools not to skim/steal. what people /won't/ trust is other miners not to steal. so to really end pooled mining you have to enable other miners to appropriate more than their fair share (or steal entire blocks)
23:41 < amiller> stealing entire blocks is exactly what i'm suggesting
23:41 < nanotube> stealing by pool operator, or by fellow peer miners?
23:41 < amiller> by fellow peer miners
23:41 < nanotube> ah, in that case... carry on. :)
23:42 < nanotube> i just saw you said that a "cloud service provider" can do something, so i assumed that wouldn't include a random fellow miner.
23:42 * nanotube hasn't really been reading this discussion :)
23:43 < amiller> normally you commit to your transactions before you do the mining
23:43 < amiller> but to prevent outsourcing, i want to make it possible to bind to transactions after the fact
23:44 < amiller> also to use the proof of work without revealing anything about the nonce or extranonce you used, all of which might make the work 'detectable'
23:44 < amiller> to prevent outsourcing, there has to be a "perfect temptation" for the miner to claim the work for itself without any risk of getting caught!
23:45 < amiller> basically i'm recommending using the TinyRAM or Pinocchio zero-knowledge-proofs-for-C things
23:45 < amiller> as an alternate way of claiming the work
23:45 < warren> nanotube: solution withholding attacks already happen on pools
23:45 < amiller> warren, solution withholding isn't as good a threat as solution-stealing
23:47 < nanotube> warren: yes, but you don't get any money if you withhold.
23:47 < nanotube> and griefing with no profit (or even a small monetary loss) is practically speaking not a realistic threat.
23:48 < warren> nanotube: it works on competing PPS pools
23:49 < nanotube> well, define 'works'. does anyone actually make any money out of it? :)
23:49 < nanotube> sure you can drive a pool out of business with this. but that's about it.
23:50 < nanotube> amiller: yea, miner being able to grab a solution for himself by ex-post attaching himself as payout would be just right. :)
23:50 < warren> nanotube: I'm just saying that's what happens
23:51 < nanotube> well sure, but as an individual miner, i don't have to care about it. if my pool goes out of business, i just move on.
23:51 < nanotube> (as long as i set up autopayouts to be relatively frequent :) )
23:52 < warren> an interesting phenomenon now is "switch mining"
23:52 < warren> all the coins using the same hash have pools that transparently switch to a different chain that is more "profitable" at that moment
23:52 < warren> causes huge swings of strip mining and stagnation
23:53 < nanotube> hehe nice
23:54 < warren> forget about "51%".... 5000% can be pointed at a target
23:55 < warren> that's why you see them deploying centralized broadcast checkpoints now
23:56 < nanotube> so in other words, being a latecomer with the same hash, you can no longer be decentralized like bitcoin eh
23:56 < nanotube> talk about first mover advantage eh
23:57 < warren> there's a great many scrypt clones based on 0.6.3 now
23:58 < nanotube> hmm
23:58 < warren> and others are deploying with scrypt-jane or other hashes
23:58 < nanotube> the floodgates have opened
--- Log closed Tue Sep 17 00:00:46 2013
--- Log opened Tue Sep 17 00:00:46 2013
00:04 < amiller> the sad thing is i'd like to actually support pooled mining
00:04 < amiller> like if people's motivation is to lower their variance, there's nothing bad about that
00:04 < amiller> especially if they have their own hashpower
00:04 < amiller> it actually supports decentralization to support something like that
05:37 < gmaxwell> mappum: not at all, in fact. go try fetching the bitcoin blockchain torrent with no trackers.
05:37 < petertodd> gmaxwell: I've got enough older friends to be scared shitless in an existential way already...
05:39 < mappum> interesting
05:42 < gmaxwell> mappum: bittorrent dht is mostly fail, it works .. kinda.. for very large swarms that can also do peer exchange, but mostly it just ends up helping people find other trackers. For small swarms it'll often spin finding nothing even when it's not getting attacked.
05:42 < gmaxwell> It made sense in the bittorrent model because it was just enough more to make it so that you couldn't kill one (or a couple) original trackers and take out a swarm.
05:43 < midnightmagic> lol
05:43 < midnightmagic> you're never getting away from dhts are you
05:43 < gmaxwell> http://bitcoinstats.com/irc/bitcoin-dev/logs/2012/04/16#l1334585717
05:44 < mappum> sorry, i didn't know it was such a hot button D:
05:44 < midnightmagic> haha
05:45 < gmaxwell> meh, it's not a hot button, it's just .. common. Well, not in #wizards.
05:45 < gmaxwell> But there was a period of time when we couldn't go days without someone joining #bitcoin-dev and responding to the very first thing they heard with USE A DHT.
05:45 < midnightmagic> mappum: the endless, endless stream of users who come in to #bitcoin and insist we adopt dht rather than dns/irc for initial peer discovery is really astounding. it's just a running joke is all. no worries man.
05:46 < petertodd> mappum: pro-tip: suggest fidelity bonds instead, like a fidelity-bonded DHT
05:46 < gmaxwell> or instead of *, you name a technical challenge we've had in the bitcoin ecosystem and someone has suggested a DHT to solve it.
05:46 < gmaxwell> Signature validation slow? Use a DHT. etc.
05:47 < mappum> well i'm glad, i hadn't thought about the vulnerabilities. i'll have to think about making mine sybil-proof and manipulated-hash-proof
05:48 < gmaxwell> in your case, I don't see how a dht ID helps you. the pool would just store all the data for all the dht IDs. and could just produce work for any of them (assuming there was even an incentive in the system to not just have one ID)
05:48 < mappum> right, i realized that's not the solution, i'm just too tired to do the thinking right now
05:48 < gmaxwell> The nearest thing I've seen to a strong DHT system is cjdns.
05:48 < gmaxwell> and it uses the 'dht' only for routing.
05:49 < gmaxwell> maybe freenet, though freenet is ... uh.. really lossy.
05:49 < petertodd> gmaxwell: yeah, though being lossy is part of how they handle spam
05:49 < gmaxwell> and freenet opennet is not secure, while freenet darknet and cjdns are rather similar in many respects.
05:50 < gmaxwell> right, freenet works, but mostly because it doesn't promise very much. :P
05:50 < petertodd> gmaxwell: though freenet opennet is not secure in the same sense that tor isn't all that secure either...
05:50 < petertodd> gmaxwell: underpromise and... deliver
05:51 < gmaxwell> petertodd: I mean, opennet has some trivial sybil vulnerabilities. Tor doesn't but only because of the centralized directory authorities.
05:51 < gmaxwell> darknet freenet loses the sybil risk for the same reason cjdns does. the users are expected to not select sybil peers.
05:52 < petertodd> gmaxwell: right, although I'm not sure the directory authorities actually help that much - they can't know if someone is logging
05:52 < petertodd> gmaxwell: they are only able to keep the system safe from sybils attempting to make Tor not function
05:57 < petertodd> gmaxwell: oh, speaking of, i2p has hashcash on their todo list: http://www.i2p2.de/todo
05:58 < gmaxwell> hashcash, in java, tm.
05:59 < petertodd> gmaxwell: heh, Bitcoin sacrifice is the only sane way to do it
06:10 < adam3us> btw sdl (sergio damien lerner) claims to have an efficient unpublished anonymity solution https://bitcointalk.org/index.php?topic=305791.msg3733685#msg3733685 which he has not published for a year for "ethical reasons"??
06:11 < petertodd> SDL is weird...
06:13 < adam3us> petertodd: my response "I'd sure publish it immediately if I had figured it out and feel I did a good thing for society." and "Personally I think gambling has far more ethical worries than users being able to transact privately with something approaching the analogous already existing levels of privacy in other systems. For some people gambling becomes a near ruining addiction."
06:13 < petertodd> adam3us: you're doing well with these responses lately you know
06:14 < gmaxwell> adam3us: s/some/many/
06:14 < gmaxwell> it's shocking.
06:14 < adam3us> petertodd: (his phd thesis is about fair poker) and i think he looked at anonymity because he wanted to reduce scope for gaming collusion where you can cheat
06:14 < gmaxwell> in any case, IIRC the appecoin thing was he basically proposes you make the entire txout set a reencryption mix and every miner reencrypts it every block or something.
06:15 < petertodd> adam3us: was eye opening a few months ago when I mentioned that satoshidice wanted to hire me for some analysis to my boss, and he thought doing so was totally unethical based on it being gambling - he wouldn't have raised an eyebrow if I'd told him DPR wanted to hire me
06:15 < gmaxwell> (which is a protocol you'd expect from a guy who did research on mental poker)
06:15 < adam3us> gmaxwell: hmm that doesn't sound so good for end2end privacy, it's trust-me privacy with the current random block winner?
06:16 < gmaxwell> (e.g. the same way that you shuffle in some poker schemes)
06:16 < adam3us> gmaxwell: y'know maybe i vaguely read that in something he wrote now you mention it
06:16 < gmaxwell> adam3us: well sort of, they shuffle the _whole_ utxo set, so even though each block winner knows his mix, the set of all block winners is presumably strong.
06:16 < gmaxwell> unless mining has become 100% centralized.
06:17 < gmaxwell> (or unless people are bribing miners for permutation lists)
06:17 < petertodd> gmaxwell: needs to be some way to make releasing the permutation list risky, like if you could somehow use that info to steal the block reward
06:17 < gmaxwell> but of course, reshuffling the whole utxo every block (or even every N blocks) is completely unrealistic.
06:18 < gmaxwell> and the cut and choose proofs required to show that the shuffle was fair wouldn't be small. (well perhaps, I did post some optimizations which might help, at the cost of making them expensive to verify)
09:04 < adam3us> gmaxwell: yes i think having shuffling miners do a provable encrypted shuffle of utxo (or a subset of it) is interesting, i meant it's not as secure as blinding like zerocoin which can be unconditionally secure anonymity (and doesn't rely on trust of a random, though growing over time, collection of miners)
17:07 < phantomcircuit> gmaxwell, *cough* https://github.com/mycelium-com/wallet/issues/9
17:10 < gmaxwell> phantomcircuit: thanks, bleh. https://github.com/mycelium-com/wallet/issues/9#issuecomment-29424301
17:10 < gmaxwell> I don't understand why this particular BIP got a firestorm of attention recently.
17:11 < gmaxwell> phantomcircuit: on that subject, your commentary on https://bitcointalk.org/index.php?topic=258678.0 would be helpful.
17:11 < gmaxwell> jrmithdobbs: as would yours.
17:14 < phantomcircuit> gmaxwell, i'm not sure my understanding of ECDSA is strong enough to usefully comment on it but i'll give it a read anyways
17:14 < gmaxwell> phantomcircuit: it's all symmetric crypto.
19:42 < midnightmagic> btw, the public domain assertion in that hd wallets-with-optional-encryption is a potential law-bomb.
20:06 < sipa> ?
20:15 < midnightmagic> sipa: there are many places where assigning something to the public domain isn't possible, and doesn't serve as a disclaimer of rights. apparently. it has to be something more, like "this work can be used for any purpose, by anybody, forever. also at your own risk blah blah. also we grant you royalty-free use of any of our applicable patents blah blah we promise not to patent-troll you later blah blah."
20:15 < midnightmagic> it's why OSI rejected the copyright commons 0 license
20:19 < gwillen> midnightmagic: er, the whole point of the commons-0 license is to have that wording in it
20:19 < gwillen> where you put it in the public domain if you can, and if not you grant all rights to everybody forever etc. etc.
20:20 < midnightmagic> gwillen: The lack of patent language killed it. http://opensource.org/faq#public-domain
20:20 < gwillen> midnightmagic: I'm reading the faq right now, it appears that the opposite is true
20:20 < gwillen> midnightmagic: what killed it is that there _was_ patent language
20:20 < gwillen> that specifically said patent rights are _retained_
20:21 < gwillen> and apparently OSI thought that was worse than licenses that don't mention patents at all
20:22 < midnightmagic> Right.
20:22 < midnightmagic> "We retain the right to sue you into oblivion whenever we want."
20:22 < gwillen> *shrugs*
20:22 < gwillen> it seems like a minor thing to me
20:23 < gwillen> since it's very likely that patent rights are in fact retained when using an actual public domain dedication, where possible
20:23 < gwillen> or a simple open source license
20:23 < gwillen> e.g. when using the MIT license which I think has no mention of patents at all
20:28 < phantomcircuit> http://hackingdistributed.com/2013/11/27/bitcoin-leveldb/
20:29 < phantomcircuit> warren, gmaxwell ^
20:30 < warren> yeah
20:32 < phantomcircuit> if that's really leveldb's mmap strategy
20:32 < phantomcircuit> that is retarded
20:34 < cfields> phantomcircuit: agreed. It seems very inefficient and dangerous to me.
20:34 < phantomcircuit> tbh most everything about the implementation of leveldb seems insane to me
20:34 < phantomcircuit> such as journal entries not having sequence numbers
20:34 < gwillen> it does seem odd to me that munmap doesn't flush
20:34 < gwillen> that's really weird behavior
10:36 < pigeons> well i know a few miners who see the control they exert as protecting the network from things like spam transactions
10:36 < adam3us> jtimon: so even their reward would be lost
10:37 < pigeons> and things like the address-reuse deprioritization wouldn't be possible i suppose
10:37 < jtimon> how and why would users ignore censor miners and how do they find out what blocks are censored?
10:38 < adam3us> pigeons: the fact that we have pools at all people seem to think was an unfortunate unforeseen technology limitation.
10:39 < jtimon> well, my argument is the same as with the ghash.io topic: p2pool/eligius pools are not a problem
10:39 < adam3us> jtimon: well that's the objective, to arrange that this would happen. for it to happen unfortunately i think only committed-tx can be considered valid. or all clients have a button in them or a switch over mechanism that public tx can be disabled in event of widescale problems
10:39 < adam3us> jtimon: it's a technical insurance policy or threat.
10:40 < jtimon> I think inputs-only transactions would have a similar anonymity effect and they seem more scalable to me
10:40 < pigeons> it's a shame it seems like it's not technical limitations keeping p2pool adoption from increasing as much as places like ghash
10:40 < jtimon> and also more "compatible" with regular txs
10:40 < adam3us> jtimon: how does that work? do u mean where the output is p2sh so the miner can't tell who it is being paid to?
10:41 < pigeons> and it's not technical limitations why stratum is much more widespread than gbt
10:41 < pigeons> but yeah the limitations existed at the time pools emerged and grew
10:41 < adam3us> pigeons: ghash also has lots of hw in their datacenter. but the herd mentality that gets people to give % of their mining reward to miners when it is not necessary is strange yes.
10:43 < adam3us> jtimon: if inputs-only means output addr is obscured via p2sh i think it's a significantly weaker mechanism. most of the policy relates to history not static receipt address censor. it's easy to make new addresses (or sender derived address like stealth)
10:43 < jtimon> adam3us: this is petertodd's very open design https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03307.html
10:44 < jtimon> but let me summarize the way I see it integrated with regular transactions
10:45 < jtimon> transactions only include inputs, not outputs, and miners only include them if none of the inputs they contain have been seen (you need expiries in the TXI set for scalability)
10:46 < jtimon> the inputs may actually be garbage, refer to outputs that don't even exist
10:46 < jtimon> and all the history of the outputs is transmitted directly between users, it doesn't touch the chain
10:46 < jtimon> makes sense?
10:47 < jtimon> well, I haven't really thought much about interoperating with regular transactions (going from private back to public)
10:48 < jtimon> the main problem here seems to be: how are fees paid?
10:48 < jtimon> and the only answer seems to be pow fees
10:48 < jtimon> petertodd doesn't go beyond that
10:48 < jtimon> I think you could have a regular blockchain
10:49 < jtimon> and optional pow fees
10:49 < jtimon> which miners can somehow "add" to their per-block PoW
10:50 < jtimon> maybe you want to combine it with the "orphan blocks count for the total pow of a given chain" thing on that academic paper
10:50 < adam3us> jtimon: btw the first half of that writeup was stuff i summarized to petertodd (the entanglement, timestamp/namespace/minimum validation required) he could've mentioned it... i didn't read the rest of it before to see the txin proposal. it seems like a subset of committed tx
10:51 < jtimon> yeah, seems very similar
10:53 < adam3us> jtimon: he could've alternately written "hey here's some stuff adam told me he explored, and i have another idea why don't we tweak committed tx to expose the txin" :) i think that is a more accurate summary of what he wrote.
10:54 < adam3us> jtimon: the thing is as i said above probably the bulk of the policy risk is based on the history. the thing about passing history around off-chain was in the committed-tx writeup
10:55 < jtimon> if he had done that I would have explained the txin proposal to you much faster ;)
10:56 < adam3us> jtimon: and to include clear txt tx-in exposes history. or alternatively if the txin is unlinkable because it's never published (it's ambiguous at the end) then what he wrote IS committed-tx
10:56 < adam3us> jtimon: (yeah sorry i was reading the post so i didn't see your explanation above until you wrote quite a bit, you were writing while i was reading)
10:57 < jtimon> np
10:58 < adam3us> jtimon: i think gmaxwell said in the committed-tx thread it might nearly but not quite be implementable with script.
10:58 < jtimon> that post of his reminded me of a discussion Ryan and I had about a txid-only chain for one of our ripplecoins
10:59 < jtimon> we wanted to put the pow in transactions
10:59 < jtimon> if you made the pow on top of another transaction, the pow was "summed up" (we didn't think in detail about that PoW addition operation)
11:00 < jtimon> so people will commit their transaction on top of the longest chain they see
11:01 < jtimon> and then we needed a git-like merge
11:01 < adam3us> jtimon: yes i was wondering about something like that. i had a PoW variant with addition, however it is very approximate addition and has variance reduction so creates mining fairness issues.
11:01 < jtimon> but we realized that didn't prevent double spendings ;(
11:02 < jtimon> adam3us: ok, but it's good to know that it's not completely impossible
11:03 < adam3us> jtimon: well ghost protocol could reduce sensitivity to how long it takes to reach consensus (ie not so concerned about orphan rate anymore).
11:03 < jtimon> I think it started here? https://bitcointalk.org/?topic=4382.0
11:05 < jtimon> disclaimer: we were mainly interested in ripple, so we just really wanted a minimal p2p timestamping mechanism
11:05 < adam3us> jtimon: i was thinking of something related that ideally you would like to allow users to direct mine for small reward without pools and ended up with something ghost-like. i was thinking it's too complicated and the incentives looked like they could work but were also more complicated rules, and maybe more bandwidth a bit. so i thought this is too inelegant. seemingly the ghost authors thought it ok.
11:05 < jtimon> if this tx id gets into the chain before expiry, all the sub-txs in it are valid, otherwise none is valid
11:06 < adam3us> jtimon: i see in the rfugger thread u linked that you and he had a similar idea about building on non-conflicting orphans. why not indeed, link them all in by reference.
11:06 < jtimon> sorry don't know ghost
11:07 < jtimon> my latest idea as said was that miners added the user's tx-pow to their block pow
11:07 < adam3us> jtimon: there is an academic paper. they claim if you don't ignore orphans but hash into the coinbase non-conflicting orphans and change a few things you can have faster block interval without convergence problems
11:08 < jtimon> oh, that's ghost? yeah, that's what I meant by "maybe you want to combine it with the "orphan blocks count for the total pow of a given chain" thing on that academic paper" earlier
11:09 < adam3us> jtimon: see it seems to me desirable that a user can claim anytime during the 2 week retarget period any work of even small value. then we have less centralization risk. now a way to do that is separate reward from voting.
11:10 < jtimon> the user's reward is getting their transaction into the block, why would they get anything else?
11:10 < adam3us> jtimon: so why not mine on a public key that you use to vote.. then the voting power of the public key is related to the amount of pow on it. and you can use it with a sort of PoS like vote
11:10 < adam3us> jtimon: i mean not specifically about your per tx pow, but that i wanted to be able to solo mine say 0.01 btc and claim it reliably without needing pools
11:11 < jtimon> what's the purpose?
11:11 < adam3us> jtimon: dislike of mining pool centralization risk :)
11:11 < jtimon> the purpose of mining is validation not distribution
11:12 < adam3us> jtimon: so i tried to explore how could i solo mine. one answer is to be able to mine for smaller amounts.
11:12 < jtimon> but if you're mining old stuff, why should the network reward you?
11:12 < adam3us> jtimon: agreed. but maybe it can be a two stage process. stage 1 mine for small coinbase-like reward, stage 2 use PoS on the coinbase reward to vote for fee reward
11:13 < jtimon> I tend to distrust PoS
11:13 < adam3us> jtimon: u would be mining only your public key. it's a kind of micro-level PoS within the 2 week retarget interval only or something
11:14 < jtimon> in freicoin the retargeting is 9 blocks and if bitcoin ever hardforks I would suggest to update to our filter too
11:14 < adam3us> jtimon: agreed PoS is not economically attractive. centralization of vote via money instead. not pretty. and many PoS have actual protocol defect to allow mining on multiple candidate blocks in parallel so devolve to PoW
11:15 < jtimon> "mining only your public key" how do you mine "on a public key"?
11:15 < adam3us> jtimon: my idea is not at a working stage, this was just as close as i got.
11:15 < jtimon> oh, I see
11:16 < justanotheruser> Do you think PoS could ever work in a currency?
11:16 < adam3us> jtimon: the idea is mining is like to get the right to vote on what the next block is. so i thought well why can't i mine on a signature key, and then use the signature key to cast a weighted vote. maybe i can get the same feature but with more flexibility in minimum mining contribution and minimum reward. and so less dependence on pools.
11:17 < adam3us> jtimon: but it tends to have problems. could i sell the vote. could i save up voting power for one transaction to double spend it etc.
11:17 < jtimon> ok, now I get the point
04:09 < adam3us> gmaxwell: i guess we could impose some sanity eg reward < 50 as fees are << reward for now - no good thing can come. i know someone could accidentally spend > 1btc fee but that is probably a mistake
04:10 < adam3us> gmaxwell: local submission could be good for that reason
04:10 < gmaxwell> adam3us: there are blocks with subsidy >> 50
04:10 < adam3us> gmaxwell: but surely that's a costly mistake rather than anything good
04:10 < gmaxwell> I think the record holder is something like 350 or something like that.
04:10 < maaku> people have accidentally spent 100's btc fees
04:11 < adam3us> maaku: right, but it's a mistake - you could usefully declare such transactions invalid (some simple heuristic)
04:11 < gmaxwell> in any case, limiting inflation to 25 BTC from space doesn't really help that much. Esp since you can create inflation against spv clients simply by spending inputs that never existed.
04:11 < maaku> adam3us: does it matter? if you don't claim it some other pool will
04:11 < adam3us> maaku: as i understand it miners were gracious enough to refund it, but they would not have to
04:12 < maaku> at least if you claim it you can be kind and offer it back
04:12 < adam3us> maaku: well if it's invalid it's not even forwarded, your client should reject even sending it - mistakes where people lose large amounts of money are not good
04:14 < adam3us> see it's an interesting thing - many people have views and things to say in support of decentralization - maybe there are simple things that could be done to support decentralization (like get users to choose their own block) while using pools to even out luck; or just encourage p2pool if it can take the load
04:15 < gmaxwell> adam3us: well that's the "coinbase only pooling" user chooses their own block, pooling only for the payment. But it needs some software work: A new GBT extension to say "send me only a coinbase", miner support to merge work from two sources, and poolserver work to accept shares. ... plus it's becoming increasingly hard to get miners to even run bitcoind/bitcoin-qt
04:17 < gmaxwell> (at least coinbase only mining would decouple the choice of policy from choice of income-pooling, even in a world where hashers were still blindly handing over their votes to quasianonymous parties on the internet)
04:17 < adam3us> gmaxwell: that latter thing i was thinking could be combated without a full node, eg get people to get a coinbase feed from someone else (anyone other than a pool)
04:19 < adam3us> gmaxwell: in principle picking a coinbase at random from non-pool entities could be better, though that is sybil attackable. eg why not pick one from a power user you know who is running a full node, that's far better than trusting a pool; and also i like encouraging that the client locally submit to disrupt selfish stuff
04:19 < gmaxwell> it could be, yes, it's still handing over control... but without the barriers to entry where we seem to always have a mining oligarchy due to the obvious improvements to variance from being with a large pool in a world where miners really have few objective things to guide their decisions.
04:19 < adam3us> gmaxwell: i wonder if people like pools like a form of team-play, leaderboard thing
04:20 < gmaxwell> yes, to some extent, though I think that has mostly passed. It was certainly a big thing in the pre-asic times.
04:22 < gmaxwell> adam3us: I think that a lot of the hashers are basically just "mental bandwidth limited" and are picking "safe" popular choices, and that's why you see them paying remarkably high fees. But I'm guessing. No one is studying this... and I'm not sure how you'd go about doing it.
04:22 < adam3us> was there ever a conclusion to the cex.io investigation of the double spend attack?
04:22 < gmaxwell> adam3us: they said they'd look into it, no further comments. Subsequently ghash.io dropped their fees from 3% to 0%.
04:22 < adam3us> (on the satoshi-dice clone)
04:23 < gmaxwell> Just keeping up with the hardware vendors, new products and which thing is the scam of the week could easily be a full time job.
04:25 < gmaxwell> (and ghash.io is the largest pool now, with 27.23% of the hashpower, though it's impossible to know how much of that is actually public miners vs just cex itself, or how much of CEX mining power is "owned" by the public, vs internally owned)
04:26 < gmaxwell> In other news, 50btc still claims to have 3.2TH/s, and I think they stopped paying people over two months ago now.
04:27 < adam3us> gmaxwell: so cex.io is both a hosted mining (with public ownership or lease) and a publicly accessible pool?
04:27 < adam3us> gmaxwell: 50btc LOL ha ha
04:28 < gmaxwell> Yea, so the same party owns cex.io and ghash.io. Ghash.io is their mining pool which is available to the public (via a somewhat unfriendly registration process that involves making a cex.io account)
04:29 < adam3us> gmaxwell: bitcoin .. like swift, but where half the federated nodes are run by people who don't care, don't read instructions, don't update software
04:30 < gmaxwell> cex.io is a large initially privately owned mining farm, which then created a trading market for selling hashpower to the public (and allowing the public to trade the hashpower between each other). In theory you can pay CEX to derack your hashpower and send you hardware, I'm not aware of anyone having done this. All cex.io hashpower is pointed at ghash.io.
04:31 < gmaxwell> adam3us: they might have cared but they just got scammed by three hardware vendors and are too busy rebooting their raspberry pis and praying that they'll break even.
04:31 < adam3us> gmaxwell: i am just thinking one could separate the luck pooling from the vote pooling. then any big players keen to disavow centralization could show statistics of where the vote is being used
04:32 < gmaxwell> adam3us: yes, that's the idea behind the "coinbase only pooling" I mentioned before. It's technically simple, just needs some software development, and perhaps some bludgeoning to convince pool ops that they should support it, and miners that they should use it.
04:32 < adam3us> gmaxwell: so terminology coinbase = the pool's reward address?
04:33 < warren> adam3us: coinbase tx pays out to any defined address(es)
04:33 < gmaxwell> Coinbase being the reward transaction.
04:33 < adam3us> gmaxwell, warren: ok
04:34 < warren> adam3us: I think only eligius and p2pool pay out directly to miners in coinbase tx
04:34 < gmaxwell> The idea is that the pool would just give you the transaction (plus flags for which modifications you were allowed to make to it), and you'd submit shares back.
04:34 < gmaxwell> Other pools have in the past, I'm not sure if any others do right now.
04:35 < adam3us> gmaxwell: well my way of thinking is to be aghast that the pool thinks it has any say - ie the block should contain the pool's reward addr (the coinbase) and the rest should be chosen freely by the miner :)
04:36 < warren> gmaxwell: did you already mention the huge coinbase tx issue?
04:36 < gmaxwell> sure, and it could have been that way today, except no one thought of it in 2010. ... back then the example protocol was getwork.
04:36 < adam3us> gmaxwell: i guess it's a transfer of the hashcash logic - the coinbase is the resource address, the rest is miner chosen
04:37 < gmaxwell> And a lot of miners even pool operators have only a very limited understanding of how this stuff actually works, so the idea that you could split up the decisions from the payment pooling was not obvious to people.
04:37 < adam3us> *** depressing state of affairs, tolerated with cynical dark humor by all
04:37 < gmaxwell> (or that you could make decentralized pools)
04:37 < gmaxwell> and now we have inertia _plus_ centralized systems are always easier.
04:39 < adam3us> i wonder if there could be an engineered dis-economy of scale, just enough to disrupt stupidity, centralized
04:39 < gmaxwell> adam3us: Well there is amiller's anti-cloud-hashing idea, but it's a bit rocket sciency, both economically and technically.
04:40 < adam3us> gmaxwell: it didnt quite work also if i recall
04:40 < nsh> (also in the sense that it uses rocket engines)
04:41 < gmaxwell> Amiller suggests that if the network would accept instead of a block you submit a zero knowledge proof that you know of a block at this position and would like to instead pay some other address. .. so anyone running a miner can trivially steal solutions.
04:42 < gmaxwell> I think it would "work" ... but it runs into problems like right now people happily give money to cloud hashing places without any evidence at all that the cloud place isn't robbing them blind.
04:42 < adam3us> gmaxwell: i wonder if momentum could work (the proof of work based on birthday collisions) we laughed at its failures but perhaps it is fixable
04:43 < adam3us> gmaxwell: seemingly a defacto proof that technical approaches have limited effect on the stupid or careless shall we say
04:43 < gmaxwell> e.g. amiller's design would totally kill pooled mining, with a possible outcome of all hashing being cloud hashing... because at least a huge centralized place has a reputation to protect.
04:47 < adam3us> so about momentum briefly. i could find no proper description of it but basically the idea is the entries in the memory table are themselves small proofs of work (25-bit?), and then the task is to find H(a)=H(b) and finally H(a,b) < target now i think the thing is the target is high enough that memory is filled quickly
04:47 < adam3us> (though i see no reason restricting memory)
04:47 < adam3us> otherwise it suffers from quadratic advantage in fast cpu & ram
04:48 < adam3us> as well as compact storage
04:48 < adam3us> (eg lossy storage like bloom filter to do a tmto to fit it into a gpu)
04:48 < gmaxwell> I'm not sure how this helps anything. I follow that you can probably set the parameters so that it doesn't create an advantage for being a larger hasher.
23:48 < midnightmagic> petertodd: they measured that which was measurable: mathematics improvements between entry and exit grades for schools
23:48 < midnightmagic> .. lol now now. the research they do is better than forming opinions in a vacuum
23:48 < petertodd> midnightmagic: ah, so they measured improvements, who had the higher scores exiting?
23:49 < gmaxwell> petertodd: not all opportunities are equal to all. I mean sure, some child of some inner city gang bangers could have traveled 4 mi to the nearest library with internet access back in 2010, and joined #bitcoin and written some bad poetry for a thousand bitcoin and be a millionaire now. But none did.
23:49 < midnightmagic> petertodd: public schools had greater improvements when comparing identical students with identical backgrounds.
23:49 < petertodd> midnightmagic: just as easily you can explain that as private school kids started off smart and couldn't be educated much farther, or more importantly, they had better things to do with their time than focus on math improvements
23:50 < midnightmagic> petertodd: nope. they selected those ones out
23:50 < justanotheruser> midnightmagic: are you saying that schools should be segregated by income?
23:50 < gmaxwell> justanotheruser: they are already segregated by income.
23:50 < midnightmagic> as much as it's possible to know such things, there's now basically zero reason to think private schools provide a better education
23:50 < justanotheruser> gmaxwell: they bus students from poor schools to rich schools in some states
23:51 < midnightmagic> justanotheruser: nope. i'm saying private schools are lying when they claim to provide superior education
23:52 < petertodd> gmaxwell: heh, well, OTOH I know a guy from nairobi who did something not unlike that... moral of the story is raw opportunities actually don't do much in the face of culture and parents, and those are likely strongly genetically related in many ways anyway.
23:53 < gmaxwell> okay, sure, I was also binning culture and parents in with opportunities. It's not like its your fault what parents you had.
23:53 < midnightmagic> yes. adoptions help a lot with those kinds of studies too.
23:53 < midnightmagic> pretty fascinating how much people seem to be screwed if born to poor parents.
23:54 < petertodd> gmaxwell: yup, my point being blaming "society" for that kind of thing is misguided - we already do a tremendous amount
23:54 < gmaxwell> ::shrugs:: part of creating an optimally successful society is providing the infrastructure that helps people achieve their capability even if they're born into a dysfunctional family (and help family dysfunction not exist).
23:54 < petertodd> midnightmagic: gee, might have something fundamental going on...
23:55 < midnightmagic> petertodd: yeah, probably not straight genetics. some is, but parentage makes up for a lot of that. i.e. the success breeds overconfidence false loop
23:55 < petertodd> gmaxwell: yup, and frankly I *do* think we do a very good job of that and it's hard to figure out how to actually do a better job of it in most situations. I also think our efforts, especially in schools, to further level the playing field are counter-productive - e.g. closing gifted programs in favor of yet more money at the lowest scoring percentile.
23:56 < midnightmagic> imo that kind of nonsense is b-s
23:56 < midnightmagic> closing gifted student programs?! wtf
23:57 < gmaxwell> well you are in canada. So perhaps things are better done there. :)
23:57 < midnightmagic> i'll let you know. i personally appear to be one of those weird outliers.
23:58 < gmaxwell> midnightmagic: "no child left behind" (a 2001 piece of education legislation and the resulting programs) in the US is often wryly referred to as "no child gets ahead"
23:58 < petertodd> midnightmagic: well, that's how the politics of it works. I know the people running the program where I lived then fought for years to keep it open, and always had to be very careful as to how it was portrayed - specifically they stressed heavily how the kids who were in the program statistically did *worse* than the general population for a lot of different metrics, such as university admissions.
23:58 < midnightmagic> lol
23:59 < petertodd> midnightmagic: basically anything to avoid looking elitist
23:59 < midnightmagic> smart kids need a challenge or their study habits are nonexistent. yeah that makes sense what you're saying.
23:59 < gmaxwell> Se also: http://en.wikipedia.org/wiki/No_Child_Left_Behind_Act#Effects_on_school_and_students
23:59 < gmaxwell> er see*
--- Log closed Wed Jan 15 00:00:03 2014
--- Log opened Wed Jan 15 00:00:03 2014
--- Day changed Wed Jan 15 2014
00:00 < petertodd> midnightmagic: heh, well with a challenge that was true too, but anyway :P
00:00 < andytoshi> gmaxwell: i can say from personal experience that public schools in BC are not run effectively, they are very much "no child gets ahead" and they were an absolute hell to get through
00:00 < midnightmagic> hehe
00:00 < gmaxwell> I know a number of _good_ high-school teachers who left teaching due to the effects of that legislation.
00:00 < petertodd> gmaxwell: can't blame them, that stuff is just depressing to deal with
00:00 < midnightmagic> andytoshi: you think so? i had the exact opposite experience in BC
00:01 < andytoshi> midnightmagic: i was in cloverdale, it is the cowboy town beside langley, they had no gifted programs
00:01 < midnightmagic> vancouver. interesting.
00:02 < andytoshi> midnightmagic: i finished every hs math class by the end of grade 9, then no more math. 'science' was watching bill nye videos and doing handouts, i was typically done the work for the day in about 15 minutes, then 6 hours or so of staring at walls
00:02 < midnightmagic> i was in the interior, they specifically pushed the smart kids into beneficial grade programs for university entrance.
00:02 < andytoshi> midnightmagic: eventually i found some good teachers who helped me game the system, and i got out 18 months early
00:02 < petertodd> andytoshi: ha, ironic how my highschool was an "inner city" one with a population of almost entirely recent immigrants, very poor, with significant gang violence and... I had a much better experience
00:03 < andytoshi> 2 years early* i stuck around to finish my phys. ed. requirements :P
00:03 < andytoshi> so i don't count that semester as hs
00:03 < petertodd> andytoshi: and then my brother was in a hs in one of the richest parts of the city, upper-upper-middle-class, and... actually lots of gang violence *in* the school, and shit academics.
00:03 < andytoshi> petertodd: fascinating
00:04 < andytoshi> there is a lesson here about anecdotal evidence i'm sure :)
00:04 < midnightmagic> my hs teachers did the optional calculus prep stuff. probably for my specific benefit actually, the rest of the kids were rolling their eyes.
00:04 < andytoshi> maybe we should apologise to midnightmagic for calling his sociologists stupid
00:04 < petertodd> andytoshi: hehe, toronto is not a good source of typical demographic data :)
00:04 < midnightmagic> lol a.k.a. my wife.
00:04 < midnightmagic> no apology necessary, it's a well studied phenomena.
00:04 < midnightmagic> er.. *non
00:05 < petertodd> andytoshi: over 50% of the toronto population wasn't even born in canada
00:06 < midnightmagic> well, without immigration our pop would be shrinking. :-)
00:06 < midnightmagic> would suck if canada died.
00:06 < andytoshi> petertodd: this is true of vancouver as well, though probably not in cloverdale where i was
00:06 < gmaxwell> Oh I GEDed out of school the moment it was permitted, in florida by statute the GED is absolutely equivalent to a highschool diploma you even get the same paper the normal graduates get. Was kind of a no brainer. I took the test cold two days after my birthday (earliest time offered) scored a 99th percentile. It was trivial stuff. ::shrugs:: I understand that it wasn't too uncommon to do this in the 70s but the schools fought ...
00:06 < gmaxwell> ... back against it with a bunch of FUD because it was draining them of their most academically capable students.
00:06 < andytoshi> oh, cloverdale is right above white rock, from silk road hitman fame :)
00:07 < andytoshi> so i'll stop saying 'near vancouver' here
00:07 < petertodd> andytoshi: what's the kind of immigrants that vancouver gets anyway? asia? middle-east?
00:07 < midnightmagic> andytoshi: i'm confident nobody thinks you're that guy lol
00:07 < midnightmagic> ha ha ha awesome
00:07 < midnightmagic> petertodd: asian, then east indian
00:07 < gmaxwell> I was impressed by the density of asian people in vancouver.
00:07 < andytoshi> petertodd: east asia, mostly china and philippines, then india
00:08 < petertodd> gmaxwell: sheesh, that kinda sucks that you were in a position where that made sense
00:08 < midnightmagic> richmond doesn't even have english signage in some places.
00:08 < petertodd> andytoshi: oh, interesting, toronto seems to get much more from the middle east
00:09 < midnightmagic> gmaxwell: how old were you re: GED?
00:09 < midnightmagic> (wife is curious)
00:09 < gmaxwell> 16.
00:09 < petertodd> andytoshi: OCAD had a *tonne* of Iranians for instance
00:09 < midnightmagic> nice.
00:09 < andytoshi> gmaxwell: that's awesome, i wish i had that option
00:09 < andytoshi> maybe i did, it didn't occur to me
00:10 < midnightmagic> i skipped a grade, grad'd at 17. skipping a grade was really horrible. not recommended.
00:10 < midnightmagic> petertodd: what's OCAD?
00:10 < andytoshi> petertodd: interesting, i've only met one iranian
00:10 < petertodd> midnightmagic: I think one of the things the gifted program did a good job at was giving kids reasons not to skip grades...
00:10 < midnightmagic> I love Iranians they're awesome
00:10 < petertodd> midnightmagic: http://www.ocadu.ca/ <- art school I went to
16:45 < amiller> it says that the inputs are all linked together because they're in the same wallet
16:46 < amiller> that really isnt true, coinjoin makes use of the fact that's not true, you can sign a tx if you know one of the txinputs without knowing the other keys
16:46 < amiller> nor is it the case that the output is linked to the input
16:46 < amiller> coinjoin relies on that too
16:47 < gmaxwell> Yes, this was written by someone who didn't know about CoinJoin
16:47 < amiller> the only advantage of this thing is the incrementalness and that's kind of irrelevant
16:47 < gmaxwell> As a pure anonymity tool I think this is not very helpful over coinjoin. Agreed.
16:48 < gmaxwell> it's a little helpful because its more loosely coupled.
16:48 < gmaxwell> But the anti-censorship, pro-relaying, and compression properties are potentially more interesting.
16:49 < gmaxwell> my reply points out that its not that interesting for anonymity.
16:49 < gmaxwell> "I'm glad to see someone with an aggregate signatures proposal. From an anonymity perspective, I believe a cryptographic approach is unnecessary, and they are very difficult to deploy, but still may be useful in the future."
16:52 < gmaxwell> amiller: one sort of annoying property is that in some cases this can't achieve anonymity as good as coinjoin!
16:53 < gmaxwell> E.g. all the users for this block join a coinjoin, they use a SMPC sort to distribute their requested output addresses among each other.
16:54 < gmaxwell> There is no way to achieve that level of anonymity with this one way aggregation scheme.
16:56 < gmaxwell> amiller: you could reply to that thread and point out they got the linking stuff wrong. :)
16:56 < amiller> *am already doing so*
16:58 < gmaxwell> (I didn't even notice, I'm so used to _everyone_ getting that wrong)
17:01 < jgarzik> http://io9.com/a-new-digital-world-is-emerging-thats-too-fast-for-us-1286428447
17:01 < jgarzik> The problem, however, is that this new digital environment features agents that are not only making decisions faster than we can comprehend, they are also making decisions in a way that defies traditional theories of finance. In other words, it has taken on the form of a machine ecology, one that includes virtual predators and prey.
17:01 < jgarzik> Consequently, computer scientists are taking an ecological perspective by looking at the new environment in terms of a competitive population of adaptive trading agents.
17:01 < jgarzik> "
17:03 < gmaxwell> jgarzik: did you ever see the textbook on amazon that was a billion dollars?
17:04 < jgarzik> heh, saw a screenshot
17:05 < jgarzik> one of the many Themes Garzik Harps On is that computer scientists should be looking at biology for models, theories, and correlations
17:06 < jgarzik> distributed computing, especially decentralized computing, is all about organic behaviors like herds, infections and inoculations, swarms, emergent behaviors, ...
17:07 < jgarzik> Just like human beings, they stop being purely predictable engineering systems behaving within set parameters and become organic feedback systems
17:08 < jgarzik> A really fun problem is decentralized auctions, eBay-style
17:08 < jgarzik> How to fairly handle the final few seconds of a real time auction?
17:09 < jgarzik> sniping is a DoS of sorts
17:09 < gmaxwell> yea, "don't hold that kind of auction"
17:09 < gmaxwell> if you do sealed bid auctions the problem goes away.
17:09 < jgarzik> or Dutch
17:13 * jgarzik wonders the name for this style of auction: wait X duration after last bid, then close auction. if someone bids, timeout clock resets to X.
17:18 < jgarzik> How to integrate bitcoin with a sealed bid auction, in a least-trust method? Is there any way to (a) prove you will spend the funds if you are the winner while (b) not spending the failed bids?
17:18 < gmaxwell> yes, make all the bid transactions conflict a single input. Only one can make it into the blockchain.
17:18 < jgarzik> Certainly an auction robot could accept bids, then refund the losers. Any way to avoid the robot stealing the funds from the failed bids?
17:19 < jgarzik> conflict?
17:19 < gmaxwell> They all spend input X.
17:19 < gmaxwell> (and other inputs to pay for their bid)
17:19 < jgarzik> seems vulnerable to griefing
17:20 < gmaxwell> easy to fix.
17:20 < gmaxwell> (I think).
17:21 < gmaxwell> The person selling the thing has 1 BTC. You are a bidder ... you write a transaction spending that 1 BTC and he signs for it.
17:21 < jgarzik> My naive scheme: robot announces "private key for 1 satoshi is $this" to channel, and everyone writes a transaction that spends a satoshi + their auction bid input
17:21 < gmaxwell> if the signature is a SIGHASH_SINGLE then he doesn't have to see your bid.
17:21 < jgarzik> but a griefer might just spend the bitcoin outside of the loop
17:22 < jgarzik> ah, duh
17:22 < jgarzik> no need to give out the private key, just have auctioneer sign it. understood.
17:23 < jgarzik> neat
17:23 < jgarzik> auctioneer announces the anchor transaction for the auction (the input everyone spends), and people bid from there
17:26 < jgarzik> This would be a fun demo to write. A little HTTP-based auction server, modeled after bittorrent trackers. Just keep track of abstract metadata on the auction, zero content (for privacy / deniability).
17:27 < gmaxwell> now a trickier thing to do is to make it into a secure _second price_ auction.. now that I don't know how to do. :P
17:27 < gmaxwell> (thats a sealed bid auction where the highest bidder pays the next highest price)
17:29 < jgarzik> I think the "bid-extends-timeout" solves the game theory motivation to DoS in the final seconds of the auction
17:30 < jgarzik> unfortunately, IIRC, bid-extends-timeout was also used on a couple notable click-lottery "buy a plasma TV for $75!" pseudo-auction sites.
17:31 < gmaxwell> I think either sealed bids or bid extends timeout solves the dos. sealed bids also discourage self dealing. (e.g. the seller bids up the bidders to try to get them to bid more, if he accidentally wins, oh well, no biggie)
17:32 < jgarzik> petertodd, I need to get a little demo website going, that helps people timestamp their SINs
17:32 < jgarzik> for a tiny fee, of course
17:32 < jgarzik> gmaxwell, good point
17:33 < jgarzik> gmaxwell, from my reading it sounds like sealed-bid and Dutch might tend towards a slightly lower final price than eBay style
17:33 < jgarzik> so economics might pull sellers towards ebay-style / bid-extends
17:34 < jgarzik> -EFAMILY. Might write that HTTP server tonight, hmmm :) *poof*
17:34 < gmaxwell> The economics wanks will tell you that the sealed bid second price auction is the optimal thing. They even gave someone a nobel prize for it.
17:35 < gmaxwell> But since I dunno how to make a direct bitcoin one of those... simpler is probably better. :P
17:59 < gmaxwell> This stanford pairing based crypto library is pretty nice.
18:30 < gmaxwell> Okay, I've successfully got that signature scheme working.
18:51 < maaku> jgarzik: except for some minor warts ebay is a Vickrey auction, which is ideal for both buyer and seller (the proof won Vickrey the nobel prize gmaxwell alluded to)
18:56 < maaku> jgarzik: you might also be interested in : http://www.eecs.harvard.edu/~shieber/Biblio/Papers/icec06.pdf
19:04 < gmaxwell> maaku: hm? how is ebay a vickrey auction? it's not sealed, the winner is the highest price and pays their offered price.
19:05 < nanotube> gmaxwell: nope. you can set a max bid of 1000, but you'll only pay a bit above second highest.
19:05 < nanotube> and nobody will learn what your sealed bid is, until you're outbid.
19:05 < gmaxwell> oh! of course, that proxy bidding makes it effectively second price (plus bid increment)
19:05 < nanotube> so you /could/ use it as a plain second-price sealed bid auction - just post your maximum, walk away.
19:06 < nanotube> that people don't and try to snipe and crap is just how people are. :P you don't have to join them.
19:06 < gmaxwell> maaku: nanotube: thanks, I didn't realize that before. (You can tell I haven't used ebay much ever and not at all recently)
19:07 < nanotube> mm :)
19:07 < gmaxwell> okay, well, I dunno how to do that with bitcoin without a trusted party or non-trivial multiparty computation.
19:07 < gmaxwell> a simple auction where people throw out bids and only one happens is easy however.
19:08 < nanotube> what's your scheme, briefly, for doing the latter
19:10 < gmaxwell> nanotube: Alice holds an auction, alice advises everyone of some bitcoin she holds and an address to pay to. You want to bid. You write a transaction spending some of your coins and alice's coin that pays to alice (and if any chance back to you). You sign it and give it to alice.
19:10 < gmaxwell> all the other bidders do the same.
19:10 < gmaxwell> When alice gets bored, she signs and announces the transaction.
19:11 < nanotube> ah, cute! and obv there's no way to force alice to sign second highest bid rather than highest....
19:12 < gmaxwell> well you want the highest bidder to pay the second price. :P
19:12 < gmaxwell> it's easy to do with a semitrusted oracle.
19:13 < gmaxwell> e.g. Oscar the observer watches the bids and his signature is required for the auction to be completed.
19:13 < gmaxwell> and then oscar can enforce whatever rules he likes.
19:13 < nanotube> well, the good part is that theory says (as i recall) that the expected proceeds are the same from a second price or a first price auction
19:13 < gmaxwell> I thought first price encouraged bidders to underbid?
19:13 < nanotube> in expectation, in a second price auction people have the incentive to bid their true value. in first price, bidders shade their bids
19:14 < nanotube> but "on average" they should produce the same outcome, price-wise
19:14 < nanotube> at least if i recall my auction reading correctly. been a while :)
16:11 < andytoshi> nsh: you can always study set theory if this dichotomy bothers you ;)
16:13 * nsh smiles
16:14 < nsh> (set-theoretical approaches, e.g. fuzzy logic, are still fundamentally predicated upon bivalent membership identity, and can do more than concealing the dichotomy at a lower level of analysis)
16:16 < nsh> (a really non-binary system of logic has values that are qualitatively different to truth and falsity, rather than shades of the two)
16:18 < andytoshi> i meant, you can reject the law of excluded middle and do logic that way..
16:19 < andytoshi> i don't know what field those people claim to be part of
16:19 < andytoshi> without making any claims as to what's in the middle
16:20 < andytoshi> hmm, you're still right, it's either true or not --- and false or not
16:20 < andytoshi> perhaps you should study zen then
16:24 < nsh> it's not just the law of the excluded middle. that's one pillar of bivalence. the other is the law of non-contradiction. every A is A, no A is not-A
16:25 < nsh> it's difficult to imagine a system without the law of non-contradiction. whether this is a reflection of a universal truth [sic] or a result of our historical mathematical/logical/linguistic enculturation is an open question :)
16:25 < jtimon> A + 0 = A, A + 1 = 1
16:27 < andytoshi> you don't need much in the way of axioms for a single contradiction to imply every statement is true..
16:28 < andytoshi> so it's definitely baked pretty hard into historical logic
16:28 < andytoshi> i'm not familiar with the attempts to fix this non-robustness
16:29 * nsh nods
16:31 < nsh> there is a body of work due to Lukasiewicz but it's accompanied by an unfortunate tendency of later thinkers to reduce it back to bimodality
16:33 < nsh> More recently A. S. Karpenko. it's my occasional hobby to casually read up on it, but more slips past me than sticks, as with most matters
16:35 < nsh> discussed in some detail here: http://www.oocities.org/m_valuedlets/tranche4.html but unless you have predilection to wading through schizoform word salad it might not be much use to you :)
16:36 < andytoshi> 'fraid not :)
16:36 < nsh> fair enough
16:52 <@gmaxwell> pigeons: I thought beertoken was backed by some promise to deliver beer (not just one bottle, but some larger quantity as set by some kind of board or something)
16:59 <@gmaxwell> jtimon: I've seen a number of pretty concerning technical behaviors from coinbase, so I'd believe any random thing.
17:58 < pigeons> gmaxwell: there wasn't a beertokens committee, it was just steve, and yes like all these things from silver certificates to mtgox usd it ultimately comes down to a promise
17:58 < pigeons> the promise was to redeem each beertoken for one bottle of a specific type of beer that steve liked and was common in thailand where he lived
17:59 < pigeons> but he didnt buy the beer and refrigeration and storage, he backed it with bitcoins, which brought up a problem as bitcoins decreased in value a lot from when he set them aside
17:59 < pigeons> he ended up buying more coins to make up the difference
18:01 < pigeons> and guys, BigDataBorat says "My contact at Coinbase say use of MongoDB strictly for reason of give client plausible deniability."
18:01 < pigeons> https://twitter.com/BigDataBorat
18:01 <@gmaxwell> what the heck does that mean?
18:02 < pigeons> "Estimate of MongoDB's value vary, one replica say $700m, one replica say $1.2 billion, one replica say 1.5 billion."
18:02 <@gmaxwell> "when we stole all the coins we could plausibly deny it being theft?"
18:02 < pigeons> yes that's what it means
18:03 < Luke-Jr> lol
18:04 < nsh> hi orperelman. i liked your work on the poincare conjecture
18:04 < nsh> thanks for inventing bitcoin :)
18:05 < nsh> (i'm not personally sure ricci flow with surgery is a valid technique, but i'm not a topologist)
18:48 < maaku> andytoshi: isn't that constructivist math? (removing the law of excluded middle)
19:06 < andytoshi> maaku: yeah, that's the name for doing mathematics that way (e.g. rejecting proofs by contradiction)
19:07 < andytoshi> there are subsets of logic (which i have ~0 knowledge of) which do things like fuzzy logic and try to make this concrete
19:08 < andytoshi> my girlfriend was into constructivist math for a short while, not believing in anything that wasn't computable
19:08 < andytoshi> but it's nearly impossible to do a lot of classical mathematics that way
19:22 < nsh> depends how you define "doing mathematics"
19:22 < nsh> :)
19:23 < nsh> as a pursuit of noble platonic truths, or as a means towards solving practical problems...
19:24 < nsh> i'm not sure there are many engineering artifacts that are based predominantly on an existential proof
19:24 < nsh> hmm, not so sure, now i think about it a bit more
19:53 <@gmaxwell> they're not unrelated.
19:53 <@gmaxwell> if you find some totally abstract "noble platonic truth" it can be a bridge that solves a practical problem.
19:53 * nsh nods
19:55 <@gmaxwell> e.g. there is a bunch of NP proof stuff where you can show a proof system is sound by reducing it to a 2d graph coloring problem, and then show that if the system is unsound it would contradict four coloring, which otherwise is kinda useless trivia.
19:56 < nsh> right, came across that recently in a talk, funnily enough
21:44 < maaku> but ultimately you have to reduce it to be constructivist to enter the realm of engineering
21:45 < maaku> e.g. if you look at real numbers constructively, you get this funny thing called numerical analysis ...
21:47 < nsh> analysis was pretty practical when it came to aiming cannon :)
21:48 < nsh> computers are still named after the art of ordnance in french...
21:55 < nsh> (philosophically, it fascinates me that the assumption of the continuum, even though actual algorithmic infinities are avoided, yields such powerful results in analysis. we can calculate things in continuous sets that would suffer combinatoric explosion over discrete structures...)
21:56 <@gmaxwell> Stirling's approximation <3
21:57 < phantomcircuit> wtf
21:57 <@gmaxwell> being able to answer questions like from an infinite distribution of 50/50 true/false how likely is it you'd draw 30 and get 5 true... answering it combinatorically is impossible.
21:57 < phantomcircuit> i just noticed google wallet is still using checkout.google.com
22:00 * nsh nods
--- Log closed Sun Dec 22 00:00:17 2013
--- Log opened Sun Dec 22 00:00:17 2013
03:36 < Emcy> ccc.de tls 1.0 1024bit rsa
03:36 < Emcy> and my browser doesnt trust the CA anyway :/
03:37 < Emcy> "Besides the usual digital infrastructure with Wifi, telephone etc., 30C3 will feature for the first time a pneumatic tube system, with the pretty name Seidenstrasse."
03:37 < Emcy> wut
03:39 <@gmaxwell> oh fun, something BIP32 like cannot be used with ed25519.
03:40 <@gmaxwell> or rather, not with standard implementations.
03:40 <@gmaxwell> they rig the multiplier so that the most significant bit must always be 1.
03:41 < Emcy> whats ed25519 again
03:50 < maaku> Emcy: DJB's crypto
03:51 < maaku> gmaxwell: can ed25519 be easily modified to make it work?
04:06 <@gmaxwell> maaku: the curve is fine, the constant time multiplier implementation
04:21 <@gmaxwell> y'all see the deck of cards secret key agreement thing? brilliant.
04:24 <@gmaxwell> Take a regular deck of cards. Shuffle it. Then split the deck in half. I give you one half, I take the other. Tada. We now have a ~51 bit shared secret: each card either ended up with you or me (we lose a bit from the definition of who is 1/0 being arbitrary)
04:31 < maaku> gmaxwell: yeah i posted in the armory thread that a shuffled deck of cards makes a good inconspicuous private key
04:31 < maaku> and 51 bits for a shared secret is plenty good enough for many protocols
04:33 <@gmaxwell> maaku: damn, and when I moved I think I tossed a box with like 50 decks of cards in it. (marketing swag from my prior employer, two corporate brandings old)
04:33 < maaku> if i ever worked border security, i'd shuffle any deck of cards I come across
04:33 <@gmaxwell> the shuffling isn't required!
04:33 <@gmaxwell> if you split a deck then just membership in one person's side or the other is the data! not the permutation!
04:36 <@gmaxwell> works with two decks too. e.g. take two decks shuffle and split. then membership in one side or another is the key though you lose quite a few bits there due to dupes. (e.g. log2(3^52)=82.4 minus 1 bit for parity... three states, because both cards ended up on one side, or both on the other, or each person had a card)
04:37 <@gmaxwell> and the permutation doesn't matter.
04:39 <@gmaxwell> the bummer is that cards aren't printed on both sides. if they were inputting your key would be easy: just spew the cards out on a table and take a picture.
04:47 < maaku> gmaxwell: reverse the orientation of one deck
04:48 < maaku> or use different colored back
04:52 <@gmaxwell> yea, that gets you some more bits, but I guess it's not so hard to place all the cards face up for photographing.
04:55 < petertodd> also worth considering that there are tonnes of common games in card format that can be used for this stuff, IE magic the gathering cards have well-defined "multiverseid's" worth at least a few bits each, and a deck's contents can be turned into the key based on a sorted list of all such card ids
04:55 < petertodd> though the border guards would probably be wondering why a guy as cool looking as myself has MTG cards; I'd have to explain it was for a friend
04:56 <@gmaxwell> petertodd: the thing that I found neat was just that you could convey so many bits by which side got the card, and be completely robust to ordering
04:57 <@gmaxwell> it means that I can keep a stack of sealed cards in my bag. meet you, totally unprepared, open the cards shuffle split, and we walk away with a relatively easily entered shared secret that doesn't look too conspicuous
01:33 < andytoshi> so if we can efficiently loop through these partitions we can brute-force the problem from here ... provided we have fewer than, say, 45 inputs and 45 outputs
01:33 < gmaxwell> there is probably some trivial greedy preprocessing that can be done.
01:34 < gmaxwell> Obviously you should merge all inputs with the same scriptpubkey and all outputs with the same scriptpubkey.
01:34 < gmaxwell> and force any input/output pair with the same scriptpubkey to be connected, perhaps, (e.g. just remove the output and deduct the input)
01:35 < andytoshi> oh, this is true .. coinjoin already merges outputs, but it doesn't have knowledge of the inputs
01:35 < gmaxwell> well your coinjoin does, but of course I was thinking in terms of an abstract tool that could be run on any transaction.
01:36 < CodeShark> are we talking generalized coin selection optimization?
01:36 < gmaxwell> then there may be other outputs which are forced which I think can be found in a greedy way.
01:36 < gmaxwell> hm.
01:36 < CodeShark> or is this some specific problem?
01:37 < andytoshi> CodeShark: we are looking at "given some transaction, what is the maximum possible number of participants?"
01:37 < gmaxwell> CodeShark: no, talking about taking a transaction and identifying the maximum number of coinjoin participants under reasonable constraints.
01:37 < gmaxwell> (reasonable constraints like the CJ participants not giving away their money)
01:38 < gmaxwell> CodeShark: e.g. what is the largest plausible number of participants in this transaction: https://blockchain.info/tx/a0350aa856b77edeaa08ae9df5047855d487c40490d11713461d200ea70b09c6
01:39 < CodeShark> so the minimum is obviously one, the maximum is the number of inputs with distinct redeemscripts, yes?
01:40 < andytoshi> well, if there are fewer outputs than inputs, then the total number of outputs could be the maximum
01:40 < gmaxwell> CodeShark: nah, because there may be no plausible flow. For example, say you had 10 distinct inputs.. and 1 output. There is only one participant (under reasonable constraints)
01:41 < CodeShark> ok, so maximum = min(distinct input scripts, output scripts)
01:41 < gmaxwell> nah, because if you constrain them to not throw away values you must look at the values.
01:42 < andytoshi> no, there still might not be a plausible flow .. eg if there are 10 inputs and 10 outputs
01:42 < gmaxwell> Say you have 50,.5,.5 in and 25,25,1 out.
01:42 < andytoshi> and one input is massive, all the others are 0.1, and every output is 0.2
01:42 < gmaxwell> In that case you have a maximum of 2.
01:42 < CodeShark> right, my bounds were very weak
01:43 < gmaxwell> yea, you're giving loose bounds, we want the tight maximum bound. As its a measure of privacy the coinjoin provides.
01:43 < andytoshi> it would be nice if 1 wasn't always plausible :)
01:44 < andytoshi> even a lower bound would be useful if it was nontrivial
01:44 < CodeShark> what if we simply required all inputs to be the same value? then each participant would first have to create outputs of specific denominations
01:44 < CodeShark> and join a transaction of a particular denomination
01:44 < gmaxwell> 1 being plausible is good because its also what makes ordinary txn look potentially like CJs. :P
01:44 < CodeShark> yeah, ok :)
01:45 < andytoshi> CodeShark: well, that makes CJ's stand out, and it's also easy to work around by just going back one layer in the transaction dag
01:46 < gmaxwell> andytoshi: hm. interestingly, I think the maximal maximal count may not always have the highest entropy!
01:46 < andytoshi> and then you've even got free association information from the homogenizing transactions
01:46 < andytoshi> gmaxwell: that is interesting, and that feeling is why i don't think we can do this 100% greedily
01:46 < andytoshi> but for me, for now, it is just a feeling ..
01:48 < CodeShark> I'm not even entirely clear on coin selection optimization within a single wallet, let alone coinjoin :p
01:48 < andytoshi> well, coin selection (to evade this analysis) is an even harder problem, i think
01:49 < CodeShark> if we want coinjoin to be obscure, we want it to mimic typical coin selection strategies for common wallets
01:49 < gmaxwell> can't goals are to different, instead wallets should mimic coinjoins. :)
01:49 < gmaxwell> s/to/too/
01:49 < gmaxwell> coinjoins can't be fully obscure simply because >2 outputs are rare.
01:51 < CodeShark> yeah, true - and while there's a good use case for sendmany from servers, for typical interactive users, these use cases are more rare
01:52 < gmaxwell> andytoshi: e.g. there may be some mapping that gives you N users but is unique, e.g. only 1 N user path between inputs and outputs. But then there is some <N mapping where it is non-unique.
01:53 < andytoshi> oh, fascinating
01:53 < andytoshi> what on earth can we say about that?
01:53 < andytoshi> about its anonymity*
01:54 < gmaxwell> well for a coinjoin over all you could just count all plausible mappings (for all possible N) and the coinjoin's entropy is log2(that).
01:55 < gmaxwell> e.g. 50,.5,.5 in and 25,25,1 out has an entropy of 1 bit.
01:55 < andytoshi> hmm, if that is the most useful metric then it saves us the trouble of doing all this optimization
01:56 < gmaxwell> I dunno that it does, because you still have to reject implausible mappings.
01:56 < andytoshi> if we loop over every possible mapping, that's easy, just a bunch of addition
01:57 < gmaxwell> Finding the maximum N is just a subset of the problem.. it's just the highest N for which there remain any plausible mappings.
01:58 < andytoshi> yeah, but we can use a weak upper bound for N in this case
01:59 < andytoshi> i wonder if we want to compute something sharper: the entropy of the individual outputs
01:59 < andytoshi> (it's really not clear to me how to define that)
02:00 < gmaxwell> the interesting thing about output entropy is that it's not independent.
02:01 < gmaxwell> e.g. output X could have come from input 2 if and only if output Y didn't.
02:02 < andytoshi> we can arrange these possibilities in a giant decision tree, and compute some sort of entropy on that..
02:03 < andytoshi> there is also something called mutual information
02:03 < gmaxwell> I guess measuring per output has some useful properties.. since in a wallet you'd want to know e.g. which of your inputs are tainted.
02:03 < andytoshi> http://mathoverflow.net/questions/88364/is-this-a-situation-where-triple-mutual-information-is-always-non-negative
02:04 < gmaxwell> andytoshi: I'm trying to come up with a "conservative" version of it which isn't trivial.
02:04 < andytoshi> (this was a question my supervisor asked about whether he could apply some tool called 'diversities' (i have a single-author paper on the analytic properties of these) to computing mutual information
02:04 < gmaxwell> E.g. assume the attacker knows "a lot" about the other outputs, what is your entropy. The problem with that is that the obvious form of a lot is "knows all the other outputs" in which case the entropy is 0
02:05 < andytoshi> now, what this tells you is that "all the other outputs" is strongly coupled to your output
02:05 < andytoshi> maybe you want to know, how strongly are my various outputs coupled to each other?
02:06 < gmaxwell> andytoshi: mutual information is just the joint entropy minus the conditional entropies.
02:07 < gmaxwell> andytoshi: well I'd like to be able to answer how tightly my keys (inputs or outputs) are coupled after a transaction. So that I can decide to group the keys and freely merge them in future txn if they are too tightly coupled.
02:07 < nsh> hmm
02:08 < andytoshi> yeah, so this is a more useful thing to wonder about than "how tightly coupled are all the outputs of this specific transaction"
02:08 < gmaxwell> interestingly, even when paying someone without coinjoin the number of players is 2 and we can talk about the coupling in the change output(s).
02:09 < gmaxwell> though the most entropy we can have in a single output when there are only two players is 1 bit.
02:10 < andytoshi> here is a selfish question: if we take the definition of diversity from page 2 of http://arxiv.org/pdf/1307.1897.pdf , can we describe this coupling as a diversity?
02:10 < andytoshi> (it is selfish because if the answer is yes, then i can perhaps finagle a publication while still doing something useful for bitcoin)
02:12 < andytoshi> describe some measure of coupling*
02:13 < gmaxwell> I must confess, the first sentence of the abstract triggered turboencabulator-detection for me.
02:14 < gmaxwell> ( https://www.youtube.com/watch?v=rLDgQg6bq7o )
02:15 < andytoshi> hahaha
02:16 < andytoshi> what is meant by that claim is, "this is used by biologists for some tree-calculation something", which is true but not anything i know anything about
02:16 < andytoshi> i admit, the core of that paper is almost cartoonishly "mathematicians inventing problems for no reason except to have fun solutions"
02:19 < andytoshi> but here is a paper relating this stuff to flow problems: http://arxiv.org/abs/1312.5408
02:19 < andytoshi> so i am not blowing smoke when i suggest that it's applicable :)
02:20 < gmaxwell> I think for any of this stuff you could imagine some hypothetical 'mixer' with perfect knowledge of the inputs to output mapping, and just measure the entropy of his knowledge. It gets more interesting when you consider graphs with many coinjoins.
02:20 < gmaxwell> esp if the many coinjoins are not wired up like a switching network, so that the inadmissibility of multiple inputs later deanonymizes earlier coinjoins.
02:20 < andytoshi> yeah, i think that's the most useful thing for the joiner itself to output
02:21 < andytoshi> but if, for example, some output always winds up matched to a certain input, the owner of that output would like to know this
02:22 < gmaxwell> yea. indeed. though at least that can be solved purely locally.
05:59 < gmaxwell> I mean, I think I now have a mental model to predict miner behavior somewhat... which mostly seems to work. But it basically starts with the premise that miners are uninformed and somewhat lazy. When they try to get informed they get overloaded quickly.
05:59 < warren> I haven't been paying attention to the Bitcoin pools. The first and only bitcoin pool I ever used was p2pool. The issue preventing Litecoin pools from spreading hashrate out more is there is a tiny quantity of competent pool operators capable of keeping their software secure against exploits and robust against DDoS attacks.
06:00 < warren> There existed a few massive pools in the past who killed themselves with a payout bug
06:01 < warren> and a few just don't recover from a DDoS attack
06:01 < gmaxwell> The algorithm for selecting a pool looks like: look at the pie chart on bc.i. Compare a couple of the biggest pools. Find nothing really distinguishing between them, pick the largest.
06:01 < warren> The survivors could be behind killing their competition. We have no way of knowing.
06:02 < adam3us> its puzzling indeed that there appears no model to get financing for core dev work that must happen for bitcoin to progress, despite there being $3b resting on it
06:02 < gmaxwell> p2pool almost doubled in size in the weeks following convincing bc.i to stop hiding p2pool on their chart.
06:02 < warren> percentage wise of global hashrate, how much did it peak at before?
06:02 < adam3us> gmaxwell: cant people run multiple independent instances of p2pool to scale it?
06:03 < gmaxwell> adam3us: sure, actually in the past some people have run it privately. But there shouldn't /need/ to be multiple ones to scale it.
06:03 < warren> adam3us: Litecoin Dev raised $xxk in donations, we're spending a portion of that on various things, mostly security related development that could benefit Bitcoin too.
06:03 < adam3us> (you guys should be sleeping btw:)
06:03 < warren> I know =(
06:04 < adam3us> warren: esp you if youre in hawaii
06:04 < adam3us> but yeah about dev its really rubbish and disappointing the rate of progress and funding ..
06:05 < adam3us> eg colored coin i thought has a lot of potential and yet the progress has been really slow; there are some people trying to get professional funding now (company, biz plan etc) so maybe that'll create something open
06:06 < gmaxwell> the people getting funding are doing mostly terrible things, see also: mastercoin
06:06 < warren> https://bitcointalk.org/index.php?topic=320695.0 <---- Bitcoin 0.8.5 + Litecoin 0.8 patches (minus the litecoin protocol)
06:06 < adam3us> (though coloring in a way that creates bitcoin dust is something i am not keen on; must be a better way to do it with side-chains if they just thought about it)
06:06 < gmaxwell> adam3us: thinking gets in the way of spending time on posts and fundraising. :)
06:06 < adam3us> warren: that is bitcoin omg link? yes i was hyped when i saw that
06:06 < warren> gmaxwell: omg, and quite a lot of funding with zero code
06:07 < gmaxwell> warren: I liked it when I asked them to use OP_RETURN instead of their garbage addresses and got told that they couldn't because they were currently creating all their mastercoin transactions by hand in a bc.i web wallet.
06:07 < adam3us> mastercoin, yes that was terrible, and it surely will fail because of the negative regard people will hold the premine in
06:08 < gmaxwell> (I stopped complaining in public about it at that point... "okay, this is going to fail on its own")
06:08 < TD> i concluded that ages ago
06:08 < TD> the whitepaper was nonsensical
06:08 < warren> gmaxwell: they tried to hire me to work on client software. I told them to do the majority of their crap off-chain...
06:08 < adam3us> but they actually got money in a way which is disreputable
06:08 < adam3us> and yet the people doing reputable things seemingly do not
06:08 < gmaxwell> yea I ignored it initially because the whitepaper was nonsensical, then I suddenly started seeing lots of dust transactions on the network, and went searching for the cause.
06:09 < adam3us> so this is going to drive more disreputable things unless msc crashes and burns
06:09 < TD> it seems to hit the sweet spot where it seems technically credible enough to pull in a lot of suckers, but not quite credible enough to actually work
06:09 < warren> TD: pets.com
06:10 < TD> lol
06:10 < gmaxwell> adam3us: yea, look at all the altcoins (not even talking about ltc here, the zillions of other ones)... some of them have managed to monetize pretty well on the exchanges with patches that did little more than change the name of the software... its really depressing.
06:10 < adam3us> TD: to my reading the msc paper was a list of noble aspirations with no indication of how or even if they could be achieved technically, plus the disreputable invest now for big discount, limited time offer like say timeshare sales
06:11 < adam3us> the protoshares by bitshare is barely better
06:11 < gmaxwell> Or _usefully_ achieved technically. E.g. "p2p replacement for mtgox!" uhhhh..
06:11 < TD> i try to stay positive. what this shows is there's tremendous demand for cryptocurrency technology that works
06:12 < gmaxwell> s/ that works//
06:12 < TD> yes. but there's even more demand for stuff that works!
06:12 < gmaxwell> There is a tremendous demand for promises of future riches.
06:12 < adam3us> pts are not even anything, just a bitcoin alt-coin as a place holder until / if they finish coding their bitshare system, with a promise that you own 10% of bitshares, but they screwed up their params almost as badly as terracoin and mined 1/4 of issue in 1 week that was designed to take 3months
06:12 < gmaxwell> Something which works but due to honesty and understanding can't promise future riches... not clear there is much demand.
06:12 < TD> yeah. well. that's certainly one possibility.
06:13 < adam3us> TD: i am not sure, i had a look at the pts irc channel and it seems most of the miners had no clue why or what it is, they just wanted in early in case it went somewhere
06:13 < TD> i think people get hyped due to second order effects though. "i want this cool tech because it will make bitcoin more useful and thus more valuable"
06:13 < TD> but it's MUCH harder to build it than just promise the moon
06:13 < adam3us> the guy bytemaster? bitshares cto - was slapping out unsigned binaries on non SSL - very scary
06:13 < gmaxwell> TD: both bitshares and mastercoin have directly traded on that thinking even where it made no sense.
06:14 < gmaxwell> (claiming that they were enhancements to bitcoin, where in the case of esp bitshares I am unable to find any relationship with bitcoin at all except them exploiting the name in their marketing)
06:14 < adam3us> gmaxwell, TD: oh yes and when pts params failed, they put out misleading info saying you HAD to upgrade under some threat to a massively revised param set; if the users had clues they'd have forked the code and said no
06:15 < gmaxwell> adam3us: well realsolid already proved that what you can get away with is nearly boundless. An amazing history there that you missed.
06:15 < TD> yes these schemes are just ridiculous
06:15 < TD> what i mean is that whenever i go to a conference, i get mobbed by people asking "where's the contracts apps"
06:15 < adam3us> seems to me it'd be nice to get i dunno some salary equiv to what y'all can pull in industry to sit in a bitcoin lab not-for-profi
06:16 < gmaxwell> (guy created an altcoin and kept revising the rules over and over again, ... making me pretty much convinced it was an experiment in how disreputable you could make a cryptocurrency and still have users)
06:16 < TD> so i mean there's definitely a population of people that isn't just bandwagon jumping but _really_ want to see all the cool exotic features that were discussed come true
06:16 < adam3us> which'd take say $5mil/year or something to hoover up the top brains and make somewhere nice for them to work
06:16 < warren> adam3us: "slapping out unsigned binaries on non SSL - very scary" ... like cgminer!
06:16 < TD> a big part of mastercoin's marketing is claiming that the reason bitcoin doesn't have $FEATURE is that the core developers are too conservative, scared, not well funded enough, whatever
06:16 < TD> and that mastercoin resolves this problem thus bringing such features faster
06:17 < TD> warren: cgminer is AFAIK detected as a virus by now, by most AV systems :(
06:17 < gmaxwell> TD: except, you know, $FEATURE, seldom needs anything in core software.
06:17 < adam3us> TD: yes this is why i keep harping on about bitcoin staging
06:17 < TD> yes, all this stuff is obvious to us, but much less so to other people
06:17 < adam3us> and why i was psyched to see warren made a step towards it with bitcoin omg release :)
06:17 < warren> toward what?
06:17 < adam3us> bitcoin staging could keep the rapid dev within the bitcoin brand
06:17 < TD> luke used to maintain a "bitcoin next". dunno if he still does
06:17 < adam3us> bitcoin staging
06:17 < gmaxwell> And even if it did need it, you can test it without deploying it.... of course that requires writing something, or even figuring out in detail how it might work.
06:17 < adam3us> hmm link?
06:18 < gmaxwell> Luke still does.
06:18 < warren> adam3us: it isn't really staging, it was "I put all this work into litecoin, might as well make a bitcoin client"
06:18 < TD> gmaxwell: the good news is, someone stepped up to take over PayFile from me last week, and he seems to be credible - has already produced pull reqs. so I am hoping that quite soon we will have perhaps the first easy to use gui micropayments (contracts) based app
06:18 < TD> that people can actually download real binaries of, run, and use for something useful
06:18 < adam3us> i know but apart from the peg mechanism you did the work that i thought would need to be done
06:48 < TD> you mean, working on scalability, other than maintaining an entire SPV implementation ... :)
06:49 < petertodd> the real problem there is "worse is better" and things like inputs.io already exist, so even incremental improvements become hard
06:49 < petertodd> adam3us: meh, you can audit off-chain stuff easily.
06:49 < adam3us> petertodd: right, i think its pressing problem even if bitcoin scales for a few years, because momentum "good enuf" will push everyone onto inferior centralized solution
06:49 < petertodd> adam3us: again, an auditable, decentralized base is what you build on.
06:50 < adam3us> petertodd: right, but how
06:50 < petertodd> adam3us: yes, either "good enough" will be the worst possible off-chain solutions with no auditing at all, or SPV clients with no auditing of the blockchain and a small number of centralized full-nodes/miners
06:51 < adam3us> petertodd: if coinbase and 20 more like them rule 99.99% of tx in a few years, and they settle between them on the block chain at $1mil at the end of the day.. how is that bitcoin
06:51 < petertodd> adam3us: at least with the former you can bolt-on auditing at any time
06:51 < adam3us> petertodd: they'd just as well settle with a wire transfer
06:51 < petertodd> adam3us: simple example, you can audit that backing funds exist with merkle sum trees
06:51 < adam3us> petertodd: agree, auditability is good
06:51 < petertodd> adam3us: heck, have you read any of my fidelity bonded banking stuff? not only can you audit, you can punish fraud
06:52 < petertodd> adam3us: that's bitcoin because for $10 or $100 or whatever it ends up being you can pay that tx fee too and have equal access that anyone else does.
06:53 < adam3us> petertodd: alternatively you can add auditability to banking networks, they probably will at some point as its more secure than firewall and fiat balance in a db - at that point its all the same thing
06:53 < petertodd> adam3us: Bitcoin isn't about making things *free*, it's about making barriers to entry be based on proof-of-work and nothing else.
06:53 < adam3us> petertodd: i think what you lose is the bearer / ecash property
06:53 < petertodd> adam3us: auditability is much less interesting than decentralization of control
06:53 < adam3us> petertodd: agreed
06:54 < petertodd> adam3us: the issue isn't banks committing fraud, it's banks committing *legal* fraud. Everyone knows currencies are inflated, it's not a secret.
06:54 < adam3us> petertodd: i made a claim that ecash is not ecash unless its irrevocable and unseizable/unfreezable
06:54 < adam3us> petertodd: and i'm more interested in ecash than ripple iou networks which are just papalizing banking networks and will revert to form in 5 years
06:55 < petertodd> Well, worst case with 1MB blocks forever and the dumbest possible off-chain solutions is that you can make your savings irrevocable and unseizable/unfreezable. That's pretty damn good.
06:55 < petertodd> With fidelity bonded banking, your savings are much harder to revoke or seize, because the moment you do so you can prove to the world that has happened, and the world can choose to go to another bank.
06:56 < adam3us> petertodd: yes two things: digital scarcity is a new commodity class, and separately ecash is better than a claim on a balance on a server with its bitcoin denominated or usd, block chain audited or not
06:56 < petertodd> Right, but the onus is on you to figure out how you can have your cake and eat it too, because in its current form Bitcoin is fundamentally unscalable. The "solutions" to scalability are all to introduce more centralization.
06:57 < adam3us> petertodd: are you sure your funds are unseizable in a $10k dust rule network with coinbase model? you dont even have your private key...
06:57 < adam3us> petertodd: what if you dont have enough funds to pay the min fee
06:58 < petertodd> adam3us: The first $10k of your funds got seized, but your other $100k didn't. That's a huge improvement over the whole lot being seized because Bitcoin mining has long since become a regulated activity with blacklists.
06:58 < adam3us> petertodd: "The "solutions" to scalability are all to introduce more centralization." yes so far and that is a negative and worrying trend for bitcoins meaningful continued existence
07:00 < adam3us> petertodd: i thought chris odom opentx model showed promise as a direction; his voting pool tx servers are auditable and rebuildable by users using the sum of the tx receipts they receive
07:00 < petertodd> BTW, lets suppose Bitcoin is worth 100 trillion, and 1% of that amount every year goes to miners in the form of fees. That works out to $20/kilobyte transaction fees, rather affordable!)
07:01 < adam3us> petertodd: not bad, but how many Gbps is a full node feed ;)
07:01 < petertodd> no, I'm saying we keep 1MB blocks in that example.
07:02 < adam3us> petertodd: probably need satellite network for global broadcast or the interwebs will melt with many full nodes
07:02 < petertodd> Why?
07:02 < adam3us> petertodd: n^2 everyone on the planets cup of 2nd cup coffee
07:03 < adam3us> petertodd: whats the famous canadian coffee shop? maybe it was timhortons ;
07:04 < adam3us> petertodd: clearly it can scale to some extent but its less interesting if its a clearing network than a direct user network
07:04 < petertodd> oops, I got that calculation wrong... lol, $20,000/kilobyte tx fees, not so affordable. However, lets say 100 billion valuation, 1 billion a year to miners, and you're at $20/KB.
07:04 < adam3us> petertodd: if it gets that large i expect the people running the show could just as well turn off their miners and sign clearing agreements
07:05 < petertodd> (right now tx's cost about $20 already in fact due to the inflation subsidy...)
07:05 < adam3us> petertodd: yeah thats kind of scary... hidden cost.. people say btc costs 2c but its actually 1000x worse
07:06 < petertodd> Fucking hell, who cares how "interesting" it is for your morning coffee? What's important is that we have a solid decentralized store of value with a decent way to move it around. We can improve upon that later, but don't fuck up the base.
07:06 < petertodd> Fundamentally we have to figure out how to make validation scale.
07:06 < petertodd> Second fundamental is we have to figure out how to make transaction selection scale.
07:07 < adam3us> petertodd: u mean validation scale is reduce the broadcast bandwidth feed fr a full node? or cpu?
07:07 < petertodd> CPU isn't very interesting, don't focus on that. Bandwidth is what's interesting because censorship-resistant bandwidth is hard to come by.
07:08 < petertodd> Censorship-resistant CPU power is available at stores around the country...
07:09 < adam3us> petertodd: yes;; so a ultra-crude what-if is say divide the n^2 into 1000 subgroups, payments are then either in-subgroup or cross subgroup, and mergemine subgroups
07:09 < adam3us> petertodd: cross subgroup takes 2 tx but thats still smaller than 1 tx broadcast 1000x wider
07:10 < petertodd> yup, I proposed that one a few months ago
07:11 < adam3us> petertodd: yes i think multiple people proposed the same what-if
07:11 < adam3us> petertodd: I did, vitalik did also probably others... but its not clear how well that could work
07:12 < petertodd> AFAIK I was first :P The issue actually comes up with fidelity bonded banking, because you need to ensure that proof-of-fraud can be effectively published, and you need to have proof that you know about all fraud published for some given domain.
07:13 < petertodd> Anyway, I hope we agree that until a viable system for subgroups is proposed, and it's possible to mine blocks in a decentralized fashion, it's deeply dangerous to tinker with the scalability of Bitcoin.
07:15 < adam3us> petertodd: i'm not sure - you're saying dont change anything until we know the best longer term scaling approach or the scalability patches might actually make things worse?
07:15 < adam3us> petertodd: decentralized mining... yes i think that could be a nice partial win if that could be figured out
07:15 < petertodd> adam3us: remember that we've got people in this community who want to remove blocksize limits entirely while leaving the rest of the system as-is.
07:16 < petertodd> That's the idiotic opposition you're up against, not people who have a deep understanding of Bitcoin.
07:17 < adam3us> petertodd: gotcha, yes i agree with your previous arguments that upping the bw requirements aggressively is dangerous for decentralization (and also why i said i'm not sure i buy the "bitcoin scales to visa" type of hand-waving - oh yes, how and at what cost)
07:18 < petertodd> adam3us: With sufficient trust you can make any pig fly. :P
07:18 < adam3us> petertodd: u know i hear swift itself is nominally p2p
07:18 < petertodd> Ha, yup!
07:18 < adam3us> petertodd: so if the way we reach visa scaling is to run 50 bitcoin nodes on a closed network controlled by big banks i am not so interested
07:19 < petertodd> Exactly. And in between now and that, there's a lot of trade-offs.
07:19 < petertodd> 10MiB blocks aren't so, bad, 100MiB kinda iffy etc.
07:20 < adam3us> petertodd: we need something fundamental new insight .. the picture so far is moderately clear, but no clear path forward is in sight
07:20 < petertodd> Now where the "just remove the limits entirely" thing is so obnoxious is that the basic idea, just let miners choose, is such a fundamental misunderstanding of the nature of validation and trust in Bitcoin.
07:21 < petertodd> of course there's no clear path forward, every path has different costs to different people!
07:22 < adam3us> petertodd: u might wonder if there is some moderate incremental scalability gain lurking in using accumulator tree vs hashtree
07:22 < petertodd> heck, there's a decent enough chance that nothing at all will happen and Bitcoin will remain, technically, identical to its current form for a long, long time.
15:40 < phantomcircuit> i stand corrected
15:40 < phantomcircuit> that's actually pretty huge
15:40 < petertodd> Yup, it was also the original blocksize limit.
15:40 < petertodd> which makes me think satoshi hadn't planned for one at all...
15:44 < sipa> petertodd: gavin fixed what?
15:44 < midnightmagic> ^^ by the way, gavin, if you use as the freenode IRC server password your nickserv authentication details you don't get the changing host thing.
15:44 < petertodd> sipa: his original rejection message patch let an attacker put fake entries into your log file
15:45 < petertodd> sipa: didn't filter out newlines :/
15:45 < gavinandresen> midnightmagic: how do i "use the freenode IRC server password"
15:46 < gavinandresen> IRC passwords are still a mystery to me, is there a clear explanation of which password does what somewhere?
15:46 < midnightmagic> gavinandresen: One sec..
15:46 < MoALTz> midnightmagic: edit server, server password in xchat right?
15:47 < midnightmagic> Yes. The IRC server password. You construct it like so: NickName:NickservPassword
15:47 < gavinandresen> midnightmagic: okey dokey. What is the Username then?
15:47 < midnightmagic> http://freenode.net/faq.shtml
15:47 < midnightmagic> No username. There should just be a password field.
15:48 < midnightmagic> http://freenode.net/faq.shtml#nicksetup <-- there it is.
15:49 < midnightmagic> In plain irssi, for example, you would connect with: /connect chat.freenode.net 6667 mquin:uwhY8wgzWw22-zXs.M39p or your deets in place of..
15:49 < midnightmagic> there you go. I think that did it.
15:50 < MoALTz> midnightmagic: what happens if your zombie hasn't disconnected yet?
15:50 < gavinandresen> mmm. Colloquy UI is confusing, it gives me Username and Password for server connection
15:50 < midnightmagic> MoALTz: It's not foolproof. In the event of a netsplit I think something weird happens then.
15:50 < gavinandresen> and isn't smart enough to do the nickname:password thing, I guess
15:50 < midnightmagic> nah it's a freenode-ism I think.
15:51 < gavinandresen> that was my mistake, then-- looking at IRC help instead of FREENODE help....
15:51 < midnightmagic> MoALTz: Also I don't know what happens with zombies..
15:52 < midnightmagic> gavinandresen: znc, the bouncer I use, also uses that style to authenticate individual users and log them in to a user session. In znc, the server configuration line just has something like this: 2610:150:2c68::d0:dab:1de5 +6697 midnightmagic:MyNickServPasswordItsALongOne
15:56 < warren> Luke-Jr: jgarzik: it is not only ACK'ed things, it tests not-yet-approved things if we think it's a good idea and we tested it.
15:58 < amiller> MyNickServPasswordItsALongOneAlsoHighEntropyEjKRUaOJPo
15:59 < phantomcircuit> gavinandresen, colloquy like most os x software makes it impossible
15:59 < warren> well crap, someone reports the OMG build still corrupts on macos x
16:00 < gavinandresen> warren: mmm. I got corruption running git HEAD, so that doesn't surprise me
16:01 < petertodd> warren: sheesh, I ran a bitcoin node for months on a computer with such flaky ram I couldn't get firefox to work for more than an hour at a time and it never corrupted the blockchain once :/
16:01 < warren> gavinandresen: corrupted even after a clean shutdown of bitcoin?
16:02 < gavinandresen> warren: was probably a dirty shutdown
16:02 < petertodd> warren: maddening how some stupid fs sync crap has a bigger effect than that ram
16:04 < sipa> petertodd: i doubt the corruption problems we're seeing are related to flaky hardware
16:04 < sipa> or at least, some
16:05 < petertodd> sipa: exactly my point; hardware/os lying about syncing is more of a threat than the hardware not working at all
16:06 < warren> It isn't clear if the corruption is only on certain versions of the OS.
16:06 < warren> I've seen most reports on 10.8+
16:06 < warren> one report on 10.7
16:07 < warren> none on 10.6, which might mean nobody is using 10.6?
16:08 < petertodd> warren: any chance the people on 10.6 are using different hardware than 10.7? (dunno nuthin about macs myself)
16:08 < gavinandresen> warren: I'm running 10.7
16:09 < petertodd> FWIW I did a SSD write corruption test a few years back at work, and I did find a SSD drive brand that lied about data syncing, so it's quite possibly a hardware thing related to some choice Apple made.
16:11 < warren> indeed, some brands of SSD are notorious
16:13 < warren> gavinandresen: what hardware? apple provided HD/SSD?
16:13 < warren> gavinandresen: FWIW, our mac dev and coblee have *never* experienced corruption
16:13 < petertodd> warren: yup, and sadly this could just be some choice Apple has made that's far from easy for us to deal with.
16:13 < gavinandresen> warren: I have no idea, I bought this mac used. I got corruption on both the SSD and the spinning disk.
16:18 < warren> gavinandresen: at this point are we willing to post a bounty on this? "Reproduce corruption on demand, explain why it is happening." and separately "provide a fix that passes bitcoin dev approval"?
16:18 < gavinandresen> warren: sure, if you're willing to hold the money and judge the 'approval' go for it
16:19 < petertodd> gavinandresen: re: relay first double spend, you relaying the whole double-spend tx?
16:19 < warren> gavinandresen: where can the money come from? we can pledge some from our funds
16:20 < gavinandresen> petertodd: yes, relaying the first double-spend as if it were the first spend
16:20 < sipa> with a different message?
16:20 < petertodd> gavinandresen: what happens if the first double-spend was a 200byte tx, and the second a 100KiB tx?
16:21 < gavinandresen> petertodd: then 100,200 bytes get relayed across the network
16:21 < gavinandresen> assuming that both pass the IsStandard tests.
16:21 < petertodd> ugly...
16:21 < gavinandresen> simple
16:22 < petertodd> 500x cheaper to DoS the network. OTOH I like how this makes it easy to do replace-by-fee.
16:22 < gavinandresen> sipa: what do you mean, "with a different message" ? No, just a normal inv / tx
16:22 < gavinandresen> (inv / getdata / tx)
16:22 < sipa> hmm, but without taking it into the mempool
16:23 < gavinandresen> petertodd: 500x ??? You can broadcast 100K transactions now. This will make it at most 2x times easier to try to DoS the network.
16:23 < sipa> i'm not sure it's advisable to relay a transaction we're not considering valid ourselves
16:23 < petertodd> gavinandresen: No, 500x, because I'm only paying for the bandwidth of the 200 byte tx. (or actually, even smaller than that is possible)
16:23 < gavinandresen> sipa: right, does not go into the mempool
16:24 < gavinandresen> sipa: the whole point is to broadcast it so that accepting-payment-in-person merchants will see the invalid transaction and can react
16:24 < petertodd> gavinandresen: Probably not an issue in practice, because someone will do replace-by-fee mining, but then that kinda defeats the purpose in a way...
16:24 < sipa> gavinandresen: right, which is why i'd use a different message
16:25 < warren> gavinandresen: is the foundation willing to add funds to such a bounty?
16:25 < gavinandresen> sipa: that just complicates the code unnecessarily
16:25 < warren> we can ask for public donations too
16:25 < sipa> to 1) make it clear that we're not actually considering this one valid and 2) make old nodes ignore it
16:25 < sipa> then again, nothing prevents someone from taking a faketx message and broadcasting it as a t
16:25 < sipa> as a tx
16:26 < gavinandresen> sipa: exactly, the code you'd write is exactly the same
16:26 < petertodd> sipa: Interesting thought: I can use this to broadcast a replacement, and because it's a standard inv, any miner who didn't get it the first time for some reason, and doesn't have it in their mempool, will get the second one. If the second one is a higher fee, maybe this time they'll accept it!
16:27 < sipa> yes, it may have unintended replacement effects
16:27 < sipa> giving a double spend higher chances for being mined than before
16:27 < gavinandresen> again, the reason for doing this is 0-confirmation transactions for merchants monitoring the chain.
16:27 < sipa> that's why i'd prefer not doing it the same way
16:27 < gavinandresen> err.. monitoring the network....
16:27 < sipa> i'm pretty sure it will lead to double-spends becoming easier :)
16:28 < gavinandresen> Easier-but-easier-to-detect is fine
16:28 < petertodd> sipa: Yeah, e.g. it makes it even easier to double-spend by broadcasting a, say, satoshidice tx, then waiting for my reply, then broadcasting a double-spend that doesn't involve satoshidice - I have a 10% chance of it getting mined by eligius without even needing to contact them directly.
16:28 < petertodd> Heh, funny thing I'm definitely going to ACK that patch because it's a step towards replace-by-fee and pure-profit-driven mining.
16:29 < sipa> petertodd: i'm in the middle about that, but imho the client should try to get peers to do the same
16:29 < sipa> so if you're doing replace-by-fee, i'm perfectly fine with it being the same tx message
16:29 < petertodd> sipa: get peers to what exactly?
16:30 < petertodd> sipa: ah, yeah, replace-by-fee would definitely use the same tx message
16:30 < gavinandresen> sipa: 0-confirmation double spends are pretty easy today. I'm completely convinced early detection is more important than trying to prevent them.
16:30 < sipa> but if you're explicitly not considering a transaction valid, i don't like making it seem to others that you do
16:30 < sipa> gavinandresen: fair enough, i agree there
16:30 < gavinandresen> Let's debate replace-by-fee separately...
16:31 < warren> crap, two reports of corruption after a clean shutdown...
16:31 < warren> this makes no sense
16:31 < petertodd> gavinandresen: Well, the beauty of this is it lets miners decide for themselves given they now can easily get the replacement with no effort.
00:23 < gmaxwell> maaku: "You can spend these coins if you solve my puzzle" "psyche... I just spent them out from under you even though the code said I couldn't because I can create false proofs for this verification key."
00:24 < gmaxwell> amiller: the upside is removing the CRS the downsides are that the proofs are much larger (tens of kilobytes) and the zero-knowledge is no longer perfect.
00:25 < amiller> i see.
00:26 < gmaxwell> amiller: well I'm glad your koolaid tap on the CRS stuff ran out. I dunno why everyone thinks its so acceptable.. it is in some cases, not others.
00:26 < gmaxwell> What they're talking about doing in zerocash I think its completely unacceptable.
00:26 < gmaxwell> then again, for that application 20kbyte signatures is probably also unacceptable.
00:27 < amiller> how far do you think they can smear around the anytrust kind of setup
00:27 < gmaxwell> (and for that matter, q-power knowledge of exponent, bilinear pairing stuff is by itself probably unacceptable)
00:27 < amiller> that was a question someone asked, matt green answered affirmatively, i didn't seek any details
00:28 < gmaxwell> What was?
00:28 < amiller> whether you could distribute the setup among N parties
00:28 < gmaxwell> yea, I think thats half BS
00:28 < amiller> where any of the N parties has to delete their data
00:28 < amiller> okay
00:29 < gmaxwell> I don't know of any systems for _active_ secure MPC that don't themselves require a zk-snark, certainly none that are implemented.
00:29 < gmaxwell> (you can take any semi-honest-secure MPC scheme and make it active secure if you make all the players do their work under ZK-proof that they're obeying with the protocol)
00:29 < maaku> gmaxwell: i see
00:30 < gmaxwell> It's possible in theory at least. But what does N need to be? and where is even a beginning of an implementation? even with just three parties it would be the largest MPC task ever attempted.
00:30 < amiller> yeah everything attempted in practice so far has been semi honest
00:30 < amiller> afaik
00:31 < gmaxwell> Yes, as far as I can tell. And I think we have a chicken and egg problem here. We have almost practically efficient snarks actually implemented but in the CRS model.
00:31 < gmaxwell> You could, in theory, make the CRS with MPC. .. but active secure MPC that looks remotely practical is a passive MPC + SNARKS.
00:32 < gmaxwell> and the CRS computation isn't horrible but there is a lot of it ... for zerocoin they're talking about 1.6GByte prover keys (which actually sounded small to me).
00:33 < gmaxwell> So somehow you've got N party active secure MPC and you're going to compute 1.6 gbytes of CRS in it?
00:33 < gmaxwell> And realistically I think N can't just be 3. Start talking about 30 and thats more interesting.
00:33 < amiller> yeah. i came to that conclusion pretty quickly too
00:34 < amiller> sell tickets to the big setup phase MPC as your fundraiser gimmick!
00:35 < gmaxwell> I mean there are neat things you can do... one of the mpc nodes should be in a faraday cage in a bunker filled with C4. And you should explode it when the computation is finished. People would pay to see that. :P
00:36 < amiller> david blaine could do one too
00:36 < gmaxwell> the undetectable compromise part is part of what makes this so bad for ZC where it wouldn't be an issue elsewhere.
00:37 < gmaxwell> lots of room for fud.
00:37 < gmaxwell> "NSA supercomputer cracked the crypto to recover the key whole cloth, and now the US government can print unlimited coins! Prove me wrong!"
00:38 < gmaxwell> at least if it were detectable you could freeze new spends and deploy another ZK proof system (perhaps a less efficient one)
00:39 < amiller> i learned about a formalism called "covert security" that's weaker but promises detection like that...
00:39 < amiller> but i couldn't find any trace of someone actually getting any cheaper construction that way
00:40 < gmaxwell> well the GGPR12 stuff is super brittle to knowing the CRS. Its easier to compute a fake proof than validate a proof if you know the CRS.
00:41 < gmaxwell> and I think the way the perfect zero knowledge is achieved it must be that way.
00:42 < gmaxwell> (because you can basically show that for any set of passing input group elements some CRS exists that makes those elements a valid proof, regardless of the statement being true or not)
00:44 < gmaxwell> In any case, Iddo has given me the impression that I'm not the only person who's seen the limitations of the CRS model.
00:46 < amiller> i've seen some modifications to CRSs to make them more useful and composable but not that get rid of the trusted/private state somehow
00:47 < amiller> i don't have any idea what comes next
00:52 < gmaxwell> amiller: why not post to the http://www.scipr-lab.org/ mailing list and whine about the CRS trust assumptions and ask what they're going to do about them? :P
00:52 < gmaxwell> As I said, I /think/ they're also working on a backend without one. But I don't know anything about it as it's not mentioned in their papers on their tinyram work.
03:01 < nsh> gmaxwell, if it helps, didactically, you can compare the security of the CRS model to the security of DUAL_EC_DRBG....
03:06 < gmaxwell> Hm!
03:06 < gmaxwell> point.
06:17 < adam3us> gmaxwell: so while i agree that H(nonce)[rand(32)] ^ prefix is an interesting incremental improvement of raw prefix, with an example 8-bit prefix, and [] being byte index, ^=xor, it still publicly allows elimination. ie with probability (255/256)^32=88% it eliminates you as a payee of any given reusable payment.
06:17 < adam3us> gmaxwell: (posted this and related on bitcoin-dev)
07:56 < jtimon> somebody claimed here (I don't know if it was you maaku), that some people were suspicious about scrypt being GPU mined from the beginning
07:57 < jtimon> does anybody have any reference to that?
08:04 < jtimon> hmm, is this it? https://bitcointalk.org/index.php?topic=63365.0
08:04 < jtimon> I'm considering mentioning rumors about it and putting a link on an article about p2p currencies I'm finishing
08:07 < jtimon> I don't know...wasn't coinhunter a scammer?
08:07 < jtimon> "Artforz publicly admitted to creating a GPU miner for litecoin numerous times" any link to this?
08:08 < jtimon> I'll keep searching, just browsing out loud in case anybody can give me some clues or a better link
09:17 < Emcy> hmm apparently GCHQ couldnt crack truecrypt with the password "$ur4ht4ub4h8"
09:17 < Emcy> they had to sling the guy in jail and sweat it out of him
09:18 < Emcy> isnt that a weak password? Is that a bit surprising.
09:18 < adam3us> jtimon: ha thats pretty interesting the guys claim seems quite plausible. casts coblee / artforz in a bad light if so. i was before now supposing the failure of scrypt params chosen to be yet another alt param fail on their part. but maybe it was a "fail" ie not real! they designed it that way and exploited it to the max until someone else figured it out
09:18 < adam3us> Emcy: yeah i saw that.. my thoughts also, we have nothing to worry about :) combined might of GCHQ cant crack that short/low entropy password.. chortle.
09:19 < adam3us> Emcy: what we dont know however is the program used. maybe it has some memory hard stretching or something preventing fpgas or whatever gchq has
09:19 < Emcy> and yet a skilled cracker with a good custom dictionary and a handful of radeons might
09:20 < adam3us> Emcy: if it was unstretched, for sure; lot of former gpu miners could crack that with their own cards!
09:21 < Emcy> ok i assume it was truecrypt
09:22 < Emcy> http://www.bbc.co.uk/news/uk-25745989 look hes got a beard so hes probably up to no good!
09:22 < adam3us> jtimon: analogously i was similarly suspicious of dan larimer with his momentum hash and protoshares. that no GPU status fell pretty fast though he fought the claim all the way down
09:23 < Emcy> adam3us isnt it fairly common knowledge that someone was mining LTC rather faster than should have been possible early on
09:23 < tacotime_> I recall artforz had mentioned he implemented it on GPU And it was slower
09:24 < tacotime_> The algo itself is slower on GPU if you don't use the TMTO trick (only store every other value in the memory pad and look up the others on the fly)
09:25 < tacotime_> There's a little bit of reason to believe that solar designer and artforz may have been the same person, but I won't elaborate
09:25 < adam3us> Emcy: I dont know wasnt paying attention at the time. tacotime_: the thread jtimon posted above says their programmer spent 4hrs and made something 150x faster than artforz claimed best.
09:26 < tacotime_> You honestly trust something coinhunter said?
09:26 < tacotime_> The guy who has stolen hundreds (probably thousands) of BTC from the community over the past 2 years? ;)
09:26 < adam3us> tacotime_: solar designer is pretty crypto sharp, he posts on cpunks/crypto lists a lot and seems to have clues. seems to me if that is artforz alter ego he'd have the sharps to do a little TMTO
09:27 < adam3us> tacotime_: yeah i heard of solid coin by infamy/reputation only wasnt paying attention back then. he's that guy?
09:27 < tacotime_> yeah
09:27 < tacotime_> RealSolid/CoinHunter, same person
09:28 < tacotime_> http://www.openwall.com/lists/crypt-dev/2013/03/21/1
09:28 < adam3us> tacotime_: apparently his antics were so stupid/evil/greedy as to remain the subject of lore 3 years later :) thats how i heard about solid coin at all
09:28 < tacotime_> I'm not sure where mtrlt was updated to the desynchro/TMTO trick though
09:29 < tacotime_> Or if pooler had first picked it up when optimizing his LTC miner
09:30 < adam3us> tacotime_: i think i saw solar designers TMTO experiments, he mustve cross posted to one of the crypto lists
09:30 < tacotime_> yeah
09:31 < tacotime_> mtrlt also ran off with a load of bitcoins after claiming he would implement primecoin miner on gpu
17:56 < gmaxwell> jtimon: if you don't download the whole chain then miners participants in the past before you joined could have cheated and freely written themselves blank checks. Its very nice today that when people ask about this (which they frequently do) I can give them a very strong answer: No, your software audits against that, and you can audit its code (or have someone else do so) to make sure that it does.
17:56 < adam3us> gmaxwell: committed tx would be your only remaining defense against policy, you can still do a few things, notice when they make changes etc, but with less power to do anything about it
17:56 < maaku> gmaxwell: our approach is to move more transactions off-chain onto private servers, and use the public consensus mechanism only when necessary (e.g. cross-server trade)
17:57 < gmaxwell> adam3us: sipa has a great argument that goes: At one extreme blocks are maximally small and no one can transact but everyone can validate and so the system is centralized because so few can transact. At the other extreme the blocks are enormous and everyone can transact but no one can validate, so the system is again centralized because we must trust the few validators. The ideal behavior is somewhere in between.
17:57 < adam3us> maaku: in a way thats mirroring bitcoin activity, most mtgox,bitstamp trades are in server
17:58 < adam3us> gmaxwell: sounds like sipa's block chain triangle:)
17:58 < maaku> adam3us: yes, but we'd like to do it in a way where your 'off-chain wallet' contains similar security guarantees - server can't spend your coins without your sig, and any modification of the spend history is detectable, etc.
17:58 < jtimon> gmaxwell, with maaku's UTXO index hashed on every block, it's just a matter of how long in the past you want to go
17:58 < gmaxwell> Sipa Circumflex of Centralization.
17:59 < jtimon> back to genesis? to the last checkpoint?
17:59 < maaku> similar to OT in that regard, but using bitcoin structures for interoperability
17:59 < gmaxwell> jtimon: allow me to be offended while you lecture one of the first people to suggest committed utxo on the subject of them...
17:59 < adam3us> maaku: i agree its the holy grail of off chain transactions " we'd like to do it in a way where your 'off-chain wallet' contains similar security guarantees - server can't spend your coins without your sig, and any modification of the spend history is detectable, etc."
18:00 < maaku> ok well read the paper and give us your feedback
18:00 < gmaxwell> jtimon: regardless not validating the rules is a break in the security model, and its one that may have weird interactions with incentives. Today a miner that does a big reorg can only reorder transactions, in an environment where many nodes don't validate deeply, they can write themselves a blank check.
18:01 < maaku> we're implicitly assuming some form of tx commitment though (not mentioned in the paper), which is the source of some of the security protections
18:01 < adam3us> maaku: not saying i have a solution, though like presumably many others its occupied my thoughts for some time
18:01 < gmaxwell> This isn't to say that its not a good tradeoff, but its not clear that its a free one.
18:01 < jtimon> sorry, gmaxwell, and yes, I've heard that potential problem, I think from retep
18:02 < adam3us> maaku: one loose idea is to use the bitcoin block chain to timestamp the merkle root of the offchain server's transaction log
18:02 < gmaxwell> I suppose its a change which actually could be made in bitcoin because basically none of the users have a mental model of the security that makes any sense... though its kinda sad that it wouldn't be controversial to revise the security model in such a substantial way.
18:04 < adam3us> gmaxwell: i'm with you on this one, the assurances of immutability are the strongest feature of bitcoin
18:04 < jtimon> the way I see it, it's configurable security, you can still be a full node, miners should be prepared for very big reorgs
18:04 < gmaxwell> jtimon: moral hazard.
18:04 < gmaxwell> If you're in a minority you're actually worse off setting security higher than other people.
18:05 < jtimon> I see
18:05 < gmaxwell> And if you can reduce your costs and let some other sucker take the work of making the security promises good? oh well.
18:05 < gmaxwell> (worse off because it's a consensus system: it's often more important to agree than to be right)
18:05 < maaku> ... which is why i'm staunchly against probabilistic validation
18:06 < gmaxwell> maaku: if its over old history that you wouldn't have validated anyways? and your response is to just shut down and nag the user? I don't worry about that. It's just a backstop that means that manual intervention would kill an attack that depended on a historical rule validation.
18:06 < adam3us> gmaxwell: agree vs right; I agree: it seems to me that other than SPV, miners could indirectly facilitate consistent distributed arbitration of a random decision, so long as its immutable
18:06 < gmaxwell> Likewise, the fraud notices stuff would make probabilistic validation not a consensus risk. ... (though a software engineering risk... :( )
18:08 < adam3us> gmaxwell: just based on timestamping, no other validation; full node users could do committed tx fine with that assumption
18:09 < adam3us> if there is a way to shard activity within a timestamp tree, you might be able to scale that further than a miner validated blockchain (the miners in this model would just be timestamping merkle roots)
18:10 < jtimon> so you just timestamp things and the validation comes later, no?
18:10 < gmaxwell> maaku: the other question is: if your choice is "only google does the validation" vs "lots of parties do probabilistic validation with some risk of consensus failure" I don't think that it's a hard decision. There are lots of nice centralized systems out there, I don't think bitcoin is really competition for them. And I do think in the long run some compromises will be the matter of effectively centralizing the whole ball of wax ...
18:10 < gmaxwell> ... or not.
18:10 < gmaxwell> adam3us: the incentive model is goofed up though if unfaithful validation doesn't make your 'work' wasted.
18:11 < gmaxwell> e.g. say it's constructed so you could timestamp multiple orthogonal consensuses ... you might as well timestamp a zillion of them just in case one is preferred over another.
18:11 < gmaxwell> (this is the problem proof of stake has)
18:12 < adam3us> jtimon: yes committed tx are validated by users (including full tx history) and in this timestamping only use of it peers would need to be full nodes, but maybe it can be sharded to eg freimarket servers for the merkle root
18:14 < jtimon> it reminds me of a "crap serializer" idea I had, but mine was centralized
18:14 < adam3us> gmaxwell: so the hypothetical would be have lots of OT like servers as supernodes (but still peers) they participate in the timestamp consensus
18:14 < jtimon> how do you agree on the p2p serialization? do you have a thread?
18:15 < adam3us> gmaxwell: users transact on a given server with receipts, if anything goes wrong they switch servers; the server cant undo things because its transaction merkle root is timestamped
18:17 < gmaxwell> adam3us: how do you prevent supply doubling where users clone themselves and start transacting on two servers in parallel?
18:17 < adam3us> users, servers audit other servers to be sure they never put conflicting statements in their tx tree
18:20 < adam3us> gmaxwell: possibly (or so i was loosely thinking) each asset has a home server that is the authority on ordering transactions involving it - the idea is distributed consensus is hard but individual consensus is trivial, and mining timestamping prevents revisionism, and audit detects problems, and then you need some migration property where you can move the asset to a new home using receipts (but only after timestamp validates the move)
18:21 < adam3us> gmaxwell: say it costs higher fees to move via the timestamp chain to another server, so there is a disincentive to move unless actual problem; and servers cant cheat as they are audited and the system reacts to cheating
18:22 < adam3us> gmaxwell: its basically OT + blockchain timestamping for merkle root timestamping, and reward (coin mining via blockchain timestamping) and to validate the movement of an asset to a new home
18:24 < adam3us> it becomes simpler to change mining details also when it is only doing timestamping eg as its low bandwidth, doesnt deal with 0-confirm ordering, nor validation of transaction details, nor fee collection
18:25 < gmaxwell> adam3us: this is starting to tread into the space I was talking about with the coinwitness stuff (using non-interactive zero knowledge proofs to delegate coins to external transacript producing systems and eventually pull them back)
18:25 < gmaxwell> transcript*
18:27 < maaku> gmaxwell: I think if we move a lot of things off-chain (including day-to-day payments), and start using the chain mostly for global consensus over multi-server trades, we won't have to scale bitcoin much
18:27 < adam3us> gmaxwell: have to re-read that, while i thought scip/snark interesting i mentally put it in the 'future crypto' bucket to keep an eye on
18:28 < adam3us> maaku: yes, but a bit of an open question how that can be done while preserving the bitcoin properties
18:28 < maaku> so fears about needing "google-scale" are not yet convincing, imho
18:29 < gmaxwell> maaku: personally I hope so, but that comes with another worry. Say we jack way up the block size, and the things move off to other systems (for things like instant confirmation) ... will bitcoin be able to support itself on fees with the enormous block sizes but most txn off chains? hell would it be able to support adequate security with fees even with current blocksizes? Petertodd gave a vision of the future where those ...
16:09 < amiller> i want to talk about p2ptradex
16:09 < amiller> you guys read this post? https://bitslog.wordpress.com/2013/05/20/p2ptradex-back-from-the-future/
16:25 < gmaxwell> amiller: what about it? ... results in enormous transactions to have any real degree of cross chain proof, and even then only gets you spv security.
16:25 < amiller> i don't think any of that is necessarily true
16:25 < amiller> first of all it doesn't have to be about transaction size, proof size can be amortized for many transactions
16:26 < gmaxwell> The first is true so long as headers are a singly linked list.
16:26 < amiller> under normal conditions, two blockchains are perhaps roughly synchronized
16:26 < amiller> you could merkle tree over the headers and go down to log
16:26 < gmaxwell> The second is true so long as you don't commingle the consensus of the two chains.
16:26 < amiller> you don't have to do full validation
16:26 < gmaxwell> amiller: only by changing the headers.
16:26 < amiller> the thing is you can be asymmetric in two ways
16:26 < amiller> like if i am trading my bitcoins for your litecoins
16:27 < amiller> i don't really care if the bitcoin side gets canceled
16:27 < gmaxwell> amiller: no, but I sure do.
16:27 < amiller> i'm only concerned that the bitcoin side goes through and litecoin gets canceled
16:27 < amiller> right
16:28 < amiller> so i am happy if the bitcoin side just trusts litecoin at face value
16:28 < gmaxwell> I mean the _whole_ point of doing anything fancy there is to control the cancelation behavior, otherwise you can just do joint secret locked outputs.
16:28 < amiller> i don't care if the bitcoin chain only does spv validation of litecoin because i'm going to be just as vulnerable to litecoin anyway
16:28 < amiller> likewise you'll be happy if litecoin does only spv validation of bitcoin
16:29 < amiller> because you're going to end up with bitcoins anyway and if spv isn't good enough then something horrible has happened
16:29 < gmaxwell> amiller: say we're going to trade 1000 BTC worth of coins and I can buy computing power at near mining cost rates on the open market.
16:30 < gmaxwell> how big must the transactions be before its not cheaper to mine bogus blocks instead of completing the transaction?
16:31 < amiller> right so the tricky case is when there's a big disparity in mining power between the two chains
16:31 < amiller> but lets say we agree on the price
16:31 < amiller> it's proportionally a much bigger transaction on the tiny litecoin chain
16:31 < amiller> so i should correspondingly wait much longer before i'm sure
16:32 < gmaxwell> just assume it's 'bitcoin to bitcoin' if you will. I still think the result ends up ugly.
16:32 < amiller> the proof doesn't all have to be in the transaction, i think sdlerner's particular solution is wrong and ugly but the key idea works
16:34 < amiller> like assume you can use something like the hash-value-highway to get a concise aggregate sample of work
16:34 < gmaxwell> even a cut and choose compression of the headers ends up being quite large.
16:34 < amiller> basically since there are tiny trivial litecoin blocks so frequently, it would suck to try to say that bitcoin has to validate two weeks worth of ltc blocks before committing the transaction
16:35 < gmaxwell> amiller: I think the bitcoin bitcoin case sucks too, as mentioned. even when you get to dozens of headers the transaction is rather enormous.
16:35 < amiller> but if i'm going to end up with litecoin anyway, i'm okay if bitcoin only does concise work-sampling validation
16:35 < amiller> if there is a lot of volume of btc to litecoin trades then we can all amortize the validation
16:35 < amiller> there's no reason each individual transaction has to repeat the whole process
16:36 < amiller> there's maybe a scheduling/batching challenge in there
16:36 < gmaxwell> and any subsetting case will still need n bits of selection where n is fairly large compared to work.
16:36 < amiller> that's not true i don't see why you'd say that?
16:36 < gmaxwell> amiller: yes if you commingle the consensus algorithm, and effectively merge the chains requiring all full validators to validate both, it obviously works.
16:36 < amiller> no i'm saying it doesn't require full validation
16:37 < gmaxwell> amiller: because if your sample is just one point then a single lucky block can rob all concurrent spends. and also may take forever to come, leaving the transactions stuck for a long time.
16:38 < gmaxwell> amiller: if it's not full validating that surprise its just spv security. And SPV is quite weak when you have an information hiding risk.
16:38 < gmaxwell> So you need a lot of header proof to make SPV with a hiding risk not laughably bad.
16:38 < amiller> what do you mean
16:38 < amiller> i don't follow what you mean by information hiding
16:38 < amiller> if you mean errors in transactions then header doesn't solve that anyway so i don't know what you mean
16:39 < gmaxwell> As I said before, consider a 1000 BTC trade "bitcoin to bitcoin" via this mechanism. Say you require 12 headers. I can buy that computation for about 300 BTC. A big profit to cheat. The inner validation only knows what you tell it, it can't go out and discover that there is a longer chain far ahead of that one.
16:40 < amiller> that's true of any btc transaction with the threat of double spending
16:40 < gmaxwell> No, it's not because you can find out that there is a longer chain, so that someone spending weeks to produce a 12 header stub does no good, as the whole world has moved along.
16:41 < gmaxwell> SPV in information isolation requires only energy. SPV when there is no isolation requires energy at high power.
16:42 < gmaxwell> I think this is a tangent in any case.
16:42 < amiller> the rules for applying include an amount of work in both chains
16:42 < amiller> so it's not just 12 headers at any time
16:42 < amiller> but 12 bitcoin headers before say 60 headers of litecoin
16:42 < amiller> 60+epsilon
16:43 < gmaxwell> you can't be guaranteed any particular processing speed especially for your jumbogram transaction.
16:43 < amiller> if i'm confident i'm going to learn about 60 litecoin headers before you learn about 12 bitcoin headers, then i'm okay
16:44 < amiller> the point is we are both taking bets about the rate of proof-of-work of the chain we're going to end up on
16:44 < amiller> and any substantial change in that would make us vulnerable to double spends where we end up anyway
16:44 < gmaxwell> And this accomplishes exactly what?
16:45 < gmaxwell> A _trivial_ protocol already reduces this problem to pure holdup risk.
16:45 < amiller> right so i'm solving the holdup risk for a cross-chain transaction, up to the same security guarantee we have against double-spending in an individual chain
16:46 < gmaxwell> except you're not. Because the transactions cannot be mined atomically in both.
16:47 < gmaxwell> The rates of the two chains might be a nice constant ratio, but the _start time_ has no particular reason to have a non-zero offset in the two chains.
17:26 < amiller> ok i almost worked it out
17:26 < amiller> difficult to explain, this may take a few tries
17:27 < amiller> i'm giving you my bitcoins and you're giving me your litecoins, but suppose i'm able to produce a short proof that the litecoin chain has moved on several blocks *without* having your end of the transaction on it
17:27 < amiller> i should be able to present that proof to the bitcoin chain and use it to cancel my sending bitcoins to you
17:31 < gmaxwell> right, okay, so you need a UTXO proof, plus headers.
17:31 < amiller> not full headers, less than spv
17:31 < amiller> just a work sample
17:31 < amiller> that can be seriously small
17:32 < gmaxwell> Be concrete. I know ways to reduce enormous amounts of work to merely large, but I'm not seeing how you actually get something compact.
17:32 < gmaxwell> and a utxo proof is log(total utxo)
17:34 < gmaxwell> (the two ways I know to reduce enormous amounts to large is the hash highway method, and hash highway I think you need a header format change or you can't show the headers are related, or non-interactive cut and choose)
17:34 < amiller> header format change yes
17:34 < amiller> the noninteractive cut and choose isn't necessary
17:35 < amiller> basically i don't need to assert that the header samples form a valid chain
17:36 < gmaxwell> you do need to assert they came after the utxo proof connected header.
17:36 < amiller> i just have to show that they are very unlikely to be constructed without the minimum amount of work, and that they all occurred after some deadline (meaning there's some path of preimages that leads to some origin point of interest)
17:36 < gmaxwell> s/came after/ are connected to.
17:39 < gmaxwell> amiller: otherwise I mine a single fake litecoin block with a fake utxo commitment and give you that and a dozen real litecoin headers.
17:40 < amiller> hm, right, so i should check that the utxo commitment associated with each block couldn't have had data in it that contradicts my claim (that the transaction i care about has not shown up)
17:41 < gmaxwell> yea... so 800 bytes per block... :(
17:43 < amiller> if that's the only thing to grimace at i'm happy
17:43 < amiller> imo this is a building-block for not-necessarily-global blockchains
17:43 < gmaxwell> by per block I mean per block in your proof.
17:44 < amiller> yes i know
17:44 < amiller> if there's a lot of volume of btc to ltc transactions then we can all amortize the validation of work
17:44 < gmaxwell> well the utxo membership proofs can't really be substantially combined.
17:45 < amiller> yes but i only need it on the last one if there are canonical litecoin headers already
17:45 < gmaxwell> canonical litecoin headers implies full nodes validating litecoin blocks.
17:46 < amiller> either way this is just a possible optimization
10:26 < amiller> instead, if you built in something like this feature i'm describing, any attempt to tweak the rules to let in an extra million, even "only just this once", would require porting over everyone's signatures to some new thing all at once
10:27 < amiller> easily?
10:28 < petertodd> amiller: yeah, just make it possible to steal block rewards given proof of fraud
10:28 < amiller> i'm more optimistic the other way around... if i have a good definition, i can find someone who can do the relevant crypto, or i can wait 5 years and pinocchio or tinyram will be fast enough
10:28 < amiller> to steal anyone's block rewards?
10:28 < amiller> i don't think that solves it
10:28 < amiller> because it's still a simple "tweak" to the rules to make one particular fraud not count
10:29 < amiller> i'm not talking about someone sneaking in a deviant block undetected
10:29 < amiller> i'm talking about publicly getting everyone to agree to tweak a rule and then just accepting it
10:29 < petertodd> ah, hmm... sounds like magic :)
10:30 < petertodd> anyway, if everyone agrees, they can just as easily agree to change the rules to turn your system off
10:31 < amiller> right but then it's all or nothing
10:31 < amiller> this is meant to prevent tiny rule changes
10:31 < amiller> that otherwise preserve the system intact
10:31 < petertodd> they had to agree to change validation...
10:31 < amiller> which makes it more plausible that you could convince everyone to agree to go along with it
10:31 < amiller> which means the system could plausibly evolve over time
10:31 < amiller> if you actually wanted to bake in certain rules permanently then you could use this technique
10:33 < petertodd> well, anyway, if you figure out how to I'll be impressed all the same
10:33 < amiller> i think the trick is to relate signatures to block validation
10:34 < amiller> the signature scheme would have to be able to use knowledge of a violated rule as an alternate way of being accepted
10:35 < amiller> this means if a miner can include a block that violates a rule, he can also sign anyone's signatures
10:35 < amiller> the point is you could still just switch to another blockchain, but you would have to leave everyone's keypairs behind
10:36 < amiller> another way of putting it is that when you generate a spending keypair, you'd be making that keypair affixed to a particular set of constitutional rules
11:00 < gmaxwell> petertodd: http://www.reddit.com/r/Bitcoin/comments/1pjiv4/coinswap_a_transaction_protocol_to_trade_coins/
11:00 < petertodd> nice
11:00 < petertodd> although, I suspect the headline won't be understood as to me teleporting value...
11:08 < gmaxwell> Well, I added: http://www.reddit.com/r/Bitcoin/comments/1pjiv4/coinswap_a_transaction_protocol_to_trade_coins/cd2xqif
11:09 < petertodd> that looks better
12:30 < adam3us> amiller: so for example say by modifying the constitution you are allowed to add a factor of our choosing to the coin public keys and hence to know the discrete log and spend them
12:31 < amiller> i think - something like that
12:31 < adam3us> amiller: or alternatively people seem really scared of even soft forks ;P, so maybe its not essential in practice, but its an interesting question
12:32 < amiller> it's easier for me to think of this in terms of generic zero knowledge and circuits
12:33 < amiller> a public key is like the SNARK for a circuit that is valid if *either* the signature for the transaction is correct *or* you have evidence that the previous block hash contains an invalid rule
12:33 < adam3us> amiller: so what i mean is if the factor you add during your mining in constitutionally valid ways (no variation) are definitionally things you cant know the discrete log of (as they are hash outputs eg)
12:33 < adam3us> amiller: gotcha actually thats sort of generic ZKP or model
12:34 < adam3us> amiller: and yet by varying u get more freedom in the factor so could choose it maliciously
12:35 < adam3us> amiller: thats not actually the same of course, what you are saying via ZKP or is that not only could you be malicious if inclined, but you definitionally create the risk by introducing an OR zkp
12:36 < amiller> yes
12:36 < amiller> it's tricky though because
12:37 < adam3us> amiller: i could actually see that working no?
12:37 < amiller> transactions ordinarily just refer to the transaction graph, separately from blocks
12:37 < adam3us> amiller: yes there is a block / tx mismatch, that is quite inconvenient
12:37 < amiller> so i don't see immediately how to rule out that you could still just change the protocol and keep using the same public keys
12:38 < amiller> this doesn't have the desired effect if you could just interpret the existing signing keys with a different validation circuit
12:38 < amiller> the approach should be to somehow make the signing keys totally useless except in the context of valid blocks
12:38 < adam3us> amiller: right; seems like that might need some more sophisticated concept
12:39 < adam3us> amiller: like all sigs are based on SCIP/SNARK but bound to the constitution hash so that if its varied the proofs no longer are valid
12:39 < amiller> i still think this is definable just using zero knowledge and arranging things carefully
12:39 < amiller> yeah exactly
12:39 < amiller> it would turn "small one-time-only tweaks/exceptions" into suddenly *everyone's* problem that has any coins
12:41 < adam3us> amiller: yes the use-case is clear; prevents special pleadings by governments as now - bending constitutional rules due to political expediency in a time of financial difficulty
12:41 < amiller> right
12:41 < adam3us> amiller: if the cost is everyones money goes up in smoke, thats clearly worse; financial armageddon
12:42 < amiller> as it concerns bitcoin, i believe that currently people *overestimate* the relative ease of convincing everyone to go along with an incrementally rule-bending change that doesn't really affect them and might as well go with the flow
12:42 < amiller> at the same time, even a tool like this isn't a perfect solution to everything
12:42 < amiller> the ability to change rules through consensus is actually a pretty positive thing so far
12:43 < adam3us> amiller: i was just talking with petertodd about even well meaning short-termism creating problems through lack of focus on the big picture (upthread)
12:43 < amiller> i can imagine having some rules baked in this way and other rules able to change like currently through hardfork
12:43 < amiller> it seems like it would be clearly a useful tool to add but it's not obvious how best to apply it
12:44 < adam3us> amiller: yes; probably the main risk is bitcoin has a quite entangled hard to modify design, and code bug could screw core value up; would be useful if there was a way to finalize core value protection and do other higher level features separately without risking it
12:45 < adam3us> amiller: 21mil coin cap & mining production rate function are good candidates
12:46 < amiller> yeah, 21mil coin cap definitely the most fun one to aim at with this
13:00 < adam3us> amiller: so what if u made each ecdsa sig instead zkp of knowledge of DL of Q (bound to H(tx) aka ECDSA(tx) OR NOT (reward ==25 || epoch==2 & reward==12.t ...)
13:01 < adam3us> amiller: if you make a soft fork on reward, suddenly everyone will be able to spend anything
13:02 < adam3us> amiller: thats even a compact proof using representation problem (extended schnorr)
13:02 < adam3us> amiller: brands stuff can prove ==, NOT (aka !=) and OR is generic
13:04 < adam3us> amiller: could be more simply referring to currentReward()
13:50 < gmaxwell> Man, dealing with users is hard: http://0bin.net/paste/e6R8Cv8TJEdr-Fq0#c36UxiHSURdA06LPQPNiCvyiOIQ++XGScvPoTvJ/lEg=
14:47 < K1773R> gmaxwell: those ppl deserve losing their coins S:
14:47 < gmaxwell> K1773R: we need those people happily using bitcoin to make it have a functioning economy. :)
14:48 < K1773R> gmaxwell: unfortunately yea
14:49 < amiller> adam3us, so actually.... the trick must be to allow the miner to hide the transaction signature
14:50 < amiller> if the user submits an actual signature, then the miner can construct a ZKP that hides either (the attached signature is valid OR the prev block hash is bad)
14:50 < amiller> uh hm that still has that problem that you could give a different ZK proof for the same signature :/
14:51 < amiller> this isn't a clean change but you could require that all transactions are interactive and the tx itself requires a signature of the most recent block
15:02 < amiller> this would sort of be a general approach to having a non-reusable signature scheme
15:02 < amiller> normally signatures can be taken out of context
15:03 < amiller> i could be participating in a game where i use my gpg key to sign chess moves
15:03 < amiller> but someone else could pick some new protocol that also uses my signatures and maybe they conflict in some way
15:24 < MC1984> oh this is real.....
15:35 < sipa> is this the real life?
15:40 < gmaxwell> Or is this fantasy?
15:40 < gmaxwell> ^just
16:35 < gmaxwell> joining #eligius right now may be good for popcorn. The operator of betcoin.tm waynetbarclay is mad about eligius blocking his (SD style) 'dice' transactions and appears to be making veiled threats of DDOS attacks.
16:39 < warren> pastebin log?
17:43 < sipa> maaku: the name compactsignature actually comes from the fact that not using DER is more compact
17:43 < maaku> ah
17:44 < sipa> adding the recovery bit was later i think
18:24 < gmaxwell> petertodd: Luke-Jr apparently wasn't aware that the DBG transaction wasn't getting mined.
18:25 * Luke-Jr figured petertodd figured out a way around it :p
--- Log closed Thu Oct 31 00:00:27 2013
--- Log opened Thu Oct 31 00:00:27 2013
--- Day changed Thu Oct 31 2013
02:47 < warren> hmm, I see next-test didn't integrate Coin Control and watch only either.
05:53 < HM2> hmm
18:37 < shesek> so I guess Satoshi is now heavily invested in Jesuscoin? :)
18:37 < shesek> he should own a pretty large chunk of it
18:39 < shesek> given his large ownership in the early bitcoin blocks
18:39 < sipa> ...?
18:40 < maaku> shesek: yes, but unfortunately he Ascended into heaven in 2010 without leaving any of his public keys to his disciples :\
18:40 < maaku> /public/private/
18:40 < sipa> someone should create a Nakamotocoin - dedicated to The Ascended One
18:41 < sipa> by mocking his Creation
20:19 < justanotheruser> thanks andytoshi
20:22 < gmaxwell> From #p2pool:
20:22 < gmaxwell> 17:20 < owowo> gmaxwell: can you explain why ppl are mining on those BIG pools?
20:22 < gmaxwell> 17:21 < owowo> I don't get it, they must get more coin there.
20:23 < gmaxwell> oh he says he was kidding now.
20:23 < gmaxwell> dude just nearly dodged getting face-stabbed.
20:27 < shesek> bigger pools could operate on lower margins, so miners could benefit from the lower fees
20:27 < shesek> I'm not really familiar with pools though, so I'm not sure if that's true in practice
20:27 < gmaxwell> shesek: except that there are smaller 0 fee options (including p2pool)
20:28 < gmaxwell> the biggest pools have historically had the highest fees.
20:29 < gmaxwell> (the exception being ghash.io, and thats weird on a couple levels including that its widely understood that the owners of ghash.io own a majority of the hashpower on their pool)
20:29 < shesek> doesn't ghash's hashpower come mostly from cex?
20:30 < gmaxwell> shesek: yes, common ownership.
20:30 < shesek> which is physically owned by them, but should be "owned" by other people
20:31 < shesek> though as long as they have physical ownership over the hardware, its really a matter of trusting them
20:31 < gmaxwell> yea, no clue how much of cex is "owned" by other people they don't disclose that, the prices are off the charts.
20:32 < gmaxwell> in any case, ignoring ghash.io it's always been the case that the largest pools had the highest fees, almost nearly in order.
20:32 < shesek> btw, about p2pool, doesn't it have a much higher orphan rate that would really affect payouts for the worse?
20:32 < gmaxwell> wow
20:32 * gmaxwell cries
20:32 < gmaxwell> shesek: no, P2pool's orphan rate is lower than other pools by an order of magnitude.
20:32 < shesek> sorry, I'm really not familiar with p2pool and pools in general, I'm just asking to educate myself better :)
20:33 < gmaxwell> My crying is because it's just a replay of the constant fud that circulates and has no basis in reality. :( It's not your fault the whole world is dumb.
20:33 < shesek> so it seems like a lot of people are misinformed about that, I've read that in multiple places
20:34 < shesek> and I wonder how it worked out like that with the pools fees
20:34 < shesek> and why people keep joining the bigger pools if that's the case
20:35 < shesek> it might be psychological, where people think that bigger pools are better for some reason
20:35 < shesek> they face a choice paralysis when they need to pick one, and go after the largest one hoping that its somewhat better
20:35 < gmaxwell> back in early 2012 there was a span when p2pool had a somewhat high orphan rate, it's not clear if it was just bad luck or a real problem but major work was done to improve it. The end result has in the last several months had only 2 orphans against like 1627 blocks. Compared to, say, eligius which has had somewhat more than 1% orphans (also typical for other pools)
20:36 < gmaxwell> Overall p2pool has solved about 107% of the blocks you would have expected based on its observed work done.
20:37 < gmaxwell> shesek: oh a lot of people misunderstand why pooling exists, they think that mining is a race and in a race the fastest party always (or almost always) wins.
20:37 < gmaxwell> They talk about needing an X TH miner in order to "keep up" and things like that.
20:37 < gmaxwell> Following that logic, the biggest would be best. sooo.
20:38 < gmaxwell> also explains the inverse fee relationship. They think the biggest is best but attempt without the aid of math or understanding to balance that against fees.
20:38 < shesek> educating miners better could definitely help here, some more official resources about that could do some good
20:39 < shesek> an "introduction to mining" on bitcoin.org or something
20:40 < shesek> I do think there's some choice paralysis in play here too. Miners don't really have any effective way to pick a pool, which makes that choice somewhat hard... I guess that some just pick the biggest by default
20:40 < gmaxwell> yes, "so many other people choose it, it has to be good"
20:41 < gmaxwell> we've also seen some "large pool cycling" where the second or third largest pool gets a lucky run and shows up at the top of the charts... and then it becomes the largest pool.
20:42 < gmaxwell> P2pool has a bunch of UX stupidity that doesn't help even feeds into the misunderstandings.
20:42 < shesek> perhaps something that helped pick a pool, with a weighted random based on the inverse popularity
20:42 < gmaxwell> there really is only one pool we should be recommending, p2pool. It's the only surviving pool thats a decentralized system.
20:42 < shesek> could be marketed as "help save Bitcoin from centralization by using this!"
20:43 < gmaxwell> warren has been trying that.
20:44 < shesek> setting up a "whatpoolshouldipick.com" that simply gave one pool in a big font with a link, explaining how the selection works, could be nice
20:44 < shesek> and help overcome that choice paralysis
20:44 < shesek> but yeah, long term, p2pool is much better
20:45 < shesek> but its still somewhat inaccessible to users and requires setting up a full node
20:45 < shesek> I saw a thread about this on bitcointalk, it would really help if they setup a nice looking website with instructions and easier way to get it up and running
20:45 < gmaxwell> 'they'
20:46 < gmaxwell> it's not like there is a P2pool company.
20:47 < shesek> well, yeah, it should really be a community effort
20:47 < shesek> not really "they", more like "we"
20:47 < gmaxwell> At the moment setting up a full node is so burdensome that its sort of the long pole in the tent. Sync really needs to be fixed.
20:49 < shesek> what are your current thoughts on the best way to address this?
20:50 < gmaxwell> It's addressed by sipa's headers first sync work.
20:50 < gmaxwell> But the code is immature.
20:52 < shesek> sipa closed https://github.com/bitcoin/bitcoin/pull/2964 saying that he's working on something better, is it public yet?
20:52 < shesek> can't seem to find a newer pull request / issue
20:54 < gmaxwell> shesek: he has been pipelining the changes since it seemed to be a bit much at once. https://github.com/bitcoin/bitcoin/pull/3370
21:02 < shesek> cool, I haven't really kept up with developments on that front, looks like a good solution
21:05 < shesek> gmaxwell, what do you think about that website I suggested? I think it could be pretty cool as a go-to solution for picking a pool
21:05 < shesek> can even be provably fair by basing the "random" choice on the user's ip and user agent
--- Log closed Wed Jan 08 21:14:13 2014
--- Log opened Wed Jan 08 21:19:30 2014
--- Log closed Thu Jan 09 00:00:17 2014
--- Log opened Thu Jan 09 00:00:17 2014
01:17 < justanotheruser> Has anyone made any proposals for anonymity networks upon which things like coinjoins and coinswaps could take place?
01:22 < michagogo|cloud> I left the Jesuscoin-killing script (replaying the Bitcoin blockchain) running overnight
01:23 < michagogo|cloud> Only gotten as far as block 234853
01:25 < justanotheruser> michagogo|cloud: nice, you actually made the magic changing thing
01:26 < michagogo|cloud> justanotheruser: I actually tweaked linearize.py to do that
01:26 < justanotheruser> michagogo|cloud: does jesuscoin have a community at all?
01:26 < michagogo|cloud> But before I actually ran it, I realized that I didn't need to
01:26 < michagogo|cloud> This script also works: http://0bin.net/paste/OFWqJ7Lj0k0GO0o4#Rd6uP8VFxwv3SEO4HQAwtF+Vy5M3ZtaUrrKC9m3qI+w=
01:26 < michagogo|cloud> justanotheruser: Not really, afaik
01:27 < justanotheruser> michagogo|cloud: Is this only possible because jesuscoin has all bitcoins defaults?
01:27 < michagogo|cloud> justanotheruser: Yes
01:27 < michagogo|cloud> It's a 100% clone of Bitcoin
01:27 < michagogo|cloud> Specifically the genesis block and parameters
01:29 < wyager> Oh my god
01:29 < wyager> that is so stupid
01:29 < wyager> And hilarious
01:31 < justanotheruser> heh
01:31 < justanotheruser> I wonder why no one did this for ixcoin or i0coin
01:31 < justanotheruser> well I guess ixcoin had a premine, but i0coin it might be possible
01:58 < justanotheruser> Bitcoin currently only allows turing incomplete scripts. Please tell me why an altcoin that has a limit on both block size and cycles executed to verify a blocks transaction (allowing turing complete scripts) is a bad idea.
03:35 < nsh> justanotheruser, it's not a bad idea, experimentally. it might be a foolhardy store of value
03:36 < justanotheruser> nsh: why?
03:37 < nsh> because there's no explicit incentive analysis that guarantees behaviour converges towards the subset of actions that preserve integrity
03:38 < nsh> there could be weird effects that stop people self-interestedly cooperating to keep value stable
03:38 < nsh> (there could also not)
03:38 < Taek42> technically, if you limit the number of cycles then it's not turing complete
03:41 < justanotheruser> Taek42: the scripts were never turing complete
03:42 < justanotheruser> and there can only be a limited number of scripts per block, therefore the blocks were never turing complete
03:42 < Taek42> I know that, was just nit-picking
03:43 < justanotheruser> Taek42: oh, I misunderstood. You were referring to my original statement where I said this could be turing complete.
07:26 < TD> if your addresses become compromised and they are on business cards, etc, you're hosed
07:26 < adam3us> TD: well they either need cold wallets, or air gapped armory-style deterministic wallets
07:27 < adam3us> TD: yes. it would only make sense to publish a static address really with an offline wallet for the disaster recovery reason you gave
09:07 < phantomcircuit> TD, that's a good point
09:24 < adam3us> phantomcircuit, TD: i guess the certification model extends the other way also: if you put on your biz card the master offline business/user identity pub key address, you could have the blockchain timestamp the signed subwallet deterministic address, as an analog to certificate transparency in x509 world, and ask any full node for SPV validation of this identity's address.
09:25 < TD> i'm much more interested in ways to link keys/payreqs to social networks
09:25 < TD> as that is what people seem to use these days
09:26 < adam3us> phantomcircuit, TD: kind of complicated however. ideally you want to be able to support scenarios where the wallet is offline, but connected to the network via the merchant only, without them getting ripped off via the unspecified change
09:26 < TD> i mean even email seems to be in its death throes for a lot of people
09:26 < TD> the number of times i try to email someone and discover their entire online presence exists only on various social networks or via stupid online forms is .... irritating
09:26 < TD> twitter is not a replacement for a public, non-obfuscated email address!
09:26 < TD> but this is the trend of our times
09:26 < phantomcircuit> TD, people or companies?
09:26 < adam3us> TD: i share your frustrations :)
09:27 < TD> people
09:27 < phantomcircuit> TD, bizarre
09:27 < TD> companies still use it as much as ever, AFAICT
09:27 < TD> email is still the best for "serious" communication
09:27 < adam3us> there may be some aspect of scale - if you are going to wire a company a lot of money, you want to be sure you have the right address/account number in this analog
09:27 < phantomcircuit> TD, personally i avoid email for company <-> customer communication as much as possible
09:27 < TD> but a lot of people don't really engage in a lot of serious conversation online. it's all short messages and social networks are better for that
09:27 < phantomcircuit> it's enormously difficult to keep straight who you're dealing with
09:28 < adam3us> TD: i just engaged in some research q about hashcash for udp/ip anti-DoS with a fellow who seemed to want to do it over twitter; twitter even dropped msgs, lots of them, so i had to go search for them
09:28 < TD> ugh
09:29 < TD> yeah i can't believe anyone wants to use twitter for anything approximating work. but now i feel like i'm getting old and i'm not yet 30
09:29 < TD> some years ago the gmail team did a lot of research that scared the crap out of the entire division
09:29 < TD> it basically said that an entire generation didn't use email at all. period.
09:29 < TD> the only reason they had an email address was to register at sites
09:29 < TD> and/or because their university/school insisted on one
09:29 < adam3us> TD: I mean i recognize the guy's handle he's been on cpunks for years, and i believe he's highly competent in host security circles, but holy moly that is not a topic for twitter
09:29 < TD> it had been 100% killed by facebook
09:29 < TD> now facebook is getting killed by WhatsApp
09:30 < TD> so, trying to keep up with how people organise and communicate is a waste of time. much better to find a way to be general about this and coattail it
09:30 < TD> hence my interest in steganographically encoding short URLs where you can find a payreq into profile pictures
09:31 < TD> that's one thing all these mediums have in common (er, except email, but email has attachments)
09:31 < phantomcircuit> TD, gotta love whatsapp's security
09:31 < TD> "startup code". though i think they improved it since
09:31 < phantomcircuit> lol duplex rc4 streams with the same key
09:31 < adam3us> TD, sipa: btw re discussion yesterday about why people are confused that an address is static, i presume you may've come across living in zurich, with swiss private banks if you ask for a private payment, they send the transfer only with a transaction number, not a sending account number - its rather similar to bitcoin, but most people dont know about that or how it works
09:32 < phantomcircuit> adam3us, it would probably be easier to explain to people as a single use credit card number but for the merchant
09:32 < phantomcircuit> (maybe)
09:33 < adam3us> phantomcircuit: yes that is a good analog, just amused me that in some ways bitcoin addresses are a reinvention of swiss banking privacy technique, one use transaction numbers in place of accounts
09:34 < TD> heck i live in switzerland and have never encountered that
09:34 < TD> swiss banks are like any other bank as far as I can see. except, reasonably competent
09:34 < TD> (in terms of their user-facing stuff)
09:34 < TD> (not their investment decisions)
09:34 < BlueMatt> or their signup requirements for americans.....
09:34 < adam3us> TD: you'd have to request it, see people with swiss private bank accounts are sensitive about other people learning their account number
09:36 < TD> well that's not their fault
09:36 < TD> anyway their signup requirements are mostly very simple. "you cannot be american". doesn't get simpler than that!
09:36 < BlueMatt> heh 09:36 < phantomcircuit> TD, well you can be american, but you have to basically allow them to give you entire account history to anybody who asks for it 09:37 < phantomcircuit> also you needs lots of money 09:37 < BlueMatt> (and prove residency) 09:37 < TD> no quite a few banks just forbid US citizens period 09:37 < TD> some will do it and handle the requirements yes 09:37 < phantomcircuit> TD, those bans are always dependent on how much you want to deposit 09:37 < adam3us> btw Ian Grigg/systemics with their sox protocol ran for a time a payments server demo with one-use, or user-controlled creation of multiple account numbers. he was the guy who also operated egolds transaction server under contract somewhere in the caribbean - its ananlogous to the swiss private banking privacy model, and the bitcoin model 09:38 < adam3us> phantomcircuit: $500k min deposit i think 09:39 < phantomcircuit> adam3us, yeah i guess 09:39 < phantomcircuit> but i dont see why anybody would bother unless they actually lived in .ch 09:39 < adam3us> Ian Grigg actually wanted to use chaum/brands signing but couldnt get a license due to the chaum patent getting locked up in a patent holding company and other similar issues 09:41 < adam3us> phantomcircuit: well its private is the point (financial privacy) and .ch has some nice AAA rated banks (the US doesnt have any) also if you live in spain, cyrpus, much of europe its a great way to avoid getting an involuntary depositor haircut 09:41 < phantomcircuit> adam3us, for a us citizen there isn't really much more privacy 09:42 < phantomcircuit> so really what you're getting is a competent bank in the .eu 09:42 < adam3us> phantomcircuit: its orthogonal from taxes - you have to declare it or get taxed anyway if you have a european passport also. there is also asset protection. 
they do not seize funds without a swiss court seeing evidence and it passing their legal standard 09:43 < TD> it looks like there's going to be a referendum on FATCA actually 09:43 < TD> which worries me a great deal 09:43 < TD> that could lead to "interesting times" for sure ... 09:44 < adam3us> TD: grr facta, wipo etc. i wish the chinese would just say no, hire falkvinge as advisor, and start a counter-veiling force 09:44 < TD> i quite like switzerland. i hope it doesn't end up engaged in a bloody fight it's too small to win 09:45 < TD> it's fat-ca not facta, though the former is much harder to say 09:45 < TD> well unfortunately the nature of how fatca works mean no one country by itself can stop it. that's rather the nature of empire, see, conquered lands are forced to join the army and fight the next one 09:45 < TD> until nobody is able to stop the conquering army and you end up with rome 09:46 < TD> it takes *simultaneous* opposition 09:46 < TD> that isn't going to happen. 09:47 < phantomcircuit> adam3us, theoretically that provides some level of protection 09:48 < phantomcircuit> in practice however very few us citizens with funds in swiss banks would benefit from that in a meaningful way 09:50 < adam3us> TD: yes fatca is the equivalent of viral licensing. they are trying to take over and unify. its a very bad trend because it precludes jurisdictional competition and societal exploration of conventions pulls everyone down to the lowest denominator (whatever american politicans are paid by lobbyists to think) 09:50 < TD> i would put it more simply: it is the end of independent countries and the formal start of the american empire 09:50 < BlueMatt> hah, yep, welcome to us banking regulation (and others, ie trade sanctions...) 09:50 < BlueMatt> we own the world, screw everyone else 09:51 < adam3us> TD: agreed. 
the only hope I see is the rise of asian economic and geopolitical influence
09:51 < BlueMatt> and yet even americans have a fundamental hate for their politicians....
09:51 < BlueMatt> one would hope the eu would be large enough and willing to compete, but that clearly isnt gonna happen
09:51 < TD> yes it's quite an unstable situation, where you have a tiny number of people in washington who are despised by nearly everyone including the people they claim to represent
09:52 < adam3us> TD: and the meteoric rise of rick falkvinge & pirate party, still an outlier but growing
09:52 < TD> the only thing keeping a lid on it, is the fact that technically they were "voted" for, but i wonder how long that will continue to placate people
09:52 < TD> BlueMatt: well, compete in what sense?

15:29 < adam3us> jtimon: so long as the contracts catalog that you consider as your benchmark are implementable in a turing completeness sense, with the current script language, maybe its better to focus on a translator from pseudo-legalese to script. and add minimal script extensions to cover any gaps rather than going for eval-like generality and trying to contain the damage
15:29 < gmaxwell> jtimon: Yes. It's not about "dumb" it's about having forced choice.
15:29 < jtimon> maybe maaku and I are too optimistic but to me it seems an exaggeration
15:30 * adam3us is loath to repeat that long thread
15:30 < jtimon> "having forced choice"? I don't understand
15:30 < gmaxwell> sure you could _choose_ to refuse to do business with this or that, or refuse to accept this or that coin. You could also choose to live in a cardboard box under the freeway.
15:30 < gmaxwell> Not all choices are meaningful, even in the presence of perfect information.
15:30 < jtimon> who forces you to accept amlcoins? who forces you to turn your btc into amlcoins?
15:30 < maaku> jtimon: well, we're also thinking about this in the context of having 5% of the monetary base refreshed annually
15:31 < adam3us> adam3us: but in summary as the regulators have much control over the gateways to banking infra, a viral amlcoin enforced at exchanges would already be enough i think
15:31 < jtimon> maaku and they think it from the perspective that deflation doesn't matter, so 1% of the current btc will be ok, and 0.1%, 0.001%...
15:32 < adam3us> jtimon: anyone who only accepts amlcoins that you have a poor choice with (no service or amlcoin, amlcoin as change because of the payment integrator they are using etc)
15:33 < jtimon> the way you talk about it, is like if btc would be doomed if bitpay and gox stopped accepting bitcoin and moved to ltc...
15:33 < andytoshi> adam3us: it occurs to me re your 'redcode' scenario that this is exactly what happened in the real global financial system in 2008
15:34 < andytoshi> ie the legalese that contracts for derivatives are written in is turing complete, and extrospection capabilities are determined by a regulatory regime that did not do cogent incentive analysis
15:34 < adam3us> andytoshi: haha yes. the system was virus prone. the fintech/bankster boys dreamed up viral make-money-fast schemes that are doomed to crash with OPM
15:34 < andytoshi> which led to things like, eg the cds market hitting a 4 quadrillion cap :P
15:34 < jtimon> " amlcoin enforced at exchanges" you mean prohibiting bitcoin exchanges?
15:35 < adam3us> andytoshi: fascinating analogy. and we think we can protect that by restricting the contract language? (probably not)
15:35 < gmaxwell> jtimon: it's much harder politically to shut down bitcoin exchanges when to do so you're suppressing bitcoin. Much easier where "oh no bitcoin exchanges are fully permitted!
they just have to comply with the law
15:36 < andytoshi> adam3us: so this is very cool, there is potential here for us to describe the horrible subtlety of financial regulation, in the context of cryptosystem currencies (which i have mentioned before, lets us do a lot of spherical-human economic analysis thanks to trustlessness)
15:36 < adam3us> jtimon: much was said upthread but yes exchanges already comply with aml, if bitcoin supports viral aml, regulator will say "ok so use it or shutdown" and users will say ok i want to buy $100k btc i can spend a month on bitcoin-otc (coffee shops for cash) or put up with amlcoin etc
15:36 < jtimon> adam3us: I just don't believe all countries will prohibit bitcoin exchanges
15:36 < andytoshi> and have a very simple-to-describe but very precise "here is where the thinking went wrong" explanation of that whole situation
15:37 < jtimon> " users will say ok i want to buy $100k btc " wasn't your assumption that the users weren't able to get btc out of the exchange anymore, just amlcoins?
15:37 < adam3us> jtimon: i think if the world was as sure as you are about financial regulation and bitcoin the price would be $100k/coin already :D i think one of the main things holding bitcoin back is just that - uncertainty about regulation! its not that there havent been multiple non-basket-case jurisdictions that have behaved erratically with btc regulation
15:38 < andytoshi> adam3us: re "restricting language", maybe that is exactly what we want to do, combined with maaku's "provably nonviral" ideas
15:38 < adam3us> jtimon: right. thats what would happen to any exchange that was forced by regulation to use amlcoin covenants
15:38 < andytoshi> because we've seen in real life that pasting "don't act in bad faith" policies onto a turing complete system lets people do weird destructive things
15:39 < adam3us> andytoshi: i dunno sounds like halting problem^2 in hardness
15:39 < gmaxwell> adam3us: no, because as maaku pointed out, you can fail-safe.
15:39 < gmaxwell> If the static analysis can't prove your transaction sufficiently non-viral, its just not valid.
15:39 < andytoshi> adam3us: the result would be basically a whitelist of policies, and if people can prove that new things are safe maybe they could post a SNARK showing that or something, so the hard analysis is on them
15:39 < adam3us> andytoshi: BUT what we can do and i pushed this thought to a few offline people, is have auditable insurance coverage through the insurer, the reinsurer, the assets, the companies balance sheet, revenue, dividends etc.
15:42 < adam3us> gmaxwell: maybe. now security depends on a few more components including a theorem prover's comprehension vs virus writers
15:42 < adam3us> andytoshi: nice to have a fast to verify compact proof yes.
15:43 < andytoshi> adam3us: we could maybe put these proofs in the blockchain along with a unique identifier, then require all txes to reference the proof that they are safe
15:43 < nsh> we're on to viral transactions now? great...
15:43 < andytoshi> obviously this is a half-baked idea, as you say theorem proving is not developed enough to do such high-consequence real-world stuff
15:44 < adam3us> andytoshi: maybe. or we could amuse ourselves with what we can do with non-extrospection languages
15:44 < andytoshi> yeah, i'm really impressed and surprised with what you guys have found to be possible
15:44 < nsh> i'd like to see a fully darwinian transactosphere...
15:45 < adam3us> nsh: suggest looking at ethereum.
will be interesting to spectate :)
15:45 * nsh nods
15:47 < nsh> had a very unbaked and thoroughly handwavey idea about a DSA-authorized capabilities-based distributed computational system over a blockchain with costed access to scripts and (computational) inputs somehow marked to market by utility or complexity
15:48 < nsh> not sure exactly what all those words mean though so it'll probably remain pretty deep in my imagination :)
15:49 * adam3us wonders if its considered part of redcode game to write ethereum stealing viruses?
15:49 < andytoshi> that's interesting, if you can infect a majority of hashpower you can "hack the matrix" so to speak :P
15:50 < nsh> (it's always part of the metagame to cheat in ways that haven't been considered and thus explicitly prohibited)
15:50 < andytoshi> i guess i mean, if you can infect almost all the validating nodes
15:51 < gmaxwell> I think I mentioned before, some of these altcoins basically appear to have no nodes... even 'widely' used ones: people just mine directly to exchange accounts.
15:51 < gmaxwell> so you've got a couple of pools, a couple of exchanges, an odd geek or two, and thats it.
15:52 < adam3us> nsh, andytoshi: i was thinking there could be two levels of viral ethereum programs. a) within the interpreted execution space, eg viral covenants etc; b) escape the interpreter via sandbox escape. i wonder though, they probably wouldnt find it funny even if you did
15:52 < gmaxwell> and these are things where there is no huge cost to running a node... the chains are small because there are few txn.
15:53 < adam3us> gmaxwell: ha not only no tx, no wallet, but not even any full nodes.
15:53 < nsh> hmmm
15:54 < gmaxwell> well there are some levels of transactions, but no real reason for someone to run a node. So thats the kind of outcome I'd expect for ethereum, particularly because running a node would be expensive.
15:54 < adam3us> gmaxwell: i was thinking beyond coingen.io why not virtualize the whole thing.
pay for virtual VPS, virtual ASIC hardware,... maybe you can make that provably fair like central but fair dice; i mean what's the difference its only a tulip/pyramid coin anyway. people can speculate on synthetic nothing without wasting electricity then
15:55 < gmaxwell> adam3us: you could call it "mastercoin"
15:55 < adam3us> gmaxwell: minioncoin. maybe someone should fork mastercoin and put it on top of dogecoin
15:56 < gmaxwell> Every dog has his master.
15:56 < gmaxwell> Many leashes. Such dogwalk.
15:56 < gmaxwell> the "exodus" needs to be DogCarRide
15:57 < adam3us> gmaxwell: please can 2014 be the year of the death of tulip coins?
16:00 < kinlo> heh, to see gmaxwell talk dogetalk made me laugh :)
16:03 < michagogo|cloud> andytoshi: Erm, you've given me an error I've never seen before
16:03 < michagogo|cloud> http://imgur.com/ZTcyCyR,kwBmvFO
16:04 < michagogo|cloud> andytoshi: Is the file I got broken?
16:04 < michagogo|cloud> 3836c0fef1bffbb4ed7c35564dbb23ad51295a74df7bc53b234b13e198bf4264 */cygdrive/c/Users/Micha/Downloads/cj-windows.zip
16:04 < gmaxwell> kinlo: that meme was a favorite in my household two months ago. dogecoin is kinda overplaying it at this point.
16:04 < michagogo|cloud> (sha256)
16:04 < maaku> "maybe. now security depends on a few more components including a theorem prover's comprehension vs virus writers" <-- there's no way you'd want the theorem prover to be part of consensus
16:04 < maaku> i was suggesting it as part of the IsStandard check and wallet code

11:52 < TD> i am rather skeptical about widespread coinjoining. small scale joining gives you a small modicum of deniability .... how much privacy it gives you is rather an open question at this point
12:00 < petertodd> Emcy: in the short term my main thinking is to use coinjoin with two-party-mixes as a way to thoroughly break the idea that transactions are authored by a single person. There's a lot of work to do beyond that, but breaking that assumption is a very important first step.
12:01 < petertodd> Emcy: e.g. naive two-party-mixes leak information with regard to the values on the txins and txouts, but subsequent efforts can help plug that leak by, for instance, using value-matching techniques where one party to the transaction deliberately matches the values of the other party's txouts
12:03 < petertodd> Emcy: this also ties into merge avoidance: if txins are not always merged into a single txout to make a payment you have a lot more flexibility in making coinjoins that don't give external observers useful information. equally that people are doing merge-avoidance with coinjoin means that even when you don't use that feature, transactions have solid plausible deniability
12:08 < petertodd> Emcy: example: I want to pay you, and you've told me you'll accept up to two txouts for that payment. I do a two-party CJ mix with someone who needs a specific output value, and I use one of those txouts to match their value, the other to send you the balance of the payment, and I have a third txout with my change.
12:19 < petertodd> Hmm... and come to think of it, rather than calling it "merge avoidance", the idea is better described as "merge flexibility" - the receiver of funds is saying "here's how many txouts I'm willing to accept, use that to better optimize how you merge the txouts you are using to pay me to balance privacy and cost per transaction". Using CoinJoin in conjunction with merge flexibility is a win because it lets you get away with fewer txouts - more ...
12:19 < petertodd> ... merging - at the same privacy level. In short, it's cheaper for a given level of privacy.
12:22 < Emcy> petertodd i fear it will take much more. Youre assuming rationality about how the system works.
12:23 < petertodd> Emcy: explain?
12:23 < Emcy> consider how bad IP addresses are for identifying individuals vis a vis the war on bittorrent
12:23 < Emcy> they do it anyway, no one seems to care much that they get it wrong all the time
12:24 < petertodd> Emcy: oh sure, don't get me wrong, I'm not saying this is easy. The fact that "merge avoidance" seems to have been proposed as a way to let blacklists still function shows how hard this will be.
12:24 < petertodd> Emcy: But we can only respond by making better privacy as cheap and easy as possible and trying to get as many people using it as possible.
12:24 < Emcy> it seems like you have to stop the idea that some sort of convenient data can ID a person and what they do before people get it into their heads, never mind that it might be completely wrong anyway
12:24 < petertodd> Emcy: even blockchain.info's centralized coinjoin implementation is a huge win in that regard
12:25 < Emcy> thats why coinvalidation makes me worry even as it is now
12:25 < petertodd> same, but again, sitting around and complaining won't fix things.
12:27 < Emcy> do you really think mikes merge avoidance thing was really proposed specifically to let blacklists get a foot in the door?
12:27 < Emcy> I thought it was more CJ + merge thing complementing each others weaknesses
12:28 < petertodd> Emcy: yes. from the article on medium: "Merge avoidance doesn't interfere with coin tracing."
12:28 < petertodd> Emcy: the original proposal was merge avoidance as a complete replacement for coinjoin; fortunately it complements coinjoin very nicely
12:29 < petertodd> Emcy: notably everything that makes merge avoidance possible to use without coinjoin can be re-used to use it with coinjoin.
12:29 < Emcy> can you link? I thought i read it.
maybe that went right over my head
12:29 < petertodd> Emcy: https://medium.com/p/7f95a386692f
12:29 < petertodd> Emcy: it's at the bottom of the article
12:30 < petertodd> Emcy: the article is very misleading about coinjoin as well, giving lots of reasons not to use it
12:31 < Emcy> i really want to believe hes playing devils advocate like it was a 10 pence a go street fighter arcade cabinet in 1989
12:32 < petertodd> Emcy: FWIW merge avoidance isn't new either - the first time I heard of the concept was from adam back pointing out how pervasive merge avoidance gives privacy properties very similar to zerocoin. (if coins are always fixed in size)
12:33 < petertodd> Emcy: lol!
12:36 < Emcy> it just seems like there are quite a few people confusing pragmatism with submitting fully to the usual strictures requested on disruptive new techs without a fight
12:38 < Emcy> if you cant imagine something better than the way things basically already are with a new coat of paint then why the fuck are you here frankly.....
12:39 * nsh subscribes to Emcy's newsletter
12:39 < petertodd> lol
12:39 < Emcy> yeah i completely missed that last paragraph of that article somehow
12:40 < petertodd> Emcy: heh, the interesting thing is how that paragraph was in there in the first place - nicely transparent
12:40 < petertodd> Emcy: anyway, we're lucky that good solutions appear to exist; hopefully as they are implemented we don't find show-stopping problems
12:42 < Emcy> hopefully hes wrong about mergepurge being in lieu of coinjoin, and people realise they work better together...........but he might be right
12:43 < petertodd> the laws around this stuff are certainly still in flux
12:43 < Emcy> i have a heavy suspicion there are LOTS of people in bitcoin who would betray it utterly to The Man if it means the price keeps going up, which it pretty much will as long as its not banned or something
12:43 < petertodd> agreed
12:44 < Emcy> right, and if that happens then the uncomfortable conclusion is that every other shitty and irrational thing in the world is the way it is because it has to be, because we suck.
12:45 < Emcy> perhaps thats my projecting though
12:45 < TD> Emcy: it works for bittorrent because basically all IPs that participate in a particular torrent are all doing the same thing (i.e. violating copyright). you can't generalise from that to bitcoin.
12:46 < andytoshi> Emcy: a lot of people here are dimly aware that "bitcoin is decentralized" but simply cannot imagine anything else .. only recently have people started talking about this stuff like it's something normal people should be doing
12:46 < TD> i don't think my article is misleading about coinjoin. it balances other things that were written about it by pointing out some obvious problems.
12:46 < andytoshi> so we'll see an improvement as awareness increases
12:46 < TD> which were not being adequately covered elsewhere
12:47 < petertodd> TD: cj will soon be implemented without centralized servers, so you can correct that, you can also correct the long waits as the plan is to combine users who want txs to go through now with ones who are willing to wait
12:47 < TD> if/when those things happen i would amend the article. however it's not misleading to describe the world as it is now.
12:47 < andytoshi> TD's article also talked about how cj is not a panacea .. i agree, this was not really mentioned elsewhere
12:48 < petertodd> TD: coinjoin isn't implemented now, so talking about a theoretical bad implementation isn't honest
12:48 < TD> somehow you don't believe what genjix or blockchain did is coinjoin?
12:48 < petertodd> TD: note how bc.i's implementation uses techniques to negate most of those concerns
12:49 < petertodd> TD: genjix is a quick prototype. anyway, it's dishonest to talk about what merge avoidance might be unless you are willing to compare it to what coinjoin just as plausibly might be
12:50 < TD> i don't think there was any dishonesty in my article at all, it correctly reflected the issues that exist with implementing both approaches. but i'm tired of arguing about this. you will continue to paint me as dishonest and somehow part of a conspiracy regardless of what i write, because that's what you do.
12:50 < petertodd> TD: if you don't want to be painted as dishonest, then don't write stuff that leads to that conclusion
12:51 < TD> see? i haven't. it's just you.
12:51 < petertodd> TD: this conversation isn't going to be very productive for either of us
12:51 < maaku> TD: genjix and blockchain.info (and andytoshi's) are not the protocol described in gmaxwell's original posting
12:51 < TD> correct
12:52 < petertodd> maaku: yup. more to the point, coinjoin is a whole family of techniques, with different tradeoffs.
I'm pushing two-party-mixes because I believe that the tradeoffs are useful, but other approaches (like yours!) have tradeoffs that make more sense in different circumstances.
12:54 < petertodd> TD: anyway, please do work on merge avoidance - as I say above it'll really help make coinjoin more useful
12:55 < TD> lots of other things to do first. like actually get the payment protocol launched and used.
12:58 < petertodd> TD: seems to me that a good first step would be to define an output range in the Output message in the payment protocol: "optional <something> amount_range = 3;"
12:59 < TD> well, you can do some merge avoidance with the v1 protocol as specified
12:59 < Emcy> TD no the point is that you cant link an IP to a person to any sort of acceptable evidentiary standard, for the act of infringement. But it happens anyway.
12:59 < TD> which is no surprise because i designed it that way from the start
12:59 < petertodd> TD: sum of all outputs must == sum of all amounts
12:59 < TD> Emcy: of course you can. Find a torrent that is for a movie. Find all participants in that Torrent. They're all distributing the movie. Open/closed case, right?

10:30 < adam3us> gmaxwell: its the missing part of my hypothesis that a 1-way peg is already close to plausible for mkt maker to fill the gap, if there is eg some long term chain migration plan. in this way no migration is necessary.
10:32 < adam3us> gmaxwell: pay per cycle. yes seems plausible, but may create lumpy work load for nodes. maybe processing within a given time-frame becomes critical to the semantics of the tx even. the point of TC would be to use it as a meta-programming language to define new coins and rules. eg in this kind of system something like p2sh change is just a script with no system code changes. a script can define a new concept
10:33 < gmaxwell> yea, I'm still not arguing letting validation become expensive is a good idea. :P Just filling out the idea.
10:34 < adam3us> gmaxwell: but u have to wonder about the safety of that. btc script is intentionally constrained and even then people were value scared enuf to disable most of it. general scripts are even disabled right (only certain pre-cooked ones allowed)? this on the other hand may allow a clever set of scripts to attack each other, and
10:35 < gmaxwell> Implementers currently get script execution all wrong and it's already quite simple.
10:35 < adam3us> gmaxwell: so someone creates a btc/usd call option, and someone else creates another script to do something else or a competing call option and it steals all the money from the other call options. its like redcode
10:36 < petertodd> adam3us: I don't think we're ready to have scripts run on their own - creates consensus issues about when a script is supposed to run!
10:38 < adam3us> gmaxwell: even if the interpreter is correct (single implementation = spec satoshi style) i am not sure about the redcode game issue
10:38 < petertodd> redcode game?
10:39 < adam3us> petertodd: never played it but http://en.wikipedia.org/wiki/Core_War
10:39 < petertodd> adam3us: ah! yeah that's a classic
10:39 < adam3us> petertodd: users battle for control of the cpu with hostile code
10:40 < petertodd> Interesting thought: transactions and the blockchain are a way of stringing multiple bits of code together in a DAG.
10:41 < gmaxwell> adam3us: certainly that kind of ecosystem would create greater incentives for reorgs.
10:42 < andytoshi> petertodd: i have thought about making a blockchain-based haskell-like language
10:42 < andytoshi> sadly, i could see no point to it
10:43 < petertodd> andytoshi: I had the similar idea of doing a HSM with merklized forth actually - pretty much the exact opposite direction in terms of implementation complexity
10:45 < andytoshi> hsm == Hierarchical storage management ?
10:45 < gmaxwell> hardware security module
10:46 < andytoshi> gmaxwell: ah, that's what i thought, but i didn't see the connection to merklized forth
10:46 < adam3us1> gmaxwell: but even if (hypothetically) the incentives worked, and the interpreter escape issue was magically solved, and program counter issues avoided... i am still wondering if its fundamentally unprovably dangerous
10:46 < petertodd> andytoshi: it's more because forth is incredibly simple, so it's more likely you'd actually get the implementation right
10:47 < adam3us1> gmaxwell: see i mean it defines a language for writing bitcoin functions, new script functions, new semantics for value transfer or whatever, its fully general; but in such an environment would u not be in a core-war / redcode scenario is my point
10:47 < petertodd> andytoshi: yet forth still can do lisp-like tricks by doing data as code
10:48 < andytoshi> petertodd: oh, i see
10:48 < andytoshi> i should've looked up forth instead of hsm :P all i know is 'stack-based language'
10:48 < gmaxwell> adam3us1: I'm not sure if it would be core-war or not. If resource constraints work they'd be fighting the resource constraints not each other. Certainly lots of people would lose money by writing dumb code that can be tricked. "LOL I integer overflowed your transaction and took all your monies!"
10:49 < adam3us1> gmaxwell: its almost but not quite, like you linked a remote execution of java byte code for fees and feature extension into the bitcoinj - in theory flexible - in practice dangerously generic
10:49 < gmaxwell> and yes, I think it would be very very hard to make safe in a single implementation, and exceptionally hard to safely reimplement.
10:50 < adam3us1> gmaxwell: i mean that one could just take your private key and be done.
but yes exactly, the question is beyond that: can even competently written script extensions written at a generic jvm bytecode kind of level be systematically safe from any other byte code string that could be later run in the competing ecosystem
10:50 < gmaxwell> This is why I prefer the path of using SNARKs of some kind for more complex scripts.
10:50 < andytoshi> it seems that any instance of 'breaking out of the sandbox' would be a forking scenario, since it'd probably depend on the memory layout of the targets
10:51 < gmaxwell> adam3us1: I mean, right now eligius isn't using a multisignature address for the emergency pool address because they don't know how to go forward on making sure their preferred script formulation is safe.
10:51 < adam3us1> gmaxwell: well snarks just mean that u dont run the code, you run the verifier on the proof the code was run; its still vulnerable if it is as self-extensible as TC arbitrary vm bytecode level code
10:52 < petertodd> gmaxwell: you mean they don't have the tools to just go make a scriptSig to try spending it?
10:52 < gmaxwell> andytoshi: maybe, overwriting the behavior of one other opcode might be possible just with a constant offset.
10:53 < gmaxwell> petertodd: they want to have a {a and b} or {{a or b} and 2 of 3{c,d,e}} sort of script. They came up with one, but were not completely confident that their coding was flawless (or if unexpected behavior in op_if would let funds get stolen)
10:54 < gmaxwell> adam3us1: at least there is no "code escape" bug in the snark case. Or consensus-critical-implementation-consistency bugs.
10:54 < andytoshi> adam3us1: are you talking about finding bugs in the snark circuit (which is committed to in the preprocessing stage) itself?
10:54 < petertodd> gmaxwell: ah, did they do the "op_if" as "select block of code" style?
10:54 < gmaxwell> only the risk that you write a bad script.
10:54 < adam3us1> gmaxwell: i am thinking it may have even some mathematical provability limits.
if u consider the near infinite (finite because of program counter limit per time-slice) set of computable functions how can you generically prove that there exists no other function that can damage the intended properties of the former extension function when used by anyone.
10:55 < adam3us1> gmaxwell: correct on the code escape and interpretation fork
10:55 < gmaxwell> petertodd: they did two checksigs and accumulator to count how many worked, and if its not two, they drop into an op_if block that checks the accumulator for one, and runs a check multisig.
10:55 < adam3us1> andytoshi: no i am just saying if each and every user can go wild and create bitcoin script language extensions dynamically how do u know the resulting ecosystem will be safe after each dynamic new feature is added. it is maybe mathematically undecidable
10:56 < gmaxwell> adam3us1: sure, or "You can steal my coins if you can find the discrete log of 0xdeadbeef"
10:56 < andytoshi> adam3us1: oh, gotcha, still on the redcode scenario
10:57 < petertodd> gmaxwell: right, see I would do that as op_if 2 a b checkmultisig else if a checksigverify else b checksigverify endif 2 c d e 3 checkmultisig endif
10:57 < adam3us1> gmaxwell: but these TC extensions are stateful. so if there is any rational logic to disabling simple things like XOR script, this is like letting anyone define new opcodes and higher level functions running arbitrary byte code. how is that safe in comparison
10:58 < petertodd> gmaxwell: spend with sig_a sig_b 1, or with: sig_c sig_d (sig_a or sig_b) 1/0 0
10:58 < petertodd> gmaxwell: no accumulator needed
10:58 < gmaxwell> petertodd: well that form repeats the pubkeys a fair bit.
10:59 < petertodd> gmaxwell: yes, but it's very simple to understand
10:59 < gmaxwell> adam3us1: yea, I can't justify stateful things.
10:59 < gmaxwell> petertodd: but ... we want to both have and eat the cake.
11:00 < petertodd> gmaxwell: lets see if we can successfully eat a muffin without losing tens of thousands of dollars
11:00 < gmaxwell> petertodd: in any case, it's an issue that the ability to safely use fancier scripts is that they're moderately risky.
11:01 < gmaxwell> but (1) my comment was also an existence proof that people are actually smart enough to realize this (2) it's sort of their own problem if they don't.
11:01 < petertodd> gmaxwell: well that's just inherent to doing complex things
11:01 < andytoshi> i thought the rationale for having disabled opcodes is that they could screw with the people running the code (i.e. everyone) to cause either DoS attacks of some form, or worse, forks
11:01 < gmaxwell> (It wasn't me who pointed out that script was risky either, I think)
11:01 < andytoshi> but in case of snarks, everybody is just verifying that a specific (TC-complete) circuit was run
11:02 < gmaxwell> andytoshi: we disabled the op_codes because lshift was exploitable to crash nodes.
11:02 < petertodd> andytoshi: the rationale was "oh shit! lets be super cautious now"
11:02 < gmaxwell> It turns out that some of the other disabled ones had other bugs too.
11:02 < petertodd> andytoshi: lshift could have been fixed, but just disabling was easy
11:02 < petertodd> andytoshi: back then I don't think people fully understood how hard re-enabling them would be
11:03 < adam3us1> gmaxwell: what next. google nacl (sandbox execution of x86 binaries). activex for bitcoin :)
11:03 < andytoshi> well, i'd hope that we don't have OP_OPENNETWORKPORT ;)

22:32 < gmaxwell> e.g. who cares if you use dollars as your daily spending money. Gold exists and is 'deflationary' (maybe, ignoring your collapse argument)... so if the argument is true why isn't the economy collapsing due to people rapidly converting every free dollar they have to gold?
22:33 < andytoshi> the claim is that once people have their gold, they stop converting anything to anything..
22:33 < andytoshi> which is arguably even sillier
22:36 < gmaxwell> I think a lot of this ultimately stems from the fact that there are inherent unfairnesses and inefficiencies in the whole concept of durable money.
22:36 < gmaxwell> But the notion that money itself is a purely artificial construct and perhaps not perfect in every way, is so far outside of peoples thinking that they get stuck in weird dissonance.
22:38 < gmaxwell> At least in the US our society has placed money in a position of existing as a kind of independent good decoupled from the productivity and happiness of people that we just don't really have the right perspective needed to critically question the behavior and role of money in our society.
22:39 < gmaxwell> In perhaps the same way that societies with slavery seemed to have a generally difficult time reasoning about the practical and ethical implications of it.
22:40 < andytoshi> what is interesting is that if you look at most any society throughout history, they always come up with some sort of currency, and these currencies are so similar that we recognize them today as money
22:40 < andytoshi> perhaps the same is true of slavery
22:41 < andytoshi> it is more than ordinary can't-think-outside-the-box dissonance because this really does seem baked into human thinking
22:42 < andytoshi> the problem of finding a consistent measure of value is universal, and money solves this extremely well ..
22:42 < andytoshi> and then it is represented by some physical good or token, so it naturally assumes a reality of its on
22:42 < andytoshi> own*
22:43 < andytoshi> bitcoin is fascinating because it is not physical and acts in highly non-physical ways, but it still solves the problem that money does
22:44 < gmaxwell> Yea, I don't mean to suggest that we shouldn't have money. Money enables a lot of awesome stuff, but it has a bunch of odd behavior too.
22:45 < gmaxwell> E.g.
with durable money you can do things like do one really useful thing, and then never do anything useful again and have society provide for you... in a way which is highly non-linear, e.g. doing N x 1/N useful things is in no way assured to do anywhere near as well for you esp if the GDP is growing. 22:46 < gmaxwell> simply because you can get a bunch of money, and then loan it out to get exponentially more. 22:47 < andytoshi> otoh, when you invest it or lend it out, even though society is supporting you, the wealth they are throwing at you does not act like your wealth 22:48 < andytoshi> so even though you are (unfairly) becoming very wealthy, there is a larger efficiency gain for society 22:48 < andytoshi> in principle, anyway 22:48 < gmaxwell> which is an effect which is _entirely_ decoupled from the whole idea of wanting to be able to do "barter at arms length"... maybe a good effect or a bad effect, but it seems like an inherent effect in money as our societies have envisioned it. 22:48 < andytoshi> this is true, these things are very hard to decouple mentally 22:49 < andytoshi> that, i think, is ordinary human dissonance 22:50 < gmaxwell> yea, I'm not good at it myself, and personally ... perhaps I'm not a great person to question this system because I've benefited from it tremendously, at least if I measure my wellbeing relative to most of the world. 22:51 < andytoshi> mm, myself as well 22:52 < andytoshi> and tbh i think very little about the function of money, despite thinking about bitcoin a lot ... 
my economic curiosity mostly lies in what happens when machines are able to exchange value 22:52 < andytoshi> suppose we actually had a market with rational actors -- and these actors never needed to sleep or relax 22:53 < andytoshi> the -wizards discussions are fascinating, because maybe they could even be 100% evilly selfish, and even so they could trust each other 22:53 < gmaxwell> yea, well, most of my thinking only really extends to the realization that it's actually more complicated then we take for granted. 22:55 < andytoshi> i think humans avoid a ton of the complexity by relying on biological impulses to trust each other 22:55 < andytoshi> and on the police :) 22:55 < gmaxwell> andytoshi: well, yea, but also somewhat scarry too if you go too wizards-wank about it. Imagine now that you have uploaded minds in computers... then everything you're thinking about also applies to "people" too, at least in theory. Which sounds neat, but then you wonder about the social implications of things like ZK-SNARKS meaning that it could actually be physically impossible to tell a convincing lie, no matter how good the ... 22:55 < gmaxwell> ... justification. 22:57 < andytoshi> wow, i have not considered that ... i need to write some scifi about this, try to explore the social implications 22:58 < andytoshi> (not good scifi, or even anything i'd publish .. just something to organize my own thoughts) 23:00 * andytoshi grabs another beer 23:02 < gmaxwell> the nearest I've seen to touching any of these matters is in the latter half of "Rapture of the Nerds" (Doctorow, Stross both of whom I think are crappy writers, but I enjoy their books) there is a part where the people enter into a bar which is I/O isolated from the rest of the universe, the reason for this is because the bar implements a contracts system where violating the rules is impossible (if you violate the rules the bar ... 23:02 < gmaxwell> ... 
rewinds state to undo the violation) 23:03 < gmaxwell> most of this stuff hasn't been touched in scifi because the authors just really have no clue it's possible. PCP theorm is still pretty recent and the implications really haven't percolated all that far. 23:05 < andytoshi> i just encountered its philosophy today in 'quantum computing since democritus', i don't have a clear idea of it yet --- Log closed Mon Dec 30 00:00:39 2013 --- Log opened Mon Dec 30 00:00:39 2013 00:59 * andytoshi-logbot is logging 00:59 < andytoshi> <.< 01:04 < pigeons> there is a book called The Anarchistic Colossus by A E van Vogt where immediate punishment from "Kirlian computers" enables an anarchistic society, perhaps "weak" and ripe for alien invasion... 01:28 < gmaxwell> heh xkcd "Extremely Strong Goldbach conjecture" 01:31 < BlueMatt> gmaxwell: lol 01:45 * midnightmagic CHEERS for comment about Stross + Doctorow being crappy writers!! 01:45 < midnightmagic> i couldn't even fnish the atrocity archives. 01:49 < gmaxwell> they really are, also rudy rucker is a crappy writer too.. but again some neat ideas. 01:51 < midnightmagic> Snow Crash couldn't been a short story. He has these brilliant oases of ideas and diction in the middle of whole empty deserts of shitty prose 01:52 < midnightmagic> *could've 01:56 < midnightmagic> .. which pretty much defines most modern scifi these days. Oh Stephenson, how your cryptonomicon disappointed. 01:57 < gmaxwell> I'm mostly fine with Neal Stephenson's writing. He's long winded, and well, perhaps I'm not the person you should look to for criticism of that. 01:57 < gmaxwell> it does annoy me that I can't ever recommend his books to most people because they're simply too long. 01:57 < gmaxwell> If you can't read a long (say 80kword) novel in a single sitting then you basically can't enjoy his books. 02:08 < midnightmagic> I read Tommyknockers in basicaly one sitting. 02:19 < midnightmagic> I gots staying power. Blindsight in one sitting. 
50+ chapters of HPMoR in one sitting. Greg Bear's blood music in one. Herbert's Hellstrom's Hive and Dune, Chalker's old Wellworld novels, Four Lords of the Diamond, Stross' Friday ripoff (Saturn's Children I think? I'm trying to forget,) and entire collections of Lovecraft even though it was written at the turn of the century and is clunky. 02:21 < andytoshi> nice -- i've had neuromancer and cryptonomicon sitting on my HD for several years now 02:21 < midnightmagic> Neuromancer was an easy couple hours. Heck I can read comp sci textbooks in one go (makes studying them later easier) 02:22 < andytoshi> i can read textbooks for hours on end, with fun books i always feel like i ought to be doing something useful if i'm gonna stare at text for several hours 02:22 < andytoshi> ...and yet, i have no problem with IRC... 02:22 < midnightmagic> But Snow Crash. Damn. Half that stuff didn't even belong in there. Or Gaiman's American Gods. What the hell man. Thunderbird's super-powerful but the christian deities don't make an appearance? 
02:22 < midnightmagic> bah
02:24 < midnightmagic> Nooooo they're making a series out of it
02:33 < nsh> American Gods was pretty consistently good reading for me
03:35 < maaku> andytoshi, money has not taken consistent form over time
03:35 < maaku> that is to say what we call 'money' has been changing in nature time after time throughout human history
03:35 < maaku> with measurable effects
03:38 < gmaxwell> (there was a reason that I qualified my statements with 'durable money', though perhaps that's not the best definition for the effects I was talking about)
03:39 < maaku> yeah you know my bias on that, but even so it's not like historical money can be put in just two categories
03:40 < maaku> it's weird and bizarre how many fundamentally different systems we used for the same function, and retroactively we tend to think what we use now has always been the case
03:43 < gmaxwell> not just always been the case, but is the only kind that can exist.
03:43 < maaku> yeah
03:43 < gmaxwell> which is also somewhat amusing because we currently do use other kinds of money too, we just don't recognize it as such.
18:17 < TD> probably. TPM runs on the LPC bus, traditionally.
18:18 < TD> though you may already have a TPM without knowing?
18:18 < Luke-Jr> I guess I should look at the header..
18:18 < TD> did you actually check?
18:18 < Luke-Jr> yes
18:18 < Luke-Jr> it was on my "list of things I lose in this upgrade"
18:18 < TD> i mean, there might be one integrated into some other chip
18:18 < TD> did you check if the kernel can see one?
18:18 < Luke-Jr> ASRock Z87 Extreme4
18:19 < Luke-Jr> not sure what I'd be looking for there
18:22 < TD> i think on some systems there is a /proc/tpm
18:22 < TD> but i dunno if that's always true
18:22 < TD> it might require a modprobe tpm first
18:22 < TD> not that it really matters if you have a hard disk
18:23 < TD> it's only an issue for people with log-structured file systems or SSDs
18:25 < maaku> TD: so long as it remains computable on consumer hardware, no such thing as overkill
18:25 < Luke-Jr> maaku: but you'll slow down my compiles!
18:25 < Luke-Jr> <.<
18:26 < Luke-Jr> TCSD TDDL ERROR: Could not find a device to open!
18:26 < Luke-Jr> guess I have none
18:29 < Luke-Jr> Newegg has no TPM stuff it seems
18:34 < gmaxwell> ebay.
18:39 < Emcy> pond reads similar to bitmessage
18:42 < maaku> Emcy: similar, but better imho
18:43 < Emcy> that means it's less likely to catch on
18:44 < maaku> Emcy: ? I don't think bitmessage has any significant mindshare to speak of
18:44 < TD> it's not very similar
18:44 < maaku> if anything Pond is probably more well known (outside of bitcoin community)
18:45 < Emcy> just a joke. the good stuff gets passed up for the first thing that sort of works all the time
18:46 < Emcy> http://www.wired.com/opinion/2013/11/this-is-how-the-internet-backbone-has-been-turned-into-a-weapon decent overview
18:46 < Emcy> "weaponised" is a fair way to put it
19:09 < adam3us> jgarzik said on the zc thread "would rather see automatic mixing and privacy built into every client." you know actually that would be quite a reasonable fungibility fix in the face of coin validation fungibility risks - if it's generally default and non-opt-in feature. then the default reaction of biz will be to reject coin validation or they lose sales
19:11 < Emcy> if it's not ubiquitous then using such measures automatically makes you the target you never wanted to be
19:11 < Emcy> so better that it is
19:17 < warren> I might have set a trap in the Litecoin code months ago that breaks in an obscure way if used with feathercoin's parameters...
19:18 < warren> but they are having trouble getting the ordinary functionality to work
19:18 < Emcy> heh
19:18 < Emcy> what does feathercoin do anyway
19:19 < warren> Emcy: copy > rename > add new logo > pump with lots of videos
19:19 < Emcy> also why don't you play with scrypt until gpu mining is actually infeasible, as claimed at the beginning
19:20 < sipa> i don't think many litecoin users still value that idea
19:20 < warren> or rather, it isn't broken with feathercoin's parameters, just becomes exploitable
19:20 < warren> I might have done this.
19:22 < Emcy> that was litecoin's whole conceit though
19:22 < Emcy> to run on all those shitty semprons in bitcoin mining rigs
19:22 < warren> Emcy: Litecoin - sponsored by AMD
19:23 < Emcy> a-are you joking
19:24 < warren> maybe
19:24 < sipa> after AMD bought ATI, suddenly litecoin became viable on GPUs
19:24 < sipa> it all makes sense!
19:26 < Emcy> shiiiiiiiiiit
19:26 < Emcy> wonder how it goes on those APUs
19:26 < warren> not too well. relies on memory bandwidth
19:27 < Emcy> so with ddr3 2500 or whatever then
19:27 < warren> might be decent on a PS4, if it were hackable
19:27 < Emcy> that's still well below gddr i suppose
19:32 < Emcy> i wonder what hardware security the new consoles will have
19:32 < Emcy> might make decent miner as you say if someone can break it
19:33 < Emcy> or a nice little PC
19:36 < warren> I was joking earlier, and a lot of this isn't wizards material.
21:52 < Luke-Jr> [00:24:48] <sipa> after AMD bought ATI, suddenly litecoin became viable on GPUs <-- hahahahaa
23:41 < warren> https://bitcointalk.org/index.php?topic=337294
23:41 < warren> anything to edit/add?
--- Log closed Mon Nov 18 00:00:00 2013
--- Log opened Mon Nov 18 00:00:00 2013
--- Day changed Mon Nov 18 2013
00:54 < Luke-Jr> warren: it's not clear that doing just the first item gets some reward
00:55 < Luke-Jr> nor that 2 and/or 3 might be done without 1, in case 1 is impossible
00:55 < Luke-Jr> 3 should probably be split up between writing a fix, and getting it merged
00:55 < Luke-Jr> ie, someone who writes a fix but doesn't have the patience for getting stuff merged should still get something
00:55 < warren> Luke-Jr: devs have power to decide apportionment, so whatever.
00:56 < Luke-Jr> warren: yes, but people might see the list and give up because they don't know how to code
00:56 < Luke-Jr> it should be clear that non-developers can contribute toward 1 for part of the bounty
18:11 < petertodd> so... headers first
18:12 < sipa> i was discussing this with petertodd
18:12 < sipa> and this question came up
18:12 < sipa> what if you know about multiple header chains whose tips are better than what you currently have
18:13 < sipa> perhaps there's this situation: A-B-c, A-B-d-e
18:13 < sipa> eh wait
18:13 < petertodd> no, that's correct
18:13 < sipa> A-B-c and A-d-e-f
18:13 < sipa> and you have A and B, but not c d e f
18:14 < sipa> do you only try to fetch blocks for d e f, or do you also try to fetch c?
18:14 < petertodd> and the same problem *is* present on A-B-c, A-B-d-e
18:15 < sipa> agree, but the case with a reorganization is more revealing probably
18:15 < petertodd> so my scenario was, suppose we have an attacker who is mining blocks, but decided to withhold the actual contents. with headers first you'll find out about the headers, and hence the chain, but I argue you have to try to download all tree tips simultaneously, so that you can advance your fully verified tree so the majority of hashing power can move forward
18:16 < sipa> if the case becomes A-B-c vs A-d-e-f-g-h-i-j-k-l-m
18:16 < sipa> then it's probably easier to see that you should fetch c too, just to keep up with a potentially best chain, while you're fetching the potentially even better one
18:17 < petertodd> right, because d could be invalid, as an example
18:17 < sipa> indeed
18:17 < sipa> though you did already verify PoW, so that is very unlikely
18:17 < petertodd> well... :)
18:18 < petertodd> could be all sorts of crazy economic incentives, for instance if you figure out how to get the other hashing power trying to extend different tips
18:18 < sipa> we shouldn't assume it's valid of course
18:18 < petertodd> main thing is we want an algorithm that's going to get everyone to come to consensus about what fully validated chain tip to continue mining on, regardless of what craziness is going on with the headers
18:19 < sipa> yup
18:19 < petertodd> like, suppose we had a bug where a block somehow made the networking code crash, leaving a connection in a state of limbo
18:19 < petertodd> plausible with threads for instance
18:20 < petertodd> oh, shit, this makes the blockwithholding strategy even worse you know:
18:21 < petertodd> suppose we have A-B-C-d-e-f-g-h-i, and we have fully verified up to i and are trying to make j
18:21 < petertodd> now, if there's ever any slowdown in block distribution, we could wind up with hashing power split on A-B-C, A-B-C-D, A-B-C-D-E etc.
18:23 < sipa> well the best rational strategy is probably to mine empty blocks on top of the best header chain you know
18:24 < petertodd> yes unfortunately, modulo fees
18:24 < sipa> and never build on blocks when you know there's better header chains
18:24 < sipa> modulo fees indeed
18:24 < petertodd> but that means if someone ever loses a block entirely, we're screwed
18:25 < sipa> ewww
18:25 < petertodd> lovely 'eh?
18:26 < petertodd> also, suppose we have a fork: A-B-c and A-B-d, now bandwidth is split 50:50 downloading c and d, which makes it more likely someone will create block e, which divides the bandwidth again...
18:27 < sipa> well, if block propagation is even comparable in speed to mining speed, there is certainly a problem
18:27 < sipa> headers-first doesn't change that
18:28 < sipa> but the fact that someone could create a header, announce it, and never announce the block... worries me
18:28 < petertodd> not in general no, but in this specific case yes because of how the code would now download blocks simultaneously - that wouldn't happen before
18:28 < petertodd> although, actually, "relay all blocks including orphans" may have this affect
18:28 < petertodd> s/affect/effect/
18:29 < sipa> right, but since you *know* the header structure already, you can make smarter decisions in what to download
18:29 < petertodd> well, but are they actually smarter decisions?
18:29 < sipa> than what?
18:30 < petertodd> than simultaneous - again, thinking about the possibility of attack or network affecting bugs
18:32 < petertodd> for instance, suppose you always tried to download the next block in the longest chain first, and then switch to another block on a timeout, but kept mining in case the next block was invalid - if you found a block, other miners doing the same thing wouldn't build upon it because it wasn't the longest chain
18:34 < petertodd> you could have 90% of the hashing power wasting its time, while 10% is extending a slightly longer chain just by making all your nodes artificially slow down the download of the blocks in your extension
18:47 < warren> http://www.reddit.com/r/Bitcoin/new/ please vote up "Can you fix the LevelDB database corruption bug affecting Bitcoin-Qt on some platforms? 5+ BTC bounty."
18:49 < Emcy> if you guys can find it why do you think anyone else can
18:49 < Emcy> and if they can, why are they not already here
18:49 < theymos> You don't need to be a Bitcoin wizard to find a bug in a database library.
06:47 < jtimon> exactly, you deserve to receive something in exchange for whatever you previously provided to society
06:47 < deantrade> But for as long as you just hold the money, it's like you just did all of that work in exchange for nothing, so the rest of society benefited at your expense
06:47 < jtimon> but why society must allow you to think what you want in exchange for as long as you want with no cost?
06:48 < deantrade> There is no guarantee the money will have the same market purchasing power in the future.
06:48 < deantrade> There is no one forcing anyone to accept some amount of money for anything, it's free trade
06:49 < jtimon> yeah, if many savers hoard, it will have an even greater market value in real terms
06:49 < jtimon> I'm assuming monetary monopoly all along
06:49 < jtimon> for example, a gold standard
06:49 < deantrade> Unless a new form of money is created that has better features, then the old money becomes worthless
06:49 < jtimon> there's some force here
06:50 < deantrade> Monetary monopoly: money monopolies do not last either. They have lasted long time durations, but not forever.
06:50 < jtimon> with a free monetary market deflation is not that harmful because trade and investment can just occur in other currencies
06:51 < jtimon> with a free monetary market, let's say real capital yields drop to 1%
06:51 < deantrade> I agree, people can just choose to invest in whatever they want. It would just be fraudulent to create a currency where you say it will have one inflation plan, and then later to do some different plan.
06:51 < jtimon> savers don't lend or invest bitcoins anymore
06:52 < jtimon> it doesn't matter, other savers will be happy to lend their frc at 0% interest
06:52 < deantrade> How was the gold standard forced? Or do you mean in our current situation there is force?
06:52 < jtimon> in our current situation there is force, yes
06:53 < jtimon> and in the gold standard was the same monopoly
06:53 < jtimon> the legal tender was 1 gold mark or whatever
06:53 < deantrade> Savers' only options right now are [US Treasuries, Stocks, or Land], gold, bitcoins, what else? (In brackets = in a bubble)
06:53 < jtimon> depending on the country
06:54 < jtimon> real capital
06:54 < deantrade> What did that mean though "legal tender"? At one time it just meant "You can only call it a dollar if it is this many ounces of gold".
06:54 < jtimon> stocks could be counted as real capital, but I agree they're probably still in bubble prices
06:55 < jtimon> the problem is when you can only trade using thalers, whatever the quantity of silver that defines them
06:55 < deantrade> In a free market where banks/money was not a monopoly, "banks" would not be protected from default (their owners would be held liable to pay up), and banks would offer higher interest rates to money market accounts
06:56 < jtimon> interest rates would not be manipulated
06:56 < deantrade> But in the world as it is now, banks just print money and lend out at way lower interest rates than savers would be willing to accept.
06:56 < deantrade> And then banks offer pretty much 0% interest rate to savers.
06:57 < deantrade> So savers are stuck having to invest in US Treasuries, stocks, land (and gold/bitcoins for the smart ones)
06:57 < jtimon> but I think that with enough mutual credit currencies (usually 0% interest) and demurrage currencies like freicoin interests would tend to zero in a free market
06:58 < jtimon> I agree the current situation sucks
06:58 < jtimon> I believe it will end up just as Gesell predicted: hyperinflation
06:58 < deantrade> This is also Austrian Economists' prediction.
06:58 < jtimon> https://www.community-exchange.org/docs/Gesell/en/neo/part3/13.htm
06:59 < jtimon> Gesell studied Böhm-Bawerk, he has more to do with Menger than with Keynes
07:00 < jtimon> in fact, he's closer to Menger than Mises in certain senses, like rejecting the notion of so called "intrinsic value"
07:00 < deantrade> Factories and farms etc... they don't just exist and produce the same amount of products at the same efficiency no matter the owner.
07:00 < jtimon> a dogma very often widespread among "austrians"
07:00 < deantrade> I reject "intrinsic value".
07:01 < deantrade> Value is only relative to one who acts to attain goals.
07:01 < jtimon> but the market forces the operators of the "inefficient capitals" to change hands
07:02 < jtimon> that's good, unfortunately many goldbugs (and even bitcoiners) don't think like you
07:02 < deantrade> Right... and poor people who prove to be capable of operating them, but don't have the capital to buy them at the moment will look for a loan.
07:02 < jtimon> yes
07:03 < deantrade> And there are many rich people who die, and their children blow the money on drugs etc.
07:03 < jtimon> yes
07:04 < jtimon> there's no need to redistribute wealth from rich to poor, but it's completely necessary to stop redistributing wealth from the poor to the rich
07:04 < deantrade> So productive people live and die. And when a poor productive person sees that they could vastly improve their life by just loaning some amount of money at some interest rate, then they will take the offer.
07:04 < jtimon> the problem is that some monetary systems impede that interest rate to be zero
07:05 < jtimon> which would represent optimal prosperity: maximum capital accumulation for society
07:06 < jtimon> would be the best position possible for workers (comparatively with capital)
07:07 < jtimon> well, negative interest rates would be "unfair for capital" but they're not natural even with demurrage
07:08 < deantrade> Interest rates should simply be chosen by the market. Interest rates are chosen by two people who come together with differing resources and contracts to deliver at a later time, and fully mutually voluntary acceptance of the contract.
07:08 < jtimon> interest rates are voluntary and determined by the market with freicoin too
07:09 < jtimon> nobody forces you to dodge the demurrage fee by lending or investing
07:09 < deantrade> I'm not disagreeing with that. I'm disagreeing with the idea that somehow having a money supply that is decreasing is necessarily bad, particularly when that money is just one competing currency when there are many others to choose from.
07:10 < jtimon> I think it's bad only if it's the only money
07:11 < jtimon> I don't think bitcoin will hurt society with its deflation because it will never be monopoly money
07:11 < jtimon> it just won't be as useful to society as it could be if it had demurrage
07:12 < deantrade> Useful to attain what?
07:12 < jtimon> economic development and prosperity
07:12 < deantrade> Economic development and prosperity of which group of people?
07:14 < jtimon> for everyone that produces and consumes
07:14 < jtimon> the higher the interest rates, the more everyone pays for what he consumes
07:15 < deantrade> Not necessarily.
07:15 < jtimon> the higher the interest rates the lower the percentage of good prices come from worker wages
07:15 < jtimon> name a single consuming good that doesn't include interest in its final selling price
07:17 < jtimon> for some that % is as high as 50%
07:17 < deantrade> When you pay over time with high interest rate, if the money supply is increasing more rapidly than the interest rate, then later when you pay the interest you potentially have to exchange a lower market value than what the money was worth when you agreed to the deal.
07:18 < jtimon> that's why the inflation premium is a component of interest
07:19 < jtimon> sadly inflation indexes are usually manipulated nowadays
07:19 < deantrade> 2% CPI haha
07:20 < deantrade> Fred Monetary Base has been increasing at >30% per year for 5 years now (since 2008 housing financial crisis)
07:20 < jtimon> what I mean is that most people pay far more interests than they receive, even when they haven't borrowed any money
07:20 < wumpus> no matter the economic arguments for it, no one would have bought into bitcoin if it had demurrage; many people were already not taking it seriously for being "virtual", let alone if your holdings magically evaporate over time
07:21 < jtimon> wumpus yes, probably something like bitcoin was destined to be the first crypto
07:21 < wumpus> a future cryptocurrency could do it differently, but bitcoin had to be like this to work
07:21 < jtimon> there was a time when people believed that money couldn't be made of paper, now some people doubt that it can be made of bits
07:21 < wumpus> for example freicoin, had it not included the strange centralized contribution for every mined block
07:22 < jtimon> probably the first p2p currency had to have fully p2p distribution too, no matter how wasteful that is
07:23 < deantrade> Wasteful?
07:23 < jtimon> in terms of real resources, yes
07:23 < jtimon> it's subsidizing security
07:23 < deantrade> How is giving out practically worthless bitcoins (initially worthless) wasteful?
07:24 < wumpus> decentralized systems are by definition less efficient than centralized systems, but compensate for this with added robustness
07:24 < jtimon> no, mining like we're doing now is wasteful
07:24 < jtimon> wumpus, but when the 21 M are issued, fees should provide enough security
07:25 < deantrade> Mining is essential. Proof of work that you earned the money. You'd rather the bitcoins were handed out willy nilly like helicopter Ben?
07:25 < wumpus> I have decided for myself that I like the robustness more than the efficiency, but your opinion may vary
07:25 < jtimon> I prefer that they're given to nonprofits you freely decide to donate to like in freicoin, obviously
07:26 < jtimon> http://foundation.freicoin.org/
07:26 < jtimon> by the way, crypto-currencies related projects can be listed too even if they're not legally non-profits
07:27 < deantrade> You say "robustness", as if that doesn't also make it efficient. Bitcoin is an extremely efficient value storage and value ownership transfer system.
05:53 < HM2> article floating around praising Satoshi's choice of the k1 curve over r1
05:53 < HM2> currently top of HN
05:53 < HM2> I thought the parameters to r1 were selected deterministically
05:54 < HM2> oh well
06:06 < sipa> HM2: with a 20-byte seed
06:06 < sipa> making the whole deterministic part quite suspicious :)
06:11 < HM2> You'd think NIST would have revealed the seed in light of recent events
06:16 < sipa> the seed isn't secret
06:16 < sipa> it is just long
06:16 < sipa> meaning it can have been selected by a brute force search for vulnerable parameters
06:17 < HM2> why couldn't they have gone for the classic value of pi
06:19 < sipa> or the string "5" or something
06:21 < HM2> sipa, how's your secp256k1 project coming along?
06:21 < HM2> has it reached peak performance?
06:41 < sipa> haven't worked on it for a while
06:56 < warren> HM2: crazy litecoin users are using it
06:58 < HM2> good good
07:26 < adam3us> HM2: nist probably don't know the real seed, it's probably in an HSM at NSA
07:26 < adam3us> HM2: i think it's basically confirmed that it was backdoored; weren't some of the snowden docs published or seen by schneier and greenwald including the internal project summary bragging of the successful backdooring of nist process
07:31 < HM2> There hasn't actually been any proof that NIST standards have been backdoored.
07:31 < HM2> I think the NSA presentations made a very strong indication that that was the case
07:32 < HM2> even the EC based RNG that is 'backdoored' is only a 'could be' backdoor (which is enough not to use it)
07:32 < HM2> for all we know the private parameters used to seed that could be lost and not in the hands of the NSA
07:33 < HM2> at least as far as I'm aware
07:33 < HM2> it's hard to keep a aprised of all the revelations concisely.
07:33 < HM2> *apprised
07:34 < HM2> the NSA has no reason to brag about their capabilities though, so it's very likely everything is as feared
07:35 < adam3us> HM2: so basically as i understood it from skimming the news over time, the level of confirmation was there were internal nsa docs in the snowden trove, that were read as indicating yes ec drbg was backdoored
07:36 < HM2> no, not exactly. it gave a year
07:36 < adam3us> HM2: and particularly as the design seemed very contrived, and the backdoor potential was identified by ferguson et al at microsoft and published some years back, that's pretty much the end of it
07:36 < HM2> and the EC RNG was released that year
07:37 < adam3us> HM2: how does that confirm or refute the strong indication that could is actually was (backdoored)?
07:37 < HM2> I'm not sure who the target audience for the slides released was
07:37 < HM2> if your target is politicians you might want to brag
07:37 < HM2> if your target is foreign ally agencies maybe you want to brag
07:38 < HM2> maybe not
07:38 < HM2> they were all very vague, sadly not a single specific cryptocapability has been leaked afaik
07:38 < adam3us> HM2: i think it's internal, but there was seemingly lots of internal bragging, as it is about vying for recognition and internal project funding and kudos etc
07:39 < HM2> right
07:39 < adam3us> HM2: snowden made some relatively specific statements about crypto capacities that are lacking - ie public key crypto is good, if no impl mistakes and no hw / sw backdoors
07:40 < adam3us> is this channel logged publicly.. i found a petertodd amazon hosted log fragment; is there a full log searchable?
07:40 < HM2> there was mention of a 'major breakthrough' a few years back that hinted at cracking capability
07:41 < HM2> no idea
07:41 < HM2> you should assume it's all logged and kept in my personal blockchain
07:42 < HM2> in order for me to quickly fake something you said 3 months ago, i'd need a computer the size of jupiter ;)
07:45 < adam3us> is warren hand here the warren togami founder of fedora?
07:45 < adam3us> seems potentially apt that he could start bitcoin staging - the fedora to bitcoins rhel/centos
07:46 < adam3us> (tho he seems attached to making litecoin work in that role at present)
07:46 < HM2> I don't know. They're all faceless ninjas to me.
07:48 < adam3us> i read some old wired article that mentioned charles lee, and that warren togami had stepped in as lead dev of litecoin... then it occurred to me, hey that probably was warren who was talking about litecoin dev speed and healthy competition to bitcoin pushing changes into bitcoin indirectly yesterday :)
07:49 < adam3us> it'd be easy enough to fork litecoin and put hashcash-sha256^2 and more work but defined method to put in the 1:1 one way peg allowing bitcoin transfer in place of mining
07:50 < jgarzik_> adam3us, yes, warren == warren togami of Fedora. He and I both worked at Red Hat on Fedora, too.
08:12 < adam3us> erm so patents - has anyone tried to think about a model for preventing/deterring bitcoin related startups from patenting obvious and core things?
08:14 < adam3us> starting to rear its really ugly head unfortunately and i am pissed; people may not know the history but cryptocurrency ecash was littered with mothballed patents stifling products - i personally know a solid biz ecash guy who was blocked from doing something chaum related due to that patent
08:14 < jgarzik_> adam3us, bitcoin is a laggard in this area
08:15 < adam3us> particularly when digicash went bankrupt the VC type investors sold the patents to a random big co infospace that sat on them until they expired
08:15 < jgarzik_> adam3us, coming from Linux, we were really proactive about registering trademarks and patents for open stuff, then donating those to a foundation, preemptively
08:16 < adam3us> jgarzik_: i was thinking the same, maybe bitcoin foundation can do something like the IBM anti-patent abuse pool
08:17 < adam3us> jgarzik: the patent pool could have teeth in that anyone who tries to assert a patent outside of the pool, is denied use of any patent in the pool; but free for everyone else
08:17 < jgarzik_> adam3us, http://www.openinventionnetwork.com gathers patents from many sources, licenses them royalty-free, and can be used for patent defense through Mutually Assured Destruction
08:18 < jgarzik_> MAD: company A and company B cross-license each other's patents. If a violation occurs, the other party revokes the patents they licensed
08:18 < adam3us> jgarzik: good, ibm mad like approach (microsoft was scared of accidentally tripping on IBM mad which is a good sign that it's a good approach)
08:18 < jgarzik_> works with patent pools too
08:18 < jgarzik_> IBM is a fscking patent behemoth
08:19 < jgarzik_> surprisingly they are pretty benevolent in the software patent space, compared to many others, even though they don't have to be
08:19 < adam3us> jgarzik: they also have some kind of MAD scheme going that microsoft were more scared of than GNU
08:19 < adam3us> jgarzik: so whether it's bitcoin foundation or the open thing you mentioned, or IBM: my point is there are no bitcoin patents in an open pool
08:20 < adam3us> jgarzik: and the various bitcoin startups are probably right now creating a raft of them to be "defensive" which is actually lethal
08:21 < HM2> it's not really lethal
08:21 < adam3us> jgarzik_: as when some of them start to go under the VCs that care more about money than bitcoin will sell them to the highest bidder
08:21 < HM2> mutually ensured destruction generally works quite well
08:21 < adam3us> HM2: viz digicash history and infospace
08:21 < adam3us> HM2: yes but there is no MAD, and bitcoin foundation has no patents
08:22 < jgarzik_> for MAD to work, you have to have patents others want
08:22 < HM2> Isn't the foundation just a benevolent observer/advisor?
08:22 < adam3us> jgarzik_: i think it's past time the foundation or someone suggest strongly to all the bitcoin startups that they form a MAD pool, to preclude their patents falling into the wrong hands if they go out of business
08:22 < HM2> It doesn't even own the trademark does it?
08:23 < jgarzik_> yeah TM is an issue too, though I think MagicalTux was working on getting the TM for community benefit
08:23 < adam3us> jgarzik_: bitcoinFOO startup may have a patent for "defensive" reasons, but when it goes under and is sold to a patent troll, it becomes offensive ... good intentions of bitcoinFOO no longer count
08:23 < jgarzik_> adam3us, agreed
08:23 < HM2> the Linux Foundation springs to mind
08:24 < adam3us> jgarzik_: or imagine worse things; US government seizes patents from the foundation as part of a court judgement, and asserts patent to make bitcoin-qt infringing
08:25 < jgarzik_> adam3us, so unlikely it's not worth worrying about
08:25 < adam3us> jgarzik_: patents should be abolished, but until then a bitcoin MAD pool should be created and probably should be held by an international, multi-jurisdictional entity
08:27 < adam3us> jgarzik_: debatable, weak point on my part; main point bitcoin community probably defensively needs a MAD pool in the hands of someone trustworthy and aligned with the community; i cant say more probably but i expect anyone with involvement with a commercial bitcoin entity has seen moves to patent something "defensively"
08:27 < jgarzik_> adam3us, agreed
08:27 < jgarzik_> adam3us, agreed (RE abolished + MAD pool)
08:28 < HM2> I'd worry more about the trademark
08:28 < adam3us> jgarzik_: so me = crypto guy, who could chase that down in foundation terms and make it happen?
08:28 < jgarzik_> adam3us, patrick murck, maybe
08:28 < HM2> someone could just buy it up the TM and just stick the name on whatever centralised currency they wish
08:28 < HM2> buy up the*
08:29 < jgarzik_> adam3us, tell him I pointed you to http://www.openinventionnetwork.com as an example
08:29 < jgarzik_> HM2, well like patent's concept of prior art, there is a way to show TM land grabs by third parties
08:29 < adam3us> jgarzik_: maybe a topic for this xgbtc list - didnt accept the list invite yet
08:29 < HM2> sure
08:29 < jgarzik_> adam3us, never heard of xgbtc
12:51 < jtimon> what fees?
12:51 < jtimon> bitcoin fees?
12:51 < petertodd> remember, ripple is all about optimizing who owes who, but why do you care exactly?
12:51 < jtimon> that's what money is all about
12:52 < jtimon> "bitcoin is about who has what, but why do you care?" I don't understand your point
12:52 < petertodd> what money is about doesn't matter for the end-user, they just want to solve a business problem
12:52 < adam3us> petertodd: freimarket includes real-ripple as a sub-component so freicoins that are IOU based can interop with freicoins that are mined (minus demurrage)
12:53 < jtimon> seriously I don't get your point about not caring
12:53 < jtimon> how would you not care about who owes you and who you owe too?
12:53 < adam3us> petertodd: i think its a logical and self-consistent system, remains to be seen on adoptions. some of adoption is first to market, network effects etc.
12:54 < jtimon> petertodd: you don't see any value in a ripple network or in credit in general?
12:54 < petertodd> jtimon: because my *business* problem is "I want to make money, and I can make money if I sell icecream, and if my icecream distributor loans me some stock, I'll pay him back and we'll both make money."
12:54 < adam3us> jtimon: i think petertodd is still on competition & adoption, his q. why would someone prefer freimarket IOU freicoin over btc
12:54 < petertodd> jtimon: The "meaning" of money means absolutely nothing to either party in that transaction.
12:55 < jtimon> petertodd: people don't want money, people want the stuff they buy with it
12:55 < adam3us> jtimon: its also a value store i guess.
12:55 < jtimon> it's not about preferring, you have your wares that by definition you don't want and want to sell
12:55 < petertodd> jtimon: and that's the thing, "I'm an icecream mfg, I need milk, now if you farmers give me some milk, I'll give you some money once I sell my icecream" - that's another business relationship
12:56 < jtimon> exactly
12:56 < jtimon> that can be done with "money" or credit
12:56 < petertodd> jtimon: ripple says "hey! this forms a cool graph when we add the customers into a big decentralized distributed database!" and can make those credit relationships magically collapse when the customer buys the icecream or something
12:57 < jtimon> the important stuff is the icecream and the milk, the rest are just numbers to make that happen
12:57 < petertodd> jtimon: meanwhile the business say "Who cares? Doing it the old way is plenty efficient and the new way requires a bunch of software and buy-in from a zillion parties."
12:57 < jtimon> that's the ideal situation in ripple, try to come back to the b2b stage
12:57 < jtimon> you sell icecream in summer
12:58 < jtimon> I go to you and say "do you accept ourtown's local currency for the ice cream"
12:58 < jtimon> you say "no, I prefer bitcoin"
12:58 < jtimon> "ok, I don't have bitcoin, keep your icecream"
12:59 < jtimon> if you want milk and you can buy it with both local credit currency and bitcoin, why reject any of the two?
12:59 < petertodd> and that's the problem, any real business will say "Why the hell do I care about these local currencies? Let someone else figure out how to convert FooDollars to and from Bitcoin so we can focus on making icecream, our core competency."
13:00 < jtimon> hehe, you remind me of people talking about real businesses and bitcoin a while back...
13:00 < petertodd> You might not be aware of this, but one of the reasons Net 30 day works is because there exist third party credit rating agencies that specialize in figuring out whether or not your counterparty will pay you back.
13:01 < jtimon> the magic of ripple is that you will only ever receive the currencies you accept
13:01 < petertodd> ...and when those agencies aren't good enough, the reason why Net 30 day works is because often suppliers have special insights into their customer's businesses, and thus credit worthiness, that is otherwise really hard to get.
13:01 < jtimon> and the payer doesn't need to bother about conversions either: the system does them
13:01 < jtimon> yes, I'm aware
13:01 < petertodd> jtimon: That's not magic at all.
13:01 < jtimon> no, it's not magic
13:01 < jtimon> it's tech
13:02 < petertodd> jtimon: That's the magic of "I price my icecream in dollars."
13:02 < adam3us> petertodd: well i guess bitcoin doesnt do it
13:02 < petertodd> jtimon: You don't need ripple for that
13:02 < adam3us> petertodd: bitpay et al let you though, ok
13:02 < jtimon> you can say "I price my icecream in gbp, I accept btc, bristol pounds or gbp"
13:03 < petertodd> adam3us: Exactly! bitpay, and the exchanges they work with, managed to outsource all that highly specialized work related to figuring out how to convert bitcoins to dollars
13:03 < jtimon> I go there with frc and sevillan pumas
13:03 < adam3us> petertodd: probably where a difference comes in is its hard to take out btc denominated loans because its volatile and trending up in price.
13:03 < jtimon> I push "pay 1 gbp to this merchant" the system says "want to pay X frc or Y pumas?"
13:04 < jtimon> what's the inconvenience?
13:04 < jtimon> petertodd: a ripple network can do what bitpay does!!
13:04 < petertodd> jtimon: the inconvenience is that you needed this big ripple thing with a zillion credit relationships for it to work, when the alternative is to let some specialist handle it for you
13:05 < jtimon> no, I said the merchant just accepted 3 currencies, that's 3 credit relationships
13:05 < petertodd> jtimon: See, if tx fees to and from sevillan pumas are low, then your customer, or you, can just as easily use that specialist to convert it for you.
13:06 < petertodd> jtimon: That's a *low overhead* solution to the problem that doesn't require much adoption to work. Ripple is the exact opposite.
13:06 < jtimon> but the point of the system is to unite the infrastructure of the different currencies NOT TO NEED the specialist
13:06 < jtimon> whatever, I don't think I can convince you
13:06 < petertodd> jtimon: Modern economics has realized over and over again that specialists are excellent solutions to most problems.
13:07 < jtimon> so please, answer my previous question "you don't see much value in a ripple network or in credit in general?"
13:07 < petertodd> I see lots of value in credit, because people use credit all the time. Ripple, not much value at all.
13:07 < jtimon> petertodd, argument of authority fallacy, your authority: "modern economics"
13:08 < jtimon> Ripple = credit
13:08 < petertodd> jtimon: No, ripple is a way to manage credit. There are other ways to manage credit.
13:08 < jtimon> it's just the same thing with a more convenient infrastructure
13:08 < petertodd> jtimon: You think it's more convenient, I don't for a whole host of reasons.
13:09 < jtimon> what's the difference between an international payment and a ripple transaction?
13:09 < jtimon> transitive credit, it's the same thing
13:09 < petertodd> And the biggest problem with Ripple is the value of it is network effect dependent, so if only a small network of people use it it has very little value. That's an enormous bootstrapping problem on top of all the other problems of it.
13:09 < jtimon> you know, banks took all that overhead of trusting each other
13:09 < adam3us> jtimon: if u really lend people money in small amounts, often you dont get it back. thats my experience. and lending money to friends & family generally is not a good idea. when something goes wrong it leads to problems.
13:10 < petertodd> jtimon: yes, and banks are specialists at that task. Ripple is asking everyone to get in the business of doing that, which goes against the tendency in modern economies to specialise.
13:11 < petertodd> adam3us: yup, it's worth noting that Net 30 day credit relationships are declining as businesses become more complex and transactions more convenient.
13:11 < jtimon> I'm saying it won't start with personal credit, but with b2b, local currencies, p2p markets gateways...
13:11 < adam3us> petertodd: i think the notional advantage of ripple.com is that they can cancel out some debts and so reduce the fees
13:11 < jtimon> the small participants can join later
13:11 < petertodd> adam3us: yup, which means it's in competition with every solution that reduces fees... and there are a huge number of ways to do that
13:12 < jtimon> just to be clear, I'm talking about ripple the concept not ripple.com
13:12 < petertodd> jtimon: doesn't work that way, often those small participants are what make the ripple network loops happen that let credit relationships get canceled out - the core thing that ripple does
13:12 < adam3us> petertodd: actually ripple.com is very poorly explained online. i am not sure if it also has issued values other than iou values mixing on its network.
13:12 < petertodd> adam3us: ripple.com is an abomination and we shall not refer to it again
13:12 < jtimon> the way you trust in ripple.com is very risky for users
13:12 < adam3us> jtimon: yes. thats why i put ripple.com when i wanted to refer to them
13:12 < jtimon> because it assumes 1 aaaUSD = 1 bbbUSD
13:13 < adam3us> petertodd: hehe the R-word.
13:13 < jtimon> that's not necessarily true in 2PC ripple or freimarkets
13:14 < maaku> jtimon: replacements can be used for microchannel payments (e.g. utility bill)
13:14 < petertodd> See, fidelity bonded banks are an excellent example of something where ripple can work very well, and one of the reasons that works is because the whole point is to keep tx fees low, 1 aaaBTC == 1 bbbBTC, and all the logic about the trust relationships can be handled in software (talking about the ideal fidelity bonded bank stuff here)
13:15 < petertodd> But that's a crazy-specialized example, and the whole concept of fidelity bonded banking is just as likely to get pushed out by other ways of getting low tx fees.
13:15 < jtimon> aaaBTC/bbbBTC should be just a market like any other
18:57 < jtimon> antonopolous was that guy that got himself filmed having dinner, drinking wine and talking about bitcoin in a restaurant?
18:57 < jron> jtimon: yes
18:57 < jtimon> I didn't watch the whole video but that was kind of odd
19:01 < jtimon> does this make any sense? https://bitcointalk.org/index.php?topic=430705.msg4715291#msg4715291
19:01 < jtimon> isn't getBlock template the same thing as GBT ?
19:02 < sipa> yes
19:03 < sipa> i assume it's a typo, but i've no idea for what
19:25 < andytoshi> ;;later tell nsh i did the talk, didn't get to any wizards stuff, it was very boring, sorry
19:25 < gribble> The operation succeeded.
23:10 < tt_away> It's late and I'm tired and going through ProtoShares source code; does PTS only use SHA512 as a hash function? It mentions sCrypt in the white paper, but I'm not seeing it.
23:10 < tt_away> Also these indentations ahhhhhHHHH
--- Log closed Sat Feb 01 00:00:14 2014
21:10 < warren> https://togami.com/~warren/archive/2013/example-bitcoind-dos-mitigation-via-iptables.txt (with a limit that is not quite this small)
21:10 < jgarzik> network attacks against bitcoin have best ROI today </standard refrain>
21:10 < nanotube> <gmaxwell> Today you can fill up all connection slots on the bitcoin network with 1 IP. <- i thought current code prevented multiple connection from same subnet ?
21:11 < gmaxwell> nanotube: no, we won't make outbound connections to the same netgroup (/16 for ipv4) but inbound is unrestricted. And it should be since otherwise it would be somewhat hard to connect from some universities and countries.
21:12 < nanotube> hmm
21:12 < gmaxwell> (instead, when we fill up instead of turning away new connections we should see if there is a less attractive old one to punt, e.g. punt the duplicate IPs preferentially)
21:12 < gmaxwell> But we don't right now.
21:12 < nanotube> huh, so we don't even block the same ip from connecting twice?
21:12 < warren> nope
21:12 < jgarzik> code it up and PR it ;p
21:12 < nanotube> at the very least, /that/ seems like a low-cost thing.
21:13 < gmaxwell> nope And if we did, as I said, that would cause some problems.
21:13 < nanotube> no country/university has only one ip :)
21:13 < warren> nanotube: and that isn't a good defense if you think about ipv6
21:13 < gmaxwell> nanotube: actually several countries connect entirely from a single IP.
21:13 * nanotube avoids thinking about ipv6 >_>
21:13 < gmaxwell> E.g. Qatar IIRC.
21:13 < nanotube> but heh the private bloom filters bit is pretty cool.
21:13 < nanotube> heh really? wow.
21:14 < nanotube> so qatar just has one giant country-wide NAT ?
21:14 < gmaxwell> yea.
21:14 < nanotube> lol >_<
21:14 < gmaxwell> Things you learn being a Wikipedia admin. "oops you just blocked Qatar. Again" "Oops you just blocked university of foo. Again."
21:14 < nanotube> well, all of qatar probably has 2 bitcoin users. they'll manage.
21:14 < nanotube> hehe
21:15 < gmaxwell> I accidentally the whole qatar.
21:15 < nanotube> is it deliberate, or were they just not allocated any ips?
21:15 < gmaxwell> In any case, it would be pretty easy to make the node-full behavior turn into kick out some old peer based on some priority thing. I would have done it already but there really is no end to the amount of thinking you can do behind the prioritization scheme.
21:15 < gmaxwell> speaking of that.. I should probably just PR my dont-use-get-my-ip patch, since it seems no one is going to review the idea without a PR...
21:16 < gmaxwell> :P
21:16 < gmaxwell> but first, dinner.
21:16 < gmaxwell> nanotube: I assume it's more or less deliberate.
21:17 < warren> is there one state owned ISP?
21:17 < nanotube> probably
21:18 < gmaxwell> I would assume, I never looked into it. Thats the case in a lot of those places.
21:19 < gmaxwell> not exactly the most important use cases, but I'd rather not make the system gratuitously hostile. there are a bunch of reasons why you generally want to allow multiple connects from the same IP. E.g. my local nodes addnode each other.. and if we were limited to 1 they'd get rejected... even from nodes that don't listen on the public internet.
21:20 < warren> local nodes would have RFC1918 addresses?
21:20 < gmaxwell> mine don't. Not everyone is behind n-layers of nat, esp on ipv6.
21:21 < warren> especially with ipv6, limiting per IP probably isn't going to work
21:22 < gmaxwell> In any case, go look in the logs here I described my thinking on this, I think there should be a set of prioritization which protects some nodes from being dropped and then randomly drops based on a score for the rest, the score could include things like being in the same ipv6 /48 as other peers.
21:22 < gmaxwell> (or even the same /32)
21:28 < warren> hm, "BitcoinJ always bootstraps from DNS seeds."
21:30 < jgarzik> indeed
21:31 < jgarzik> bitcoinj-based Bitcoin Wallet does not rotate keys for each transaction
21:31 < jgarzik> bitcoinj-based Bitcoin Wallet does not support P2SH
21:35 < warren> multibit also appears to not tell you how many peers you have
21:35 < warren> seems rather insecure for the default client on bitcoin.or
21:35 < warren> org
21:40 < gmaxwell> warren: I think multibit only connects to 4 too, but I also thought that about android wallet and sipa demonstrated otherwise.
21:41 < gmaxwell> IIRC bitcoinj also only queries a single dns seed at random. e.g. instead of doing something like taking one peer from each round robin. (though not like its hard for a network attacker to intercept DNS)
21:42 < gmaxwell> I dunno if you saw the last round of snowden papers but it looks like the NSA has a DNS race interception infrastructure.. e.g. use passive taps to see dns queries and then respond faster.
21:42 < warren> wouldn't you see two responses if you were the victim of that?
21:42 < gmaxwell> sure, but you take the first one.
21:42 < warren> and nobody is watching for the second
21:43 < gmaxwell> (I have a friend that runs a really big DNS GSLB infrastructure that works that way too: you query for their domain, they forward the query to all their clusters, and then when the NTP clock strikes the next 100ms interval they all respond at the same time)
21:43 < jgarzik> interesting
21:44 < jgarzik> I know ISC does a lot of anycast
21:44 < jgarzik> anycast works much better for UDP than TCP ;p
21:44 < gmaxwell> hehe indeed.
21:45 < jgarzik> For at least a decade, F root was the most distributed DNS setup by 10x, IIRC
21:46 < jgarzik> At least one other root went distributed years ago, hopefully the others have followed by now
21:46 < jgarzik> Google's new database consensus/sync stuff relies on accurate clocks
21:47 < jgarzik> as 'time' is fundamentally distributed and (in theory) always synchronized
21:47 < jgarzik> relying on that become then an expensive hardware problem of "getting the right time, always"
21:47 < jgarzik> *becomes
--- Log closed Sun Oct 13 00:00:05 2013
--- Log opened Sun Oct 13 00:00:05 2013
01:27 < warren> who is the primary person behind pull tester?
02:25 < sipa> warren: bluematt
07:13 < gmaxwell> petertodd: I just thought up another storage hard function. This one is super simple.
07:14 < gmaxwell> Say you have a tree structured pseudorandom function: e.g H(seed) = {Left half, Right half} ... H(Left half) = {Left half, Right half} and so on so a single seed can expand to a ginormous tree.
07:14 < gmaxwell> Server gives the client a random seed and the tree size. The client goes and computes the leafs of the tree and stores the results.
07:15 < gmaxwell> Then the server can challenge the client: The server randomly picks a leaf, evaluates it itself.. and says to the client "tell me what the index is for the leaf with value X"
07:16 < gmaxwell> the only efficient way for the client to answer would be to have computed a hashtable over the results... otherwise it has to recompute the whole tree.
07:35 < gmaxwell> yippie.
07:43 < gmaxwell> unrelayed: http://cryptome.org/2013/10/homo-crypto-sym.pdf claims fully homomorphic encryption with much better performance and only linear plaintext expansion. (factor of 16)
13:19 < amiller> i sort of have a wrench in the works as far as consensus theory goes
13:19 < amiller> i normally say something like 'every valid transaction is eventually included'
13:19 < amiller> but 'valid' is a moving target and can change, for example in a double spend when one transaction invalidates another
13:20 < amiller> suppose there were an opcode that let you refer to the current blocks' transaction height
13:20 < amiller> and you could make a transaction that was only valid every 1000th block
13:20 < amiller> would that transaction be guaranteed to get committed eventually?
13:21 < amiller> this is basically about whether a sub-50% attacker can consistently snipe a particular block as long as it's not too often
13:21 < sipa> well the script system is designed such that a transaction that is once valid, is never invalidated (except for double spending)
13:21 < amiller> well with multisigs the doublespend might not be in your control
13:21 < sipa> it is never in your control
13:21 < amiller> also this is specifically about a hypothetical new opcode
13:22 < amiller> it's in your control if you kept your private key private and don't do it
13:22 < sipa> one of your predecessors may double-spend
13:22 < amiller> good point
13:22 < amiller> hm
13:22 < sipa> it's why software doesn't allow you to spend without confirmations
13:23 < sipa> because it's not enough to trust coins you receive; you must also trust that they're unlikely to be reverted by the senders of the senders
13:24 < amiller> there's other related things like sd_lerner's suggestion to have 'invalid after <date>' opposite of locktime
13:26 < sipa> it does mean a receiver needs to track recent (all?) history of its inputs, to judge how likely they are to become permanently unspendable
13:27 < sipa> as a reorg of a transaction right at the border is very risky
13:27 < amiller> if it's safe to wait 6 blocks anyway, then that's enough
13:28 < amiller> like if you wait long enough that the last guy can't revert it, then no one before can either
13:28 < sipa> true
13:28 < amiller> but still my question is about the other direction
13:29 < amiller> how quickly can you get a tx in a block
13:29 < sipa> i wouldn't say it's always guaranteed that you can
13:29 < sipa> it depends on economic factors
13:29 < amiller> if someone wants to prevent you from getting a tx in even 1/1000 blocks, can they?
13:30 < sipa> assuming miners are greedy/rational and choose transactions with the highest fee/byte ratio
13:31 < sipa> all that's needed is someone constantly creating transactions with higher fee than yours
15:29 < HM3> or they could take your family hostage and threaten to beat them if you make said transaction.
16:39 < nanotube> or put a bounty of 80kUSD on the head of any miner who mines it into a block. >_>
09:31 < azariah4> adam3us1: hmm, did you see the op (59) EXTRO in the current version of the paper?
09:32 < adam3us1> azariah4: ethereum paper? no. i did describe the extrospection viral goo risk to vitalik tho :)
09:33 < azariah4> ah yes, now I reached your post in the thread talking about it :)
09:33 < adam3us1> azariah4: maaku_ was discussing it for freimarket too and he figured he could somewhat contain it by disabling extrospect on basic coins (non contract)
09:35 < azariah4> well, even if one could prove the language itself has no extrospection, the fact that it has a form of persistent storage could be an issue in practice
09:36 < azariah4> e.g. one specific impl of a ethereum node has overflow/bounds bug in its impl, enabling a script to read outside its defined persistent storage
09:36 < adam3us1> azariah4: it seems interesting to me however to look at contracts you can build by composing dependent and hash-locked non-extrospection bitcoin scripts or other composing methods. while it seems at first laborious to not be able to express these in a single contract, so long as its functionally equivalent and all the interesting useful things can be built, without adding extrospection i think that can be enuf, and suspect it might be a des
09:37 < adam3us1> azariah4: yes. i think they have sparse storage tho. maybe the address space was like 2^128 or something vast if i recall
09:39 < azariah4> yepp [0 ... 2^256-1] for both temp and persistent storage
09:40 < azariah4> hopefully they can post some updates about these risks before their fundraiser starts in a week
10:11 < Ursium> azariah4: i'm not sure there's anyone from the core dev team on this channel (i could be wrong) - is that something you could raise on forum.ethereum.org?
10:14 < azariah4> I could, but I need to read more about it first to properly understand it :>
10:57 < adam3us1> azariah4: didnt they already write about security risk somewhere? vitalik wrote an article on bitcoinmagazine recently also (didnt read it all yet)
13:26 < maaku_> azariah4: the scripting language would have to be perfectly sandboxed, yes
13:27 < maaku_> but we are talking about a language that could be as small as a dozen or so opcodes, 2-3 types, and an implementation measured in the hundreds of lines of C++ code
13:28 < maaku_> these can be made safe. it could even be proven safe, if you have the resources to do so
13:29 < maaku_> well, i'm talking about my language here, not ethereum's
13:29 < TD> maaku_: there were exploits in bitcoin script even though that's tiny. so ..... this stuff is hard :)
13:30 < maaku_> TD: bitcoin's scripting language is more complex than a minimal turing complete language
13:30 < maaku_> and was not given appropriate care and attention
13:37 < maaku_> what i'm saying is there's nothing magical about writing a scripting interpreter that makes it dangerous in itself
13:38 < maaku_> compared to say, the network stack, which is quite a bit larger and also has to be free of remote exploits
14:23 < gmaxwell> maaku_: sure there is, the script interpreter is protocol normative in a way the net code isn't. It doesn't just have to be free of "remote exploits" it has to be free of consistency failures. So that adds a number of additional constraints and makes fixing it hard.
14:24 < gmaxwell> maaku_: and of course all that "just a couple hundred lines of code" stuff fails if you then need to make it fast and implementers find that they're practically required to employ a JIT compiler for it.
14:27 < TD> the world has a poor track record when it comes to sandboxing malicious code
--- Log closed Mon Jan 27 00:00:02 2014
--- Log opened Mon Jan 27 00:00:02 2014
05:07 < _ingsoc> :/
05:31 < grazs> a what
08:18 < warren> http://www.identitymind.com/company/partners/ "There are about 10 Billion devices in the world that are connected to the Internet and BlueCava aims to identify all of them."
08:18 < warren> frightening
08:20 < brisque> wonder what they're using to distinguish devices. surely most embedded linux devices all have the same public fingerprint, there's barely anything to distinguish them.
08:21 < warren> more bitcoin devices than humans in the world
08:22 < nsh> s#bitcoin#tcp/ip#
08:23 < TD> i am skeptical about the 10 billion figure
08:24 < TD> having worked in the field myself i am a lot MORE skeptical about identifying all of them being a remotely realistic goal
08:26 < brisque> their goal seems to be attempting to correlate users between devices. matching one browser fingerprint with another, rather than trying to uniquely identify devices.
matching one browser fingerprint with another, rather than trying to uniquely identify devices. 08:28 < TD> yes of course 08:28 < TD> it's still rather hard 08:29 < TD> well, assuming you "play the game" normally of course 08:30 < brisque> I doubt any of these companies do. if google is using browser bugs to track Safari devices against their cookie settings, you can be pretty sure these companies are going even dirtier. 08:31 < TD> ah, well you don't know the story of that bug. 08:31 < TD> there is a long explanation of it here: http://lauren.vortex.com/archive/000937.html 08:31 < TD> tl;dr that was actually a bug in safari and google got the blame for it. nice, huh 08:32 < TD> by "play the game" i meant, try and do it all in the browser. if i had a really compelling product to sell for credit cards i'd ask the user to download and run a native app 08:33 < TD> you can get a lot more scammers that way, of course 08:34 < brisque> TD: that's interesting, i heard the noise around the time but the followup must not have had quite the journalistic merit. 08:35 < TD> the "story" was revealed by the wall street journal at a time when Murdoch was giving speeches about how Google was destroying the newspaper business and it'd be saved by the iPad 08:36 < TD> and it went downhill from there 08:37 < brisque> that bluecarva.com thing seems reasonably standard. it does the usual, user agent, plugin version, installed fonts, all the normal fingerprinting stuff. attempts to put cookies and lcoalstorage cookies everywhere, and that's about the end of it. 08:38 < brisque> comes with a big scary warning about how the source they're presenting is confidential and secret, but that's about the end of it. 08:39 < TD> yeah that's typical 08:39 < TD> of course carders know about all of that 08:39 < brisque> coinbase uses all of those too, interestingly enough. 08:44 < brisque> looks like bluecarva tries to use clock skew as a fingerprint too, that's one I hadn't thought of before. 
09:16 < aksyn> you can probably fingerprint a browser version based on rendering time of certain DOM elements 09:17 < aksyn> and yeh, shotgun crap into cookies, localstorage, flash cookies etc. to identify users 09:18 < aksyn> market seems busy for a monday night 09:18 < aksyn> on huobi at least 11:57 < tacotime_> http://www.businessinsider.com/report-ceo-of-major-bitcoin-exchange-arrested-2014-1 11:57 < tacotime_> whoops 12:00 < grazs> but he looks so honest 12:01 < tacotime_> Popped on those charges for just a mil too, sucks. 12:02 < gmaxwell> Guess the folks who were hoping to get coins back from him, http://bitinstant.info/ are out of luck. 12:14 < sipa> gmaxwell: get coins back? 12:18 < gmaxwell> sipa: right before bitinstant shut down apparently they bought BTC from a number of parties and never paid. see the link. 12:23 < sipa> ewww 12:26 < pigeons> SHREM is also charged with one count of willful failure to file a suspicious activity report, which carries a maximum sentence of five years in prison. 12:27 < sipa> and the site is gone 12:28 < tacotime_> I'm guessing maybe they dug up the silk road stuff after getting subpoenas/warrants related to fraud. 12:33 < phantomcircuit> tacotime_, yeah or you know they're reading all of the silkroad message system messages 12:33 < phantomcircuit> im thinking that one 12:33 < _ingsoc> Highly unlikely they'd arrest someone high profile without a solid case that'll probably end up in a successful prosecution. 12:34 < krl> having messages in cleartext on a site like that... 12:36 < tacotime_> krl: You really think someone would do that? Just go on illegal marketplace sites on the internet and use cleartext to communicate? 
:yaranaika face:
12:36 < home_jg> TorMail data was also seized in its entirety
12:36 < home_jg> as part of the Freedom Hosting takedown
12:36 < krl> people will unless you force them not to
12:37 < home_jg> as _ingsoc implied, arrests at the federal level are not usually made unless they are convinced they have a strong case.
12:38 < home_jg> successful prosecution rate is > 90%. They also overcharge, hoping to negotiate down to a guilty plea that sticks
12:39 < home_jg> will make the NY hearing _very_ interesting. It appears that was the intention (just my supposition...)
12:40 < sipa> what hearing?
12:41 < tacotime_> http://www.coindesk.com/charlie-shrem-to-banks-we-want-to-work-with-you/
12:41 < tacotime_> I guess maybe he should have been working with Swiss banks.
12:41 < home_jg> sipa, https://twitter.com/BenLawsky/status/426431501115211776 etc.
12:41 < home_jg> NYDFS is holding hearings, similar to the US senate hearings.
12:42 < home_jg> Lawsky is the "you should have BitLicenses" guy at NY-DFS
12:42 < sipa> New York... depth first search?
12:42 < home_jg> Dept Financial Services
12:42 < home_jg> NY regulator of money transmitters
12:42 < sipa> got it
12:43 < home_jg> I think these hearings will be much more harsh than the US Senate hearings
12:55 < gmaxwell> home_jg: well the 90% conviction rate is in part because damn near everyone pleads guilty because it's so stacked against you.
13:10 < michagogo|cloud> Um
13:10 < michagogo|cloud> Did bitinstant market to SR users or something?
13:11 < pigeons> not like the charge would imply
13:49 < TD> michagogo|cloud: read the criminal complaint
13:49 < TD> michagogo|cloud: the dude is almost certainly going to spend a long time behind bars
19:42 < jtimon> but with prefixes, can't you just ask for more info than you need?
19:42 < petertodd> jtimon: that's the whole point of prefixes!
19:43 < jtimon> I know, more bandwidth
19:43 < petertodd> jtimon: gah, have you read that paper of mine?
19:43 < jtimon> my point is I don't see the bad side, with prefixes you can have the best privacy of them all at the cost of bandwidth
19:44 < petertodd> jtimon: ah, well, that's why I'm pushing the idea :) sounds like we're in agreement
19:44 < jtimon> sorry, no
19:44 < petertodd> jtimon: you should, because everyone loves debating this without actually reading the damn thing and why I think it's worth making these tradeoffs
19:44 < petertodd> jtimon: http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03612.html
19:45 < petertodd> I mean, hell, it's paragraph three where I outline that my threat model is an attacker controlling a reasonable number of the nodes your SPV client is going to connect to... which is a *very* reasonable attack model.
19:46 < petertodd> Again, saying this because I've actually done this personally by throwing some cash at Amazon EC2
19:46 < jtimon> yes, I don't understand adam's objections, yet I don't know what's the alternative, but yes, as said earlier to adam you shouldn't bother much explaining me this because I haven't read stealth addresses yet, really my fault for trying to follow again, sorry
19:46 < petertodd> jtimon: thanks
19:47 < CodeShark> jtimon: there's so much stuff going on in this space right now you'd be excused for not reading absolutely everything :)
19:47 < adam3us> petertodd: btw backing up a bit time-lock and stego, i dont think consensus is affected by unavailability of the key, and the key can be encrypted for the recipient and stored in the block chain
19:47 < petertodd> adam3us: no, the recipient is the public
19:47 < adam3us> petertodd: so then it's a simple matter: if people do not reveal the key, they cant respend
19:47 < petertodd> adam3us: that's got nothing to do with it
19:48 < CodeShark> the recipient's key is already a hash of a pubkey
19:48 < adam3us> petertodd: yes for your other use case.
but then make it available from all nodes (it's validatable against the ciphertext)
19:48 < petertodd> adam3us: the problem is that miners who know a tx is part of some consensus scheme may want to censor the tx and not mine it, yet the tx data *must* be guaranteed to be made public to everyone for a consensus scheme to work, thus, use timelock to force miners to either delay *all* transactions, or give up trying to censor
19:48 < jtimon> CodeShark yes, that's why I was "passing on stealth addresses for now", as a filter, but then I shouldn't try to follow the discussions about it intervening in them
19:49 < petertodd> adam3us: there is no way to prove publication unless you can guarantee that the data can be decrypted
19:50 < CodeShark> whether or not keys are encrypted has no effect on privacy as long as the keys (encrypted or not) can be associated with a wallet
19:50 < adam3us> petertodd: i guess you are assuming a network where 90% of miners and nodes hate msc spam and want to kill it ;) so then you cant rely even on relaying and it may be difficult to find a node with the key?
19:50 < petertodd> adam3us: consider a key:value(s) consensus system: if it's just encrypted, I could hold onto the key, then release it after the fact, changing the consensus suddenly
19:51 < petertodd> adam3us: that's the whole fucking point of it: how to make an embedded consensus system that's uncensorable unless miners implement whitelists
19:51 < petertodd> adam3us: of course I'm assuming that - if I wasn't it wouldn't be much of a result
19:52 < petertodd> adam3us: I mean, hell we've got an existence proof that if only some miners hate you you can still get your tx's mined...
19:53 < adam3us> petertodd: ok then; it's a bit slow tho, time-lock.
maybe you can find a subnet of msc-relaying nodes
19:54 < petertodd> adam3us: well sure, but that's not unlike making the block time longer - perfectly acceptable for a lot of applications
19:55 < petertodd> adam3us: I'm not claiming mastercoin should go and implement it right now - I'm pointing out that they could
19:56 < adam3us> petertodd: yep. i have some more stego end-game ideas. still holding them back :)
19:56 < adam3us> petertodd: meaning i dont disagree the steganographer wins. in the end game
19:57 < petertodd> adam3us: meh, do everyone some good and just publish them so people stop making shitty assumptions about scalability
19:58 < adam3us> petertodd: they are not so interesting, just silly things you could do if you had to (if bandwidth was no obstacle). you probably already thought of them.
19:59 < petertodd> adam3us: ah, well if they're less efficient don't bother
20:00 < petertodd> adam3us: anyway, the interesting thing is how to make crypto-currencies where utxo bloat and so on doesn't matter, and I think we're close to solving that pretty thoroughly
20:00 < adam3us> petertodd: cant u get consensus by time-stamping and using a separate msc-only network for the data?
20:00 < petertodd> adam3us: consensus isn't just time-stamping
20:01 < petertodd> adam3us: proof-of-publication matters, and it's really not trivial
20:01 < petertodd> adam3us: heck, maybe there is no general solution to it
20:01 < adam3us> petertodd: well i mean if you tolerate jamming. just have nodes stop if they cant obtain a full explanation of the time-stamp merkle tree.
20:02 < petertodd> adam3us: the point of proof-of-publication is to tolerate jamming you know...
20:03 < adam3us> petertodd: hmm so you want to send the (time-lock) encrypted msg in the chain because then it's atomically delivered so either you get it or you dont.
20:03 < petertodd> adam3us: frankly I think many in the bitcoin community are letting their desire to keep data out of the chain blind them to how fucking hard it is to make these things secure
20:03 < adam3us> petertodd: stego wins. i know it :)
20:04 < adam3us> petertodd: even if you have to use like morse code in the lsbit!
20:04 < petertodd> adam3us: it's not about "stego winning" - it's that people keep pushing MM and similar schemes not because it's better for the consensus system in question, but because it's better for bitcoin
20:05 < petertodd> adam3us: and whenever those consensus schemes take that advice, we bitcoin devs fool ourselves
20:05 < adam3us> petertodd: oh diff meaning. ok well given the scalability limitations, absent a robust scalability fix, as you said sharding seems better. so a MM chain is a crude form of sharding. if security is important buy some kncminers to tip the balance. or work on educating users to not use big pools etc.
20:05 < petertodd> adam3us: and you know, unless you honestly look at the incentives and attacks possible, you're not going to come up with MM schemes that *actually* work
20:06 < adam3us> petertodd: sure.
20:06 < petertodd> "educating users" fuck off
20:06 < petertodd> we've got a system where you *earn more money* mining at a big pool
20:06 < petertodd> that's fundamental to how bitcoin works and isn't going to change
20:06 < adam3us> petertodd: there are other ways to "educate" users you know. that may require tor for the educators' safety...
20:07 < petertodd> adam3us: all solutions that don't help *decentralized consensus systems*
20:07 < adam3us> petertodd: i wonder if any of them are selfish mining
20:07 < maaku_> petertodd: currently, you earn more money mining p2pool...
20:07 < petertodd> maaku_: not if you take your time into account for many miners...
20:07 < adam3us> maaku_: yes. this is very puzzling to me.
20:07 < adam3us> petertodd: but it's just as easy to pick p2pool from the list
20:08 < maaku_> adam3us: you don't pick p2pool from a list, you run a local daemon
20:08 < petertodd> maaku_: like it or not we probably have to get to the point where pools *can't* exist, and simultaneously fix scalability
20:08 < maaku_> but i've found it to be very stable at least
20:09 < adam3us> maaku_: i thought one of the miners i tried seemed to support p2pool out of the box (if it ran a daemon itself maybe)
20:09 < maaku_> petertodd: i like getting rid of pools. i don't like the negative side effects i've seen come attached to such proposals
20:09 < petertodd> adam3us: did you have a full node? if not you weren't using p2pool
20:09 < adam3us> petertodd: i did yes
20:09 < petertodd> maaku_: meh, just means you have to keep working on the proposals
20:09 < maaku_> adam3us: that'd be great if it does, but it probably just connected to a public p2pool node
20:10 < maaku_> which is really no different than a centralized pool as far as this conversation is concerned
20:10 < petertodd> maaku_: don't think I'm saying I have a perfect solution yet, I'm just saying we're incredibly naive in this community thinking stuff like p2pool is much of a fix
20:10 < petertodd> heh, heck, adam not knowing exactly what his hashing power was doing is a great example of why this is hard...
20:10 < adam3us> warren: maybe in your p2pool fixing budget you could try to get a shiny nice UX GPU / ASIC scrypt/hashcash miner that bundles p2pool and makes it the default
20:11 < petertodd> adam3us: meh, that shiny p2pool bundle is an easy thing that people are already working on for free
20:11 < warren> adam3us: p2pool requires high CPU and disk i/o performance to be efficient =(
20:11 < adam3us> petertodd: i think the UX might be the key though.
if someone's doing it for free fine
20:12 < maaku_> warren adam3us: really all you need to do is bundle up a py2exe virtual environment for p2pool with gitian builds of bitcoind and bfgminer
20:12 < petertodd> warren: I set my p2pool node to mine very small blocks for that reason
20:12 < maaku_> let bfgminer --p2pool set up the services
20:12 < petertodd> warren: I think it's set to like 0.01BTC/KB fee or something
22:24 < andytoshi> yeah, but it's easy to get an endorsement in academia
22:25 < andytoshi> also if you had an account before they started doing endorsements
22:25 < andytoshi> i think you're free
22:25 < Mike_B> http://arxiv.org/find/cs/1/au:+Yakhontov_S/0/1/0/all/0/1
22:25 < Mike_B> heh
22:25 < Mike_B> his first paper was some other random thing
22:26 < Mike_B> he probably was like "can you endorse me for this algorithms paper?" and the guy was like "sure"
22:26 < Mike_B> second paper after that: "P = NP"
22:26 < Mike_B> i'd be pissed if i was the endorser
22:28 < andytoshi> lol yeah, i'd be annoyed
22:28 < andytoshi> tbh i'd probably never bother to find out :P
22:39 < gmaxwell> we find out later it was just created as an effort to manipulate bitcoin prices.
22:40 < gmaxwell> Mike_B: meh, give him an easy one, ask for an md5 second preimage of the all zeros md5sum.
22:41 < Mike_B> ha
22:44 < Mike_B> i wonder how security would change if you replaced the usual 10m blockchain confirm with the following process
22:45 < Mike_B> 1) set difficulty so that each miner can solve the problem in (some shorter amount of time, like 10s)
22:45 < Mike_B> 2) wait for N miners to have declared a solution
22:46 < Mike_B> (assuming N is large)
22:46 < gmaxwell> not progress free.
22:46 < Mike_B> 3) have those miners come to consensus
22:46 < Mike_B> "progress free"?
22:46 < gmaxwell> A large miner has an unfair advantage.
22:46 < gmaxwell> He will mine with his large hashpower, claiming to be M small miners.
22:47 < Mike_B> right but is that just the same 51% vulnerability?
22:47 < gmaxwell> and his partial results for himself, and then come to consensus with himself, and by keeping his partial results to himself he gets a superlinear speedup.
22:47 < gmaxwell> At the extreme the fastest miner always wins.
22:47 < gmaxwell> no it's not.
22:49 < Mike_B> so say you have an expected solving time of s, and you need N miners for a quorum, so that s*N = 10 minutes
22:49 < gmaxwell> imagine the extreme version where every hash is a winner. I am 4gh/s you are 3gh/s. Target is 40giga-shares to solve a block. How many blocks will you solve?
22:50 < Mike_B> what do you mean by "giga-shares?"
22:50 < gmaxwell> hashes.
22:51 < Mike_B> if every hash is a winner, doesn't that mean the target is 1 hash to solve a block?
22:51 < gmaxwell> I mean every hash meets your lower criteria.
22:51 < gmaxwell> I'm using an extreme example where the ratio of the lower criteria to the block criteria is very large.
22:51 < gmaxwell> In those cases mining becomes a race and the fastest miner ~always wins.
22:52 < gmaxwell> it's true when the ratio isn't large, but the advantage is somewhat less.
22:53 < gmaxwell> The method you're describing (breaking up the hashcash into N smaller hashcashes) is suggested in some hashcash papers to reduce variance, but it has the property that it's not progress free, which is why we don't use it.
22:53 < Mike_B> don't understand what you mean by "lower criteria" and "block criteria"
22:53 < gmaxwell> lower criteria is your "solving criteria"
22:54 < gmaxwell> Mike_B: in your own language set N to a large value like a billion.
22:55 < Mike_B> ok, and now what
22:55 < Mike_B> N is a billion, s is tiny, N*s = 10m
22:57 < gmaxwell> now you have some miners and one a good amount faster than the others. instead of sharing his partial solutions he hoards them (or at least hoards them unless he learns of someone else having too many of them).
22:59 < Mike_B> ok
23:05 < Mike_B> gmaxwell: i still don't see the issue, sorry
23:05 < Mike_B> you're talking about a case where a miner has a plurality of hashpower but not a majority?
23:07 < gwillen> Mike_B: I haven't fully understood the issue, but consider that in _any_ scheme here where you have a threshold of "N miners" that can do something by consensus, there's something wrong
23:07 < gwillen> Mike_B: because one miner can always claim to be N miners for any value of N
23:07 < gwillen> so either the threshold is not necessary, or it's broken
23:08 < gwillen> I don't know which is the case here
23:10 < Mike_B> gwillen: i mean N verified proofs of work
23:10 < Mike_B> could be the same miner more than once
23:11 < gwillen> okay, N distinct proofs of work, that defeats my objection
23:11 < gwillen> I don't understand gmaxwell's well enough to know what it does to his
23:12 < gwillen> oh, I think I see
23:12 < gwillen> when it's a single share you need, everybody has a chance proportional to their hashpower, but it's high variance
23:13 < gwillen> if you need N smaller shares, you reduce the variance, but you also reduce the chance of people with low hashpower and increase the chance of people with high hashpower
23:13 < gwillen> if you need 1 share that takes a million seconds on average, winning is proportional to hashpower
23:14 < gwillen> if you need a million shares that take 1 second on average, the guy with the most hashpower will win every time
23:14 < gwillen> (if I'm thinking about this right)
23:14 < gmaxwell> That's what I'm arguing, yes.
23:14 < gwillen> ok.
23:14 < gmaxwell> It's not progress free. As you find shares you're making progress.
23:14 < gwillen> oh, interesting
23:14 < gwillen> progress-freedom makes it a poisson process
23:15 < gwillen> and only a poisson process has the right statistics for winning to be proportionate to hashpower
23:15 < Mike_B> gmaxwell, can you link me to a paper that describes this
23:17 < Mike_B> if you're saying one exists, anyway
23:18 < Mike_B> gwillen: what i'm trying to figure out is what the analogue of the 51% vulnerability is as N changes
23:18 < gmaxwell> I thought there was, but I'm not finding it at the moment, I'll look more after dinner. :)
23:18 < gwillen> Mike_B: as I understand it, you could indeed compute an analogous percentage as a function of N
23:18 < gwillen> but I don't know how off the top of my head
23:19 < Mike_B> gmaxwell: alright, well i'd much appreciate it if you do find anything
23:19 < gwillen> I could probably work it out but I have real work I need to be doing
23:20 < Mike_B> gwillen: fair enugh
23:20 < Mike_B> enouh
23:20 < Mike_B> god damn it
23:20 < Mike_B> :(
23:21 * Mike_B "enoughghghghghghghghghghghghg"
23:23 < gmaxwell> new lenovo keyboard?
23:24 < Mike_B> no, i just developed a neuromuscular disorder that lasted 2 seconds
23:26 < gmaxwell> It's been known to happen to bitcoiners. :(
23:27 < Mike_B> bitcoin-related finger tremor
23:28 < Mike_B> ok, so i see your objection now
23:28 < Mike_B> so you're saying the target is 0xfffff....
23:28 < Mike_B> so every hash wins, but you need a trillion hashes or whatever
23:29 < Mike_B> so if you have double the hashpower I do, you generate hashes twice as fast
23:30 < Mike_B> and i guess you're saying there's a strategy where you can hoard hashes and i, the poor unsuspecting sap, just broadcast them to the network
23:30 < Mike_B> is that right?
23:31 < Mike_B> i guess i'm just not sure how you'd use hoarding hashes to have influence more than your hashpower
23:31 < Mike_B> you'd have to wait for me to pass some threshold and then dump
--- Log closed Thu Dec 05 00:00:32 2013
--- Log opened Thu Dec 05 00:00:32 2013
01:01 < amiller> gmaxwell, what do you think of the transaction notation in the "mpc on bitcoin" paper
01:01 < amiller> is it easy to read?
01:02 < amiller> it's a pretty sound compromise between the current academic notation and how we're used to looking at them, i think
01:03 < amiller> i guess i should try writing something else out in that style
08:21 < jtimon> maaku I'm still on page 5, but this P = NP paper looks very good
08:22 < jtimon> I thought you believed this was possible since you tried it yourself
08:28 < fagmuffinz> jtimon, link?
08:28 < jtimon> <maaku> supposed proof of P=NP : http://arxiv.org/pdf/1208.0954.pdf
08:28 < jtimon> <maaku> dubious of a proof that's only 24 pages long
08:38 < t7> can you express the problem in coq or agda?
08:46 < _ingsoc> For a second I thought it was this guy: https://en.wikipedia.org/wiki/Sergei_Yakhontov
08:46 < _ingsoc> I would have been like, damn, that's badass.
08:52 < iddo> jtimon: it's not new, it's revised from 2012, see http://arxiv.org/abs/1208.0954 and http://www.win.tue.nl/~gwoegi/P-versus-NP.htm
08:53 < nsh> what was the problem in 2012?
08:53 < nsh> shouldn't a constructive proof of P=NP lead pretty directly to efficient algorithms/reductions for All The Problems
08:54 < nsh> ?
08:54 < TD> huh
08:54 < TD> it's funny to see a list of papers along with claims "This paper proves P=NP" followed by "This paper proves P/=NP"
08:55 < nsh> yeah
08:55 < nsh> --
08:55 < nsh> [Equal]: In September 2012, Sergey V. Yakhontov proved that P=NP.
The proof is constructive, and explicitly gives a polynomial time deterministic algorithm that determines whether there exists a polynomial-length accepting computational path for a given non-deterministic single-tape Turing machine. The paper is available at http://arxiv.org/abs/1208.0954.
08:55 < nsh> (Thanks to Ricardo Mota Gomes for providing this link.)
08:55 < nsh> --
08:55 < iddo> nsh: serious people stopped trying to look for problems in non-peer-reviewed papers like this, e.g. http://www.wisdom.weizmann.ac.il/~oded/p-vs-np.html
08:56 < nsh> (constructively determining the existence of something is not constructive)
08:56 < TD> isn't looking for problems rather what peer review means?
08:56 < sipa> nsh: there are classes above NP that would be unaffected (ExpTime, ...)
08:56 < nsh> sipa, right
08:56 < sipa> also, polynomial does not imply efficient by any real-world standard
08:56 < sipa> (assume it was polynomial in the 100th degree?)
08:58 < nsh> have there been many cases of polynomial algorithms being found but only with high exponents?
08:58 < nsh> i have the impression (but i don't know how reliable it is) that generally relatively efficient algorithms are found where they exist at all
18:53 < adam3us> btw it would be super embarrassing if the thing which overtook bitcoin, if it happened, was essentially a lame param tweak
18:53 < gmaxwell> PPC would be interesting to me if it weren't sullied with that stupid block signing.
18:53 < maaku> the pun on "free market" was just too good to pass up
18:54 < maaku> geistgeld, my favorite. 15 second blocks
18:54 < maaku> that actually was useful
18:54 < maaku> and appropriately, now dead
18:54 < gmaxwell> the scrypt experiment ran its course and failed as an experiment: It failed its stated goal, and it's had negative side effects (making initial (/spv) sync slow). Double sad is that many people (myself included) predicted exactly this outcome.
18:54 < adam3us> sipa: yes litecoin's main claim was giving gpu miners something to play with when asics came
18:55 < sipa> i wonder, with PPC, can you mine on both branches of a block chain fork at once, without loss?
18:55 < jtimon> wasn't geistgeld the first one with scrypt?
18:55 < gmaxwell> maaku: I liked "liquidcoin" the one with the difficulty set to a fixed level... it rapidly turned into a thousand separate currencies as nodes could never manage to converge.
18:55 < adam3us> sipa: well even that was unintended if i caught up correctly, it aimed for cpu preference and failed, luckily for it asics came along
18:56 < gmaxwell> sipa: with PoS you can indeed, that's why PoS is sad. PPC arbitrates forks with a special alert message that adds a checkpoint, run by the developer.
18:56 < jtimon> I dream of a SCIP/spark-based pow
18:57 < sipa> gmaxwell: i keep reading "PoS" as "piece of shit"
18:57 < adam3us> he he
18:57 < petertodd> gmaxwell, maaku: working on a paper analyzing profitability of tx fees - results are looking pretty ugly w/ centralizing mining having at best linear improvements in profitability.
18:58 < sipa> gmaxwell: oh, so that is actually why the checkpoints are needed
18:58 < adam3us> gmaxwell: scrypt spv problem being higher hash validation cost?
18:58 < petertodd> gmaxwell, maaku: you can very quickly construct a proof that in any circumstance mining is something where increased hashing power gives you more profits per unit work
18:58 < sipa> gmaxwell: i thought it was to prevent tons of SHA256 power working against it
18:58 < petertodd> gmaxwell, maaku: which we knew... but it looks like under certain circumstances the implications of that are really ugly.
18:58 < gmaxwell> adam3us: no it wasn't, LTC's claim was that it was cpu only (gpu resistant) :P
18:58 < adam3us> gmaxwell: yes i read that
18:59 < sipa> < adam3us> sipa: yes litecoin main claim was giving gpu miners something to play with when asics came <-- unsure what you mean here
18:59 < gmaxwell> sipa: most of PPC's blocks are PoS mining now, the SHA256 difficulty is quite high.
18:59 < adam3us> gmaxwell: "and it's had negative side effects (making initial (/spv) sync slow)." was referring to that ... scrypt spv problem being higher hash validation cost?
18:59 < petertodd> bbl
19:00 < jtimon> the theory now is that ASICs = centralization = less security: I think bitshares offers an "even-harder-to-asic" pow
19:00 < gmaxwell> sipa: the first version of PPC PoS was super vulnerable, by throwing CPU at the PoS you could find a path of solutions where your coins were the lucky PoS coins for every block.
19:00 < adam3us> sipa: never mind, i just meant that it would've probably died if asic mining hadn't freed up lots of gpus, when its failed attempt to be better on cpu failed
19:00 < sipa> adam3us: ic
19:00 < sipa> adam3us: ironic :)
19:01 < gmaxwell> sipa: they stopped the majority attack by the alert lockins and then did a hardfork to change the PoS so that the stake is selected using PoW blocks to prevent that kind of fork and search to favor your own stake.
19:01 < adam3us> sipa: litecoin investors made money from a failure that succeeded for random reasons outside of its authors' control or expectation
19:02 < gmaxwell> but you can still mine all possible forks, and it's rational to do so... you just can't use doing that to make yourself mine all the blocks. :P
19:02 < jtimon> I guess atlantis had a lot to do with ltc success too
19:02 < gmaxwell> (unless you also have a lot of hashpower)
19:02 < adam3us> sipa: but it is kind of interesting that the value of a coin is partly from the fun that can be had in the act of mining it...
if you take away people's toys by removing gpu mining and asics being hard to get, then that's what happens
19:03 < adam3us> jtimon: atlantis?
19:03 < jtimon> was another silk road that accepted both btc and ltc
19:03 < gmaxwell> adam3us: litecoin mining was really weird for a long time, e.g. it was net unprofitable over power for a very long time until GPU mining took off.
19:04 < adam3us> btw i had a look at bitshares protocoin mining run and they very badly screwed their params, but the psychology of the miners on the #protoshares channel was interesting... they mostly didn't understand what it was or why they were mining it, just it was fun, and they were early and getting discount/jump on a timelimited offer
19:05 < gmaxwell> adam3us: yea, mining all the new things blindly has been at times very profitable.
19:05 < adam3us> (they hard forked their params with no warning to the alarm of users who prepaid for like hosting services on a month basis that bitshares was taking referral commission on)
19:05 < adam3us> i was too late to encourage their users to reject and not upgrade!
19:06 < gmaxwell> adam3us: nothing can compete with all the crazy stuff solid coin did.
19:06 < adam3us> (they put a message on their site to say you have to upgrade or else, but the threat was incorrect - if the miners revolted that would've been the end of the param change plan)
19:06 < gmaxwell> I'm pretty sure you could do a hardfork of a moderately successful altcoin where you just moved half the users' balances to yourself, and they'd take it.
19:06 < midnightmagic> gmaxwell: I wonder if that's the anonymous developer who wants to add in all that new stuff to an altcoin fork.
19:06 < jtimon> gmaxwell, do you have more on your interactive hashtree proof besides this thread?
https://bitcointalk.org/index.php?topic=284194.0
19:07 < gmaxwell> jtimon: the block cut and choose idea at the bottom is applicable to any fiat shamir style non-interactive proof, it just potentially makes them smaller for a given security level.
19:08 < gmaxwell> midnightmagic: hm?
19:08 < adam3us> gmaxwell: btw about your aside about patent trolls, i did send a mail to the foundation lawyer guy and matonis, and they replied to say yes they were working on a defensive shared patent pool
19:09 < gmaxwell> midnightmagic: realsolid hardly did anything original
19:09 < sipa> he was perhaps the first to use floating point in consensus-critical code :)
19:09 < gmaxwell> adam3us: uhh. that the foundation would own? danger danger. 501(c)(6) assets can be taken in bankruptcy to creditors, and bankruptcy transfers can sever otherwise perpetual licenses.
19:10 < midnightmagic> gmaxwell: The ideas lists were collected from others' hardfork wishlists
19:10 < adam3us> gmaxwell: but yeah i dont know.. i suggested such risks to jgarzik who was on the thread here and he seemed less worried
19:10 < gmaxwell> midnightmagic: well ideas are a dime a dozen, sit down I'll pump out another gross of them for you.
19:10 < midnightmagic> :)
19:10 < adam3us> it seemed to me a risk that the foundation could be legally attacked and the patents seized
19:12 < adam3us> but the current alternative is not fantastic either, that each new bitcoin startup probably patents half a dozen defensive things, that sooner or later will get bought by a troll, or sold to a big co that does nothing with it apart from park it in a 5000 patent defensive pool
19:12 < adam3us> it happened with chaum's digicash patents, until they expired
19:14 < gmaxwell> adam3us: SFLC considers that kind of risk significant, for codec patents we've used a complicated interlocking scheme with multiple 501(c)(3) (which have special asset disposition rules which prevent them from being taken in a bankruptcy), e.g.
mozilla filed patents and then assigned them to Xiph.Org under an agreement controlling the disposition of the patents should Xiph.Org go away, and we still consider it generally risky as ...
19:14 < gmaxwell> ... opposed to pure defensive publication. (but the risk was necessary because we had to be able to force other potential patent holders to adopt licensing terms we specified and thus needed negotiating leverage)
19:15 < adam3us> i see - maybe you should fwd that to the lawyer guy & matonis
19:15 < gmaxwell> The biggest problem in true defensive patenting is that under current caselaw in the US a bankruptcy court can dissolve _any_ licensing agreement, and they do.
19:16 < gmaxwell> (this is also why things like the twitter patent pledge thing are nice in spirit but may not work in practice)
19:16 < adam3us> i was thinking it would be nice to have some way to defensively avoid patents becoming troll material
19:17 < gmaxwell> the next best idea was to embed trapdoor misconduct in the patent application process, so that our patents were trivially invalidatable but only to us.. uh.. I hope that expresses how hard we considered the process to be. :)
19:17 < adam3us> that bitcoin startups have; maybe they can own them but they revert to the foundation - far out of my depth other than hating patents with a vengeance and seeing too many of them through consulting on crypto for people and wanting to avoid seeing the digicash patent endgame
19:18 < adam3us> if there was a safe way to have a defensive pool, it would be good to have something to pressure bitcoin startups to assign their patents to so they can be forced to be sincere about their defensive plans
21:35 < gmaxwell> at some point I believe we'll add some (or multiple) kinds of finite resource priority peers can use to get slots if they're having problems. I've got a couple ideas for that.
21:49 < nanotube> hm, that's interesting
21:52 < nanotube> mem was stable at 16conn, restarted with 128.
--- Log closed Wed Sep 11 00:00:26 2013
--- Log opened Wed Sep 11 00:00:26 2013
00:11 < nanotube> 27 peers, 13 tor. 269/598M ram. (vs 268/585 at 16 peers)
00:11 < nanotube> jrmithdobbs: maybe something changed in a month, but i'm definitely seeing plenty of tor peers.
07:35 < nanotube> 27 tor out of 52. 302/591 mem.
07:35 < nanotube> that /is/ pretty small mem impact per connection, it seems.
07:36 < gmaxwell> it used to be much larger, but, yea, that mostly should have been fixed.
16:21 < nanotube> also, 33 out of 57 connections are tor. definitely some popularity there.
16:37 < nanotube> we could probably use sipa's crawler to get a rough estimate of how many torcoin nodes there are...
17:54 < sipa> nanotube: i crawl tor
20:34 < nanotube> sipa: ah cool. so got any rough estimate? :)
20:35 < sipa> there's 31 onion peers in my database
20:40 < nanotube> heh, i have 35 tor peers right now as we speak. >_<
20:42 < nanotube> but those are people connecting to me, so maybe they are not running a hidden service
--- Log closed Thu Sep 12 00:00:29 2013
--- Log opened Thu Sep 12 00:00:29 2013
01:16 < gmaxwell> nanotube: exactly, we're sort of short on onion peers. :(
08:39 < nanotube> there seems to be a decent list on https://en.bitcoin.it/wiki/Fallback_Nodes
10:03 < gmaxwell> petertodd: https://bitcointalk.org/index.php?topic=292857.0 someone proposes a composable signature scheme based on pairing crypto.
10:05 < gmaxwell> e.g. you have a bunch of pubkeys, and values signed... and you can't tell which signed which. bonus: they seem to be claiming the aggregate is constant size.
10:06 < gmaxwell> (though they make some claim about the security model essential to the size being constant and not linear in the number of signatures which I don't understand)
11:44 < petertodd> gmaxwell: broken link
11:45 < petertodd> Sounds promising though!
11:52 < gmaxwell> petertodd: sorry, I moved around some posts: https://bitcointalk.org/index.php?topic=290971.0
11:53 < gmaxwell> In any case, you start off with a bunch of {key, message, signature} and can aggregate one way into a {N x key, N x message, signature} such that you can't tell which key signed for which message. The final signature may be constant in length.
11:53 < gmaxwell> (may because they had some security handwave I didn't follow, otherwise it's linear)
14:04 < amiller> i really think i've figured out the economics of bitcoin
14:04 < amiller> it has to be unprofitable for everyone
14:06 < amiller> we have to assume it's always more efficient for large corporations to mine, because of economies of scale etc etc
14:07 < amiller> this is the underlying reason why people panic about the trend of bitcoin towards centralized mining
14:07 < amiller> and it's compelling
14:08 < amiller> if it's unprofitable for some people to mine and profitable for others, then unfortunately it's likely to be profitable only for people with the biggest investments
14:08 < amiller> but this lottery theory is totally a way around that
14:09 < amiller> the solution is basically to make it unprofitable for everyone, including the potentially enormous miners
14:10 < amiller> and in fact the motivation to participate, despite it being unprofitable, is most applicable to the small users and not to the biggest players
14:11 < jgarzik> One argument I've always made is that larger corporations, if they decide to buy into bitcoin mining, will be willing to mine even at a loss
14:11 < amiller> i think the opposite
14:11 < amiller> maybe if they have some external reason as well, like political influence i suppose?
14:12 < jgarzik> amiller, you may obtain several opportunities of ancillary value from mining
14:12 < jgarzik> amiller, mining your own transactions, slowing down your competitors, strategic value, etc.
14:12 < jgarzik> amiller, general network security, lessening dominance of others
14:13 < jgarzik> amiller, laundering (the 110% PPS case)
14:13 < amiller> i see
14:13 < amiller> that's not detrimental, it doesn't necessarily imply the winner take all case
14:13 < jgarzik> agree
14:14 < jgarzik> not trying to rebut your argument, just noting all the value that may be extracted even if the mining itself is notionally unprofitable
14:14 < amiller> sure, fair enough
14:14 < amiller> some of that almost counts as altruistic model as well, basically you've described like a bitcoin stewarding company
14:15 < amiller> it would be disconcerting if a potentially strictly-greedy network-ambivalent cost-cutting company could get more and more profitable just by mining and accumulating compute power
14:16 < amiller> so i'm really comfortable now with this decision theory called Cumulative Prospect Theory
14:16 < amiller> it's a generalization of the standard Expected Utility version
14:16 < amiller> EU says that no one ever participates in lotteries, CPT accounts for that
14:17 < amiller> i'm really confident now that modeling bitcoin miners as CPT-rational agents is the way to go
14:19 < amiller> it's not inherently irrational to play a lottery with -ev
14:19 < amiller> which is a nice observation because we know that people do
14:19 < amiller> what's neat is that a lot of people of ordinary wealth may be very excited about the potential of winning like $2500 by mining a block
14:20 < amiller> when the potential reward is tuned right, basically the most amount of people will participate and the ev will drop
14:21 < amiller> yet $2500 is nothing to a big company, and they're less and less likely to get a big enough jackpot to make it worth participating
14:24 < jgarzik> not necessarily stewarding -- I was thinking to myself of an idealized "bitcoin bank", or an HSBC/Goldman bank that wants to participate with bitcoin
14:24 < jgarzik> If you want to participate in the network, there is value in helping to defend it
14:25 < jgarzik> another thought, the most difficult problem to solve: how to compensate people for joining the network and relaying transactions
14:26 < jgarzik> otherwise we quickly degenerate into only miners running full nodes (which, admittedly, Satoshi described as an end game)
14:37 < jgarzik> amiller, compare price of hardware versus likely expected payoff
14:37 < jgarzik> amiller, it's expensive hardware for a low-payoff lottery, right now
14:38 < jgarzik> any hardware within the reach of normal people will on average produce 1 block every 10 years or so
14:38 < jgarzik> and it seems like that trend will continue
14:38 < amiller> one thing i found is that the cost is totally dominated by equipment rather than power
14:38 < amiller> it surprises me whenever i do that calculation
14:38 < jgarzik> indeed
14:39 < jgarzik> though my $300/month power bill increase was painful today :)
14:39 < jgarzik> 2x Avalon, 2x BFL
14:39 < jgarzik> (need to get that other Av back up)
14:39 < gmaxwell> petertodd: https://bitcointalk.org/index.php?topic=290971.msg3139004#msg3139004
14:39 < amiller> i'm interested in the structure of bitcoin's reward
14:39 < amiller> like if there were bigger jackpots
14:40 < amiller> perhaps sometimes you could win a thousand bitcoin bonus
14:40 < amiller> that would change the way in which people participate
14:40 < amiller> even if somehow the expected profit was fixed
14:40 < amiller> that's my point overall i guess is that i'm moving away from an expected-profit-centric analysis of the rewards
14:40 < gmaxwell> 11:19 < amiller> what's neat is that a lot of people of ordinary wealth may be very excited about the potential of winning like $2500 by mining a block
14:41 < gmaxwell> ^ doesn't explain why most people won't solo mine, even in small amounts... even with a positive ev. :P
14:42 < gmaxwell> amiller: a significant fraction of miners think mining is a race, and that you get super linear rewards from big aggregates. "So much for rational agents" .. so perhaps that's what explains the prevalence of pooling, it doesn't seem to explain the near absence of solomining.
14:42 < gmaxwell> jgarzik: 11:25 < jgarzik> another thought, the most difficult problem to solve: how to compensate people for joining the network and relaying transactions
14:43 < gmaxwell> So, there was just an "anonymity" proposal that resolves that as a side effect.
14:43 < amiller> gmaxwell, i have two responses, one is that it could easily be something that happens later as people learn to understand the economics better, the other is that perhaps the $2500 is even too steep and people would like to have a small chance at winning like $20 or something
14:44 < amiller> there are tons of studies on lottery design, and it's well known that lottery designs typically have lots of different prizes
14:44 < jgarzik> Explaining the near absence of solo mining: There is a rather large chance you will /never/ get paid for that noisy, loud hardware you had to fight to obtain.
14:44 < amiller> i found one paper that looks at optimal lottery design for a market of CPT agents in particular, and basically concludes that an optimal lottery has a continuous prize distribution, not just finite prizes
14:44 < jgarzik> The motivation to help the network is not nearly so strong.
14:44 < amiller> bitcoin has exactly one prize
14:44 < amiller> for bigger prizes, you have to go to satoshi dice
14:44 < amiller> for smaller prizes, you have to go to satoshi dice
14:45 < gmaxwell> jgarzik: I mean back when CPU mining was still profitable (positive EV over power costs) but not very, I had basically no luck convincing now gpu miners to spin up their cpus laying around solo mining.
11:58 < jtimon> petertodd: "reduce the consensus "size"", that's what I meant here " though the most promising scalability improvements can only come from more data being directly exchanged between parties without touching the chain"
11:58 < petertodd> TD: ha, for once we're in agreement on scalability (at least on what we should do in the short/medium term)
11:59 < jtimon> TD ok I get your point
11:59 < TD> i'll go out and celebrate tonight :)
11:59 < jtimon> TD but that's assuming no merged mining :(
11:59 < petertodd> TD: and for long-term, we can probably agree that we don't know yet because the research hasn't been done :)
12:00 < TD> the scaling issues with bitcoin aren't really mining, they're to do with management of the chain/transaction rates/etc. so merged mined altcoins are fine.
12:00 < TD> indeed!
12:00 < jtimon> yeah, maybe I'm just envisioning the worst-case scalability scenario, and still future looks bright
12:00 < petertodd> jtimon: ah, well depends on your definition of "the chain" - I think long-term we can create systems where, very roughly speaking, you have multiple chains where the "timestamping" PoW is all merged, but the proof-of-publication isn't
12:01 < petertodd> jtimon: so your tx on *a* blockchain might be subject to consensus by an audience of 10,000 or whatever, but the "audience" timestamping it may be millions
12:02 < petertodd> jtimon: and most likely the tech will be such that the more valuable transactions end up paying higher (absolute) fees, and are "seen" by a larger audience
12:02 < adam3us> TD: i'm more excited about pegged side-chains (aka alts but with bitcoin price pegging in lieu of new scarcity races) as a building block to explore sharding and other features. then each guy with a crazy idea can go knock himself out on a side chain without creating dust on bitcoin main meta-coin style, and without creating a new tulip coin with scarcity race sales-hook being his "feature"
12:02 < jtimon> petertodd: I just don't know how you're going to do that
12:02 < petertodd> jtimon: the open research problems are all related to how does security work there
12:03 < jtimon> petertodd: as said some kind of sharding would be very nice
12:03 < petertodd> jtimon: well, I've got some ideas - day before yesterday I outlined one on -wizards
12:03 < jtimon> yeah you half-explained me one, but I was unconvinced
12:04 < petertodd> adam3us: yeah, merge-mined sharding w/ pegged value is probably a reasonable way to upgrade bitcoin 1.0 to this kind of technology
12:04 < jtimon> I'm happy that you're thinking about these things though
12:04 < petertodd> adam3us: but as I say, the specifics are an open question right now
12:04 < adam3us> anyway it's not doom & gloom, we're not all out of ideas, maybe petertodd is full of it or maybe he finds the magic formula :)
12:05 < jtimon> petertodd: one idea I had in mind was partitioning the sequencing itself
12:05 < helo> sharding is sending bitcoin to an unspendable bitcoin address to mint altcoin?
12:05 < adam3us> petertodd: right exactly. so let's build pegged side-chain and let a dozen people and startups go try see if they can figure it out
12:05 < jtimon> but I haven't found a way to make it p2p
12:05 < adam3us> helo: no sharding is generic... just means split up the volume somehow
12:06 < helo> ok
12:06 < adam3us> helo: pegged side-chain involves proof of transfer (you can move the coin back too, not destroyed as such)
12:06 < petertodd> adam3us: heh, worst comes to worst all my off-chain stuff *does* work just fine subject to the semi-centralization involved, and it has the enormous advantage that implementations of it can fail and won't take down the whole system with it
12:06 < jtimon> helo: like having half transactions in one chain and the other half in another chain
12:07 < jtimon> helo: I meant that for sharding
12:07 < adam3us> petertodd: it is highly likely that at least one person will try to claim solving it via a centralized server. well we have open transactions even :) federated but auditable, and rebuildable from receipts
12:07 < petertodd> jtimon: yeah, atomicity of transactions in sharded systems is a really interesting question
12:08 < petertodd> adam3us: yup, my actualy claim to fame in that space is only better systems of auditing and fraud punishment - the idea itself is so simple as to get reinvented constantly
12:08 < petertodd> adam3us: *actual
12:08 < jtimon> let me explain how would it work "centralized", maybe you can come up with a way to make that p2p
12:08 < adam3us> petertodd, jtimon: so pegged side chain, like 100 of them merge mined, coins moved via SPV proof of move or atomic cross chain swap. seems not implausible
12:08 < jtimon> or someone else
12:09 < petertodd> jtimon: see fidelity bonded banks where the machine readable fraud proofs are what makes it possible to do it p2p
12:09 < jtimon> adam3us: that still requires fat validation miners
12:09 < petertodd> jtimon: no it doesn't, mining is scalable because miners don't have to validate all chains
12:09 < jtimon> petertodd you don't know what I'm going to say yet
12:10 < adam3us> jtimon: it merged mined, but maybe some model can be found for mining without having all 100 full tx feed. it's not like most mining power right now is even looking at the tx...
12:10 < jtimon> petertodd: there was no sharding in adam3us not implausible comment
12:11 < jtimon> "pegged side chain, like 100 of them merge mined, coins moved via SPV proof of move or atomic cross chain swap. seems not implausible"
12:11 < adam3us> anyway we don't have to solve it today... more worried about how to provably prevent someone sneaking fractional reserve into a side-chain at this moment.
12:11 < adam3us> jtimon: yeah is just a definitional thing. you could consider the 100 side chains 100 shards
12:12 < petertodd> adam3us: well, like I said above, the trick is to separate timestamping from the proof-of-publication - merge-mined side chains can naturally work that way if they are genuinely merge-mined, as opposed to just a soft-forking change
12:12 < adam3us> petertodd: yes this is a kind of open transactions argument. i buy that as a plausible thing to explore.
12:12 < jtimon> well, since we don't know how to shard yet and you didn't explicitly mention it, I thought you meant we could still scale doing that without sharding
12:13 < adam3us> jtimon: i was thinking of a use-case of (multiple identical) pegged side-chains as a mechanism for sharding
12:13 < petertodd> jtimon: well, remember my thought example of the tree-like consensus system? if your top node in that tree is the bitcoin blockchain, then the two leaves logically are your merge-mined side-chains
12:14 < petertodd> jtimon: which is why coming up with a backwards-compatible upgrade is actually fairly plausible - ugly, but feasible
12:15 < jtimon> adam3us: but the pegging thing is to solve the "exchange rate" problem TD mentions
12:15 < adam3us> petertodd: it's the beauty of pegged side-chain, the side chain (or lots of them, or competing lots of them) can go do experiments while retaining bitcoin main fungibility
12:15 < petertodd> adam3us: yup
12:16 < jtimon> adam3us: I'm saying I don't know a technical solution for merged mining + sharding in the first place, seem kind of incompatible to me
12:16 < adam3us> jtimon: right. but pegged side-chains also form security firewalled experiment zones for interesting things, like sharding, freimarket script extensions, utxo compaction, zerocoins, committed tx... anything within reason
12:17 < adam3us> petertodd: the limitation is only i think it has to be not too alien for bitcoin to not be able to consume the side-chain's SPV proof of move
12:18 < jtimon> adam3us: security firewalled? what in pegcoin makes it more attractive to merge mine than say, devcoin?
12:18 < petertodd> adam3us: nah, I'd say the bigger limitation is that long-term PoW security needs to be paid for by fees, and the basic economic model is screwy there and has a high potential of failure
12:18 < adam3us> jtimon: incentive you mean? ask petertodd he's the incentive / game-theory guru ;P
12:18 < petertodd> adam3us: it's the thing with off-chain stuff: it becoming too effective is a huge risk in the long-term!
12:19 < petertodd> adam3us: now that's like, 10 years away long term hopefully, but it's a problem that needs solving eventually
12:19 < adam3us> petertodd: it seems like the biggest open q about it really. incentives. but it's not like that's solved in main. $25k/block or $150k/6-block is the price of admission (x the failure rate to build a chain long enough)
12:20 < jtimon> petertodd are you suggesting off-chain technology working nicely and securely is a "huge risk"? what do you mean?
12:21 < adam3us> petertodd: Maybe it's a TD thing. we (humans) want and need this to work, so maybe most honest people will do it and that will carry the day
12:21 < petertodd> adam3us: yup, currently my best guess is per-tx PoW schemes (and actually, maybe per *txin* PoW schemes) with anti-pooling stuff and PoW algorithms more resistant to ASIC centralization is what'll work, but those are all -wizard level questions and lots of research to be done
12:21 < adam3us> jtimon: he's worried about an incentive break down leading to attacks
12:22 < jtimon> adam3us well I ask you because you made the firewall claim, but I'm happy receiving an explanation from anybody
12:22 < petertodd> adam3us: in the meantime, honesty and other non-ideal second order effects will help the existing system limp along for a lot longer than it deserves to
12:22 < petertodd> jtimon: yes, in the long term the PoW security needs to be paid for, and one of the few reasonable ways to do it is transaction fees, no-txs == no pow security in many very plausible future models
19:32 <@gmaxwell> at some point this should get built, even if it's just a toy insecure form.
19:33 <@gmaxwell> people were talking in #bitcoin-offtopic about building an IRC micropayment bot...
19:33 <@petertodd> Did you read my bonded ledgers thing?
19:33 <@gmaxwell> You send it 1btc.. then you can bot: pay petertodd 0.012345 btc and eventually petertodd can checkout if he likes.
19:33 <@petertodd> The idea of focusing on making a ledger who you are only holding to not allow double-spends to happen is nice.
19:34 <@gmaxwell> Not secure, not private, etc. But it would be insanely useful. It would do micropayments instantly in a way bitcoin cannot, it would avoid blockchain bloat and transaction fees.. etc. Even the weakest forms of your chaum bank stuff would be better than "just trust the bank"
19:35 <@gmaxwell> the bonded ledgers was just the OP code for double spends?
19:35 <@petertodd> Yeah, and if it's just a ledger, you could re-use all the Bitcoin transaction machinery, including machinery to do double-spend proofs.
19:35 <@petertodd> Pretty much, and if the scripting system was just slightly more powerful, you probably wouldn't even need a dedicated opcode.
19:36 <@gmaxwell> I wonder how you could construct its transactions to make the proof of doublespending maximally small?
19:37 <@petertodd> Basically decompose CHECKSIG, allow for string manipulation, and provide a way to constrain what the txout set of a scriptPubKey spend is.
19:37 <@gmaxwell> though I suppose ideally it would work on bitcoin transactions so you could use it for both on and off chain doublespending prevention.
19:37 <@gmaxwell> though that presupposes a public ledger which is lame.
19:37 <@petertodd> Well, one key thing would be for signatures to use a hash tree to generate the hashes. You just have to show that the inputs were the same both times, not the outputs.
19:38 <@gmaxwell> yea, I've wanted to define a transaction format that is tree structured for other reasons: to build altchains that don't validate buried signatures.
19:38 <@petertodd> Public ledger is the easiest, but you don't have to do that. One way would be to use a crypto accumulator on the set of all txins spent.
19:39 <@petertodd> So you would challenge the ledger periodically to prove they didn't double-spend your transactions.
19:39 <@petertodd> hmm... actually, that could work very nicely...
19:40 <@petertodd> You do need the ledger to publish some type of "state of the ledger" publicly, in a way that can be retrieved anonymously, but, for instance, that could be done with the ledger's deposit and withdrawal transactions as a smalldata.
19:41 <@petertodd> Basically, for any tx the ledger ever makes, if you find the ledger's signature on it you can simply say "OK, so that's the state of the ledger, now prove to me that you didn't double-spend my input"
19:41 <@gmaxwell> the advantage, e.g. of an irc paybot is better scale for microtxn, and improved privacy (basically privacy more like IRC's: not cryptostrong but ephemeral so long as everyone is playing nice)
19:42 <@petertodd> And when you accept a transaction from the ledger, ask for *that* transaction's history, back to where it came from in the blockchain.
19:43 <@petertodd> I assume you've seen reddit's bitcointip right?
19:44 <@gmaxwell> yes. pretty horrible in that it makes a bitcoin txn per tip or at least it did.
19:44 <@gmaxwell> "worst of all worlds: insecure, slow, and non-scalable"
19:44 <@petertodd> Pretty sure it still does; it's blockchain.info based.
19:44 <@petertodd> Especially given the tiny size of tips.
19:45 <@gmaxwell> Yea, b.i doesn't even have a facility for internal transactions.
19:45 <@petertodd> OK, so there's a goal: a library for auditable off-chain transactions.
19:45 <@petertodd> Well, how could b.i and still meet its security promises?
19:46 <@gmaxwell> by allowing you to have some portion of your balance with b.i instead of in your wallet, of course.
19:46 <@petertodd> Well, sure, but then they need my auditable off-chain tx library. :P
19:46 <@gmaxwell> :)
19:46 <@gmaxwell> mtgox seems to do fine without one.
19:47 <@petertodd> mtgox is big enough to have credibility, of course, so is b.i
19:47 <@gmaxwell> What would the audits prove?
19:47 <@petertodd> The audits *could* prove fraud, if caught.
19:47 <@gmaxwell> I mean what kind of fraud.
19:47 <@petertodd> Well, let's say the ledger is internally doing a full blockchain basically, one tx per block.
19:48 <@petertodd> Each block is signed by the ledger, and the blockchain is linked by a merkle mountain range hash system.
19:48 <@petertodd> You also have a UTXO proof system basically.
19:49 <@petertodd> So, one valid query would be to ask "Give me a full transaction history from my tx back to the on-chain tx"
19:49 <@gmaxwell> Right, how do you avoid the proofs not becoming exponential as coins split and merge?
19:49 <@petertodd> It's a good question, likely the ledger can only say "proofs will never be more than 1MiB" or something.
19:50 <@gmaxwell> basically, I'm thinking this hidden blockchain model imposes some performance limits on the dumb-irc-bot-bank that would be unfortunate.
19:50 <@petertodd> I mean, heck, just make the whole thing downloadable, and every year or so just throw it away and start fresh.
19:50 <@petertodd> Yeah, it's a tough one.
19:51 <@petertodd> Double-spend fraud in the ledger is detectable enough, with a spent-UTXO accumulator.
19:51 <@gmaxwell> well what do we really need to prove: that the users' balances sum to the deposits, right? What else for that application?
19:51 <@petertodd> Yes, I think that's the biggest one.
19:52 <@petertodd> The other thing is proving that the ledger isn't giving me my money back, although for now that doesn't need to be automatic.
19:53 <@gmaxwell> So, the bot publishes an anonymized list of accounts and their balances. And it publishes sigmessages showing it holds an equal amount of bitcoin. You can see your balance in the public list,
19:53 <@petertodd> Hmm... well if every transaction is in a chain, and updates a balance sum, that helps. At least all the transactions to and from the ledger can be easily audited. (to deposit the ledger would sign your deposit tx as well)
19:55 <@petertodd> Do we need balances, or scriptPubKey txout hashes?
19:55 <@petertodd> (with merkle summing)
19:55 <@gmaxwell> if your balance changes on you and you don't agree... you publish a "fuck you, bot stole my balance"--account key. which people hash to get the anonymized account key, and the bot publishes a list of all the txn to your account, and all withdraws should be signed by you.
19:56 <@gmaxwell> and if the bot can't produce a transaction log that matches the balance sheet, we know it robbed that person.
19:57 <@petertodd> That works easy enough.
19:57 <@gmaxwell> initial deposits into the system could basically be handled by the payment protocol type non-repudiation.
19:58 <@petertodd> So basically, the bot can't inflate the balance, provided that every user checks that their balance is shown in the public ledger.
19:58 <@petertodd> The ledger balance must match up to the on-chain balance.
19:58 <@gmaxwell> You go to deposit in, bot says "okay, I'll add 1 btc to account H(pubkey), iff you pay address 1unrelated" --bot ... and if you don't get credited you can cry foul on that too.
19:59 <@petertodd> Yes, my fidelity-bonded ledger thing even had a special UTXO out query opcode for that, to use internally with the ledger.
19:59 <@gmaxwell> I don't think that on chain deposits would actually go in directly. Instead the system would be started off with one account: "bank" and a balance owned by the bank. Payments into the system would go into the bank owner's private wallet, and he'd move funds from the bank internal balance to the user mostly.
20:00 <@petertodd> OK, that's reasonable, and as you say, the deposit includes the promise to move the balance from the bank balance to your one.
20:00 <@gmaxwell> (of course the bank balance could be increased over time, but there wouldn't need to be a 1:1 match. This would also enable people to buy space in the bank using chaum tokens, mtgox codes, or whatever they want since deposit inside the bank and on the chain are decoupled)
20:01 <@gmaxwell> well whatever they want subject to how automated fraud handling should be.
20:01 <@petertodd> It's still very reliant on that public ledger of all balances, but seems doable.
20:01 <@gmaxwell> the public ledger would need to be delayed somewhat, I expect.
20:01 <@petertodd> For privacy?
20:01 <@petertodd> Delaying is fine provided it includes some type of hash linking back to your tx's.
20:02 <@petertodd> You want to be able to prove that a tx you performed should have been included in the master published ledger hash, but wasn't.
20:03 < ielo> hello helo
20:03 < ielo> ielo helo
20:05 <@amiller> i think this use of proving txs is only useful if there's something automated that happens
20:05 <@amiller> but this is a good reason to want the big bitcoin blockchain to be capable of metavalidation of other chains
20:05 <@amiller> because something like a doublespend in a minor chain can trigger an insurance payout in a larger chain
20:05 <@petertodd> amiller: This is the toy system - we'll implement automated proofs later.
20:06 <@petertodd> amiller: Basically this is Mt. Gox redeem codes + some auditing.
20:13 <@gmaxwell> petertodd: I guess the balance sheet really ought to be a Merkle-sum-tree.. this way they only publish the root, and only allow users to query their own balance.
20:14 <@gmaxwell> if the whole balance sheet is public you can grok out who's transacting with who by observing matching changes in balance.
20:14 <@gmaxwell> with a Merkle-sum-tree deanonymization requires the users to cooperate to deanonymize each other.
20:58 <@gmaxwell> I also have a related proposal, which needs a new transaction format, that I call checkpoint-transactions where users specify checkpoints in their transactions and the fees can only be recovered (completely?) in chains where the checkpoint matches.
20:58 < amiller> petertodd, fair enough but i think that's not interesting and/or not a reason to try to understand the behavior of optimal miners better
20:59 <@gmaxwell> amiller: I don't think your solution is stable. There will just be an incentive to reduce that fee via whatever other means are available. External fees, promoting locked/checkpointed txn/ etc.
20:59 < amiller> so you are saying that i can do it cheaper
20:59 < amiller> by paying someone out of band
21:00 <@gmaxwell> I think so.
21:00 < petertodd> amiller: sure, and this is -wizards, but remember there is value in fixing the problem for 95% of the cases
21:00 < amiller> i don't see why that's any cheaper or more effective than broadcasting the remainder as a fee
21:01 <@gmaxwell> amiller: because unless the fee you take is zero there still exists some orphaning incentive.
21:01 <@gmaxwell> and unless the fee you give away is zero there is some incentive to take fee move to another way.
21:01 < amiller> i think the optimal amount to take is exactly the fair cost of the work
21:02 < amiller> like that would be an equilibrium point because anyone else would be indifferent to mine above or below you
21:02 < amiller> which would be good, like it would be good if such a stable equilibrium existed
21:02 <@gmaxwell> But I want moar. and I can get moar if I just arrange to pay in a way other than fees.
21:03 < amiller> what other ways are there and how do i include them in this model so i can argue about under what conditions they're cheaper
21:03 < amiller> pay per shares?
21:03 < amiller> i just claimed that the equilibrium is taking exactly the cost of the work
21:03 < amiller> meaning exactly the same as what it would take to purchase mining shares
21:04 < amiller> so those are the same equilibriums
21:04 <@gmaxwell> I'm not talking about purchasing mining shares.
21:04 <@gmaxwell> okay, we're not communicating and I have work to do.
21:06 < amiller> "you send me shares and I pay you with regular bitcoin transactions"
21:07 < amiller> that's why i assumed that's what you were talking about
21:10 <@gmaxwell> amiller: Ah, I see how I wasn't clear. I mean that I pay you for proof that you're attempting to work on my transactions, I don't give a hoot for the rest of the block, I'm not paying you for that, just the fees for mine.
21:10 <@gmaxwell> I'm not running the mining infrastructure or anything else.
21:10 <@gmaxwell> you could do the same work and send proof to hundreds of parties.
21:13 < amiller> ok well i still don't see why that would be a cheaper way to get mining power to work on your transactions
21:13 < amiller> i have to afk a bit so i'll try to work out what you might mean and you can work :o
21:34 <@gmaxwell> amiller: it's cheaper simply because the parties you pay don't have to give any of it away to avoid the risk of being orphaned to steal it.
22:31 < amiller> ah ok so yeah my premise that this begins with someone paying extraordinary fees is silly because there's no good reason for anyone to pay such a fee
22:33 < petertodd> amiller: fidelity bonds
22:33 < amiller> oh yeah hm
22:33 < petertodd> amiller: although if the fidelity bond fee is high enough to create weird incentives, it's not working correctly
22:34 < amiller> if there was a time that there were more rational miners that were prepared to take advantage of opportunities like that
22:34 <@gmaxwell> you can make the fidelity bond into a transaction chain easily enough.
22:34 < amiller> then i think it would be better to remove the coinbase maturity limit
22:34 < amiller> i think i don't understand what it's there for anyway
22:35 < petertodd> gmaxwell: yeah, my protocol is designed to make that easy
22:35 <@gmaxwell> It prevents a reorg from making honest people into thieves.
22:35 < petertodd> gmaxwell: in part for that reason
22:36 < petertodd> yup, like imagine no maturity, someone spreads a coinbase tx to hundreds of people, and then it gets reorged
22:36 < petertodd> even on a technical level that's ugly
22:36 <@gmaxwell> It also reduces the boom-and-bust incentive where you get a bunch of hashpower to majority attack the chain for a bit then quickly sell the coin before anyone notices you've been attacking. Though I think this is just a side benefit.
22:37 < amiller> i don't see how that is unique to coinbase as opposed to any other transaction
22:37 < petertodd> amiller: any other transaction can be put in another block
22:38 < petertodd> (modulo tx mutability)
22:40 < amiller> i see, so it's like a double spend, except a) it's easier to pull off because it will definitely work because it can't be spent in another block (that's the important part) and b) the attacker doesn't get his coins back
22:41 < amiller> that doesn't seem compelling to me because it's still caveat emptor as far as waiting for 6 blocks before believing you own the coin
22:41 < petertodd> yeah, that's one way of looking at it. I mean the main thing is just that it creates horridly ugly accounting problems
22:41 < petertodd> I doubt satoshi thought too hard about nash equilibriums for weirdly high fees - heck, I found an email from him dated nov 2008 where he wasn't even sure if bitcoin would have tx fees at all
22:42 < amiller> (tbh it's not really that i'm so concerned with high tx fees but i'm trying to get a good grasp of this and it's a toehold, and i have so few others!)
22:43 < petertodd> it'd be good to understand it better before people start making crazy fidelity bond sacrifices...
22:48 < amiller> it's possible that a weird high-tx fee attempt could make a double-spend attack cheaper
22:49 < amiller> my new fantasy prediction is that a stylized "rational mining pool" will eventually become predominant and shortly nearly everyone else will follow
22:50 < amiller> you know, that and the 'auto-double spend' feature gets built into every client so that in the case of a huge fork, no one wants to be the guy with the hot potato that gives up a windfall to the scumbag after you who has it enabled
22:51 < petertodd> heh, you'd like my mempool rewrite...
22:52 < amiller> i'm afraid i'm going to dislike it only because it will make this network-mapping project i'm about to try not work so well
22:52 < petertodd> lol, what's this project?
22:52 < amiller> i want to probe the network to see which peers are actually connected with sockets
22:52 < amiller> the simple case is i want to see if node A and node B share a connection
22:53 < petertodd> ah, I better develop some alt-p2p info distribution systems quick...
22:53 < amiller> i create two conflicting txs Tx0 and Tx1, I send Tx0 to both A and B, and simultaneously send Tx1 to everyone else i can connect to
22:53 < petertodd> interesting
22:53 < amiller> now A and B are logically isolated from everyone else
22:53 < amiller> I can send Tx0' to A and see if B relays it
22:53 < amiller> if so, i know they're connected, or at most they're connected via a dark pool dude
22:54 < amiller> because no one else will relay Tx0' because it conflicts with Tx0
22:54 < amiller> this can be improved in pretty straightforward ways to do a lot of mapping in fewer passes
22:54 < petertodd> and you can use that to trace back connections to individual mining pool nodes
22:54 < amiller> it breaks if people relay conflicting transactions or use different rules for mempool
22:55 < petertodd> yeah, replace-by-fee isn't a problem, but the totally different mempool behavior could be
22:55 < petertodd> still, just pay a reasonably high fee to get high priority, and make the profitability equal for both txs
22:55 < amiller> yeah
22:55 < amiller> well lmk if you start to propose something that would break this
22:56 < amiller> because i think it's probably better for everyone if they obscure their connections but it would defeat my attempt at glory
22:56 < amiller> also petertodd tell me what you think of this
22:56 < amiller> a major thing that is lacking is the ability to get realtime measurements of mining power
22:56 < amiller> this would be solved if mining pools would release some of their shares, as realtime streams of proof of work
22:56 < petertodd> heh, I think you are a bad person, incapable of love, for trying to defeat anonymity, but at the same time, I'd much, much rather see you do it, so you should do this
22:57 < petertodd> well, just ask them nicely...
22:57 < amiller> well asking them is one thing
22:57 < amiller> but i'd rather everyone demand it because they acknowledge it's better for the network to do so
22:57 < amiller> anyone who's doing mining should be able to produce concise summaries of their work
22:57 < amiller> just a sample of their shares, like their nearest misses
22:58 < amiller> i could measure p2pool this way of course
22:58 < amiller> but "ethical" pools like slush or btcguild or whatever should adopt this too because it would make it easier to respond to changes
22:58 < amiller> for example during the 0.7/0.8 fork it would make it easier/quicker to estimate just how much of the hashpower has switched behaviors or something
22:58 < petertodd> sounds like central authority...
22:59 < amiller> no it's inherently distributed
22:59 < petertodd> if you need that information, I think it'd be better to ask how can you *not* need it
22:59 < amiller> do you grok what i mean by concise samples of proof of work
22:59 < amiller> oh i see what you mean
23:00 < amiller> the realtime information could be used to amplify movements like that?
23:00 < petertodd> see, I think we're better off accepting that in the short term mining is this crazy random process, and you just have to wait until consensus emerges
17:46 < amiller> let's keep considering the worst case where i am the only one using this trade path and so i have to pay for the entire validation
17:47 < gmaxwell> that in and of itself is a residual hold up risk.
17:48 < gmaxwell> e.g. I can at least extort the value of that refund minus epsilon assuming the non-iterated interaction.
17:48 < amiller> let's decide we figure out what that price will be and set an appropriate length of time
17:48 < gmaxwell> I'm not sure how much of a real risk holdup actually is.
17:48 < amiller> does this solve the race condition
17:48 < amiller> i still can't put my finger on how to state this
17:48 < gmaxwell> The interesting thing is that it's always been possible to do secure-except-holdup cross chain transactions and no one is doing it.
17:49 < gmaxwell> But you can't say that holdup is some enormous scare factor because plenty of people do totally insecure cross chain trades.
17:49 < gmaxwell> I have a feeling that holdup isn't actually a big problem. It's a problem but you could just add a little bit of reputation or identity and basically eliminate it.
17:50 < petertodd> All the evidence that the holdup happened can be right in the blockchain making the reuse problem fidelity bonds face much easier to solve.
17:50 < gmaxwell> (or at least reduce it to the point where that kind of solution is cheaper even considering the weighed failures than the infrastructure required and the direct costs for your proof-refund txns)
17:51 < amiller> i'm aiming bigger, if this is solvable then it's useful for local rather than global chains
17:51 < gmaxwell> petertodd: right, you can even say a foo-bond can only be used for one txout at a time.
17:52 < petertodd> gmaxwell: exactly
17:52 < gmaxwell> amiller: I realize this, as a fundamental way of making things scale better. ... making the global chain a metachain that validates cross chain transactions, effectively. In which case it's reasonable for the local chains to all watch the global chain but not vice versa.
17:52 < amiller> right
17:52 < amiller> yeah... well put
17:53 < petertodd> worst comes to worst, use the global chain for consensus on the fidelity bonds
17:54 < petertodd> And the existence of a global chain can be used directly for your proof-of-work algorithm via proof-of-sacrifice.
17:57 < amiller> ok so along the way, at the very least we've talked just now about a new result for SPV verification
17:57 < amiller> you can sample work and show that a coin *is still available/unspent* without even having to validate all the headers
17:58 < petertodd> ? I missed how that works
17:58 < amiller> petertodd, do you know the work-sampling idea
17:59 < petertodd> amiller: no
18:00 < amiller> petertodd, https://bitcointalk.org/index.php?topic=98986.0
18:00 < amiller> if you have some big collection of blocks, and you want to estimate the total amount of proof-of-work used to create them all, you can do that just by sampling a really small number of them
18:01 < amiller> if there are a million blocks with at least two zeros 00xxxxx
18:01 < petertodd> right, seems obvious enough
18:02 < amiller> then there are probably at least a hundred blocks with several more zeros 00000xxx
18:02 < gmaxwell> amiller: works for large numbers, not so much for small numbers though.. and that doesn't prove they're connected, unless the structure is changed to link along the hash highway.
18:03 < amiller> the structure can be changed pretty efficiently to have a sort of skip-list like thing to make it easier to produce that sample
18:03 < amiller> for spv it's not necessary to prove they're connected, you just have to prove they all don't disagree
18:04 < petertodd> amiller: merkle mountain range: https://github.com/opentimestamps/opentimestamps-server/blob/master/doc/merkle-mountain-range.md
18:04 < petertodd> how are you going to show they don't disagree?
18:04 < gmaxwell> I'm not actually sure if that's better for proving header difficulty than a straight non-interactive cut and choose. The latter is easier to put proofs in just some blocks.
18:05 < amiller> petertodd, by showing that each member of the sample commits to a utxo and that each utxo still has the transaction in it i want to prove still exists
18:05 < gmaxwell> petertodd: you repeat the proof for each block e.g. it's unspent here and here and here and here. you don't need to show they're connected.
18:05 < gmaxwell> big proof though.
18:06 < amiller> gmaxwell, i think you might be right about cut and choose working just as well
18:07 < amiller> in any case it's basically just possible to do this
18:09 < petertodd> amiller: Why not just do a binary search?
18:10 < petertodd> amiller: Oh wait, I'm dumb...
18:11 < gmaxwell> it's kinda sad no one has proposed a non-interactive cut and choose to faster bootstrap spv.
18:11 < amiller> i guess i still don't know how to efficiently prove that it wasn't spent in the last 10 blocks, because you can fake that work easier
18:11 < petertodd> Well, SPV bootstraps pretty fast anyway...
18:11 < amiller> i think i worked out that you could sample work more finely towards the front and get some benefit
18:12 < petertodd> amiller: Proving a coin wasn't spent recently is always going to be insecure - you only have a recent mined block as witness.
18:12 < gmaxwell> petertodd: they're distributing "checkpoints" with SPV clients now to make them bootstrap fast. :(
18:13 < petertodd> amiller: I mentioned to TD earlier today the idea of miners committing to a merkle tree of txids in their mempool, just to prove visibility, you could use that if the commitment included txins being spent.
18:13 < gmaxwell> (though their checkpoints aren't the same kind of thing the reference client has; at least in bitcoinj based stuff they're a "if you can connect back at least this far, the sum of the rest of the diff is Y", as far as I understand it)
18:14 < petertodd> gmaxwell: What? True, I guess on a cellphone ~100MB adds up or whatever it is...
18:14 < gmaxwell> well it's 20mbytes right now.
18:14 < gmaxwell> but the fetching isn't very efficient.
18:14 < gmaxwell> e.g. not pipelined.
18:15 < petertodd> gmaxwell: What do you mean by pipelined? You just mean we can't ask for more than one block header at a time?
18:17 < gmaxwell> I thought they did scalar fetching instead of pipelining, but I might be incorrect. I'm going by what I've seen from logged getheaders but perhaps I'm just missing them setting the count to >1.
18:17 < gmaxwell> Otherwise I don't really understand the reason for the optimization.
18:18 < petertodd> gah, power's out, wonder how long the UPSs at work last...
18:18 < petertodd> gmaxwell: TD's NSA handlers?
18:19 < petertodd> I guess you should be able to set your bloom filter to match nothing, then ask for sequences of blocks, and get just the headers pipelined
18:22 < gmaxwell> petertodd: I mean, getheaders works just like getblocks and should be able to pipeline.
18:23 < gmaxwell> I just didn't think it was being used that way; but it's likely that I'm stupid
19:32 < amiller> so this should also work with other-than-proof of work
19:33 < amiller> suppose there are just two separately-trusted serializer entities like opentransaction servers or quorum or whatever
19:36 < amiller> eh i'll finish that thought later
--- Log closed Tue Jul 09 00:00:22 2013
--- Log opened Tue Jul 09 00:00:22 2013
10:48 < petertodd> gmaxwell, amiller: power's back - Toronto just broke the record for most rain in a single day in history, 126mm, vs. the previous of 121mm during Hurricane Hazel in the 50's... the creek behind my apartment rose about 15ft, although fortunately the engineering is pretty good and houses are set back enough that other than a flooded school it was just some basements here and there flooded.
10:53 < amiller> ahh... hopefully your basement wasn't affected!
10:53 < amiller> according to my logs you did not miss any conversation :)
10:54 < petertodd> I'm on the twelfth floor :)
10:54 < petertodd> though my legs are killing me... the backup power for the elevators and lights died, and I spent a few hours helping people up to their apartments who didn't have lights...
11:16 < gmaxwell> 'here is a flashlight, drop it down the garbage chute when you make it'
12:38 < petertodd> gmaxwell: clever
15:08 < gmaxwell> petertodd: have you pondered the implications of replacing chaum tokens in a chaumian bank with zerocoin? I think it lets you make the signing oracle memoryless (well, enough to verify ZC proofs).
15:09 < petertodd> gmaxwell: That's a good idea actually
15:10 < petertodd> gmaxwell: Although right now I'm convinced the right way to go is with a proof-of-sacrifice blockchain.
15:10 < gmaxwell> Further reducing the scale of the part that has to be trustworthy and resistant to regulator weirdness. Also, if we had a more scalable group signature scheme, the bank could be pretty massively distributed.
15:11 < petertodd> gmaxwell: Auditing the signing oracle would be really easy too.
15:12 < petertodd> gmaxwell: Oh hang on though, you still need consensus about the state of the zerocoin accumulator, so it's not memoryless
15:12 < gmaxwell> petertodd: no you don't.
15:12 < petertodd> How does that work?
15:12 < gmaxwell> it signs the last proof it saw.
15:13 < gmaxwell> and then you just present that proof with your next update.
15:13 < gmaxwell> same way a storageless full miner could still add transactions with the help of a client that has the utxo.
15:13 < petertodd> Yes, but it needs to know the height of the last proof signed. That's not totally memoryless
15:14 < gmaxwell> Fair point. In the case where it's not distributed it still reduces it to a counter.
15:14 * jgarzik listens -- this might have application on my idea for a network of bots that enable off-chain transactions, with some level of prove-they-are-not-cheating
05:17 < gmaxwell> jtimon: well not quite because there is no perfect competition, so everyone with friction along that path is taking their tax.
05:17 < deantrade> Well, if the coins weren't spent for 100 years, then the market probably already adjusted to the lower effective money supply, then like if the original miners who forgot/lost their private keys all get their coins thrown out, people will then know for sure the money supply actually is smaller.
05:18 < jtimon> think about paper wallets, physical representations of bitcoin...
05:18 < jtimon> gmaxwell there is perfect competition in theory
05:19 < jtimon> and bitcoin's "demand for security" is extremely elastic
05:20 < gmaxwell> security is basically a perfect lemon market. You only need any at all except in hindsight.
05:20 < deantrade> jtimon: on that note, I was thinking that eventually people will make altcoins with all sorts of different fixed inflation rates (fixed per ledger), and then let the market decide which inflation rate they want to use.
05:22 < deantrade> I wish bitcoin didn't have such drastic changes in block reward... 50 25 12.5... it's a big deal when transaction fees are significantly less than inflation block reward
05:23 < deantrade> I mean to say, it shoulda been made more continual, no?
05:23 < gmaxwell> seemed to work out okay in practice.
05:24 < gmaxwell> piecewise constant has certain planning and accounting advantages.
05:24 < deantrade> In practice it didn't really matter too much to the miners. But when the next transition hits, miners will have to do lots of planning yea on what kind of hardware they want to buy and run.
05:24 < jtimon> in freicoin it decreases linearly
05:25 < jtimon> gmaxwell some have said that the first reward halving caused the following "bubble"
05:25 < deantrade> In just one block the reward for mining is going to halve when it had been the same for 4 years, that is going to have a big effect on network hash rate when it happens
05:25 < jtimon> deantrade not necessarily, it can also affect prices, or both or a combination
05:26 < gmaxwell> jtimon: the following bubble was pretty long after (three months?)
05:26 < gmaxwell> jtimon: if so, uh. well I am not complaining.
05:26 < deantrade> jtimon: No, I don't think so. Bitcoin is valuable because it is better than other currencies/money/banking systems.
05:26 < deantrade> Maybe bitcoin's halving just brought lots of media attention and more confidence to the system because it was maturing.
05:27 < jtimon> I think it was Impaler who speculated that that was the time it took for the markets to "feel the lack of new bitcoins coming"
05:27 < jtimon> according to him, miners speculated as much as they could but then they had to sell some part to pay the bills
05:28 < jtimon> I think linear would have been better but I don't think it is a big deal really
05:29 < deantrade> Linear? I'm not sure what you mean. Do you mean a more continual reward reduction rather than one step every 4 years?
05:29 < gmaxwell> jtimon: I'm skeptical, market volume was a pretty big multiple of the newly mined coins by then (oddly it seems lower now) but I guess it's unknowable.
05:30 < jtimon> deantrade yes, in frc it is reduced every block until it is not reduced anymore
05:30 < gmaxwell> the biggest argument against the halving operation that I have is that it creates a pretty big incentive to orphan the last block!
05:31 < gmaxwell> but arguably a continuous formula makes for a much smaller incentive to do that constantly instead of only a couple times in the system's life.
05:31 < jtimon> gmaxwell yeah I don't know, Impaler or galambo (I think it was Impaler) made some numbers I think, but I agree it is probably unknowable
05:32 < jtimon> never thought about it that way
05:32 < gmaxwell> jtimon: it's also hard to sort out because we actually changed who was mining at that time.
05:33 < gmaxwell> When the 50->25 change happened I was watching eagerly to see if we'd get stuck warring for the last 50 btc block. :P
05:33 < jtimon> I have no idea, but it was an interesting hypothesis
05:33 < gmaxwell> certainly we had miners which were large enough to where doing so would have been rational.
05:33 < deantrade> I was just looking at the FAQ on freicoin. I disagree with a lot of what the author has to say, his philosophy. It flies in the face of Austrian Economics.
05:33 < jtimon> yeah, we have to rewrite those faqs to something more neutral
05:34 < jtimon> r000n wrote those faqs
05:34 < deantrade> For example: "But money is created by the government, isn't it?" You say the government doesn't make the money, but that's not quite right.
05:34 < jtimon> I wrote ones before but then they were assimilated into the about page...
05:34 < deantrade> The Federal Government's Military and Citizen Police enforce the US's monopoly on money in the US and in international trade
05:34 < jtimon> it's not very well expressed
05:35 < jtimon> but commercial banks create most of the money, even if the state enforced that privilege
05:35 < deantrade> In exchange, the Federal Reserve prints them lots of money for their protection racket.
05:35 < deantrade> Yea, I agree, the commercial banks also with their FDIC default protection get to print lots of money for themselves too
05:36 < jtimon> the treasury could print the money directly without needing to "exchange" anything with the fed
05:36 < deantrade> Yea but that would be less confusing, and they like to keep the sheeple confused
05:36 < jtimon> that's what "greenbackers", positive money and other monetary reformists propose
05:37 < jtimon> what backs paper money is the state and its promise to tax you on that currency
05:37 < deantrade> Anyways, yea the government is the enforcer of the monopoly money, the gov steals from gold backed private banks (NORFED/egold/1933)
05:37 < jtimon> not anything in the fed's balance sheet
05:38 < deantrade> No, what backs paper money is that using paper money and banks increases our productivity via productivity gains in specialization and trade
05:38 < jtimon> that's what backs all money, but yes, true
05:38 < deantrade> It's just that there is a monopoly enforcement on USD, so we have to use USD to get those productivity gains
05:39 < jtimon> what i mean is that state money (like any other money) doesn't need any backing
05:40 < jtimon> and the government could take all the seigniorage for itself instead of giving it to the banking cartel
05:40 < deantrade> I agree, only for money to have reliable limited supply and for it to be easily/most efficient in trading is what makes money valuable as money
05:40 < jtimon> it doesn't even need to impose a monopoly
05:41 < deantrade> Hm, but the banking cartel is kind of like the smart people, and the government is just pandering politicians who do what the cartel wants.
05:42 < jtimon> yeah, the politicians don't rule
05:43 < deantrade> Freicoin says that the underlying cause of the boom/bust cycle is the entrenchment of the financial elite... so it then concludes that for people to be able to own durable valuable things for a long time is bad.
05:43 < deantrade> That is invalid.
05:43 < deantrade> The boom/bust cycle is caused by monopoly money enforcement + money supply manipulation.
05:45 < jtimon> no, what causes monetary cycles is nominally everlasting money's incapability of producing zero interest rates when real capital yields naturally drop that low
05:45 < jtimon> keynes didn't solve the problem, but the problem is older than him
05:45 < jtimon> there were monetary cycles with gold
05:46 < jtimon> we really need to correct the fact, thank you for pointing that out
05:47 < deantrade> "There were monetary cycles with gold" -> not so much when there were private banks, there were local and chain defaults, and booms from bankers increasing their reserve ratios... but nothing like what the Federal Reserve can do.
05:47 < jtimon> probably you'd learn more about free-money by reading directly from Gesell
05:48 < jtimon> well, I'm not a historian
05:49 < jtimon> but when do you say monetary cycles started?
05:50 < jtimon> Gesell predicted hyperinflation as the unavoidable end of keynes-like schemes, yet was strongly against gold and blamed it for cycles
05:50 < deantrade> "money's incapability of producing zero interest rates when real capital yields drop that low" -> uh... in the free market... every durable good has an interest rate that directly corresponds to how much value over time it brings to the market owners as demand and people's strength of desire to own something now rather than later.
05:51 < deantrade> Monetary cycles start when banks loan out at higher rates than they can afford to stay in business without defaulting.
05:51 < deantrade> When banks loan more out (higher reserve ratios) (lower interest rates)
05:52 < jtimon> deantrade so called "time preference" theory of interest is based on the fallacy that everybody prefers things in the present over things in the future
05:52 < jtimon> just because everybody prefers dollars and gold in the present than in the future
05:53 < deantrade> If people don't care when they have something then interest rates go lower. That doesn't make it invalid/fallacy, you are just confirming what I am saying.
05:53 < jtimon> interest rates, like any other price, depend on supply and demand
05:54 < deantrade> But if people want things more right away then interest rates go up.
05:54 < jtimon> capital yields are profits, and depend on competition, not on the intrinsic properties of the real capital
05:54 < jtimon> the more factories there are, the less each one of them yields
05:54 < deantrade> Agreed on last 2 statements.
05:55 < jtimon> and if people prefer things in the future they go negative? that can't happen with gold, usd or btc
05:55 < jtimon> money DOES HAVE an effect on people's time preference, more than the other way around
05:56 < petertodd> well, maybe not ok as it might make mapping inter-network connections easier...
05:58 <@gmaxwell> hm. making a blind SIN into a rate limit is a little tricky. "This message is signed by key(s) from the SIN SET, with at least X btc in value" isn't enough, since it's not a rate. (e.g. you can keep doing it)
05:59 < petertodd> can't the blinding be deterministic? IE it maps to one and only one sacrifice from the set of all prior sacrifices
06:00 <@gmaxwell> You need an additional "Random ID X is the hash of a deterministic signature of time T, by key(s) from the SIN SET, with at least X btc in value." term.
06:00 < petertodd> yeah
06:00 <@gmaxwell> where time is quantized to get you your rate limit.
06:01 <@gmaxwell> (perhaps just divided by the value times some rate control factor set by the system)
06:01 < CodeShark> sorry for interrupting but what's a sacrifice?
06:01 <@gmaxwell> CodeShark: e.g. https://en.bitcoin.it/wiki/Identity_protocol_v1
06:02 < petertodd> CodeShark: underlying mechanism: https://en.bitcoin.it/wiki/Fidelity_bonds
06:02 < CodeShark> oh, that :)
06:02 <@gmaxwell> yea, perhaps a better page.
06:02 < petertodd> gmaxwell: I need to do a specific "proof-of-sacrifice" page
06:02 <@gmaxwell> doesn't have to be coins to fees, could just be coins parked in the UTXO set or something else... but coins in the utxo set can keep moving, which makes sacrifice better.
06:06 <@gmaxwell> sadly even the fastest ZKP system would still effectively be a POW ratelimit right now. :P
06:06 < CodeShark> by "parked" you mean something like a reverse timelock?
06:07 < CodeShark> "coins cannot be spent until after block X"
06:07 < petertodd> gmaxwell: lol
06:07 < petertodd> CodeShark: that's not yet possible to do in bitcoin
06:07 < CodeShark> petertodd: I know - but in principle it could be done
06:08 < petertodd> gmaxwell: coins in the UTXO set do have the disadvantage of making attacks cheaper, kinda like merge-mining
06:08 < CodeShark> this is wizards, after all :)
06:08 <@gmaxwell> CodeShark: by parked I just mean, e.g. coins that were sitting in place as of time X. ... perhaps moved right after.
06:08 < petertodd> CodeShark: true!
06:09 <@gmaxwell> e.g. at the first block after midnight every night (by the blockchain timestamps) becomes the parking-block-height. If we had some kind of utxo commitment you'd just prove you had coins as of the most recent parking height... and that gives you bitmessage bandwidth.
06:10 <@gmaxwell> so long as the snapshot is atomic there is no double dipping.
06:11 <@gmaxwell> and as PT pointed out before the utxo commitment doesn't even need to be in bitcoin itself, it could just be computed by bitmessage nodes. (though they'd have to have the full utxo set to do it)
06:11 <@gmaxwell> probably sins are better though, since they're more easily found, etc.
06:14 < petertodd> gmaxwell: I'm very skeptical of systems that allow for re-use across different applications - UTXO-based stuff falls into that category
06:14 < petertodd> gmaxwell: there is the disadvantage of a smaller anonymity set though
06:15 <@gmaxwell> yea, using the whole utxo set has the biggest anonymity set.
06:16 < petertodd> oh, speaking of, so I came up with a nice scheme for non-interactive stealth addresses
06:17 < petertodd> your anonymity set is some configurable subset of all transactions
06:17 <@gmaxwell> what's a stealth address?
06:18 < petertodd> just have the receiver publish a pubkey, and the sender does ECDH with the pubkey of one of the inputs to derive shared secret x, which is then used to derive a destination address from the receiver's pubkey
06:18 < petertodd> the receiver now scans the whole blockchain looking for funds it can spend. To make it more efficient, just use some mechanism so that scan only has to happen for a subset of all transactions, e.g. by forcing one of the addresses in the transaction to have some specific prefix
06:19 < petertodd> stealth address being a publicly known address where funds sent to it are not known publicly
06:19 <@gmaxwell> yea, bytecoin suggested something like that a long time ago!
06:19 < petertodd> nice!
06:19 <@gmaxwell> (he also described how to send an undetectable encrypted message inside it!)
06:20 < petertodd> ha, I was just re-reading that post...
06:20 < petertodd> obviously not very well :P
06:20 < petertodd> or maybe well enough!
06:20 < petertodd> anyway it's a pretty decent solution to something amir and co have been worried about for awhile
06:20 <@gmaxwell> yea, in any case, yea .. it's just computationally expensive for the receiver...
06:21 <@gmaxwell> and I don't really know that payments with one way communication are really all that interesting.
06:21 < petertodd> not a big deal - so is bitmessage which was (one of) his alternatives
06:21 <@gmaxwell> maybe they are. I dunno.
06:21 <@gmaxwell> perhaps there should be an address type defined for "donation addresses" which are just that.
06:22 < petertodd> I suspect that making stealth addresses well-supported would in practice get rid of a lot of address re-use due to UI constraints
06:22 <@gmaxwell> as far as your "analysis bait" I suggest using R as a sidechannel.
06:22 <@gmaxwell> yea, I agree, you win. it's an awesome point.
06:22 < petertodd> if we can tell people the "address" for their wallet is some stealth address, I think we'd have a decent UI that people would actually use correctly
06:23 <@gmaxwell> it's one of the few cases we've had where address reuse is hard to eliminate, and the cost on the receiver is not so high... plus if they're special donation addresses the fact that it's receiver expensive isn't so bad.
06:23 < petertodd> well, it needs to be a distinguisher that prefix-filtering can identify (annoyingly bloom filtering can't pull this off without making the transactions distinguishable)
06:24 < petertodd> and the great thing with prefix-filtering is that stealth addresses done that way are no more bandwidth intensive than the alternative
06:24 <@gmaxwell> well it could have its own filtering.
06:24 <@gmaxwell> e.g. some servers that tell you about all transactions meeting some criteria.
06:25 < petertodd> yeah, although we're not likely to do mined commitments to those lists which kinda sucks
06:25 < petertodd> we're very likely to do prefix-filtering compatible commits
06:25 < petertodd> *commitments
06:27 < CodeShark> I'd love to see a CAS which compensates you for providing resources to the network for all these kinds of things
06:28 <@gmaxwell> petertodd: so.. downsides, an arbitrary point multiply is a fair bit more expensive than multiplies with a generator. and you now have to keep a secret key online in order to tell which txn are paying you.
06:28 < petertodd> the hard part is figuring out how to force the dest address into the right format, if you have txin pubkey A and receiver pubkey B you get a fixed B', now you can brute force with some incrementing integer i, but that ups the computational effort for the receiver proportionally
06:29 < petertodd> gmaxwell: the secret key doesn't need to be the same secret as unlocks the funds though
06:29 < petertodd> gmaxwell: doubles the size of the address though
06:29 < petertodd> (which is already larger than usual)
06:30 <@gmaxwell> petertodd: I think it's okay if the address is kinda big. After all it has to be big just to have a pubkey.
06:30 < CodeShark> what does UI simplicity have to do with underlying protocols? when you connect to an ssl site, there's a whole handshake mechanism going on under the hood most users don't ever notice
06:30 < petertodd> gmaxwell: yup
06:30 <@gmaxwell> CodeShark: Reality.
06:30 < petertodd> CodeShark: it matters a lot because people like to pass around addresses in things like PGP-signed emails
06:30 <@gmaxwell> CodeShark: go solve address reuse for things like donation addresses that people slap on forum signatures. :)
06:30 < petertodd> CodeShark: requiring payment protocol for that stuff really sucks
06:32 < CodeShark> ok, granted, that is a reasonable use case
06:33 < petertodd> gmaxwell: a cheap trick would be to fail a bit on absolute indistinguishability and reuse, say, nSequence for the prefix-forcing integer
06:34 < petertodd> gmaxwell: you could even use the nonce on the signature, but that breaks determinism...
06:34 <@gmaxwell> petertodd: I don't know why you didn't like my R grinding. :P
06:34 <@gmaxwell> oh that's why
06:34 < petertodd> gmaxwell: yeah, this should be compatible with as many wallets as possible
06:36 <@gmaxwell> meh, if you don't require any obvious 'bait' then it's easy.
06:37 < petertodd> what do you mean by that?
06:42 <@gmaxwell> I mean the tricky part is adding something distinguishable to the transaction.
06:42 < petertodd> oh right
06:42 < petertodd> well
06:42 <@gmaxwell> should just benchmark and see how expensive it is to do ecdh with every txn in the blockchain.
06:42 < petertodd> yeah
06:43 < petertodd> can't be much different than syncing the blockchain on a full node...
06:45 < petertodd> with the two key version you can outsource the computational work too - the risk is only that the counterparty could deanonymize you, something, say, electrum servers already can do
06:46 <@gmaxwell> yep.
10:43 < HM2> http://boingboing.net/2013/12/15/bruce-schneier-and-eben-moglen-2.html
10:43 < HM2> can't believe i missed this over the last week
10:50 < adam3us> btw the card thing P(52,26) is conveniently > 2^128. course then you have to keep them from getting accidentally shuffled
10:58 < adam3us> vaguely related to the idea to use shuffled subset of bit-card.de plastic bitcoin cards to avoid trust in printer https://bitcointalk.org/index.php?topic=330819.msg3548144#msg3548144 pay to address created by adding Q values of half of them, use the other half to check the private key is under the sticker
13:37 < gmaxwell> Sadly that doesn't prevent bitcoin from committing suicide, but at least it would be with the consent of people that own a bunch of it.
13:37 < petertodd> Yup. I'm happy if Bitcoin is destroyed with the concent of those holding Bitcoins myself.
13:37 < petertodd> *consent
13:38 < petertodd> From a practical perspective, it also takes a lot of politics out of the situation IMO.
13:39 < gmaxwell> Well, to be clear: it's some kind of 'majority' consent... which means that some people holding bitcoin will not consent to the suicide. But the alternatives sound worse.
13:39 < gmaxwell> (e.g. alternatives being technical guy political tournaments and fork-risking-wars over client software)
13:40 < gmaxwell> I think ideally would have been to establish bitcoin with initial parameters that could be kept forever.
13:40 < gmaxwell> But since that seems to be impossible, having an economic majority seems like the next best thing.
13:41 < petertodd> Yup, see Peter Vessenes' comments about how much a fork would harm bitcoin: https://github.com/pmlaw/The-Bitcoin-Foundation-Legal-Repo/pull/4#issuecomment-18988575
13:42 < petertodd> In a sense the presence of alt-coins makes it always be an economic majority thing, but the process of people dumping bitcoin for another coin will be really ugly.
13:42 < petertodd> Much better if we come to consensus on an equitable process to choose the limit.
13:43 < petertodd> It'll still lead to PR campaigns and the like of course, but those efforts become less relevant to the dev team.
13:45 < petertodd> The voting method is also designed such that an SPV client can verify the vote, and in particular, that means even if you don't hold the coins directly you can verify the person you did voted according to your wishes. (or the majority of a bank's clients' wishes for instance)
13:46 < gmaxwell> petertodd: can it support key delegation? in particular I should be able to take my coin signing keys offline.
13:46 < realzies> so imma start up an llvm backend project, and see where I can go
13:46 < realzies> I've never dealt with LLVM backend api, so it's gonna be a learning experience
13:46 < petertodd> gmaxwell: With scripting support, yes.
13:46 < realzies> but first, breakfast
13:47 < petertodd> gmaxwell: The idea is a vote is considered valid if a scriptSig matches a txout scriptPubKey, so just add a special OP_VOTE thing - would work best with MAST support.
13:47 < gmaxwell> wow, you seem to have politically influenced vessenes.
13:48 < petertodd> Well, jdillon too.
13:49 < gmaxwell> One problem with the vote thing I expect is there is an uncountably infinite number of free parameters.
13:49 < gmaxwell> e.g. how fast can the parameters be changed, what are the maximums and minimums.
13:49 < petertodd> For sure, such votes can be extended to anything...
13:50 < petertodd> You could just as easily vote on the coin distribution schedule.
13:50 < gmaxwell> Yes, _HOWEVER_, as I said above the ideal is that we have something and that it never changes, let people switch currencies if we got it that wrong.
13:50 < petertodd> But then again, changing the blocksize is setting precedent that we're willing to change an economic parameter too.
13:51 < gmaxwell> But well, that doesn't work when basically everyone can agree that the parameter is probably not right at least not right forever.
13:51 < gmaxwell> I think we can all agree that the distribution schedule is right enough forever.
13:51 < petertodd> Yeah, well, something I realized recently was you can construct a PoW function for an alt-coin that forces miners to prove they've attacked Bitcoin.
13:51 < gmaxwell> And changing it against the consent of some would be no better than letting people change currencies on their own.
13:52 < gmaxwell> petertodd: oh sure, trivial to do. merge mine with bitcoin and constrain it to only be 'bad blocks'.
13:52 < petertodd> Yeah, anyway, if there *was* a strong movement to change the distribution schedule, well, it'd be better to do it with a vote than by fiat.
13:53 < gmaxwell> Whereas with blocksize, I do think that changing it with the consent of most but not all is actually still politically and morally superior to saying "fuck you, switch to fatcoin".
13:53 < petertodd> gmaxwell: Yup, and make those bad blocks empty aside from a bunch of UTXO spam...
13:53 < petertodd> Yeah, and what jdillon proposed was to calculate the median of the votes, which means that everyone's vote did count.
13:55 < gmaxwell> I'll have to look at the details later, I'm still getting myself comfortable with making the blocksize controlled that way.
13:55 < petertodd> Yeah, and details matter - I don't think you can prove a median was calculated accurately without all votes for instance.
13:56 < gmaxwell> I suppose you could gain traction for a particular implementation by proposing them and externally to the blockchain gain POS signmessages.
13:56 < petertodd> Ha, yeah for sure.
13:56 < gmaxwell> petertodd: yes, I would have instead expected something where each block commits to a set of votes, and the block hash picks a representative vote.
13:56 < petertodd> gmaxwell: Yup, NIZK-style random vote.
13:57 < petertodd> gmaxwell: He did say that the per-block vote should be median, and to then take the mean of the blocks - that can be proved incrementally.
13:58 < gmaxwell> one problem with voting is that many voters will be pretty indifferent. It will be easy to buy their votes.
13:58 < petertodd> Oh, and the nonce for the NIZK proof should probably be taken by getting the LSB of the last 64 blocks...
13:59 < gmaxwell> does that matter?
13:59 < petertodd> Sure, but it's ultimately an economic power vote anyway - what I'd be more worried about is wallet software that votes behind users' backs.
13:59 < gmaxwell> If the current block goes into the proof, which it must.. then you could search for your favorite vote.
13:59 < petertodd> Yes, because you want to make sure that you can't apply more hashing power to mess with the vote.
13:59 < gmaxwell> petertodd: yea, except you don't solve that.
14:00 < gmaxwell> e.g. H(last block .. this block) is no better than H(this block) for picking the resulting value.
14:00 < petertodd> Sure I do, if the LSB of the current vote only allows you to influence the path taken at the bottom of the tree, then you have the least possible control. (if the bottom is sorted)
14:01 < gmaxwell> then you can deny entry into the tree for selected votes to get two votes you like into the position decided by that bit.
14:01 < gmaxwell> and then you get complete selection with only 1 bit more work.
14:01 < petertodd> Right, but the miner chooses what votes to include in the first palce.
14:01 < petertodd> *place
14:02 < gmaxwell> I'll have to go read jdillon's thing then, as I'm not quite following how its really solved.
14:02 < petertodd> We're only trying to make sure they can't include 10 votes, and claim all 10 were for the highest size.
14:03 < gmaxwell> so, maybe it would help the proposal: but I would suggest that engineering sanity constrains the maximum rate of blocksize change.
14:03 < gmaxwell> And so instead of people voting on a particular size they could just vote for larger or not.
14:04 < gmaxwell> and stop voting for larger when its large enough.
14:04 < petertodd> Yeah, he's done that to a degree: if the size goes up, and people stop voting, the status quo votes are for the average of the new and old size, so the size will automatically start going down again.
14:04 < petertodd> One issue with sanity constraints is picking the rate of max change is in itself political...
14:05 < gmaxwell> yea thats what I was talking about uncountable parameter space.
14:05 < gmaxwell> But I think it's less bad.
14:06 < gmaxwell> The exact value is debatable, but I think I can say "whatever it is, it shouldn't be faster than doubling every year" and I think no one would argue.
14:07 < petertodd> Hmm... given the votes are essentially part of the UTXO set, actually what the miner does is add votes to that set, and the NIZK is then picking representative votes - it is acceptable to then calculate the median of the votes for the blocks in the past year in that case.
14:07 < gmaxwell> maybe the downward limit is harder to guess.
14:07 < petertodd> gmaxwell: I'm sure Mike would. :P
14:07 < gmaxwell> I don't think he would, or if he did he'd give up easily.
14:07 < petertodd> Yeah, in jdillon's proposal with miner consent the limit can drop as fast as the users want it to.
14:08 < gmaxwell> doubling every year is really really fast. It's faster than expected computer scaling.
14:08 < petertodd> Which is interesting: a 50% economic majority, with 50% hashing power, can vote to shutdown Bitcoin.
14:08 < gmaxwell> and yet it's still slow enough that you can plan for it. Every fiscal year plan to double the amount of storage you're already using. :P
14:08 < petertodd> True, doubling works for that.
14:09 < gmaxwell> petertodd: should there be a minimum maximum? on one hand, it's stupid to vote it down to nothing. OTOH miners can already do that.
14:09 < gmaxwell> the vote would just make it easier for miners to coordinate doing that.
14:09 < petertodd> Heh, you could say every year we pick a representative UTXO, and if they voted to double, we do.
14:10 < gmaxwell> petertodd: variance is a bit high on that. :P
14:10 < petertodd> Yup, I don't see anything wrong with that, and after all it *does* require 50% majority of miners.
14:10 < petertodd> A 50% majority can always choose to ignore the minority including those votes.
14:10 < gmaxwell> petertodd: just for technical reasons, a limit might make sense, because, uh. you don't want to actually stupidly end up in a state where a next block isn't possible. :P
14:11 < petertodd> Yeah, heck, a lower limit of 1MB would probably be fine.
14:11 < petertodd> Maybe say 100KB for sake of argument.
16:31 < petertodd> now, back to my main point: why can't I parallelize that? I have an n port memory block, so I just have n different cuckoo cycle-finding attempts running in parallel
16:32 < tromp__> because prior to insertion both cuckoo[i] and cuckoo[j] may alrd point elsewhere
16:32 < tromp__> because the paths from one attempt will totally screw up the paths from the other
16:32 < petertodd> so what? sometimes these attempts will collide, but that's just a probability thing, we can discard those failed attempts
16:33 < petertodd> I'm still getting parallelism
16:33 < tromp__> no you'll almost never be able to follow a long path of edges all from one attempt
16:33 < petertodd> tromp__: how long is long?
16:34 < tromp__> to find a 42 cycle, you'll need to follow for instance paths of length 21 from each of i and j
16:34 < tromp__> and all these 41 edges you follow MUST be from the same attempt
16:34 < petertodd> (btw, the magic word here is birthday)
16:34 < tromp__> so your odds of running even 2 instances in parallel are about 2^-41
16:34 < tromp__> good luck with that
16:35 < petertodd> ah, but are you sure I can't be more clever than that?
16:35 < tromp__> my paper analyses a more sensible case of trying to reduce memory
16:35 < tromp__> i cannot prove it, but i'm pretty sure
16:36 < tromp__> i'll bet money on it
16:36 < petertodd> like, suppose handle collisions by quickly grabbing an adjacent memory cell to temporarily store the extra data?
16:36 < petertodd> that's the kind of thing a custom ASIC could be engineered to do cheaply
16:36 < petertodd> *suppose I
16:37 < tromp__> then you're essentially creating a bucket instead of a single slot
16:37 < petertodd> tromp__: sure, but I can do that really cheaply!
16:37 < tromp__> no, adjacent slots will mostly be in use
16:37 < petertodd> tromp__: why?
16:38 < tromp__> because you'll be at a load of close to 50% before you find cycles
16:38 < petertodd> for instance, with my grid of small memory bank architecture I can easily have the circuits for each small bank handle that deconfliction
16:38 < tromp__> so almost half of all slots are filled
16:39 < petertodd> tromp__: right, but remember all that matters is we find a short cycle
16:39 < tromp__> plus the administrative overhead of keeping track of which slots store an i edge or an i-1/i+1 edge will kill you
16:40 < petertodd> in software it'd kill you, in hardware it won't
16:40 < tromp__> yes, if you call 42 short
16:40 < petertodd> 42 is short compared to hundreds of mb
16:41 < tromp__> basically, if you try to use shortcuts for edges that work 90% of the time, then you'll still be only 0.9^42 effective
16:41 < tromp__> which is negligibly small
16:42 < tromp__> cuckoo makes you use most of N * 32 bits for a single attempt
16:42 < petertodd> you're still not getting it... let me try another argument
16:42 < petertodd> so remember what I was saying about how memory works?
16:42 < petertodd> even in the *single* attempt case, a routed memory architecture uses a lot less power than a standard one
16:42 < tromp__> let me ask a qst first
16:43 < petertodd> qst?
16:43 < tromp__> if you think you can run multiple instances within memory, are you claiming that you can run cuckoo with half the designed memory?
16:43 < petertodd> tromp__: no, I'm claiming I can run it in less power
16:44 < tromp__> power is alrd pretty small since most time is spent waiting for memory latency
16:44 < petertodd> if you think power is what matters then you don't understand the economics of PoW...
16:44 < tromp__> you assume that PoW must be dominated by cpu bound computation
16:44 < petertodd> you're always in the situation where if you use the equipment for more than a few months power costs more than the equipment
16:45 < tromp__> that's why cuckoo is different.
16:45 < tromp__> you'll be spending way more on RAM prices than on power
16:46 < petertodd> if you want me to believe that, then get a hardware designer to analyse your design, you haven't done that
16:48 < tromp__> i just want you to believe that you cannot feasibly run cuckoo within half the designated memory, even if you add lots of non-memory asics
16:48 < petertodd> tromp__: which I'm not claiming - asics can be memory optimized too you know
16:48 < petertodd> an interesting construction technique for that is to take a memory die and overlay it with a non-memory die actually - extremely low latency, and totally custom
16:49 < tromp__> since cuckoo really randomly accesses the random-access-memory, it will be hard to optimize memory layout
16:49 < petertodd> could be a good way to do the routed memory option actually, and then use power-gating to turn off whatever part of the dies isn't being used for computation, as well as put the dram's into lower power modes
16:50 < petertodd> you don't have to optimize layout, you optimize the wiring that gets the signals to and from the memory cells
16:50 < petertodd> like I said, you burn a lot of power getting the data from the dram cell to the processor and back - shorten those wires and the whole thing uses a lot less power
16:50 < petertodd> how do you shorten them? crazy custom asics, and die-on-die is a pretty solid way to do that
16:51 < petertodd> you also get lower latency by shortening them, and you *did* say cuckoo is latency hard...
16:51 < tromp__> any such optimization would benefit existing ram chips as well. we can assume that samsung alrd optimized their memory chips pretty well
16:52 < petertodd> no they won't, dram is constrained by the fact that it has to be general purpose, I'm saying you can optimize for latency by placing an asic with the computational part of the circuit - not much - directly on top of the memory die
16:52 < petertodd> remember that L1 and L2 cache is basically that same strategy, but with tradeoffs due to all the computational circuits needed in a modern processor
16:52 < tromp__> the computational part of cuckoo is really small. just one hash per edge
16:53 < petertodd> exactly! that's a huge problem
16:53 < tromp__> whereas you need to do 3.3 memory reads and 1.75 memory writes per edge on avg
16:53 < tromp__> so it's really dominated by latency
16:53 < petertodd> so my custom asic die can be those tiny little hashing units scattered all over the place, and my custom memory die can have a lot of read/write ports so that the wires to the closest hashing unit are short, thus reducing the latency
16:53 < tromp__> putting hash circuits on your memory die doesn't help much
16:54 < petertodd> once you find your hash, then the wires to the *next* memory cell/hashing unit can also be short
16:54 < petertodd> tromp__: if you think that doesn't help much, you don't think L1/L2 cache helps either
16:54 < tromp__> all the memory accesses still need to be coordinated to properly follow the paths
16:54 < tromp__> and reverse parts
16:54 < petertodd> so? that can be done locally with custom routing circuitry dedicated to that task
16:54 < tromp__> for cuckoo, L1/L2 cache will be quite useless
16:55 < petertodd> yes, only because it's so small, I'm telling you how to make essentially a custom GPU dedicated to hashing with distributed memory to keep latencies down
16:56 < tromp__> your hashers will be idle 99.999% of the time
16:56 < petertodd> and that's a good thing! when they're idle they use no power
16:56 < petertodd> in fact you'd probably do best with a really custom async-logic implementation of this so you don't have to route clock signals a long distance
16:56 < tromp__> and have no benefit over a single hasher doing all the hashing work
16:57 < petertodd> yes you do, getting the data to and from that hashing uses a lot of power
16:57 < tromp__> you cannot avoid the latency induced by having to coordinate values read from random memory locations
16:57 < tromp__> no matter what wiring, the distance between 2 random memory locations is still large
16:57 < petertodd> yes I do, my hashing circuitry and memory routing circuitry is physically located closer to the cells than before, so speed of light is short
16:58 < petertodd> nope, I can do far more efficiently if the computation and routing happens on the same die and/or module
16:58 < petertodd> remember, the reason why main memory accesses are so slow is because of the speed of light - I'm proposing a design that shortens all those distances drastically
16:59 < tromp__> you're not shortening the distance from random location cuckoo[i] to random location cuckoo[j]
16:59 < tromp__> and the algorithm's action depends on both those values
17:00 < petertodd> yes I am! the distance in commodity hardware is about 10cm, I'm shortening it to about cm
17:00 < petertodd> *about 1cm
17:00 < petertodd> even less if I use crazy 3d packaging... which I can because this is low power!
17:00 < petertodd> like, I should actually sandwich at least three dies, hashing in the middle and memory on either side
17:01 < petertodd> (you may not know this, but direct die-to-die connections are possible these days with techniques like microdots of conductive glue)
17:01 < tromp__> if 3d memory becomes feasible you'll see it on commodity hardware first
17:02 < petertodd> hint: you already do, it gets used for cache and even main memory (in system-on-a-chip designs)
17:02 < petertodd> problem is those designs aren't optimized for latency
17:03 < petertodd> instead they *tradeoff* area for latency, and then make it back up by taking advantage of locality with caching
17:03 < phantomcircuit> petertodd, for scrypt?
17:03 < petertodd> which means I can create a custom design by optimizing for latency at the expense of some area cost
17:03 < petertodd> phantomcircuit: we're talking about cuckoo cycle pow
17:04 < petertodd> phantomcircuit: it's supposed to be asic hard, but it's actually the exact opposite
08:58 < iddo> TD: yeah but they prefer (anonymous) submission to conference for peer review, instead of posting it publicly and confusing random people who come across false proofs
08:58 < nsh> confusion has some overlap with inspiration :)
08:58 < nsh> i don't mind 1000 quacks if there's one genius
08:59 < nsh> (the ratio is probably much higher in practice though)
09:01 < iddo> nsh: i think poly time algorithms for interesting problems are no more than a small const in exponent after optimizations, say n^6 or n^12 when n is the bit size
09:02 < nsh> right, i wonder why this is though... seems very... fortunate
09:02 < iddo> nsh: obviously you can have artificial problems like clique of size 1000 in an arbitrary graph, with poly time complexity of n^1000
09:02 < nsh> sure, there'll always be nasty cases. but it's a question of how they're distributed i suppose
09:26 < jtimon> so iddo, has the paper been proven wrong?
09:29 < iddo> jtimon: probably no one serious tried to look and refute it
09:29 < andytoshi> jtimon: this paper is a tangled structure of about 30 definitions and 10 nested algorithms which purports to be a program which proves the existence of a poly-time algo for a given NP problem
09:29 < andytoshi> (i think)
09:29 < andytoshi> nobody is going to peer-review that when it's just a random thing on the arxiv
09:29 < iddo> jtimon: if you google you can find explanations, e.g. http://www.scottaaronson.com/blog/?p=458
09:32 < pigeons> http://arxiv.org/abs/0711.0770 this one is clearer
09:32 < andytoshi> (iddo's link is a general "how to judge P vs NP papers without reading too closely" article)
09:36 < iddo> there was a claim that looked serious (involving a new technique of statistical physics) about 3 years ago, so Terence Tao and co. looked and demolished it within a few days after it became public: http://michaelnielsen.org/polymath1/index.php?title=Deolalikar's_P!%3DNP_paper
09:41 < t7> Terence Tao used to hang out in the go-lang irc channel :|
09:45 < andytoshi> does he not anymore? he seems to spend an impossible amount of time hanging out on the internet
09:45 < andytoshi> considering how much work he gets done..
09:46 < t7> andytoshi i stopped using go a long time ago
09:54 < jtimon> pigeons you gave me a link about a physics unified theory
09:54 < pigeons> yeah sorry, bad joke
09:54 < jtimon> ah, ok
09:54 < jtimon> this one is clearer
09:54 < pigeons> i was trying to comment on the reliability of arxiv.org papers
09:54 < jtimon> I see
09:55 < pigeons> but if you have to explain the joke, it wasn't a very good one :)
09:55 < jtimon> but is there a critique to this concrete proposal?
09:56 < jtimon> although thank you for the link iddo
09:58 < jtimon> or it was just regarded as "not enough serious" and not reviewed by anyone or something?
12:35 < maaku> jtimon: the paper has only been up for hours
12:36 < jtimon> oh, I see, so there's probably no critique yet
13:37 < zooko> Huh, there are two papers recently added to eprint.iacr.org with "proof of space" in their title.
13:37 < zooko> amiller: have you seen gmaxwell's argument that making mining-effort into a "dual purpose" operation isn't necessarily good?
13:38 < amiller> fwiw i am *not* in favor of "dual purpose" unless the dual purpose is intrinsic to the system itself somehow
13:38 < amiller> zooko, ^
13:38 < amiller> that probably makes no sense i can try to elaborate though
13:41 * nsh nods
13:41 < gmaxwell> it makes sense to me.
13:42 < andytoshi> it makes sense to me
13:43 < amiller> ok :)
13:43 < andytoshi> though i'd have to think a bit about why you feel that way
13:43 < amiller> these two proofs of space papers are interesting that they show up though http://eprint.iacr.org/2013/805 and http://eprint.iacr.org/2013/796
13:44 < amiller> i can't really figure out if they're better than gmaxwell's proof of storage
13:46 < nsh> eerily similar works
13:46 < nsh> (per abstract, at least)
13:47 < amiller> oh, one of the authors of one of them is also on the Secure Multiparty Computation on Bitcoin paper
13:47 < zooko> amiller: that makes sense.
13:47 < amiller> university of warsaw seems to have a strong bitcoin research faction now...
13:47 < zooko> amiller: because of gmaxwell's argument about weakened incentives for correct consensus-building?
13:48 < amiller> zooko, yes that's the argument i have in mind and think is right
13:48 < zooko> ("consensus-building"
13:48 < zooko> amiller: thanks.
13:51 < gmaxwell> amiller: I think the first paper there is basically isomorphic to my proposal with a lot of obfuscating language.
13:52 < gmaxwell> well not quite isomorphic.
13:53 < amiller> do we have a standard template form letter yet to send people who write papers and don't cite forum posts they should
13:53 * amiller wants to see whatever iddo sent the lottery paper authors
13:54 < _ingsoc> Lottery paper?
13:55 < amiller> _ingsoc, http://eprint.iacr.org/2013/784 summarized in this thread https://bitcointalk.org/index.php?topic=355174.0
13:56 < _ingsoc> Oh cool. Thank you. :)
14:10 < iddo> amiller: i pasted the link here yesterday: http://www.cs.technion.ac.il/~idddo/cointossBitcoin.pdf
14:10 < iddo> i asked them to reference this in their paper, but they haven't replied so far
19:23 < andytoshi> like, in 100 years?
19:24 < andytoshi> it's growing at well under 10gb/year
19:25 < andytoshi> the block limit is 1mb, let's suppose that each one takes 1mb on disk, and that the blocks come every 10 minutes
19:26 < andytoshi> that's 144 per day, 52560 per year
19:26 < andytoshi> 52.5 gb
19:26 < andytoshi> so 20 years minimum
19:26 < gmaxwell> nOgAnOo: Bitcoin already is decentralized, so I'm confused by your question.
19:31 < phantomcircuit> gmaxwell, i think he means storage of old blocks
19:31 < gavinandresen> andytoshi: yes, but there is broad consensus that we will need to increase the max blocksize soon-ish.
19:33 < phantomcircuit> nOgAnOo, nobody is going to watch that
19:33 < gavinandresen> mmm. it is on youtube, it must be correct.
19:33 < phantomcircuit> you might as well have just asked us to stare at the wall for 5 minutes
19:33 < gavinandresen> nOgAnOo: there are lots of plans for how to scale up bitcoin while keeping it decentralized.
19:34 < gavinandresen> nOgAnOo: actually IMPLEMENTING them will take time, careful thought, etc.
19:34 < gavinandresen> In any case, scaling up is in the category of "good problem to have"
19:36 * andytoshi is actually watching the video..
19:37 < andytoshi> "250 gigabytes within 2 years"
19:38 < phantomcircuit> andytoshi, otherwise known as "i pulled this number out of my ass"
19:38 < andytoshi> mmhmm
19:38 < andytoshi> after that it sorta crumbles from lies into incoherency
19:38 < andytoshi> to answer your question nOgAnOo, there is thought going into blockchain expansion, but no concrete plans
19:39 < andytoshi> and it's not even close to as urgent as that video claims
19:40 * nsh smiles
19:40 < andytoshi> nOgAnOo: if you listen to this channel you'll see links to research drifting by
19:40 < andytoshi> following them would involve a -lot- of background research i'm afraid
19:40 < jrmithdobbs> so you're a moron asking why you're a moron that doesn't understand a different moron, good show
19:40 < jrmithdobbs> good show indeed
19:41 < andytoshi> but you're not going to get a coherent picture of anything from youtubers
19:42 < phantomcircuit> lol
19:42 < jrmithdobbs> andytoshi: or "christian" researchers ... or any "religious sect" researchers, for that matter
19:43 < jrmithdobbs> andytoshi: "<3
19:43 < edulix> did I read christian researcher in bitcoin-wizards? makes sense, mixing different kinds of magic
19:44 < andytoshi> jrmithdobbs: i recently moved to america, was caught off guard by the amount of "god bless"s that go on between strangers here
19:44 < andytoshi> so i give them all the benefit of the doubt
19:45 < amiller> gesundheit
19:45 < jrmithdobbs> andytoshi: where i grew up in texas and have developed a 7th sense for the bullshit and know exactly when to start mocking instead of attempting to teach
19:45 < jrmithdobbs> andytoshi: ;p
19:46 < andytoshi> well, i'm still learning ;)
19:46 < edulix> nOgAnOo: in the new world order, maybe vatican opens the next mtgox :p
19:51 < nsh> there are sci-fi precedents for this
19:52 < nsh> (deranged-seeming religious beliefs inspiring technological uptake from strange quarters)
19:52 < nsh> also historical precedents :)
19:52 < nsh> but the sci-fi ones are more fun
19:53 < jrmithdobbs> we don't need sci-fi examples, we've got luke! ;p
19:59 * nsh smiles
20:20 < amiller> i'm trying to think of how to explain what's significant about the choices made about how much deposits are needed for the lottery game
20:20 < amiller> in N player lottery game from this paper
20:20 < amiller> say each party puts in 1 coin
20:20 < amiller> the point is that one person is supposed to win N coins
20:20 < amiller> first just note that the expected utility is zero
20:21 < amiller> expected money payout anyway
20:21 < amiller> if the other party goes away you don't necessarily learn the result
20:21 < amiller> one of the parties i mean
20:22 < amiller> but who cares if he has already put in his money
20:22 < amiller> there's a sort of common problem in protocols like this where you show fairness is impossible
20:22 < amiller> suppose you *could* carry out the protocol fairly if someone doesn't send their message in time
20:23 < amiller> that means that last party's message is optional and he might as well not send it
20:23 < amiller> but then the second to last party's input must have mattered
20:23 < amiller> so you follow that back and either you already knew the outcome from the beginning, or someone's participation makes a difference whether it's fair or not
20:23 < amiller> and so the solution is to overcompensate
08:36 < iddo> hmm headers first is an optimization that isn't related to merkle datastruct (like MMR) for lite nodes, i think?
08:37 < sipa> not at all
08:37 < sipa> completely orthogonal
08:38 < iddo> ok, peter todd and amiller said yesterday that the MMR stuff can mitigate DoS that checkpoints currently protect against, i wonder why...
08:39 < sipa> checkpoints don't protect against a DoS, they are just there to make not-checking-all-signatures safe
08:40 < sipa> wait, no, they do protect against a dos by helping the heuristics determine if an early block in the chain has a chance of beating the total known PoW
08:40 < iddo> sipa: yes i mean what gmaxwell said: https://bitcointalk.org/index.php?topic=194078.msg2014204#msg2014204 (i.e. you ignore diff-1 at genesis because you already have a checkpoint)
08:41 < iddo> but then peter todd said that MMR can give this anti-DoS without checkpoints, and amiller said that the reason is that blocks have commitments to the UTXO set
08:42 < iddo> but i don't see why it helps, yet
08:43 < iddo> this is in the context of the new paper by Aviv Zohar, it seems that anti-DoS is easier with Bitcoin rules than his new rules, assuming that there are no checkpoints
08:45 < iddo> for example the most naive anti-DoS is for the Bitcoin node to have some quota and not accept more than a certain amount of forks for each block, so if in the future it turns out that a competing fork is better then that node will need to ask peers for blocks that it rejected in the past
08:46 < iddo> but with the new paper, this naive anti-DoS doesn't work, i think
08:46 < iddo> (could cause netsplits that don't re-converge)
08:48 < iddo> and even if it can work with the new rules, the communication among nodes will be much greater i think
09:35 < petertodd> iddo: emphasis on *sum* tree - the MMR (or just merkle tree) lets you interactively query your peer to be sure the total sum work claimed makes sense. But yeah, even without the sum tree just working backwards from current best block is pretty good too.
09:49 < iddo> petertodd: trying to understand you... isn't that just a method to prove more efficiently that a competing fork has more weight?
09:50 < iddo> petertodd: what i don't understand, diff-1 PoW blocks are (relatively) easy to generate, what's the rule that will cause you to ignore them instead of DoS attack where you'd be bloating your local copy of the blockchain with them?
09:51 < iddo> (checkpoints do prevent this kind of DoS attack)
09:56 < iddo> it still seems to me that with Bitcoin rules to select the best chain we can have anti-DoS mechanisms (without checkpoints) against diff-1 orphans at genesis attack, while with Aviv Zohar's rules I'm not so sure
10:00 < iddo> but i'm still unclear why amiller and you said that such merkle trees remove the need for checkpoints, is it just in the context of bootstrapping new nodes without doing too much work verifying the entire history, or also in the context of anti-DoS ?
10:57 < amiller> iddo, well... you can do something like starting at SPV security and gradually validating the chain
11:05 < iddo> amiller: but not all nodes can do that, i think? the question is still whether full nodes should eliminate orphan branches or keep them, if they always eliminate then the communication can blowup?
11:07 < amiller> eventually eliminate them?
11:09 < iddo> yes i think that with Bitcoin it may be safe to eliminate old orphans (assuming no checkpoints), but with Aviv Zohar's rules, i'm not sure yet
11:09 < amiller> you may even think of it as an incentive thing, there's a tradeoff from an individual's point of view
11:09 < amiller> potentially keeping some orphans around will save on future bandwidth, but at the cost of storage now
11:10 < iddo> it's also not only about eliminating orphans that you already have, but also about rejecting new orphans, like the 1-diff at genesis attack
11:12 < iddo> with Bitcoin i think that it can be safe to reject short orphans (with small risk that you may need to request them later and waste communication), but with Aviv Zohar's rule, not sure..
12:14 < iddo> ok i summarized what i asked here, in the public thread: https://bitcointalk.org/index.php?topic=359582.msg3867074#msg3867074
12:19 < iddo> gmaxwell: with this new rule, you think that blocks need to point to all their ancestors only because of lite clients? full nodes can calculate the difficulty of a block without it having pointers to ancestors, i think?
12:20 < amiller> one question i've had is how you do efficient merging
12:20 < amiller> to make sure the same work doesn't show up in multiple places in the same tree
12:29 < iddo> amiller: btw if you can dig up the #bitcoin-dev or mailing list link where you first proposed this rule, maybe they could reference you in this paper:) might be worthwhile, there's a plan for a followup paper too
12:38 < amiller> i sent an email to the thread with the irc log from bitcoin-dev
12:39 < amiller> i wouldn't mind having an acknowledgement but i didn't develop the idea very far at all :p
12:39 < amiller> i'm really glad that someone is working on it.
12:42 < amiller> i also tried to emphasize that, it's not even that their idea isn't fine as is (we haven't argued super well that there *clearly is* a big dos attack), but that it's difficult to analyze that there are no dos attacks, so being conservative to include things is understandable
12:43 < amiller> so if they really want to say their thing is practical and ready to implement, they should come up with some really compelling anti-dos analysis
12:44 < amiller> that's just my opinion though :o
12:46 < iddo> yes that's all true, probably difficult to analyse it in theory, trying simulations first is a good idea
14:32 < warren> gmaxwell: hm.... the previous thoughts about pruning included nodes having a random subset of the blockchain to serve to peers. that seems good, but that may have privacy issues?
14:32 < warren> gmaxwell: you can use that to identify nodes
14:34 < gmaxwell> You can use many things to distinguish nodes already. So what about it?
14:35 < gmaxwell> You propose instead forcing nodes to use tens of gigabytes of disk space if they want to contribute at all to distributed storage?
14:35 < warren> no
14:35 < gmaxwell> It doesn't connect transactions to anything.
14:36 < warren> are there ways to obscure the subset so it is less certainly a unique identifier
14:36 < gmaxwell> I never suggested a random subset, that would be stupid, I always suggested contiguous quantized ranges.
14:37 < gmaxwell> (stupid because it would take a lot more data to express than just a range or two)
14:38 < warren> ok
14:43 < sipa> and be a lot harder to make sure that a particular block is available
14:44 < sipa> in particular, you'd need O(n^2) nodes that serve the same n blocks with the same probability to get an equal chance a particular block is available
14:45 < warren> when I connect to random bitcoin peers now, it seems that often many of the peers are useless, too slow or fake
14:45 < iddo> in the future we can have SCIP proofs for UTXO "checkpoints", so less need to serve old blocks
14:46 < warren> hmm key birthdates would help
14:57 < gmaxwell> iddo: perhaps, we need scip that doesn't need a trusted CRS.. and prover performance that at least makes it possible to run.
14:58 < gmaxwell> I don't know if we'll have that in 2 years, 5 years, or 10 years.
15:01 < iddo> proof size is logarithmic in num of computation steps (computation == verifying the history, maybe optimized by composing with prev SCIP checkpoints), the issue is how big are the constants of this log size proof....
15:01 < iddo> this is for the variant without CRS
15:08 < phantomcircuit> warren, you can already uniquely identify peers fairly reliably
15:08 < phantomcircuit> they give everybody the same version nonce iirc
15:49 < gmaxwell> iddo: well for checkpoints it can be rather large, eventually it will be small relative to the blockchain. :) But I worry about computing it just being infeasible. If it costs $1k in compute time that's doable, if it costs $1m in compute time that's right out.
15:56 < amiller> hrm, what should be the parts of a bitcoin gambling tool that plays through games of iddo's protocol?
15:57 < amiller> i am thinking it should be a self contained wallet
15:57 < amiller> because i would want to have some notion of 'sending coins to my gambling wallet' rather than integrating it with my personal bitcoind or something big like that
15:58 < amiller> really i would want this to be SPV something, it's not particularly supposed to provide bandwidth to anyone
16:05 < amiller> i guess i should study bitcoinj
16:33 < gmaxwell> iddo: I really wish people with implementations of snarks for C would release something... there are 'small' applications we could use the stuff for right away. Like proving ownership of a bitcoin without disclosing which bitcoin you own.
16:35 < sipa> i've been out for too long... how does snarks relate to scip?
16:37 < maaku> sipa: scip is snarks
16:37 < maaku> SNARKS is the general term
16:37 < maaku> SCIP is what Eli et al call their implementation of a SNARKS system
16:37 < maaku> gmaxwell: correct me if i'm wrong
16:39 < gmaxwell> sipa: SCIP is just what Eli et al call their SNARKS for C stuff.
16:40 < sipa> ok
16:40 < sipa> are they abbreviations of something?
16:40 < gmaxwell> SNARK = succinct argument of knowledge (sometimes zk-SNARK when it's also zero knowledge). succinct ~meaning that it's sublinear in the witness size, argument because they are only computationally sound, they're not a proof.
16:41 < gmaxwell> (there is some proof that you cannot produce a proof (perfectly sound) which is succinct, the best you can do is computationally sound)
16:43 < gwillen> gmaxwell: is there a 30-second explanation of what 'computationally sound' means in this context?
09:33 < michagogo|cloud> - We would like to remind you that unauthorised public logging of channels on the network is prohibited. Public channel logging should only take place where the channel owner(s) has requested this and users of the channel are all made aware (if you are publicly logging your channel, you may wish to keep a notice in the topic and perhaps as an on-join
09:33 < michagogo|cloud> message).
09:33 < michagogo|cloud> (minus a few line breaks)
09:34 < andytoshi> yeah, i see it now
09:35 < andytoshi> i'll stop publishing the logs until i get an ack from someone
09:38 < michagogo|cloud> andytoshi: At the moment, it's not "someone", it's greg
09:39 < michagogo|cloud> (or jgarzik, if he decides that he wants to get freenode staff to op him in here)
09:53 < andytoshi> michagogo|cloud: did you get my message late last night, saying i fixed the donation address thing with the coinjoiner?
09:53 < andytoshi> http://testing.wpsoftware.net/coinjoin/sign.php?session=b3b098642a36f1aa62a333f5a15a6e98a04dfb7622e4eb3dd74f3d706f149d7b
09:53 < michagogo|cloud> I signed and submitted
09:54 < michagogo|cloud> (earlier, when I saw that)
09:55 < andytoshi> hmm, i'm pretty sure i did as well
09:55 < andytoshi> i re-submitted just in case, otherwise i've got a new bug :(
10:00 < michagogo|cloud> just resubmitted just in case
10:01 < andytoshi> thx
10:01 < andytoshi> it looks like all the signatures are in the database, if it's not working then there's a merging problem
10:11 < michagogo|cloud> andytoshi: any luck?
10:14 < andytoshi> michagogo|cloud: yeah, the outputs are subtly different for what i signed and what you signed
10:14 < andytoshi> like, the scriptpubkeys have slightly different hex
10:15 < andytoshi> but, the DB shouldn't have accepted any such discrepancies, so i'm not sure (a) how this could even happen or (b) how it got through the site's input filter
10:16 < andytoshi> i signed 76a9143312004af0b4d2323676e488ae6900c9cb3b38c888ac:10000000
10:16 < andytoshi> u signed 76a9148c04bfe5e2a91b609b92d4f7af6cadda9d1e47e088ac:10000000
10:16 < andytoshi> oh, those are actually completely different..
10:17 < andytoshi> what i wrote there is scriptPubKey:nValue
10:21 < andytoshi> ok, this is embarrassing ... i changed the output of coinjoin a few days ago, and i updated the PHP code to check errors correctly when validating unsigned transactions
10:22 < andytoshi> but forgot to update the code which validated signed transactions
10:26 < andytosh1> you submitted a signed transaction that didn't match the one offered by the site (probably because you re-submitted your signed transaction from last time, but this is a new session so the inputs/outputs got reordered)
10:26 < michagogo|cloud> I did?
10:27 < andytosh1> it appears so, yeah
10:27 < andytosh1> one moment, i'll clear out the signed transactions from the db and we can both resubmit
10:27 < andytosh1> done
10:27 < andytosh1> oops, i have to put the seed one back :P
10:29 < andytosh1> ok, can you try again?
10:31 < michagogo|cloud> done
10:32 < michagogo|cloud> andytosh1: submitted
10:33 < andytosh1> thx, got yours
10:34 < andytosh1> seems like it did not get mine..
10:40 < andytosh1> ok, now the one that i submitted, bitcoind cannot decode :} but again, php is accepting it..
10:45 < andytoshi> awesome, it went through :) tx d08ed6edab38bbd80eb96739777b096ccc654f5a1c398baeeaa11355b6d75bd6
10:45 < andytoshi> thanks a ton for testing, i'm glad we had so much bad input
11:02 < jgarzik> hrm
11:03 < jgarzik> Has anyone worked on a script form that does "<multisig> AND <multisig>"?
11:03 < jgarzik> OP_AND is disabled
11:19 < nsh> HULK SPLIT!
11:24 < gmaxwell> jgarzik: works for true false, also you can do that with OP_IF, or with just two CHECKMULTISIG VERIFY in a row
13:01 < jgarzik> gmaxwell, I was thinking "if multisig then multisig else false endif". Two multisig in a row should work too...
17:33 < andytoshi> if i want to update my joiner to use blinded addresses, what user tools (if any) exist for this?
17:34 < andytoshi> if i write some, what papers should i read re implementing the crypto?
17:37 < nsh> andytoshi, what are blinded addresses?
17:37 < andytoshi> nsh: https://en.wikipedia.org/wiki/Blind_signature is a good overview
17:37 < nsh> chaum's blind sigs?
17:37 < andytoshi> yeah
17:37 < nsh> kk, reading
17:37 < gmaxwell> andytoshi: see maaku's git repo.
17:37 < andytoshi> cool, thx
17:38 < gmaxwell> (He implemented RSA blind signatures for this stuff)
17:45 < andytoshi> he has, for example, in the function _pad_message "REVIEW: I need a professional cryptographer...Does it matter in this particular application if the padding is deterministic instead of random?"
17:45 < andytoshi> if there are any professional cryptographers on here, i am curious too :)
18:25 < maaku> i asked that of gmaxwell iirc, and no it doesn't matter
18:25 < maaku> but also, it doesn't matter if it is deterministic or not
18:25 < maaku> the protocol changed a bit since I wrote that
18:40 < nsh> maaku, issue that springs to mind is that blind signing is insecure if the keys are also used to encrypt, which is generally not (so far, to my knowledge) the case with bitcoin privkeys, but worthy of consideration nevertheless
18:41 < maaku> coinjoin keys are ephemeral RSA keys used for that join only
18:41 < nsh> ah
18:42 < maaku> although I would prefer schnorr ec blind signatures using one of djb's curves, if someone went through the trouble of working out how to do that
18:43 < maaku> but yeah, throwaway keys on a different curve, so not much danger of that
18:43 * nsh nods
18:43 < maaku> i just wasn't sure if deterministic padding weakened the signature or otherwise led to any sort of attack
18:44 < gmaxwell> maaku: funny, I was going to make a comment to that effect; "if you feel like implementing something, blind schnorr would probably be better"
18:44 * nsh reads http://blog.cryptographyengineering.com/p/note-on-blind-signature-schemes.html
18:46 < maaku> all the pieces are there, I think, but I wouldn't trust myself to put them together
18:46 < maaku> I'm an informed user of cryptographic systems, not an experienced practitioner of the art
18:47 < maaku> but RSA is hard to f@&# up
18:48 < gmaxwell> Hm? ha. That's exactly the opposite of my view.
18:48 < jrmithdobbs> rsa is pretty easy to fuck up
18:48 < gmaxwell> RSA is pretty easy to F^$%# up and EC systems tend to be harder
18:48 < jrmithdobbs> especially if you have to write it for multiple different hw platforms or runtime environments
18:48 < gmaxwell> "Oh you thought you were signing? HAH No. You were decrypting things for me. Sucks to be you!"
18:48 < maaku> i meant not implement correctly -- fewer moving parts with rsa
18:48 < jrmithdobbs> ya
18:49 < jrmithdobbs> that ya was to gmaxwell's comment
18:50 < jrmithdobbs> maaku: a lot of the errors you can make implementing rsa are less immediately obvious but more completely destructive to the security of your protocol/use
18:50 < maaku> jrmithdobbs: i'm aware
18:50 < gmaxwell> maaku: well fair enough, though once you have the primitives already
18:50 < andytoshi> i'd be interested in looking at schnorr signatures, i've got a few papers about them backlogged
18:52 < maaku> gmaxwell: yeah that's what i'm saying - i don't trust myself to modify djb's sources to do schnorr blind sig and trust that it actually *is* correct signature primitives
18:53 < maaku> but if someone were to write that, it'd be easier and safer to integrate into coinjoin implementations (and faster, and higher security level .. really no downsides)
18:54 < gmaxwell> maaku: well I believe that no changes are required in the validator, so that should help gain confidence that it's correct.
18:55 < gmaxwell> e.g. it should just need a blind/unblind/and blindsign function (and the latter only because the normal signing functions do the hash internally).. and the result should be verifiable with unmodified code.
19:02 < adam3us> maaku: i might be persuaded to try that (EdDSA ==EC Schnorr blind sig)
--- Log closed Tue Dec 17 00:00:02 2013
--- Log opened Tue Dec 17 00:00:02 2013
00:20 < gmaxwell> ugh. https://bitcointalk.org/index.php?topic=374085.0
00:22 < Luke-Jr> gmaxwell: well, Gavin did encourage it in his blog
00:24 < gmaxwell> mostly ugging at advocating it for "Logins to websites without passwords" and "pseudonyms" where encryption is entirely the wrong tool, and the requirement to have 'spent' from it is completely unnecessary because signmessage already does those things, and a lesser ugh at the address reuse that implies.
00:25 < gmaxwell> it's also probably only about 50 lines of code, just seems weird to me to see people making announcements for such small things.
00:25 < Luke-Jr> I was ugging at the data-in-bitcoin-blockchain :P
00:26 < gmaxwell> they aren't putting any data in the blockchain yet.
00:27 < gmaxwell> all they're doing is using blockchain.info as an addr to pubkey service and doing encrypted messages using ECDH with that pubkey.
00:27 < Luke-Jr> O.o
00:29 < gmaxwell> Luke-Jr: mind giving a polite response on the login / identity points pointing out that doing that via signmessage is already a widely established practice, doesn't require making transactions, carrying around the public key explicitly, or consulting (centralized) databases?
00:31 < Luke-Jr> gmaxwell: well, this claims to be the inverse?
00:32 < Luke-Jr> oh, you mean just respond to that point
00:33 < gmaxwell> yea. I don't see any reason why you'd use something based on this over signmessage, but there may be people who see this post (even the author) who are unaware of signmessage.
00:35 < andytoshi> istr altoz being around for a long time, he should be aware of these things..
00:36 < Luke-Jr> gmaxwell: http://bitcointroll.org/?topic=374085.msg4004568#msg4004568
00:37 < gmaxwell> Thanks.
17:14 < jtimon> gmaxwell: interesting prediction, but you've said two options, so that's my point, we can't predict the future of hardware, what architecture are we anti-optimizing against?
17:15 < sipa> i'm not sure it matters
17:15 < jtimon> yeah gmaxwell xmm mmx
17:15 < gmaxwell> jtimon: we? I think it's all stupid regardless. :)
17:16 < gmaxwell> as I said, I don't think arch targeting can prevent there being at least a small constant improvement from dedicated implementations. Since mining is ~near perfect competition that small factor is enough to generally exclude the non-specialized stuff regardless.
17:16 < gmaxwell> And so simple circuits like SHA256 at least improve equality of access.. anyone can design a sha256 asic which is pretty competitive, (well if not actually fabricate it themselves)
17:17 < gmaxwell> vs if you really did build something that required AMD scale engineering, then you'd much more likely have a hardware monopoly or near so.
17:17 < gmaxwell> simple fast circuits also have fast verification, which is very helpful too.
17:18 < jtimon> ok, so I see you have even more reasons than me against the "quest for the perfect mining function"
17:19 < gmaxwell> I think that like a lot of things in engineering you can only optimize so far and then it's all just messy tradeoffs.
17:19 < sipa> heh, maybe we need an altcoin optimized for ASICs
17:20 < gmaxwell> DES POW.
17:20 < sipa> where the PoW function has a trivial optimal circuit design
17:20 < jtimon> targeting GPU-friendly but ASIC-hard is especially odd for me since 1) as you said the latter doesn't really exist 2) GPUs are already a market with concentrated production (the problem supposedly solved by "hardness")
17:20 < jtimon> sipa there's one alt named ASICcoin
17:21 < gmaxwell> DES sboxes make for trivial combinatoric logic, it's much slower on current cpus/gpus than it is in direct hardware all other things equal.
17:22 < gmaxwell> the sha256 circuit is really straightforward already. You can get some gains by careful staging to equalize latencies...
17:33 < andytoshi> i have a crazy idea (involving nonexistent crypto) for a research pathway to a SNARK without forge-enabling keying material: http://download.wpsoftware.net/bitcoin/wizardry/public-fhe.pdf
17:34 < andytoshi> throwing it out here because there's probably something obviously dumb about it, and you guys are good at catching that stuff
17:58 < gwern> http://www.reddit.com/r/ethereum/comments/1vh94e/dagger_updates/
18:30 < jtimon> how is "computer hardware" not "theoretical computer science"?
18:32 < jtimon> oh, not experts in hardware, I misread
21:56 < gmaxwell> There was a puzzle in the MIT mystery hunt that some folks here would like solving.
21:57 < gmaxwell> oh. crud. I guess I can't post it until after the hunt is over, so forget the last line for three days.
23:38 < jcrubino> is it possible to have an address that is both a valid litecoin and bitcoin address?
--- Log closed Sat Jan 18 00:00:29 2014
--- Log opened Sat Jan 18 00:00:29 2014
00:02 < Taek42> gmaxwell what do you do for a living?
00:02 < phantomcircuit> Taek42, he works at mozilla doing stuff and things
02:24 < justanotheruser> jcrubino: no simply because of the fact that litecoin's version number starts with L, not 1
02:38 < jcrubino> justanotheruser: I have a testnet address that passes validation tests by both daemon clients
02:39 < justanotheruser> jcrubino: Hmm. I suppose if both daemons ignore the version it could be valid
02:40 < brisque> justanotheruser: I explained in #bitcoin-dev that you can use the same public keys, just the address reads differently.
02:40 < jcrubino> I chased my tail in circles while unit testing over that
02:40 < justanotheruser> what character does the testnet address start with
02:40 < brisque> m or n
02:40 < brisque> ;;bc,wiki address prefixes
02:40 < gribble> https://en.bitcoin.it/wiki/List_of_address_prefixes | Dec 25, 2013 ... The encoding includes a version byte, which affects the first character in the address. The following is a list of some prefixes which are in use.
02:40 < justanotheruser> brisque: I meant for litecoin
02:40 < brisque> does litecoin have a testnet?
02:40 < jcrubino> yes
02:41 < justanotheruser> brisque: yes, but I figured it would be valid for the bitcoin daemon considering the daemon might consider the version number bad
02:42 < brisque> if the testnet prefix is the same it'll work with no problem
02:42 < jcrubino> assuming I change out the address prefix in bitcoind to the litecoin version what else needs to change to make it litecoind ?
02:42 < justanotheruser> jcrubino: ultimately you can have a public key hash that is valid for both bitcoin and litecoin. An address is just a conversion to base 58 with a version number
02:42 < brisque> jcrubino: mainly just the POW system and the logo.
02:43 < jcrubino> does a non mining daemon verify the pow or does it just relay ?
02:45 < brisque> every node validates the POW of every block
13:21 < justanotheruser> If it is possible to have a PoW that only has a maximum of like 5% improvement from CPU to ASIC, is that beneficial?
13:27 < nsh> justanotheruser, in general, no.
13:31 < maaku> justanotheruser: the best you could probably do is several multiples, maybe an order of magnitude
13:46 < justanotheruser> maaku: eh, I disagree. If the hashing function takes up a lot of code and uses many different RISC instructions, then you could use an ASIC, but it might be prohibitively expensive because you have to have so much circuitry to have the hash function implemented.
13:46 < justanotheruser> s/takes up a/uses a
13:48 * nsh frowns
14:03 < adam3us> justanotheruser: the hashing function would have to be very dynamically dependent on the instructions, or it can be special cased; even then someone can make the minimal unrolled cpu, strip out everything else and put that circuitry down redundantly as many times as it will fit. i think inevitably almost, hw wins, by a decent margin
14:06 < adam3us> maybe another direction is a FPGA friendly design, and hope the ASIC/FPGA advantage will narrow as a trend.
14:06 < justanotheruser> adam3us: Yeah dynamically dependent instructions would be better. If you made it use all instructions, and it involved storing data in the registers, etc wouldn't the ASICs essentially be efficient CPUs?
14:07 < gmaxwell> why does this pow wanking keep going on here?
14:07 < gmaxwell> I can't imagine a less interesting subject.
14:07 < gmaxwell> Does anyone here even care about it?
14:07 < adam3us> potentially. however it's a bit of a weird cpu. it doesn't mind the input being a counter, and 99.99999% of the outputs are thrown away
14:08 < justanotheruser> adam3us: maybe the PoW could require all the outputs.
14:09 < justanotheruser> One problem I see with this is verification taking a long time
14:09 < andytoshi> gmaxwell: +1, guys we had a long long discussion about this yesterday and it completely overwhelmed my ability to follow the entire -wizards scrollback
14:09 < gmaxwell> I just don't even understand why it's being discussed, since I don't think anyone here even thinks it's actually all that important.
14:10 < gmaxwell> (though maybe my tolerance is limited because I'm only looking in here once/twice a day because I'm busy elsewhere right now)
14:10 < justanotheruser> gmaxwell: It seems one of your altcoin ideas linked in the topic involves a modified PoW
14:10 < adam3us> maybe we need a #bitcoin-pow-wankery ;)
14:11 < gmaxwell> justanotheruser: I specifically avoided this kind of BS on that list. All the 'modified pow' there were achieving some other purpose than architectural overoptimization.
14:11 < adam3us> justanotheruser: many of the alts' sole 'hook' (aka fake argument for existence/sales pitch) is a different pow for "decentralization"
14:12 < gmaxwell> I think there is no end to what you can discuss in that space, and the arguments that it's a useful tradeoff are very hard to make a clear argument for.
14:12 < gmaxwell> It's just the kind of superficial thing that people can discuss forever. e.g. "random POW generator"
14:12 < justanotheruser> adam3us: I agree it doesn't save electricity or anything like that. People just end up spending money on the hardware instead of the electricity.
14:13 < adam3us> justanotheruser: so at a high level, it would not have to be so slow to verify just because it depends on the dynamic execution of a randomly generated machine code I think
14:13 < adam3us> justanotheruser: seems to me asic-hardness ends up using more electricity typically
14:15 < jtimon> justanotheruser when your ASIC competitors are doing 4% profits, will you mine at -1%?
14:16 < justanotheruser> jtimon: ASICs probably wouldn't give them 4% profits because they would have to buy new hardware
14:16 < adam3us> but it's probably more fruitful towards decentralization to try to find ways to put diseconomies of scale into the protocol somehow or make bitcoin less vulnerable to 25/33/50% attack, selfish mining and policy/censorship with any level of centralization, then maybe we don't even care
14:16 < justanotheruser> The ops here seem to want us to change the topic though.
14:16 < jtimon> profits = gains after all costs, including capital costs
14:17 < justanotheruser> jtimon: I don't understand why you defined profits. It doesn't really change anything about what I said.
14:18 < adam3us> as i recall no one found a good answer to the 25/33% attack, and ghash is at 34% now coincidentally
14:19 < justanotheruser> adam3us: what's the 25/33% attack? Just them being able to do a large reorg some of the time?
14:19 < gmaxwell> it's the argument that pow-wanking for foo-hardness is irrelevant because the perfect competition of mining will drive even the marginally less efficient out of business. You can debate how much slop there is... but whatever you decide it won't be a huge amount.
19:50 < jtimon> I'm not saying it's not a difficult problem, I'm saying you can model the filter against random curves without modeling any mining economics
19:51 < gmaxwell> No you can't. A filter with overshoot behaves very differently in a non-linear system than does one which is critically damped.
19:51 < jtimon> there could be an earthquake destroying 40% of the hashrate and you should be prepared as well
19:51 < phantomcircuit> gmaxwell, is there a cap on how large the change in difficulty can be for any one period? (either up or down) ?
19:51 < gmaxwell> What I'm pointing out is that some filters can actually cause system failure under some mining economics models.
19:51 < gmaxwell> phantomcircuit: yes, 4x.
19:51 < phantomcircuit> oh
19:51 < gmaxwell> (in both directions)
19:52 < phantomcircuit> so that's effectively only relevant for down
19:52 < jtimon> gmaxwell I think all filters could fail under certain conditions
19:52 < gmaxwell> the box filter is probably unconditionally safe.
19:52 < jtimon> you must choose the conditions you're not prepared for
19:52 < gmaxwell> jtimon: forget "prepared", I'm pointing out that some designs can fail when nothing changes or goes wrong.
19:54 < gmaxwell> In an environment where miners turn off when not profitable and turn on when profitable, a design that has overshoot can drive the system into instability. miners turn on, diff goes up, but it goes up too much and then even more miners turn off. then when it goes down it goes down by too much and more miners turn on, and each swing a great portion of the hashrate is being pulled into the oscillation.
19:54 < jtimon> I haven't studied any of the filters so I believe a box filter could be better and there's designs that can fail with a constant hashrate
19:54 < midnightmagic> keynesian beauty contest to the rescue?
19:54 < midnightmagic> :-)
19:54 < jtimon> but when's the point in choosing those?
19:55 < gmaxwell> jtimon: I think the design in freicoin is one that can fail with constant hashrate!
19:55 < jtimon> gmaxwell you can also manually change diff with a hardfork
19:55 < gmaxwell> (it has a pretty substantial overshoot)
19:56 < jtimon> oh, I see
19:56 < jtimon> I didn't know
19:56 < gmaxwell> jtimon: which is part of the reason that worrying about black swans is probably a waste of time, esp if the result is something that's riskier.
19:56 < jtimon> like most times, it's a tradeoff
20:00 < jtimon> in any case, maybe you're right that a less "responsive" filter is better long term, with a mature market without so much subsidy
20:01 < jtimon> but in this case (allowing bitcoin asic miners to come and go, but not to mine both at the same time) we desperately needed something more prepared for wild swings
20:03 < gmaxwell> my complaint there is not about responsive.
20:05 < maaku_> gmaxwell: the overshoot is not that substantial
20:05 < maaku_> the parameters themselves are slightly underdamped
20:05 < maaku_> and the overshoot comes from the 144-block window
20:06 < gmaxwell> maaku_: Hm. from the FIR filter I saw you using before it could be as high as 20%, IIRC though perhaps it got changed?
20:06 < maaku_> so with big square-wave changes, it takes a dozen or more blocks to react
20:06 < maaku_> no, it hasn't changed.
20:07 < maaku_> i just have a different opinion of those numbers - overshooting by 20% when someone is toggling an order of magnitude more hash power than your entire network is pretty good, imho
20:07 < maaku_> we were <1Th/s, and getting hit by 10Th/s chain hoppers
20:10 < gmaxwell> that's not what overshoot means, that's called group delay when it takes a long time to react at all.
20:11 < gmaxwell> Overshoot is when it does react that it can react more than the change.
20:12 < maaku_> yes, well you want a little bit of that
20:12 < maaku_> you want it to be underdamped, slightly
22:37 < justanotheruser1> How many inputs and how many outputs can be in a transaction? Is there a limit on this other than 1mb?
--- Log closed Sat Jan 25 00:00:57 2014 --- Log opened Sat Jan 25 00:00:57 2014 01:31 < maaku_> justanotheruser: 18,446,744,073,709,551,615 01:31 < maaku_> you hit the 1mb limit long before then, however 03:07 < adam3us1> so i think i found a way to (network) efficiently and securely do SPV for single use addresses. now that i thought about it I dont see why i didnt see it before as it an application of NIFS which i described up as a problem statement of in 1996, and found a mechanism for in 1998 (novel use of IBE) and Boneh found a more efficient building block for in 2001 (the weil pairing) 03:08 < adam3us1> NIFS http://www.cypherspace.org/adam/nifs/ 03:10 < adam3us1> it was thought up to provide forward secrecy for email where there is no interactive communication. read that. its basically like a public derivation variant of HD wallet concept but where anyone can be after the fact given a private key 03:17 < adam3us1> hmm maybe not ... gotta think more about this (just woke up:) i am thinking weil pairing gives the extra flexibiliy so you can have someone derive a public encryption key for you from a reusable encryption pub key and the previous block number, then do a derivation from the reusable address with a random factor by sender, encrypt factor with the derived pub enc key, and then afterwards you can derive the corresponding private dec key and s 03:18 < adam3us1> and therefore the query (the private key) could be unique to the block only, obviously very compact, useless for correlating with other blocks, and non-interactive 03:20 < gmaxwell> well, we can do what tor is looking to do with hidden services but its not blind to someone who knows your address. 03:21 < gmaxwell> hm. 
interesting yea okay
03:22 < adam3us1> yes ok i think brain woke up, its not NIFS its a diff problem statement a variant without the forward-secrecy as you need random lookup in the tag space, and to be able to safely send people the private key
03:22 < gmaxwell> so how about this: take the reusable address scheme, but make the ECDH pubkey be pubkey + H(blocknumber)*G
03:23 < gmaxwell> the problem there is that it has the private key unzip attack that BIP32 has.
03:23 < adam3us1> gmaxwell: basically each user is their own IBE server, they publish the IBE params as their reusable public address
03:23 < gmaxwell> yea, I don't think this is doable without pairing the EC addition way to do it has the unzip attack.
03:23 < adam3us1> gmaxwell: so with IBE your identity is your key, so encrypt with the pub key derived from the previous block hash as "identity"
03:24 < adam3us1> gmaxwell: then do the normal sender choose random factor, encrypt factor with the derived pub key, then to delegate a per block decrypt capability, you send the node the corresponding private key that you derive using your IBE private key.
03:24 < adam3us1> gmaxwell: agreed
03:25 < gmaxwell> then again the pairing is only needed for recognition, so it could be employed here. it would allow you to produce unique per block recognition keys. Someone you gave your recognition private keys to could only recognize your transactions that used those keys.
03:25 < adam3us1> gmaxwell: unfortunately that lets weil-pairing crypto into the tent
03:25 < gmaxwell> But its only for privacy, I'm okay with that, but it's an implementation barrier.
03:25 < adam3us1> gmaxwell: yes.
03:26 < gmaxwell> (IMO thats how we should be using pairing in cryptosystems: for lower value applications, and solving things that can't be solved any other way)
03:26 < adam3us1> gmaxwell: well its a start, a proof of concept that its possible.
petertodd started to think it maybe provably not, but that seemed wrong to me, and its a good thing he asked the q of can u prove it not, cos it triggered me to think in the other direction :)
03:27 < adam3us1> gmaxwell: yeah, if it has a sane failure mode. there maybe ways to contain the failure a bit with normal mechanisms eg a few IBE keys or such
03:28 < adam3us1> gmaxwell: also i think IBE is technically overkill we dont really need a comm channel, that is a side effect of the previous mechanism. so we may be able to do better.
03:29 < adam3us1> gmaxwell: we just want a per block discriminant private key, we dont actually need to allow the node to decrypt something, it can give it to the SPV node and it can decrypt it, itself
03:29 < gmaxwell> well really what we want is a BIP32 like derivation which doesn't have the unzip attack.
03:29 < adam3us1> gmaxwell: exactly.
03:31 < adam3us1> gmaxwell: i dont think u can do it like that tho, because thats what i was trying to do with NIFS and I made and broke a few mechanisms 1996 and concluded you cant do it with DL, hence the IBE connection to NIFS 1998, and then Boneh weil pairing 2001 made it secure/efficient (but esoteric)
03:33 < gmaxwell> ::nods::
03:34 < adam3us1> gmaxwell: but this seems something with lower requirements, more like a new problem statement, so maybe something below IBE can be found. anyway i was excited to have a proof of concept, even weil pairing using... have to think about that next step more :)
03:35 < gmaxwell> I'd thought about using the prior block as an identity parameter but I didn't see how to get away from simulation by anyone who knew the address... the IBE approach indeed would work.
03:39 < gmaxwell> petertodd: to decode for you, since you may not be familiar with IBE stuff: The idea is that the user has a master private key, which results in a master public key.
Anyone can take a prior block hash and combine it with the master public key to get a session pubkey which could be used to encrypt a chaincode included in an OP_RETURN. Using the master private key the user can derive the session private key, which can then be used to ...
03:39 < gmaxwell> ... recognize transactions using the same session key.
economy from the blockchain is actually an important enough property, kinda ...
18:37 < gmaxwell> ... weird that you couldn't though!
18:38 < petertodd> maaku: for instance a really extreme example is to create a consensus system with no concept of coins at all, that does nothing more than map H(program)->Eval(program), if the program can access blockchain data as part of its execution, the program itself can implement a bitcoin-like currency!
18:38 < petertodd> maaku: (sorry, that's commit to (H(program), input arguments)->Eval() to be exact)
18:38 < gmaxwell> "best part of this is that you already need 16GB to store the blockchain," ... ::sigh:: this isn't true, and it's also why I was asking about pruning in zero cash. Seems that they don't realize you can prune simply because the reference software doesn't.
18:39 < petertodd> gmaxwell: or worse, have their marketing hats on...
18:39 < gmaxwell> I don't see any easy and catch free way to get pruning into an anonymous coin though.
18:39 < gmaxwell> petertodd: nah I just don't think they know a lot of people don't.
18:39 < petertodd> gmaxwell: ugh, pruning is in the satoshi whitepaper...
18:40 < gmaxwell> you think they really read it?
18:40 < petertodd> gmaxwell: the interesting part isn't that you can do pruning, but the extent to which the fact that you can is a bad thing
18:41 < gmaxwell> in any case, for these anonymous coin ideas what you end up having to have is a database of encrypted coins which have been created, and another database of non-encrypted coins that have been spent.
18:42 < maaku> petertodd: ok, i understand the feature request now.
do you know a way in which this might be implemented?
18:42 < gmaxwell> The ZK proof when you spend is of a statement like "This decrypted coin exists in encrypted form in the encrypted coin database". And then the newly decrypted coin is added to the database of spent coins.
18:42 < petertodd> gmaxwell: though the database can be split up; you can think of both databases as cryptographic accumulators supporting VerExists() and conversely VerNoExist(), and thus get succinct proofs of either for SPV.
18:43 < gmaxwell> so you can't prune the encrypted coin database because you can't tell which entries have been spent. And you can't prune the spent coins database because then the coins could just be respent.
18:43 < gmaxwell> The coins database can be append only, but the spent coins database needs an efficient VerNoExist() so it must be key ordered.
18:44 < gmaxwell> key ordered makes it hard to outsource efficiently. (requires tracking the network)
18:44 < maaku> petertodd: if script was homoiconic it would be easier to attach a script which takes the transaction as input and outputs scripts to be attached to the outputs
18:44 < maaku> and those could be carried forward
18:44 < petertodd> maaku: well, in Bitcoin you need a very invasive soft-fork. vitalik's ethereum is in those directions, but the implementation is yuck
18:44 < Alanius> couldn't one store the spent coins in a merkle mountain range? Or am I mixing things up here?
18:45 < petertodd> gmaxwell: right, with spent that's the same problem as UTXO proofs. although you can design it so that the spent database need not be held in entirely for any one miner
18:45 < maaku> Alanius: "the spent coins database needs an efficient VerNoExist() so it must be key ordered"
18:45 < Alanius> ah, mmr'
18:45 < Alanius> s do not allow proof of non-existence?
18:45 < petertodd> Alanius: MMR can be used for unspent only, and I'm going to be very interested to find out if that's what they did
18:46 < petertodd> Alanius: they do, but the proof-of-non-existence is O(m log n) in size for a span of m blocks
18:46 < petertodd> Alanius: which you can do in zk-snark fashion, but that's costly
18:46 < maaku> petertodd: i think that's misleading from the context of his question
18:46 < maaku> Alanius: you can only prove non-existence based on what is being indexed
18:47 < maaku> MMR is indexed based on insertion order
18:47 < maaku> so you can prove, for example, that no coin was spent in between two adjacently spent coins
18:47 < jtimon> petertodd: I like a generic scheme too, I'm just not constrained to softforks, seriously I don't know what your claim is yet what solution and what problem are you referring to from my link?
18:47 < maaku> which is pretty useless
18:48 < Alanius> maaku: thanks! very intuitive explanation :)
18:48 < maaku> jtimon: he wants to attach arbitrary validation rules to outputs, and have those propagate in arbitrary ways in future transactions
18:48 < petertodd> maaku: but that's the thing, it's *not* useless, if you can prove when the coin was created, you naturally have a reasonable limit on the non-existence proof, which is a way that you could get something akin to pruning in zerocoin
18:48 < petertodd> maaku: basically the cost to make the zk-proof would increase as the coin gets older, but my understanding is that cost blows up very fast with current zk-snark technology
18:49 < gmaxwell> yea, so my thought for pruning is that when you create a coin you could create it with a generation number (which is made public by the ZK proof)
18:49 < gmaxwell> where 'generation number' means like "what month was it created in"
18:49 < petertodd> gmaxwell: yup
18:50 < gmaxwell> and then you can say that coins become unspendable after so many months, allowing you to prune both data sets.
18:50 < gmaxwell> But its kinda ugly.
18:50 < Alanius> that would partition the anonymity set
18:50 < gmaxwell> as it reduces your anonymity set and makes your coins expire.. and we can't even tell how many coins have expired!
18:50 < petertodd> gmaxwell: but why make them unspendable? just force you to prove correct manipulation of the spent set in your tx
18:51 < gmaxwell> petertodd: hm. and store the new spent set root? so you never close off an old spent set, it just becomes more expensive to spend from it?
18:51 < gmaxwell> I suppose thats true.
18:51 < petertodd> gmaxwell: well, doesn't even have to be more expensive, just more annoying
18:52 < gmaxwell> You still have the anonymity set reduction though, alas.
18:52 < petertodd> gmaxwell: basically if your spent token set is a single radix tree, then you have a bunch of data that needs accessibility, to do better, shard that
18:52 < petertodd> gmaxwell: sure, but it's still easily inline with what coinjoin can do (anonymity set of tx's happening at roughly the same time)
18:53 < gmaxwell> oh it's much better since same time could be defined to be a month or more.
18:53 < petertodd> exactly!
18:53 < gmaxwell> it's still not free however.
18:53 < petertodd> and you want some amount of time anyway, as mining needs to imply at least having the data, so you want mining to be tied to, say, the last month of data
18:53 < gmaxwell> also there are some other tradeoffs which come into play.
18:53 < petertodd> ?
18:54 < gmaxwell> The ZK proofs are going to be most efficient if they have no branching, just a constant number of hash evaluations and some muxes to get data on the right side of the hash input.
18:54 < gmaxwell> One of the plus sides of pruning is that it should make the ZK proofs faster.
18:54 < petertodd> gmaxwell: so make a tree of every month from now until eternity
18:55 < petertodd> ok, sure
18:55 < gmaxwell> "once we have these coins we put in the hash tree; 64-depth key (2^64); when want to redeem; reveal the serial number, and can reveal 64-hashes before in the tree; "
18:55 < gmaxwell> (quoting from the talk)
18:55 < gmaxwell> sounds like they fixed the tree size at 64 deep so that they'd 'never' run out of room.
18:55 < petertodd> (note how they must have some mechanism to make collisions hard...)
18:56 < gmaxwell> With pruning we can do better and say, have a 2^33 deep tree. Which is fine for a months of transactions.
18:56 < petertodd> (oh, actually, no that's not true, you don't need that)
18:56 < petertodd> true, although the risk of accidentally picking someone else's serial number goes up
18:57 < gmaxwell> petertodd: no need to have a risk of that, you just use a >128 bit random serial number.
18:57 < gmaxwell> one turn of the compression function takes 512 bits.
18:58 < gmaxwell> In there you have to fit the value of the coin, a P2SH hash for the pubkey needed to spend it, and a serial number.
18:58 < petertodd> gmaxwell: wait, so how does that help? the tree is indexed right, so if the first 33 bits match I have a problem
18:58 < jtimon> for scalable "anonymous" transactions, more than zerocoin-like stuff I like petertodd's inputs only approach with an expiry on the UTXI entries
18:58 < gmaxwell> petertodd: no no, it's insertion ordered.
18:59 < petertodd> gmaxwell: oh right, doh
18:59 < petertodd> gmaxwell: quite correct
19:00 < petertodd> gmaxwell: well basically, the depth of that tree is purely your anonymity set
19:00 < gmaxwell> yes
19:00 < gmaxwell> say a coin looks like this [128 bit serial number, 64 bit future extensibility, 64 bit value, 256 bit P2SH hash] you add it to an insertion ordered tree.
19:01 < petertodd> jtimon: it's only scalable if you can figure out the right mining incentives and solve the data-hiding attack sufficiently
19:01 < gmaxwell> And then to emerge COIN you just produce a ZK proof that H(COIN) is in the tree.. which takes Log2(size) hashes under the ZK proof.
19:01 < gmaxwell> so if you require multiple trees for pruning purposes, then you can make them reasonably small at the cost of reducing the anonymity set.
19:03 < jtimon> petertodd, I don't know the data-hiding attack, but from what I hear from maaku what you're talking about is new, can I read a summary somewhere?
19:03 < petertodd> jtimon: https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03307.html
15:11 < maaku> jtimon: http://pastebin.com/vUnrtLME
15:11 < TD> also i doubt any such system would be generic
15:11 < adam3us> gmaxwell: see i optimized the zkp range proof a lot manually in problem specific ways and still came to 1.5kB
15:11 < jtimon> thanks maaku
15:11 < TD> but sure, we can call them SNARKs instead
15:12 < adam3us> gmaxwell, TD: so i must be being dumb if their compiler can outperform me :).. but yes i stayed well clear of pairing
15:12 < TD> they use a lot of very complicated techniques
15:13 < TD> i only understand some of it
15:13 < amiller> with pinocchio you can create a proof for SHA1 in 15 seconds on a single thread desktop computer
15:13 < amiller> i'm pretty tinyram beats that
15:13 < gmaxwell> and the proof is a couple pairing group elements.
15:13 < adam3us> TD: its very powerful if that scales, so we can forgive pairing
15:13 < adam3us> gmaxwell: thats amazing
15:14 < TD> i thought it was 8 elements
15:14 < adam3us> and is this non IP-encrusted?
15:14 < warren> My BFL arrives today, far too late to be useful.
15:15 < gmaxwell> Well they have another backend that uses fiat-shamir with locally testable codes... the proofs are bigger but not astronomically large.
15:15 < adam3us> warren: still waiting for mine its been stuck as "fulfilled" but not shipped
15:15 < gmaxwell> (like zerocoin size)
15:15 < amiller> adam3us, there are currently three competing snarks projects, tinyram http://www.scipr-lab.org/tinyram pantry https://github.com/srinathtv/pantry and pinocchio https://research.microsoft.com/en-us/projects/verifcomp/
15:16 < gmaxwell> adam3us: I did some searches a while back and didn't find anything, but who knows what of their optimizations they may have patented in the last year.
15:16 < adam3us> do you know if any of them have not covered it with lots of patents
15:16 < warren> adam3us: I missed the "use paypal tos to force BFL refund" thread by 1 day.
15:16 < amiller> adam3us, of these tinyram isn't out yet, pantry is fully open source, pinocchio is mostly open source except for the backend which they're working on reimplementing open source
15:16 < gmaxwell> If they do, it'll be sad because the history of crypto says that patented crypto is dead on arrival.
15:16 < adam3us> warren: i missed that outright... bought a part upgrade to the 600GH and left order for the smaller 5GH
15:17 < adam3us> gmaxwell, amiller, TD: ok you convinced me I have to learn what they are doing!
15:18 < amiller> adam3us, http://eprint.iacr.org/2012/215.pdf this is the GGPR scheme underlying pinocchio and pantry
15:18 < adam3us> jtimon: i think the committed tx topic did not continue when you lost connection
15:18 < jtimon> I still don't understand committed coins, gmaxwell perfectly explained my worries "he's asking about the case where you are d in a chain of hidden spends. a->b b->c c->d And he's confused about how you know that a->q didn't happen first."
15:19 < gmaxwell> jtimon: when you are d, and get paid by c you demand he provide you the required keys to trade your payment back to entirely public inputs.
15:19 < amiller> adam3us, actually GGPR underlies tinyram as well
15:19 < adam3us> jtimon: yes so the thing is if a->q happened it would be on the block chain, the encrypted/hashed tx and a second H(a), the sender must provide info to convince you that isnt the case, ie that that is a forgery/spam
15:19 < gmaxwell> jtimon: and when you do so, because you have a's public key, you can see that a->b is the first a spend in the chain.
15:20 < warren> adam3us: I sold this BFL on ebay. The first attempt failed with no bids. The second attempt succeeded with a bid. BFL forced the first expired listing offline with a "trademark/counterfeit" claim while leaving the high priced successful bids untouched...
15:20 < adam3us> warren: wow thats hostile
15:20 < jtimon> so a->b is in hidden form in the chain
15:20 < warren> I'm pretty sure that's abusing the law to manipulate perception of value.
15:21 < jtimon> b->c must also be in hidden form in the chain, right?
15:21 < adam3us> yes
15:21 < adam3us> it not offchain, its onchain but in encrypted/hashed form
15:21 < adam3us> such that anyone can see which are spends of the same key, they just dont know which key
15:22 < jtimon> and when I receive C->D, C also gives me proof that a->b, b->c and c->d where actually signed properly
15:22 < jtimon> were
15:23 < gmaxwell> well he gives you the keys required for you to be able to check for yourself. (it's not in zero knowledge)
15:23 < adam3us> jtimon: yes, he just gives you a sym key that allows you to decrypt
15:23 < adam3us> jtimon: you can validate it yourself then as the bit of the block chain you care about is now decryptable and visible to you
15:24 < jtimon> so now I want to pay D -> E in public form
15:24 < gmaxwell> you would make those secrets public at that point, so the whole network could validate what you wanted before.
15:24 < jtimon> couldn't C try to publicly pay C -> C2 first ?
15:24 < adam3us> jtimon: you have to publish all the committed ones or the recipient otherwise needs keys for a-<c
15:25 < adam3us> jtimon: no because of the trick that a public spend correlates with the committed spends
15:25 < adam3us> as a public spend includes pub key (not just address), and H(pub) can be calculated from it, and H(pub) is attached cleartext to each committed spend
15:25 < jtimon> but no one is seeing any relation between hidden (committed is confusing sorry) spends
15:26 < jtimon> ok, so every hidden spend refers to the previous one
15:26 < maaku> hidden is a much better term
15:26 < jtimon> explicitly
15:26 < gmaxwell> jtimon: to make d -> e in public you disclose the keys, so the relations then become clear.
15:26 < maaku> yes, these are not blinded
15:27 < jtimon> but not until I publicly pay d -> e ?
15:27 < gmaxwell> right.
15:27 < jtimon> then at any time c -> c2 or b -> b2 could be broadcast
15:27 < jtimon> no?
15:28 < maaku> yes, but it would be meaningless
15:28 < gmaxwell> No.
15:28 < gmaxwell> (as maaku says)
15:28 < adam3us> not really because people receiving them can see they are spent
15:28 < gmaxwell> Because everyone with the keys can see which commitments were first.
15:28 < maaku> c2 or b2 would have the keys necessary to go check the chain and realize they were double-spent
15:28 < adam3us> as with (c->c2) in clear form, you know public key of C, and that is attached to the original spend as H(c)
15:28 < gmaxwell> and the hidden -> public validation checks this too.
15:28 < adam3us> even if they didnt
15:29 < jtimon> ok, so then every hidden spend references the previous hidden spend
15:30 < adam3us> jtimon: the recipient of a hidden spend needs keys back to the first non hidden ancestor
15:30 < adam3us> jtimon: actually with optimisation its just one sym key you disclose at any time
15:30 < jtimon> let's say I have d -> e (public) prepared at home but I chose not to broadcast it until next week
15:30 < adam3us> jtimon: the sym key gives you enough to navigate backwards, decrypt, then validate normally
15:30 < gmaxwell> yea, because you could change the keys in the encrypted data.
15:31 < jtimon> there's 3 possibilities
15:31 < gmaxwell> s/change/chain/
15:31 < gmaxwell> jtimon: I think you've thought yourself into a rut, this isn't that complicated.
15:32 < adam3us> jtimon: i think the thing you're maybe missing is that, a public spend is also validated against its inputs, and the inputs are encrypted and so its rejected
15:32 < jtimon> 1) When miners receive public(C -> C2), they realise it is invalid because something in hidden(C->D) indicates it
15:33 < jtimon> hidden(C->D) is already in the chain
15:33 < adam3us> jtimon: think you meant c->d2, yes they can see that hidden(c->d) was with the same key c as clear c->d2 so its invalid
15:34 < jtimon> ok, I got it
15:34 < adam3us> jtimon: so if clear spend of c->d2 comes after hidden spend c->d then d2 is a double spend and rejected; its interesting because in its hidden form the miner knows almost nothing so he can apply no policy
15:34 < gmaxwell> it would still work if they couldn't however, certainly easier that they can.
15:34 < jtimon> but no, I meant c2 to express that belongs to the same person
15:35 < jtimon> so, c->d publicly states {C, H(C->D)}
15:35 < adam3us> gmaxwell: ? what mean "it would still work if they couldn't however, certainly easier that they can."
15:36 < adam3us> hidden(c->d) = E(tx), H(c) approximately
15:36 < jtimon> isn't this also traceable?
15:36 < gmaxwell> adam3us: I mean the requirement that miners can reject a double spend isn't a strict requirement. So long as the receiver can identify the first spend thats in the chain thats enough for the scheme to work.
15:36 < adam3us> jtimon: so if you send c->d2 publicly now anyone can compute H(c) and see wait that was already spent
15:36 < gmaxwell> jtimon: once the data is made public, sure.
15:36 < adam3us> gmaxwell: ah yes
15:37 < adam3us> jtimon: before its public its utterly hidden except to the people in the path
15:37 < adam3us> jtimon: you cant even tell is a path, the hidden tx are opaque blobs and H(c) is useless if you dont know c
15:38 < adam3us> amiller, gmaxwell, TD: surely SCIP-coin can be a game changer if there is an efficient non-patented version. or maybe the community can buy them out :)
15:39 < gmaxwell> then the other conversation we had was where I pointed out that using a sufficiently powerful (tm) zero knowledge proof system you could do the private->public change without making the keys public. (I wrote about this at length in a forum thread of its own)
15:39 < gmaxwell> ( https://bitcointalk.org/index.php?topic=277389.0 )
15:40 < adam3us> gmaxwell: think i missed that forum thread sounds like what you said above about SCIP
10:19 < gmaxwell> he doesn't agree, sadly. E.g. he has a definition of 'fully rigid' that doesn't include setting the base point: http://safecurves.cr.yp.to/rigid.html
10:19 < gmaxwell> I'll forward you email. one sec.
10:19 < adam3us> gmaxwell: i think we've got the same assumptions but to say it is easy to get two base points G & H which you can readily see no one knows the private key for (eg G=hash2curve(pi), H=hash2curve(e) for pi & e)
10:20 < adam3us> gmaxwell: i mean no one knows the discrete log of them to anything in particular, and certainly no one knows x st H=xG
10:21 < gmaxwell> adam3us: sure, but you have to pick your base point that way..
and it doesn't appear that anything anyone is likely to use right now does.
10:21 < adam3us> gmaxwell: i mean otherwise its a joke find H=hash2curve(pi), compute x=random, then set G=x^-1H => H=xG
10:21 < gmaxwell> adam3us: thats what I sent DJB.
10:21 < adam3us> gmaxwell: holy moly i am going to hit DJB! shame on twitter
10:22 < gmaxwell> (I mean I sent him an example sage notebook where I do exactly that, G=x^-1H )
10:25 < gmaxwell> I can agree with him that it's not the most important thing... but it's also so easily avoided as an issue. I suspect he may have been disinclined to agree with me because his curves wouldn't meet the criteria (I have no clue where his base points came from).
10:27 < adam3us> gmaxwell: reading this bit now "What about rigid choices of base points?" from http://safecurves.cr.yp.to/rigid.html
10:28 < gmaxwell> Oh, wow, he must have added that after my email discussion with him!
10:30 < adam3us> gmaxwell: hmm he still disagrees however, he claims it doesnt matter however this maybe another one of those "depend what the use case is" things. to me i think the base should be fairly chosen or even a small set of fairly chosen base points should be presented
10:31 < adam3us> gmaxwell: thats rather narrow minded - if someone needs G & H then they cant use his G. they have to ignore it and safely generate two more
10:32 < adam3us> gmaxwell: which is a big onus to put on the implementor now they have to get into complex EC math arguments and understand the curve generation and limitations. big area for mistake or community rejection of their proposal
10:34 < gmaxwell> adam3us: I think the smallest possible x / y for performance reasons (makes a multiply easier) isn't /terrible/. I didn't realize thats what he'd done for his own curves.
10:34 < gmaxwell> But yea, I'm glad you agree that its stupid to not get this right.
10:35 < adam3us> gmaxwell: : oh thats not too bad.
u have to consider also that someone could adapt the curve params to have a known discrete log small x,y. but as the curve params are chosen deterministically with rigid criteria and plausible seed
10:36 < adam3us> gmaxwell: then its probably ok
10:36 < gmaxwell> adam3us: yea, funny that I managed to not gather that from his emails. I only realized it after reading the update to the page and then looking at the values.
10:37 < adam3us> gmaxwell: he probably never said it - unstated assumption
10:42 < cfields> https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0cb112f7400187275da81a05a9ad0534f1430139
10:42 < cfields> all determinism problems in binutils (that i'm aware of) fixed.
10:42 < sipa> \o/
10:44 < adam3us> btw about bitcoin implies need for end2end airgap model, someone i talked to said they discovered an egress vpn tunnel via their custom firewall scripts (pretty hard core security geek to notice) within a few days of talking to me. seems like skype is a risk suggest not running it at all, running in vm (maybe there are people with skype & vm escape zerodays) or running it on a burner laptop on a different network literally
10:44 < adam3us> for people who seemingly are incapable of installing jabber client & otr because they want to do bitcoin stuff, but thats too complex :|
10:46 < adam3us> advice: paranoia *= 2 if you have bitcoins non airgapped, exchange accounts with bitcoins or doing bitcoin dev work. my prediction this security attack to the level of being willing to burn 0days to get into suspected interesting places ramping up
10:48 < adam3us> even airgapped bitcoins are at risk if you spend them. you need some better way to check the deposit address on exchanges. they need to use unique per user chain codes
10:48 < K1773R> setup the honeypots!
10:54 < gmaxwell> I've been using canary coins for a long time, never had one trigger, so I don't know if they work.
10:55 < adam3us> probably IMO baseband processor hacked or other smart-phone vector to attack google authenticators are the next step. it'll take the shine out of bitcoin if non-tech users get ripped (or even reasonably tech people who dont know how to setup hard core secure environments)
10:55 < gmaxwell> (canary coins = leave an easily found unencrypted wallet.dat on bastion hosts; hopefully someone who compromises the host moves the coins right away thus alerting you)
10:57 < adam3us> gmaxwell: yes. there maybe different attacks tho - random ones, and targeted ones aimed at people with known early bitcoins or who might be suspected to have early bitcoins. unfortunately i am in the suspected but actually not - have to tolerate the attacks, but without the coin hoard :)
10:58 < adam3us> and we saw jdillon's pgp was compromised and his private decrypted msgs posted on the forum. pgp on line computer is probably not good in this environment
10:58 < gmaxwell> adam3us: well thats true for lots of us. I worry about people following me home. It's not nice to fear that some idiot might think that mugging you might yield a hundred million dollars .. without actually having the hundred million dollars. :P
11:01 < adam3us> gmaxwell: precisely. you cant afford or dont want to spend 1/3 your salary in using 100-millionaire private security type setups (body guards). so its kind of a shitty situation. you are exposed to the risks without the upside.
11:02 < adam3us> gmaxwell: this is why my bct sig line said for a long time "I am not satoshi" => i dont have many coins
11:03 < cfields> hmm, who should i ping about gitian stuff?
11:03 < gmaxwell> devrandom
11:03 < cfields> i need a raring builder
11:03 < cfields> ok. he comes around irc, right?
11:04 < cfields> nm, i see him in -dev
11:04 < adam3us> also OS upgrades are stupidly insecure. they are checking signatures not hashes. they cant check hashes because the new module wasnt coded at the time.
we need something like laurie's cert transparency for OS patch hash transparency; as is possibly a weak point is the ubuntu/fedora etc package builder, or for anything x509 code signed another hacked CA
11:05 < cfields> ping Luke-Jr
11:10 < adam3us> so what about end to end address security. if you and another user have a trezor. say you need to pay someone 1btc or something non-trivial how do you know you have the recipients address, if you are using an online computer to create the offline signable transaction
11:11 < adam3us> seems like you need to use an address signed by the sender's base keypair (and encrypted with your base keypair) for end2end privacy and address authenticity
11:13 < adam3us> new armory feature I think you could make it a non-transferable signature probably would be slightly better if the payment request receiver is airgapped.
11:13 < adam3us> maybe this could be done as a payment request extension
11:14 < petertodd> adam3us: addresses aren't useful; identities are
11:14 < petertodd> adam3us: people keep trying to re-invent PGP...
11:14 < adam3us> this bitcoin thing is getting ahead of its own operational security tools - trajectory could be disrupted, or stupid central trust solutions or static addresses used as a counter-measure
11:15 < adam3us> petertodd: right, but when you send someone address via an unsecured connection and online computer (which maybe subject to 0-day compromise even with best precautions as the bitcoin stakes increase)
11:16 < adam3us> petertodd: currently you make no attempt to prove the identity owning the address to the offline wallet about to make the payment.
you just read it off the screen of a potentially compromised system which can put someone else's address on the screen
11:16 < petertodd> adam3us: yeah, but doing fancy crypto with addresses doesn't change a thing - the address still doesn't involve a human-meaningful identity
11:16 < petertodd> adam3us: well yeah, that's what the payment protocol is for, and for the decentralized case, add OpenPGP support and teach TREZOR about the WoT (have fun with that!)
11:17 < adam3us> petertodd: well there's no trust anchor. in the same way we exchange pgp fingerprints, we need to exchange like static vanity/random encryption address, and use that for encryption
11:17 < adam3us> petertodd: pff payment protocol is signed by an online ssl signing key
11:18 < petertodd> adam3us: sure, but would you rather exchange a single purpose bitcoin addr or a actually using for stuff in general pgp fingerprint?
11:18 < adam3us> petertodd: i bet 99% of web servers will sign it with their existing SSL key
11:18 < petertodd> adam3us: that's the only way it could possibly work
11:18 < petertodd> adam3us: payment protocol doesn't do any good if the identity involved != the identity of the website the user just visited
11:18 < petertodd> adam3us: sad but true
11:18 < jgarzik_> adam3us, scrolling back a bit, what do you mean RE OS upgrades when you say "they cant check hashes because the new module wasnt coded at the time."
11:19 < adam3us> petertodd: what i mean is we have the infrastructure available, but just lack the tools. offline wallet use base address as identity, but hash on biz card, pgp sign as attribute etc
11:19 < jgarzik_> adam3us, RPMs sign file hashes
03:36 < gmaxwell> amiller: you may find interesting: https://bitcointalk.org/index.php?topic=327767.0 looks like somewhat strong evidence of a 25% hashpower miner using it to exploit a gambling site.
03:36 < gmaxwell> (I'd say conclusive, but I think it's at least slightly plausible that someone else is framing them)
03:41 < michagogo|cloud> gmaxwell: could you give an example of a way they could be framed?
03:42 < michagogo|cloud> Finding their mining node or something?
03:42 < gmaxwell> e.g.
03:42 < gmaxwell> 3. Going further, I found the address the earnings from attack were sent to: 12e8322A9YqPbGBzFU6zXqn7KuBEHrpAAv
03:42 < gmaxwell> https://blockchain.info/tx/292e7354fbca1847f0cbdc87a7d62bc37e58e8b6fa773ef4846b959f28c42910
03:42 < gmaxwell> And then part of these funds (125 BTC) was sent to ghash.io's mining address:
03:42 < gmaxwell> https://blockchain.info/tx/48168cf655d0ac0c7c2733288ca72e69ecd515a9a0ab2821087eb33deb7c6962
03:42 < gmaxwell> ...
03:42 < gmaxwell> The attacker could have just paid some of their loot to ghash.io to make it look like they were in on it.
03:44 < phantomcircuit> gmaxwell, that's a lot of coin to frame them
03:44 < gmaxwell> To be clear: I think it's more likely that the simpler explanation is correct. I'm just trying to behave responsibly by making it clear that I haven't seen enough to eliminate all doubt.
03:45 < gmaxwell> phantomcircuit: if you're a competing pool... and the funds were the proceeds of an attack.. I don't see why losing half of them to frame someone wouldn't be a great plan.
03:46 < phantomcircuit> there isn't really anybody competing with them
03:46 < phantomcircuit> iirc most of their hashing power is from cex.io
03:46 < phantomcircuit> who aren't going to care about this at all
03:47 < gmaxwell> also, I expect that if there are attacks going on what's actually happening is that GHash.io is doing hashpower for hire instead of attacking themselves.
03:48 < gmaxwell> which would also explain all the evidence and changes the surface of culpability somewhat. (and more importantly, teaches us a slightly different lesson)
03:49 < phantomcircuit> gmaxwell, 45k transaction fee
03:49 < phantomcircuit> heh
03:49 < gmaxwell> e.g. the payments aren't to frame, they're payments for the hashpower they bought.
03:49 < gmaxwell> step 1) buy hashpower for a small markup over its worth, step 2) double spend the crap out of some shitty gambling site, step 3) profit.
03:51 < gmaxwell> just requires someone with a bunch of hashpower which is greedy or stupid enough to go along with people buying their hashpower. Sadly, lots of people sold hashpower on pirate40's service (confirmed by the SEC).
03:53 < gmaxwell> another interesting point is that they could have profitably (well, positive EV) performed this attack even if the gambling site had required 6 confirms, if they really did have 25% hashpower behind the attack.
03:54 < gmaxwell> (25% reverses 6 confirms 5% of the time)
03:55 < michagogo|cloud> gmaxwell: so I'm guessing house edge is <5%?
03:55 < phantomcircuit> gmaxwell, except that screwing with unconfirmed transactions isn't likely to freak anybody out
03:55 < phantomcircuit> screwing with 6 confirm transactions is
03:56 < michagogo|cloud> Also you have the coinbases that you lose if you fail
03:56 < gmaxwell> michagogo|cloud: yea, these betting sites always have really small edges, enough that they almost certainly fail the https://en.wikipedia.org/wiki/Kelly_criterion for the largest bets they allow
03:58 < gmaxwell> michagogo|cloud: yea, you just need the attack to be profitable enough that you offset the coinbase loss expected. Which you can do because the absolute return on the attack is infinite (well, bounded by the casino's bank account, maximum bet size, and number of txn you can put in a block) even though the relative return is only some percentage.
03:59 < gmaxwell> this isn't to say that attacking 0 confirmed stuff isn't much better for the attacker, it is... but just 6 confirms doesn't stop such an attack from being positive EV if you can buy the hashpower to do it at a small markup.
04:01 < gmaxwell> Because the site does 0 confirm you can double spend them with no hashpower at all. I don't really understand why the attacker bothered with the hashpower.
04:01 < gmaxwell> Your success rate is lower, sure, but your costs are lower.
04:01 < warren> Despite this, people don't seem concerned about the real problem, massive centralization.
04:02 < warren> And I'm thrilled by the huge positive response to the p2pool grant yesterday.
04:02 < warren> <crickets>
04:02 < phantomcircuit> gmaxwell, the obvious answer is because they already had it
04:04 < gmaxwell> warren: dude, no one gives a shit about technology except us. :( This is why I think paying people to mine on p2pool is important. Or rather, it's not that people don't care, it's that it's really mentally expensive to sort this stuff out so people don't think about it. If you tell them upfront that they'll make more by switching to p2pool, then they don't have to think through the other stuff.
04:05 < phantomcircuit> lol it's funny cause really nobody cares
04:05 < warren> gmaxwell: make p2pool more scalable and easy enough for a caveman, maybe with no apparent share orphans/DOA with share merging, and tell them the pool's fees are lower than anything else, and then entice people to join with random donation subsidies.
04:06 < warren> currently I'm not confident that donating is well spent to attract miners who will stay
04:06 < phantomcircuit> warren, people are hella lazy
04:06 < phantomcircuit> once it's setup nobody is changing shit
04:07 < warren> it's rather scary that things are moving beyond mere centralized pools ... huge hashrate for hire
04:07 < gmaxwell> warren: perhaps but it will be months at best before it's not a huge pita. and most of that isn't fixing p2pool. The fact that people are trying to run their mining on hardware that can't run bitcoind is at least as big of a barrier as anything inside p2pool.
04:07 < gmaxwell> warren: most people using bitcoin have no idea what role mining fills in the system.
04:07 < warren> gmaxwell: indeed
04:08 < gmaxwell> I reported here week before last on my experience at the SV bitcoin users group. Lots of excited people even generally technically competent ones (uh with technical CVs that include a lot of php and ruby...), almost none with any real clue how bitcoin works.
04:08 < gmaxwell> Even miners often have no clue what role mining serves.
04:09 < warren> past assumptions always assumed that large quantities of greedy miners will secure the network
04:09 < warren> centralized pools broke that
04:09 < warren> and greed can lead to even worse things
04:10 < gmaxwell> well, someone made the mistake of assuming miners were rational and well informed.
04:10 < michagogo|cloud> 11:05:45 <warren> gmaxwell: make p2pool more scalable and easy enough for a caveman, maybe with no apparent share orphans/DOA with share merging, and tell them the pool's fees are lower than anything else, and then entice people to join with random donation subsidies.
04:10 < michagogo|cloud> AIUI, p2pool's model inherently has many stales
04:10 < gmaxwell> the fucking stales are irrelevant. gah. stop @#$#@$ derailing things with that warren.
04:10 < warren> michagogo|cloud: please don't get into this right now, you're demonstrating the most common misunderstanding of p2pool
04:11 < gmaxwell> warren: and you encouraged him to accidentally! see how that works?
04:11 < michagogo|cloud> But the payout mechanism means that all that matters is your stales aren't proportionally more than others'
04:11 < michagogo|cloud> Okay, sorry
04:12 < gmaxwell> michagogo|cloud: :) if nothing else there is a major UI problem there though. Because it's hard to get people to as sophisticated an understanding as that.
04:12 < michagogo|cloud> Lol, #$#@$ got detected as a channel
04:13 < warren> one of the proposed counter-measures against the selfish miner thing was the honest pools forming a cartel. If p2pool were to grow huge, that would become impossible. Now that being possible at all is scary.
04:20 < warren> gmaxwell: I don't see any fix for the greedy miners seeking profit by selling their hashes issue.
05:52 < adam3us> so is there any reason not everyone is mining on p2pool?
05:53 < sipa> complexity & variance
05:54 < gmaxwell> Yep, plus ignorance and lazy.
05:54 < gmaxwell> People think pool fees of 3% aren't much...
05:55 < warren> adam3us: https://bitcointalk.org/index.php?topic=329860.0
05:55 < sipa> when they're less than your monthly variance, you won't notice it anyway :)
05:55 < gmaxwell> (but really, it's a lot more work to use: you have to run bitcoind.. which is like a day plus of install time and 15 gb of disk space and means you can't run on a raspberry pi)
05:55 < gmaxwell> (then you have to run p2pool, which is at least pretty easy)
05:55 < adam3us> to me 3% is phenomenally high, maybe i should start a pool with lower fees that refuses no GBT miners
05:56 < gmaxwell> vs: plug in miner, type in url. Receive bitcoins.
05:56 < gmaxwell> adam3us: then you're suspect because you charge too little, obviously the majority of people paying 3% or more are getting something of value!
05:56 < gmaxwell> plus for non-PPS pools, being a small pool means you have enormous variance, you're objectively less good.
05:57 < gmaxwell> (or at least, very small pool)
05:57 < gmaxwell> (once you're finding a block a day the variance is probably not so bad)
05:57 < adam3us> gmaxwell: yeah the reality of decisions people make is sooo stupid that moderately smart people can't even comprehend or predict the market outcomes
05:57 < warren> sigh, I really thought at least one person would have donated there.
19:46 < petertodd> what's nifty about it, is a core bit of the trust would be the exact same merkle-sum utxo tree that Bitcoin itself might have one day
--- Log closed Mon Apr 15 21:30:49 2013
--- Log opened Tue Apr 16 07:52:17 2013
--- Log closed Tue Apr 16 07:52:45 2013
--- Log opened Tue Apr 16 07:53:09 2013
--- Log closed Wed Apr 17 00:00:52 2013
--- Log opened Wed Apr 17 00:00:52 2013
--- Log closed Wed Apr 17 01:04:57 2013
--- Log opened Wed Apr 17 16:25:13 2013
--- Log closed Thu Apr 18 00:00:54 2013
--- Log opened Thu Apr 18 00:00:54 2013
--- Log closed Thu Apr 18 00:58:33 2013
--- Log opened Thu Apr 18 01:13:52 2013
22:03 < realazthat> sipa: ping
--- Log closed Fri Apr 19 00:00:55 2013
--- Log opened Fri Apr 19 00:00:55 2013
--- Log closed Fri Apr 19 02:38:04 2013
--- Log opened Fri Apr 19 02:44:28 2013
03:23 < sipa> realazthat: yes?
03:23 < realazthat> I had a question but I'm following the boston situation :P
03:24 < realazthat> O
03:24 < realazthat> er
03:25 < realazthat> I'll ping you when I wake
--- Log closed Sat Apr 20 00:00:56 2013
--- Log opened Sat Apr 20 00:00:56 2013
--- Log closed Sat Apr 20 00:19:43 2013
--- Log opened Sat Apr 20 00:45:29 2013
--- Log closed Sat Apr 20 01:23:01 2013
--- Log opened Sat Apr 20 01:28:14 2013
20:46 < vazakl-> sup
--- Log closed Sun Apr 21 00:00:58 2013
--- Log opened Sun Apr 21 00:00:58 2013
--- Log closed Mon Apr 22 00:00:59 2013
--- Log opened Mon Apr 22 00:00:59 2013
--- Log closed Mon Apr 22 02:09:04 2013
--- Log opened Mon Apr 22 04:14:23 2013
--- Log closed Tue Apr 23 00:00:00 2013
--- Log opened Tue Apr 23 00:00:00 2013
--- Log closed Tue Apr 23 02:54:37 2013
--- Log opened Tue Apr 23 03:09:51 2013
03:09 !zelazny.freenode.net [freenode-info] if you're at a conference and other people are having trouble connecting, please mention it to staff: http://freenode.net/faq.shtml#gettinghelp
15:13 < DrChill> About to make a bot that buys and sells +0.75%, thoughts? It would get the average price after a successful buy+sell, and then use that to make the next trade
15:14 < realazthat> so you make money assuming bitcoin goes up
15:14 < realazthat> eventually
15:14 < realazthat> in that case, why not just buy and hold?
15:14 < realazthat> hmm dunno
15:15 < DrChill> It would buy low and sell high but in small increments
15:15 < DrChill> So even if the market is stable, it would profit
15:15 < realazthat> try it on old data :D
15:16 < DrChill> Indeed, I used to do something like this on a game, and made some profit doing it, should be fun to make :)
15:18 < realazthat> lol
15:49 < sipa> DrChill: off topic here
15:50 < DrChill> sipa: Ah, ok, sorry
--- Log closed Wed Apr 24 00:00:01 2013
--- Log opened Wed Apr 24 00:00:01 2013
--- Log opened Wed Apr 24 10:04:23 2013
19:11 < amiller> i've been working on a couple new thoughts
19:11 < amiller> about incentive modeling
19:11 < amiller> i think the coinbase maturity time is harmful
19:11 < amiller> i'll explain why
19:11 < amiller> lets say for now my model is some mix of attacker / honest / rational miners
19:12 < amiller> where all of the miners have to pay their mining costs, and the key thing about the rational ones is that they have to earn at least enough profit to pay off their costs otherwise they don't participate
19:13 < amiller> what we want, and what seems to generally be the case, is that it's rational to act like the honest nodes, in other words building on the longest valid chain you know about
19:14 < amiller> and basically the reason why that's rational is because if you mine on any smaller chain, it's more likely that someone else will extend the other block rather than yours so it will be wasted
19:14 < amiller> this breaks down under some conditions.
19:14 < amiller> the particular scenario i want to focus on is when there is an enormous anomalous fee paid in a single block
19:15 < amiller> think of a million dollar transaction fee
19:15 < amiller> suppose someone mines that block and claims that whole fee
19:16 < amiller> you have a choice of either trying to mine your own block and claim the fee for yourself or building on top of that other guy's claim
19:18 < amiller> if you assume everyone else is honest, then you stand a lot more to gain by working on your own block
19:18 < amiller> that means it is not a nash equilibrium to work on someone else's block.
19:18 < amiller> ok so
19:19 < amiller> on the other extreme, you have to consider that even if you succeed at mining the block, it's possible other people won't extend yours anyway
19:19 < amiller> so!
19:20 < amiller> what's the optimal behavior?
19:20 < amiller> you try to mine on the other block
19:20 < amiller> but if you succeed
19:20 < amiller> you take only a tiny bit of the fee for yourself!
19:20 < amiller> you broadcast a new transaction that puts most of the enormous fee back into the mempool!
19:21 < realazthat> hehe
19:21 < realazthat> or,
19:21 < amiller> now everyone would be fighting over that block more than yours
19:21 < amiller> so the nash equilibrium is when you take exactly what the cost of the work is
19:22 < amiller> because that's when no one has any incentive to remove your work for only a marginally higher reward
19:22 < realazthat> you "make a deal" with a bunch of mining coops to fork at that very block, giving rogues a chance at that fee
19:22 < realazthat> or is that one of your suggestions
19:22 < realazthat> mm nvm
19:22 < realazthat> I think it's the same thing
19:23 < amiller> now notice how the coinbase maturity prevents the nash equilibrium strategy from being reached
19:24 < amiller> because the only way someone could create that offshoot transaction to keep progress going forward
19:24 < amiller> is if you have unbounded budget in reserve
19:24 < amiller> because you can't use your coinbase transaction that earns the huge fee to create a transaction for them to include in the next block
19:25 < amiller> therefore the coinbase maturity actually *encourages* anti-consensus behavior
19:25 < amiller> it makes it impossible to take anything less than the whole damn fee
19:25 < amiller> thus greatly increasing the value in quibbling over a big fee
20:20 <@gmaxwell> amiller: for some time I've wished that half the fee paid out in this block, and half of the rest paid out in the next block and so on.
20:21 <@gmaxwell> amiller: but this creates incentives to pay fees externally.
20:21 < amiller> i think my solution is great
20:21 < amiller> it means it's an auction
20:21 < amiller> you should take as much of the fee for yourself as you can except to the extent it makes it more likely for someone else just to outmine you
20:21 < amiller> actually i can be a little more specific than that
20:22 < amiller> nvm no i can't
20:25 <@gmaxwell> amiller: I don't think that actually matters, you'd just force people to pay you out of band instead of via direct fees.
20:26 < amiller> gmaxwell, i don't see what you mean
20:27 <@gmaxwell> amiller: the equilibrium state is that there are no fees in transactions at all, and people are just paying miners via some other means.
20:29 < amiller> i don't see why that's an equilibrium either
20:30 < sipa> i think the equilibrium state is that people who care about security, run a miner themself
20:30 < sipa> to get their own transactions mined
20:31 < amiller> i don't see how that helps security either
20:32 < amiller> anyway there's at least two different types of roles here, the miners and the users, and for the sake of the discussion i originally meant to hold the users constant
20:32 < amiller> where they pay whatever the fees are worth and the only way to do it is via transaction fee
20:33 < amiller> i don't understand how the ability to pay people out of band changes it or why that's cheaper/preferable
20:33 < amiller> or why mining your own transactions helps anything
20:36 < sipa> 'equilibrium' != 'helps'
20:37 < sipa> (but i'm not very knowledgeable about this, so if you don't agree, assume i'm wrong)
20:40 <@gmaxwell> amiller: because in my example there are no 'fees', and so incentive to orphan transactions.
20:42 < amiller> gmaxwell, i don't understand how this side payment mechanism works, so i don't really understand what you mean
20:43 <@gmaxwell> amiller: E.g. you send me shares and I pay you with regular bitcoin transactions just for virtue of trying to mine my transaction.
20:44 < amiller> and that's more cost effective than attaching a fee to a transaction
20:44 <@gmaxwell> it removes any orphaning incentive.
20:47 < amiller> sorry what's an orphaning incentive
20:48 < amiller> the only reason to pay tx fees is to be included in the next block as opposed to some later block right
20:55 <@gmaxwell> 16:14 < amiller> this breaks down under some conditions.
20:55 <@gmaxwell> 16:14 < amiller> the particular scenario i want to focus on is when there is an enormous anomalous fee paid in a single block
20:55 <@gmaxwell> 16:15 < amiller> think of a million dollar transaction fee
20:55 <@gmaxwell> 16:15 < amiller> suppose someone mines that block and claims that whole fee
20:55 <@gmaxwell> 16:16 < amiller> you have a choice of either trying to mine your own block and claim the fee for yourself or building on top of that other guy's claim
20:55 < amiller> oh i see
20:57 <@gmaxwell> also on that subject petertodd has suggested that all users should nlocktime their transaction at the earliest height they think they could be reasonably mined at... so the chain must move forward to gobble up those fees.
20:57 < amiller> so my solution is for the miner who mines to put the rest back as a fee for the next miner to take
20:57 < petertodd> keep in mind, the worst case scenario only happens with optimal miners who have actually implemented code to do all this magic stuff. If you make it nearly always not worthwhile that code won't exist.
17:22 < sipa> bitcoin (at the protocol level) isn't designed for microtransactions
17:27 < phantomcircuit> arbart, trust a third party
17:27 < phantomcircuit> remember that the transactions are micro
17:30 < sipa> #bitcoin-dev please, btw
17:31 < arbart> sipa, cool, that is what i was wondering then i guess
17:31 < arbart> and alright, what is the purpose of this channel then, I thought it was similar?
17:33 < Luke-Jr> this channel is more like extreme advanced stuff that isn't really practical :p
17:33 < arbart> well that is what I like :)
17:33 < sipa> arbart: oh, i misread your line
17:34 < sipa> i thought you said "what is the state of enabling microtransactions", which would apply to bitcoin-as-it-exists today
17:34 < sipa> for state-of-the-art, there are some more interesting ideas
17:34 < sipa> like probabilistic transactions
17:34 < arbart> yes, now you are talking :) why i came here
17:36 < gmaxwell> probabilistic transactions are more of a social/political challenge than a technical one. (I think the lottery protocols iddo/adam3us worked on can basically be applied directly to create a probabilistic payment)
17:37 < arbart> ah interesting, i didn't find this before, now searching 'probabilistic transactions', i find much stuff! sipa, thank you already!
17:37 < sipa> arbart: gmaxwell certainly has more state about it than i do
17:39 < arbart> gmaxwell: what is the social/political challenge you see with it?
17:39 < Luke-Jr> arbart: 'probabilistic transactions' essentially means 9 times out of 10, you get nothing, and the 1 other time you get a penny
17:40 < gmaxwell> arbart: Many people seem to not regard a probabilistic payment as a payment.
17:41 < arbart> ok, i'm starting to see. reading https://bitcointalk.org/index.php?topic=62558 right now.
17:43 < sipa> gmaxwell: many seem to not regard playing lotto as paying tax either
17:46 < gmaxwell> sipa: People are implementing batch DSA verification in this thread: https://bitcointalk.org/index.php?topic=427025.0
17:46 < arbart> it is interesting so far :)
17:46 < arbart> i understand it now
17:47 < sipa> gmaxwell: how do they overcome not knowing R.y?
17:47 < arbart> i think i am in -wizards and not -dev is because stuff like that gmaxwell is good to have, but not enough a solution, something more extreme :) is needed
17:48 < gmaxwell> sipa: brute force.
17:49 < arbart> i suppose it is hard to tell though, that looks interesting, and combined with pruning and all, might enable native nanotransactions
17:50 < petertodd> arbart: pruning doesn't make the bandwidth problem go away unfortunately
17:50 < gmaxwell> sipa: basically you guess the sign and test and apparently this still comes out ahead.
17:50 < gmaxwell> arbart: native nanotransactions
17:50 < gmaxwell> doesn't really sound sensible in a global consensus system.
17:50 < arbart> :)
17:50 < gmaxwell> Now, you can do things to perform them non-globally and that perhaps becomes more interesting.
17:50 < arbart> hmm :)
17:50 < petertodd> arbart: now, an interesting question is if you really need global consensus? I think there are blockchain structures that don't
17:51 < arbart> ahh, right
17:51 < gmaxwell> So there are a couple paths to relaxing that which have different tradeoffs.
17:51 < petertodd> arbart: right now just trusting a third-party is probably far more practical
17:51 < arbart> maybe global checkpointing, but only local is interested in the details usually, etc?
17:52 < petertodd> arbart: trusting third-parties and non-global-consensus blockchains have interesting convergence re: security I suspect
17:52 < gmaxwell> are you just stringing words together? :P
17:52 < arbart> i understand the third-party thing, another avenue i'm interested in
17:52 < petertodd> arbart: global *ordering* is a better term
17:52 < petertodd> arbart: heh, let's see if I can explain my pet idea to you re: tree-chains... so imagine you have a blockchain, and you merge mined two child chains with it, left and right.
17:52 < arbart> only out of the necessity you think is there
17:52 < petertodd> arbart: you know what merge-mine means?
17:53 < arbart> ok, i get that term
17:53 < arbart> petertodd: not yet
17:54 < petertodd> mining: I find a pow solution so that my block will be part of the consensus
17:54 < petertodd> merge-mining: the rules of the system let me re-use a pow solution from a different consensus system, letting me do one bit of work, yet get two blocks from two different systems
17:54 < arbart> ok, intuitive :)
17:55 < petertodd> merge-mining is implemented by just letting you prove the block solution for system #2 by showing a merkle path through some tree that terminates in the blockheader for system #1
17:55 < petertodd> (namecoin does this)
17:56 < arbart> ok, i was guessing that, so i think i got it :)
17:56 < petertodd> right, so we have the parent chain, and two child chains, left and right, got that? you can mine the parent chain, or the parent chain and the left chain, or parent and right chain (in our system)
17:57 < arbart> petertodd: was just about to prod you :)
17:57 < petertodd> basically it's *exclusive*, you can only mine the left *or* right child chain (or neither)
17:57 < arbart> oh ok, noted
17:58 < petertodd> this means the work done on these child chains will tend to be half that of the parent (assuming the reward is halved for instance)
17:58 < petertodd> however, this also means that a given miner only needs the data, and thus bandwidth, cost of the parent and one child. so the total # of transactions in both children can be higher and the system still works
17:59 < petertodd> the downside is that transactions in either child chain have less security, it only requires 25% of the hashing power to reorg that chain as the parent chain
17:59 < petertodd> got that?
17:59 < arbart> oh wow, yes, a load balancing mechanism :) thinking about the security aspect though
18:00 < petertodd> yeah, so we've figured out how to make it more scalable, now, what about the security? well, let's make a new rule! if a pow solution for a child chain *also* meets the difficulty of the parent, we say that block is fixed - it's only allowed to be reorganized if the parent chain itself gets reorganized
18:01 < petertodd> now it takes 50% of total hashing power to attack the child chain right? nope
18:01 < petertodd> can you guess why?
18:01 < arbart> i guess i'm missing the reorganized part
18:02 < petertodd> reorg just means work is done to extend a block other than the current best block, so when your node learns about the longer chain, suddenly the shorter one is made invalid by definition
18:02 < arbart> well at least because only half the network is working on each side of the chain?
18:02 < petertodd> remember, the problem bitcoin is trying to solve is consensus on what's the longest chain
18:02 < arbart> ah nice okay, was just missing that definition
18:02 < petertodd> arbart: sure, but an attacker can still get some hashing power somehow and reorg one of those child chains, and they only need 25% of the total hashing power to do that
18:02 < arbart> or word i mean
18:03 < petertodd> good
18:03 < arbart> ah right, half of half, got it now.
18:03 < petertodd> yup
18:04 < Luke-Jr> petertodd: you coming to Miami?
18:04 < petertodd> so here's the question: with this fancy "parent chain locks things" scheme, why can the child chain be still attacked with just 25% hashing power?
18:04 < petertodd> Luke-Jr: isn't that, like, right now?
18:04 < Luke-Jr> petertodd: tomorrow :p
18:04 < petertodd> Luke-Jr: heh, nah, tomorrow's my last day of work, couldn't make it
18:05 < petertodd> Luke-Jr: how long does it go? I guess I could strictly speaking... :P
18:05 < Luke-Jr> Saturday and Sunday is the main conference! :p
18:05 < petertodd> Luke-Jr: heh, nah, too tight
18:05 < arbart> hmm, that is a sucky result, a good question to analyze, in order to make sure it is right :)
18:05 < Luke-Jr> Friday is just the pre-conference thing
18:05 < petertodd> arbart: Well, let's think this through: what does attack mean anyway?
18:06 < petertodd> arbart: So, I could attack the chain by making only empty blocks and make it useless, I could also attack it by reorganizing it and double-spending transactions... but there's one other thing I can do.
18:06 < arbart> well the value of what they are attacking is also half i suppose. that counts for enough to throw the game theory?
18:06 < Luke-Jr> petertodd: the first case is debatable
18:06 < petertodd> arbart: maybe! but what if they're just assholes and want to burn the world?
18:07 < petertodd> arbart: we might as well know how much said assholes need to spend
18:07 < arbart> so the one you didn't list is to just not allow new txs to be added?
18:07 < petertodd> Luke-Jr: for sake of argument, we'll say empty blocks are an attack
18:07 < petertodd> arbart: yup
18:07 < gmaxwell> "making only empty blocks and make it useless"
18:07 < arbart> ok, heh, that is the main one i knew about
18:07 < petertodd> arbart: oh, sorry, no, there's one I didn't list that's more subtle
18:08 < arbart> petertodd: ok, i understand, and agree with that knowledge being valuable!
18:09 < petertodd> arbart: I'll give you a hint: this rule where a particularly good PoW "locks" in the chain, how would you actually implement that?
18:10 < arbart> oh my, so put in their own entire child chain?
18:10 < petertodd> well, here's the big thing: in this scheme I'm assuming that miners mining these child chains also have full consensus on the parent, and all associated data
18:10 < arbart> i wondered about the exact implementation of what you asked there, but did not formulate or see how it is done yet.
18:11 < petertodd> yeah, implementation is critical
18:11 < arbart> ok,
18:11 < arbart> i was thinking it wouldn't be that easy for my fear there
12:39 < petertodd> Luke-Jr: Like it or not sometimes there are *very* good reasons to be able to prove that the whole of Bitcoin was able to see your data.
12:40 < Luke-Jr> petertodd: not good reasons to force the whole of Bitcoin to see/store data they never consented to see/store
12:41 < petertodd> Meh, Bitcoin can be a better financial system with some of these uses.
12:42 < jgarzik> Luke-Jr, disagree. Plenty of uses for timestamping. That alone could revolutionize accounting and finance, in a way that bitcoin-the-currency doesn't IMO
12:42 < jgarzik> gotta strike a balance. the majority of users just want to transfer or hold bitcoins-the-currency.
12:42 < Luke-Jr> jgarzik: timestamping does not require cluttering the bitcoin blockchain
12:43 < Luke-Jr> just shove a hash in the merged-mining merkletree and that's it
12:43 < jgarzik> require? no. no other chain has the same strength, so rational economic actors will look at the strongest chain.
12:43 < jgarzik> yes, if there was an alt-chain for data, that all pool ops carried, things would be different
12:43 < petertodd> Luke-Jr: There are applications beyond timestamping you know - announce/commit sacrifices are a perfect example where genuine provable visibility is absolutely vital.
12:44 < Luke-Jr> petertodd: those are just timestamping too afaik
12:44 < petertodd> Luke-Jr: No they aren't: timestamping the announce is useless, you *must* prove that the whole of Bitcoin had the opportunity in advance to mine it.
12:45 < Luke-Jr> hmm
12:45 < Luke-Jr> how would a pre-announce merged-mined block not work for that?
12:47 < petertodd> Luke-Jr: Because if the alt-chain is merge mined by, say, 25% of mining pools your sacrifices are already so dubious as to be nearly worthless.
12:47 < petertodd> Luke-Jr: You need strong convincing evidence that the transaction really was visible to all.
12:47 < Luke-Jr> petertodd: not really. even 25% gives you 1 in 4 blocks
12:48 < Luke-Jr> you just need to wait 1-4 blocks additional
12:48 < Luke-Jr> hmm
12:49 < Luke-Jr> yeah, I think it should be fine
12:49 < Luke-Jr> I do see another problem that affects it regardless of where the pre-announce is done..
12:49 < petertodd> Luke-Jr: It has nothing to do with waiting; the issue is that with 25% a 12.5% pool has sufficient hashing power to 51% attack the proof-of-visibility chain and create sacrifices that were never publicly announced and thus aren't true sacrifices at all.
12:50 < Luke-Jr> petertodd: tie the POV chain to the BC chain
12:50 < Luke-Jr> POV blocks are only valid if they're in the BC chain
12:50 < Luke-Jr> in fact, POV doesn't need a chain of its own at all
12:50 < petertodd> Luke-Jr: Again, that's irrelevant. You need to show that the chain was public knowledge.
12:51 < Luke-Jr> ok, so then make POV a chain again, and each POV block confirms the previous was visible
12:51 < petertodd> Only with a very high participation rate among Bitcoin miners is the proof any good, and frankly at that point you're in the same situation you were before with bloating up a blockchain...
12:52 < Luke-Jr> not the same situation, no
12:52 < Luke-Jr> *users* don't need it
12:52 < petertodd> That's the thing, all it confirms is that x amount of hashing power saw a given transaction, if that x is even just 25% of the main Bitcoin blockchain the proof is already pretty dubious.
12:53 < petertodd> Announce/commit sacrifices already have the issue where you really need to discount them by 50% from the get-go to be sure, and at least 10% or so even if you aren't being cautious.
12:54 < Luke-Jr> why can't you just have a rule that the redemption of a send-to-any must occur in a separate block from the send-to-any itself, to be valid?
12:54 < petertodd> Well, indeed, any type of sacrifice to mining fees, with the possible exception of ones that are only spendable way in the future - months - which can't be done with the current scripting system. 12:55 < petertodd> Luke-Jr: That's what I proposed on the mailing list, and that's a soft fork. The other way is to do the sacrifice as a anyone-can-spend in the coinbase tx. 12:56 < Luke-Jr> petertodd: it's not a soft fork, it just has a risk some miner is a jerk and screws you :p 12:56 < petertodd> Luke-Jr: um... yeah... That's about a 100% risk if fidelity bonds are used even just a bit. 12:56 < petertodd> Luke-Jr: Who doesn't want free BTC? 12:57 < Luke-Jr> too bad there's no nLockTime for scriptPubKeys :P 12:58 < petertodd> Yup... 12:59 < petertodd> Anyway, point is, that's just one example where visibility proofs are essential, and there are a whole lot more out there... dismissing any and all data from the blockchain goes too far. 13:10 < Luke-Jr> I still see no need for it to be part of the BC blockchain 13:11 < Luke-Jr> a merged mine chain can be just as effective while not forcing itself on people who have not agreed to it 13:20 < petertodd> Like jgarzik said with this stuff you want to go for the strongest blockchain, and that'll be Bitcoin. Even merge mining doesn't help there because you are never going to get 100% participation, and if you do, it's damn near equivalent to putting it in the blockchain anyway. 13:22 < Luke-Jr> only equivalent for miners, not for everyone else 13:23 < Luke-Jr> and forcing people to do things against their consent is not justified to get 100% 13:23 < petertodd> Pff, don't give me that consent crap. If you want to enforce that, enforce it with code. 13:23 < Luke-Jr> exactly my point 13:24 < Luke-Jr> POV code should be written so that people can't force others to participate against their consent. 
13:24 < petertodd> People run code that accepts arbitrary data right now; to say they aren't consenting to what the code they are running allows is silly. 13:24 < Luke-Jr> ie, if you don't use the merged chain, I won't recognize your proof 13:24 < petertodd> No, Bitcoin-Qt should be written to match what the users wish to consent too. 13:24 < Luke-Jr> petertodd: no, it isn't silly 13:25 < Luke-Jr> yes, gmaxwell proposed a solution to fix this problem on the Bitcoin side 13:25 < petertodd> If we wanted to govern ourselves by social rules we would be using something other than Bitcoin... 13:25 < Luke-Jr> Bitcoin != anarchist 13:25 < petertodd> yup, and gmaxwell's solution works well and if the userbase wishes to they can use it - if you are so concerned about this go and implement that solution! 13:26 < gmaxwell> feh. never that simple. 13:26 < petertodd> But don't give me crap about consent when people are willingly running code that works otherwise. 13:26 < gmaxwell> In a frictionless enviroment what you say is true, but we're not in a frictionless enviroment. 13:28 < gmaxwell> It's not like accepting my hash preimage stuff even if it were all implemented and tested is costless. A lot of people would resit it because they're simply unsure or don't understand the implications, even people who are very concerned about people stuffing troublesome data on their disks. 13:28 < gmaxwell> Go look at all the sites that will not pay to 3xxx adddresses. :( 13:28 < petertodd> That is true, but going and pouting that people are putting data in the blockchain obviously doesn't stop people from doing so - technical measures stop people. 13:29 < gmaxwell> I don't agree completely. Society is part of how this works too. Pouting influences behavior, including technical ones. It may, in fact, be a necessary precondition to deploying the technical solution. 
13:30 < gmaxwell> We have lots of tools in our toolbelt, and we'd be fools to not use all of them because we've fixated on a particular kind of tool being right for a particular kind of problem. 13:30 < gmaxwell> Though, let me go back here a bit 13:31 < gmaxwell> If you're talking about data which is on the order of 32 bytes/txn ... well, you cannot securely bind a transaction to external data any smaller than that. 13:32 < petertodd> Don't get me wrong, I'm not going to say social measures are useless, my point is that they have proven to be not very useful again and again to anyone who has a reason to go against the social measures. 13:32 < petertodd> They're fine for discouraging people working on hobby projects, but that's about it. 13:32 < gmaxwell> Once you start getting bigger you have to worry that (1) deployment of the preimage stuff will actually break your system, (2) desire to preserve your system (I haven't followed the discussion, I assume you were talking about buting sacrifices in pubkeys?) might be used to argue against preimages, which kinda sucks. 13:33 < petertodd> gmaxwell: Well I was mainly using it as an example where you need a genuine proof-of-visibility and anything less just doesn't work. 13:33 < gmaxwell> amusingly I think that social measures are more effective against businesses han hobby projects the latter is in a better position to say "fuck you, I don't care what _anyone_ thinks" 13:34 < petertodd> gmaxwell: In response to Luke's assertian that merge mine chains and merkle-trees for timestamping is always good enough. 13:34 < petertodd> The problem is in Bitcoin businesses are often totally anonymous, and the issues where the social measures matter are complex technical things. 13:35 < gmaxwell> petertodd: ultimately any idea that depends on getting unjammablity from bitcoin is really fragile, I think. Simply because capacity will kill you if nothing else does. 13:35 < gmaxwell> meh. 
doesn't really matter if they're anonymous or not, I can deny a business income by social ostracism of their _customers_. 13:35 < petertodd> On the other hand if you can architect in a way where limited capacity is ok, it's the best solution out there. 20:12 < maaku> oh i meant lazy vs strict parameter evaluation (e.g. Haskell) 20:12 < jrmithdobbs> after doing nothing but writing haskell for the last 2 months 20:12 < jrmithdobbs> lol 20:12 < sipa> tree pieces are delimited by choose operators 20:12 < maaku> yes you definately need lazy/short-cut conditionals 20:12 < petertodd> gmaxwell, sipa: remember that one potential way of doing this is rather explicitly with OP_EVAL and OP_HASH160 (essentially) 20:13 < gmaxwell> sipa: I think you could go further and have two kinds of choose operator, one that hashes and one that doesn't. 20:13 < sipa> gmaxwell: well there can be a regular ifthenelse operator 20:13 < sipa> that has no choose magic 20:13 < gmaxwell> right. fair enough. 20:14 < sipa> i'm saying the same thing i think 20:14 < sipa> except choose is special in that it explicitly takes a hash as argument, and not an expression 20:14 < gmaxwell> Right. 20:15 < petertodd> sipa: note that simple if-else-endif isn't sufficient if scripts or script fragments can return a value before reaching the end of the block - you might not want the rest of the block to be public 20:15 < sipa> but so is const or access, they don't take subexpression eithet 20:15 < sipa> petertodd: these are not imperative programs, there is no return operator 20:16 < sipa> they're just expressions 20:16 < petertodd> sipa: right 20:16 < gmaxwell> petertodd: even if there were you could always wrap hte hidden data with another choice. 20:16 < petertodd> gmaxwell: true 20:17 < sipa> yeah, choice is there to hide pieces of the script 20:17 < sipa> either because they are large 20:17 < sipa> or because they are private 20:17 < petertodd> sipa: hmm... 
so when is choice not something you can do with an if block? 20:19 < gmaxwell> (kind of a fun thing where we could make standard addresses a choice with ecdsa in one branch and then a hash based quantum hard signature in the other... and if there is a compromise of ECDSA we soft fork to deny ecdsa redemption while people redeem coins via the hash based signing.) 20:19 < sipa> i don't think it's really an if in any caze 20:19 < sipa> let me come up with an example 20:19 < sipa> to do a 1-of-2 multisig 20:20 < sipa> let's say scriptA is something that fetches a sig from the stack and verifies it with pubkeyA 20:20 < maaku> hrm. I just realized that by executing code from the stack Joy/Cat makes it difficult to Merklize... 20:20 < sipa> scriptB is the same, but for pubkeyB 20:20 < petertodd> sipa: right 20:21 < petertodd> maaku: you can still merklize the initial code up to where the stack is executed 20:21 < jtimon> maaku: that seems right, I guess AST-script it is 20:21 < sipa> now you construct a script of the form choice(scriptA,scriptB), and put its merkle root in the output 20:21 < sipa> however, to spend it 20:22 < sipa> you either use choiceL(scriptA,hash[scriptB]) 20:22 < sipa> or choiceR(hash[scriptA],scriptB) 20:22 < petertodd> sipa: see, I'm not sure how that's any different from IF <executed ops> ELSE <hash> ENDIF 20:22 < petertodd> sipa: which is how I always envisioned MAST to work 20:22 < sipa> it's an if then else, but the if/else is hardcoded 20:23 < sipa> it cannot be an expression 20:23 < sipa> its runtime semantics is just the identity 20:24 < sipa> it only affects how the hash of the script is computed 20:24 < sipa> note that choiceL(scriptA,hash[scriptB]) evaluates to just scriptA 20:25 < petertodd> right, and by that I mean in the binary representation of a script, you'd have some way to signify a IF code block that must never be executed, followed by the hash, vs. 
one containing actual opcodes 20:25 < sipa> right, but i don't like to think of it in term of executable operations 20:26 < sipa> it's just a tree with certain parts covered, by giving a hash instead 20:26 < petertodd> well, we're using similar words for the same thing :) 20:26 < sipa> sure 20:27 < sipa> but i think your original question really was 20:27 < petertodd> see, my real point is, with merklized forth it gets even more sophisticated, because your symbol table is hashes of code, and potentially at runtime you'd do something more sophisticated there just get some chunk of code dynamically 20:27 < petertodd> yet you can still arrange such that code that's never executed is never provided 20:27 < sipa> that's over my head :) 20:28 < sipa> anyway 20:28 < sipa> one question is if there are other merkle-choosing-like operations possible 20:28 < sipa> which do not mimick if-then-else 20:29 < sipa> i think if you have some for(i in [0..n], f(i)) operator 20:29 < petertodd> sipa: tl;dr: forth can do the magic that lisp can do, not with macros, but with self-modifying code 20:30 < sipa> with n a constant integer 20:30 < petertodd> right 20:30 < sipa> then you can have a merkle version of it as well 20:30 < sipa> that takes the hash of the non-evaluated loops 20:30 < petertodd> and for that matter, you can do tail-recursion for loops too... 20:30 < petertodd> and that can still be merklized 20:31 < sipa> without needing to reveal how many loops you wanted to be possible 20:31 < gmaxwell> sipa: well ... if you have a homorphic hash you can do 1 of N execution more efficiently. Though I'm not aware of any way to do that which we'd consider in scope for this discussion. 20:32 < sipa> haha 20:32 < maaku> petertodd: how are you going to merklize forth? 20:32 < maaku> ah, are you thinking of replacing a quoted block with its merkle hash? 
20:33 < petertodd> maaku: remember, we're merklizing the potential code that can be run 20:34 < petertodd> maaku: so if you end up with code that defines new symbols, but doesn't use those symbols, then the symbol definition doesn't actually need to happen if that particular execution trace doesn't use them 20:35 < gmaxwell> sipa: so, linear iterative compression. 20:35 < gmaxwell> say you have some straight line code that can stop at some point. 20:35 < maaku> petertodd: ok, in Joy at least "if/else" is handled like so (I think it's the same for Forth): <predicate-evaluation> [quoted-true-block] [quoted-false-block] OP_IF 20:36 < maaku> in other words, push the code on the stack before execution 20:36 < petertodd> maaku: correct 20:36 < maaku> so I suppose we can replace the branch not taken with OP_RETURN (when executing), plus an affixed hash value for what was there 20:36 < gmaxwell> ins0 1 2 3 4 5 6 7 8 you compute H(ins0....H(6|H(7|H(8))...) and then if you execute and run to step 4 and stop, you'd provide 0 1 2 3 4 H(5...H(8)). 20:37 < maaku> ok that would work 20:37 < petertodd> maaku: and a symbol is a chunk of code, so you have <predicate> Symbol1 Symbol2 OP_IF, and symbol2 never executes, then where the symbol is defined in the first place can be replaced with just the hash of the opcodes that would have been put there 20:37 < gmaxwell> I think that structure is not equal to choices. 20:37 < sipa> gmaxwell: that's exactly what i meant 20:37 < sipa> with the for loop 20:37 < gmaxwell> okay, good then I came about to the same thought. 20:37 < gmaxwell> is there something that generalizes those two? are there more? 20:38 < sipa> very good question! 
20:38 < sipa> but it's really about some parametrizable control flow 20:38 < sipa> oh um 20:39 < sipa> this is an expression language 20:39 < sipa> a for loop doesn't really make sense 20:39 < sipa> but you can replace it by a fold 20:39 < sipa> fold(3,f,x) computing f(f(f(x))) 20:40 < petertodd> sipa: you know, you can replace a for loop with repeated opcodes, and zlib compression... 20:40 < sipa> where that recursive hashing becomes much more apparent 20:40 < maaku> jtimon: see above ^^ 20:40 < jtimon> yeah 20:41 < sipa> petertodd: that doesn't allow hiding the number of iterations from the root hash 20:41 < jtimon> "Combinators in Joy behave much like functionals or higher order functions in other languages, they minimise the need for recursive and non-recursive definitions." 20:41 < jtimon> maybe it's relevant although I'm starting to get tired and following your interesting conversation gets harder 20:41 < petertodd> sipa: ah, your example of a for loop is to loop based on a stack constant, not a symbol constant? 20:42 < sipa> petertodd: based on a constant given in the spending script 20:42 < petertodd> sipa: yeah, that's different 20:42 < sipa> petertodd: but NOT given in what goes in the root hash 20:42 < gmaxwell> fundimentally the _maximum_ depth of the loop could be hidden. (mean I can describe a language that allows this) 20:42 < petertodd> sipa: yup 20:43 < sipa> yes, you need to know a maximum iteration count 20:44 < sipa> but you don't have to reveal it 20:45 < gmaxwell> might be interesting to describe a hash based winternitz compressed signature in this language, assuming there exists an OP_PUSH_TX_HASH ... I propose that if our choice operator(s) are good then a maximally efficient winternitz signature will be completely natural. 20:46 < sipa> .. you lost me 20:47 < gmaxwell> sipa: you know how a lamport signature works, right? 
20:48 < sipa> more or less, yes 20:48 < gmaxwell> for each message bit x, reveal either preimage_x or H(x) depending on if the message bit is 1 or 0. The public key is just the root hash over this data. 20:50 < sipa> hmm 20:50 < sipa> i need to see that on paper 20:50 < sipa> but now now 20:50 < gmaxwell> winternitz optimization: take your message bits in groups of 4 bits. so your 256 bit message becomes 64 4 bits words. you have then 64 preimages. H( ... 16hashes total ..H(H(preimage_n))) and your message word selects how deep in this structure you reveal. 20:51 < sipa> right 20:51 < sipa> so you weigh a smaller signatures over deeper hashes 14:37 < adam3us> petertodd: in the next round everyone gets as many votes as they have on their public key and the result defines which tx is first 14:37 < adam3us> (its all random anyway, it doesnt even matter which is first, just that one is chosen) 14:37 < petertodd> Interesting! That could be a decent way to reduce variance, although sounds like distributing the blocks for them to be voted on could be bandwidth intensive. 
14:38 < adam3us> if the reward comes direct, maybe people can direct mine 14:39 < petertodd> (FWIW, fpga hardware is in the realm of 10x to 100x less efficient than ASICs depending on what you are trying to do; the FPGA's are commodity assumption is a lot easier to meet - maybe litecoin scrypt is already there) 14:39 < petertodd> adam3us: an idea I had was for the tx merkle tree to include pow 14:40 < petertodd> adam3us: like, every node on the tree would be able to include a specific pow, and you would sum total work 14:40 < petertodd> adam3us: makes it easy for anyone to do the pow for their own transactions, but the validation of the pow has to be reasonable efficient 14:42 < petertodd> (conveniently medium to high-end FPGAs these days all come with blockrams scattered over the die surface) 14:43 < petertodd> (sizes tend to be in the dozens to low hundreds of KiB per block ram, same size as litecoin scrypt assumes) 14:44 < petertodd> (the block rams however are themselves *not* as efficient as dedicated ASICs, because modern memory uses unique IC processes that verge on black magic; I'd have to investigate more to get an idea of what kinds of cost ratios are involved here and what they'd look like in the future) 14:49 < adam3us> petertodd: "an idea I had was for the tx merkle tree to include pow" did you see this paper http://hashcash.org/papers/merkle-proof.pdf by fabien coelho, i'm pretty sure you did maybe you were on the im thread when i heard a ref to it 14:49 < adam3us> "An (Almost) Constant-Effort Solution-Verification Proof-of-Work Protocol based on Merkle Trees" 14:50 < adam3us> its just space optimization and verification time optimization over sending n sub-puzzles, but its quite nice 14:50 < amiller> i bring up that paper a lot 14:50 < amiller> (but when i do, it never solves the problem i want it to) 14:50 < adam3us> amiller: it ws probably you i heard it from 14:52 < petertodd> right, that's where I got the idea 14:52 < adam3us> anyway in principle 
if you can earn voting rights by making disconnected proofs of work the proofs of work are not first past th post races and could even be deterministic (0 variance) 14:53 < adam3us> an end to luck, and you pick your own work size 14:54 < petertodd> Right, but how will that avoid the fastest miner wins problem? 14:54 < adam3us> petertodd: "sounds like distributing the blocks for them to be voted on could be bandwidth intensive." well they're broadcast already for spending 14:54 < adam3us> petertodd: well there is no winner, everyone collects voting power 14:55 < adam3us> petertodd: then you take a vote on which of double-spent tx are first 14:55 < adam3us> petertodd: tx with highest (or lowest) vote wins 14:55 < petertodd> Right, but think about the mechanics a bit more: how do you come to consensus on what block you're even going to vote on? 14:55 < adam3us> petertodd: like i say i dont think it even matters which is first, just that one wins - mining is quite random - the decision is made by a random node in proportion to power 14:57 < adam3us> petertodd:yes i get what you mean, but i this case as the voting rights are disconnected from the item voted on, ou can just vote on the few tx that have any conflict (maybe) individually or a sig on a list of them 14:57 < amiller> whta bout dakami's proof of x86? 14:57 < amiller> i wanna see that 14:58 < adam3us> amiller: dont know i just saw something vague from peter vesennes(sp?) forwared from xgbtc (ex google bitcoin list) how exclusionary! 
14:58 < amiller> it's like the corollary of the no-free-lunch theorem 14:58 < amiller> everyone's optimal at something 14:58 < adam3us> amiller: i think some people are still stuck at not realizing a GPU *is* a better cpu (for mining) 14:59 < petertodd> adam3us: right, but you have to be careful to make sure that people can't reassign their votes - maybe force the pow that creates the votes reference a blockhash for timestamp that hash 15:01 < Luke-Jr> amiller: give Intel a monopoly on bitcoin? 15:02 < amiller> Luke-Jr, i wouldn't have chosen x86, presumably if you can do it for x86 you could do it for anything else too like a TI dsp which has an open spec, or arm 15:02 < Luke-Jr> ARM is even more closed than x86 15:02 < Luke-Jr> I'm not aware of any open TI dsps 15:02 < amiller> i don't even think it's a desirable property, i think bitcoin mining *should* only run on dedicated hardware :/ 15:02 < Luke-Jr> perhaps a subset of MIPS would work :p 15:03 < Luke-Jr> amiller: yes, but obviously this would be defining dedicated hardware as "x86" 15:03 < petertodd> amiller: that means control of bitcoin is centralized in the hands of the 2-3 chip fab companies in the world 15:03 < Luke-Jr> back in 2009, an ideal POW would have been one where RAM *was* the ASIC; but SHA256d has caught up 15:03 < amiller> build more chip fabs then 15:04 < petertodd> amiller: the entire world economy appears to be too small to do that. seriously 15:04 < amiller> meh 15:04 < petertodd> amiller: leading edge chip fabrication facilities are insanely expensive 15:04 < amiller> perhaps those don't even optimize for the kind of thing that makes a good bitcoin miner? 15:04 < amiller> i guess that doesn't make nsese 15:05 < petertodd> I understand your concern re: hash-reenting attackers, but understand it's a trade-off. It would be *very* easy for only a few governments (probably just one) to demand that all Bitcoin mining hardware be regulated in the future. 
15:06 < Luke-Jr> frankly, POW is flawed unless over 50% of the world's electric production goes into mining at the most efficient way possible 15:06 < amiller> that is only if your attacker is that big 15:06 < Luke-Jr> frankly, POW is flawed unless over 50% of the world's electric production goes into mining at the most efficient way possible 15:06 < Luke-Jr> at some point, a replacement is needed 15:08 < petertodd> Luke-Jr: nah, that's a certificational flaw, not a pragmatic one :) The flaw really is more that the effort that goes into proof-of-work is only economically, say, 1% to 10% of the value of the system per year, which means any attacker gets a fairly large ratio of value destroyed to value spent, but there's nothing new about that... (box-cutters vs. the WTF) 15:08 < adam3us> petertodd: "adam3us: right, but you have to be careful to make sure that people can't reassign their votes - maybe force the pow that creates the votes reference a blockhash for timestamp that hash" yes there would have to be a timestamp chain included in the work to define the range of tx allowed for voting, and i suppose all previous round tx need to go in there also which comes back to how do you arrive at a serialization 15:08 < petertodd> s/WTF/WTC/... 15:09 < adam3us> amiller: re kaminksy this is what was forwarded to me email, posted by peter vessenes: 15:09 < petertodd> adam3us: yup, and it sounds like it'll be tricky to come up with a sufficiently simple system for that! though maybe just a direct timestamp chain would work, I'd have to think more... 15:09 < Luke-Jr> petertodd: I'm assuming the value goes up forever 15:09 < petertodd> it'd be really cool if a pure timestamp chain came out of this effort with a fairly short block interval... 15:09 < petertodd> Luke-Jr: ? 15:10 < adam3us> amiller: (on the ex google btc list) " Kaminsky proposed to me a proof of execution architecture plan which 15:10 < adam3us> sounds like it could guarantee it was running on Intel cores. 
I don't 15:10 < adam3us> want to steal his thunder, but it would be a proof of work that could 15:10 < adam3us> (provably?) disintermediate both botnet miners and ASIC companies. 15:10 < adam3us> I've been trolling around for someone to lead a 'health of mining' 15:10 < adam3us> committee for the Foundation, but haven't found someone willing to do the work of pulling the right folks together -- any volunteers here?" 15:10 < Luke-Jr> petertodd: at some point, it will become worthwhile to attack 15:10 < Luke-Jr> adam3us: ex google btc list? 15:12 < adam3us> sorry that was messed up, again: vesennes "Kaminsky proposed to me a proof of execution architecture plan which sounds like it could guarantee it was running on Intel cores. I don't want to steal his thunder, but it would be a proof of work that could (provably?) disintermediate both botnet miners and ASIC companies. I've been trolling around for someone to lead a 'health of mining' committee for the Foundation, but haven't found someone wi 15:12 < Luke-Jr> sounds like something I'm already involved in, though not as a committee 15:12 < sipa> adam3us: the foundation hasn't really had much to do with development or technical stuff 15:13 < adam3us> petertodd: "it'd be really cool if a pure timestamp chain came out of this effort with a fairly short block interval..." (yeah I know you like your timestamp server;) 15:13 < sipa> also, what do you mean by 'ex google btc list' ? 15:13 < sipa> is there a bitcoin mailing list for ex-googlers? :p 15:14 < adam3us> luke-jr, amiller, sipa: yes when my buddy forwarded it to me (I dont know how he got it because he's not an ex-googler) I was like WTF? exclusive ex-google bitcoin list? 
how ugly and exclusionary 15:15 < adam3us> could imagine vessenes got the wrong idea kaminsky likes to throw off the cuff thoughts and rants without thinking them through it maybe quite an unvalidated vague design idea 15:15 < Luke-Jr> adam3us: anyhow, health of mining is right up the avenue of things I've been doing for a long time 15:15 < amiller> former-marine silk-road squad 20:20 < petertodd> CodeShark: yeah, they fucked that one up though because strings blk*.dat wasn't cut-n-paste-able 20:20 < petertodd> CodeShark: cute though 20:21 < CodeShark> the retrieval tool shouldn't rely on the blk*.dat files at all 20:21 < CodeShark> retrieval should be possible via p2p protocol 20:21 <@gmaxwell> petertodd: see, you don't need an upload tool.. you just need datacoin. 20:21 < petertodd> CodeShark: no, I just mean that bootstrapping it was tough because you had to decode the tx containing the tool yourself 20:22 <@gmaxwell> it has the tool built in. 20:22 < petertodd> CodeShark: well that's a fun one: you can easily design this stuff to be SPV compatible re: bloom filters 20:22 < petertodd> CodeShark: even easier if someone implements prefix filters 20:23 < CodeShark> right 20:26 < petertodd> gmaxwell: it's always a trade-off between fees and security of your data... 20:27 < CodeShark> well, wrt txout bloat, the most sensible "wizards" solution seems to be to decrement the output value as a function of age until it drops to zero, at which point it is unspendable 20:28 < petertodd> CodeShark: MMR TXO commitments shift storage to wallets (roughly speaking) 20:28 < CodeShark> MMR - not sure I'm familiar with that acronym 20:29 < petertodd> CodeShark: merkle-mountain-range 20:29 < CodeShark> how does that work? 
20:30 < petertodd> CodeShark: https://bitcointalk.org/index.php?topic=314467.msg3371194#msg3371194 20:31 < petertodd> CodeShark: there's some ugly issues re: bandwidth storage tradeoffs however - given that miners don't actually have an incentive to broadcast their blocks to >%30 of hashing power there can be incentives to make blocks full of UTXO spends that are ancient that no-one has cached 20:32 < petertodd> CodeShark: but that's a general problem... 20:34 < CodeShark> ah yes, interesting stuff. it's too bad the forums are so cluttered with garbage on occasion you do find good reads. I suppose I could filter by author :) 20:34 < petertodd> CodeShark: heh, well my fault for not having it writtne up as a paper yet 20:43 < CodeShark> the way things are right now, a secure signing node would have to store the complete transactions containing their outputs anyhow 20:43 < CodeShark> if for no other reason than that there's no other way for it to verify the output values 20:44 < CodeShark> so here we're also adding an O(log2) structure for proofs 20:44 < CodeShark> of existence in blocks 20:50 < CodeShark> existence of new outputs/removal of spent outputs, I should say 20:50 < petertodd> yeah, it's a fair bit of bandwidth over just the txin data 20:51 < petertodd> OTOH it is purely a tradeoff - if you have the UTXO set you don't have that cost 20:54 < CodeShark> so you would advertise whether or not you have the UTXO in the initial handshake? 20:55 < nsh> hmmm, there might be privacy implications in the negotiation 20:55 < petertodd> well, e.g. 
for a block being distributed if you don't have the utxo ask your peer to provide the proof 20:55 < CodeShark> asking the peer to provide the proof requires one more roundtrip which introduces greater latency 20:56 < petertodd> CodeShark: yup, which is why you want to have as many utxo's on hand as you can store 20:56 < CodeShark> point is you could establish whether or not you have the complete utxo in the initial negotiation 20:56 < petertodd> CodeShark: but at some point you run out of space, so you drop ones that are unlikely to be spent 20:56 < petertodd> CodeShark: well you could give your peer a bloom filter of wha tyou have, for example 20:57 < CodeShark> right, something along those lines might work 20:57 < petertodd> yup, lots of options, main thing is that all those options are things that aren't forks 20:59 < nsh> perhaps it might be good to enable an ecology to these things: let various different approaches be 'right' and let natural selection on the basis of effectiveness and cost tend toward improvement 21:00 < nsh> the monocultural aspects of the bitcoin network should be whittled to a fine point of essential security and consistency 21:00 < CodeShark> problem is natural selection favors diversity (i.e. forks) 21:00 < petertodd> nsh: agreed, although people tend to complain that their wallets don't go fast :) 21:01 < nsh> mmm 21:01 < CodeShark> well, these approaches don't require block chain forks - but they do require care with protocol issues 21:02 < nsh> CodeShark, can't you look at the (hard)fork border as the boundary of an island (let's call it Coinagascar)? you can still have diversity within those confines... 
21:03 < CodeShark> I suppose we could separate the core validation algorithms from the specifics of the protocol itself :) 21:03 < CodeShark> as in the specifics of networking with pees 21:03 < CodeShark> *peers 21:03 * nsh nods 21:04 < nsh> the downside is that you lose some of the shepherding function of the core dev team 21:04 < nsh> but i would anticipate that function isn't long-term sustainable if bitcoin grows into a very large ecosystem anyway 21:05 < nsh> and it's already accepted that you choosing to use one solution over another can have financial implications 21:05 < nsh> s/you // 21:18 < maaku> "In conclusion, I think that humanity should stop publishing papers about Byzantine fault tolerance. I do not blame my fellow researchers for trying to publish in this area, in the same limited sense that I do not blame crackheads for wanting to acquire and then consume cocaine." 21:19 < maaku> ah, microsoft research, how i love thee 21:19 * nsh smiles 21:21 < nsh> hah, that whole piece is great 21:21 < nsh> ( https://research.microsoft.com/en-us/people/mickens/thesaddestmoment.pdf ) 21:25 <@gmaxwell> it's generally true of Byzantine fault tolerance. People who shit on Bitcoin are either in denial or unaware of the complete failure that field has been. 21:26 <@gmaxwell> An endless series of impossibly complicated protocols which can only work under highly unrealistic constraints and which generally burst into flames on contact with reality. 21:32 <@gmaxwell> it's basically a field that people have been wanking on more or less ineffectually since the late 1970s, making little useful progress, and then Bitcoin comes along and delivers a working system that is secure in the anonymous model, where like everything else required previously agreed participants, requires linear communication (as opposed to quadratic in the number of participants), and is relatively simply explained vs the charts ... 21:32 <@gmaxwell> ... in that paper. ... 
and did so basically as a footnote on the way to producing an entirely new kind of currency. 21:44 < nsh> reminds me of... atomic chemistry until the 1870s. decades of top scientists debating fancy models, vortex theories, all sorts of complex contrivances, and then Mendeleev comes along with the periodic table, pow! 21:49 < petertodd> gmaxwell: OTOH PoW blockchains appear to only work in conjunction with financial incentives 21:50 <@gmaxwell> petertodd: indeed, bitcoin is _not_ a fully general solution. 21:51 < petertodd> gmaxwell: though in many cases you can limit your "byzantine fault vulnerability" to a small part of software that is trusted to give an honest signature for some type of "fake work" 21:51 <@gmaxwell> it just happens to work (so far) for like ... the only application known where byzantine fault tolerance was actually a hard requirement. :P 21:51 < petertodd> gmaxwell: lol, there is that! 22:06 < nsh> serendipity --- Log closed Wed Dec 25 00:00:25 2013 --- Log opened Wed Dec 25 00:00:25 2013 --- Log closed Thu Dec 26 00:00:28 2013 --- Log opened Thu Dec 26 00:00:28 2013 14:14 < adam3us> nxt yet another big-claim-alt? 100% proof of stake in their case and its own block chain, no source code so far. all very confusing. claimed market cap > mastercoin already $100mil http://coinmarketcap.com/ i guess those market caps could do with some market depth caveats really 14:15 < adam3us> for the solidcoin spectators https://nextcoin.org/index.php/topic,104.0.html 14:15 < maaku> adam3us: it's pre-listed on a regular old web exchange 14:15 < adam3us> yes its unclear what if anything the price on dgex.com means - could be manipulated and controlled by nxt devs with ~0 mkt depth 14:16 < maaku> presumably with withdrawls eventually being handled via a premine 14:16 < adam3us> maaku: 71 "investors" donated a total of 21 btc < 1month ago and yet the claim it has a market cap of $100m... 
ha ha 14:17 < maaku> personally, I never understood the utility of proof-of-stake mining in any fraction 14:17 < maaku> especially when subsidies are involved ... all sorts of bad incentives 14:17 < maaku> about all its done is distract people from the real utility of PoS 14:18 < adam3us> maaku: well superficially it sounds interesting that eg ppcoin claim that for self interest someone holding 10% of stake would not want to double spend or he'd damage value of his own holdings however, then there is an unfair mining advantage to the stake holders which is a diff problem 14:19 < maaku> adam3us: yes, but the way to achieve that control is to allow the PoS participant to vote on something akin to a checkpoint 14:19 < maaku> not to have some sort of protocol-level conversion metric between stake and hashpower 14:19 < adam3us> maaku: i presume u mean effectively different votes for validity vs reward 14:20 < maaku> adam3us: i mean a different protocol for considering best block which takes into account out-of-band stakeholder votes 14:21 < adam3us> maaku: well nxt is 100% stake.. not sure if that even quite makes sense. the stake was bought for 21 btc in the last month! 17:04 < petertodd> tromp__: anyway, how much hardware design have you actually done? like, any at all? have you even taken a simple digital logic course and played around with some FPGAs? 17:05 < tromp__> yes i did digital logic as part of my cs curriculum 17:05 < tromp__> but never played with FPGAs 17:05 < petertodd> tromp__: yeah, digital logic, but did it talk about implementation level issues? 
17:06 < petertodd> tromp__: I'd highly suggest learning about FPGAs at least before you try to design any more PoW algorithms - at least FPGAs let you see how your logic is physically synthesized 17:06 < phantomcircuit> petertodd, this seems like it would at least be better than scrypt as a memory hard function 17:07 < tromp__> scrypt isn't technically a proof of work 17:07 < tromp__> since it's doesn't have trivial verification 17:07 < phantomcircuit> main memory access with DDR3 is ~300 ns 17:07 < petertodd> phantomcircuit: maybe, but the question is memory hard actually what you want? gmaxwell's been pointing out that it's power that matters generally for running costs 17:08 < grazs> hmm, interesting 17:08 < petertodd> grazs: quite likely scrypt is actually *worse* for password hardening because it doesn't use as much power as other alternatives 17:09 < grazs> petertodd: my brain is stuck, I will meditate on this, had kind of an aha-moment though 17:10 < phantomcircuit> petertodd, if you can shift the costs from marginal to capital that is preferable as it reduces the incentive to be dishonest 17:10 < petertodd> phantomcircuit: only for non-commodity hardware 17:10 < phantomcircuit> if you've invested 10m into hardware which wont pay for itself for 10 years you're not going to be dishonest at year 1 17:10 < petertodd> phantomcircuit: for asic-soft algorithms that's a solved problem :) 17:11 < phantomcircuit> petertodd, well yes and no 17:12 < petertodd> tromp__: anyway, I gotta go - learn some more about digital logic and electronics - you need to be at the point where you can draw a reasonable design at the physical layout level, that is how the transistors are located and what wires connect what, if you want to be able to understand this stuff sufficiently 17:12 < phantomcircuit> petertodd, as it stands today the capital cost of asics is significant 17:12 < phantomcircuit> buttt 17:12 < phantomcircuit> that's going to change 17:13 < phantomcircuit> power costs 
are already significant but not the most significant 17:18 < tromp__> if anyone else has feedback on Cuckoo Cycle, i'd love to hear about it 17:19 < tromp__> it can't get much worse than being told it's the exact opposite of asic-hard :) 17:21 < azariah4> would the proposed ethereum contracts make sense if a contract is run on each node receiving a tx? 17:21 < nsh> additionally, it causes terminal cancer in puppies and war orphans 17:21 < nsh> :) 17:21 < azariah4> it seems they would need some way to only run once, or atleast on a limited number of nodes, with e.g. SNARK so other nodes can verify instead of actually running the script 17:22 < azariah4> especially given the fee per op/storage scheme 17:27 < tromp__> i've seen mention of SNARK proof size being very manageable at 288 bytes, but what's not clear to me is how much time the verification takes and whether that's practical 17:28 < tromp__> AFAIK ethereum is vague on how the processing fees for running scripts are actually distributed and to whom 17:28 < tacotime_> SNARK verification at 288 bytes is trivial 17:29 < tacotime_> But the parameter file size is not iirc 17:30 < tacotime_> For the zerocash implementation, the parameters file for their functions was over a gigabyte. 17:30 < nsh> closer to 2Gb iirc 17:32 < nsh> (i still can't intuit what this public parameters file _is_ -- how it's used as a resource...) 17:32 < azariah4> I suppose the fee scheme for contracts in ethereum could be made so that fees for a script can only be collected by the miner who mined the block containing the tx triggering the contract 17:32 < azariah4> that would make it unlikely (but not impossible of course) for other nodes to run the script 17:34 < tacotime_> nsh: gmaxwell probably knows more about what the parameters files do exactly, I still don't totally understand SCIPs. 
My understanding (which could be totally incorrect) is that for any given program you need to generate these parameters and disseminate them with the code you wish to have executed and verified. Then they are used (how?) when you issue arbitary inputs to the code to 17:34 < tacotime_> generate proofs that verify your given output. 17:35 < tacotime_> And that the parameters file must arise from a trusted source. 17:35 < nsh> ack to all of that 17:36 < nsh> but in terms of the proving and verifying algorithms: what use they make of the pubparam data 17:36 < nsh> i should just read the papers harder :) 17:37 < tacotime_> I'd love to do that if I didn't have all these other things to do for my grad studies in another field. :P If you figure it out, ELI5 it to me 17:37 < tromp__> so the parameter file is like a proof template that require further specification of 7 "points" that get encoded in 288 bytes 17:40 < nsh> okay, but what does template mean in terms of to a mathematical process? 17:40 < nsh> s/ to// 17:44 < tromp__> i imagine it's like the these steps http://en.wikipedia.org/wiki/Elliptic_Curve_DSA#Signature_verification_algorithm in the case of an ECDSA "contract" where (r,s) are the additional points 17:44 < tromp__> those steps are a lot shorter than 1Gb though 17:44 < nsh> andytoshi can explain! 17:45 < nsh> in zk-SNARKS, andytoshi: what is the it, algorithmically, about the public-parameters that is used in the proving and verifying processes? 17:45 < andytoshi> hi nsh, my logs only update every 12 minutes so i don't have any context 17:46 < nsh> i've been trying to get a handle on what is special-and-super-handy about the big public parameters in zk-SNARK systems 17:46 < andytoshi> one sec, i have the snark paper right in front of me.. 
17:46 < nsh> so far i have a sense that it's some kind of common 'landscape' 17:47 < nsh> and the proof delineates a set of points that allow traversal of the landscape, with traversal being tantamount to verification of the computation's integrity 17:48 < nsh> but that's a long way from groking (and probably wrong, anyway) 17:48 < andytoshi> well, it's similar. the first step in the snark proof is to translate from ordinary C into an arithmetic circuit 17:48 < andytoshi> an arithmetic circuit is a directed acyclic graph where each node is labelled by a semiring operation (addition or multiplication) 17:49 < andytoshi> so you can construct polynomials in terms of that, and it turns out you can translate any bounded running-time program into such a circuit 17:49 < andytoshi> so the "landscape traversal" is just following the dag 17:50 < andytoshi> but there is some more complication because of the memory. circuits do not really encompass reading/writing to memory so there is additional work to do to verify that every read matches an earlier write.. 17:50 < nsh> right 17:50 < andytoshi> but in some sense that is incidental, the conceptual miracle happens even without memory 17:50 < nsh> so what is contained in the 1.7Gb pubparem file? and why is it all needed? 17:51 < tacotime_> Is certainty in the case of SCIPs probabilistic for some proof of execution? 17:51 < andytoshi> tacotime_: yeah. but according to the baysians all proofs are probabilistic anyway so this is no problem :) 17:51 < tacotime_> Heh. 17:52 < andytoshi> nsh: sorry, i'm flipping through the snark paper to look at how they compute the execution trace to see if there is some 'simple' idea which gives the compression 17:53 < andytoshi> gmaxwell might know this better than i, it deals heavily in linear pcps which i had never heard of before this paper. so that's some background reading i have to do.. 
17:56 < andytoshi> Section 3 Verifying Circuit Sat via Linear PCPs is the relevant part of the ben-sasson paper @ http://eprint.iacr.org/2013/507 it has a 'high level' overview but i haven't read it well enough to summarize what's going on 17:58 < azariah4> this paper has some nice gems, hehe 17:58 < azariah4> "Concrete implementations are upper-bounded by computer memory size (and ultimately, the computational capacity of the universe), and thus their asymptotic behavior is ill-defined." 17:58 < azariah4> :D 18:05 < nsh> (dropped out for a moment there; local network troubleshooting for a stupid blue-ray player) 18:06 < andytoshi> what is the last thing you heard? 18:06 < nsh> -- 18:06 < nsh> <andytoshi> nsh: sorry, i'm flipping through the snark paper to look at how they compute the execution trace to see if there is some 'simple' idea which gives the compression 18:06 < nsh> <nsh> k 18:06 < nsh> [..] 18:06 < azariah4> andytoshi: they mention memory consistency though 18:06 < nsh> <andytoshi> Section 3 Verifying Circuit Sat via Linear PCPs is the relevant part of the ben-sasson paper @ http://eprint.iacr.org/2013/507 it has a 'high level' overview but i haven't read it well enough to summarize what's going on 18:06 < nsh> -- 18:06 < azariah4> in 2.3.2 18:06 < nsh> (missed the whatever was in the ellipsis) 18:07 < andytoshi> nsh: ok, that's the last thing i said. azariah4: yeah, of course, they solved that problem. but it's not relevant to conceptual questions about snarks 18:07 < andytoshi> nsh: also i said 18:08 < andytoshi> gmaxwell might know this better than i, it deals heavily in linear pcps which i had never heard of before this paper. so that's some background reading i have to do.. 
18:11 * nsh nods 18:11 < nsh> thanks in any case 19:38 < adam3us> gmaxwell: so set r'=R.x, and find a new Q' =cQ that matches ie its true that sR=H(m)*G+rQ' = sR=H(m)*G+r*c*Q 19:40 < adam3us> gmaxwell: for that to work rc = r', so c=r'*r^-1 mod n; now you have a standard DSA sig but on a multiple of the recipients public key, the factor c is secret as the random factor in the chameleon hash 19:45 < adam3us> gmaxwell: forgery by the recipient would be again sR=?H(m)G+rcQ to find a different c' that matches a different H(m') ie to find sR=?H(m')G+rc'Q but as the recipient knows d from dG=Q he can write that sR=?[H(m')+rc'd]G vs [H(m)+rcd] so H(m')+rc'd=H(m)+rcd, so c'=(H(m)-H(m')+rcd)/rd 19:45 < adam3us> gmaxwell: seems to work (though I am tired so i may have screwed something)... did you have an app in mind? 19:46 < adam3us> gmaxwell: maybe more direct bitcoin integratability because it already understands and serializes ECDSA sigs? 19:46 < gmaxwell> adam3us: yea my thought there is that people already have ECDSA code, so a chameleon hashs based on one would be easy to integrate. 19:47 < adam3us> gmaxwell: makes sense and kind of convenient it provisionally seems to work 20:05 < Luke-Jr> http://siliconsaint.blogspot.se/2012/07/temperature-inversion-in-deep-sub.html --- Log closed Sun Oct 27 00:00:48 2013 --- Log opened Sun Oct 27 00:00:48 2013 05:47 < gmaxwell> adam3us: thank you very much for the crypto-anarchy explination on the forum. It's good to have someone post a structured view, instead of responding to that kind of complaint with "omg fight opression!" 
10:47 < adam3us> gmaxwell: some people seem to say hal finney is not pro crypto anarchy I saw, but from what I recall of old cypherpunks posts he has really calm principled/reasoned arguments for why privacy is essential, because you need cryptography to enforce what are actually legal rights strongly etc, and he implemented and operated the first PGP based anonymous remailer, and RPOW and he was i think the first PGP employee after zimmermann also, its very 10:48 < sipa> its very[...] 10:48 < K1773R> 512 line limit of IRC :P 10:48 < K1773R> s/512/512 chars per/ 10:49 < K1773R> seems like a poor irc client :S 10:49 < sipa> i know few that deal well with overlong lines by default 10:50 < adam3us> its pidgin/linux hmm:... he (Finney) implemented and operated the first PGP based anonymous remailer, and RPOW and he was i think the first PGP employee after zimmermann also, its very hard to argue with things the way he puts them 10:51 < sipa> who is 'he'? 10:51 < adam3us> hal finney 10:51 < sipa> hmm, i don't understand 10:51 < adam3us> sipa: we were talking about explaining motivations for cryptographic privacy and I was saying i thoght hal finney does a nice job 10:51 < sipa> ah, by "hard to argue with" you mean "he is right"? 10:52 < adam3us> sipa: oh yes... i mean it sounds so reasonable and logical and non-controversial that the opponent is going to sound like an idiot or churlsih to disgree :) 10:52 < sipa> right, got it 10:53 < sipa> "hard to argue with" sounded like "so stubborn you don't want to argue with" 10:53 < adam3us> sipa: whereas as gmawell said most people say things like "beat state" and what not and then people with statist view lose sight of reason 10:54 < adam3us> sipa: nah - i never actually met him in person, but net the net he is the nicest fellow, least likely to get in a flame war, and actually doing a lot of privacy useful coding, so productive on the "cypherpunks write code" scale also 10:55 < sipa> scale also[...] 
10:55 < sipa> wait, that is actually the end :) 10:55 < sipa> sorry, misparse 11:00 < adam3us> sipa: it was in relation to this bitcointalk thread https://bitcointalk.org/index.php?topic=318279.msg3419734#msg3419734 11:01 < adam3us> sipa: which was about chameleon hashes from greg but rapidly diverged into politics when someone said "what you want to forge a contract?? thats illegal" as a complete mismatch of understanding 11:01 < HM2> Snow Crash is an awesome book 11:01 < sipa> i remember why i stopped reading the forum :) 11:01 < HM2> The Baroque Cycle series is also great 11:03 < HM2> I can't remember if it was one of the BC books or Cryptonomicon that had the offshore data haven project 11:03 < adam3us> sipa: its almost funny, advanced math & bitcoin limits mixed with "doh" level newbies he he 11:04 < adam3us> HM2: i think that might've been cryptonomicon yes - very cool, like the pirate bay they are also jurisdiction hopping seemingly successfully for many years playing whack-a-mole, or havenco was the closest thing on the offshare oilrig/micro-nation-state 11:07 < HM2> this Chameleon hash thing sounds interesting 11:07 < HM2> it effectively turns the terms of the contract in to a key, right? 
11:08 < adam3us> HM2: i love the line in snow crash where they run into the "president of the united states" and no one knows who he is or cares - sort of like the token "president" of somalia he's only president in his own mind as the state is a distant memory 11:08 < HM2> lol i don't recall that 11:10 < HM2> hmmm 11:12 < adam3us> HM2: so the idea which was greg's is that alice & bob can have a contract but keep the contract private, and bob cant tell other people the contract because he has the private key to could forge any contact 11:14 < adam3us> HM2: and yet if bob cheats and doesnt fulfill the contract alice can shame him by revealing the contract, it must be true because either that is the contract, or bob forged it; if bob forged it he's renegning on the contract and if he doesnt forge it alice has some proof that can convince others of what bob agreed to 11:15 < adam3us> hm2: its a bit like a non-transferable signature, except then either party could forge the contract, so alice cant prove anything to other people to shame bob and tarnish his reputation for cheating 11:16 < adam3us> hm2: so its forgeable, but only by bob some kind of mix of a hash function on one side and a non-transferable sig on the other; quite a nice building block 11:17 < HM2> How does the public remediate contract disputes exactly? 
11:18 < HM2> If Alice is selling Bob something then either Alice can access the wallet and complete the contract or some public action + Bobs proof of contract can 11:18 < adam3us> HM2: they dont exactly, but if bob has a nice ebay-style rating there is a threat that alice can prove things to other people if he cheats, so he has an incentive to play nice 11:19 < adam3us> hm2: oh yes, the relation to the contract hash, is that in order to cash the payment, bob effectively demonstrates he has the hash, because he has to multiply the base address by it 11:19 < HM2> right so it's not a system to prevent you from being screwed over, like a reversal in a blockchain like system? it's just a reputation system 11:20 < adam3us> hm2: so he cant deny all knowledge as everyone can see the cash in his address and the tx which can be seen to hash from the contract to his address 11:20 < adam3us> hm2: yes its interesting because its simultaneously private (because its non-transferable) and yet there is still a threat of revealing the contact 11:20 < adam3us> hm2: contract 11:21 < HM2> right but if Alice sells Bob a TV and Bob claims he he never received it but Alice took the money, and Alice said Bob did receive it. what do you gain? it's still open to dispute 11:21 < adam3us> hm2: its unusual because normally its either non-transferable or its signed (non-repudiable) and yet like OTR you dont want non-repuiable signatures published or the other party to renege on the implied privacy 11:22 < adam3us> hm2: yes greg on the post mentioned if its a physical item or a matter of opinion kind of contract you might add an arbitrator 11:22 < HM2> what kind of contracts actually benefit then? 
11:22 < adam3us> hm2: but if its straight up swap 1BTC for 150 LTC 11:23 < adam3us> hm2: well that could probably be done atomically, but where you are relying on reputation and want contract privacy 11:23 < HM2> hmm 11:23 < adam3us> hm2: i mean the thesis is that private contacting parties should not have to tell anyone about the contents of their contract 11:23 < adam3us> hm2: so maybe alice doesnt know bob that well and doesnt quite trust him not to blab and show everyone else the ebook she bought because its racy 11:24 < adam3us> hm2: with normal signed contracts bob can prove that because alice signed her order, so bob can embarrass her 11:25 < adam3us> hm2: with chameleon hash based sig, bob cant really do that because bob can make that contract say whatever he wants (he can forge it), so no one will necessarily believe him as there is no transferable proof 11:25 < HM2> oh i'm slowly getting it 11:25 < HM2> so you have a transaction that can be shown by one party to be for anything 11:25 < HM2> and by the other for one specific thing 11:25 < HM2> is that about it? 11:25 < Luke-Jr> sounds useless <.< 11:26 < adam3us> hm2: so far thats standard non-transferable sig (opposite of non-repudiable sig), but the interesting new feature is that in addition to that, alice can actually prove bob accepted the contract so the power to prove things is asymmetric 11:26 < adam3us> hm2: yes 11:26 < HM2> big words like repudiable don't do well for me on Sundays 11:26 < Luke-Jr> lol 11:27 < adam3us> luke-jr: spoilsport - actually i think probably it should be the default sig in smart contracts / bitcoin script! you do want the mechanism to not have unintended side effects for the users 11:27 < HM2> oh 11:27 < HM2> so how does one construct a Chameleon hash with ECs? 
I understand basic EC algebra 11:27 < Luke-Jr> adam3us: a contract you cannot prove the contents of cannot be enforced, thus has no purpose 11:27 < adam3us> hm2: you dont want that should say 11:28 < adam3us> luke-jr: but you can prove it (alice can) 11:28 < adam3us> luke-jr: its just bob that cant 11:28 < Luke-Jr> adam3us: a one-sided contract is nasty enough already 23:37 < petertodd> gmaxwell: so is this partial UTXO mode scary enough that you'd rather not see it happen or what? I figure long-term we need UTXO posession proofs for miners, and it pushes decentralization by making it easier to run a full-node 23:38 < petertodd> gmaxwell: I really like how it lets those nodes do useful work for the network - relaying tx's increases your anonymity set, and they can serve SPV nodes just fine 23:39 < petertodd> gmaxwell: heck, add a way to make bogus tx's expensive and they can even relay any transaction, or just rely on how the proofs that a tx was bogus just give the partial-UTXO holders information they would have retrieved later anyway 23:39 < petertodd> (needs a relatively expensive *spent* UTXO map, but that map can be distributed) 23:39 < gmaxwell> I don't see why it would hurt.. but if there were a committed utxo you could relay any transaction just by getting the membership proofs for its inputs. 23:40 < petertodd> gmaxwell: yes, that too, and it'd lead to a mode of use more applicable to adding committed UTXO later 23:46 < Luke-Jr> petertodd: should I post "needs rebase" to all your open pullreqs that need it, or can I just make you a list here? 23:47 < petertodd> Luke-Jr: nah, add it to the pullreqs 23:47 < Luke-Jr> k 23:51 < petertodd> Luke-Jr: nLockTime rolling for mining - what timespan do miners actually change the timestamp when doing this? 23:51 < petertodd> Luke-Jr: er, nTime rolling... 23:51 < petertodd> Luke-Jr: and is time rolling now obsolete? 
23:52 < Luke-Jr> petertodd: in practice, I'd say it varies :/ 23:52 < Luke-Jr> time rolling isn't obsolete, but not implemented with stratum yet 23:52 < petertodd> Luke-Jr: we talking seconds, tens of seconds? minutes? 23:52 < Luke-Jr> it's somewhere near the top of my BFGMiner todo 23:52 < Luke-Jr> petertodd: I would be surprised if ntime was off by more than 5 minutes 23:52 < petertodd> huh, I thought it was actually common 23:53 < Luke-Jr> stratum regressed a lot of progress that had been made with getwork :/ 23:54 < petertodd> I was thinking it could be interesting to do a high-resolution timestamping facility by taking the best pow known for every second basically 23:54 < Luke-Jr> well, you might still get a lot of variety from fast pools 23:55 < petertodd> Yeah, it's no good if people need time rolling. 23:55 < petertodd> (although another non-rolled header could be acceptable) 23:57 < petertodd> See, it'd be possible for nLockTime w/ time-based locks to create some really ugly incentives for miners to mine blocks at thelimit of the 2hr window - a timestamping chain could provide a way for nodes to at least detect that their clocks are off, especially given how peers can mess with them. 23:58 < petertodd> It's still dodgy though... I was thinking if nLockTime-by-time inclusion was based on the previous block timestamp it'd be ok, but that still leaves large miners with incentives to screw with the 2hr window, never mind how it can reduce competition if there exists clock skew in the mining nodes. --- Log closed Wed Jul 17 00:00:57 2013 --- Log opened Wed Jul 17 00:00:57 2013 00:01 < petertodd> (remember that if this is a timestamping facility any node wanting to know the current time simply gets a nonce timestamped, and then they know what time it is!) 00:11 < Luke-Jr> I don't see how nLockTime can discourage forward-dating blocks 00:11 < Luke-Jr> and there is no 2hr window backward.. 
00:12 < Luke-Jr> well, I guess if miners are behaving there is <.< 00:19 < petertodd> The problem is a block being created with nTime > actual time, and the incentive is to get a head start on other miners to put, say, a high-fee nLockTime in the block you are creating. 00:21 < Luke-Jr> petertodd: but nLockTime only sets a minimum time, it cannot set a maximum 00:22 < petertodd> but that's it, if I have a 1BTC fee tx, with nLockTime expiring in two hours, why not take the increased orphan chance and set nTime on my block to two hours ahead/ 00:22 < petertodd> ? 00:22 < petertodd> yet if we allow that incentive, it's very bad for consensus 00:23 < gmaxwell> ha. We can fix. 00:23 < gmaxwell> it's a soft forking fix. 00:23 < gmaxwell> use the last blocks ntime, not this one. 00:23 < Luke-Jr> is sipa's secp256k1 branch reasonably stable? 00:23 < petertodd> gmaxwell: that's what I said... 00:24 < gmaxwell> petertodd: sorry I just read the last couple lines. 00:24 < Luke-Jr> petertodd: AFAIK we already don't relay transactions with time in the future? 00:24 < gmaxwell> petertodd: well I agree. (or not even the last block it could use the minimum time) 00:24 < petertodd> gmaxwell: The problem is, that's only a fix if mining power is well distributed, it actually makes things worse because if there is a lot of profit to be gained the miners with a lot of hashing power still have the incentive, and it's to a much greater degree. (their orphan rate is less) 00:24 < Luke-Jr> gmaxwell: the minimum time will be earlier than the last block's :p 00:25 < gmaxwell> Luke-Jr: sure, but that doesn't change it really. Presumably if people start locking in the future miners will run nodes that take what they get and selfishly horde them, creating incentives for all miners to run good collection networks. 
00:25 < petertodd> Luke-Jr: sure, but there are lots of ways to learn that a tx exists 00:26 < gmaxwell> petertodd: one of the reasons that the min is important there is because (1) it's hard to advance, and (2) when you advance it you raise the difficulty. 00:26 < petertodd> gmaxwell: I was working on figuring out the expected return - the math is really ugly 00:27 < gmaxwell> petertodd: a worst case expected return may be easier. 00:27 < petertodd> gmaxwell: Worst case is easy - your block is orphaned. 00:28 < petertodd> gmaxwell: See the issue is that once I find a block, the other side needs to find two blocks to beat me. As time goes on more of the other sides hashing power will accept my from the future block as valid, so then you get the next level where the remainder needs three blocks and so on. 00:28 < petertodd> gmaxwell: Pretty sure it can't be done as a closed-form equation. 00:30 < petertodd> gmaxwell: I don't think minimum time works either, because you still get to manipulate it by creating blocks in the future, although the ability too is definitely less. If I could show you'd need >50% hashing power to do anything interesting I'd be set. 00:31 < Luke-Jr> petertodd: hmm, is block-uneconomic-utxo-creation basically just an older revision of what Gavin did in 0.8.2? 00:31 < gmaxwell> petertodd: moving the minimum time forward needs the coperation of >50% of the hashpower over the small median window. 00:32 < petertodd> Luke-Jr: It's what Gavin did but non-hardcoded. I'd emphasize the better, not the older. :P 00:32 < Luke-Jr> petertodd: will you be rebasing it despite its closed status? 00:32 < Luke-Jr> actually, what about Gavin's is hardcoded? <.< 00:33 < petertodd> gmaxwell: Yeah, but you have to assume a steady stream of these incentives. 00:33 < gmaxwell> petertodd: right, so you have some force that turns all miners into a conspiracy. 
00:34 < petertodd> gmaxwell: exactly 00:34 < petertodd> gmaxwell: nLockTime by time should have never been added in the first place, but it's such a nice idea on the face of it 00:35 < Luke-Jr> softfork so nLockTime requires data on what block a transaction was created at, and enforces the 10 min per block <.< 00:36 < petertodd> Luke-Jr: ? 00:36 < Luke-Jr> petertodd: for example, if you nLockTime for 1 day from now, it also enforces 144 blocks passing too 00:37 < Luke-Jr> so block count must be >now+144 AND time must be >now+24h 00:37 < Luke-Jr> not perfect, but might help 00:37 < petertodd> Still doesn't help in the usual case where mean interval is < 10 minutes, because you're back to only caring about time. 00:38 < Luke-Jr> usual now, but not eventually 00:38 < petertodd> Right, you've solved half the problem, when measured over the entire lifespan of Bitcoin, and only approximately half. :P 00:39 < Luke-Jr> theory is so much nicer than practice <.< 00:39 < gmaxwell> I'm forgetting why this is a problem again? If miners mine blocks early, people will just artifically inflate their times or switch to height locking. 00:39 < petertodd> The problem is you're incentivising miners to make the 2hr window for block acceptance effectively shorter. 00:39 < petertodd> Thus requiring accurate clocks for consensus. 00:39 < gmaxwell> if miners do this consistently they'll drive difficulty up too which wouldn't be in their interest. 00:39 < Luke-Jr> ^ 00:40 < petertodd> gmaxwell: It's only a fixed 2hr offset, that just drives difficulty up by 0.5% 00:40 < Luke-Jr> and on top of that, you'd just end up treating nTime with a minus-2-hours :p 00:41 < Luke-Jr> if everyone does it, it's predictable. 00:41 < petertodd> More to the point for any individual miner the marginal difference if they do it is effectively zero. 00:41 < gmaxwell> consider, why why cant the 2 hour window be 24 hours? 
00:41 < petertodd> Luke-Jr: But that's the problem, if everyone does it, and people respond, then you can extend the interval even further! 00:41 < Luke-Jr> petertodd: how? 00:41 < petertodd> gmaxwell: It should have been more like 24 hours in the first place... 00:42 < Luke-Jr> you don't change the 2h rule 00:42 < Luke-Jr> you just assume miner times will always be up against it 00:42 < gmaxwell> Luke-Jr: move your clock/window forward so you dont reject stupid blocks. 00:42 < petertodd> Luke-Jr: Again, the issue is the effect on *consusus*. I don't care when the tx gets mined, I care that miners are incentivised to break consunsus for anyone without NTP. 00:43 < petertodd> The problem is no matter *what* the window is, there is an incentive to mine as close to the window as possible to accept a tx sooner than your competitors. 07:22 < adam3us> petertodd: yes but that way lies doom unfortunately, if the tx and users continue to scale 07:23 < petertodd> adam3us: do you understand how TXO commitments can be re-worked into a shardable blockchain? 07:24 < petertodd> adam3us: nah, $20 uncensorable transactions of unseizable electronic money is a pretty damn good outcome. Be nice if we can do better than that, but just that alone is pretty good. 07:24 < adam3us> petertodd: i think vaguely is there a forum link or search term? 07:24 < adam3us> petertodd: $20 i agree 07:24 < petertodd> I've explained it in IRC, haven't written anything up on bitcointalk 07:25 < petertodd> Yup. The real danger with off-chain stuff isn't that transactions will be expensive, is that they'll be too cheap! Bitcoin's inflation rate goes to zero in the long run, and at some point the minimum reward to miners will become low enough that the security of the whole system is threatened. 
07:25 < adam3us> petertodd: well one argument could be for unseizable digital scarcity wealth storage and not high tx at all, that is interesting in itself even without p2p tx at any high volume beyond a few tx per year per user
07:26 < petertodd> yup
07:26 < petertodd> you can always build upon that layer
07:26 < adam3us> petertodd: interesting observation, yes offchain success threatens chain security at the limit
07:27 < petertodd> Yeah, on the other hand, what matters isn't what transaction fees are, but rather what profit margin there is. Or to be exact, how much money is uselessly spent on overhead rather than mining itself.
07:27 < adam3us> petertodd: without naming names some people seem a little impatient and short-termist and they may steer things into dangerous directions without really thinking things through - i do like how you focus on the long term big picture
07:27 < adam3us> petertodd: its like chess, you dont win by looking at the next move, but at the end game from the start
07:28 < petertodd> People without a good understanding of economics have often argued that we need larger blocks because we need lots of transactions so the fees can support miners, but if those fees go into network bandwidth and harddrives, we haven't gained anything.
07:29 < adam3us> petertodd: and there is lots of scope for extremely plausible long term thinking sabotage disguised as rational short-term pragmatism; i get of assertive short-termists who cant explain or dont wish to entertain long term implications
07:29 < petertodd> For sure. There's a lot of pressure in this community for people like me to stop talking so much about the long term and focus on "real world engineering", but that's the kind of thinking you see at web 2.0 startups, and they have an alarming tendency to die early deaths.
07:30 < adam3us> petertodd: /i get ^suspicious of^ assertive.../
07:30 < petertodd> Ha, for sure, once you start assuming possible malice all this stuff gets really ugly. :P
07:30 < adam3us> petertodd: precisely
07:31 < petertodd> Reminds me: the more I think about it, the more I think I should be encouraging abuse like timestamping and data-in-the-chain so we get a good understanding of the parameters of that abuse before making decisions based on assumptions about what demand there is to do such things.
07:31 < adam3us> petertodd: i've been through a few startups, and without embarrassing the guilty, a guy who wanted to code and stop wasting time thinking and architecting the right solution, within 1year it deadended
07:31 < MoALTz> one idea is that some coin gets lost in every transaction, as well as fees. reason: the "loss" is actually donating value to the network as compensation for bandwidth, hard-drive storage, cpu usage; the losses mean that all the remaining coin gets more valuable
07:32 < petertodd> adam3us: Absolutely. This isn't a standard engineering problem where the solution space is well understood.
07:32 < adam3us> petertodd: it only didnt get ugly at company future level cos i rewrote it from scratch in a 80/hr week skunkworks
07:32 < adam3us> petertodd: 1 week of the right thing vs 1 year x 10 people of "stop talking big picture write code" ... thats the true picture
07:33 < petertodd> adam3us: Heh. Another case in point: maaku has spent a lot of effort implementing UTXO commitments with authenticated radix trees, and meanwhile I come up with TXO commitments, which seem to have made all that effort obsolete.
07:33 < petertodd> A month in the lab saves a day in the library. :/
07:33 < MoALTz> writing code that does something is indeed better. i need to do more of that.
07:35 < petertodd> Equally though, code is needed too... The lesson is just to understand the problem well before you start getting into code.
07:35 < adam3us> petertodd: that company later sold for $100m that probably wouldnt have happened w/out that rewrite... startups are full of random unproductive "code fast" shit that amazingly frequently ends up in the dustbin, ZKS was like that also
07:35 < adam3us> petertodd: exactly
07:35 < MoALTz> petertodd: easy to overdo it the other way
07:35 < adam3us> petertodd: problem is its very very hard to see any big improvement
07:37 < adam3us> petertodd: i think because of the interconnected cross dependencies; each important piece is fulfilling 3 or 4 functions, and while each function could get scaling by omitting a feature you cant change anything because overall it only just works with all the cross dependencies in place
07:37 < petertodd> MoALTz: The problem with my way is it's hard for people who don't understand the issues in great detail to tell the difference between smart people thinking hard about a problem, and wasting time doing nothing of real value. Code on the other hand can be evaluated for volume relatively easily.
07:38 < adam3us> petertodd, MoALTz: i can actually code, damn fast too; but mostly i am trying to solve the hard problem - if i crack a hard problem, will be coding like a demon :)
07:38 < petertodd> adam3us: Yup. I run into that at my day job all the time, because our system is extremely tightly coupled and unavoidably so. I've quite literally done projects that involved 8 months of design, followed by a week or two of implementation, with the implementation working pretty much perfectly the first time.
07:39 < adam3us> MoALTz: but yes there are multiple pressing issues that have gotta be worked on now that are defined
07:39 < MoALTz> adam3us: i tend to think of ideas, test them in my mind a lot, but cannot keep myself coding up a test implementation for them long enough to test them
07:39 < petertodd> adam3us: I've also had projects with 8 months of implementation, followed by realizing that was all a waste and I should have done a month of design up-front.
07:40 < adam3us> petertodd: a problem in startup culture that contributes is that management thinks of the work so far as "investment" so they cant change path even when they see the writing on the wall that this is a very bad path
07:41 < adam3us> petertodd: when what you've done so far turns out to be wrong, you need to be willing to rip it up and start again, they rarely can do that
07:41 < adam3us> petertodd: so anyway more back ontopic: i was wondering about disentangling bitcoin mining dependencies
07:41 < petertodd> Yup. I'm lucky to have a boss who's willing to accept that sometimes you've got to throw away what you've done, but even then it's hard.
07:42 < adam3us> petertodd: as i think in isolation nicer things can be done, just not on the interdependent version
07:43 < adam3us> petertodd: eg if you're talking about reward only (not relating to validation) you could probably direct mine with 0 variance work and no need for mining pools
07:43 < petertodd> Ok, before you get too deep, so lets check: what are the main functions of mining?
07:43 < adam3us> petertodd: so leads to can you separate reward from validation
07:43 < adam3us> petertodd: confusingly many :)
07:43 < petertodd> Yeah, reward != validation.
07:44 < petertodd> OTOH, in practice you need things like tx fees so you can figure out which tx should be in a block.
07:44 < adam3us> petertodd: so reward, blockchain evolution voting, spv client validation, sybil attack defense
07:44 < adam3us> petertodd: did i miss some?
07:45 < adam3us> petertodd: ah yes you reminded converging on a block definition
07:45 < petertodd> See, you're talking about a level farther removed than what I would have said.
07:45 < petertodd> For instance, proof-of-publication is really important.
07:46 < adam3us> petertodd: ah yes arbitrating which tx is first in double spends
07:46 < petertodd> Right, so timestamping.
07:46 < adam3us> petertodd: i was thinking one way to look at it is (apart from spv validation) bitcoin is actually implementing a timestamping service
07:46 < petertodd> But do you understand what's so important about proof-of-publication? (or to be exact, proof-of-readership)
07:47 < adam3us> petertodd: and actually something slightly more also: a namespace (like a timestamp but where names are strictly and cryptographically first come first served)
07:48 < adam3us> petertodd: maybe .. are you saying like what defines a tx as confirmed is that you see it (and not a double-spend) in the block chain
07:48 < adam3us> petertodd: i think it can be equated actually to an auditable namespace, where the "name" is the txout
07:48 < petertodd> See, proof-of-publication/readership is what makes timestamping useful to prevent double-spends.
07:49 < petertodd> Do you understand why?
07:49 < adam3us> petertodd: do spell it out, its probable we are saying the same thing, but with different terms; i call that an application of an auditable namespace
23:42 < petertodd> same
23:42 < gmaxwell> petertodd: well look at my example and tell me how a merkle tree would work there?
23:43 < petertodd> oh, wait, stupid, I missed the S doesn't know c part somehow...
23:43 < petertodd> yeah, it's useful in that case
23:43 < petertodd> hmm... how about querying the UTXO set without telling the server what you are querying?
23:45 < gmaxwell> what would you query it for?
23:45 < petertodd> check that a txout is in the set, and thus a transaction someone handed you is valid
23:46 < gmaxwell> so one problem is say you get a hit ... now you say, okay give me the full transaction.
23:46 < gmaxwell> oops the server says, nah that was a fake hit I don't have that txout.
23:47 < petertodd> I'm more thinking you have a contract with a third-party UTXO database provider, and you want to know if a customer's transaction is valid, and neither you nor the customer has a UTXO set (so the customer can't give you a UTXO proof directly)
23:48 < petertodd> Only really useful if you have a safe zero-conf system of course...
23:49 < petertodd> Though it'd be useful for checking fidelity bonds.
23:51 < gmaxwell> In general I could see how this would be useful for a very large database to prevent censorship.
23:51 < gmaxwell> though how do you not get them to censor in advance when constructing the filter. hm.
23:51 < petertodd> Selective censorship
23:51 < petertodd> (client selective)
23:51 < gmaxwell> ah right.
23:52 < petertodd> Given how dodgy anonymous com channels are, that's a really useful thing to be able to do.
--- Log closed Wed Jul 24 00:00:18 2013
--- Log opened Wed Jul 24 00:00:18 2013
00:29 < amiller> hrm, hrm, just how strong is SPV anyway
00:29 < amiller> it's actually really secure
00:29 < petertodd> define "really"
00:30 < amiller> by the ordinary bitcoin assumptions, 51% etc etc, the problem with SPV isn't that a client might get duped or double spent
00:30 < amiller> the bigger problem is that "mining" as an SPV client is irresponsible and a public hazard, which could ruin the 51%
00:30 < amiller> the bigger problem is that "mining" as an SPV client is irresponsible and a public hazard, which could ruin the 51
00:30 < amiller> (er up arrow mistake)
00:31 < amiller> if 51% of miners do full validation and not just SPV, then the point is SPV is safe for everyone else
00:31 < petertodd> so lets say I accept transactions with one confirmation, and you've figured out what node I'm using, how secure is SPV for me in terms of cost to attack me?
00:31 < amiller> one confirmation doesn't count
00:31 < petertodd> why?
00:31 < amiller> it's still 6 or whatever, you have to do a risk calculation
00:31 < petertodd> why is it 6?
00:31 < petertodd> why not 5? or 7?
00:31 < petertodd> or 144?
00:31 < amiller> i carried on a thread once trying to analyze this
00:31 < amiller> 6 is just a social norm
00:32 < petertodd> did you analyze it in terms of probability, or cost?
00:32 < amiller> but really you could treat it as a risk management problem
00:32 < amiller> both
00:32 < amiller> cost is basically measured in time
00:32 < petertodd> no, cost is measured in money
00:32 < amiller> the longer you wait, the more of a hassle it is, and the more likely it's not suitable
00:32 < petertodd> lol, "hassle" has nothing to do with attacks
00:32 < petertodd> be precise, how much money does it cost you to attack me, and under what assumptions?
00:33 < amiller> petertodd, the only real interesting thing i came up with is that it isn't even the cost of attacking *you*
00:33 < amiller> it's more about the likelihood of getting swept up in an attack aimed at someone else
00:33 < petertodd> ah, you're getting closer to understanding this...
00:33 < petertodd> so what happens to this cost stuff if the attacker is attacking n targets at once?
00:33 < amiller> my basic model is an attacker with a budget and a time window
00:34 < amiller> i let the attacker have infinite hash power, but not an infinite amount of energy
00:34 < petertodd> how many targets does this attacker have?
00:34 < amiller> the target is some fraction of all the double spend opportunities in whatever time window they're successful in mining an "attack fork"
00:34 < petertodd> right, so your attacker can pay $x/second worth of electricity to get y hashes/second
00:35 < amiller> the attacker can purchase B hashes and he gets them all at once
00:35 < petertodd> heh, you're even more optimistic than I'm talking about, but go on
00:35 < amiller> so fix the network's hash rate, and the attacker's budget B. now the attacker has to pick a time window and a probability of success
00:36 < amiller> one thing i like to consider (i think someone else has talked about this recently) is a doomsday attack where someone makes a credible threat that they're going to reverse 24 hours of blockchain history
00:36 < amiller> beginning on Jan 1 or something like that
00:36 < amiller> everyone knows (or believes) in advance that doublespends will be possible during this time
00:37 < amiller> (maybe there's some anonymous dropbox where you are supposed to spend your doublespend transactions)
00:37 < amiller> the point of this thought experiment is that the attack might not even need to be skillfully coordinated
00:37 < Luke-Jr> amiller: that'd be a difficult situation to double-spend in
00:37 < amiller> if you had an attack fork, maybe you can just get everyone to doublespend each other
00:37 < petertodd> hang on, go back a second, so how are you calculating return for the attacker against my SPV example?
00:38 < petertodd> what specifically is the attacker doing for that matter?
00:38 < amiller> petertodd, ok ok so i went on a tangent to describe the enormous attack that gets everyone to double spend everything
00:38 < petertodd> remember, I'm an SPV client
00:38 < amiller> the more realistic one i guess is that the point is an attacker pays for and mines an attack fork, and then tries to do some big double spending at that time
00:39 < amiller> petertodd, SPV or not, the point is you go find all the merchants you can
00:39 < petertodd> again, I'm an SPV client, why bother double-spending me at all?
00:39 < amiller> that are willing to make big irrevocable actions after some number of blocks
00:39 < petertodd> why not make a block that meets difficulty, and is filled with transactions that are fake?
00:39 < amiller> where that number of blocks is less than what you can mine with your attack budget!
00:40 < amiller> petertodd, the point is, if there's a merchant that lets you drive off with a ferrari after 6 blocks, and you are able to in a timely fashion produce 7 blocks before everyone else makes 6, then you can win a ferrari
00:41 < petertodd> you're making a lot of assumptions
00:41 < petertodd> I can be much more clever than just trying to double-spend
00:41 < amiller> what else would you do
00:41 < amiller> what else would you need to do
00:41 < amiller> you could double spend money you don't even have
00:41 < petertodd> as I said, I can make blocks that are filled with completely invalid transactions creating money out of thin air
00:41 < petertodd> SPV clients can't tell the difference
00:41 < amiller> sure, good point
00:41 < amiller> that... definitely decreases the cost of an attack
00:42 < petertodd> indeed
00:42 < amiller> especially since if the attack fails in the ordinary double spend case you'd have a lot more to lose.
00:42 < petertodd> doesn't take much to sybil the network, after all, I might have other uses for that capability like trying to figure out who is making what transactions
00:43 < amiller> still, if you can achieve anything against this SPV client, you could also double spend the ordinary clients
00:43 < amiller> and double-spend is still a serious attack
00:43 < amiller> the real havoc is if SPV clients mine.
00:44 < petertodd> the thing is, against an SPV client I don't even need the money, and can launch my attack against a huge number of targets at once, so even if there's a tiny chance of success for any one target I win overall
00:44 < petertodd> (again, goes back to sybiling the network)
00:44 < petertodd> I don't need a 100% sybil
00:45 < amiller> petertodd, it's still very expensive for you to make an attack fork...
00:45 < amiller> a successful attack is more profitable if there are lots of SPV merchants, yeah
00:45 < petertodd> it is *right now*, it might not be in the future as fees become more important, and we don't know
00:46 < petertodd> heck, I could probably pull all this off in a real-life scenario, by, say, controlling the wireless network at a "satoshi circle" event and MITMing everyone's android phone
00:47 < petertodd> "Gee, confirmations sure are taking awhile today aren't they?"
00:47 < amiller> it's quiet, too quiet.
00:47 < petertodd> Play it carefully and I can make it look like I lost money in the attack too so it's not obvious who actually made it happen.
00:48 < petertodd> In this scenario 10% of the hashing power would probably be enough for a real-life attack.
00:48 < petertodd> Heck, 0% given people accept zero-conf...
00:48 < amiller> yes
00:48 < amiller> so!
00:48 < amiller> lets say you're going to do a risk analysis
00:48 < amiller> lets say you're about to exchange 1 btc for cash
00:48 < amiller> how long should you wait?
00:48 < amiller> even if you're a full client
00:49 < petertodd> The best way is for me to check their government issued photo ID and take a picture of it so I can report the counter-party to the police.
00:49 < amiller> heh, so we get as far as we can with the crypto and let government registries pick up the slack :p
00:50 < amiller> i'm not comfortable with protocols for which i don't have a model (not that i have a satisfactory one for bitcoin, which definitely makes me uncomfortable)
09:32 < adam3us> tacotime_: it was the same story again with larimer/protoshare/invictus momentum "cpu only" memory hard PoW, someone showed a few weeks into an impressively large VPS rented power driven difficulty ramp that it was duh TMTOable and so worked just fine in GPU
09:32 < tacotime_> He did release some really broken source code, but then just fucked off
09:32 < tacotime_> If it's parallelizable, I find it difficult to believe that a GPU won't run faster even if you need memory
09:33 < tacotime_> GPU vRAM bandwidth is always going to be greater than the DDR3 bus on the main board
09:34 < adam3us> tacotime_: they tend to need unique memory per mining instance, so momentum aimed for 750MB but then someone TMTO'ed that with bloom filter in place of hash-table. (unreliable but much smaller hash-table)
09:34 < tacotime_> So when I hear about "dagger" I don't pay much attention either... implement it on GPU and play with it for a couple weeks, otherwise don't say it's hard to run on any single piece of hardware
09:34 < tacotime_> mm
09:35 < adam3us> tacotime_: yes. but GPU ram bus is wider.. like 256-bit, 384-bit etc vs CPU at 64-bit cache line. so that erodes a bit of the throughput. and the access is random and usually like 64-bit word size (or should be for this reason)
09:36 < adam3us> tacotime_: 256-bit might be quite ideal for dagger :) its a merkle tree.
09:38 < adam3us> tacotime_: the only thing dagger is adding is to use coelho's use of fiat-shamir to make verification faster (and a few more links in the tree to make calculating all merkle steps slightly less skippable) its mostly a tweaked coelho merkle PoW. i mentioned the coelho merkle pow to vitalik its where he got the idea from.
09:40 < killerstorm> hi. does anyone have an idea when OP_RETURN outputs will be usable on the mainnet?
09:41 < jtimon> adam3us, tacotime_ : that's the problem. The story seems plausible, but solidcoin is not a reputable source...
09:41 < jtimon> adam3us, tacotime_ : the fact that "you would be making mining bitcoin and selling them for ltc if you really want the ltc" (I read that somewhere)
09:42 < jtimon> adam3us, tacotime_ : seems to point out in that direction, if ltc mining was less competitive, it should have been more profitable
09:42 < jtimon> maybe it was just a botnet what caused that
09:44 < adam3us> killerstorm: i am guessing that is a color coin related question ;)
09:46 < killerstorm> adam3us: yep. it's possible to do coloring without it, using otherwise unused nSequence is appealing, but people freak out and ask about OP_RETURN
09:47 < killerstorm> also it looks like non-tech people think that use of OP_RETURN makes protocol better and more legitimate :-/
09:48 < jtimon> which reminds me...adam3us seems like enabling "joyscript" in all assets, but disabling the ops needed for quines/covenants on the hostcoin would be a good compromise
09:49 < jtimon> adam3us: you know I don't share your same fears, but we don't know of any use case that requires covenants in the hostcoin
09:49 < jtimon> killerstorm: yeah, some freicoiners thought it would allow people to use the chain for messaging, files...
09:51 < adam3us> killerstorm: here's some replayed history from a few days back
09:51 < adam3us> (06:42:24 AM) justanotheruser: "So, with some reluctance, I recently merged Relay OP_RETURN data TxOut as standard transaction type.
09:51 < adam3us> (06:42:36 AM) justanotheruser: So will it be standard in .9?
09:51 < adam3us> (06:42:52 AM) Luke-Jr: hopefully not
09:51 < adam3us> (06:43:04 AM) gmaxwell: 21:38 < gmaxwell> as of right now in git bitcoin allows data in OP_RETURN though given what people are saying I hope we back that out.
09:51 < adam3us> (09:46:35 PM) adam3us: gmaxwell: "as of right now in git bitcoin allows data in OP_RETURN though given what people are saying I hope we back that out." dont object to backing out (say NO to block-chain spam!), but what are they saying missing context?
09:51 < adam3us> (10:37:04 PM) gmaxwell: adam3us: there have been a number of articles about how bitcoin has been "upgraded" to enable "distributed storage" and such horrifying things like that.
09:51 < adam3us> (10:40:32 PM) adam3us: gmaxwell: ah yes. its a scary situation indeed. the flip side is there are then people who will stego encode them in multisigs if you dont, and create needless non-compactable TXOs and so on.
09:52 < adam3us> (10:41:17 PM) gmaxwell: adam3us: thats why I didn't oppose it initially. Though the trade off of people thinking it is a good non-antisocial and supported application is concerning.
09:52 < adam3us> (10:41:39 PM) gmaxwell: Esp what happens if abusive use arises and it must be turned back, but there is also non-abusive use?
09:52 < adam3us> killerstorm: (end of few days old discussion paste)
09:54 < jtimon> I don't see it as such a bad thing, I think timestamping is a legitimate use of the chain, but it's sad how people understand it
09:55 < jtimon> about using the nsequence fields...I don't know, some people want to use it for microtransactions channels
09:55 < jtimon> I think the probable solution is for microtransactions to be directly off-chain, but I don't know...
09:55 < adam3us> jtimon, killerstorm: coloring is lower bandwidth than mastercoin (which sends even bid and meta-messages over the blockchain) but its still in theory non-btc tx bandwidth use.
09:56 < adam3us> jtimon: time-stamping at least typically is putting a single hash which is the merkle root of many documents
09:57 < jtimon> adam3us: yeah, I don't think you need to allow more than a single hash after return
09:57 < killerstorm> adam3us: by the way, gmaxwell mentioned that P2SH^2 would make storing data in blockchain impossible, but this is not true, it just makes it more expensive: people can simply 'mine' hashes which have prefixes they need and share data through those prefixes.
09:57 < jtimon> being not in-chain validated, it can be transferred off-chain as well
09:58 < jtimon> p2sh^2 ??
09:58 < killerstorm> jtimon: as far as I know, nSequence is basically dead, it was a bad idea in the first place. It is possible to do same thing (but better!) using multi-signature scripts.
09:58 < adam3us> killerstorm: yes this was mentioned somewhere. he viewed it as closer. also there are multiple stego encoding opportunities, eg unused not obviously invalid 1 of 2 multisig addresses etc. but just because you could stego encode with increasingly lower bit rates doesnt make it a good thing :) was talking about this with petertodd in the mastercoin context.. for them they'd as well use a separate merge mined chain IMO
10:00 < jtimon> killerstorm oh, this doesn't use replacements https://bitcointalk.org/index.php?topic=244656.0
10:00 < jtimon> I guess nobody has a use for it then
10:03 < jtimon> adam3us do you know of any proposed use of replacements? https://en.bitcoin.it/wiki/Contracts#Example_5:_Trading_across_chains this needed it?
10:04 < jtimon> well, that can be replaced with coinswap, which doesn't need nseq iirc
10:08 < adam3us> jtimon: i dont know, others would know better
10:09 < adam3us> jtimon, killerstorm: i think killerstorm implemented atomic swap in his chromawallet (color coin wallet) if i recall the announce
10:10 < jtimon> adam3us but that is atomic swap between colors in the same chain
10:10 < jtimon> the link and coinswap is cross-chain
10:11 < killerstorm> transaction replacements are usable under condition that all miners are honest. this just doesn't make any sense.
10:11 < jtimon> well, coinswap can also be used in the same chain for mixing
10:11 < killerstorm> trading-across-chains doesn't need replacements
10:12 < jtimon> killerstorm: yes, you're completely right, miners should just get the transaction with higher fees when they receive double-spends
10:51 < jtimon> I guess we should just remove the seq field in freimarkets...
11:10 < adam3us> jtimon: the seq field was designed for revisable bids?
11:11 < TD> it is designed for mempool replacement
11:11 < TD> basically for high frequency trading between a set of parties (to use satoshis terminology)
11:14 < jtimon> adam3us, TD: yes, but as killerstorm says there's no reason for a miner to accept seq=5 over seq=3 if seq=3 has a higher fee
11:16 < TD> of course there is
11:16 < TD> this kind of nonsense reasoning about game theory is so destructive
11:17 < TD> the reason is that if useful and compelling apps rely on that functionality, that increases demand for bitcoin and thus the value of their fees and inflationary rewards
11:17 < TD> miners are not thinking only 20 minutes into the future, you know
11:17 < TD> it's sort of like saying "bitcoin can't work because miners have incentive to merge together and then do 51% attacks to double spend"
11:18 < TD> what we actually see is the opposite, where pools throttle themselves if they get too big because to do otherwise would hurt the value of their money
11:18 < pigeons> the same pool that did double spend?
11:18 < pigeons> or facilitate it i mean
11:19 < TD> other pools have done the same thing in the past
11:19 < TD> deepbit, btc guild etc
11:19 < gmaxwell> deepbit was DDOSed off the network for a week solid when it reached 50% I don't believe it ever regulated itself.
11:21 < gmaxwell> I'd like it to be true, but the self regulation is not working well, it's not like 40% is at all okay. Ghash.io stole several hundred btc from betcoin dice when it had just 25% (possible due to betcoin accepting unconfirmed) and then continued to grow to >40% after that.
11:21 < gmaxwell> I dunno about the game theory stuff, I agree it's wankery. But at the same time the observed behaviors are not good either.
11:21 < TD> correctly configured incentives don't magically make better solutions appear though
11:22 < gmaxwell> We agree.
11:22 < gmaxwell> (well you and I at least on that. :) )
16:57 < tholenst> actually, until here you don't need so much; you only need to be able to call ECDSA_CHECKSIG directly, and then you can do it similar to detecting a SHA256 collision
16:57 < sipa> (i'm also not convinced about the usefulness, but that's another matter)
16:58 < tholenst> but -- the problem is that the money which is supposed to back your transaction might be gone once you detect the double spend. For this you need more, and weirder opcodes
16:59 < sipa> well if it's gone, it's gone
17:00 < sipa> going beyond the basic rule of "a coin can only be spent once" is dark magic
17:00 < tholenst> i adhere to that basic rule
17:01 < tholenst> the basic idea is: if you spend a "backing coin", you can only spend it in such a way that for the next... say 100 blocks, it still remains a backing coin
17:01 < tholenst> and only after that it can become a usual coin
17:02 < sipa> mhmm... dark magic :)
17:03 < tholenst> i don't think there's anything dark there
17:03 < sipa> (not impossible, and not necessarily a problem, but i think the consequences become horrible to reason about)
17:04 < tholenst> no, why? will you be happy if i give a proof of some good properties?
17:04 < sipa> no need to convince me :)
17:04 < sipa> it's just interesting to think about
17:04 < tholenst> i seriously think it would be a good idea to have it implemented
17:04 < sipa> as in it means the spending transaction, as long as the backing coin that can spend from under it, even confirmed, is not actually spendable
17:05 < sipa> or at least, losing fungibility
17:05 < sipa> (those coins would be worth less than other coins)
17:05 < sipa> as they're less certain
17:05 < tholenst> no, you can move them back to normal coins, it just takes 100 blocks
17:05 < sipa> so
17:06 < sipa> you pay me, by spending coins C1, and sending me a coin C2
17:06 < nsh> so wait, we get complete anarchy with a BBC broadcast-loop that removes all the vulgarity and orgies?
17:06 < sipa> as long as C2 is buried less than 100 blocks deep
17:06 < sipa> C1 persists in some form
17:06 < tholenst> no no, I don't send you coin C2; I send you C1, and if I double spend C1, you get to destroy C2
17:06 < sipa> C1 belongs to you, it's the original coin you had
17:07 < sipa> there's nothing special with it, and it's buried 10000 blocks deep
17:07 < tholenst> I own both C1 and C2
17:07 < sipa> wait, what?
17:07 < sipa> i'm not following
17:08 < tholenst> the idea is: in order to pay you with C1, i need to back up the payment with C2. C2 has a different PKScript, which makes it a "backing coin"
17:08 < sipa> wait, let's talk about transactions instead
17:08 < sipa> you create a transaction which spends C1, and what else?
17:08 < tholenst> ok coin = txout
17:08 < sipa> yeah
17:09 < tholenst> I give you a PubKey2-signature of "If you find 2 PK-1 signed messages you may destroy the txout C2"
17:10 < tholenst> "PK-1 signed" is supposed to mean "signed with the same key as C1 is"
17:17 < andytoshi> ok, and C2 needs to be a special invalid-for-100-blocks output?
17:18 < andytoshi> it'd be neat if you could mark outputs as "cannot be spent with fewer than N confirms"
17:18 < tholenst> yes
17:19 < andytoshi> this is cool, i definitely think it changes coin properties too much to be bolted into bitcoin, but istm that it makes sense
17:20 < sipa> istm?
17:20 < andytoshi> as sipa says, there are cases when a "double spend" is a legitimate thing to occur, so these would need to be special transactions
17:20 < andytoshi> it seems to me
17:21 < tholenst> yeah one has to be careful with it; note though that if you can wait a bit (100 blocks) with the double spend, you can first move C2
17:22 < andytoshi> yeah, the receiver of the funds would estimate how long the tx will take to confirm, and require C2 have that many "cannot spend until" ticks left
17:22 < tholenst> anyhow, I plan to write a detailed proposal... I think it's worth it even if it doesn't go into bitcoin. it would finally be some real selling point for an altcoin, imo
17:23 < andytoshi> that'd be great
17:23 < andytoshi> if you can, explore the consequences re fungibility of locking coins like this
17:23 < tholenst> can you elaborate what you mean by that?
17:24 < andytoshi> well, if some coins can be spent quickly and others can't, the quick-spendable ones are more useful
17:24 < nsh> we need a playpit/sandbox for alt-experimentation
17:24 < andytoshi> so rather than "a coin is a coin is a coin" different coins might have different values
17:24 < andytoshi> otoh if they are locked in place, it's hard to claim they have any value, so maybe it's fine
17:24 < andytoshi> nsh: perhaps BlueMatt's thing will give that to us :}
17:25 < nsh> mm, unfortunately as stands it only changes the (mostly) boring things
17:26 < tholenst> well, you just need 100 blocks to get the backing coins back into normal coins; that's not even a day wait.
17:26 < andytoshi> sure, but given that's apparently popular, i'm sure if you gave BlueMatt a patch he'd inject it into the alts for a few days
17:26 < tholenst> it seems people are already fascinated by BlueMatt's thing :)
17:26 < nsh> haha
17:26 < nsh> i suppose there's no shortage of volunteer test subjects
17:27 < andytoshi> tholenst: ok, another thing to think about is what happens if there is a reorg, and the block at which the coin becomes normal changes
17:27 < nsh> quick, before we end up with ethics panel!
17:27 < nsh> good point
17:27 < tholenst> yes, ok
17:28 < andytoshi> nsh: people releasing cryptographic software without understanding it, and then goading people into putting money into them, are evil, there's no ethical concern in fucking with them
17:28 * nsh smiles
17:30 < Luke-Jr> andytoshi: evil is evil, even if the victim is guilty of evil things themselves
17:31 < andytoshi> Luke-Jr: fair enough
17:31 < andytoshi> tholenst: so, my specific concern is: suppose a coin becomes valid at block 300000, then i spend it in the next block
17:32 < andytoshi> some reorg happens and now the coin becomes valid at block 300005
17:32 < andytoshi> what happens to my spend?
17:32 < sipa> if the coin creation is reorganized, the spending of it is certainly reorganized too!
17:32 < tholenst> maybe bad things? but for that a 100 block reorg needs to happen, and then bad things happen anyhow
17:32 < andytoshi> sipa: that's my thought, yeah, but it makes reorgs more complicated
17:33 < sipa> i doubt it
17:33 < Alanius> andytoshi: well, as long as they use the power of argument and not of coercion, I'm not sure "evil" is the right word
17:33 < sipa> let's not go there
17:33 < nsh> +1
17:33 < sipa> andytoshi: if everything is defined within one chain, there should be no problem with reorganizations
17:33 < sipa> but i'm not sufficiently understanding the scheme
17:34 < andytoshi> well, i spend something at block 300000, but suppose suddenly it is invalid until block 300500 (this is an extreme case)
17:34 < andytoshi> so suddenly my payment is invalid, and i have a window in which to double-spend
17:34 < sipa> that cannot happen without invalidating the spend as well
17:34 < sipa> as the spend happens after the creation
17:35 < sipa> ah
17:35 < andytoshi> yeah, so this complicates analysis and i think also has consequences for fungibility of recently-valid coins
17:36 < tholenst> I am not sure i understand your problem. Do you agree this only happens if the reorg is something like 100 blocks deep?
17:36 < andytoshi> but i also suspect this is fixable while still retaining the benefits of tholenst's trickery
17:36 < andytoshi> tholenst: yeah, it'd have to be deeper than the coin's invalid-until-N-blocks count
17:36 < andytoshi> so maybe we could require all transactions which do this to have N higher than 100
17:37 < tholenst> ok, i didn't think too much about that yet.
17:37 < andytoshi> or maybe, rather than saying "invalid until 100 confirms" you say "invalid until block 300000" and hardcode the 300000
17:37 < andytoshi> then you don't care about when the tx is actually mined, so there is no concern about reorgs
17:37 < tholenst> you could do that, but then you have to renew the backing txouts periodically; I don't like that
17:38 < andytoshi> well, you'd have to do this anyway i think
17:39 < tholenst> I think it makes sense at this point if I write down the proposal in more detail.
17:39 < andytoshi> yeah, it'd be good to have something precise to discuss
17:41 < tholenst> the input was useful to me anyhow :) more to think about, ty!
17:41 < nsh> what's the distribution of reorg heights?
17:41 < nsh> any theoretical basis for calculating that, or is it near-enough empirical?
17:42 < nsh> s/heights/depths/
17:43 < tholenst> for a theoretical basis, you need to have some kind of clue how fast the block distributes among the miners
17:43 < andytoshi> nsh: (a) hard to make precise, as generally only part of the network perceives a reorg as a reorg, while the rest of them saw the winning chain first, (b) the big ones occur by implementation bugs, which are hard to predict, (c) the small ones probably are also due to network flukes which are also hard to predict, though they might have a nice distribution since they're frequent
17:44 * nsh nods
17:44 < nsh> but it should be possible to put a 100-block reorg into an improbability bracket
17:46 < tholenst> agreed, using only mild assumptions that should be possible
18:34 < andytoshi> nsh, tholenst: my expectation is that if you can get any number assuming no horrific forking bitcoind bugs, it'd be like 1/googol or something
18:35 < andytoshi> way way way lower than the chance of a serious dev mistake
18:35 < andytoshi> so that's the probability you need to estimate, and good luck with that :)
18:35 < nsh> pft, i crunch graham's number for breakfast
18:36 < andytoshi> it's higher than 1/graham's number ;)
18:36 < nsh> maybe late lunch then :)
19:46 < andytoshi> BlueMatt: you are "everything that is wrong with cryptos" :)
00:04 < petertodd> same issue with Bitcoin fundamentally, but more likely to be a problem in practice "yeah, you see, I can't change my mining pool to prevent those stolen funds from being moved"
00:06 < amiller> how to know if you're an illegally operating MSB tip #103125: you're capable of detecting and returning someone's stolen funds...
00:07 < petertodd> lol
00:08 < petertodd> "This isn't a MSB! Why fraudproofs/trusted-hardware/closed source software/The FSM stop that!"
00:10 <@gmaxwell> :)
00:11 <@gmaxwell> I hope at least some people were getting my points about building systems where _no one_ gets put in the awkward position of having to decide to protect a thief.
00:12 < amiller> i'm interested in more ideas/examples of how to encourage things-that-will-eventually-fail to fail immediately and obviously
00:12 < petertodd> gmaxwell: I'd suggest actually saying that directly...
00:12 <@gmaxwell> I thought I did!
00:12 < petertodd> I got it, I doubt even 10% of the audience did.
00:36 <@gmaxwell> "It would have been wrong of us to demand that the operator of a service turn down a well substantiated request in a case like this, it would make them a villain to the kind and honest people their decision harmed. We shouldn't create a world where people have to make choices like that."
00:37 < warren> gmaxwell: so the strongcoin guy detected the thief then modified the .js to take it? That wasn't entirely clear on the thread.
00:40 < warren> It's amazing to me that the thief would be so dumb to use a traceable wallet at all.
00:41 <@gmaxwell> I mean, being a thief suggests a prior probability that you are not someone who makes excellent life choices.
00:42 <@gmaxwell> warren: yea, my understanding was that he just modified the script to have if(this_is_such_and_such)sendallfunds(overhere);
00:42 < warren> that's scary.
00:43 < warren> I haven't checked if my blockchain wallet as Chrome extension has been silently updating itself
00:43 <@gmaxwell> It's the expected and obvious outcome and it's what I've spent the last year trying to convince people exists on these sites.
00:43 <@gmaxwell> ...
00:43 <@gmaxwell> warren: the extension only makes sure that the site matches the github, or at least that's how it used to work.
00:43 < warren> I've been meaning to switch away from it for weeks for that reason, and also the ability to brute force attack a wallet. I strongly suspect someone downloaded all the encrypted wallets.
00:44 <@gmaxwell> yea, a lot of compromises lately and people claiming they had fairly strong keys.
00:44 < warren> I think there were two or three different blockchain wallet attacks
00:44 <@gmaxwell> there might be a vulnerability that let people bulk download the encrypted wallets. (perhaps some xss)
00:45 <@gmaxwell> (er, CSRF really)
00:45 < warren> 1) XSS or java browser exploits from clicking links on btc-e trollchat. 2) Android wallet malware and blockchain's android wallet being far less secure. 3) Weak passphrases and brute force cracking of all encrypted wallets that were downloaded.
00:46 <@gmaxwell> fwiw, I do all my webbrowsing in a separate VM. Security is just too hard.
00:46 < warren> gmaxwell: reportedly someone is 95% through writing another js client-side encrypted wallet. he intends on open sourcing it.
00:46 < warren> yeah
00:46 <@gmaxwell> ::Sigh:: sounds like another instawallet waiting to happen. :P
00:46 < warren> sadly there seems to be something wrong with kvm. It's wayyyy slower than a few months ago.
00:46 <@gmaxwell> People are really too easily convinces that JS wallets are completely secure.
00:47 <@gmaxwell> weird. Working fine for me.
00:47 < warren> not sure what's going on
00:47 <@gmaxwell> s/convinces/convinced/
00:48 < warren> He's writing it for Litecoin, but will launch it for both
00:48 < warren> Litecoin idiot factor is a bit higher ... and MtGox confirmed today that they will launch Litecoin real soon. https://mtgox.com/pdf/20130424_ddos_statement_and_faq.pdf
00:48 <@gmaxwell> why doesn't he just take the blockchain.info code?
00:49 < warren> not sure, it has no copyright or license notices, suggesting it is on github only to allow auditing?
00:49 < warren> Litecoin remains unmaintained. I really want to work on it but too busy. I volunteered to help the professor finish her book before the June 1st deadline.
00:49 <@gmaxwell> oh, hm. I thought it was liberally licensed, I got yelled at by piuk for calling it proprietary.
00:49 < warren> oh?
00:50 <@gmaxwell> as far as litecoin goes... ... tell mtgox that they want to pay you to work on it, and perhaps then you could justify some more time?
00:50 <@gmaxwell> if they're trading it .. and litecoin goes explody it could turn out quite bad for them.
00:50 < warren> I seriously doubt they would pay me.
00:51 < warren> well, it could go explody even if maintained
00:51 <@gmaxwell> sure, more likely to if unmaintained.
00:51 <@gmaxwell> I mean, other altcoins have had enormous rewrite attacks in order to exploit exchanges.
00:51 <@gmaxwell> and those exchanges are no longer in business anymore.
00:52 < warren> Litecoin remains vulnerable to the BDB lock limit self-consistency issue now.
00:53 < warren> gmaxwell: how is your relationship with mtgox? could you suggest this?
00:53 < amiller> oh wow litecoin is being added to mtgox?
00:53 < warren> amiller: yes. seems premature and risky to me.
00:53 < amiller> i actually did *not* suspect an altcoin would catch on... like this...
00:53 < amiller> crazy times
00:54 <@gmaxwell> magicaltux was saying it was a joke a few weeks ago. I suspect it was a joke and then it got a positive response from someone relevant.
00:54 < warren> I'm not invested in Litecoin. I'm interested in developing it because 1) they're hurting for devs 2) I want to prove anti-spam policies that Bitcoin seems unwilling to adopt.
00:55 <@gmaxwell> A friend that has some of my old gpus is mining litecoin, ... he went through three pools before finding one that wasn't just robbing him blind.
00:56 <@gmaxwell> (I suspect his anti-scamdar is not very finely tuned!)
00:56 < warren> There are honest litecoin pools. Trouble is they get killed by DDoS often.
00:56 < warren> p2pool is the most reliable way to mine it.
00:57 <@gmaxwell> yea, I think he was on one that got dos killed first, and then switched to something else that just never paid him at all... and then another one which was giving him about 10% of what he should have been getting... and then one that went offline with positive balances.
00:57 < warren> Trouble with p2pool though is the dust + litecoin's super high fees. I tried to convince forrest to reduce the number of shares in the next p2pool hardfork as the current dust size is unusably small. He isn't budging.
00:58 <@gmaxwell> people can turn up their share difficulty if they'd prefer to not get dust.
00:59 < warren> My maximum 100% efficiency dust size is too small.
00:59 < warren> I had to abuse 7 10KB free tx's to combine a thousand of them yesterday.
00:59 < warren> (maybe not a thousand, a few hundred, dunno)
01:00 <@gmaxwell> huh? changing your share difficulty shouldn't have anything to do with your efficiency!
01:01 < warren> What difficulty factor are you suggesting?
01:01 < warren> 5x less often?
01:02 <@gmaxwell> however much makes it so you don't get paid in every block
01:03 < warren> It allows a maximum of 10x
01:03 < warren> which isn't high enough to do that
01:03 <@gmaxwell> ah, well that seems like an issue.
01:03 <@gmaxwell> it should be clamped not on the up side but on the down side.. e.g. it shouldn't let you set it to more than 1/50th of a block or something.
01:04 < warren> It really isn't clear why Litecoin has such exchange value. There's NO VENDORS.
01:05 <@gmaxwell> it's speculation
01:05 <@gmaxwell> duh
01:05 < warren> were you serious about asking mtgox to sponsor dev?
01:05 < warren> Not a weekend bounty, like payouts every 3 months as long as progress is made.
01:05 <@gmaxwell> I was, I have no clue if they'll do it if they're not already doing it they're morons... given that they're morons, ::shrugs::
01:07 < warren> I'm 60% convinced the hash is a risk.
01:07 <@gmaxwell> know of any online namecoin wallets that support importing private keys? I have some nmc to rid myself of and don't really feel like starting up a namecoin node....
01:07 < warren> It seems implausible that someone would invest money to destroy it though. They could just extract outsized profits.
01:08 < warren> nope
01:08 < warren> heading to class, bbl
01:54 < petertodd> re: litecoin a silkroad clone started up recently that denominates in litecoin by default
01:55 < amiller> https://gist.github.com/amiller/cf9af3fbc23a629d3084 i summarized my above points about fees and contention here
01:58 < petertodd> Hmm... one odd thing about coinbase tx's is they can-not have non-generation inputs. If you allowed that, and made them an exception to the usual rule that you can-not spend a coinbase, your equilibrium creating behavior can be done, paying part of the fee to the next miner, and yet still avoid the mess of a re-org canceling coinbases.
01:59 < petertodd> The fee you give to the next miner would basically be an anyone-can-spend output from the coinbase tx.
01:59 < amiller> righteous
02:00 < petertodd> yup
02:00 < petertodd> but it's late here, night
02:00 <@gmaxwell> or you do what I suggested before make uncollected fees spill forward and you avoid all the weird maturity restrictions
02:01 < petertodd> gmaxwell: makes proofs that the block is correct potentially unbounded in size
02:01 < amiller> no you'd just have everyone keep a counter in their state
02:02 < petertodd> hmm, yeah, I'll think on that, but later
02:06 <@gmaxwell> petertodd: nah, doesn't, you just make the payforward accumulator part of the header.
04:39 < warren> gmaxwell: coblee is concerned about taking donations/sponsorship to help dev because that may create expectations or implied liability
22:10 < amiller> i'm just saying that including it in a storage proof of work puzzle of some kind is an approach to getting replication, which is closer to what you want than just paying one service specific
22:11 < petertodd> Problem is replication factor is a human thing, and it *can't* be proven with a proof-of-work. Sure you can make a storage hard proof-of-work that kinda sorta implies it, but it tells us nothing about how many data centers need to burn down.
22:12 < amiller> the point is i agree that the cool thing about this is that it's not the network's problem if your old data is forgotten, and it can be up to the individual user to take appropriate precautions to pay people to store the relevant data in the right way
22:12 < amiller> we're all in fierce agreement here
22:12 < petertodd> I suspect in reality the "pay to get my txout mined" is more than sufficient to get at least a dozen full copies out there, and remember that if you leave your computer running, even as a partial node, you can both contribute to the validation effort and keep the proofs for your txouts up-to-date.
22:12 < gmaxwell> yea, and it's tricky to not create huge outsourcing or consolidation benefits that way. amiller: your best solution against outsourcing requires some pretty tricky economic reasoning on the part of miners which is currently disproven by existing practice (not just in bitcoin but in every place humans transact no one ever demands cryptographic proof of anything)
22:12 < amiller> insertion-order-sorted merkle tree is outstandingly cool in this regard
22:13 < amiller> or MMR if you prefer :3
22:13 < gmaxwell> petertodd: well and a logical thing is to also include kind of DHTish recovery service. E.g. randomly keep X gbytes worth of data, so you can have a chance to partake in people paying for recovery.
22:13 < petertodd> Ha, hey, I dedicated Merkle Mountain Ranges to all the hikes in the Canadian Rockies I've had with my dad, so I'm fighting to make the name stick. :P
22:14 < amiller> i'm okay with that :)
22:14 < petertodd> amiller: Hey, at least I didn't call it Todd Trees.
22:14 < amiller> lol
22:14 < gmaxwell> amiller: MMR also implies that you care about the cheap insert rule. :)
22:14 < petertodd> gmaxwell: Yeah, and the "DHT" in this case needs nothing more than sipa's block ranges really - it'd be a long time before the DHT actually needs routing.
22:15 < amiller> i'll consider that MMR refers to not just the data structure but all the implied good properties it has :)
22:15 < gmaxwell> petertodd: yea, locality is good as it reduces the storage and computation required.
22:16 < gmaxwell> I wish sharding it were easier, but there are weird fungibility problems with sharding.
22:16 < petertodd> gmaxwell: I'm pretty sure I can do a sharding scheme that doesn't have fungibility issues actually, although it will have scary fraud issues.
22:17 < gmaxwell> you are not helping my confidence there!
22:17 < petertodd> gmaxwell: It'd also have 51% attack issues given we need a market for transaction fees... although I think with my "per-tx pow" scheme and some proof-of-stake sprinkled in it just barely works...
22:18 < gmaxwell> it works if you have a hierarchical currency. E.g. a master coin that everyone validates. And then shard coins. And you can only spend within shards and between shards and master. But that hurts fungibility.
22:18 < petertodd> gmaxwell: Yes, multiple currencies makes it really easy. I think on the forum I gave the toy example of a circular set of currencies, where mining always mined an adjacent pair basically.
22:19 < petertodd> (good post to timestamp come to think of it...)
22:20 < amiller> i'm beginning to think even fungibility doesn't matter as much
22:20 < amiller> one thing i've been worrying about with, say, ripple or color coin currencies is how you pay the miners if they don't care about your currency
22:21 < amiller> but you *don't* have to pay all the miners, you only need to pay enough of them
22:21 < amiller> you can mine your own irrelevant transactions if you can afford the cpu but no one else likes your currency
22:21 < amiller> the more broadly valuable your sillycoins are the easier it is to convince all the miners to include it
22:22 < petertodd> amiller: With wallet support it'd be easy enough to paper over the fungibility problems by just trying hard to keep the user's wallet well balanced, and accepting that some transactions take a few more confirms.
22:22 < amiller> sure
22:22 < amiller> you can have an automated portfolio of colored coins too
22:22 < petertodd> amiller: Someone more versed in graph theory than me could probably come up with some scheme where you have log(n) steps to spend any coin.
22:23 < amiller> you could have an altcoin that had proof of work mining, no startup bonus, only self issued currencies, and fees are just paid in IOUcoins of any user's discretion
22:24 < amiller> the only problem is that we don't have much reason yet to be confident that the whole consensus thing works with the current system with all the block bonuses removed
22:24 < petertodd> amiller: Well, do you understand my circular set of pair-wise-mined currencies example?
22:24 < petertodd> amiller: You can still have block bonuses there.
22:25 < amiller> block bonuses are gonna go away anyway so the question is are voluntary transaction fees just to the miner good enough
22:25 < amiller> i like the idea that eventually you'll have to bribe the next miner to build on your block rather than 'discouraging' it
22:26 < petertodd> Yeah, and anyway to make such schemes work we have to get fraud proofs to work well, and I think right now TXO commitments are the logical way to do that...
22:28 < petertodd> One interesting thing about all this stuff, is suppose we got a nice, shardable, ultra-decentralized currency: I suspect we'd want a token system, with fixed values, so that the transactions related to the lowest value tokens moving around can be relegated to the lowest security chain.
22:28 < petertodd> Otherwise the whole thing just becomes a nice way to instant-message your friends...
22:28 < amiller> petertodd, no the trick is insurance
22:28 < amiller> i sort of have an idea of how navigating the multi hierarchy currency works
22:29 < amiller> the main question is how you exchange value from a small currency to a larger one
22:30 < amiller> like even if you have a locally-meaningful currency, it's still beneficial to have a broader audience observe the transactions
22:30 < petertodd> See, I'm thinking of a system where for a long, long time, the "1 satoshi" chain has basically no attention paid to it so fraud is rampant and people don't trade in single satoshis.
22:31 < petertodd> Because if you *can* cheaply trade in single satoshis, securely, then what stops me from timestamping everything? At some point something needs to break down, and there needs to be some way to "communicate" back the cost of the whole system to its users.
22:31 < petertodd> There Ain't No Such Thing As A Free Lunch!
22:32 < amiller> i think we vaguely agree again :)
22:32 < gmaxwell> shard by txout value.. interesting.
22:32 < gmaxwell> but that creates a linear hierarchy which is kinda lame.
22:32 < petertodd> Yeah, I think it'd probably work best with some kind of storage-hard proof-of-work, especially if it can somehow be directly related to validation.
22:33 < petertodd> gmaxwell: Maybe it doesn't need to be linear? Maybe it's just opportunistically sharded, IE you mine whatever part of the UTXO set that you want to, and we use fraud proofs to keep people honest.
22:33 < petertodd> A worthless chain won't have many people actually validating it, so every so often someone will get away with fraud, or the data will get lost and coins will become unspendable.
22:34 < petertodd> Conversely the 2^32 satoshi chain is actually economically important, and it's basically impossible to get away with fraud.
22:34 < amiller> sorry in advance for the following ramble but just be glad it's not in bitcoin-dev
22:34 < petertodd> All those chains can operate in lock-step too, so atomic transactions are still possible. (though exchanging 2x 1 satoshi tokens for a 2 satoshi token won't be possible)
22:34 < amiller> what strikes me as really strange is that with the bribery/incentive/rational modeling it seems like we're headed towards a system that works even if people just do whatever benefits them
22:35 < amiller> what's the role of the protocol or constitution in that case?
22:35 < amiller> what's even the need for a correct set of rules if following them is optional but just beneficial by default somehow
22:35 < amiller> and i wonder if the explanation is that it's arbitrage of some kind between two kinds of rationality
22:35 < amiller> there's like the immediate greedy decision that you'd make fully anonymously
22:36 < amiller> and a separate kind of policy that you want to enforce on everyone else
22:36 < amiller> like it's easy to show support for a certain rule when it's probably not going to affect you anyway, like by building on someone else's block
22:37 < petertodd> I'll warn you, I'm this close to inviting you to #postmodern-bitcoin... :P
22:37 < amiller> likewise it's easy to deviate from the rule when the benefit is clear
22:37 < amiller> yeah well
22:37 < petertodd> heh, though go on :P
22:38 < amiller> that was the end of the thought i guess
22:38 < amiller> sometimes there's a new datastructure at the end, not this time
22:39 < petertodd> gmaxwell: Oh, and you know, what's really interesting with multiple powers of two token chains is that MMR TXO commitments are the perfect data structure for them, given the mandatory data required to mine a new block is very small, and they can continue even if all the data is lost.
22:40 < gmaxwell> well.. there is less need to shard if full verifying requires little state.. the primary advantage is potential bandwidth.
13:01 < gmaxwell> Things like that crop up all over the place, we get them in Bitcoin... they show up in any sufficiently large piece of software or hardware design. In digital electronics you'll sometimes have problems when analog effects that you thought you could ignore crop up.
13:02 < Emcy> obviously its not such a big problem as i think then
13:02 < Emcy> are there any cryptosystems that are unknowable in full by human mind?
13:03 < gmaxwell> Well...
13:04 < gmaxwell> We depend on knowing the thing in order to make arguments for its security. Modern cryptosystems are built out of simple regular parts. Otherwise if you make something too complex you'll miss a weakness which will be obvious to someone who 'looks at it from another angle'.
13:04 < gmaxwell> So all the primitives we use are quite simple and straightforward.
13:05 < gmaxwell> Though in more recent times people have been building taller towers, systems which are only simple if you abstract away the details.
13:05 < Emcy> but they dont always interact in the way you think they should.
13:06 < Emcy> perhaps one day we will throw together enough primitives that it will turn around and ask us for clemency.....
13:09 < andytoshi> Emcy: there is a good lesson about this in the history of tls
13:10 < andytoshi> http://blog.cryptographyengineering.com/2012/09/on-provable-security-of-tls-part-2.html
13:12 < Emcy> im sure it is provably secure, the auth part is letting it down badly though these days
13:13 < andytoshi> that link has a short blurb about the MAC fiasco in the 90's
13:14 < Emcy> wots that
13:14 < Emcy> nm ill read
13:15 < andytoshi> it's a classic "things interact in surprising ways when you pile them on" story
13:15 < andytoshi> and the complexity of that problem was not even very high..
13:17 < Emcy> from what ive seen almost no servers still dont use tls 1.2
13:18 < andytoshi> yeah, i don't think browsers will even accept tls 1.0
13:18 < Emcy> i always thought people used old shit because its been in the trenches longer than new shit.
13:19 < Emcy> i saw a server with tls 1.0 and 1024 rc4 or something recently
13:20 < Emcy> thats pretty bad
13:22 < Emcy> jesus christ it just rained the hardest its ever rained around here in 30 years
13:22 < Emcy> it was raining upwards.......
13:22 < Emcy> wall of water
13:23 < andytoshi> well, i am off to the airport, good talking to you guys
13:24 < Emcy> good flight
13:24 < Emcy> oh
13:34 < Emcy> god dammit planetside 2 has been down for hours
13:35 < Emcy> i spose thats why its free
13:56 < nsh> andytoshi, your link on tls -- reminds me of that scene from one of the hitch-hiker's guide books...
13:56 < nsh> "Arthur goes to the village. He finds a woman seer who swats at flies in front of a cave. She smells horrible. She does her dead goat-like animals. He helps her take her photocopy machine out into the sun because it is solar-powered. She hands the photocopies to him. It is the story of her life. He should read it and not make the decisions she made to end up alone..."
13:56 < nsh> ( http://www.bookrags.com/studyguide-mostly-harmless/chapanal005.html )
13:57 < nsh> someone should teach a remedial history of the internet, annotated at every point where we fucked it up
13:57 < nsh> in case we get a chance to start over at some point :)
14:51 < eclark> what do you think of **********DOGE*********
14:57 * nsh looks at eclark pointedly
16:59 <@gmaxwell> andytoshi, luke: I went and posted the description of my attack on that cryptosystem. (since he tried and didn't figure it out and asked me to explain it)
17:03 < jtimon> gmaxwell do you have a link?
17:05 <@gmaxwell> jtimon: https://bitcointalk.org/index.php?topic=374085.0
17:07 < jtimon> thanks
17:24 < nsh> i don't really understand the assumption that you'd want to have much correspondence with someone you just performed a pseudoanonymous one-time transaction with. i rarely feel the urge to call the hot-dog stand for a chat...
17:26 < helo> maybe authentication to some service that the one-time transaction paid for
17:26 < nsh> mmm
17:34 < helo> people generally handle their bitcoin private keys more securely than most other kinds of private keys, so services that are cobbled together on top of bitcoin's PKI smell ultra-secure
17:36 < BlueMatt> heh, shit...they recovered rsa pgp private keys from the noise a cpu makes...
17:36 < nsh> yeah, was reading about that today
17:41 <@gmaxwell> BlueMatt: none of the crypto we use for bitcoin is timing/power side channel immune.
17:41 <@gmaxwell> I don't believe there exist constant time implementations of the primitives for secp256k1 at all right now.
17:41 < BlueMatt> gmaxwell: I didnt think they were, I just found this particular paper fun
17:42 < nsh> i wonder how much of the efficiency advantage of EC is lost with constant time primitives...
17:43 <@gmaxwell> nsh: the curve25519 stuff is constant time, and stupid fast... but its partly a result of having picked parameters with that in mind.
17:43 < nsh> hmmm, okay
17:44 < nsh> i wish djb would release the minimaLT code :/
18:06 <@gmaxwell> dear god.
18:06 <@gmaxwell> this guy is wasting unbounded amounts of my time in private message.
18:07 < BlueMatt> so ignore him?
18:07 < BlueMatt> or limit your bw
18:07 <@gmaxwell> I had hoped that I'd not be able to waste any time on him by dispatching luke to respond on the threat, but that ended up like a cesium / water reaction.
18:07 <@gmaxwell> s/threat/thread/
18:08 <@gmaxwell> dude is convinced he's going to revolutionize bitcoin with his grand ideas, but his only experience is with bc.i.
18:08 <@gmaxwell> and he's all confused about how bitcoin works.
18:08 <@gmaxwell> and every exchange I have with him is revealing another understanding.
18:09 <@gmaxwell> like after message 6 I discover that he's planning on 'solving' the problem that the "messages in transactions are cleartext".
18:09 * nsh chuckles
18:09 < maaku> gmaxwell: there are a dozen people on bitcointalk like that
18:09 < maaku> if only the ignore bit were an option :\
18:09 <@gmaxwell> And the idea that a business that ships out goods to people would generate a new address for each payment seems to be completely foreign to him.
18:10 < BlueMatt> maaku: a dozen? really? theres like a few thousand...
18:10 < maaku> heh
18:10 <@gmaxwell> I could ignore him but I don't want him going and fucking stuff up with his earnest enthusiasm.
18:11 < nsh> there should be a crypto playpen tarpit for people
18:11 * maaku fully expects him to find some investor willing to throw insane amount of money at his ideas
18:12 < BlueMatt> or...we could just let people implement dumb crypto primitives, and use idiots to steal coins from
18:14 <@gmaxwell> part of the problem, of course, is that even the broken and dumb ones are seldom so bad as to enable theft.
18:15 < BlueMatt> yup
18:15 <@gmaxwell> like this guy's busted ass cryptography still would take 2^64 queries to a decryption oracle to crack one message. Even if someone had convinced him to reduce the mac to 32 bits, it likely would have only rarely been a practical attack.
18:16 <@gmaxwell> he also thinks he can do things with transaction "from" addresses.
18:16 < BlueMatt> how much would it cost to put an ad on bitcointalk that just says "THERE IS NO FROM ADDRESS, GET THAT THROUGH YOUR HEAD, IF YOU DONT GET IT, GO AWAY"
18:17 < nsh> ehehe
18:17 <@gmaxwell> BlueMatt: I wonder what the revenue stream from bc.i is? It can't be that great if its really just the ads and they don't have income from spying on people or whatever.
18:18 <@gmaxwell> We could raise money to buy it and shut it down.
18:18 <@gmaxwell> Without notice.
18:18 < BlueMatt> they have pretty reasonable vc funding iirc
18:18 < BlueMatt> so...they must have some business model, somewhere
18:18 <@gmaxwell> And a full screen "HA HA WE TOOK YOUR MONEY, YOU WERE AN IDIOT FOR USING A CENTRALIZED SERVICE"
18:18 <@gmaxwell> darn
18:18 < BlueMatt> even if its "down the road, we..."
18:18 <@gmaxwell> (3) profit.
18:21 < maaku> money up for grabs: https://telegram.org/crypto_contest
18:23 < maaku> http://core.telegram.org/techfaq
18:24 <@gmaxwell> uh.
18:24 <@gmaxwell> that seems really dishonest to me.
18:25 <@gmaxwell> it looks like the security is dependent on their server handing out the correct keys.
18:25 < BlueMatt> they claim you can also do dh p2p and then compare some image that represents the shared key or something
18:25 * BlueMatt didnt read closely, it just said "compare image after dh exchange"
18:28 <@gmaxwell> I wonder why they're using sha1, especially when they need 512 bits of KDF.
18:48 <@gmaxwell> I see that news.ycombinator.com has similar thoughts to me, https://news.ycombinator.com/item?id=6931457
18:51 < nsh> "Yeah, it's probably against the rules of the competition and will get you arrested if you try. But I think if someone does break into their central server and wins the competition that way, they should still be paid out."
18:51 < nsh> i like those odds!
18:53 * gmaxwell contemplates that google search you did earlier today in #bitcoin ... :P
18:54 * nsh smiles
18:55 <@gmaxwell> hm. I was trying to see what their physical location was, and it seems to be run by totally anonymous parties?
18:57 < nsh> can you sell on the google play store anonymously?
18:58 < nsh> LLCs are registered, but anyone can call themselves X LLC https://play.google.com/store/apps/developer?id=Telegram++LLC
19:00 < nsh> possibly William / Jordan A Baker http://trademarks.justia.com/860/10/telegram-86010749.html
19:00 < nsh> (no mention of encryption in the trademark application though)
19:01 < nsh> ( http://companies.findthecompany.com/l/32066563/Telegram-Llc-in-Wilmington-DE )
19:43 < adam3us> hmm this coinmessage thread is locked so i can't join in! i was going to explain that what the sender claims is R.x from R=rP can be s st there is no solution to s=f(x) ie s is not on the curve. he doesn't seem to get that (re comments about s being > n)
14:12 < gmaxwell> making it somewhat small means that from day 1 people would need to vote to keep the size up, that's probably good.
14:12 < gmaxwell> e.g. you want to actually make the minimum smaller than the current need so the need to vote doesn't surprise people later.
14:13 < petertodd> The thing is a non-vote is always a vote for the status quo, so people *don't* need to vote if they are happy.
14:13 < petertodd> (or just want the limit to reduce a bit)
14:13 < gmaxwell> petertodd: how do you vote for a reduction?
14:14 < petertodd> You vote for a reduction and a miner can chose to include it.
14:14 < petertodd> *choose
14:14 < petertodd> (john thought some % of the block limit should be reserved for votes FWIW)
14:14 < gmaxwell> hm. perhaps instead the vote-absent-target should be some median of the last N block sizes.
14:15 < gmaxwell> Since miners can already drive it down to nothing regardless of what the voters think.
14:15 < petertodd> That's what john proposed, the limit changes once per year, and a non-vote is a vote for the median of last year's and this year's limit.
14:15 < gmaxwell> not a median of the limits, a median of the observed blocksizes.
14:15 < petertodd> Basically that's just there so that if a too-high size allows for censorship, the limit will gradually reduce.
14:15 < petertodd> But that means miners can just pad blocks to change people's status quo votes.
14:16 < gmaxwell> petertodd: yes, so then they stop voting.
14:16 < petertodd> But you can't *not* vote the status quo except by voting something else.
14:17 < gmaxwell> or to be more clear miners' actual observed behavior _is_ the status quo.
14:18 < gmaxwell> petertodd: median(blocks) < limit < 2*limit. You're voting if the limit should be closer to median(blocks) or 2*limit.
14:18 < gmaxwell> if you don't vote, that's a vote for the median, and the limit will fall.
14:18 < petertodd> Hmm... that's reasonable.
14:18 < gmaxwell> (as the median must always be smaller than the limit)
14:18 < gmaxwell> the speed at which it falls depends on the miners' behavior.
14:19 < gmaxwell> it will fall slowly if they're consistently right at the limit.
14:19 < petertodd> Although it's easy for all miners to decide to pad blocks to keep median(blocks) == limit
14:19 < gmaxwell> maybe median(blocks)- just incease they .. rigt
14:19 < gmaxwell> er right.
14:19 < petertodd> With jdillon's proposal, the limit *will* fall even in that case.
14:19 < petertodd> For that matter, not all miners, 50% majority of miners.
14:20 < gmaxwell> yea, doesn't actually even need to be median, it could be a mean or some kind of weighted mean.
14:21 < petertodd> I'd just keep it as vote for 2*limit or vote for limit/2 in that case, pick a representative UTXO for each block, and calculate weighted mean for the past year's worth of blocks.
14:21 < petertodd> Every step of that is cheap to prove.
14:22 < gmaxwell> So that has stability problems, I think.
14:23 < gmaxwell> basically, if blocks are full and you're like "fuck! I have more bandwidth, I want cheaper transactions"
14:23 < gmaxwell> you'll be voting 2* all year long with all your friends.
14:23 < gmaxwell> maybe you really only needed a 10% bump.
14:23 < gmaxwell> you'll be pissed all year and then get a great big step when you really only needed 10% (but you don't _know_ you only needed 10%)
14:24 < gmaxwell> so it should probably be more continuous to facilitate discovery.
14:24 < gmaxwell> One problem is that a rolling window has a high group delay.
14:25 < petertodd> Hmm... make the limit change every block, by 2 / (1year/10minutes) ?
14:25 < gmaxwell> so you're voting 2* for a long time, and then finally it really goes up.. and keeps going up even though you're like "fuck, too big!"
14:25 < gmaxwell> so there is a tradeoff there.
14:25 < petertodd> Yes, but everyone can spend their txouts to change their votes.
14:26 < gmaxwell> okay, I'll accept that it's acceptably soluble.
14:26 < petertodd> Of course, in the context of computer systems, chances are 2x isn't really a big change.
14:27 < gmaxwell> well not just computer systems.
14:27 < gmaxwell> this is needed to keep fees up to prop up difficulty.
14:28 < petertodd> Against an attacker does 2x feel like much safety margin?
14:31 < petertodd> Oh nice, so 1year/10minutes = 52,560 ~= 2^16, so the code can simply find a representative UTXO, and if the vote is to raise, do limit += limit>>16
14:31 < petertodd> If the vote isn't to raise, do limit -= limit>>17
14:32 < petertodd> oh, wait, no I'm an idiot...
--- Log closed Fri Jul 19 00:00:02 2013
--- Log opened Fri Jul 19 00:00:02 2013
11:13 < jgarzik> petertodd, RE identity + IRC replacement via P2P flood-fill network... do you think a PoW element should be included, a la BitMessage? Or just rely on identity cost and shared opinion
11:13 < jgarzik> ?
11:14 < petertodd> I think identity cost is enough because the domain over where the message is sent is fixed - there's no re-use potential.
11:15 < petertodd> rb
11:15 < petertodd> brb
11:47 < petertodd> back
13:08 < petertodd> jgarzik: I suspect dealing with the graph of trust is going to be tricky... smells like a computationally intensive graph problem.
13:09 < jgarzik> indeed
13:09 < petertodd> One subtlety is you have to apply the same anti-spam rules to messages stating who you trust.
13:10 < petertodd> The other one is how do you find peers who have similar ideas of what to filter.
13:11 < petertodd> For v1.0 maybe the right approach is to not do it as a graph, but as a simple accounting of the sum sacrifice ignoring someone.
13:13 < jgarzik> certainly easier
13:14 < jgarzik> though disappointing there must be some sort of state
13:14 < petertodd> Yes, more minimal state, but that's still state.
13:14 < petertodd> At least it's state without user-controllable parameters - like bitcoin peers can sync to each other and come to consensus.
13:15 < jgarzik> also I wouldn't want everyone in the world on the same P2P network. My proxy would join user-specified networks, each with their own DNS seeds or methods of address gathering/bootstrapping/sharing. i.e. join "freenode" network with specified network magic and DNS seeds
13:15 < jgarzik> enables darknets and scaling
13:16 < petertodd> For bitcoin P2P flood fill jdillon suggested that you split things up into different domains by a simple UUID.
13:16 < petertodd> Nodes can even advertise a bloom filter of what UUIDs they participate in.
13:30 < jgarzik> Perhaps, but ultimately I think people should be able to avoid transiting data for networks they care nothing about
13:31 < jgarzik> Proxy can talk to multiple P2P networks just as easily
13:32 < petertodd> Point is with those UUIDs that's exactly what happens, yet to an observer the behavior of all those networks is identical.
13:33 < petertodd> Also allows for a meta-UUID(s) to make peer discovery for a given UUID easier.
16:38 < sipa> every time i (re)join here, it seems the number of people has grown :)
16:39 < petertodd> we'll have to make -gods eventually
16:39 < sipa> well, there's always #bitcoin-satoshi above...
16:40 < petertodd> heh
16:43 < gmaxwell> this is the best bitcoin channel.
16:43 < gmaxwell> well, other than the one where you have to solve the cryptographic puzzle embedded in the blockchain to join...
--- Log closed Sat Jul 20 00:00:05 2013
--- Log opened Sat Jul 20 00:00:05 2013
02:27 < midnightmagic> :-I please don't tell me that unless there is actually a puzzle
02:28 < midnightmagic> lol
02:28 * midnightmagic distracts himself by clicking the bitmaps in obscure unicode glyphs
--- Log closed Sun Jul 21 00:00:08 2013
--- Log opened Sun Jul 21 00:00:08 2013
19:12 < gmaxwell> petertodd: so one additional property your transaction PoW stuff would have is that it would increase the incentive to make sure you include transactions from the far side of a network partition.
--- Log closed Mon Jul 22 00:00:11 2013
--- Log opened Mon Jul 22 00:00:11 2013
06:57 < petertodd> gmaxwell: indeed, for my proof-of-sacrifice ideas, like the zookeyv key-value consensus system, I was thinking that'd basically be the whole incentive to try to broadcast the fact that you made a block/tx as widely as possible
06:58 < petertodd> gmaxwell: Works really well I think if the blockchain has a DAG structure and including non-conflicting branches is advantageous.
--- Log closed Tue Jul 23 00:00:15 2013
--- Log opened Tue Jul 23 00:00:15 2013
02:42 * amiller grumbles
02:43 < amiller> i think the first rule of bitcoin is "no global identities"
22:14 < gmaxwell> http://www.tdp.cat/issues/tdp.a015a09.pdf
22:14 < gmaxwell> damnit I must be tired.
22:14 < gmaxwell> Can someone decode which properties they're actually achieving there?
23:30 < petertodd> "secure against semi-honest servers" <- you've got good reasons to wonder
23:37 < petertodd> yeah, I don't think it's interesting for us - seems to be an interactive protocol where the client gets a proof that c \in S without knowing S, but you still need that round trip
23:38 < petertodd> I think the advantage over a merkle tree is supposed to be that the underlying primitive can be a bloom filter, rather than a complete dataset like a merkle tree
23:40 < gmaxwell> https://news.ycombinator.com/item?id=6094383
23:40 < gmaxwell> there I tried to read it again and managed to uncross my eyes long enough to understand their first form.
23:41 < gmaxwell> it's relatively clever, and at least less obviously horrible than some of the oblivious query stuff... but I can't think of anything we could use it for.
23:41 < petertodd> yeah, and that kinda makes sense, but what they are talking about appears to have to be an interactive protocol
23:41 < gmaxwell> petertodd: it is.
23:41 < gmaxwell> you can't query membership without asking the other side to blind sign for you.
23:41 < petertodd> right, which isn't much better than just a merkle tree
23:42 < gmaxwell> I can't think of anything we can use it for.
07:56 < warren> they're scared suddenly by Luke-Jr's patch, and realization that there's targeted ways for pools to filter only them
07:58 < adam3us> warren: i don't want to give them ideas but i think steganography wins (eg they could use committed tx too (even steganographically encoded variant of it), and we may want to prevent miner policy with (non-stego) committed tx also) Luke-Jr is awesome but miner policy is a slippery slope when we have limited technical defense against miner centralization
07:59 < sipa> luke's patch makes sense, but it's not rational for miners to adopt it
07:59 < sipa> it adds complexity to mining, and can only result in lost fee income
08:00 < adam3us> sipa: his policy was to deprioritize non-unique addresses right? or was there another feature also?
08:00 < sipa> yes
08:01 < adam3us> sipa: and msc is using address tagging i guess
08:01 < warren> adam3us: their address tagging is for dumb reasons that have nothing to do with the goal of the protocol
08:01 < adam3us> sipa: sweet patch btw :)
08:01 < warren> adam3us: it's for the founder to collect a tax on every tx
08:02 < Fistful_1f_LTC> why don't they move to PTS
08:02 < adam3us> warren: yes so the patch is a temporary win
08:02 < Fistful_1f_LTC> or create their own,
08:02 < adam3us> Fistful_1f_LTC: yes i suggested that to ripper123 on the msc thread - pts
08:02 < sipa> PTS?
08:02 < Fistful_1f_LTC> protoshare
08:02 < Fistful_1f_LTC> bitshare
08:03 < adam3us> sipa: protoshares a temporary "please mine this while we code bitshare" and we promise to give pts a 10% premine equity in bitshare
08:03 < Fistful_1f_LTC> lol
08:03 < sipa> brrr
08:03 < warren> Fistful_1f_LTC: I think their goal is to avoid having the entire network being declared illegal by making it impossible to be detected
08:04 < adam3us> Fistful_1f_LTC: it's awesome - i hung out on the #protoshares irc for a short while - most of the people had no idea what or why they were mining, only that they were there EARLY so if it rocketed they'd make a bundle
08:05 < adam3us> warren: i think stego works, eg built on committed tx. but only up to the insider attack someone can get in their identify msc tx via nominal value msc tx, and feed the info and evidence to miners to block
08:08 < Fistful_1f_LTC> adam3us: it's already rallying,
08:08 < adam3us> sipa: the mistakes on pts were almost terracoin in proportion. its hashrate went up faster than the adjustment could control, so it mined 6 months planned in 1 week. they released a hardfork patch and demanded all miners switch
08:08 < Fistful_1f_LTC> i'm mining a ton right now
08:08 < TD> i don't think miners should be down-prioritising address re-use
08:08 < adam3us> Fistful_1f_LTC: i think you maybe could get more speed, like n^2 more by increasing the ram used in the code
08:09 < Fistful_1f_LTC> how would i do that?
08:10 < adam3us> Fistful_1f_LTC: there is a data structure that stores collision candidates, it's set to like 1GB, if you increase it to 64GB it may run 1000x faster
08:10 < adam3us> Fistful_1f_LTC: (or however much ram you have)
08:11 < Fistful_1f_LTC> using AWS
08:11 < Fistful_1f_LTC> it's probably scalable
08:11 < adam3us> Fistful_1f_LTC: yes you can choose instances with more or less RAM, but try it first
08:12 < warren> TD: sipa: sure Luke-Jr's patch may not be rational, although filtering MSC may
08:12 < TD> well it's just not useful, imo. people already have incentives to not re-use addresses
08:13 < Fistful_1f_LTC> ok, you know which datastructure that is?
08:13 < adam3us> Fistful_1f_LTC: erm 1 sec
08:13 < Fistful_1f_LTC> or which miner are you talking about the coyote one ? or the beer
08:14 < adam3us> Fistful_1f_LTC: either the qt client or the ptsminer client (it's the same code)... the bitshare binary they don't release source for
08:14 < warren> and OMG, have you read their "spec"? The designer seriously doesn't know what he's doing.
08:15 < Fistful_1f_LTC> ok, i use ypool's miner, which is slightly faster,
08:15 < warren> huh, protoshares uses XPM's pow?
08:17 < adam3us> Fistful_1f_LTC: probably from same source... look for semiOrderedMap.cpp
08:17 < Fistful_1f_LTC> adam3us: cool, thanks
08:17 < Fistful_1f_LTC> warren: they use momentum,
08:18 < adam3us> Fistful_1f_LTC: (I haven't tried it... just as they are using birthday collision, until ram is full its speed increases n^2 with size of ram, if the cpu cores are fast enough to fill it in about the size of a block duration)
08:18 < Fistful_1f_LTC> slightly "hardened" scrypt, but it seems it's not that much harder
08:19 < adam3us> Fistful_1f_LTC: did they change it? i think it's H=hashcash-SHA512-26 (26 bit bitcoin like collision)
08:19 < Fistful_1f_LTC> adam3us: i will test it then
08:19 < adam3us> Fistful_1f_LTC: warren: then they find store H(cb,a), H(cb,b) for random values or counters a, until they find H(cb,a)==H(cb,b) in the last 50-bits (50-bit birthday partial collision)
08:20 < adam3us> Fistful_1f_LTC, warren: finally they test if H(cb,a,b) < target
08:21 < adam3us> Fistful_1f_LTC, warren: (cb is coinbase) their idea is they wanted to make a scrypt variant which was faster to verify (3 hashes) but still needed ram like scrypt, an interesting but unsolved design concept (i thought of it and tried it myself ages ago - it's not easy)
08:24 < adam3us> Fistful_1f_LTC, warren: consequently they failed on 3 counts: 1. it has TMTO (via unreliable bloom storage - which they didn't realize) so it can probably be made to work in GPU L2 cache; 2. it has progress so powerful computers win more than their share, 3. it has economies of scale (ie 2x ram = 4x power). triple fail
08:27 < warren> adam3us: I recall Luke-Jr was touting their design earlier while making fun of Litecoin's PoW failure. =)
08:27 < warren> (sure, Litecoin had a PoW failure)
08:31 < adam3us> warren: litecoin PoW failure was params, this one is algorithmic :) and luckily for the investors in litecoin, the b0rken params turned out to be OK params for GPUs when ASICs took over
08:33 < adam3us> warren: 3am dude.
08:33 < warren> sigh
08:33 < warren> yeah
08:37 < adam3us> warren: it would be interesting to find a way to design a secure memory hard pow that does not require memory to verify and has no progress nor economy of scale problems (nor tmtos)
08:38 < warren> adam3us: I don't have enough CPUs to benefit from that new scamcoin.
08:39 < adam3us> warren: the guy who asked me to look at it rented 80 vsps from the vsp provider that bitshare were getting affiliation profit for
08:39 < adam3us> warren: then bitshare did the hard fork he had 80 vsp sitting there with nothing to do on a month contract, he was not happy
08:40 < warren> adam3us: read the launch of XPM and digitalocean? hilarious
08:40 < adam3us> warren: (the difficulty jump after the fork made it ridiculous)
08:40 < adam3us> warren: no will go take a look for giggles
08:41 < warren> hmm, can't find the URL
08:41 < warren> adam3us: someone made a killing ... from referral codes
09:40 < petertodd> adam3us: the underlying problem isn't the incentive to mine - timestamping by itself is fine - it's the incentive to *publish*
09:41 < petertodd> sipa: sure, but equally adopting the dust patch can only result in lost-fee income too...
09:42 < petertodd> warren: yeah, I told MSC to ditch the address tagging too - they understand the issue and even came up with the idea of creating a globally predictable per-MSC address so that MSC clients could still work via SPV
09:42 < petertodd> warren: s/they/some of them/ :P
09:42 < warren> gavinandresen: just to confirm, you have 5 BTC available for macosx corruption bounty? 1) explain HOW it happens 2) provide a fix that is acceptable for merging by the standard review procedure.
09:43 < warren> petertodd: ooh
09:43 < petertodd> warren: (a MSC investor approached me a while back and paid me to do a bit of consulting for them; said investor decided to sell all the same)
09:43 < warren> petertodd: that's a better design than what I came up with
09:43 < adam3us> petertodd: well if the mine is of a bitcoin coinbase that includes a merkle root for the side-chain - then the miner has to publish it to collect their bitcoin reward
09:44 < petertodd> warren: yeah, basically the idea would be to predict the address, you'd have to duplicate a decent chunk of their code. Obviously that can be stopped, but it's a pain in the ass too.
09:44 < warren> gavinandresen: we'll chip in to the bounty, ask public for more donations to chip in more and post it.
09:44 < petertodd> adam3us: sure, but what if publishing late has incentives for some reason? mastercoin has global state crap so...
09:46 < adam3us> petertodd: well other than selfish mining, delaying publication of bitcoin blocks is playing dice with $25*450
09:47 < petertodd> adam3us: yes, *bitcoin* blocks, we're talking about mastercoin here
09:47 < petertodd> (well I'm talking...)
09:47 < adam3us> petertodd: the pay not to mine, given tx is a problem for bitcoin also, or pay to mine a different msc merkleroot
09:48 < petertodd> adam3us: right, but remember, this is a side-chain, timestamped, so the problem is what happens if a MSC tx or block or whatever it's called gets stamped, but not published? it's not a trivial problem
09:50 < adam3us> petertodd: ah i see what you mean. mining a hash runs the risk that the block is not available. bitcoin mines a hash, but announces by sending the block in one stage (not hash then block)
09:51 < adam3us> petertodd: i think other miners ignore hashes without blocks, and orphan them
09:51 < petertodd> adam3us: exactly. and with pow mining, it helps that naturally everyone is running flat out - not true with sacrifices/timestamps/etc.
09:58 < petertodd> bbl
14:03 < Luke-Jr> adam3us: there's no slope in miner policy. miners have always had a right to decide which transactions they will and won't accept
14:04 < Luke-Jr> sipa: it's rational for miners to use it because it ensures the value of their earned bitcoin remains
20:35 < amiller> then you'd have to run E(P') in time t^3 just to get the 2nd from last, etc...
20:35 < amiller> E(E(P')) i mean
20:39 < gmaxwell> yuck.
22:59 < amiller> i want to make a new definition for proof of knowledge
22:59 < amiller> bitcoin is really the perfect example for this
23:05 < gmaxwell> hm?
23:05 < amiller> the need for something like an extractor is because of the vacuousness of just saying "there exists", in the sense that a blockhash is valid if there exists some valid blockdata that's a preimage of it
23:05 < amiller> because there are a lot of valid blocks and the hash has collisions somewhere
23:09 < amiller> the recursive snark / proof-carrying-data paper basically defines this "compliance predicate" thing that describes valid blocks but as a recursive statement
23:09 < amiller> hrm
23:09 < gmaxwell> hm. I guess a useful definition of proof of knowledge requires that the thing you're proving be concrete enough that it's not a totally empty claim.
23:11 < amiller> the idea of an extractor is pretty compelling, like it says you have to efficiently provide the witness, where the witness is all the actual data
23:12 < amiller> the technical details are baffling and unnecessarily tricky though, like it basically says "given access to compiled program code that produces a proof, there's an efficient reverse-engineering that produces the witness"
23:15 < amiller> so i wonder if there's a more indirect way to do it that's like
23:17 < amiller> rather than saying there's an extractor that extracts the witness, producing the proof using anything other than the witness is hard
23:37 < gmaxwell> it is a bit interesting that the SNARK proof is there exists a witness such that f(public,w)=x... but it doesn't directly prove that the prover knew the witness.
23:39 < amiller> "knew the witness" is really difficult to define
23:44 < amiller> it would be a really minor engineering effort to make pinocchio work for bitcoin
23:44 < amiller> like, who cares if it takes 10 minutes to make a whole blockchain proof
23:45 < amiller> per block even
23:45 < amiller> the "real world practical costs" threshold is a whole lot different if it's public data and its providence concerns a lot of people
23:45 < amiller> provenance*
23:46 < gmaxwell> You think the prover could run that fast, with a state space of several hundred megabytes?
23:46 < gmaxwell> (and ECDSA signature validation in it?)
23:47 < amiller> yeah maybe
23:47 < amiller> one of the weird things is that
23:47 < amiller> because of the algebraic structure (it's bilinear groups based on elliptic curves anyway) you get some kind of strange operations for free
23:47 < gmaxwell> well I think that would be tremendously valuable, it greatly changes our long term scaling, since we could have committed utxos and then proofs of them and nodes could hotstart without substantially degrading the security model.
23:48 < amiller> yeah it changes things about the whole chains-validating-other-chains kind of stuff too which is more deeply why i'm so interested
23:48 < amiller> so, like, it's possible that lattice based hashes or lattice based signatures would be even cheaper than it seems
23:49 < gmaxwell> eliminating storage of user provided data would also remove a lot of existential risk for us... I think it's only a matter of time before someone tries to use childporn in the historic chain as an excuse to shut down bitcoin or to force it to become centralized.
23:51 < gmaxwell> I know how to keep user provided data out of the utxo, but can't remove it historically without either proofs of validation or a reduction in the security model. ... but if the computation cost thousands of dollars to perform for the proof that's not a big deal.
23:52 < gmaxwell> (okay, well thousands would be kinda obnoxious, but it's viable)
23:52 < amiller> yeah.
23:54 < gmaxwell> by the numbers I think the majority of bitcoin users don't have a clue about security at all, and would be perfectly happy if all the rules were removed from the software and BTCguild, slush, and asicminer were just trusted to do the right thing. ... so I do worry a lot about a politically hot argument to degrade the security for expedient reasons.
--- Log closed Wed Aug 28 00:00:47 2013
--- Log opened Wed Aug 28 00:00:47 2013
00:31 < Luke-Jr> gmaxwell: maybe BFL should start self-mining. people would care about that.
00:35 < gmaxwell> Anyone able to decode something comprehensible from this: https://bitcointalk.org/index.php?topic=282726.0
01:55 < gmaxwell> wtf. why is most work on secure multiparty computation using a semi-honest participant attack model.
01:55 < gmaxwell> I hate academics.
07:50 < gmaxwell> amiller: did you see me yabbering about performing interactive cut-and-choose with the blockchain itself as the counterparty?
--- Log closed Thu Aug 29 00:00:50 2013
--- Log opened Thu Aug 29 00:00:50 2013
20:15 < gmaxwell> petertodd: so, generalizing the sighash flags. Imagine a tree structured transaction serialization. There are N leafs matching up to the N data values being encoded.
20:16 < petertodd> Yup
20:16 < gmaxwell> petertodd: you form an N bit vector, setting 1s for all the items you want to sign for, and then you can encode that vector by encoding run length values.
20:16 < petertodd> Exactly what I was thinking too
20:17 < gmaxwell> e.g. if N=100 then you might code <100> to indicate all 1s.. or if you code 101111..<end> 1,98 or whatever.
20:17 < petertodd> You can further simplify it too by making the interpretation of that vector be centered on the input, so simple concatenation works.
20:18 < gmaxwell> and then you can stick on the checksig operator this runlength sequence as an input, you gather up the leafs that are matched by the mask and sort them by value.. and that's what you sign.
20:18 < gmaxwell> petertodd: you don't need to though because to support any changes you'd leave the runlength token outside of the signature.
20:18 < gmaxwell> so someone adding to the transaction would just compute another runlength token.
20:19 < petertodd> gmaxwell: Aw heck, I was thinking to simplify that compute code, but yeah, it'd probably just be easier to index from zero anyway.
20:19 < gmaxwell> But ... the downside of this is that it leaves malleability. And I'm annoyed that I see no way to preserve the flexibility I want without creating free malleability.
20:19 < petertodd> Yeah, I think that's impossible. Better to make a new system where you can sign a scriptPubKey:valout output instead.
20:19 < gmaxwell> (if you want to be complicated there are all sorts of fancy things you can do to make coding the runlength value efficient... but since you never hash it.. it's not really protocol normative)
20:20 < petertodd> *scriptPubKey:value
20:20 < gmaxwell> yea, I don't see how the malleability can ever really be completely removed unless you really heavily restrict scriptsig form.
20:20 < petertodd> Hmm... true you could actually not hash it at all, although that'd be a lot of complex changes in the scripting system.
20:21 < gmaxwell> e.g. OP_NOP <push> checksig is still valid.. so you'd have to have a rule saying you couldn't do that. But I'm suggesting never hashing that value anywhere in the protocol.
20:21 < gmaxwell> basically I'm saying the scriptsigs for a txn would be a separate hashtree. You'd still commit it in the blockchain but it would be a separate fork.
20:22 < petertodd> Yeah, see I'm thinking s/OP_NOPn/OP_CHECKSIG2/ basically, and continuing to get the signature from the scriptSig, and continuing to hash that.
20:23 < gmaxwell> well I'm pondering how I'd completely change the transaction format to make some of the things that are clearly broken better.
20:23 < gmaxwell> e.g. the fact that fidelity bond proofs are unreasonably big.
20:23 < petertodd> Yeah, problem is you do want to preserve the backwards compatibility I think. The main thing we're missing is input values; got anything else in mind?
20:24 < petertodd> re: fidelity bonds, I just wrote a OP_CHECKLOCKTIMEVERIFY patch actually.
20:24 < gmaxwell> proof size and prunability of scriptsigs while keeping everything else (same problem) is what concerns me most w/ the current format.
20:24 < gmaxwell> even with OP_CHECKLOCKTIMEVERIFY I can't check a @#$@ single output without hashing the whole txn.
20:25 < gmaxwell> (okay, with the midstate compression perhaps you can get the last one, but that's a kludgy hack)
20:25 < petertodd> Right, and to solve that I think all you actually need is just to extend the merkle tree into the tx, plus making that merkle tree include input CTxOut's
20:25 < gmaxwell> right that's what I'm thinking about. How do you lay out the transaction so the data elements form an efficient tree... and then express the data you want to include in your hash efficiently as some masking over that tree.
20:25 < petertodd> I can't think of any other fields that are needed; maybe a per-transaction checkpoint.
20:26 < petertodd> Ah I see, yes, that's a good approach.
20:27 < petertodd> I guess the easiest would be to just number the roots of that tree, and make your RLL-encoded bitfield spit out indexes.
20:27 < gmaxwell> I think the txn global data is a version, a nlocktime, a checkpoint, and the counts and sums for the subtrees.
20:27 < petertodd> Right, sums are important.
20:27 < petertodd> Do you want a single checkpoint for the whole tx?
20:28 < gmaxwell> And the inputs have a sum tree of input data, the scriptsigs have a sumtree of sigsize bytes, the outputs have a sum tree of output value. the two sums give you the fees.
20:28 < petertodd> That's good
20:29 < gmaxwell> petertodd: I _think_ so, as they're redundant if they aren't identical, but it might make some merging complicated as you'd have to agree on the checkpoints when you include them.. otherwise the checkpoint should just become a scriptsig operator that pushes the checkpoint onto the stack of data that gets signed.
01:06 < amiller> i have a friend who basically derived this in some private conversation last year :x
01:06 < amiller> i told him i didn't know any signature scheme that could be combined that way
01:06 < amiller> it was specifically about doing red balloons where you can't strip the new fee off
01:07 < gmaxwell> amiller: for ecdsa we have public + r + s for this we would have public + aggregate(s) but if it's used for anonymity you have to have an extra public key for each output.
01:07 < gmaxwell> and yea, this is really trivial with pairing crypto.
01:09 < amiller> yeah i ran through your elaboration and it made sense
01:09 < amiller> (i am not really checked out to read and securitize crypto but w/e)
01:09 < gmaxwell> the signature algorithm with one way aggregation is circa 2003. This poster's contribution is the idea that if you separate your spend and your output signatures would be insecure in isolation and aggregate them before announcing, you don't have linking.
01:09 < gmaxwell> Well .. it's pairing which uh. may not give everyone warm fuzzies.
01:10 < gmaxwell> because it's all based on carefully choosing groups where the delusional DH problem is trivial to solve.
01:11 < amiller> yeah also all elliptic curves were generated by j.e. hoover
01:11 < gmaxwell> man I made the mistake of making a few comments on that, and have had press calling me all week about it.
01:13 < petertodd> gmaxwell: good job
01:14 < amiller> you and matt green.
01:14 < amiller> who visits my office once a week :3
01:14 < amiller> i gave him a copper bitcoin trinket today
01:14 < amiller> if you think *you* open your big mouth....
01:14 < amiller> anyway so...
01:15 < amiller> pairings are fine w/e PBC is easy enough to use and almost fast
01:15 < gmaxwell> amiller: can you ask him what he's doing going and filling reporters' heads with the idea that the NSA can steal bitcoin with SHA256 collisions? That has to be the biggest stretch theory I've heard all week and I really wanna know how the reporter got that out of him. :P
01:15 < gmaxwell> yea PBC is pretty sweet.
01:16 < gmaxwell> one pairing operation per txn is kinda lame but its not nonviable in the slightest.
01:17 < amiller> why not just merge all the tx
01:17 < amiller> miner makes one big ol operation
01:17 < amiller> one pairing and a dozen of the other things the third one
01:36 < gmaxwell> because the validation needs one pairing per message and public key.
01:37 < amiller> oh
01:43 < gmaxwell> (and one G2 multiply)
01:43 < gmaxwell> er GT multiply.
01:43 < gmaxwell> stupid pairing terminology.
08:50 * jgarzik continues to work on auctionpunk
08:50 < jgarzik> new sub-idea: address servers
08:51 < jgarzik> Right now, "auctiond" communicates directly with bitcoind, obtaining addresses for payments and watching for those payments
08:51 < jgarzik> If a third component existed to serve out bitcoin addresses, this auction server need never touch a wallet at all
08:52 < jgarzik> that third component could do what auctiond does now -- call bitcoind getaccountaddress -- or read from a static file of 1 million pre-generated addresses, or any other method
12:40 < HM> or if bitcoind actually talked to a database server, everything could just talk to that :P
12:59 < jgarzik> well, this is more an administrative boundary; trying to design an API around that concept.
13:00 < jgarzik> a wallet is a key management unit. people may choose to manage keys in different ways.
13:00 < jgarzik> an address server is one way to enable many different wallet configurations.
--- Log closed Sun Sep 15 00:00:39 2013
--- Log opened Sun Sep 15 00:00:39 2013
20:49 < jgarzik> basic auction server complete. now rewriting JSON-RPC -> HTTP REST ;p
22:08 < petertodd> nifty
22:09 < petertodd> jgarzik: I'm doing some work on what I'm calling the bitcoin.chain module to handle stuff like blockchain header maintenance and what not for python-bitcoinlib
22:11 < petertodd> jgarzik: Thinking it should look something like a magical box where you can give it blockchain headers, and it figures out what's the biggest sum-work sub-chain, similar to sipa's work on headers-first.
22:12 < petertodd> jgarzik: (obviously it's ok if the box uses a pile of ram in degenerate cases... so long as the more obvious way to do it works well)
22:17 < BlueMatt> how did I end up leaving here? :(
22:17 < BlueMatt> petertodd: researching attacking tpms in what sense? dma to break txt or so?
22:17 < petertodd> BlueMatt: I guess Hogwarts expelled you.
22:18 < BlueMatt> <petertodd> There's a lot of possible attacks, but yeah, breaking memory is a big one. Of course, the big issue with even Intel's TPM stuff is that AFAIK main memory is unencrypted - rather useless.
22:18 < BlueMatt> petertodd: yea, well if you can rewrite kernel code via dma, tpm data can be read arbitrarily, essentially
22:18 < petertodd> Yup, and people overestimate how hard it is to get data out of main memory: just cool down the RAM sticks, turn off the machine, and transfer them to another machine for a cold-boot attack.
22:19 < BlueMatt> hence why txt exists (run program protected from dma, etc, where you can get new tpm status so that you can protect better)
22:19 < petertodd> IE, any application that needs sensitive data stored in RAM is insecure, making a lot of applications useless.
22:19 < BlueMatt> ofc there are (apparently) attacks against txt where you can break the IOMMU protection and then get access to the "protected" program
22:19 < petertodd> Yes, but TXT execution still leaves the program data in RAM unless you do really clever stuff with L1/L2 cache.
22:20 < BlueMatt> petertodd: see https://github.com/TheBlueMatt/linux for some work I've been doing (and am now continuing) that builds on the TRESOR store-encryption-keys-in-registers stuff
22:20 < BlueMatt> petertodd: yes, but you can get the tpm to hash the program and only allow private data to be read when you load the right program
22:20 < petertodd> Ah cool, yeah that's a nifty approach, and easier to implement than cache tricks from what I hear.
22:21 < BlueMatt> well, except for dma tricks where you just rewrite the kernel code.....
22:21 < petertodd> (note that my main TPM interest is remote attestation, for wallet stuff your type of security is probably fine)
22:22 < BlueMatt> ahh, well yea I mean you essentially need secure IOMMU limits st no hardware can write arbitrary crap to kernel memory
22:23 < BlueMatt> which is being worked on...but there are still drivers that dont do it right (hence my desire to find programmable pcie chips...)
22:23 < petertodd> I also have a project I want to do that'll just be a uC with a cheap FTDI USB<->serial chip and some very simple anti-tamper stuff to store full-disk-encryption keys, as well as provide a way to detect tamper events - the latter could be used to wipe system memory in conjunction with an in-case UPS.
22:24 < petertodd> You basically want to be sure the attacker can't plug in some hardware to a running machine right?
22:24 < gmaxwell> BlueMatt: so there are things like fpga devkits with pcie, but the pcie bus connection is some fixed logic, and may not be able to make do what you want.
22:24 < BlueMatt> petertodd: well, my threat model is how to protect against an attacker who can
22:24 < petertodd> Er, right, make sure an attacker who can can't do anything interesting. :)
22:25 < BlueMatt> petertodd: see https://forums.hak5.org/index.php?/topic/28816-howto-anti-forensics-mass-storage-device-as-a-key-device-for-fde/ where I build a flash drive that is smart and tries to figure out when someone is trying to read it
22:25 < BlueMatt> petertodd: yea
22:25 < petertodd> BlueMatt: Lol, yeah I saw that earlier, very nifty.
22:26 < petertodd> See, my thinking is that there's probably so much backdoor crap and exploits in standard hardware, that it'd be more productive to add more hardware to the problem, but simple hardware that we can trust.
22:26 < BlueMatt> gmaxwell: fixed bus logic there should be fine, you just have to be able to change how it reports itself to the host
22:27 < BlueMatt> petertodd: yes, a smaller trust base would be nice, but its theoretically possible to do it all properly without any custom hardware so thats what Im looking at
22:28 < BlueMatt> also: doing a wallet in tpm should be done...
22:28 < BlueMatt> wallet in intel txt would be the ultimate in security for private key storage and signing
22:28 < BlueMatt> ofc you should probably just do a hardware thingy instead, but....
22:29 < petertodd> BlueMatt: Well, they're both ideas with advantages and disadvantages so... if I build my little USB thing, think it'd be easy to write some kernel drivers/dmcrypt startup scripts to use it? I suspect it won't be a very hard project, much less than the other stuff you're working on.
22:31 < petertodd> BlueMatt: Reminds me: apparently the newer intel TXT stuff can even display things on screen securely, and take in user input from the keyboard and mouse securely, at the hardware level!
22:31 < BlueMatt> ooooooooooo
22:32 < BlueMatt> petertodd: in my case its incredibly easy because I just treat it like a flash drive and read in a sector
22:32 < BlueMatt> petertodd: thats probably one of the easiest ways (its already implemented...) and you can still do that in trusted hardware
22:32 < BlueMatt> but reading over serial shouldn't really be any harder
22:33 < petertodd> Well, remember the key idea I have is to make my USB thing actually connect to anti-tamper sensors, so when the thieves steal your server at the colo center the moment they open the case/move it the keys get wiped, yet you can still reboot it/handle power failures.
22:34 < petertodd> (or for that matter, ship it in the mail)
22:34 < BlueMatt> petertodd: you can do that in usb too...
22:34 < BlueMatt> usb with the same chip on the backend
22:34 < BlueMatt> (internal-case usb headers instead of standard A plug, probably)
20:33 < andytoshi> oh, damn, that was my first exposure to 21st century crypto, i thought maybe it was an implementation-friendly field :(
20:35 < gmaxwell> well, it's mixed. A lot of things in pairing crypto are easily implemented. E.g. I went and implemented the OWAS from that paper in under half an hour, including learning to use the pairing crypto library.
22:46 < Taek42> I had an idea for variable-speed blockchains
22:47 < Taek42> which I think would be desirable, because when you set a static rate, you can either be too slow (meaning you could go much faster)
22:47 < Taek42> or too fast (meaning that blocks happen faster than nodes can communicate them)
22:47 < Taek42> and right now, most coins seem to pick arbitrary values
22:49 < Taek42> If you count how many blocks have the same parent (as a percentage)
22:50 < gmaxwell> Taek42: amiller proposed several years ago committing to orphans to control loop the rate.
22:50 < Taek42> how was the reaction to the proposal. Also, is there a link?
22:50 < gmaxwell> Taek42: but the problem with that is it has enormous centralization risks in two different ways.
22:50 < Taek42> how so?
22:52 < gmaxwell> Say for example that 60% of the hashpower was within the east coast of the US, such a system might happily adapt itself down to 100ms blocks, and just exclude the outside world. Even if the outside blocks were enough to slow it down, the majority could just happily ignore them, since its in their interest to keep it fast. Now, okay, perhaps you have some sensible floor to prevent this.
22:53 < Taek42> I think I have
22:53 < gmaxwell> Then you have the fact that only miners play in this scheme but the block rate is very important to clients as well. 1 second blocks would be a ~600x increase in bandwidth and cpu for SPV clients over 10 minute blocks.
22:53 < Taek42> that's only assuming that at 1% blocks the blocks (and not the transaction data) are the majority of the information
22:53 < Taek42> *at 1 second blocks
22:54 < gmaxwell> so while the miners are all getting paid for their mining and can afford fast networks tunnels through the earth and neutrino reactor transmitters and what have you the rest of nodes have to keep up with the flood but aren't compensated to pay for these increased costs.
22:54 < gmaxwell> and they have no control channel to express this displeasure.
22:55 < Taek42> hmmm
22:56 < gmaxwell> Taek42: why wouldn't it be at 1 second though? the system will keep speeding up until miners can't get lower latency networks, and then it will start excluding miners who are too far out e.g. in .au. Right now there is hardly any incentive to do anything heroic about your network as a miner, but if the time kept going down as miners improved their connectivity there would be.
22:56 < gmaxwell> amiller_: perhaps has a link to his writeup.
22:57 < Taek42> Well the idea is that when you want to send money over the network you just tell a miner. I don't think faster blockrates would result in fewer transactions
22:57 < Taek42> unless a faster blockrate meant that non-miners couldn't verify the balance of an adversary
22:57 < gmaxwell> (uh, you know bitcoin has no balances in it
22:57 < Taek42> I'm guessing you are saying a semantic thing
22:58 < gmaxwell> It would interfere with other nodes imposing the rules. Bitcoin is a trustless system, and part of the incentive alignment for miners is that non-miners validate their blocks too.
22:59 < Taek42> how can non-miners validate a block? I thought blocks were validated by additional blocks being mined on top of them
22:59 < gmaxwell> ...
22:59 < Taek42> bear with me
22:59 < gmaxwell> By stepping through the data and checking each piece of it against the hundreds of rules of the system.
23:00 < Taek42> oh okay
23:00 < Taek42> but say that a non-miner finds something incorrect
23:00 < Taek42> what happens?
23:00 < wyager> Mmmm
23:01 < wyager> They ignore the block
23:01 < gmaxwell> They just ignore the block forever and all successive blocks. This is what prevents a malicious group of miners from inflating the currency or stealing people's coins (which might have returns great enough to justify their misbehavior)
23:01 < wyager> You're thinking of an SPV node, Taek42
23:01 < wyager> SPV nodes verify blocks by their depth
23:01 < wyager> (right?)
23:01 < wyager> full nodes actually verify blocks
23:01 < Taek42> okay that makes sense
23:01 < wyager> Like, making sure their hash value is low enough and there aren't any illegal transactions and stuff
23:02 < gmaxwell> Bitcoin's security is predominantly autonomous zero trust, you don't trust anyone at all to the extent that thats possible. Miners' influence is strictly limited to transaction ordering which is powerful, but hopefully limited enough to keep them honest.
23:03 < gmaxwell> (and we only trust miners for ordering because we don't have an alternative... it would be nice if physics allowed a decentralized, autonomous, and consistent ordering but it appears not to)
23:03 < Taek42> consistent ordering might be more achievable if you implementing some sorting
23:03 < Taek42> but then miners could still pick different blocks for different transactions
23:04 < Taek42> *implemented
23:05 < gmaxwell> Taek42: sorting can't work unless you have a jamming proof network which can reach all parties in finite time. Otherwise someone can know of a transaction that others don't and the rest only learn later.
23:05 < Taek42> yeah
23:06 < gmaxwell> in any case, thats why we have mining, it solves that little problem.
23:06 < Taek42> with the current bitcoin, what happens when the transaction volume grows to a point where only miners can keep up?
23:07 < gmaxwell> But mining means bitcoin isn't like most cryptosystems, the good guys don't have an exponential advantage over the attacker, only a linear one; so that makes the economics very important too.
23:07 < gmaxwell> Taek42: it can't.
23:07 < Taek42> what do you mean by it can't?
23:07 < Taek42> suppose you reach several thousand transactions per second?
23:07 < gmaxwell> The system has hardcoded rules on the maximum size of blocks, technically as absolute as the limit of 21 million total bitcoins. This means that even if the miners want to make huge blocks to stop other people from validating they can't.
23:08 < Taek42> ah
23:08 < gmaxwell> and to increase the limit requires all node software be replaced, so effectively it requires the consent of all the (remaining) users.
23:08 < Taek42> so at some point the demand for transactions could outgrow the hardcoded rule that limits transaction volume
23:09 < gmaxwell> Sure, though there are many different ways to deal with that (beyond just upping the limit which is perhaps possible, but there is that decentralization tradeoff).
23:11 < Taek42> forgive me as I start to talk about things I don't know much about; wouldn't a more ideal currency (if theoretically impossible) not require non-miners to participate at all?
23:12 < wyager> Well an ideal currency wouldn't require miners or nodes or any of that stuff :p
23:12 < gmaxwell> Taek42: no, thats horrific.
23:12 < Taek42> that's a good point
23:12 < Taek42> why horrific?
23:12 < gmaxwell> Taek42: because then you'd have to trust miners. And the whole point of Bitcoin was to eliminate trust.
23:13 < Taek42> what if you only have to trust that 51% of miners are honest?
23:13 < gmaxwell> The ideal system would have no miners, just participants.
23:13 < Taek42> participants that don't need to keep track of the entire state of the system
23:13 < gmaxwell> Taek42: what would make them honest? Bitcoin's assumption isn't merely that most are honest.
23:14 < Taek42> what if you only have to trust that only (epsilon approaching 0%) miners are honest?
23:15 < Taek42> but I see what you are saying
23:15 < gmaxwell> Taek42: after all, the fed's employees are mostly honest. The fact that everything else gets enforced by mathematical proof with 100% strength is one of the reasons the fact that honest users don't have an advantage over attackers is perhaps acceptable.
23:15 < Taek42> with bitcoin you don't need to trust some foreign entity, you can verify the whole chain yourself
23:15 < Taek42> but the cost is a 12GB (and growing) file and some computation
23:15 < gmaxwell> no, thats not quite true.
23:16 < Taek42> expand?
23:16 < gmaxwell> You can go ahead and delete the historic blocks, they're only used to initialize new peers. (well not quite, at least not yet; if you delete them your node will work fine until a new peer tries to grab a historic block from you and then you'll crash)
23:16 < gmaxwell> you only need the chainstate to verify new blocks that come in.
23:17 < gmaxwell> and thats about 300 MBytes right now.
23:17 < gmaxwell> and grows moderately slowly (looked decidedly logarithmic before people started creating junk txouts to store data).
23:17 < Taek42> but then you have to trust the incoming chainstate
23:17 < Taek42> if you are new
23:18 < gmaxwell> Nope.
23:18 < Taek42> no?
23:18 < gmaxwell> You can build it for yourself, but not store the historic data. (e.g. you have to inspect it once, but no storage cost)
23:18 < Taek42> okay
23:19 < Taek42> you still won't know though if you are looking at the actual chain or a fork
23:19 < gmaxwell> huh?!
23:19 < Taek42> suppose you are on a malicious network
23:19 < Taek42> feeding you a set of blocks from the genesis block
23:19 < Taek42> at some point they fork
23:19 < Taek42> and create an alternate histroy
23:19 < Taek42> *history
23:19 < gmaxwell> No, you inspect headers first to decide which chain has the most proof of work. Then validate it. If you find a rule violation you blacklist that block and reorg.
23:20 < Taek42> assuming you get a block from the correct chain
23:20 < gmaxwell> No, it doesn't matter.
23:20 < Taek42> ???
23:21 < gmaxwell> Taek42: lets continue your example.
23:21 < Taek42> okay, I'll rework it a little though
14:23 < pigeons> I thought this was um, interesting or funny or weird or dangerous or something, "Moreover, the developers have purposefully introduced three security flaws into the source code that they will be releasing, as a means of encouraging the community to scrutinize the code and to prevent people from creating copies of Nxt by simply taking the source code and re-using it. People who discover the security holes will be able to claim rewards for fin
14:23 < pigeons> http://nxtcrypto.wikia.com/wiki/FAQ
14:24 < adam3us> maaku: i was thinking maybe one could have a trusted server for simulating alts. rent virtual "VPS" resources. buy virtual "ASICs" and so on, the actual money goes to charity or btc QA or something. then its green. and it doesnt matter if its centralized because dogecoin grade alts have largely no tx anyway.
14:25 < pigeons> there was a game that did that, but its gone now
14:25 < pigeons> it had an internal exchange and you could make your own coins too etc and "virtually" mine them without really mining or using electricity
14:27 < adam3us> pigeons: seems like a lower energy sandbox for dogecoin, shitcoin et al to play in, pity it died
14:28 < pigeons> yeah it added simulated pools when they came along and you could run your own mining pool without having to get ddossed
14:29 < pigeons> you could virtually pre-order your asics and virtually never get them
14:30 < adam3us> pigeons: fantastic
14:31 < pigeons> he sold the code before he closed to a guy who was in over his head and couldnt keep it running but i think at this point it wouldnt really help, best to just start with your own bugs instead of someone else's
14:32 < adam3us> $1k by end of year ;)
14:32 < adam3us> ?
14:36 < adam3us> heh hash rate went over 10 PH and now the format is confused 1.045E7 https://blockchain.info/q/hashrate
15:17 < nsh> someone asks in ##crypto why ripemd-160 is used for addresses rather than just a truncation of sha-256 output
15:17 < nsh> i'm not sure how to answer...
15:20 < maaku> because the great satoshi said so
15:21 < maaku> retroactive reason: because breaking sha-256 doesn't mean a break of the address format, meaning coins would still be secure
15:21 * nsh prostrates before the ceremonial altar
15:21 < nsh> mmm
15:21 < maaku> obviously lots of other things would have to change if sha256 was broken, but you could still keep the same ledger
15:22 < nsh> right
15:34 < iddo> maaku: thats not so clear, if you can do sha256 collisions then you also have collisions for Bitcoin addresses (though i'm not sure how to use it to attack), and if you can do a 2nd-preimage attack on sha256 then you can steal coins if someone re-uses an address
15:37 < iddo> an answer on stackexchange says that it's just a "belt and suspenders" approach: http://bitcoin.stackexchange.com/questions/9202/why-does-bitcoin-use-two-hash-functions-sha-256-and-ripemd-160-to-create-an-ad
15:39 < andytoshi> gmax suggested that using a second hash function would guarantee that addresses still have a uniform distribution, while truncated-sha is not proven to have this property
15:39 < andytoshi> well, not just the distribution, preimage resistance as well
15:40 < iddo> hmm not sure what you mean by proven, there are no rigorous proofs for heuristic constructions like sha2
15:41 < andytoshi> true, i guess what i mean is "commonly believed"
15:41 < iddo> if sha2 is computationally indistinguishable from a random oracle, then truncated-sha2 is fine
15:42 < andytoshi> sure, but this isn't true because eg there are length extension attacks
15:42 < andytoshi> which distinguish it from a random oracle
15:42 < iddo> not for sha256d
15:43 < andytoshi> yeah -- and mining even depends on sha256d looking like a random oracle
15:43 < andytoshi> so tbh i am just as confused by the ripemd usage as anybody
15:46 < maaku> andytoshi: as I said, if a weakness is found in sha256, it is more likely to be able to be applied to sha256^2 than ripemd160(sha256())
15:47 < iddo> another question is why not just use the full 256 bits of sha256d, then you get an even better benefit of 256 bits of security if you don't re-use addresses, instead of 160 bits... the drawbacks are more bloat on the blockchain, and longer addresses for people to use
15:47 < maaku> so therefore, it's more likely that the current setup would protect users even in a catastrophic break of sha256
15:47 < maaku> iddo: even 160 bits is excessive. the birthday paradox doesn't apply here
15:47 < iddo> maaku: but what if a weakness is found in ripemd-160 ... ?
15:48 < maaku> iddo: nothing happens unless a weakness is found in ripemd-160 AND sha-256
15:48 < maaku> its additive security
15:50 < iddo> maaku: no, if you have a 2nd-preimage attack on ripemd-160, then just create fresh ECDSA keypairs + sha256 hash, in a way that you get the same image (i.e. the 2nd-preimage attack) as someone else's Bitcoin address, and then steal his coins
15:52 < iddo> well actually it's not clear, depends how the 2nd-preimage attack works
15:52 < andytoshi> you'd have to get a preimage for the sha256 as well
15:52 < andytoshi> if you can 2nd-preimage SHA256 then i think you've got a problem, because if you can get the same SHA256 hash, it won't matter that you apply RIPEMD-160 on top of it
15:52 < andytoshi> but this is only a concern if you know the pubkey that you are trying to preimage
15:53 < andytoshi> pubkey whose image you are trying to duplicate*
15:54 < andytoshi> but until you spend a coin with a certain address, you don't expose the pubkey (or even its SHA256 hash), so you're ok in the case of no address reuse
15:54 < iddo> if you just find a 2nd-preimage of a random pubkey, then it wouldn't help you because you wouldn't know the corresponding privkey
15:55 < andytoshi> oh, right, derp
15:57 < iddo> i actually don't really see how either sha2 or ripemd 2nd-preimage attacks can be done in this context (i.e. in the context where you create random-looking pubkeys that are supposed to be the preimage, by invoking the ECDSA keygen)
19:02 < nsh> oh
19:03 < nsh> andytoshi / gmaxwell: thinking back to the question of the factor of 8 in curve25519 scalars, could it be to do with the square property of x coordinates?
19:04 < nsh> --
19:04 < nsh> Firstly, since the field is only 255 bits, the 256th bit is always zero. Thus if an attacker sees a series of 32-byte strings where the top bit of the last byte is always zero, then they can be confident that they are not random strings. This is easy to fix however, just XOR in a random bit and mask it out before processing.
19:04 < nsh> Secondly, the attacker can assume that a 32-byte string is an x coordinate and check whether x^3 + 486662x^2 + x is a square. This will always be true if the strings are x coordinates, by the curve equation, but will only be true 50% of the time otherwise. This problem is a lot harder to fix.
19:04 < nsh> -- https://www.imperialviolet.org/2013/12/25/elligator.html
19:04 < nsh> (probably not, but it just came back to mind while reading that page)
19:06 < nsh> "Square roots are defined in the standard way for finite fields where q
19:07 < nsh> (eight is a rather low number for which to ascribe meaning to coincidence, i know...)
19:35 < andytoshi> nice find nsh, i dunno, i'll have to study this
19:36 < andytoshi> it looks to me that this is about disguising x coordinates, which isn't a goal of plain old ed25519
19:36 < andytoshi> eg they have bit 254 always set, which is a pretty obvious tell
19:38 < nsh> right
19:38 < andytoshi> also iirc we are talking about privkey encoding anyway, which is not broadcast
19:39 * nsh nods
19:39 < andytoshi> otoh, the square property of x coordinates could very well be involved with the factor of 8, i don't know
19:39 < nsh> yes, maybe very vaguely
19:39 < maaku> anyone asked DJB?
19:40 < nsh> no, i was going to tweet him
19:40 < andytoshi> no, i think everyone here is intimidated by him :P
19:40 < nsh> but he doesn't use twitter that extensively. might be better to email him
19:40 < nsh> oh, i don't have that problem :)
19:40 < andytoshi> :)
19:40 < nsh> i fell in the contempt couldron as an infant and the potion had a permanent effect
19:41 < nsh> cauldron*
19:41 < maaku> well it'd spoil the puzzle anyway :)
19:42 < andytoshi> haha
22:38 < warren> http://coinmarketcap.com/ interesting how they count #2
22:44 < phantomcircuit> warren, XRP is an altcoin with bad security
22:44 < phantomcircuit> and a totally fucking HUGE premine
22:45 < warren> phantomcircuit: they included the entire premine in that "market cap"
22:46 < gmaxwell> of course they did, it's part of the market cap.
22:47 < gmaxwell> I dunno how else you'd calculate it.
22:51 < phantomcircuit> warren, the premine is already on the network
22:51 < phantomcircuit> that is a reasonable way to calculate the market cap
22:52 < BlueMatt> it'd be nice if they showed market depth too, though
22:52 < phantomcircuit> however XRP is very illiquid
22:52 < phantomcircuit> so that doesn't mean much of anything
23:01 < phantomcircuit> BlueMatt, nearly all of the bids are for the exact same amount of btc
23:01 < phantomcircuit> 0.2625
23:02 < phantomcircuit> which tells me they're fake bids
23:02 < CodeShark> market caps in general for any of these coins are not particularly meaningful :)
23:02 < CodeShark> you need to take depth into account
23:03 < CodeShark> but these numbers do sound impressive, nonetheless
23:03 < CodeShark> so they do have press value
23:04 < maaku> yeah market cap is totally useless
23:04 < maaku> http://37signals.com/svn/posts/1941-press-release-37signals-valuation-tops-100-billion-after-bold-vc-investment
23:04 < CodeShark> lol
23:06 < BlueMatt> phantomcircuit: even still, the market depth is significantly lower than btc, which should be shown there
23:07 < CodeShark> a meaningful statistic would be, say, how much you could get in dollars if you currently held 10% of it and sold it right now
23:07 < BlueMatt> maaku: lol, nice
16:19 < gmaxwell> yea, fair enough.
16:20 < maaku> nsh: yeah actually the coincovenant thread is basically a listing of what you could do with a turing-complete script language and introspective builtins
16:21 < maaku> the snark is just a really cool addition
16:21 < gmaxwell> Yea, I think nothing there requires the snark except for efficiency.
16:21 < gmaxwell> might be good to add some examples that need zero knowledge
16:25 < maaku> petertodd gmaxwell: btw didn't mean to take credit for this old idea. i thought nsh meant the benefits of using Joy
16:27 < nsh> i'm curious in general and specific :)
16:27 < petertodd> I'm curious if joy brings us any joy.
16:32 < maaku> cdr=-\
16:32 < maaku> 6jm
16:32 < maaku> sorry
16:33 < petertodd> maaku: glad to see you have (formerly) strong passwords
16:33 < maaku> haha, toddler found my keyboard
16:33 < maaku> gmaxwell: well there are bounties. you'd need a zk proof to safely claim a sha256 collision
16:35 < maaku> you can even design a covenant which forces revelation if the coins are to be actually used
16:35 * petertodd says hi to little maaku
16:36 < sipa> cdr-=\ -> that's actually potentially valid C code
17:34 < pigeons> adam3us: I just saw https://github.com/atoponce/d-note uses hashcash to generate a token before you can submit
18:05 < jtimon> ok, so I need a name for the TC merklized extrospective scripting extension I just understood hours ago
18:06 < jtimon> otherwise "the new thing" is taken and I cannot learn or think about anything else new to me
18:06 < sipa> tc?
18:07 < sipa> extrospective?
18:07 < nsh> turing complete, no idea
18:08 < nsh> network-external inputs maybe
18:08 < jtimon> tc = turing complete
18:09 < jtimon> extrospective = you can reference the scripts in the outputs of future transactions, parts in them, and maybe also the current utxo and the block header
18:09 < petertodd> jtimon: that's a pretty good description IMO
18:09 < jtimon> something outside the script itself
18:09 < jtimon> thank you
18:10 < petertodd> jtimon: more than current utxo too, but likely committed data of some kind within (to be clear)
18:11 < jtimon> although joy is a new addition and not necessary for the idea I like joyScripts, although I also like quineScripts, and we could also just maintain coincovenants (although not all uses use quines/covenants)
18:14 < jtimon> petertodd, you mean previous data in the chain? I guess it could work if people provide proofs to the miners, but for some reason I haven't found yet, that intuitively scares me
18:14 < jtimon> also I don't know any use et neither
18:14 < jtimon> *yet
18:15 < petertodd> jtimon: well, there's the model where it's proof based, referencing the prevblock hash, or you can have a model where miners are expected to actually have some set of data on hand. (that could take a lot of potential forms)
18:16 < jtimon> stateless validation is very attractive
18:17 < jtimon> I'm not sure what you mean by referencing the previous block hash
18:17 < gmaxwell> any stateful process can be reduced to a stateless one just by gathering up the state and presenting it as an input.
18:18 < petertodd> jtimon: IE, make your script take a proof in the form of a merkle path to the prevblockhash
18:18 < jtimon> petertodd: what kind of committed utxo are we assuming if any?
18:19 < petertodd> jtimon: could be a lot of forms, could be a committed MMR TXO too
18:19 < jtimon> I see, just one of them
18:20 < petertodd> jtimon: well, you can do both if you really want :P
18:20 < petertodd> jtimon: and actually, if you do expiration, both could make a lot of sense
18:21 < jtimon> well, I think expiration would be necessary for your TXI thing, but I don't know much about MMR
18:23 < jtimon> the advantages and stuff, I just read that once but I don't remember the motivation
18:23 < jtimon> I'm going to read again
18:24 < jtimon> but maybe a hybrid committed expired-TXI + UTXO would make sense too?
18:24 < petertodd> exactly
18:24 < jtimon> oh, I see
18:24 < jtimon> you use the MMR structure for the TXI ?
18:25 < petertodd> one interesting thing is that you probably want the PoW algorithm to be tightly coupled to some subset of blockchain data - perhaps the last year/GB of it - so a PoW on the UTXO set is an attractive idea
18:25 < petertodd> right, for long-term MMR works really well
18:26 < petertodd> note that when I say "UTXO" set that doesn't necessarily mean it the way you would mean in bitcoin - for some extrospective scripting consensus system your utxo set might mean a lot of things that may or may not be coins
18:27 < jtimon> to be honest, I'm thinking in freimarket's utxo
18:27 < petertodd> e.g. the absolute extreme you can take this idea is for the system to be essentially a key-value global consensus, where keys are H(script) and values the output of those scripts (basically)
18:27 < jtimon> with asset types, unique bitstrings...
18:27 < petertodd> yup
18:28 < petertodd> and mastercoin needs to look something like that if it's going to be useful
18:28 < jtimon> well, values also have refHeight for interest/demurrage and I guess some other minor details
18:28 < petertodd> right
18:29 < jtimon> why "you probably want the PoW algorithm to be tightly coupled to some subset of blockchain data"?
18:29 < petertodd> my extreme example, which I guess I could call MetaCoin, could be done such that the scripts themselves are what define consensus currency systems within MetaCoin
18:29 < petertodd> jtimon: because you want there to be incentive for miners to actually publish the contents of the blocks they mine, rather than just headers
18:30 < petertodd> jtimon: basically with stateless validation you can wind up with miners having no blockchain data at all, and then find out that only a single party has the data, and hence can assist others in creating transactions (or no-one has the data and the coin gets stuck!)
18:30 < jtimon> an interesting thing is that with unique tokens, you have effectively a per-asset namespace that you can use as generic key/value store
18:31 < petertodd> jtimon: yes, *but* that's only useful if either multiple values can be associated with a single key, or the keys are scripts
18:32 < petertodd> jtimon: see, you can view a decentralized consensus system's blockchain as a weird type of cryptographic accumulator - it's easy enough to create a proof that some tx-thing existed or didn't exist in that chain, but you must have blockchain data to update (and create) those proofs
18:32 < jtimon> but the holders could take care of keeping their data, no?
18:33 < gmaxwell> how can you keep data if miners aren't even sending you enough to update your copy?
18:34 < petertodd> gmaxwell: well, remember how with MMR TXO you can get transactions mined with the assistance of third-parties who create the txin proofs for you? of course, with the txin proofs, miners with no blockchain data at all can safely mine the txs
18:35 < petertodd> gmaxwell: hence, you can wind up with a system that appears to work just fine, until one day you realize only one entity has a copy of some or all blockchain data - even worse if you've got some sharded (U)TXO set scheme going on
18:35 < jtimon> gmaxwell I thought your part of the trie in which your data resides cannot be modified if not by you, maybe I misunderstood something about maaku's updatable structure
18:36 < jtimon> I also don't understand this sentence "that's only useful if either multiple values can be associated with a single key, or the keys are scripts"
18:36 < petertodd> jtimon: yeah, but what forces miners to actually publish the content of blocks to other miners? nothing
18:36 < petertodd> jtimon: e.g. with my "one entity has a copy of the blockchain" example, miners could be just sending their blocks to that entity, but not to each other, and the system will appear to work just fine
18:36 < petertodd> jtimon: maybe that happens due to laziness, maybe due to sybil attack, who knows?
18:37 < jtimon> they need to publish the new root of the trie, and they want other miners to believe them, so they will send all the proofs they used to update the tree
18:37 < petertodd> jtimon: in a sharded system, it means you can 51% attack some *subset* of the (U)TXO space, likely with less than 51% of hashing power
18:37 < gmaxwell> jtimon: your own coin could only be modified by you, but all the neighboring branches can be modified by the holders of 2^levels-up coins.
18:38 < petertodd> jtimon: nope. Miners will lose money if they mine invalid blocks, so we can trust them not to do that 95% of the time, and it's in your incentive to very quickly mine the longest chain so you're not wasting your time...
18:38 < petertodd> jtimon: and if tx's can provide proof that they are valid to include in a block, all the better!
18:38 < jtimon> you're trying to explain to me the problem of relying on archive nodes
18:39 < petertodd> jtimon: or hell, imagine some scheme where we're using SCIP moon magic so that miners can prove their blocks *are* valid
18:39 < petertodd> jtimon: roughly speaking, but it's really even deeper than that
18:39 < jtimon> I thought that wasn't a problem with maaku's latest updatable utxo design
18:40 < petertodd> jtimon: no it is, it's just not as likely to be an actual problem as some sharded blockchain scheme.
18:40 < petertodd> jtimon: mainly I'm interested in solving that because I think it's an important part of making consensus schemes more scalable
18:40 < jtimon> miner 1 receives all the proofs it needs from regular users to update from UTXOn-1 to UTXOn
18:41 < jtimon> he sends the mined block and all those proofs to all miners
18:41 < jtimon> I'm still missing the problem
18:42 < petertodd> it's simple: what forces him to actually send those proofs to other miners? they can mine just fine without them, and have incentives to skimp on doing proper validation
18:42 < jtimon> you said it yourself "Miners will lose money if they mine invalid blocks"
13:56 < petertodd> Yeah, then the proof-of-bitcoin-sacrifice version of namecoin basically removes the "coin" part of namecoin.
13:57 < amiller> so the attacker is assumed to have a bounded budget *in bitcoins*
13:57 < petertodd> Exactly
13:57 < amiller> and namecoin transaction fees are paid in bitcoins?
13:58 < amiller> and they are paid to miners who sacrifice their own bitcoins in return for the transaction fees such that those balance out?
13:58 < petertodd> Well... there aren't really transaction fees in this model. Blocks are then just lists of keys and values, potentially with signatures if you make a system where the initial key-value setting includes a pubkey for additional settings. (as namecoin does)
13:59 < petertodd> It also means the blockchain can be organized as a directed acyclic graph, with priority given to key-value entries in block with the highest total sacrifice.
13:59 < amiller> well what is the attacker's budget related to?
14:00 < petertodd> Because each block is associated with a sacrifice, the attacker's budget is to outspend all the sacrifices already made for the existing blockdag.
14:01 < amiller> what is the incentive for creating a sacrifice?
14:02 < petertodd> Doing so lets you make a block with key-value associations.
14:02 < petertodd> What's interesting, is the amount of sacrifice can be set low until an attacker comes along.
14:02 < amiller> is there no incentive for sacrifice?
14:03 < petertodd> Ha, yes, other than outspending an attacker!
14:03 < petertodd> *Socially* the system really needs ways for interested parties to easily get together and create a sacrifice.
14:03 < amiller> so it would be a bit like bitcoin without mining fees
14:03 < amiller> without blockreward
14:03 < amiller> just blocks and pow and no reward
14:03 < petertodd> Like an assurance contract, but that's tricky
14:03 < petertodd> Yup
14:04 < amiller> ok
14:04 < amiller> so the fundamental difference really isn't about substituting work for coin, but substituting incentives for no-incentives
14:05 < petertodd> For instance, if I were to register petertodd.zookv, I'd probably sacrifice 1BTC because, why not? Now in doing so, I'd make all prior blocks 1BTC more difficult to re-write.
14:06 < petertodd> See, namecoin is interesting here. Why would a miner mine namecoin? To get namecoins which will hopefully be valuable in the future because they can be used to register names.
14:06 < petertodd> There was a *lot* of speculation going on in the namecoin space...
14:06 < amiller> could i do something like
14:06 < amiller> sacrifice 0.00000001 btc for a ton of names
14:06 < amiller> and then one 10 btc block on top
14:06 < amiller> and then it would take 10btc to reverse any of the names
14:07 < petertodd> Exactly
14:07 < petertodd> See, you can also do key-value without a blockchain, where what is the canonical mapping is simply the highest sacrifice.
14:07 < petertodd> But I suspect that has bad social properties...
14:08 < amiller> so let's say i buy a name soc1024.com
14:08 < amiller> for a 0.1 or something
14:08 < amiller> if someone else buys it for 0.11
14:08 < amiller> i still lost my 0.1 right
14:08 < amiller> it was sacrificed in bitcoin and so gone forever
14:08 < petertodd> Yeah, in a non-blockchain version of k-v that's exactly what happens.
14:09 < amiller> what if auction sites worked that way
14:09 < amiller> like on ebay
14:09 < amiller> you can bid on an item
14:09 < amiller> and you lose that much money even if you get outbid
14:09 < petertodd> In a blockchain version, you'd have a rule where the first k-v created includes a pubkey, and subsequent modifications require a valid signature. (up to some expiration time or something)
14:09 < amiller> and every time you bid higher you lose the sum of all of your bids
14:09 < petertodd> There's gotta be a whole whack of economic analysis on that kind of auction...
14:09 < amiller> doesn't it seem like a horribly perverse auction
14:10 < amiller> i don't know how to say specifically what is wrong though
14:10 < petertodd> It does, which is why I think a blockchain/dag based system where you build on each others sacrifices is the only sane way to do it.
14:10 < amiller> ok let me try to understand how that would work
14:11 < amiller> (i'm trying to piece together the parts above where you mentioned it, but please start again on explaining the dag version?)
14:12 < petertodd> The dag version just has a rule where if two blocks have a set of k-v settings that don't conflict, they can be merged back together to form canonical history.
14:13 < petertodd> Because these are sacrifices, it's good to ensure that people won't lose their sacrifice just because someone else made one at the same time.
14:13 < amiller> i see
14:14 < petertodd> The other key detail, is that building on each other's sacrifices gives a strong incentive to broadcast them.
14:15 < amiller> if i pretend that there's no latency and nothing happens at *exactly* the same time then the dag isn't any different than the first way
14:15 < petertodd> Sure, the dag is just to get around the fact that there is latency involved. Potentially multiple blocks worth of latency in the case of announce-commit sacrifices.
14:16 < amiller> so if it has some undesirable economic property even with no latency it's still present even with the dag
14:16 < amiller> i'm trying to think of how to approach analyzing this economically...
14:16 < amiller> normally in auctions the design is to get the best price for the auctioneer
14:17 < amiller> and people participating in the auction usually make a decision like
14:17 < petertodd> Ok, so think of it this way: we want the system to provide the best rewrite security, especially over time, for the purchaser of the k-v map.
14:17 < amiller> basically they have to have a maximum amount of money they would pay to own the item
14:18 < amiller> and then the system lets them express that
14:18 < amiller> because if the price of the item is above what they'd pay then they don't get it and they don't lose money
14:18 < amiller> if it's below or equal what they pay then they might get it
14:19 < petertodd> Yes, excellent! So by including a rule where k-v maps only come into effect after n blocks, you just need to watch the blockchain, and if it looks like someone else is trying to rewrite history you can stop them with a further sacrifice.
14:20 < amiller> i wouldn't bother if i think it's probably someone else's problem and it's not worth it to me, there's a public good contribution thing going on there
14:21 < petertodd> Yup, and it's easy to determine if it's someone else's problem too. Yet if that someone else further ups the sacrifice amount, they've helped you anyway.
14:21 < amiller> how might i decide how much it's worth it to me
14:21 < amiller> like
14:22 < amiller> maybe i get some kind of income for every day that the name points to me
14:22 < amiller> like if someone hacked my business url then i'd sue for lost business damages proportional to how many days it was broken or something like that
14:22 < petertodd> Well, if you're running silkroad.zkv...
14:25 < amiller> hm
14:25 < petertodd> What's really interesting, is if the dag structure ensures that only conflicting keys in conflicting blocks are ignored, but the rest of the mapping is left untouched, if, say, the system gets used and early on silkroad.zkv is registered, a later rewrite history attempt can replace it, but every other mapping will have been strengthened by the attack.
14:26 < amiller> oh so
14:26 < amiller> so i buy soc1024.com for 0.1
14:26 < amiller> a few days later 100btc in total have been sacrificed *on top* of that
14:26 < amiller> so now the cost to an attacker to rewrite me should be 100.1 and i'm pretty safe
14:26 < amiller> *but*
14:27 < amiller> the attacker could *just* rewrite mine for 0.11 and merge along with everything else
14:27 < amiller> so it would only cost him 0.11 to rewrite me? in that case i'm not very safe
14:28 < petertodd> Nope, the attacker would have to spend >100.1 BTC to rewrite yours, but if he does, any k-v setting that he didn't try to rewrite now takes >200.2 btc to rewrite.
14:28 < amiller> could i just register all the names all at once
14:29 < amiller> maybe it would be helpful to make a simulation or demo of this
14:29 < amiller> a board game
14:29 < petertodd> Of course you could. You probably want, at least initially, for the rules to include a namecoin-like minimum sacrifice amount.
14:29 < petertodd> Like 0.1BTC per k-v initial setting.
14:29 < amiller> my intuition is that this is an absolutely horrible idea but i'm trying to be methodical :p
14:30 < petertodd> Heh, my intuition is that this is an absolutely horrible idea, but the alternatives may be worse.
14:30 < amiller> that *there are worse alternatives* i'd agree with :)
14:30 < petertodd> lol
14:31 < amiller> i still have high hope though for something really good
14:31 < petertodd> I really don't like how namecoin became mainly a speculative thing, but such is life.
14:31 < amiller> yeah, same
14:31 < amiller> i think it's really important
14:31 < amiller> it's actually the best other-than-money application i can think of for public crowdsource networks like generalized bitcoin
14:31 < petertodd> For sure, and not just for DNS names.
14:32 < amiller> i guess it's not a good sign if i can't even think of a clear way to say that this scheme is deficient in some way
14:32 < amiller> this is really tricky to analyze
14:32 < petertodd> I think the thing is from a *technical* point of view it obviously works. But does it work socially? Hard to say.
14:33 < petertodd> Speaking of, something I didn't say to you is blocksize - I think there needs to be a mechanism where blocks in the scheme are either directly limited in size, or for the data to get progressively less important as the size goes up somehow.
14:34 < petertodd> Also the sacrifice should be calculated per byte consumed.
13:38 < adam3us> gmaxwell: well a base point could be generator of the full group, i think (if they chose it that way?); and that may explain the 8s that appear in the verification relationship perhaps.
13:54 < maaku> gmaxwell: what's the context of "expensive validation" - my script musing on #bitcoin-dev?
13:54 < gmaxwell> maaku: yea
13:55 < maaku> well in some of the applications i'm imagining it could be more efficient to validate a message signature than a transaction
13:56 < maaku> so, you could sign the transaction itself as a message, efficiently proving you have the inputs, and then get gray-listed if the actual validation fails
13:57 < maaku> e.g. the script is "if real-transaction then <complicated covenant code> endif <standard pubkeyhash script>"
13:58 < maaku> i would like a better method though
14:00 < maaku> you could require something like the above if the (explicit) instruction count is greater than some normal-use threshold
14:02 < maaku> pigeons: ;;cjs
14:02 < maaku> ;;cjs
14:02 < gribble> Coinjoin Status: There is no currently open session. Visit https://www.wpsoftware.net/coinjoin/ or http://xnpjsvp7crbzlj3w.onion/ to start one.
14:02 < maaku> andytoshi: but it'd be nice if there was an announcement when a new session started
14:05 < adam3us> gmaxwell: so i was musing an analogous argument to pegged side-chain security (can't inflate supply of main chain) could be used to introduce SNARKs + committed-tx or some variant of it in a zero-coin like zerotrust mixer on the main chain
14:06 < michagogo|cloud> Anyone have a link to andytoshi's cj client?
14:06 < adam3us> gmaxwell: or perhaps more simply, just make a zerocash snark as a reference example of a pegged-side chain (though i note even green put a disclaimer in his talk that this is a bit bleeding edge and could have problems)
14:06 < EasyAt> maaku: Couldn't I send a bogus TX that has a ton of operations to verify to chew through processing power?
14:07 < adam3us> gmaxwell: which seems kind of ironic (proposing to integrate zerocash in the pattern in which zerocoin was proposed), now that zerocash is proposed as an alt. (and I and Hal were more excited about moving zerocoin into its own alt)
14:08 < EasyAt> You would have to do a ton of ops before you realize the TX isn't valid
14:09 < maaku> EasyAt: yes, which is why as I said above you might require that the owner provide a quick-verifying signature over the transaction of the expensive inputs
14:09 < maaku> so you know the transaction came from him
14:09 < adam3us> anyone how big is the UTXO set if compacted now?
14:09 < maaku> and then gray-list the inputs if the validation fails
14:09 < maaku> adam3us: gettxsetinfo or something similar
14:10 < maaku> EasyAt: then it at least becomes expensive to perform DoS
14:11 < michagogo|cloud> [off]test
14:12 < michagogo|cloud> Oh, are the logs not live?
14:12 < EasyAt> maaku: What do you mean by gray list?
14:12 < maaku> e.g. only pay attention to transactions with inputs that have less than 20 instructions, *or* transactions enveloped with a less-than-20-ops signature for the expensive inputs
14:13 < maaku> gray list would be a list of inputs you no longer relay transactions for, maybe for a period of time or require higher fees
14:14 < andytoshi> michagogo|cloud: source is at https://github.com/apoelstra/cj-client
14:14 < andytoshi> michagogo|cloud: windows build at http://download.wpsoftware.net/bitcoin/cj-windows.zip
14:15 < michagogo|cloud> thanks
14:15 < gmaxwell> andytoshi: about 300 mbytes.
14:15 < gmaxwell> oops
14:15 < gmaxwell> adam3us:
14:15 < michagogo|cloud> "cj-windows.zip is not commonly downloaded and could be dangerous."
14:15 < andytoshi> gmaxwell: !!!! ;)
14:15 < gmaxwell> bitcoind gettxoutsetinfo
14:15 < gmaxwell> { "height" : 280494, "bestblock" : "00000000000000024c41edbc27cb0d093b593a47030b886fade01f9d19b8047a", "transactions" : 2597060, "txouts" : 8350183, "bytes_serialized" : 293414423, "hash_serialized" : "ca53e5d3a59fc7a3dca134cce6942c2af5d85c2ce21d985c8b06526e795faf74", "total_amount" : 12262214.79395749
14:16 < gmaxwell> }
14:16 < andytoshi> michagogo|cloud: populism is not security, your browser uses faulty assumptions
14:16 < michagogo|cloud> andytoshi: I know
14:16 < michagogo|cloud> I wasn't ascribing any meaning to that thing
14:16 < michagogo|cloud> Just wanted to let you know Chrome was flagging it
14:16 < gmaxwell> what a shitty thing
14:16 < andytoshi> ok, good to know
14:16 < andytoshi> chrome should really be flagging windows..
14:16 < gmaxwell> I bet if you throw the same binary on github you get no warning.
14:17 < michagogo|cloud> btw, I assume it uses RPC?
14:17 < michagogo|cloud> Which calls?
14:17 < michagogo|cloud> (i.e. can it work on 0.8.6?)
14:17 < andytoshi> michagogo|cloud: listunspent, createrawtransaction, decoderawtransaction, signrawtransaction, getaddress, walletpassphrase
14:17 < andytoshi> i think those are fine
14:18 < gmaxwell> also gettxout
14:18 < andytoshi> oh, gettxout, dumpprivkey
14:18 < gmaxwell> you might want to use getrawchangeaddress but I think its git-only.
14:18 < gmaxwell> perhaps try getrawchangeaddress and if it isn't there, use getnewaddress?
14:18 < michagogo|cloud> In about 7 minutes when my 0.8.6-compatible blocks and chainstate finish copying over I'll see
14:19 < andytoshi> gmaxwell: what is the difference?
14:19 < gmaxwell> andytoshi: change addresses get hidden in the transaction list. But perhaps not. actually nevermind that if you do that people will spazz.
14:20 < gmaxwell> though .. actually you really should have a feature to let the user specify recipient addresses for the CJ outputs. (Personally I send my CJ outputs to offline wallets!)
14:21 < andytoshi> gmaxwell: agreed, my original UI sketch had such a thing
14:21 < andytoshi> but it's hard to design a UI for that non-intrusively
14:21 < michagogo|cloud> andytoshi: Hm, it doesn't seem to be launching
14:22 < michagogo|cloud> The process is ther, but just sitting at 164K of memory
14:22 < michagogo|cloud> there*
14:22 < andytoshi> michagogo|cloud: any output?
14:22 < michagogo|cloud> and not visibly opening anything
14:22 < andytoshi> my guess is that it's stalled pinging my server..
14:22 < michagogo|cloud> Oh, that's why
14:22 < michagogo|cloud> I don't know why it took so long to show up
14:22 < michagogo|cloud> "Our information on this file is inconclusive."
14:22 < andytoshi> oh, weird, it's quick for me (and i'm a good 2500km from the server)
14:23 < michagogo|cloud> "We recommend not using this file unless you know it is safe."
14:23 < gmaxwell> well it does connect to the remote server at startup.
14:23 < andytoshi> oh fuck windows
14:23 < michagogo|cloud> andytoshi: Nah
14:23 < michagogo|cloud> Not Windows, security software
14:26 < adam3us> gmaxwell: so that is 275MB vs 13GB for utxo vs txo about 2%
14:27 < gmaxwell> more like vs 16G.
14:28 < adam3us> gmaxwell: oh i thought jgarzik said his torrent was 13G
14:28 < gmaxwell> adam3us: sipa did some charts a long time ago, utxo size looked to be ~log() the blockchain size.
14:28 < gmaxwell> the torrent doesn't take it up to tip.
14:29 < adam3us> gmaxwell: (sending email cc green re contact from the other crypto guy mentioned in PM, i thought I'd take the opp to correct his 16GB bitcoin vs 1.2GB zerocash claim;)
14:36 < michagogo|cloud> andytoshi: eww, always-on-top?
14:37 < nsh> you don't get anywhere in the dog-eat-dog world of windowing systems by ceding your platform
14:39 < andytoshi> michagogo|cloud: what is always on top?
14:39 < michagogo|cloud> The cj client
14:39 < andytoshi> really?
14:39 < michagogo|cloud> Yes.
14:40 < maaku> who doesn't like it on top
14:40 * michagogo|cloud
14:40 < andytoshi> oh, oops, i had gtk_window_set_keep_above () in there
14:40 < andytoshi> i didn't notice because i don't use a floating WM
14:40 * gmaxwell xmoand user unaffected
14:40 < michagogo|cloud> ;;google xmoand
14:40 < gribble> [Arena PvP] Xmo and Xtk 2v2 - Forst Mage/Mage pt 1 - YouTube: <http://www.youtube.com/watch?v=jHdT36vjQN0>; Xmo and Xtk TCB Double Frost Mage 2v2 Arena Part 1 - YouTube: <http://www.youtube.com/watch?v=YFMWKyYmioY>; Xmo and Xtk 2v2 Act II Double Frost Mage 2v2 Arena Part 1 - YouTube: <http://www.youtube.com/watch?v=hmH8F2MiSog>
14:41 < gmaxwell> yea, srsly. y'all use a floating window manager? sucks to be you.
14:41 < jtimon> xmonad?
14:41 < andytoshi> ....and a thought gmaxwell had a floating WM :P
14:41 < michagogo|cloud> And
14:41 < michagogo|cloud> Ah*
14:41 < andytoshi> michagogo|cloud: thanks much for testing, you are the first person with a normal system to have done so
14:41 < gmaxwell> No, I use xmonad.
14:41 < andytoshi> i'll refresh the build
14:42 < jtimon> hehe, I tried some tiling VM but I left it due to a lack of time for config
14:42 < gmaxwell> (I was happy I didn't need to report problems with the tiling wm, I guess I know why now)
14:42 < jtimon> I will definitely try again though
14:42 < gmaxwell> jtimon: to configure xmonad is very simple.
14:42 < gmaxwell> You join #haskell and nice people do it for you.
14:42 < jtimon> I shouldn't have started with ratpoison, but the name was so cool
14:42 < nsh> senate judiciary hearing on NSA started 10m ago
14:42 < michagogo|cloud> andytoshi: Is there a way to cj on testnet?
14:42 < nsh> http://www.c-span.org/Live-Video/C-SPAN3/ http://www.judiciary.senate.gov/hearings/hearing.cfm?id=32caee8082f9297f0e7df6280b369172
14:42 < jtimon> the two I used more were i3 and qtile
14:43 < michagogo|cloud> ;;tcjs
14:43 < gribble> Error: "tcjs" is not a valid command.
14:43 < michagogo|cloud> ;;cjst
14:43 < gribble> Error: "cjst" is not a valid command.
14:43 < andytoshi> michagogo|cloud: yeah, there is a cjconfig.conf file
14:43 < nsh> (Cass Sunstein currently summarizing review panel findings)
14:43 < gmaxwell> nsh: what did they find?
14:43 < andytoshi> in cjclient/, wherever Bitcoin/ is
14:43 < michagogo|cloud> andytoshi: What's the URL for the testnet page?
23:41 < petertodd> andytoshi: also the real importance of chainstate is being able to produce compact proofs that rules were violated
23:42 < gmaxwell> andytoshi: if the chainstate is committed then you could have a full validating node without even storing the chainstate, but at the cost of txns having to carry chainstate proofs. (just hashtree fragments)
23:42 < andytoshi> ok, i see, did not realize that bandwidth would be hit so hard -- i was looking at "download 20gb of old transactions and validate them" as being much more overwhelming
23:43 < gmaxwell> and it's orthogonal to if you hot-started or not. If you hotstart without something like a snark proving chainstate faithfulness you reduce full nodes to SPV security e.g. miners could potentially inflate the coin.
23:43 < andytoshi> well, you might keep the last few weeks of actual blocks so that miners would need to outcompute the network for a long time to do that
23:43 < gmaxwell> and using a snark to prove a full chainstate fidelity isn't technically feasible yet, I think. though perhaps we're close if you skip the script evaluation.
23:45 < gmaxwell> andytoshi: but keep in mind in doing that you change the incentives completely. so the analysis isn't simple. E.g. if non-miner full nodes didn't check the generated amount, would miners just all set their generated coins to 100 and leave them there?
23:45 < grau> checkpoints skip script evaluation
23:45 < gmaxwell> grau: we're going to remove that in bitcoin-qt almost certainly after headers first, and even there there is a commandline switch to reenable.
23:46 < gmaxwell> and miners don't set checkpoints.
23:46 < andytoshi> gmaxwell: presumably at all times non-miner full nodes have the past ten days or so of blocks (and they'd be dropping them), so there'd never be a window when people weren't validating the latest blocks
23:46 < gmaxwell> Basically the point there is that if miners can get themselves a blank cheque it's a very different set of incentives than we currently have.
23:48 < grau> I think it will be miner keeping check on each other not user
23:48 < gmaxwell> andytoshi: sure, you just have eluria and ghash.io and slush (>>50% of the network) agree to do a 10 day reorg that harms nothing but gives them 10x the coins. Why not? it's tricky. And then why would people keep 10 days? 0 days is enough until the attack actually happens. Let someone _else_ take the cost of preventing the attack.
23:48 < gmaxwell> BlueMatt [~BlueMatt@unaffiliated/bluematt] has quit [Ping timeout: 260 seconds]
23:48 < grau> user will move to SPV, even merchants may
23:48 < gmaxwell> oops missate there.
23:48 < andytoshi> grau: then there's an incentive to conspire/collaborate and this leads to pool centralization
23:49 < andytoshi> ah, now i see the incentive problem with what i suggested
23:49 < gmaxwell> grau: there are only two or three people in the world required to achieve >50% control of hashrate.
23:49 < gmaxwell> (and one of them (the cex.io guy) has physical control of most of his hashrate directly)
23:50 < andytoshi> ugh, this is so frustrating, i had this massive blind spot in my analysis of pruning schemes
23:50 < andytoshi> if only i could convey that feeling to the alt-chasers..
23:50 < gmaxwell> grau: trusting miners is a pretty terrible idea, far worse than trusting the fed at least the fed has a sea of regulations and public identity regulating its behavior. Miners are anonymousish, fully self selecting, unregulated, etc.
23:50 < grau> gmaxwell: assuming 2-3 would and use it to inflate coins. This could be surfaced by anyone and would destroy trust in the currency and that possibility would keep them from doing that.
23:51 < gmaxwell> and if you regulate them, then you just undermine the system in a different way.
23:51 < gmaxwell> Instead they can be regulated _naturally_ by the system how it was designed: but not trusting them any more than the absolute minimum needed.
23:51 < gmaxwell> (by having full nodes that impose the rules)
23:51 < Luke-Jr> BlueMatt: anyhow, maybe you misread what I said. I said you *are* a bitcoin dev..
23:51 < BlueMatt> ahh, ok
23:53 < grau> collaborating between miner to change rules is the same dilemma as in "selfish mining", whort term incentives against long
23:54 < grau> *short
23:54 < petertodd> grau: relying on incentives of a small number of quite-possibly non-rational people is crazy
23:54 < grau> if you have an other choice
23:55 * gmaxwell out
23:55 < petertodd> grau: well we do: design crypto-currencies where pools aren't possible, and be ready to deploy them if it becomes an issue (as an example)
23:56 < Luke-Jr> petertodd: if pools aren't possible, then you get worse alternatives (hosted mining)
23:56 < grau> design a migration policy of wealth also if you are that
23:56 < petertodd> grau: that's the easy part actually
23:56 < gmaxwell> Luke-Jr: hosted mining is made insecure by the same things that break pools (though perhaps no one cares, which was the argument I gave before: easier to break pools than hosted mining)
23:57 < petertodd> Luke-Jr: basic physics fortunately encourages decentralization of hashing power
23:57 < gmaxwell> oh yea I'm not here
23:57 < Luke-Jr> that's why it's better to make decentralised pooling as cheap as possible, cheaper than hosted mining
23:57 < grau> petertodd: why that? bigger plants should have better ratios of energy/hash
23:58 < Luke-Jr> ^ + bulk orders of hardware get better prices
23:59 < petertodd> grau: nope, the basic unit of production is the chip + power supply, and for that your economy of scale is making them. otoh your costs to run the hardware has a huge component of getting rid of waste heat, which incentivizes decentralization
23:59 < petertodd> grau: e.g. "a bitcoin miner in every water heater"
--- Log closed Sun Jan 05 00:00:55 2014
--- Log opened Sun Jan 05 00:00:55 2014
00:02 < grau> petertodd: thereby you would raise production cost of e.g. water heater. Competition in water heater would eliminate that.
00:02 < petertodd> grau: if crypto-coin mining has a value, and heating water has a value, then your cost for doing both at once is less than separating the two activities
00:04 < grau> You assume that water-heater mining is profitable to the extent that it ever amortizes the added production cost. That is not given.
00:06 < petertodd> grau: my point is if bitcoin mining is profitable, it'll be more profitable if you can use the waste heat for something useful. using waste heat for something useful is easier with more decentralization than less
00:08 < grau> There are places where getting rid of heat is not a big issue. I think you engage a bit in wishful thinking. We should rather think hard of how to deal with centralized mining.
00:09 < petertodd> grau: yes, and those places are always decentralized! it's just the basic physics of heat: surface area scales by x^2 and volume x^3
00:10 < grau> iceland
00:10 < petertodd> grau: obviously bitcoin mining will tend towards more northern places, but there's a whole lot of those around
00:11 < gmaxwell> 21:07 < NomZ> You all will love this one. The dogecoin blockchain split after someone submitted a 500M transaction.
00:11 < petertodd> grau: my parents live in a place significantly colder than iceland...
00:12 < grau> petertodd: wow, send them some boxes to mine :)
00:13 < petertodd> grau: yeah, I've done the math on that, it actually makes quite a lot of sense. furthermore in communities north of them the high cost of electricity is *not* a factor because the electricity generation is all diesel anyway, and diesel's more expensive (slightly) than fuel oil
00:13 < grau> gmaxwell: tomorrow you'll have lots of journalists asking if this could happen to BTC
00:15 < brisque> grau: not having scrollback to refer to, can you give me a one line summary of what you're referencing?
00:15 < gmaxwell> http://www.reddit.com/r/dogecoin/comments/1ufl1e/much_concern_dogecoin_block_chain_has_split/cehm0yw
00:16 < brisque> gmaxwell: ouch. I suppose that's what you get when you have inexperienced developers managing a bitcoin clone.
00:16 < petertodd> gmaxwell: heh, yeah warren noticed that awhile back
00:17 < andytoshi> petertodd, warren: oh? what is special about this 500m tx?
00:17 < Luke-Jr> lolwut @ font
00:17 < petertodd> andytoshi: it triggers some sanity limits that they recently removed
00:17 < brisque> andytoshi: the title of the thread has the details. some clients accept larger amounts in blocks than others.
00:17 < warren> andytoshi: competence
00:18 < brisque> "Ten days ago, the developers made a change to the Dogecoin client that raised the limit of coins in a block from 500 million to 10 billion. So now some folks are running Dogecoin clients without that change, because they are older, and some folks are running newer clients. In block 42279, a transaction that broke the rule -- containing more than 500 million DOGE -- has prevented these older clients from advancin
00:18 < warren> did the pools upgrade?
00:18 < gmaxwell> .... wtf they didn't stage the change?!@#
00:18 < andytoshi> holy shit, this is so incompetent i can't believe it, even from doge
00:19 < brisque> presumably one pool updated, then the big TX made it into a block and the chain forked
00:19 < gmaxwell> well we learned nothing then, as we've successfully made a number of changes that would have been forking if not staged.
00:20 < brisque> warren: from looking, there's some on one fork and some on another. presumably anybody on the old client has been left behind and that's the majority at this point.
00:20 < andytoshi> it appears they just pushed a forking change in a routine update? what the fuck?
00:20 < nsh> my hilarity sense is tingling...
00:20 < warren> three forks exist?
00:20 < warren> not sure how
00:20 < warren> but it's hilarious
00:21 < nsh> oldyellercoin....
00:21 < brisque> they might have changed the TX limit previously without making it a staged change.
16:55 < petertodd> Well the resolution protocol can easily have the blockchain be a directed acyclic graph instead where non-conflicting transactions in different forks on the graph can be merged back together later.
16:56 < petertodd> The incentive to broadcast your blocks (which can be just a single transaction) would then be to prevent rewriting by being on a part of the graph with maximal sacrifice.
16:56 < petertodd> Problem is how do you distribute the coins in the first place?
16:57 < petertodd> It'd also have ugly problems if transaction volume was low, because you're only safe from a rewrite once more coins have been sacrificed by *others* than your transaction was worth.
16:57 < petertodd> Hard to bootstrap that...
16:58 < petertodd> It is interesting though how it suggests that a proof-of-stake cryptocoin is probably more viable if there isn't a block reward.
17:01 < petertodd> Not much more viable mind you: it's still the fundamental problem of how do you know time has moved forward without a random beacon. (IE signing for a bunch of stake is something I can only do once - after that more signatures are meaningless, yet there's no good way to decide on what % of the outstanding coins should participate)
--- Log closed Wed Jul 03 00:00:07 2013
--- Log opened Wed Jul 03 00:00:07 2013
06:05 < sipa> :o
06:06 < gmaxwell> you were out!
06:06 < gmaxwell> oh no!
06:06 < petertodd> ...we need a -wizards archive...
06:07 * sipa demugglifies
06:08 < gmaxwell> you totally missed me being an idiot and taking like .. an hour to understand what petertodd was talking about with "proof of possession" and application to proof of sacrifice identity.
06:08 < petertodd> Lol, well I can cut that part out from the archive...
06:08 < petertodd> Though really it's a subtle point, albeit one that you should grok. :P
06:11 < gmaxwell> well in my defense I joined midconversation and didn't read the backscroll.
06:11 < petertodd> ...and if you look you'll notice I changed some of my arguments a bit because I had come up with that idea on the spot nearly.
06:21 < gmaxwell> I still think that even the less secure form of tearable data is interesting until there is actually a problem with people accepting blocks without seeing the good stuff.
06:37 < petertodd> I think the issue there is once you've got to the trouble of having tearable data, why not have proof-of-possession?
06:38 < petertodd> Remember that the nonce can be the previous block hash to keep performance requirements minimal.
06:40 < gmaxwell> two blocks back, so you're not latency threatened perhaps
06:41 < gmaxwell> but I think I proposed this when people were really worried about the 1txn miner and miners without the utxo set. And it was pointed out that people could just advertise the roots.
06:41 < gmaxwell> (I'd proposed a kind of proof of possession to prove you had the utxo set so you couldn't mine without it)
06:41 < petertodd> Sure, and add a system where you can use that proof-of-possession to spend certain designated fees as your payment.
06:42 < petertodd> Heh, yeah, and I kinda reinvented that with my idea for doing low-bandwidth zero-validation cooperative P2Pool...
06:42 < gmaxwell> a general argument against needing that is that if there are sacrifices going on, you'll _want_ to know about them so you would be disinclined to accept blocks that have hidden them.
06:43 < petertodd> Well I'm assuming this would be just another part of a UTXO proof system so there's no way to hide anything.
06:45 < gmaxwell> I'm just saying that something simpler may be more adequate than you're giving it credit for.
06:46 < petertodd> I'm just saying once you've done a soft-fork you're 90% of the way there...
06:46 < petertodd> Really simpler would be to do it as a pure merge mined chain.
06:46 < petertodd> (or a non-soft-fork)
06:47 < gmaxwell> merged mined.. uh
06:47 < gmaxwell> warning: absence of incentive detected
06:47 < gmaxwell> :P
06:48 < gmaxwell> well, I suppose my argument applies: if this merged mined thing teaches you about valuable transactions
06:48 < gmaxwell> then there is an incentive to participate.
06:48 < petertodd> indeed, but without actual proof-of-possession you are relying on nothing more than people just using the defaults
06:48 < petertodd> that may be a much weaker assumption in the future...
06:49 < petertodd> Yeah, or if it's mined with some kind of proof-of-stake from people with a vested interestin the data itself.
06:50 < petertodd> *interest
06:50 < gmaxwell> how do you detect those people?
06:50 < petertodd> Heck, fidelity bond participants to pay rewards after some amount of merge mining...
06:50 < gmaxwell> the one who announced it isnt the useful one to mine it.
06:51 < petertodd> No, but for, say, a fidelity bonded bank thing you might find a bank's competitors proving that the fraud proof ledger is well distributed to discourage anyone from committing fraud, a bit weak sure, but at least the cost is pure bandwidth + some storage.
06:52 < petertodd> (remember the bitcoin blockchain can be used as a random beacon to keep the merge mining moving forward)
06:55 < petertodd> interesting thought: a bank might want to prove that their *clients* had been participating in some visible fraud proof storage system, so that if the bank gets sold one day the consent of the clients to the state of the fraud proof ledger is known and thus a proof disclosed after the fact can be declared invalid
06:56 < gmaxwell> petertodd: we're in cycles, we stumbled on this when talking about the IRC stuff: the irc bank could prune its transaction records once the customer provided a no-fraud ping.
06:56 < gmaxwell> because if they claimed fraud later you wouldn't have to prove them wrong, you'd just show their no fraud ping. :P
06:57 * gmaxwell predicts "what is a segmentation violation" in a minute.
06:57 < petertodd> Ah, I forgot about that bit... nice example of how it's a continuum of visibility options.
06:58 < petertodd> heh...
11:13 < adam3us> now you guys woke up: i was thinking the outcome is the miner will win the proportion of his own (and other peoples') sacrifice to miners in relation to his share of the network power
11:14 < adam3us> so that being the case, why not just pay to the set of miners (over some rolling transaction history) in proportion to how often they've been winning
--- Log closed Thu Jul 04 00:00:10 2013
--- Log opened Thu Jul 04 00:00:10 2013
14:49 < adam3us> petertodd: not afk? about your proof of sacrifice somewhat resistant to miner inside attack, not sure if you saw my additional thought
14:50 < adam3us> petertodd: i think it averages out to pay to miners in proportion to their mining power, so you could more simply achieve the same effect by paying to miners in proportion to their rolling average proportion of network power (with some signature annotation saying this is a proof of donation to miners)
15:22 < petertodd> But that's not a sacrifice without a solid way to pick the lucky miner randomly.
15:24 < petertodd> ...and that doesn't work because there is no way to commit the funds such that if a miner is picked that you do not want the funds to go to the funds will go to them anyway - Bitcoin just can't do that in the scripting system.
16:29 < adam3us> petertodd: but what is special about giving it to a random miner (chances biased in proportion to their power) vs just giving it to the miners in proportion to their recent demonstration of power (eg last month). if they keep running for another month the effect in terms of what they receive will be basically the same right?
16:30 < adam3us> petertodd: I dont know why you would not want the funds to go to a specific miner, but the approach you discussed recently doesnt prevent that either, because well a random miner will win, you have no control
16:54 < petertodd> We're talking about sacrifices; if the destination of the funds can be controlled it's probably not a true sacrifice.
16:57 < adam3us> petertodd: my point is the approach you proposed a few days ago, it has the property that funds are given to miners, with some randomness, but presuming lots of people make proofs of sacrifice over time that will average out anyway, so the net result is that miners (all of them) receive funds in proportion to their percentage of network power, agreed?
16:59 < adam3us> petertodd: and if so, you can simplify and achieve the same effect by just paying to miners in proportion to their wins over the last month (pay to all of them, a multiple output); you would need some special annotation to indicate this is not just a payment to miners, its a sacrifice to miners and that will be validated by other full nodes against the correct proportion being paid to the miners against the validated average network power
17:01 < petertodd> But doing that in Bitcoin is impossible if you want to ensure the person making the sacrifice can't direct it to themselves.
17:01 < petertodd> If you don't ensure that, it's not a true sacrifice.
17:02 < petertodd> What you are proposing would be at minimum a soft fork involving a lot of complex code with no advantage over a random model - it all evens out in the end.
17:04 < petertodd> Not to mention what you really want is anyone-can-spend outputs that remain locked for long enough that even if a pool has, say, 40% hashing power and is willing to play dirty and make sacrifices knowing that 40% of the time they'll mine the fees anyway it is unknown to them if they'll be in business by the time the output is spendable. IE sacrifices that only go back to miners after multiple months.
17:04 < adam3us> petertodd: i am not saying the sacrificer can spend to themselves, they can only spend to the miners during the last month, in proportion to the power (1GH = 100 satoshi sacrifice or whatever ratio), and if the sacrificer pays to the wrong proportion or to the wrong users, it will be rejected by all validators (full nodes)
00:05 < warren> what's wrong with p2pool's approach?
00:05 < warren> p2pool implementation has scalability problems and payouts are too often in too small dust, but that's a current implementation issue.
00:07 < amiller> well p2pool's approach is based on the same technique that makes hosted mining feasible/attractive
00:07 < amiller> (despite the fact that no one does it yet)
00:08 < warren> I mean, if users were more concerned about the risks of mining centralization, they would use p2pool-like approaches, there could be multiple of them.
00:08 < warren> p2pool needs to be a lot more efficient than it is now. We hope to throw a few thousand dollars into its development.
00:08 < amiller> well see the thing is the risks of mining centralization aren't felt by individual users acting in self interest
00:09 < amiller> it's kind of like a social cost
00:09 < warren> amiller: p2pool miners can earn more than centralized pool mining
00:09 < amiller> warren, i am not talking about centralized pool mining
00:09 < amiller> i'm talking about hosted mining
00:09 < amiller> where you rent cpu power from a miner warehouse somewhere in the cool fjords of sweden
00:10 < amiller> where the hydroelectric power is cheapest
00:11 < jgarzik> Alydian is doing that
00:11 < jgarzik> $0.5 million for a petahash or three
00:11 < amiller> ah, thanks jgarzik
00:11 < jgarzik> though not necessarily in sweden
00:11 < jgarzik> knc and a couple others are doing hosted mining
00:11 < amiller> are there threads panicking about this
00:12 < jgarzik> and well over a year ago, "Vladimir" on the forums sold hashes in this manner. you paid for a certain amount of hashes (GPU at the time).
00:12 < jgarzik> nope, it's already been explored
00:14 < amiller> already been explored? what conclusion did they come to? (i'm searching for such threads)
01:17 < gmaxwell> nanotube: amiller's plan to foil cloud mining is like julian assange's plan to use leaks to undermine secrecy. :P
01:18 < gmaxwell> I don't think anyone has explored foiling it through clever techno-economic hacks.
01:19 < gmaxwell> (nor do I think amiller's ideas would ever go anywhere, but they may someday turn useful should bitcoin fail to centralization)
01:19 < gmaxwell> (so that the $next_thing, in 100 years when people will finally trust a next-thing, won't have the same flaw)
01:21 * amiller can wait
01:21 * nanotube also plans on being around in 100 years.
01:22 < nanotube> assuming we don't have a major cataclysm, seems within the realm of possibility
01:23 < gmaxwell> amiller: I can defeat your approach. :(
01:24 < gmaxwell> I have some independent hardware maker build my hardware with an odometer, and the hardware gets audited by people with electron microscopes (at random, which I can afford because I'm mega cloud)
01:25 < nanotube> we just need to make bitcoin asic coffeemakers and spaceheaters.
01:26 < nanotube> and have them default-set to mine solo.
01:26 < gmaxwell> yea, I've argued that before: for low level waste heat decentralization is actually more cost effective... but deploymens seem to suggest that I'm wrong.
01:26 < gmaxwell> er deployments.
01:26 < nanotube> once we have millions of these out there, no need to worry about it.
01:26 < nanotube> there are deployments?
01:27 < gmaxwell> alternatively, I just run my cloud business such that I pay the average expected payout regardless of the actual payout, and I hire trained assassins to patrol my datacenter to catch thieving techs.
01:27 < gmaxwell> nanotube: there are a number of big online highly centralized deployments, e.g. asicminer and the 200TH mine that most of the bitfury parts went to.
01:28 < nanotube> gmaxwell: well yes, but there are no deployments of relatively cheap consumer hardware that mines automagically with no user intervention.
01:28 < gmaxwell> cointerra's original business plan was that, but the club to the head that they need to sell stuff was strong enough, but I don't know if they were just delayed or really deflected, see: http://cointerra.com/about/ "Our mission is to become a reliable and trusted node for transaction clearing on a stable and flourishing Bitcoin network."
01:28 < gmaxwell> no no right.
01:29 < gmaxwell> I'm saying that my theory that decentralized is more efficient than centralized because the waste heat is more productively disposed of may be wrong.
01:29 < gmaxwell> because I'm seeing lots of centralized deployments and there is no bitcoin coffeewarmer.
01:29 < nanotube> hmm
01:30 < gmaxwell> I dunno why it's wrong, I certainly lived it in VA. with substantially free power in part of the year because mining completely replaced heating costs.
01:30 < gmaxwell> (realistically the heatpump was probably 2x more power efficient, still... half price power is good)
01:31 < nanotube> maybe because nobody's gonna buy a 3000-dollar spaceheater. :P
01:31 < nanotube> the bfl jalapenos could have been it... but bfl fscked up, as we all know.
01:32 < gmaxwell> well the actual cost of building these things is ... not that high. I titter a bit at the forum people "why would they sell them when they could mine!" "because you morons will pay a king's ransom for the hardware!"
01:32 < nanotube> hehe
01:44 < Luke-Jr> lol
01:45 < petertodd> Why mine when you can sell the hardware and make debt payments now?
01:46 < Luke-Jr> petertodd: and make a nice profit until you actually ship!
01:46 < petertodd> heh
01:46 < Luke-Jr> bah! Qt 5 requires Perl 5.16
01:46 < petertodd> <shudder>
01:46 < Luke-Jr> not sure I want to upgrade to testing perl
01:46 < petertodd> awful, horrible language
01:47 < Luke-Jr> Perl is lovely.
01:47 < Luke-Jr> I think I prefer to stick to stable versions though
01:48 < Luke-Jr> OH! That's how I can get the election by a landslide!
01:48 < Luke-Jr> "I know Perl. =_="
01:48 < petertodd> I don't vote for the mentally ill.
01:48 < Luke-Jr> :P
01:48 < petertodd> well, at least *that* kind of mentally ill...
01:49 < Luke-Jr> Perl is the kind of thing where you hate it until you're familiar enough with it. :P
01:50 < petertodd> yeah, I got familiar with it then went to art school...
01:51 < Luke-Jr> I wrote an emulator in Perl once! :P
01:52 < petertodd> heh, of what? line noise?
01:52 < Luke-Jr> it was one of my toy MIPS emulators I think
01:52 < petertodd> I hope you ported perl to it
01:52 < Luke-Jr> :D
01:53 < warren> I don't know who to vote for.
01:53 < petertodd> I wonder what's the longest chain of emulators ever emulated?
01:53 < warren> There's no Clinton on the ballot.
01:53 < petertodd> I was hoping to vote for the other lizard.
01:54 < phantomcircuit> petertodd, well someone wrote a Z80 emulator for a Z80 and then ran it on x86
01:55 < petertodd> phantomcircuit: I was more thinking Arthur Ganson's "Machine with Concrete" - https://www.youtube.com/watch?v=5q-BH-tvxEg
03:15 < petertodd> Random number generator: https://www.youtube.com/watch?v=a6aicIcQJvc
03:15 < petertodd> and sublime work of work
03:16 < petertodd> ganson is a genius
15:53 < gmaxwell> amiller: am I correct in believing that just having basic pairing operators (gt* gt/ g1^ g1+ gt= and loads of g1 types) is all we'd need to verify pinocchio in script?
16:05 < amiller> gmaxwell, yes definitely.
16:07 < amiller> gmaxwell, i think it would be easy to implement using PBC
16:08 < amiller> pinocchio requires a few specific twist curves
16:09 < amiller> they have two curves basically
16:12 < gmaxwell> amiller: In the SCIP they mention they have selected a curve with a particular efficient endomorphism, I assumed this was just distortion map optimization and would already be in pbc.
16:12 < gmaxwell> (I guess its a requirement that the curve and its quadratic twist have the same embedding degree?)
16:14 < gmaxwell> In any case, I was just musing on what the minimal cryptographic extensions to script were to achieve the widest increase in applications.
16:14 < sipa> OP_X86
16:15 < Luke-Jr> P2SH-for-SCIP would be useful
16:15 < amiller> i don't actually know any details about how pairing based crypto works, i only understand it at the bilinear map layer
16:19 < amiller> i may end up trying to learn it in a hurry and implement the pinocchio verifier myself :/
16:19 < amiller> of course for efficiency it's always hard to find the right abstraction
16:24 < amiller> https://crypto.stanford.edu/pbc/manual/ch08s08.html these are the BN curves y^2 = x^3 + b i think pinocchio uses
16:26 < gmaxwell> ah, okay, yea, I would have assumed it was though out of the ones in PBC. I still don't exactly understand how the pairing operation isn't slow as @#$@# for k=12 but apparently its not.
16:46 < amiller> the pinocchio guy said a similar thing once, that they picked a specific curve and used a lot of curve-specific implementation optimizations
16:46 < amiller> but maybe it's just this distortion map thing you're mentioning
19:44 < gmaxwell> So perhaps this was obvious, but I realized that a sensible way to go about establishing the usefulness and correctness of a new scripting system for bitcoin is to implement it, and embed it in a harness that uses it as the controlling criteria in a signing oracle.
19:45 < gmaxwell> e.g. you take your script, hash it, compute a new public key from the oracle's well known public key. Then do things where you want the oracle to sign with that key... then go present the oracle your script and when it accepts it signs for you.
19:46 < gmaxwell> so then you could make any new application for your new bitcoin script opcodes you want, with the limitation that you depend on a trusted oracle.
19:46 < gmaxwell> But if the usefulness of the improved script is established then thats the on-ramp to making it part of the distributed system proper.
19:56 < amiller> that's a neat idea.
19:57 < amiller> that would work e.g. for zerocoin
20:04 < phantomcircuit> this is driving me insane
20:05 < phantomcircuit> i cant get the block header that cpuminer is finding from the info stratum provides
14:25 < maaku> So question for the other -wizards': are there hard-fork changes which would make identity management easier?
14:26 < maaku> s/hard-fork/hard or soft fork/
14:34 < gmaxwell> maaku: being able to prove an output was created in the chain with a smaller proof (which doesn't include a whole transaction) would be nice.
14:35 < maaku> so merkleized transactions, presumably?
14:39 < gmaxwell> yes. Then you'd probably also want lockable outputs.
14:40 < maaku> lockable meaning can't be spent for X blocks, or until block X?
15:18 < gmaxwell> Either would work for SINs, the latter is probably more generally useful... the former may be better for SINs.
16:54 < gavinandresen> High-quality thoughts on selfish mining happening here: https://bitcointalk.org/index.php?topic=327064
17:34 < MC1984> i dont know. Weve already seen we cant wholly rely on positive incentives to maximise desirable behavior (like simply making sure your mining setup is bloody working properly and keeping it so)
17:34 < MC1984> whos to say we can wholly rely on negative incentives to minimise undesirable behavior.
17:35 < MC1984> i mean, if that were true democracy would actually work right...
17:36 < MC1984> even wholly/substantially. Especially if a rumour or urban myth goes round amongst the plebs of a way to mine more coins for free or something even if its actually killing bitcoin
17:37 < maaku> hrm. SIN and namecoin are very similar mechanisms, are they not?
17:38 < gmaxwell> maaku: namecoin expects the network can do lookups for you. sin expects the user to extract a proof and provide it.
17:38 < gmaxwell> You can verify sin without speaking the bitcoin protocol at all (with some security discussion because you're "blind SPV").
18:02 < michagogo|cloud> What goes on in this channel? (found it thanks to the mailing list)
18:03 < gmaxwell> A muggle1
18:03 < gmaxwell> !
18:03 < gmaxwell> burn him!
18:03 * amiller put on his robe and wizard hat
18:03 < gmaxwell> michagogo|cloud: we talk about far out technical stuff instead of pragmatic near term bitcoin things. It's kind of a cryptonerds bitcoin-dev-offtopic.
18:04 < michagogo|cloud> Hmm, sounds interesting
18:05 < sipa> amiller: http://bash.org/?104383 ?
18:05 < maaku> stuff that's longer-term than the next release cycle
18:05 < pigeons> maaku: are you mining the -wazards for feature ideas to solve problems to add to freimarkets?
18:05 < pigeons> ;)
18:05 < amiller> bloodninja yeah ;p
18:05 < maaku> hah sometimes. that's what my question about SIN was for
18:07 < maaku> but it's relevant since we can actually experiment with this stuff on a live network there
18:07 < michagogo|cloud> SIN/
18:07 < michagogo|cloud> s|/|?|
18:08 < maaku> michagogo|cloud: https://en.bitcoin.it/wiki/Identity_protocol_v1
18:09 < sipa> someone should write an identity protocol v2
18:09 < sipa> so we can talk about the Original SIN
18:10 * michagogo|cloud wonders if he's missing something
18:11 < amiller> "A SIN ("System Identification Number") is the unique record identifier by which this identity will be known."
18:12 < michagogo|cloud> I saw that
18:12 < michagogo|cloud> sipa: Is that a reference to something?
18:13 < maaku> michagogo|cloud: an oppressive catholic education
18:13 < maaku> http://en.wikipedia.org/wiki/Original_sin
18:14 * michagogo|cloud glances at the nick list, between kinlo and maaku
18:32 < adam3us> why do we want identities again?
18:37 < adam3us> ok skimmed bitcoin.it/.. identity_proto.. for issuer signed attestations brands is the most flexible blind signature protocol
18:38 < adam3us> there are also some protocols for serial anonymous use, where if you get banned you lose your access token, but not your anonymity
18:50 < gmaxwell> adam3us: right, for anti-trolling/spamming/etc.
18:56 < adam3us> gmaxwell: yes, the interesting thing is it turns out to be possible to be serially anonymous (as distinct from pseudonymous) while reusing a single authorization
18:57 < gmaxwell> adam3us: yea, e.g. via chaining blind signatures. Are there other ways?
18:57 < adam3us> gmaxwell: at some earlier point people supposed you could not be anonymous and yet anti-trolled
18:57 < gmaxwell> e.g. present an identifying sync, get a chaum token.. chain it forward..
18:57 < adam3us> gmaxwell: yes the actual approach was something simple like that
18:58 < gmaxwell> s/sync/sin/
--- Log closed Fri Nov 08 00:00:41 2013
--- Log opened Fri Nov 08 00:00:41 2013
06:31 < adam3us> anyone tried to figure out if ed felten is right?
06:32 < adam3us> i posed the question similarly in my comments to the selfish-miner paper authors (on bitcoin-dev): https://bitcointalk.org/index.php?topic=327064
06:33 < adam3us> wrong link http://sourceforge.net/mailarchive/message.php?msg_id=31612133
06:33 < adam3us> "It is also not clear what will happen if multiple selfish miners compete with each other. A selfish miner cooperating as a peer to increase percentage runs risk of mutual sabotage - he has to announce his private block to his co-conspirator, and the co-conspirator may publish, or collude with another non-selfish miner."
06:34 < adam3us> felten claims the answer to that q. is selfish mining is unstable so wont persist
06:35 < adam3us> (well a selfish pool composed of multiple smaller pools or powerful miners, is unstable is his claim)
10:39 < amiller> adam3us, ian michael miers sent ed an email about this
10:40 < amiller> it would be pretty straightforward for the pool operator to enforce/discourage fairweather-mining
10:40 < amiller> for example if you don't keep up the pace, you get kicked out
10:41 < adam3us> amiller: yes i thought it was an interesting question, and posed it also, but i am not sure ed's gut reaction is necessarily right or properly checked
10:41 < adam3us> is that public email? on a list?
10:42 < amiller> it was a private email, instigated by a public twitter conversation
11:44 < adam3us> amiller: i guess the fair-weather guy could also sell information or be in collusion with or be a larger unselfish miner; then he can switch to the previous block at random, and the selfish miner wont know which block to mine (do this reactively when the selfish miner gets ahead)
11:45 < adam3us> amiller: as soon as the selfish miner is > 1 block ahead (which happens 1/9 of the time with 33% power), the unselfish miner has already lost so he loses nothing new by this strategy
11:47 < amiller> did you switch from fairweather miner to unselfish miner?
11:48 < adam3us> amiller: no
11:48 < adam3us> amiller: fairweather is someone who attacks the selfish mining pool from within, unselfish is someone who is running the normal protocol
11:49 < adam3us> amiller: my point is the unselfish miner can sabotage the selfish mining game, and to the selfish miner he'll just look ridiculously unlucky which he will notice soon enough
11:50 < adam3us> amiller: but if he cant find anyone who wont do that to him, he cant do the attack unless he amasses 33% himself
11:50 < amiller> i have no idea what you're saying actually ;/
11:51 < amiller> you're saying fairweather miners can undetectably leak information to some other unselfish miner?
11:52 < adam3us> amiller: correct, they can participate in the selfish mining in hashrate, but sabotage it, but it will be noticed statistically that the selfish pool is not doing as well as expected
13:30 < adam3us> seems like it could be useful to extend timelock to be a script function rather than a tx property so you can do before, after, ranges, and do in one tx rather than multiple interlocked tx
14:08 < gmaxwell> adam3us: that creates freaky problems where a transaction which falls out of the chain in a reorg can't be put back in.
14:10 < adam3us> gmaxwell: yes you'd have to have it confirmed (timestamped) within its validity period or you're out of luck
14:11 < gmaxwell> adam3us: not just that, it can be confirmed.. and then the chain gets reorged.. and it can never be put back.
14:11 < gmaxwell> The security of all coins descended from that one arguably reduced forever.
14:23 < adam3us> gmaxwell: well a coin reorg that excludes it is not much different to putting zero fees and not getting in the first time
14:25 < gmaxwell> adam3us: it is because you know when its never been in. This is the same kind of fungibility problem that coins derived from coinbase txn have, which is why they have a 100 block settling time.
14:26 < gmaxwell> I'm not saying no-never... but it has tradeoffs which make me uneasy.
14:45 < adam3us> gmaxwell: yes. maybe an addendum could be to authorize belated adding if previously confirmed in an orphan within the required block/time
14:49 < amiller> i don't get how it's different
14:49 < amiller> if the chain gets reorged, one conflicting transaction can replace the other
14:50 < amiller> everything descending from the tree is affected, if the fork goes back that far
14:50 < adam3us> amiller: he means that if its < timelock, and the time has passed you're out of luck
14:50 < amiller> yeah
14:50 < adam3us> amiller: whereas now timelock is only > timelock so you just resend it
14:50 < amiller> it's still caveat emptor, i don't see how that should matter
14:50 < amiller> or to put it another way, if you receive a bitcoin from someone, who just received it from someone else, it's still not fungible
14:51 < adam3us> amiller: yes that is somewhat true; if a big enough reorg occurred to undo 6 blocks, never mind 100 you've got other problems, you're vulnerable to full-on 51% attacks
14:52 < adam3us> amiller: but gmaxwell is right that mined blocks are treated with more suspicion in terms of confirmations at least in the qt client
14:52 < amiller> perhaps they shouldn't be?
14:53 < amiller> anyway i think coinbase maturity is a bad rule because of economic blah blah incentive-compatible but that's a dead horse
14:53 < adam3us> amiller: well there could be an argument that honest reorgs would preserve the transaction order
14:53 < amiller> honest reorgs is a weird model but sure
13:30 < adam3us> petertodd: isnt that enough
13:31 < petertodd> Right, but the issue is a 51% attack against some subset of the blockchain data.
13:31 < petertodd> Like, if other miners *didn't* build upon your part of the blockchain via timestamping, this wouldn't be a big deal.
13:33 < adam3us> petertodd: yes its another aspect of the one-true chain model (must be up to 7 dependencies by now) it ensures that once your block is buried even one block other miners have an incentive to mine it to avoid being orphaned
13:34 < petertodd> Yup
13:34 < adam3us> petertodd: i think i had the analogous problem you are talking about with complex incentives for the "thicket" of block chains approach
13:35 < petertodd> Sure, although I think the biggest issue is just the really fundamental one about how you need to be sure the blockchain data is in the hands of more than one person.
13:35 < adam3us> petertodd: at that time i concluded it was enough alone to kill it - simplicity is good etc but this variant has additional advantages so maybe we can still get back to a net win eventually
13:36 < petertodd> Yup. Like, suppose we could make the assumption that the majority of hashing power would be mining all shards in one go, then that majority would have the data, and there'd be no issue at all. But we can't assume that.
13:36 < adam3us> petertodd: its not inherently interesting to someone to censor your shared block hash, they have to want to present a different version of it with a different spend
13:36 < adam3us> petertodd: right - thats the 7th dependency - super-entangled design when you get to all of the dependencies
13:36 < petertodd> Economically interesting no, but if their goal is to destroy the system then you're in trouble.
13:37 < adam3us> petertodd: yes, and you have to defend against that
13:37 < petertodd> Yup. I dunno, maybe it's the case that fundamentally you can't? But I'd sure hope you could at least do better.
13:37 < adam3us> petertodd: in my thicket thought experiment (unpublished) i was supposing some modest reward bonus for being the first to pull in a shard-hash
13:38 < petertodd> what do you mean by "pull in"?
13:38 < adam3us> petertodd: or a share of the fees in it (hash it as an input another shard hash)
13:39 < adam3us> petertodd: i think you need to have some list or merkle hash of shard-hashes so that as time progresses each hashed block includes everything else if you explore down the tree a bit
13:40 < petertodd> See, my thought experiment is a little different: for a given committed transaction input, we should be able to calculate the total work done by all miners with that transaction input in their dataset. (assuming the pow scheme does proof-of-data)
13:40 < adam3us> petertodd: (each shard-hash includes all other shard hashes in a best effort sense, motivated by a share of the fee and/or reward)
13:41 < petertodd> Yeah, although maybe at this point it'd be better to leave reward out; I think in an inflationary system we can reward people simply by taking their coins away unless they mine in proportion to the coins they own.
13:44 < adam3us> random non-tech thought about the "what is bitcoin" virtual commodity, etc .. its a crypto/math geeks stamp collection
13:44 < petertodd> heh
13:45 < adam3us> see in hashcash in the mail context they were stamps and i have a page with a stamp collection; they are rare because they are expensive, and a math/crypto/computer geek can admire and appreciate the beauty (or waste) in finding a number with 15 leading 0 hex digits so they have math aesthetic value too
13:46 < adam3us> http://hashcash.org/stamps/ one of those was 48 bits eve years ago
13:46 < petertodd> yeah, bitcoin is special in figuring out how to take those stamps and assign them owners with global consensus
13:46 < petertodd> heh, meanwhile we've got, what, 68 zero sha256^2 pre-images now?
13:46 < adam3us> right; it wouldve been easy to give a hashcash a public key, just include a pub key in the hash (as bitcoin does), and i thought about it for mail apps even (prove a reputation)
13:47 < adam3us> yes
13:48 < adam3us> actually i calculated it here: https://en.bitcoin.it/wiki/Hashcash
13:48 < adam3us> its 60.6 bits right now
13:48 < adam3us> or 61.6 bits of security (there are 2 hashes per try so +1)
13:48 < adam3us> more secure than 56-bit DES :)
13:48 < petertodd> ha
13:50 < gmaxwell> adam3us: well I don't think you get to count the ^2 ... I mean, sha256 is much slower in hardware than DES and you're not counting that.
13:50 < adam3us> the guy etienne gervais wrote his own openCL hashcash-sha1 miner just to get leaderboard on that page :)
13:50 < petertodd> Interesting thought: so, in my txin commitments scheme, what you need to keep "up-to-date" with, in terms of the blockchain, is the part of the blockchain with the still un-revealed txouts that your wallet contains. IE, the important part of the txin space is still "zeroed" up until you want to spend it to someone else.
13:50 < adam3us> gmaxwell: yes it is a question of what counts as an op in O(2^n) notation grey area
13:51 < petertodd> Not brilliant, but it is a bit of a security improvement in that targeting you specifically to make your coins unspendable is hard if you keep those txouts a secret.
13:51 < adam3us> gmaxwell: if it was computing DES unlike eff des cracker which computed one des decryption in 56hrs, bitcoin network can do it in < 12 sec
13:51 < gmaxwell> you could instead use some transistor toggle metric.
13:52 < adam3us> gmaxwell: vaguely recall knuth might've had some complexity metric based on a styled pseudo assembly code :) even with cycles or instructions depends on cisc, risc etc
13:53 < gmaxwell> adam3us: art's (who you didn't get to interact with, early bitcoiner who went away) fpga mining farm could do a full des search in ~24 hours and I think that was just a 40GH bitcoin farm.
13:54 < adam3us> gmaxwell: its interesting in that des cracker was built in 1998 for $250k but if it was sha256 instead of des it'd still be respectable and maybe profitable for bitcoin i think (have to check calc)
13:55 < gmaxwell> adam3us: DES is especially weird, because the sboxes yield especially compact combinatorial logic.
13:55 < adam3us> it was doing 280 TDes/sec
13:55 < adam3us> for $250k
13:59 < adam3us> gmaxwell: something seems wrong bitcoin hashrate = 3 ExaH/sec if deepcrack was 280, it'd be only 10x slower, but thats not true; yet 2^56/56/6/1000^4 = 280 hhmm (deepcrack could do 2^56 in 56hrs)
14:00 < adam3us> gmaxwell: oh bitcoin hash rate is now 4 Exah (33% increase as of a few days) jeeze
14:10 < petertodd> adam3us: suppose we ensured that mining some portion of the blockchain required the consent of the majority of the owners of the coins in that portion, do you think the data hiding problem would be sufficiently solved?
14:10 < petertodd> (ignore practical difficulties here)
14:16 < sipa> adam3us: what is Exah?
14:16 < sipa> per what time?
14:17 < sipa> it's 3.8 petahash/s
14:17 < sipa> where hash = double-sha256
15:36 < HM2> Android has improved its security further by adding support for two more cryptographic algorithms. Elliptic Curve Digital Signature Algorithm (ECDSA) support has been added to the keystore provider improving security of digital signing, applicable to scenarios such as signing of an application or a data connection. The Scrypt key derivation function is implemented to protect the cryptographic keys used for full-disk encryption
15:36 < HM2> Android adopting Scrypt is pretty big crypto news I guess
15:40 < sipa> ooh nice
15:42 < HM2> yeah, not sure whether they make that available via the general crypto APIs
16:45 < adam3us> sipa: better that explains my error
17:19 < sipa> amiller: ?
17:19 < sipa> ah!
17:20 < amiller> haha, my phishing attack is complete
17:20 * gmaxwell is confused
17:20 < amiller> i'm approximately authenticated as adam back
17:20 < amiller> as far as sipa is concerned
17:21 < gmaxwell> Well, a people all look the same.
17:22 < sipa> my authentication scheme is based on H(nick[0])
17:42 < amiller> ugh question about colored coins again
17:42 < amiller> to determine if a txoutput has the color
17:42 < amiller> do you have to trace just a *path* through the transaction tree down to the genesis of the colored coin/
17:42 < amiller> or do you have to trace the whole tree?
17:43 < amiller> someone convinced me it was just the tree
17:43 < amiller> er just a path
17:43 < amiller> but now i think it's the entire tree, because you have to establish the color value of *every* txinput, which is then recursive
17:44 < gmaxwell> amiller: I'm not following the distinction. If you receive a colored coin and someone tells you the respective genesises you can just connect them and ignore unrelated parts of the history.
17:44 < gmaxwell> I suspect most people flapping their lips about this stuff have never picked a random coin on the network and tried to extract its whole history.... :P
17:45 < gmaxwell> (it's pretty normal for something to be tainted against a significant fraction of all past transactions)
17:45 < amiller> what is the unrelated part of the history though?
17:45 < amiller> it would be nice if, for example, if i only cared about this current txout, then i have to look backwards to at most one txinput in each transaction
17:45 < amiller> thus a linear path from the txout in question to the genesis
17:45 < gmaxwell> amiller: if you know which coins were the genesis you can trace forward and back and meet in the middle.
17:46 < gmaxwell> amiller: you only can do that if you already know the path (e.g. someone else already traced it)
17:46 < gmaxwell> if you know the genesis and the rule is setup right you can trace forward with one output per transaction.
17:46 < gmaxwell> but backwards alone is exponential.
17:47 < amiller> i don't see how to go forward with one txout per transaction
17:47 < amiller> can you recommend a link with code for this
18:15 < jgarzik> adam3us, TBH it's not just laziness. Even if my bitcoinj-based Bitcoin Wallet was [hopefully] updated to reuse addresses tomorrow, you still have a problem of address reuse being practically mandated by circumstance, in the other direction:
18:15 < adam3us> sipa: when presented with a key though
18:15 < jgarzik> miner payouts, salary payouts, etc.
18:15 < jgarzik> no good way exists to give a payment stream a set of addresses
18:15 < sipa> adam3us: they could reveal that key
18:15 < TD> lol
18:15 < TD> wallet author laziness
18:16 < TD> adam3us: you can follow HD wallets in bitcoinj development work here: https://code.google.com/r/hearn-bitcoinj/source/list?name=keychain
18:16 < TD> as you can see lots of code has been going in for the past 6-7 weeks
18:16 < adam3us> jgarzik: yes indeed. well there is a mix of like wallets that only support one address supposedly? and then there are real problems. signature lines, biz cards, etc they are truly simpler to use and understand and in some use-cases hard to avoid!
18:16 < Luke-Jr> jgarzik: HD wallet spec has stuff for that
18:16 < TD> adam3us: design doc is here, to give you a flavour of how complicated the work is: https://code.google.com/r/hearn-bitcoinj/source/browse/designdocs/Deterministic%20wallets.txt?name=keychain
18:17 < am42> lol
18:17 < am42> guys...
18:17 < jgarzik> Luke-Jr, yes, any derivation scheme fits the use case
18:17 < adam3us> jgarzik: "no good way exists to give a payment stream a set of addresses" well like Luke-Jr said shared subwallet chain-code should work for stream
18:17 < jgarzik> as long as it is standardized
18:17 < jgarzik> and private
18:18 < jgarzik> the whole world doesn't need to track my salary
18:18 < Luke-Jr> but it's so fun! <.<
18:19 < jgarzik> I would love to find a solution for mass payouts killing privacy. the solution seems to be "send a bunch of little TXs", which is network-unfriendly.
18:19 * TD shrugs
18:19 < TD> the point of bitcoin is to move money, well
18:19 < TD> that's why we need to scale the tech
18:20 < TD> so we're not afraid of making little transactions if that's what it takes to give good privacy
18:20 < TD> adam3us: anyway if you're feeling non-lazy you're welcome to help chip in with the implementation .....
18:20 < adam3us> TD: scary looking spec there. btw relatedly petertodd was saying that bloom is not that private with default parameters
18:20 < TD> :)
18:20 < TD> yeah current bitcoinj has a default very low false positive rate and a few bugs
18:21 < TD> ways the remote node can trick you into revealing whether you own a particular key, stuff like that
18:21 < TD> we experimented with a higher FP rate in this dev cycle but it wasn't usable on 3G connections. so we need to add a notion of bandwidth modes to the API
18:21 < TD> then if we're on wifi we can ramp it up, etc
18:21 < TD> either that, or some kind of auto measurement/adaptation, but that's harder
18:21 < sipa> well, as long as bitcoinj wallets reuse addresses by default, there's little point in trying to protect privacy using bloom filters )
18:22 < TD> yeah - that's why i'm working on HD wallets at the moment and not bloom filtering :)
18:22 < adam3us> TD: still i wonder if its more private still than the prefix idea prefix leaks to all and interacts badly with existing statistical network analysis
18:22 < sipa> yeah, i know, not commenting there
18:22 < am42> guys i want to buy safe bTC via Western Union
18:22 < am42> or MoneyGram
18:22 < TD> but as you can see from the design doc ..... well, bitcoinj wallet class got a lot of features over the years, so making sure none of them break and the upgrade is smooth, takes a lot of work
18:22 < adam3us> sipa: ha ha
18:22 < am42> how to do that safe?
18:23 < sipa> am42: not here, try #bitcoin
18:23 < wallet42> td: will bloom filters work with stealth addresses?
18:23 < adam3us> jgarzik: "I would love to find a solution for mass payouts killing privacy." this seems like a coin control issue.
18:23 < TD> i don't know. i haven't really worked through the details of ... lets call them "routing addresses"
18:23 < adam3us> wallet42: i think not
18:24 < TD> but yeah there's an obvious conceptual issue there - bloom filters are intended to hide what the node should be looking for. but with stealth/routing addresses, the client doesn't know what it's looking for either, in a way
18:24 < adam3us> TD: i was suggesting unlinkable static (vs the current static aka reused).
18:24 < TD> with the payment protocol it might be different because then you don't have to find payments only via the chain
18:25 < TD> adam3us: yeah but i think "static" is jargony
18:25 < adam3us> TD: exactly. the client would have to give the node a private key to scan with. and that scanning is like heavy
18:26 < TD> if the payer submits the tx directly to the payee via bluetooth/http/other payment protocol methods that issue goes away of course
18:26 < TD> but then you have to be online
18:26 < adam3us> TD: and then i think there's no ambiguity left for bloom to work with. unless you upload a few other peoples private key also
18:26 < TD> or have a dropbox of some kind
18:26 < adam3us> TD: yes. i guess we cant or dont want to accept that as an assumption and also one or other part could get lost.
18:27 < adam3us> TD: routing address is not bad.
18:28 < adam3us> jgarzik: didnt petertodd write something called dust be gone that swept up all the tiny tracking spam payments into a corner so your wallet doesnt auto grab them? or coin control to not use them until you run out of bigger coins.
18:32 < TD> i think it paid dust outputs to miner fees
18:43 < EasyAt> I don't understand the use of these tracking outputs. Is it because if the TX is to me I will relay it, whereas if it isn't mine I'll drop it because it's dust?
18:44 < adam3us> EasyAt: apparently they send tiny payments to lots of people, then watch them be respent.
18:44 < EasyAt> Can't I just track outputs from a target address without tagging it
18:44 < adam3us> EasyAt: your wallet just grabs random inputs from whats in the wallet, "coin control" is not clever yet apparently. its like someone giving you marked pennies.
18:45 < adam3us> EasyAt: well not if someone is not reusing addresses so much.
18:45 < EasyAt> Yea, but once they target my address they can just watch all outputs and the chain of TXs following?
18:46 < maaku> EasyAt: these addresses are one-use only
18:46 < adam3us> EasyAt: i guess you could say its a way to force someone to reuse an address against their wish... send them unsolicited dust to their address.
18:46 < maaku> oh n/m
18:47 < sipa> i really prefer a model where you have to ask for every transaction you have to send first
18:47 < sipa> but it seems the bitcoin economy hasn't evolved that way
18:47 < adam3us> EasyAt: your wallet contains like 100 addresses and the wallet tries to not reuse them. so they know this particular address is yours for some reason. maybe the point is the dust payment is to the same address, and may get used in a different payment (even tho its the same address its a different txout)
18:48 < EasyAt> adam3us: Is it in the hopes that you will spend the dust with another output from a different address, thus leaking some info?
18:49 < adam3us> EasyAt: its not automatic that all payments from the same address would go in the same payment. its not balance based so each txout is spent separately. if they see one of those dust payments respent with an address of yours they didnt know was yours, they do now
18:49 < adam3us> EasyAt: but i dont know who would care enough to waste btc dust to find out really. maybe some academics doing analysis or something?
18:50 < EasyAt> adam3us: Indeed, I follow you
18:50 < EasyAt> tainting people
18:50 < EasyAt> Or address grouping, I suppose
18:51 < EasyAt> sipa: In your model I would need permission from the receiver?
18:52 < adam3us> EasyAt: yes probably the latter. yes his model is that and would work, in an older version there was sent via IP which could've been more permission based as there was an interactive link anyway
18:53 < EasyAt> Interesting, thank you for the input
18:54 < adam3us> in an ideal world we'd have better privacy so people could send you small payments and it wouldnt matter.
18:55 < sipa> EasyAt: i would like that yes
18:55 < sipa> EasyAt: that you could not send coins without permission from the receiver
18:56 < EasyAt> How would cold wallets receive funds in that case
18:56 < sipa> nothing prevents it from being presigned
18:57 < EasyAt> Hm, then wouldn't I need prior knowledge of the TX? How about a cold wallet used for donations?
19:00 < adam3us> EasyAt: maybe there could be a separate key for permission to send sig than for spending. (like the chain-code being in an online computer and the private key in the offline)
19:01 < adam3us> sipa: it would also solve address reuse. new address on each signed payment permission
19:03 < EasyAt> Or, maybe a way to publish a ruleset in the blockchain for acceptable payments to an address
19:04 < EasyAt> Though, by doing so I am giving up my pubkey... I think
19:04 < EasyAt> Well, I can't think of a way not to give it up
19:05 < sipa> adam3us: well, it's exactly what the payment protocol intends to bring back
19:09 < adam3us> sipa: yes.
19:21 < jcrubino> was a rename decided for stealth addresses? I would like to propose "quiet addresses" or "silent address"
19:23 < adam3us> jcrubino: i think we have a winner from jeremy spilman "reusable address"
19:23 < jcrubino> sounds good
19:23 < gmaxwell> I like reusable address.
19:24 < maaku> very nice
19:25 < adam3us> gmaxwell: yea me too. i am not sure of the level of enthusiasm for this all being a done deal tho "I have high hopes for this feature. The war *against* address reuse may soon be a distant memory." (Jeremy on bitcoin-dev list)
19:25 < adam3us> gmaxwell: seems to me there is a big open question about SPV compatibility.
12:15 < adam3us> hm2: then everyone is a user (who uses it) but zerocoin is slow, bloated coins, and only one denomination (imagine paying $10k in 1c coins)
12:16 < HM2> i'm sure sipa could cook up something with hash trees
12:16 < adam3us> hm2: if you can follow chameleon hash argument u could grok it
12:16 < HM2> everything in bitcoin is solvable with another tree of hashes
12:16 < sipa> HM2: gmaxwell and petertodd are far more expert at using hashes for everything :)
12:16 < adam3us> hm2: funny u should say that committed transactions potentially hide a lot from the public are also just hashes
12:17 * sipa just implements
12:17 < adam3us> hm2: a different privacy model, where the only people who see who is paying who and how much are the people in the history of the payment (not the public at large)
12:21 < HM2> sipa, it's better for your sanity i'm sure
12:26 < adam3us> someone who knows something about hashes, trees, and tries ought to do something about bitcoin scalability; something concrete like a bip and an implementation
12:27 < adam3us> if bitcoin doesnt scale people will do something stupid offchain eg centralized micropayments with trust me bitcoin backing and when dust reaches $10k all bitcoin transactions will be offchain
12:27 < adam3us> that would be a very rubbish end to bitcoin ecash
12:33 < adam3us> you've got to wonder if accumulators could help also rather than trees, gives a kind of commutative hash tree so it can be rebalanced without changing the root hash
12:35 < sipa> hash(sort([h0,h1]))
12:36 < sipa> ha:
12:36 < adam3us> sipa: thats the effect you'd get but without the sort implication of needing the serializations available
12:36 < sipa> Please remember - don't hoard TestNet coins or try to sell them. TestNet coins are worthless, but useful. They are useful because they are worthless. If you will add value to them, they will be useless, therefore worthless.
12:37 < adam3us> sipa: lol
12:37 < sipa> (from tpfaucet.appspot.com)
12:37 < adam3us> sipa: a(h1,h2)=a(h2,h1) and a(h1,a(h2,h3)) = a(a(h1,h2),h3) etc
12:38 < adam3us> sipa: and what's more you can prove hn is in the tree in O(1) space and work rather than O(log2(n)), thats the real bonus
12:38 < sipa> over my head :)
12:39 < sipa> anyone has a testnet address and wants some coins? i need a test
12:39 < HM2> i wonder if anyones managed to trick anyone into buying testnet coins thinking they're mainnet coins
12:41 < adam3us> sipa: its simple really; just a=g^h1 mod n and to add another hash a2=a^h2 = g^(h1*h2) and repeat user2 can keep g^(h1*h3) (ie with h2 missing) then user 2 proves he's in the accumulator by showing A'=g^(h1*h3)^h2 == A ie A'^h2 = A
12:41 < sipa> oh
12:41 < adam3us> sipa: it only works because its in an RSA group so you cant compute 1/h1 its mod phi(n) which no one knows
12:41 < HM2> except bruce schneier
12:41 < sipa> got it
12:42 < K1773R> sipa: mz1iravK75FhNCyinytJhNCVqxmhFddohn
12:42 < sipa> bruce schneier can recite pi backwards
12:42 < HM2> ;)
12:42 < adam3us> hm2: is this the bruce schneier = crypto chuck norris meme :)
12:42 < adam3us> hm2: he does look a bit like norris
12:43 < HM2> except politically more agreeable
13:03 < adam3us> amiller: about byzantine general and Aspnes et al "exposing computationally challenged byzantine impostors" it occurs to me that bitcoin should not actually need to quite solve the byzantine general problem
13:04 < adam3us> amiller: because you dont really care which tx is first from a set of double spends, just that one is chosen, even at random; maybe that leaves some scope for improvement over the general version of the problem where they actually want to know the correct answer
13:18 < maaku> adam3us: i'm working on the hash-trie thing
13:18 < maaku> and yes, we need it for scalability, especially an address/script indexed tree
13:19 < sipa> that makes non-anonymous non-validating wallets that only maintain a balance and no transaction history indeed scale easily
13:21 < sipa> and with a txid-indexed index, allows validating clients to skip replaying history, assuming they trust it in an SPV way
13:24 < maaku> well, they can validate backwards from the current set, allowing a choice of security in the spectrum between SPV+ and full
13:25 < sipa> if undo data is available over the network, yes
13:27 < amiller> adam3us, so yeah the standard byzantine consensus requires a property like Unanimity, which says the thing chosen is the *one everyone wants* in some sense, but there are a variety of different options people commonly use
13:27 < amiller> one is that it only matters if everyone begins wanting the same thing
13:27 < amiller> another is that it only matters if there are no faults and everyone is honest
13:27 < amiller> another is that the chosen one with high probability has to be close to the plurality
13:28 < amiller> what it means for bitcoin is that if you allow the adversary to always influence the block
13:28 < amiller> a block with no tx's in it is a valid block
13:28 < amiller> so just consensus without some unanimity-like condition would mean you couldn't get a transaction included
13:28 < amiller> something that's bugging me is this concept of, what if you had a transaction that could only be accepted on an even 1000th block
13:29 < amiller> should bitcoin guarantee that you'll get it in quickly?
13:29 < amiller> if the (sub-50%) attacker gets to influence one out of a thousand blocks like that then it could keep that pathological transaction from even getting in
13:54 < maaku> sipa: I suggest commitment of undo blocks in addition to hash roots
13:54 < maaku> and, eventually, some way of querying that data over the network
14:05 < maaku> amiller: I would think that pathological case is the user's fault
14:10 < adam3us> amiller: so what about if the vote is just which transaction is included not whether a tx is included
14:11 < amiller> well there's that edge case where like, you basically can never prove someone *didn't* hear something
14:11 < adam3us> amiller: eg you mine on your own public key to gain voting rights and reward (as a miner) then you exercise those voting rights to say which transactions u like and if there are any dups the highest or the lowest wins
14:11 < amiller> so bitcoin's design is very tolerant of miners pretending they didn't hear a transaction
14:11 < amiller> you never get misbehavior for ignoring a message or playing dumb and not being aware of a tx, etc
14:12 < adam3us> amiller: yes but if the vote is which you like or prefer if there is a dup, an absence of a vote is an abstention, not a dislike
14:12 < adam3us> amiller: attackers can abstain all they like (in fact they're encouraged to)
14:13 < amiller> well if everyone includes all the transactions they've heard...
14:13 < amiller> i dunno, this is tricky, but basically even in the reference client there's miner policy about which valid transactions to include, sort by fee/priority etc
14:13 < amiller> so you don't get your transaction in if the miners are all too full and they like others better than yours
14:14 < adam3us> amiller: i believe its only because of the one-true-chain model to making near 50% attacks difficult (to eventually choose a winning fork if there is a simultaneous block)
14:15 < adam3us> amiller: yes but the concept of a single block as a unified winner is due to a random winner taking 100% of vote
14:17 < adam3us> amiller: if multiple people can vote its more like proportional representation, and all non-dup tx are in by default; and which dup is used is based on the highest (or lowest) voted dup... the vote is mostly for avoiding dups
14:18 < adam3us> amiller: and it doesnt even matter which dup to use, just a random one will do fine (even one chosen by the attacker)
14:19 < amiller> are you saying you'd merge votes
14:19 < amiller> like if i cast 1 vote for {A,B} and you cast 1 vote for {B,C} then that counts as 2 votes for {A,B,C}?
14:20 < adam3us> well the idea is include anything that is not a dup
14:20 < adam3us> so the vote is irrelevant unless there is a dup
14:21 < adam3us> if there is a space limitation take the n highest voted until you're full
14:21 < adam3us> it does have to be somehow consistently serialized however which is the hard part
14:24 < adam3us> adam3us: its only if there are votes (A,B1) and (A,B2) and (B3,C) you need to use the votes to see which of B1,B2,B3 triple spend to use
14:26 < adam3us> adam3us: hypothetically say voting rights are accumulated in one round, to be used during the next round to arbitrate which blocks to include; the hard part is to consistently arrive at the same view of transactions and votes everywhere; maybe the guy who wins the block reward, gets to define the serialization but must provide the vote proofs to justify his decision, or his block serialization is defined as invalid
14:29 < adam3us> amiller: "well there's that edge case where like, you basically can never prove someone *didn't* hear something" well if its in a trie or sorted binary tree you can efficiently prove he received it or not
14:30 < adam3us> amiller: and if you use committed transactions the miners and voters dont know what they're voting on as the sender, recipient and amount is hidden; then all attacks degenerate to random DoS or blocking all tx but their own
14:35 < adam3us> committed transactions description is https://bitcointalk.org/index.php?topic=206303.15
14:37 < amiller> well committed transaction doesn't mean the transaction is valid
14:37 < adam3us> it does mean its not double spent however
14:37 < amiller> i think i would like the most if you were able to accept zero knowledge proofs of validity without having to learn anything else about the transaction
14:37 < adam3us> which is bitcoins main challenge
14:38 < adam3us> (the users validate the value from the spend history)
14:38 < adam3us> (which is not particularly spv friendly but there you go, maybe maaku & tries could help that)
12:23 < adam3us> jtimon: the firewall is its not plausible for bitcoin main to consider accepting transfers back from a side chain (2-way peg) unless there is assurance that fraud or security bugs on the side chain can cause holders of bitcoin main coins to be diluted or lose btc
12:23 < jtimon> petertodd: another is demurrage BUT why would you expect not to have any in-chain transactions? off-chain transactions cannot be p2p currencies
12:23 < adam3us> jtimon: /can/can not/. fortunately that seems possible to assure, hence 2-way peg excitement
12:23 < petertodd> Keep in mind, it's not that I disagree with TD's hopes of people playing nice, it's that if you're depending on that you've got a system with much weaker security guarantees than one that doesn't need honesty.
12:24 < petertodd> jtimon: why pay for an on-chain tx when an off-chain one works well enough? it's simple, less demand for on-chain tx's means less fees, and thus less security
12:25 < adam3us> petertodd: yes. i think 51/33% attacks, incentive in btc main, and merge mined alt & sidechains is far from a done thing. r&d community need to figure out the optimal game-theory and protocol strategies
12:25 < jtimon> petertodd: if an off-chain system has all the properties bitcoin has, why should we fight to maintain a less efficient system?
12:25 < petertodd> jtimon: e.g. suppose fairly secure DRM w/ remote attestation was being shipped to consumers: you can easily turn that into a pretty good off-chain tx system with pretty good security that will get used a lot. That'll take a lot of money away from miners, reducing the security of the underlying system.
12:25 < petertodd> jtimon: because plausible off-chain tx systems *require* bitcoin to exist under the hood
12:26 < adam3us> jtimon: in this side-chain model bitcoin main is the sole home of reward mining. its the hub at the center.
12:26 < petertodd> jtimon: without bitcoin they don't work
12:26 < jtimon> DRM needs proprietary software, which means we can't trust it
12:26 < jtimon> proprietary soft/hardware
12:26 < petertodd> jtimon: so what? trust isn't a binary thing
12:27 < jtimon> oh, I see "because plausible off-chain tx systems *require* bitcoin to exist under the hood" this is what I was missing
12:27 < petertodd> jtimon: if I can trust it *enough* I can use it for less valuable payments and save the more expensive on-chain tx's for more valuable stuff
12:27 < jtimon> freimarkets private blockchains don't need public chains to work
12:27 < petertodd> and if bitcoin still exists, I can use techniques like fidelity bonds to make cracking the DRM system a lot less attractive
12:27 < adam3us> petertodd: there's a guy making offline bitcoin stuff using TPM cards that are microsd sized (via encrypted exchange of private keys) some people seem to be excited enuf to be making him non-trivial btc donations
12:27 < jtimon> they can just interoperate with them
12:28 < adam3us> jtimon: is it drazan?
12:28 < jtimon> of course they don't have all the properties bitcoin has
12:28 < petertodd> adam3us: indeed, I'm thinking of buying a pair to support him
12:29 < adam3us> jtimon: drazvan https://bitcointalk.org/index.php?topic=319146.msg4494688#msg4494688
12:29 < adam3us> jtimon: its kind of cool. not secure at the limit, but maybe it works for low value offline tx. its only the users that lose if it goes wrong, not online btc holders
12:29 < jtimon> so your concern is that off-chain systems relying on bitcoin are so useful that nobody uses in-chain transactions
12:30 < petertodd> jtimon: doesn't have to be "nobody", just has to be sufficiently less demand for on-chain that total fees doesn't pay for enough security
12:31 < jtimon> well, since I'm not against credit, I'm fine if people use other-things-than-bitcoin offline, so these kind of things don't excite me that much, I haven't read the thread yet though
12:31 < adam3us> petertodd: or maybe some trust/certification/ripple stuff sneaks in and mining contribution is reduced
12:32 < jtimon> petertodd I tend to worry more about "too much security" in the chain than about "too little of it"
12:32 < petertodd> my rough guess is something like 0.1% to 1% of the total value of all Bitcoins should go to PoW security per year. Satoshi should have let that happen with either never-ending inflation, or better yet, explicit demurrage. Doing mining that way gives a very simple and stable security guarantee, and importantly works regardless of how many on-chain tx's are done.
12:32 < adam3us> jtimon: they are bitcoins, just transferred by encrypted exchange of private keys, in the model that the user doesnt know the private key and the TPM microsd card wont give it to them (or more accurately tries to prevent cloning, you can load and unload them)
12:32 < petertodd> jtimon: "too much" just means you're wasting money - not a big deal.
12:32 < petertodd> jtimon: too little and some malicious 51% attacker destroys the whole system and we're fucked - big deal
12:32 < adam3us> petertodd: but he should do NFC or QR code, not SMS :(
12:32 < petertodd> jtimon: 0.1% to 1% are pretty low numbers that can be ignored as "rounding errors"
12:33 < petertodd> adam3us: isn't that just a software detail? the hardware itself isn't what does SMS
12:33 < adam3us> petertodd: sure
12:33 < jtimon> maybe I'm too hippy or something, too much you're wasting resources, destroying more nature than you need and all that
12:33 < adam3us> petertodd: nfc/qr = network privacy. sms=privacy leak.
12:34 < petertodd> jtimon: well, meh :) I'm sure conventional transaction systems tend to spend at least similar amounts of money per year on security, likely usually much more than that
12:34 < petertodd> jtimon: I mean, hell, I'm sure with credit cards the numbers are about that *per transaction*
12:34 < jtimon> well, I'm pretty sure 2PC ripple doesn't waste more resources than it needs
12:34 < petertodd> jtimon: wastes a lot of human brainpower on person-to-person trust relationships
12:35 < jtimon> credit cards need to feed fat cats, thus their high fees, but that's another story
12:35 < petertodd> jtimon: that's a shitty way to talk about the situation and makes you sound like an occupy activist
12:36 < jtimon> petertodd I disagree on that I don't have to think a lot when a friend of mine wants to borrow 10 eur
12:36 < petertodd> jtimon: well I think you're dead wrong there :)
12:37 < petertodd> more to the point, if you can only borrow 10 eur from each friend, then actually using ripple for any large tx gets tough
12:38 < jtimon> whatever, I can say it more correctly but it just takes longer
12:38 < jtimon> was just laziness
12:38 < jtimon> credit cards are a very inefficient system for multiple reasons, I was talking about efficient systems like @PC Ripple
12:38 < jtimon> 2PC
12:38 < jtimon> petertodd: you see I believe in both counterpartyless money and credit monies complementing each other
12:40 < jtimon> to me, people that plainly reject credit as an exchange tool often sound like braindead cultist goldbugs
12:40 < jtimon> just like people plainly rejecting counterpartyless money and only accepting mutual credit sound like fanatics
12:40 < petertodd> jtimon: You see, I believe in "This Bitcoin thing just requires me to install an app on my phone. This ripple thing requires me to dick around convincing my friends to extend credit relationships to me and sounds like a shit-load of work."
12:40 < jtimon> that's just to me
12:41 < petertodd> jtimon: "Also, it's gonna be really awkward to turn down Bob because of his gambling problem."
12:41 < jtimon> petertodd: organizing a network of mutual credit local currencies is even more work
12:41 < petertodd> jtimon: "Nice guy, but still hasn't paid me back that $1000 I gave him when he got fired three years ago and needed to pay rent."
12:41 < petertodd> jtimon: "But I'd rather not bring that up again...."
12:42 < jtimon> I agree that a ripple-like network has a harder critical mass problem than bitcoin
12:42 < petertodd> jtimon: Meh, software can do that automatically, and more likely we'll have schemes where the exchange rates don't float.
12:42 < petertodd> jtimon: It's orders of magnitude harder.
12:43 < jtimon> luckily it can start with other currencies like backed currencies, bonds, coupons, shares...
12:44 < petertodd> it's totally irrelevant what currency ripple works on, the problem is the social dynamics of it
12:44 < jtimon> maybe it never goes beyond that, but I think coupons can be more important than many expect in the future
12:45 < jtimon> if you have a pub and people accept some of your "I owe you a beer at my pub" currency, why wouldn't you do that?
12:46 < petertodd> *if* people accept it
12:46 < petertodd> if they don't, then you've put a lot of effort into a system that never got used
12:47 < jtimon> mutual credit is widely used right now
12:47 < jtimon> much more than you think
12:48 < jtimon> I just want to give these systems a platform to securely inter-operate
12:48 < petertodd> I know, it's why I've said before that ripple is much more likely to catch on for b2b transactions given that 30-day-credit relationships are extremely common
12:49 < petertodd> but fundamentally you have to ask why you would use the ripple *technology* to manage those relationships? if transaction fees are sufficiently low, there isn't necessarily a compelling reason to bother
12:49 < jtimon> yeah, b2b, so called "barter networks" (they're really just another currency), coupons, local currencies...
12:50 < jtimon> to interoperate with others
12:50 < jtimon> to be able to pay with your spanish local currency in germany
12:50 < petertodd> well, again, what does ripple bring to the table? the ability to do cut-thru credit relationships, what does that do for you? potentially reduces transaction fees
12:50 < petertodd> if fees are low enough, why bother?
12:50 < jtimon> you just need a market path from the spanish local currency to the germany one
09:48 < adam3us> sipa, gmaxwell: so maybe there is a way to force the brute force to work on full preimage and not birthday via the structure of the p2sh calculation
09:49 < gmaxwell> adam3us: sure, you can make life linearly harder by using a 'vanity p2sh address'.
09:50 < adam3us> gmaxwell: as is its yet-another-consideration for the catalog of how-to safely use things (eg dont use p2sh for hashlock)
09:51 < gmaxwell> adam3us: I don't think you can say don't use p2sh for hashlock. But, certainly, you should understand the tradeoffs.
09:52 < adam3us> adam3us: yes, its another place to think about the use-case and think is it strong enough for the time-frame what are the incentives; i think its nicer to say its bullet-proof, knock yourself out for a building block
09:52 < gmaxwell> e.g. if you make the guy that will provide H(x) for the hashlock do so before the public key(s) in the hashlock script are generated, then he can't search for a p2sh.
09:53 < adam3us> gmaxwell: are you sure? the network doesnt care what you agreed offchain, just that the spender can provide s' st AH(s') = addr, and provide inputs that make s' return true
09:54 < adam3us> gmaxwell: so that only applies to inputs already on the blockchain (i think coinswap does 4 block chain tx, so that may be the case)
09:55 < adam3us> gmaxwell: eg lets say p2sh = RIPEMD160-128(y=SHA256(s))||y[0..31]
09:55 < adam3us> 128-bit truncate, and expose 32 bits from the inner hash
09:56 < adam3us> gmaxwell: not thought hard about but that might screw over the birthday attack that kind of direction anyway
09:56 < adam3us> gmaxwell: otherwise just 256-bit script hash fixes...
09:56 < gmaxwell> adam3us: You are going to pay to {something} + preimage of HX. You are concerned that if the provider of HX gives you the p2sh address for "{something} + preimage of HX" he'll know another p2sh script that lets him redeem without revealing HX.
09:57 < gmaxwell> adam3us: if you say "Tell me HX, I'll tell you the {something} and we'll use that" then the attack doesn't exist.
09:57 < gmaxwell> (under that kind of protocol, at least)
09:57 < adam3us> gmaxwell: i guess HX better be 256-bit hash output also (yes)
09:58 < adam3us> gmaxwell: err no its irrelevant for hashlock if the committer knows two preimages if either is shown, the other party can unlock with it...
09:58 < gmaxwell> adam3us: doesn't actually matter!
09:58 < gmaxwell> yep.
09:58 < adam3us> gmaxwell: right
09:59 < gmaxwell> well for hash interlock, it matters for some other things.
09:59 < gmaxwell> E.g. it matters for this one: https://en.bitcoin.it/wiki/User:Gmaxwell/why_hash_locked
10:04 < adam3us> gmaxwell: btw i think the above p2sh = RIPEMD160-128(y=SHA256(s))||y[0..31] doesnt work probably just screen for 32-bit match then O(2^32)*O(2^64)=O(2^80), the only solution i see is a bigger hash
10:05 < adam3us> maybe you can create for similar cost two public keys Q, Q' AH(Q)=AH(Q') and do some mischief to some other script assumptions, eg an expensive way to create signature malleability
10:10 < gmaxwell> adam3us: yea, thats what I meant by a linear cost increase by using a vanity address. Cute idea to use inner agreement.
10:12 < adam3us> gmaxwell: if you revealed RIPE160(y=SHA256(s))||y[0..31] i think that'd do the trick :) and actually its smaller than using 256-bit output
10:13 < adam3us> gmaxwell: (right idea, wrong parameters a few up)
10:14 < adam3us> gmaxwell: kind of like a 2nd, inner, address checksum
10:55 < adam3us> gmaxwell: about coinSwap you mentioned blind sigs but is that necessary? if each user connects using tor to submit the new address he'd like, and then all users only sign the n of n if their undisclosed but self-chosen address is in the output?
10:59 < adam3us> gmaxwell: starting to have doubts about RIPE160(y=SHA256(s))||y[0..31] isnt that a blackbox 196-bit hash and so attackable with O(2^88).. ignoring the validation method (to check last 32-bits are coming from the inner hash) - its generically blackbox birthday attackable surely!
11:12 < gmaxwell> adam3us: where did I mention blind sigs?
11:12 < gmaxwell> you mean coinjoin.
11:13 < gmaxwell> The reason you (may) need blind sigs is to prevent denial of service attacks. If you do as you describe a trouble maker can continually jam any join operation at basically no cost.
13:32 < adam3us> gmaxwell: no i meant coinswap "It's possible to construct cryptographically-blinded CoinJoins where _no one_ learns whose output is whose (except for each output's owner). CoinSwap results in the participants knowing the linkage."
13:36 < gmaxwell> adam3us: ah, in the coinswap I was comparing to coinjoin. My response applies. :) The reason you (may) want to use blind signing in establishing coinjoins is so you can figure out who is DOSing the join so you can ban them.
13:37 < adam3us> gmaxwell: ah.. duh that was a cross ref to coinjoin, and not coinswap per se
13:50 < gmaxwell> adam3us: the coinswaps are inherently 2-of-2, and so they can't be internally blind (the players still know that the coins are linked).
13:50 < gmaxwell> e.g. you don't know anyones IPs, but you know the connection between this coin and that coin that the swap is intended to conceal.
14:23 < adam3us> gmaxwell: but isnt the coin n of n general case?
14:28 < adam3us> gmaxwell: i was thinking (after coinjoin, before coinswap) that maybe you can p2p coinswap (but didnt get around to trying to figure out how) but that maybe you can chain it, so you get your recipient involved, and you dont learn their address, yet your signature approves it
14:28 < gmaxwell> yes, it should be chainable, but your probability of failure goes up, and I'm not sure that you can identify the cause of the failure.
14:37 < adam3us> gmaxwell: well eg so in coinjoin A enlists C's help to pay B but A learns B's address. if C was doing this for multiple users in parallel I was thinking maybe A can blind sign B's payment address, and to the extent there are multiple parallel protocol runs there would be an anonymity set
14:39 < adam3us> gmaxwell: but the hashlock value X being chosen by B and disclosed as part of the payment completion links the payments; however perhaps if C could choose X and use the same X for all the parallel protocol runs unlinkability within the anonymity set could be restored
14:54 < adam3us> gmaxwell: btw (reading coinjoin about zerocoin problems) "Uses an accumulator which grows forever and has no pruning" I think accumulator is fixed size, just 3072-bits. The users just have to run full nodes and keep updating w_j=g^(x_1*...*x_{j-1}*x_{j+1}*...*x_n), (omitting x_j which is theirs) so they can prove w_j^x_j==A mod n
14:55 < adam3us> gmaxwell: (but the rest of the critiques I agree, its impractically inefficient)
15:00 < amiller> adam3us, it's not the accumulator which grows unbounded
15:00 < amiller> it's the list of spent serial numbers
15:01 < amiller> you literally have to check a list of serial numbers that have already been spent every time
15:01 < adam3us> amiller: thats true, I expect thats what Greg meant presumably
15:01 < amiller> you can put them in an ever growing tree but eh
15:08 < gmaxwell> Indeed, thats what I mean there. I didn't actually mean the RSA accumulator, I chose my words foolishly. :) Just that it has an evergrowing database that you can't forget until all the coins are out.
15:08 < gmaxwell> (and if you don't have a way to close off adding new coins, never.)
15:09 < gmaxwell> there are ways around it, e.g. have accumulators which must have all their coins removed by height whatever or they're forever unrecoverable.
15:10 < gmaxwell> In any case, I wasn't trying to pan zerocoin only highlight that there were non-trivial costs: that its not magic.
20:03 < HM2> hmm NIST reviewing their crypto process
20:03 < HM2> good news i guess
--- Log closed Sun Nov 03 00:00:14 2013
--- Log opened Sun Nov 03 00:00:14 2013
08:57 < adam3us> btw i was misinterpreting https://blockchain.info/q/hashrate as in GH rather than the correct TH in my comparison a few days ago of network hash to eff des cracker ($250k, 56hrs to break one O(2^56) des key)
08:58 < sipa> gribble has a ;;nethash command that gives a good estimate in GH/s
08:59 < sipa> (it's pulled from my site)
08:59 < sipa> oh, you're not in #bitcoin-dev ?
08:59 < adam3us> so.. bitcoin is actually doing O(2^71) work puzzles (or O(2^72) if you count each of the double hashes) per 10mins, and if bitcoin was attacking DES (which is probably easier than 1 SHA256 round as DES is ASIC friendly) could do in 9.4ms per DES key to deepcrack's 56hrs
08:59 < sipa> that reasoning is flawed IMHO, as the current ASICs cannot do DES at all
08:59 < adam3us> and if focussed on skipjack (80bit previously secret NSA cipher in clipper) it could break one of those every 2 days
09:00 < sipa> yes, it would cost the same or less to produce a similar amount of ASICs that could do DES
09:00 < sipa> but contrary to Bitcoin mining, it does not pay for itself
09:00 < adam3us> sipa: yes its a what if and gmaxwell noted DES is actually more ASIC friendly
09:00 < sipa> i'm sure it is
09:00 < sipa> but i don't think that's very relevant
09:01 < sipa> unless you just want a "how much would it cost to crack DES" computation
09:01 < adam3us> sipa: sure; i just think its interesting to express security of the hash in O(2^k) for comparison and ... 72-bits is a surprising amount for 10mins
09:01 < adam3us> sipa: (eg for comparison to the birthday attack on p2sh addresses which is itself O(2^80) + tmto)
09:02 < sipa> it's 2**51.85 double-SHA256 per second
09:02 < adam3us> sipa: that makes the RIPEMD160 birthday attack not entirely theoretical
09:02 < adam3us> sipa: err that sounds like my previous gh calc
09:03 < adam3us> https://blockchain.info/q/hashrate = 3983800.965092061
09:03 < sipa> we're at 2**73.5 double-SHA256 in total, ever
09:03 < adam3us> and thats TH so basically 4 PH
09:03 < sipa> i refuse to look at b.i
15:25 < gmaxwell> maaku: sure, if your output sizes are not equal, and you exclude the possibility that users aren't doing fun things like paying eachother with imbalanced transactions... then you get some probability mass for any output that it came from any one of the inputs.. and the distribution isn't flat.
15:25 < gmaxwell> e.g. it couldn't have come from any initial parties that had less coin than it as the first example.
15:26 < gmaxwell> if you have a chain of transactions then you can say "it could have come from A or B, if and only if Z didn't come from A or B, if Z did then it came from B or C"
15:28 < maaku> Although coinjoin payments throw a muck in that
15:29 < maaku> The anonymity set is bounded by the number of participants, obviously
15:29 < gmaxwell> yea, or fancier things.. like do a CJ transaction where you put in 2 BTC, and I put in 1 BTC... and I walk away with 2 BTC and you walk away with 1 BTC. You just paid me 1 BTC... and someone trying to deanonymize with values got an exactly opposite result.
15:30 < maaku> When you limit yourself to standard sizes, you limit yourself to the people actually participating at that level
15:30 < maaku> Whereas if you allow any random output amounts, then there's even mixing between "levels" going on
15:30 < gmaxwell> yea, I don't like _forcing_ sizes, but obviously you get better privacy if you make use of size alignment where it exists.
15:31 < gmaxwell> especially if people are doing things like pay-to-payment where 2,1 becomes 1,2 ... making value analysis unreliable.
15:32 < maaku> I haven't formalized this, but my intuition is that if we let output sizes be a random walk based on availability, or even guided to "equalize" the distribution of outputs, you'd get maximal anonymity that way
15:32 < maaku> Much better than standardizing on fixed sizes, which actually hurts you relative to the anonymity you could achieve
15:33 < gmaxwell> sort of would make an interesting payment protocol addition. "pay me xxx BTC to yyy, oh yea, and add these extra inputs too I'll worry about getting them signed"
15:33 < maaku> Yeah that would be a good addition
15:34 < gmaxwell> lets you handle dust consolidation too.
15:40 < phantomcircuit> maaku, the output sizes would then be largely set by the meeting point then right?
15:41 < petertodd> gmaxwell: got a name for that concept? good addition to the payment protocol for sure
15:41 < gmaxwell> its sort of the opposite of change.
15:41 < maaku> phantomcircuit: my design allows participants to set allowed ranges, and the joiner / meeting point decides the actual output sizes
15:42 < maaku> it's fully p2p so all clients spend some time participating in other proposed joins, some time organizing their own
15:43 < phantomcircuit> oh using blinding and what not?
15:43 < phantomcircuit> maaku, are you relying on being able to get tor to give you a new hidden service locally? because it's unpossible to make it do that
15:44 < phantomcircuit> i actually tried to add it as a control instruction but it doesn't seem to work except during initialization
15:44 < phantomcircuit> didn't investigate why though
15:45 < andytoshi> can you do it with two fixed hidden services?
15:45 < maaku> andytoshi: no the anonymous revelation is one-use-only
15:46 < maaku> phantomcircuit: I find that hard to believe, unless I'm misunderstanding what you're saying
15:46 < maaku> all you need is one new circuit to broadcast the revelation message
15:47 < phantomcircuit> maaku, im asking if you need the individual clients to have their own hidden service address
15:47 < phantomcircuit> or whether you have a central meeting point with its own fixed address
15:48 < phantomcircuit> if you need to generate a hidden service endpoint on the clients side
15:48 < phantomcircuit> you're gonna have a bad time
15:48 < maaku> no you do not
15:49 < maaku> clients have fixed endpoints, but there is no central server
15:49 < maaku> the revelation message only needs to be broadcast on a new circuit
15:49 < phantomcircuit> ok
15:49 < maaku> but it doesn't need a hidden service for that
15:49 < maaku> but it's a complicated question because it's getting into low-level details that could change
15:49 < phantomcircuit> you'll need them to setup the hidden service manually still but at least that is a one time setup
15:50 < maaku> for example I've proposed implementing it over bitmessage, which may or may not need a full hidden service; i don't know
15:51 < maaku> but in principle, you just need to connect over a new circuit and broadcast to a random selection of peers the revelation message, and wait to hear the same message arrive at your normal fixed hidden service port, then disconnect and dissolve the circuit
15:53 < maaku> but to andytoshi's point you certainly don't want the 2nd connection to be fixed, because then you could link successive joins to the same person, under some circumstances at least
15:58 < gmaxwell> maaku: there is a bunch of data that you actually need to make sure are consistent for all the players, or you have a risk of the server deanonymizing people even with multiple real players.. though these things could be addressed with the same mechanism I suggested for address reuse.
15:59 < gmaxwell> but I don't know if it matters all that much just due to the risk that the attacker makes all your counterparties sybs.
15:59 < phantomcircuit> oh and something to keep in mind
16:00 < phantomcircuit> if you're using public derivation with an hd wallet then they can figure out if you're using the same chain by just generating them
16:00 < gmaxwell> phantomcircuit: huh, no only if you give them an extended public key, and why would you do that?
16:00 < phantomcircuit> gmaxwell, laziness?
16:01 < phantomcircuit> im pretty sure i've seen at least one person suggesting it
16:03 < gmaxwell> I used a crazy rhetorical stunt on the OTR mailing list today and I think it worked.
16:04 < phantomcircuit> gmaxwell, link?
16:04 < phantomcircuit> or is it postman
16:04 < phantomcircuit> stupid postman
16:04 < gmaxwell> Some guy was arguing that MPOTR shouldn't have non-non-repudiation (the OTR deniability property) because it's hard and because people will believe totally unauthenticated transcripts anyways, so the non-non-repudiation buys you nothing.
16:05 < gmaxwell> I responded, and in my response I edited the quotation so that he was saying he was a state sponsored shill.
16:05 < BlueMatt> heh
16:05 < gmaxwell> To which he responded perfectly "It's also unethical to silent change my quote to read something I didn't say."
16:05 < gmaxwell> To which I responded, "Do you mean to suggest that you actually have an ability to refute a
16:05 < gmaxwell> non-cryptographically attested transcript? And that someone might
16:05 < gmaxwell> believe your claim that it was forged? Interesting."
16:05 < andytoshi> ha!
16:06 < gmaxwell> and ... he seems to have now softened his position! O_o
16:06 < BlueMatt> heh, nice
16:07 < nsh> gmaxwell, could summarize the current status of MPOTR? are there workable algorithms/libraries/architectures?
16:07 < nsh> *could you
16:07 < nsh> that would be a nice thing for everyone to have about now...
16:08 < gmaxwell> nsh: I haven't kept up with it. There is a paper published on it, I read it when it came out, and concluded it sounded sensible and forgot it.
16:08 < nsh> ok
16:08 < gmaxwell> Actually implementing it is hard because the obvious way of achieving it has a consensus problem buried into it.
16:08 < gmaxwell> (fortunately not an anonymous consensus though)
16:09 < nsh> hmm
16:09 < nsh> what is consensuated?
16:09 < gmaxwell> basically you divide the chat into arbitrarily short epochs and when everyone agrees an epoch has ended you publish the authentication keys so that all parties could fake the transcript.
16:10 < nsh> hmm
16:10 < gmaxwell> You need a consensus that an epoch is over, or someone could trick you into disclosing your authentication key prematurely, and then create forged messages from you for anyone else who doesn't believe the epoch is complete.
16:10 * nsh nods
16:11 < gmaxwell> This is all a problem because you want the property that no chart participant can pretend to be any other in realtime, but later any party can create a forged transcript.
16:11 < gmaxwell> s/chart/chat/
16:11 < gmaxwell> If you don't care about the people pretending to be each other there are a bunch of simple things to do.
16:12 < nsh> hmm
16:12 < gmaxwell> OTR does the same thing, but 2 party consensus is trivial. :P
16:12 < nsh> aye
17:00 < jrmithdobbs> you can't "get it out"
17:01 < jrmithdobbs> erm, wrong channel
17:43 < phantomcircuit> jrmithdobbs, lol @ no context
19:01 < gmaxwell> andytoshi: ... bad luck on that thread on bitcointalk.
19:02 < Luke-Jr> luck? O.o
19:08 < andytoshi> haha
19:08 < andytoshi> i think i made him look like enough of a tool that people will hesitate to use his software
19:09 < andytoshi> (not that people who need encryption would be searching bitcointalk anyway)
19:09 < jrmithdobbs> andytoshi: still waiting on that to work with tux
19:24 < BlueMatt> are there any serious or semi-serious proposals for how to fix an altcoin 1:1 to bitcoin without a large cost to bitcoin miners given some hardfork changes to bitcoin?
19:26 < gmaxwell> if not for the disabled operators you could probably do it without hardfork changes to bitcoin, though you would only have SPV security in the altcoin-bitcoin direction.
19:27 < BlueMatt> even getting spv security in the altcoin-> bitcoin direction is non-trivial, no?
19:27 < BlueMatt> (given hardfork to reenable opcodes)
19:27 < BlueMatt> you'd have to have the whole chain history, or some subset starting from the time of the bitcoin->altcoin transfer
19:28 < BlueMatt> well, whole block-header-chain-history
19:28 < gmaxwell> yea, you just write a script that can do a spv validation and then takes a chunk of headers of a prespecified sufficient difficulty.
05:10 < gmaxwell> if not they may be in for a helluva ride as the hashrate majority when I looked _appeared_ to be on the acceptable-to-all fork
05:11 < gmaxwell> who the heck knows what happens if you upgrade to code that imposes a checkpoint you've long since violated and you don't reindex.
05:12 < brisque> the commit only checkpoints two very late blocks, but I'm not really sure how the behaviour works
05:12 < brisque> https://github.com/dogecoin/dogecoin/commit/dab72582b657395a25e25f4ea367b8b8990db460
05:13 < brisque> in the first commit they only checkpoint the later block *after* the fork, but wisely added a checkpoint for the forking block later on.
05:13 < gmaxwell> this sounds like a bad idea, if the hashrate majority is on the old stuff, they'll keep on trucking. If its on the new stuff, they didn't need the checkpoint at all.
05:15 < brisque> from their IRC (signal to noise was off the chart, it was hard to tell) the older branch had the majority and was overtaking the newer clients with the forking change. as the original instructions from the developer were to upgrade at all costs, I guess they just went with it.
05:15 < gmaxwell> also if you upgrade a node already past the checkpoint on the non-checkpointed chain, it's not going to reorg on its own unless you do a reindex.
05:16 < gmaxwell> seems like a really bad plan to me, since they won't know for sure if they'll actually get the majority to switch fast.
05:16 < gmaxwell> so it might make a huge reorg days later...
05:19 < brisque> I'm not sure it was thought through that much, from talking to the developer before he was certainly trying to grapple with what was going on, but doesn't have that much experience with the finer points.
05:20 < gmaxwell> my strategy would have been to revert the change, set the change to trigger in the future, checkpoint the chain everyone can accept. release and nag everyone to upgrade to that.
05:21 < brisque> sounds familiar.
05:21 < gmaxwell> that would avoid any (further) reorgs assuming the hashpower majority was already on the generally acceptable chain.
05:21 < gmaxwell> it's even _better_ than when we did it in bitcoin, if the hashpower majority is on the generally acceptable chain most of the time.
05:22 < gmaxwell> (bitcoin was screwed because there was a decisive hashpower majority on a chain the majority of nodes would reject)
05:24 < brisque> handled with relative grace given the circumstances. it would have been harder with a majority p2pool, but significantly easier now that we have two pools with a majority hashrate.
05:26 < gmaxwell> well it wouldn't have happened at all really with p2pool. majority of nodes were not on the fork creating version we would have just gotten a _single_ orphan block out of it and probably not noticed the event. :( (if thats good or bad it's unclear!)
05:27 < gmaxwell> it's actually an interesting question if the BIP50 fork actually happened earlier and we missed it because the old chain got ahead fast enough.
05:28 < brisque> the 0.8 chain was from a single pool wasn't it?
05:29 < brisque> wouldn't they have noticed the sudden increase in orphaned blocks?
05:29 < gmaxwell> no, it was from two primarily.
05:29 < brisque> BTCGuild and Slush, got it.
05:29 < gmaxwell> brisque: I mean in a hypothetical world where hashpower wasn't consolidated at a big pool...
05:30 < gmaxwell> the trigger was pretty hard to hit, we went for months before triggering it again after the large blocks were allowed again.
05:30 < gmaxwell> I think we've triggered large numbers of unpatched 0.7 nodes to misbehave only twice since.
05:30 < brisque> so 0.7 clients without a modified database configuration are permanently orphaned now?
05:30 < gmaxwell> no because its non-deterministic.
05:30 < gmaxwell> the last time apparently got a lot of them though.
05:31 < gmaxwell> I'd bet you could sync a new one from start successfully now though.
05:32 < gmaxwell> if instead the <0.8 nodes solved two blocks before the 0.8 only chain got a second, it would have just been orphaned and probably no one would have noticed, since that orphan producing 0.8 node would likely have not triggered it again with its next block.
05:32 < gmaxwell> (as some portion of its txn would have been included on the <0.8 chain.)
05:33 < brisque> I've a few 0.7.99 clients at the current highest block, so you're likely right with that.
05:34 < gmaxwell> 0.7.99 = 0.8 for this purpose.
05:35 < michagogo|cloud> 12:26:40 <gmaxwell> well it wouldn't have happened at all really with p2pool. majority of nodes were not on the fork creating version we would have just gotten a _single_ orphan block out of it and probably not noticed the event. :( (if thats good or bad it's unclear!)
05:36 < michagogo|cloud> B
05:37 < michagogo|cloud> Gah, I hate when that happens
05:39 < michagogo|cloud> But wouldn't the transactions have ended up in the mempools of the upgraded nodes, getting remined again at each block that an upgraded node mined?
05:41 < gmaxwell> michagogo|cloud: yes, creating single height forks which wouldn't continue (far) if they were in the minority, and would stop if they restarted, and would stop if they switched to the latest build. and since they were already running the latest code, there is a prior probability that they're likely to upgrade.
05:45 < michagogo|cloud> gmaxwell: Sure, but it wouldn't just be a single block, it would be a bunch of 1-deep forks, and I think "oh, I stopped getting doges for my mining" would have led to it being noticed
05:50 < gmaxwell> michagogo|cloud: I think you're splicing two discussions now.
05:50 < gmaxwell> not being noticed was a comment on the bitcoin pre-0.8 vs 0.8 hardfork
05:50 < michagogo|cloud> oh
05:50 < gmaxwell> which wouldn't have likely retriggered.
05:50 < michagogo|cloud> ...right, sorry
05:51 * michagogo|cloud rereads
05:51 * michagogo|cloud goes back into his corner
07:47 < adam3us> i liked jtimon's use of the word scamcoin to cover param-tweaks. i do think we need a clear tone setting term for param-tweaks vs actual alts, the scam coins are unduly dirtying even the concept of alts; alts with actual innovation could be useful things; as we've discussed btc pegged side-chains are good for some types of things, but actual experiments in proof of work, economics may not be possible to fit into that model
07:49 < brisque> adam3us: what do you call things like Primecoin and NXT? they're not parameter tweaks, but still not sane things to be promoting. as soon as you create differentiation you end up encouraging one over the other.
07:49 < adam3us> (and btc pegged side-chains have some technical and game-theory open questions, though it's an idea I find interesting and perhaps of great value to bitcoin ecosystem so eg we can run bitcoin 0.x and bitcoin 1.x in parallel, or competing bitcoin 1a.x and bitcoin 1b.x
07:50 < adam3us> brisque: yes i do wonder about that. as i said on a private chat prime coin is pretty close to another scam coin. the paper talking about the scientific method is not credible. it doesnt benefit the world to search for pairs of mid-sized primes any more than searching for hashcash stamps for the bitcoin stamp-collection
07:51 < sipa> i also believe not all "silly" altcoins are intended as scams
07:51 < brisque> I'd have to check, but I'm sceptical that their prime searching thing is reliable as a hash too.
07:52 < adam3us> you know i think momentum PoW might actually have some utility, the paper describing it is undefined/ambiguous on most of the critical issues; but i think reverse engineering it, it might actually be an interesting step towards a memory hard pow that doesnt require memory to verify (despite failing multiple other features he set himself)
07:53 < brisque> sipa: it might not be intended that way, but anybody looking at the Alternate Cryptocurrencies subforum should certainly be able to work out what's going on.
07:53 < adam3us> sipa: yeah scam might be the wrong word. i just think we owe like jtimon & maaku credit for having a non scamcoin, and just ranting against alts unfairly taints their freicoin economic experiment
07:54 < sipa> there are really many cases
07:55 < sipa> of course, a ton of silly alts (just tweaking some parameters)
07:55 < adam3us> brisque: there can be a difference between ooh make-money-fast, missed the bitcoin bubble, maybe i too can get some small early-adopter mining/premine mentality which isnt exactly a scam (other than egregious premine) but an attempt to get rich now that the proof has been given over 3 years of high uncertainty with bitcoin bootstrap that crypto currencies can bootstrap
07:55 < sipa> there are some that try to address a different problem (namecoin, datacoin)
07:56 < sipa> some are failed experiments on their own (litecoin as gpu-resistant pow perhaps)
07:56 < sipa> ppcoin was interesting, but flawed imho
07:56 < adam3us> and it can be somewhat hard to untangle. like if coingen succeeds in squelching param tweaks, maybe the people who can use a compiler enough to not need a hosted compiler will then just try harder to make a story
07:56 < brisque> adam3us: yes, but that said you don't want to be promoting NXT. it isn't a parameter swap but it's ridiculously insecure.
07:56 < adam3us> sipa: that probably becomes the new min-bar for "innovation"
07:57 < adam3us> brisque: very true.
07:57 < sipa> i've long been thinking about creating my own altcoin
07:57 < adam3us> see we have like "moron coins" and "good coder but crypto/distributed system incompetent" coins and usually a lot of greed and a bit of scam mixed in
07:57 < sipa> to fix all things that are wrong in bitcoin :)
07:58 < sipa> but time...
23:21 < gmaxwell> they create malicious blocks, okay fine. Does this chain of malicious blocks have the most total POW of all the chains you can see.
23:21 < Taek42> (not that I think it's a realistic attack - just having fun)
23:21 < gmaxwell> ?
23:21 < Taek42> start from the genesis block
23:21 < Taek42> connect to the 'internet' (which is actually controlled by the NSA)
23:22 < Taek42> so every block you see has been manipulated
23:22 < Taek42> by your upstream attacker
23:23 < gmaxwell> Yea, okay. You're talking about an isolation attack.
23:23 < Taek42> yeah
23:23 < Taek42> sorry still learning the terms
23:24 < gmaxwell> So, a couple defenses: any client software should have the total work of the real network at the time of its creation coded into it, so a rewrite from genesis attack reduces to being able to get honest software. (unless the attacker has enough hashpower to overcome the network thoroughly)
23:25 < gmaxwell> If thats the case, then they can only isolate you relative to a recent forking of the network which means unless they have very significant hashpower they can only create blocks slowly.
23:25 < gmaxwell> Because you're validating blocks they can only create an apparently valid chain only spend their own coins on you (or newly mined coins, but those can't be spent until they've produced >100 blocks)
23:26 < Taek42> wait that last part - newly mined coins can't be spent right away?
23:26 < gmaxwell> no, not for 100 blocks.
23:27 < Taek42> didn't know that
23:27 < Taek42> I'd like to see a currency (soon) that could realistically support blocks every few hundred milliseconds
23:28 < wyager> Why?
23:28 < Taek42> so that bitcoin could be used in stores and be as fast as credit cards
23:28 < gmaxwell> Taek42: ...
23:28 < wyager> It already can.
23:28 < wyager> You don't *need* to wait for a confirmation
23:28 < Taek42> with the help of a centralized party
23:28 < Taek42> or if the store owner takes a risk and doesn't confirm
23:28 < gmaxwell> complete misunderstanding there. Bitcoin transactions are already instant, their irreversibility takes time. Credit card transactions are reversible for _months_.
23:28 < wyager> conventional wisdom tells us waiting a few seconds for a double spend is "good enough"
23:28 < gmaxwell> wyager: uhhhh
23:28 < wyager> Which is true
23:29 < wyager> (to be clear: Wait 5 seconds to make sure no one sent out a competing txn, then you're good)
23:29 < gmaxwell> wyager: thats really not true, not at all. It depends on the specifics of your situation and doesn't generalize. In some cases it's perfectly fine, in others its not.
23:29 < wyager> OK, true
23:29 < Taek42> credit card transactions are reversible under a set of rules that are trusted by the centralized system we use today
23:29 < wyager> Don't do that for expensive transactions. But if you're buying milk and eggs at the store, I'd say it's fine.
23:30 < gmaxwell> Taek42: no they're not, call up your credit card company. They will reverse _any_ transaction. You just have to ask.
23:30 < gmaxwell> (and of course tell them some yarn about how it couldn't have been yours)
23:30 < wyager> ^It's true. You don't even need to sign anything.
23:30 < wyager> And the *only* time the CC companies side with the merchant is if the merchant has an ink imprint of your physical card and a physical copy of your signature
23:30 < Taek42> yes but for the most part store owners don't have to deal with large enough losses
23:30 < wyager> which no one ever does
23:31 < wyager> They certainly do
23:31 < gmaxwell> Taek42: the merchant gets told and of course could sue you or ban you from their store. But they could do the same with a bitcoin transaction if their security procedures were setup for it.
23:31 < wyager> most stores pay chargeback insurance
23:31 < gmaxwell> Taek42: in any case, you cannot have a bitcoin like system with 100ms blocks, it wouldn't be reliably convergent.
23:31 < Taek42> right but we'd like a system where you don't need all of that fuss
23:31 < gmaxwell> Taek42: already in bitcoin with our moderately sized blocks we get 90% propagation taking a couple seconds.
23:31 < Taek42> well, I don't think you could have a single global blockchain
23:32 < Taek42> I'm here to talk about what types of changes might make it feasible
23:32 < wyager> Then how do you know your blockchain is correct?
23:32 < gmaxwell> if the mean time between blocks falls below the network radius the system will stop converging. (e.g. orphan rate tends to >100%)
23:32 < Luke-Jr> nevermind credit cards, lots of stores take personal checks..
23:32 < gmaxwell> Taek42: you could have a control loop to control orphan levels, the result wouldn't be 100ms.
23:33 < gmaxwell> not unless the network collapsed to excluding miners outside of a few geographically close and well connected data centers.
23:33 < Taek42> well let's relax it to 5 seconds then
23:33 < Taek42> actually
23:33 < Taek42> let me think for a minute or so
23:33 < gmaxwell> Taek42: great, so then you have times when the first confirmation takes 50 seconds due to variance.
23:33 < Luke-Jr> Taek42: more often blocks = lower difficulty = less security per block
23:33 < Taek42> true
23:34 < Luke-Jr> there's simply no need for blocks faster than 10 minutes
23:34 < Taek42> why not?
23:34 < gmaxwell> seriously, expecting a blockchain consensus to be instant is foolish and unnecessary. There are plenty of ways to secure payments for instant transactions which don't involve centralizing things.
23:34 < kyrio> lol
23:34 < Taek42> what if imgur wants to switch to a system where people pay in bitcoins before downloading an image from their servers?
23:34 < Taek42> a true micropayment system?
23:35 < Taek42> gmaxwell people would have said the same thing about bitcoin 10 years ago
23:35 < Taek42> and still say the same about it today
23:35 < gmaxwell> Taek42: then they can't use direct bitcoin payments for every item regardless because of scalability. Bitcoin is a global broadcast network. People in china don't care about imgur's dust payments. They could use a micropayment channel, for example, however.
23:35 < gmaxwell> and those increment instantly.
23:36 < Taek42> how do micropayment channels work?
23:36 < gmaxwell> seriously, please spend some time researching before showing up asking to redesign a system you aren't fully up to speed on yet.
23:36 < Taek42> I've spent lots of time researching
23:36 < Taek42> but there's lots to look at
23:37 < Luke-Jr> Taek42: there's no need for blocks faster than 10 minutes, because TODAY, 10 minutes is INSANELY FASTER THAN EVERYTHING ELSE
23:37 < kyrio> lol
23:37 < gmaxwell> kyrio: can you say anything else?
23:37 < Luke-Jr> credit cards take 6+ months to confirm
23:37 < Luke-Jr> personal checks, you don't even know if the person has the money!
23:37 < Taek42> Luke-Jr that's a bit of a poor argument. Just because it's better than everything that currently exists doesn't mean that it's better than what is maximally useful
23:37 < gmaxwell> Luke-Jr: Yes, though you may need some additional things to give bitcoin credit card parity, depending on the application.
23:38 < Luke-Jr> gmaxwell: caselaw is the only thing that comes to mind <.<
23:38 < gmaxwell> Taek42: reducing the block time has a lot of collateral effects, however, and can never guarantee "instant" on its own.
23:39 < gmaxwell> Luke-Jr: well, for example, digital ID that will allow a defrauded merchant to sue the cheating customer in the case of a reversal. (for items of value great enough to bother doing that)
23:40 < Luke-Jr> gmaxwell: merchants could easily require scanning your photo id to accept bitcoin payments
23:41 < gmaxwell> Taek42: e.g. say you have an orphan rate targeting thing and you ignore the node and client operating costs. What will its speed be if you're targeting <10% orphans or whatever? median time to network saturation is a few seconds, so needs to be 1/ some multiple of that, say 10 seconds. Which means you're going to get 1+ minute confirmation times pretty often, and a single confirm is not terribly persuasive esp in a network with ...
23:41 < gmaxwell> ... 10% orphans.
23:41 < gmaxwell> Luke-Jr: sure. some do.
23:43 < gmaxwell> Taek42: for something which is a true micropayment system, some semi-decentralized but not trustless clearing house probably does provide a pretty optimal tradeoff. Because you can have instant processing, and the trust exposure is minimal since you're talking about very small values...
23:44 < Taek42> sounds reasonable to me
23:44 < gmaxwell> e.g. you assign coins to a bank run by 5 entities such that it requires 3 out of the 5 to spend the coins, then the 5 entities cooperate to operate a micropayment system.
23:44 < gmaxwell> bitcoin's multisignature transactions directly facilitate that.
23:44 < gmaxwell> and then you can reasonably have deeply subsecond payments for very tiny amounts.
23:44 < Taek42> I've tried reading about the multisignature transactions, and I get a bit confused
23:45 < Taek42> my friend said there's a limit of like 3 signatures?
23:46 < Luke-Jr> just to use the public infrastructure
23:46 < Luke-Jr> up to 20 if you make private arrangements
23:47 < Luke-Jr> and that's to spend, not to receive
23:47 < gmaxwell> No. Distinction between IsStandard() and the rules of the system. Basically unusual transactions are not relayed by the network to prevent them from being used for DOS attacks... IsStandard doesn't need to be consistent across the network and is easily changed in updates.
23:47 < Taek42> ok
23:48 < Luke-Jr> IsStandard isn't centralised either - any miner can change it for himself
23:58 < Taek42> gmaxwell (and everybody), what altcoins do you think are most interesting?
23:59 < Luke-Jr> Tonal Bitcoin, Namecoin, and Freicoin are pretty much all
23:59 < wyager> Primecoin, but I don't trust that prime finding difficulty will stay significant
--- Log closed Tue Jan 07 00:00:00 2014
05:01 < gmaxwell> where the website isn't scraping their keys, where its rng isn't weak, where they actually manage to memorize a key that attackers with big fpga farms won't guess, but don't then manage to forget it. ... and then later they come back to collect their coins and don't mess up a copy and paste on the destination, and finally don't manage to send all their coins to fees.
05:02 < gmaxwell> And in the interim hopefully there wasn't an ECDSA or RIPEMD160 break that left them behind in some hard forking update that was easily handled by normal software wallets, but not by specific keys people have memorized.
05:02 < Emcy> yeah bitcoin has a lot of ways to ensure you spend your retirement in the dosshouse.....
05:03 < Emcy> tbh im really really scared about when the time comes to move what coins i have again
05:03 < wumpus> to be fair, storing a large amount of value in any physical commodity is just as risky
05:04 < Emcy> im waiting for you to finish HD wallets.....then wait some more incase theres some atrocious bug.......
05:04 < wumpus> I hardly even dare to touch the wallet code, apart from fixing bugs or small code movements :p
05:07 < Emcy> yeah bitcoin development, 4 guys squatting digging up a landmine because it has to be moved over there to make room for the snake pit
05:08 < wumpus> hah
05:24 < adam3us> gmaxwell, Emcy: yes i worry about bitflips - we saw the first hand 2x in mozy (50Pb cloud store) bitflip twice in ECC ram that were detected
05:26 < adam3us> gmaxwell, Emcy: if you do something enough on enough servers, you will get a bitflip in data (or code); that was in ram between upload and store to disk (a short period of time), and they made it more robust by reading back from disk and checking the hash again if i recall
05:27 < Emcy> 2 bits in 50pb? thats safe as houses
05:27 < adam3us> i would not recommend moving more than 5% of money in one tx on a big tx really - i think the bitstamp moving 195k coins = $150m were nuts
05:57 < wumpus> Emcy: remember that most consumer tech is not quite as reliable as servers
06:07 < midnightmagic> yikes(bitflips in ecc ram)
06:08 < midnightmagic> i've seen it happen on 24tb storage arrays
08:21 < adam3us> Emcy: safe as houses; hmm basically its relatively safe, but not quite - if its an amount of money you cant afford to lose i think its better to do it in stages (5% per time) and/or to add extra double checks
08:25 < adam3us> Emcy: already bitcoin has 32-bit truncated sha256 checksum included in the address format, but if the address got bit-flipped before going to the network. maybe other nodes would consider an invalid checksum address as invalid. does the checksum even exist at the wire level? or is that a human encoding only thing.
08:25 < adam3us> Emcy: otherwise sooner or later as transaction volume grows that WILL happen to someone
08:45 < andytoshi> adam3us: there are indeed no checksums at the wire level
09:09 < andytoshi> gmaxwell: just saw your response to that encrypt-to-address thing
09:10 < andytoshi> yikes, why did he think it was responsible to release encryption software when he didn't know how it worked?
09:11 < andytoshi> oh, i see, it's a bit more subtle than that..
09:19 < andytoshi> i read "what is the nonce" and thought uh-oh
11:43 < adam3us> andytoshi: there is probably an implied checksum on any signed tx, the recipients addr is signed by the senders private key; if any bits are flipped (in recipient addr, or sig, or pub key, or output values) the sig is invalid so the tx is ignored
12:06 < gmaxwell> adam3us: we do have a checksum on the wire.
12:06 < gmaxwell> not that it really matters that much since all the important data is authenticated.
12:10 < Luke-Jr> sigh
12:10 < Luke-Jr> gmaxwell: well, it does with the anti-DoS stuff
12:10 < Luke-Jr> gmaxwell: without a checksum, people would get banned for corruption
12:35 < maaku> adam3us: there isn't any checksum protecting the data from the time the transaction is created to the moment it is signed
12:35 < maaku> a not insignificant amount of time if you are getting signatures from offline devices, for example
12:36 < Luke-Jr> perhaps we should be creating and signing every transaction twice
12:36 < Luke-Jr> with a comparison
12:36 < andytoshi> maybe this is something to think about for version 2 transactions..
12:37 < andytoshi> also have a way to indicate if outputs are blinded
12:37 < andytoshi> so that createrawtransaction would deal with them
12:46 < maaku> I think this is a higher-level problem
12:46 < maaku> We just need an interchange format that includes checksums
12:47 < maaku> Of which there are probably multiple bips I am not familiar with
12:50 < maaku> The raw transaction apis should be working with these enveloped transactions
12:51 < andytoshi> yeah, i agree .. hopefully there is a bip about this
12:52 * maaku reviews the bip list and is surprised that there isn't one covering this
12:52 < andytoshi> damn, there's probably too many usecases to consider
12:53 < maaku> Well I'm not sure that matters. It could literally be as simple as "strip all signatures, calculate 4-byte checksum, append checksum & prefix version, base58 encode"
12:53 < maaku> Then internally, that checksum could be checked before signing
12:55 < helo> can it be validated after it is signed?
12:55 < Luke-Jr> andytoshi: you sockpuppet!
12:55 < andytoshi> Luke-Jr: haha, i was gonna bug you about that..
12:55 < helo> a lot of pre-signing bitflips would cause the tx to fail normal verification
12:55 < andytoshi> then i realized that obviously nothing you or i say would help
12:55 < maaku> yeah, but safety check - you don't want signatures to exist for transactions you didn't mean to sign
12:55 < maaku> helo: but there are some which won't
12:56 < maaku> e.g. bitflip in the pubkey-hash
12:56 < helo> right... so validate those after signing?
12:56 < maaku> you could do that ... but is that solving a problem?
12:57 < helo> not afaict :)
12:58 < andytoshi> maaku: i'd like a transaction envelope which can have some or all signatures available..
12:58 < maaku> andytoshi: sure it can include the signatures
12:58 < maaku> but the checksum has to be sig-less
12:59 < andytoshi> ah, i see
13:02 < andytoshi> would there be any point to having a MAC as well?
13:02 < andytoshi> i'm thinking about the reasons that people pass raw transactions around today..
13:02 < andytoshi> i guess, an optional mac, if it were required then the checksum would accomplish nothing..
13:04 < andytoshi> hmm, actually any authenticating tokens would have to be negotiated outside of this format anyway
13:04 < maaku> well the authentication purpose of the MAC is covered by the signature, no?
13:04 < andytoshi> yeah, when you have a signature -- but if, say, i was submitting an unsigned transaction for long-term storage for some reason
13:04 < maaku> well maybe there's a use case involving third parties I'm not thinking of
13:05 < andytoshi> but i think that problem should be solved on a still higher level
13:06 < andytoshi> a checksum would cover innocuous corruption, that's pretty-much all we could prevent with the information associated with an unsigned transaction
13:29 < petertodd> handed in my resignation at work: http://0bin.net/paste/TW-j6eQy8SPX6KOW#W6xba/5CVZcf8xpA/YLtz+cGcjb8CMYNhfE7lNdbuwU=
13:30 < petertodd> I thought PGP-signing it would be appropriate; hilarious that there's a hard-copy of that now with my pen-and-paper signature on it too
13:46 * nsh raises a glass to commemorate petertodd's career transition
13:47 < gmaxwell> nsh: is that ... hemlock?
13:48 < nsh> oops, wrong party
13:48 < nsh> :)
13:48 < gmaxwell> petertodd: congrats
13:54 < michagogo|cloud> petertodd: how is that hilarious?
13:59 < petertodd> Thanks!
13:59 < petertodd> And ha, I manged to get the date wrong... it's January 24th that I leave, Feb 1st is the start date with mastercoin.
13:59 < petertodd> *managed
13:59 * michagogo|cloud doesn't find that funny
14:00 < petertodd> michagogo|cloud: that's because you're a pseudonym :p
14:00 < petertodd> brb, meeting
14:00 < michagogo|cloud> petertodd: huh?
14:01 < michagogo|cloud> Why is it funny to PGP-sign and pen-on-paper-sign the same document? o_A
14:01 < michagogo|cloud> s/A/O/
14:23 < petertodd> michagogo|cloud: it's a bit redundant IMO, or really, calls into question the whole idea of "signing" things
14:23 < petertodd> michagogo|cloud: shows how all the paperless office stuff just hasn't taken off too
14:23 < michagogo|cloud> Sure
14:23 < michagogo|cloud> But I, personally, don't find it funny...
14:24 < petertodd> well, as I said, you're a pseudonym utterly dependent on PGP :P
14:24 < michagogo|cloud> I am?
14:24 < gmaxwell> Don't worry, I found it funny.
14:25 < petertodd> gmaxwell: heh, HR found it hilarious, and also impressively knew exactly what the PGP signature was too!
14:25 < phantomcircuit> the redundant department of redundancy and redundant things
14:27 < petertodd> phantomcircuit: funny that that department is known for analyzing and reducing redundancies... but only external to it
14:28 < phantomcircuit> electronics designer? does that mean you make the things pretty
14:29 < petertodd> phantomcircuit: yes, I make beautiful artworks that sadly have an exceptionally small audience of admirers
14:29 < phantomcircuit> petertodd, i've never known an HR department that added value to the company
14:30 < petertodd> phantomcircuit: I actually think HR where I am adds value to the company, and more generally I've got a lot of praise for management
14:31 < andytoshi> damn, i like these PR guys... i should apply for your job
14:32 < andytoshi> maaku: regarding a transaction envelope, it should have a way to indicate that outputs (or anything) are blinded
14:32 < andytoshi> so that, e.g. if i have people submitting stuff to my joiner, i know which outputs i need to have unblinded before collecting signatures
14:32 < maaku> andytoshi: I think that's a different problem...
13:27 < petertodd> TD: "If people's privacy is being protected via other means, then CoinJoin becomes a help thieves hide their stolen money system which reduces incentive to take part, increases legal risk even further and would make people wonder why their wallet apps were asking them to pay fees simply in order to shield people whom they most likely think are bad." <- you say multiple times that coinjoin is legally questionable. I'm pointing out why ...
13:27 < petertodd> ... they both can be considered legally questionable.
13:27 < petertodd> TD: also, that quote is implying that coinjoin requires extra fees, which isn't true, so please fix that
13:28 < TD> merge avoidance doesn't help anyone hide stolen money, though. it is just irrelevant to that.
13:28 < Emcy> TD if he did then try him
13:29 < Emcy> but theyve charged others because they had actual evidence they did it, but not him because they dont and wont
13:29 < petertodd> TD: absolutely it does: it makes it harder to link thefts together to a single person, and in general makes it harder for people to link transactions together, making the job of investigators harder
13:29 < petertodd> TD: for instance it obscures the amount of funds moved per transaction, valuable information for tracing a theft and distinguishing it from other transactions
13:30 < TD> i don't think so, but we'll see.
13:30 < petertodd> TD: and again, please fix your article, if you don't then reasonable people would certainly conclude you are being deliberately dishonest
13:30 < TD> what is your rationale for saying coinjoin does not require extra fees? that you expect people to only do joins when they want to make a payment?
13:30 < TD> i have a feeling the term "coinjoin" has become overloaded to mean different things to different people
13:31 < TD> which makes it inherently hard to write about
13:31 < petertodd> TD: yes, that's what I've been proposing for pervasive two-party-mix support. and of course it means different things to different people: it's a bag of techniques - currently simple and automatic two-party-mixes is where development effort is being focused
13:31 < TD> i already pointed out the implementation difficulties with trying to do it "just in time", but i can clarify that last sentence to say it's explicitly talking about the asynchronous form
13:32 < Emcy> actually my little story about twitter harassment is another example of how fucked up things get when people just assume *convenient digital ID* = a person and an action
13:32 < Emcy> IP address in that case
13:32 < petertodd> TD: then fix that. better yet, leave that off: as I say, merge avoidance costs more in fees so the comparison is rather odd
13:32 < Emcy> he even told them about exoneraTOR :/
13:33 < maaku> TD: I'd *really* like to see a bip 32 extension of the payment protocol
13:33 < TD> Emcy: which is correct for the vast majority of the time that people don't run Tor. I think Tor is a good example of what can go wrong with Bitcoin, really. the abuse keeps it small, which means the people who do choose to run it have bigger problems. a new parallel onion network that re-uses tor software but which requires anonymous IDs/passports to use and made it super easy for network operators to report/tackle abuse,
13:33 < TD> useful
13:34 < TD> maaku: yeah me too but again, after v1 is done :)
13:34 < petertodd> maaku: reminds me, a generalized standard for "here's how I want you to build the scriptPubKey" that could do things like bip32+multisig or ECDH stealth addresses would be useful
13:34 < TD> petertodd: fees are dominated by the inputs/outputs and as you note yourself, you need to use similar techniques for coinjoin to really work. so i am not convinced fees required would end up much different.
13:35 < TD> as the total number of inputs/outputs would be similar
13:36 < petertodd> TD: no, like I said above you end up needing fewer inputs and outputs because you achieve privacy by matching the other parties' values. (or txin combinations) CJ gives you much more flexibility with how you expand your anonymity set.
13:36 < petertodd> TD: and indeed, just using CJ with no value match avoidance at all is cheaper in terms of fees, and still provides some privacy benefit
13:37 < midnightmagic> it's possible to get merge-avoidance-like inputs by mining in p2pool with an address randomizer; i have also written a simple perl tool which builds rawtx. it looks like a few p2pool'ers are already doing a rudimentary form of merge-avoidance right now, which I've discovered is limited mostly by how many addresses payment-accepting people are willing to give me at once.
13:37 < maaku> ... and how much hashpower you have to throw at it
13:38 < nsh> TD: "anonymous IDs/passports.... super easy.... tackle abuse" until the abuser gets a new anonymous ID, N minutes later, right? or do we have a way of anonymously banning people on some effective and enduring basis these days?
13:38 < petertodd> nsh: you fidelity bond the ids
13:38 < nsh> oh okay, right anything's possible when you have to have money to play
13:38 < nsh> :)
13:39 < petertodd> nsh: you can also tie them to real-world passports or similar things with certain cryptographic techniques
13:39 < nsh> mm
13:39 < TD> nsh: right the whole idea is to make it expensive.
13:39 < TD> nsh: which is all banning IPs does anyway
13:39 < nsh> the problem is that what is a trifling loss to most people in the "developed world" is a substantial barrier to entry for everyone else
13:40 < TD> nsh: it doesn't help for the super serious stuff where you get your door kicked down because of something your IP address did, but tor kind of sucks to use because of all the low level abuse, not so much that stuff
13:40 * nsh nods
13:40 < TD> nsh: yeah. you could combine various techniques. like, use a SNARK proof that your e-Passport is from India, and then require a sacrifice that's much smaller as a result. but all this is quite advanced.
13:41 < nsh> right, i can conceive of such a hybrid system being somewhat universally and equitably applicable, but it seems quite far on the horizon atm
13:41 < nsh> baby steps, though :)
13:41 < TD> well, maybe a few years
13:41 * nsh nods
13:41 < petertodd> nsh: good example: decentralized CJ will most likely use tx fees as the anti-spam, which has the nifty security property that a sybil attacker has well-defined costs that can be reasoned about
13:41 < TD> for now an onion network only usable by rich people, is still better than one that's only usable by hard-core anonymity freaks who don't mind having a half-broken internet
13:42 < nsh> right (x2)
13:42 < petertodd> nsh: e.g. if tx fees were what miners lived on, and everyone used CJ, you could get security as good as the 51% security of bitcoin itself against sybils
13:42 < nsh> interesting
13:42 < TD> petertodd: ok i need to read more/ponder more about value matching as you describe, to understand your argument about fees being lower. once i get mentally awake enough to do that i will add a comment or update the article. actually if you have a twitter account you could also comment on that part of the article directly.
13:42 < petertodd> TD: cool
13:43 < nsh> could the bitcoin foundation provide a stipend to one of the people who makes those neat visualizations on e.g. informationisbeautiful to have the patience to sit with a technically-minded person and have something like CJ dynamics explained well-enough to illustrate graphically
13:43 < nsh> i feel the comprehensive enfranchisement of the bitcoin community would benefit drastically from such an arrangement
13:43 < Emcy> i dont think they want anything to do with anything like that
13:44 < nsh> well, some nice people with deep wallets :)
13:44 < petertodd> nsh: there is a catch though: what I proposed re tx fees isn't something anyone has figured out how to do perfectly, the best I've come up with is to attach nLockTime'd transactions to your CJ-related messages that pay fees in the future, which proves that you will either pay tx fees now spending those txouts, or they will be spent by the nLockTime'd tx, but that only applies to a single output
13:44 < nsh> hmm
13:45 < nsh> that's just an efficiency problem at worst though?
13:45 < petertodd> nsh: yeah, the technique approximates perfection :)
13:45 * nsh smiles
13:45 < petertodd> nsh: fancy crypto could probably help, but I try to avoid anything I can't explain to actual wallet developers :P
13:46 < nsh> wisely, i'd say :)
13:48 < TD> sucky parental internet
13:48 < nsh> andytoshi, are you still logging here?
13:49 < petertodd> nsh: his logbot died a little while ago today I thought
13:49 < petertodd> nsh: I've got logs
13:49 < nsh> aye, can't see it
13:49 < nsh> (was just in case TD/outpingers wanted to catch up their buffers)
13:50 < andytoshi> nsh: shit, no
13:50 < TD> i should set up an irc proxy again
13:50 < andytoshi> i didn't see it die
13:50 < TD> no matter
13:50 * andytoshi-logbot is logging
13:50 < petertodd> nsh: I really gotta get around to implementing decentralized IRC... lol
13:50 < andytoshi> thx, my perl script does not notice being unhooked for some reason, it is supposed to reconnect
13:50 < nsh> petertodd, didn't you have notes on that?
13:50 < petertodd> nsh: meh, I'll just write a whitepaper on it instead...
13:50 < nsh> aye, that's the way
13:50 < nsh> implementation is for grad-students
13:51 < petertodd> nsh: hehe, "My favorite programming language is English."
13:51 < TD> secure irc (not decentralised) exists, cryptocat
13:51 < TD> though not sure there's any point encrypting irc :)
13:51 < TD> of course it's not really irc
13:51 * nsh smiles
13:51 < nsh> what's the latency on pond?
13:51 < TD> high
13:51 < petertodd> nsh: high
13:51 < nsh> ok, nm
13:51 < TD> it's meant for email like uses
13:52 < nsh> right
13:52 < maaku> nsh: there's built in delays on pond
13:52 < TD> multi-user chat OTR like chat is what cryptocat is for
13:52 * nsh nods
21:49 <@gmaxwell> he continued in his response: " I have friends that have been using bitcoin for years and they use the same address because it's very convenient for peer-to-peer transmission (you don't have to ask a new one all the time). Heck, I'm working on a project (not this one) right now and that's reusing addresses in certain cases.
21:49 <@gmaxwell> If this is as important as you've made it seem, this needs to be a lot more prominently communicated to the general public, explaining all the risks of not changing addresses with every outgoing transaction."
21:49 <@gmaxwell> which I think is probably fair enough.
21:50 <@gmaxwell> It's not communicated well, especially since there is some wallet software that basically forces reuse.
21:50 <@gmaxwell> (e.g. multibit)
21:50 < BlueMatt> we need a much, much, much better bitcoin intro for devs
21:50 < BlueMatt> and bitcoin wallet on android :(
21:51 <@gmaxwell> We're also failing to use the existing software as an educational tool. There really should be some warning emblem that comes up on transactions that reuse addresses.
21:52 * BlueMatt desperately wants to have a good bitcoin library that provides nice apis to encourage proper use
21:52 < BlueMatt> but, sadly, that requires lots of effort...
21:53 < adam3us> gmaxwell: i think Luke-Jr is on the right track with eligius policy there ;) just need wider adoption of his patch "why is my transaction not completing"... well did u read the doco? no address reuse
21:53 <@gmaxwell> well, there is A bitcoin library, bitcoinj but basically um.. all (?!) its users are not so good on the best practices front
21:53 < Luke-Jr> there's also libbitcoin
21:53 <@gmaxwell> I don't think you can both provide enough flexibility to really be a toolbox without making it easy to abuse.
21:54 < Luke-Jr> gmaxwell: well, bitcoinj goes very far in making abuse easy
21:54 < BlueMatt> gmaxwell: even bitcoinj fails to get it right by far
21:55 < BlueMatt> (hell, all the apps that use it reuse the hell out of addresses)
21:55 < BlueMatt> gmaxwell: easy to abuse != easy to use right and possible to abuse
21:55 <@gmaxwell> okay, thats a point.
21:55 < BlueMatt> Luke-Jr: does libbitcoin do an actually good job here?
21:56 < Luke-Jr> BlueMatt: not sure
21:56 < BlueMatt> oh, well if we're just listing bitcoin libraries...there's millions
21:56 < Luke-Jr> there are?
21:56 < BlueMatt> theres the one in go, theres ones (multiple) in python
21:56 < BlueMatt> theres another one in java
21:56 <@gmaxwell> well if you limit them to c-callable...
21:57 < BlueMatt> theres bitcoin js theres bitcoin-ruby.....
21:57 < BlueMatt> gmaxwell: meh, you can call pretty much all of those from c with the right wrappers
21:57 < adam3us> i kind of like the public public derivation method (sender multiply Q by r and encrypt r for recipient, plus some bloom filter hint to reduce that below full node trial decrypt all payments) for this reason - safe to reuse because the uncompressed address is randomized during payment
22:26 < adam3us> jgarzik: proof of $somethingelse... doesnt proof of stake give a reward bias to those with lots of btc?
22:29 < adam3us> jgarzik: interesting result for efficiency, and self-interest to not damage the network, but side-effect an ongoing mining advantage to large btc holders
23:06 < Luke-Jr> adam3us: only if subsidy is on those blocks..
23:06 < Luke-Jr> proof-of-stake without subsidy might be interesting
--- Log closed Thu Dec 19 00:00:08 2013
--- Log opened Thu Dec 19 00:00:08 2013
00:53 < nanotube> gmaxwell: http://qdb.us/64573 about that riddle. :)
00:55 < Emcy> http://it.slashdot.org/story/13/12/18/2122226/scientists-extract-rsa-key-from-gnupg-using-sound-of-cpu well shit
01:23 < maaku> adam3us Luke-Jr: there are interesting applications of proof-of-stake if it can be divorced from mining reward
01:24 < maaku> imho proof of stake should never have been tangled up in block generation or mining subsidy
05:30 < adam3us> gmaxwell: btw much further up, about gpg noise attack, mentioned bitcoin signature is not timing resistant, yet another reason for non-address reuse; however chain-codes weaken that, exfiltrate the chain code from network computer, and timing/sound recover one public or private derived key to the point of recovery, and game over.
05:31 < adam3us> gmaxwell: at least the public & private derived HD sub-keys are probably randomized enough via HMAC that accumulative timing attack seems unlikely; also the whole thing yet another argument for Bernstein's EdDSA (aka EC Schnorr) as it has no timing attack (no private key dependent branches), though deterministic DSA also fixes that
06:19 < adam3us> about the 1:1 peg discussed yesterday, so far it seems like because btc2->btc1 flow is authorized by spv proof, that the entire alt is only good to spv security level. can this be improved to full node security? seems to imply full nodes need to be on both networks.
06:20 < adam3us> also if there is no native reward whats the motive to merge mine the btc2 - only btc2 network tx fees. isnt that vulnerable to incentive attacks as fees are 2-3% of reward.
like ghash.io level pool could be paid to forge spv and succeed enough of time to make that an economically rational theft attack
07:31 < Hunger-> hi
07:37 < adam3us> hi
11:23 < andytoshi> http://crypto.stackexchange.com/questions/12425/why-are-the-lower-3-bits-of-curve25519-ed25519-secret-keys-cleared-during-creati
11:38 < phantomcircuit> adam3us, iirc that requires you to do a lot of private key ops
11:46 < TD> the latest academic paper on bitcoin leaves a lot to be desired
11:47 < TD> http://eprint.iacr.org/2013/829.pdf - i sent them some corrections
11:48 < andytoshi> i read the first few paragraphs and decided to ignore that one ... thanks for the vigilance
11:49 < phantomcircuit> TD, sorry to be annoying but can you check that pm
11:50 < TD> i didn't see it actually, poor irc client ui my end it seems ..
12:01 < helo> have altcoins implemented many items from https://en.bitcoin.it/wiki/User:Gmaxwell/alt_ideas ?
12:02 <@gmaxwell> helo: For the most part altcoins don't implement ideas. They search and replace strings.
12:02 < TD> sometimes, for added excitement, they search and replace hash algorithms or fee schedules.
12:02 < TD> but that's rare
12:02 < helo> those are some really neat ideas... it's a shame
12:03 < TD> with proof of stake and prime coin being notable exceptions
12:04 <@gmaxwell> TD: good email. ... I did learn one thing from the paper, although even in that it was wrong: They pointed out that if you send funds to a reused address it identifies your change. ... which isn't correct because some clients reuse their change addresses (doh), but ignoring that its another example of how one person's reuse can thwart someone else's good practices that I hadn't considered.
12:04 < helo> i doubt most of the altcoin devs have the skill to implement them correctly (i doubt i do either), but it seems like they'd at least try
12:09 < petertodd> gmaxwell: speaking of, I think as a general principle we want to encourage address re-use for any application where public info allows for address linkage anyway; address re-use is a way of letting others easily know the address is *not* private
12:10 < petertodd> gmaxwell: e.g. for coinjoin you can better protect your privacy sometimes by avoiding joins with parties that have re-used addresses in some cases.
12:11 <@gmaxwell> I dunno, public info isn't equally distributed. I'd rather be deanonymized by a forum post than data in the blockchain.
12:11 <@gmaxwell> But I see your point.
12:11 < petertodd> Depends on the attacker - my suspicion is the type that will do detailed tx linkage analysis will also have databases of forum posts and p2pool share data.
12:12 <@gmaxwell> with blockchain.info my grandma is an attacker, though not a terribly effective one.
12:13 < petertodd> yeah
12:13 < petertodd> Would be nice if there was a way to mark a scriptPubKey as "We've made this unique, but the info required to link it is something the <TLA> could find."
12:14 < petertodd> Where TLA \in (Cyber Grandmas of America, FBI, NSA, etc.)
12:23 < andytoshi> helo: IMO it'd be really frustrating to make big changes to bitcoind (though every day the devs make more progress toward modularity -- thanks guys!), so if you wanted to implement some serious ideas you'd be better off writing from scratch
12:23 < andytoshi> so there's not really anything between "zero work" and "a ton of work"
12:25 <@gmaxwell> meh, a number of those ideas would be quite self-contained.
12:25 < helo> there is at least a similarly prohibitive steep gradient from "zero understanding" to "sufficient understanding"
12:26 <@gmaxwell> andytoshi: two additional features that might be interesting in your coinjoiner.
The ability to give it an input with a threshold. E.g. join this if and only if you get at least 4 other things to join with... if I'm paying a fee to join I really don't want it to be some two party thing with some address reusing fool. :P
12:27 < andytoshi> gmaxwell: oh, good idea
12:27 <@gmaxwell> andytoshi: the other is that you probably should convert submitted signatures to canonical form... as differences in signatures might be privacy reducing to participants.
12:27 < andytoshi> right now i'm depending on "if you're ok using rawtx's, probably you aren't clueless"
12:28 < andytoshi> yes, good call, that also gels well with my true goal of "learn rust and understand bitcoin encoding in detail"
12:28 <@gmaxwell> In particular the s/2 thing is enforced by bitcoin git but not 0.8.6 so their signatures are somewhat distinguishable.
12:28 <@gmaxwell> (for now it might be wise to randomize the s/2 characteristic, but later after 0.9 is out you should convert things to the canonical form)
12:29 <@gmaxwell> I'm not sure if anyone would submit to you padded r/s values or negative r/s values, but they might some of the web signers in the past were broken. best to fix that.
03:51 < gmaxwell> Hopefully this is at least about something other than that thread.
03:52 < gmaxwell> That thread was metal "lost" in the mail. Insurance wouldn't cover it. coingenuity actually sent the guy replacement metal out of his own pocket, but the guy really wanted the bitcoins returned (the price of bitcoin went from $10 to $100 shortly after the sale)
03:53 < petertodd> ha
03:53 < gmaxwell> coingenuity believes (rightly or wrongly) that the guy was just trying to scam him into giving the coin back after he had regrets about the price going up.
03:54 < gmaxwell> and, as a result took forever to resolve it, I suppose something you could rightfully fault him for...
in general a number of people have complaints about his services' timeliness, though having had a lot of discussion with coingenuity I'm generally pretty sympathetic.
03:56 < Luke-Jr> I seem to recall him saying he was having problems with banks though
03:56 < Luke-Jr> hopefully it didn't blow up into something
03:59 < Luke-Jr> gmaxwell: I do think the insurance refusing to cover it was ridiculous though
04:01 < Luke-Jr> (not that I doubt the insurance did something ridiculous)
04:01 < gmaxwell> Luke-Jr: yea thats been part of whats been causing him delays, you've heard that lots of people have had banks randomly closing accounts of people who mention Bitcoin. Now imagine that you're in a business moving hundreds of thousands of dollars of precious metal for bitcoin and dealing with banks...
04:04 < Luke-Jr> I hadn't heard that about banks (closing personal accounts who mention Bitcoin..)
04:04 < gmaxwell> amiller: FWIW, I think I originally proposed the hashlock for binding cross chain.
04:06 < gmaxwell> Luke-Jr: yea, us bank, capital one, bank of the west, and chase are known to have closed random personal accounts on account of bitcoin activity.
04:06 < gmaxwell> Commercial accounts have had an even harder time.
04:18 < gmaxwell> amiller: in any case, please feel free to go post how awesome you think that transaction pattern is on the coinswap thread. petertodd likewise, posting some smart things would be nice.
04:18 < gmaxwell> Otherwise the thread may start off with derping people.
04:21 < adam3us> gmaxwell, Luke-Jr: you need a real bank, not one of those penny-ante us jobs; credit-suisse/UBS with an actual swiss account, then any stupidity has to be approved by swiss court, and they dont take 'please do this' even from the US, they demand verifiable proof before they act; 'course you dont get one of those without $500k min deposit, but thats the correct approach - disclose it on your tax forms, etc but you're outsourcing due-process to
04:22 < Luke-Jr> adam3us: do they do business with US citizens still? :o
04:22 < Luke-Jr> adam3us: and do they take initial deposits via wire? :p
04:22 < adam3us> luke-jr: fuck no
04:22 < Luke-Jr> aka bitcoins
04:23 < Luke-Jr> so not really an option
04:23 < adam3us> luke-jr: well i guess I jest, I think they would, though they will insist on disclosure
04:26 < adam3us> luke-jr: but seriously there is no sane reason anyone with > $500k liquid assets would keep a red cent in the US (or most other western countries) . I am half swiss so i might be biased (mother is from Zurich)
04:27 < Luke-Jr> adam3us: I'm not sure US citizens really have a choice anymore.
:/
04:27 < adam3us> luke-jr: it has zero to do with tax avoidance (do NOT do that, especially in the US) and everything to do with ensuring legal due diligence in any third party decisions about your wealth, and US is 100 yrs behind .ch in legal system impartiality & political independence, due process, etc
04:29 < Luke-Jr> I'm sure, but last I heard the US made it pretty much impractical for any non-US banks to do business with citizens
04:30 < maaku> some, not all
04:30 < maaku> there's some caribbean banks that haven't felt the pressure yet
04:31 < adam3us> luke-jr: as I understand it, the result was .ch min deposit and min annual fee went up - they dont want to deal with US related admin costs unless its worth it
04:31 < Luke-Jr> I guess the hard part, if they really want $500k min deposit, will be getting a single $500k withdrawal from some exchange :/
04:34 < adam3us> luke-jr: its probably etiquette to go there with your passport for acct setup, zurich is a nice place, they are not offering anonymity, just the application of swiss banking confidentiality (pseudonymity with them holding your real id in escrow) - anything illegal by their laws, and with proof a swiss court has verified will be disclosed/seized; but the bar is pretty high: proof of tax evasion, extortion, organized crime, terror is what its me
04:35 < Luke-Jr> I don't have a passport.
04:35 < petertodd> !
04:35 < maaku> Luke-Jr: if you can show assets (walk into a UBS branch with documentation), then they will work with you to handle the deposit over multiple transactions
04:35 < maaku> and get a passport
04:35 < Luke-Jr> adam3us: btw, your lines keep going over freenode's limit and getting cut off
04:36 < Luke-Jr> yeah, I should get a passport. but that's so much trouble.
04:36 < adam3us> luke-jr: there are other AAB+ rated swiss only banks (no branches or personnel outside .ch) that are more immune to real-politic foreign influence; the UBS problems a few yrs back were because of pressure the US could exert because UBS had US branches
04:37 < adam3us> luke-jr: i dont think the US actually has any literally any AAB+ rated banks period; if you want your money to still be there in 100 years, its the only option; i think the smart money is in these swiss only banks
04:38 < maaku> Luke-Jr: on the other hand, St. Vincent is only an hour or two away from you, doesn't require a passport, and has stricter secrecy laws than .ch
04:39 < adam3us> maaku: yes but i doubt st vincent has any AAB+ banks either, so if you are paranoid about the safety and continuity of your wealth (think Allen Stanford caribbean bank scam), .ch is the gold standard
04:40 < adam3us> maaku: i know a guy here in malta, whose dad lost his shirt in the Stanford ponzi scam, the Stanford guy had put a lot of effort into building a credible bank profile and reputation
04:41 < Luke-Jr> no government lasts forever, not even .ch
04:41 < adam3us> luke-jr: they lasted longer than yours so far :P
04:41 < Luke-Jr> adam3us: which is all the more reason they might fall first :p
04:42 < adam3us> luke-jr: and they're politically neutral, armed to the teeth, and are holding 1/3 of the worlds offshore wealth, no one, not even the nazis wanted .ch to fail - politicians dont piss where they have their money hidden
04:42 < Luke-Jr> that was 50 years ago
04:43 < Luke-Jr> frankly, if I lived almost anywhere in Europe today, I'd probably be taking up arms against the government
04:43 < adam3us> luke-jr: they still have 1/3 of the worlds offshore money thats a big chunk of real-politic leverage
04:43 < Luke-Jr> maybe
04:44 < adam3us> luke-jr: .ch is also not politically part of .eu - they had a referendum and the citizens were against it
04:44 < Luke-Jr> adam3us: but they ratified the UN CRC
04:46 < adam3us> luke-jr: i think their focus as a country is to retain their gold standard banking status, because their livelihood depends on it, they have no natural resources other than cheap hydro, and they are almost the wealthiest country per capita in per capita income, they dont want to screw that up
04:46 < Luke-Jr> yeah, it might be good enough for just holding money
04:46 < Luke-Jr> but still, I'll have to figure out this passport nonsense first
04:47 < maaku> Luke-Jr: you can do it by mail. is there something holding up your case?
04:47 < adam3us> luke-jr: it aint that bad, get somebody to do the paper work for you - i hate paper work also
04:47 < Luke-Jr> maaku: pretty sure you can't here
04:47 < Luke-Jr> I think you have to go in and get fingerprinted and all sorts of garbage
04:49 < Luke-Jr> and yeah, I expect trouble with my case because of past legal problems with a certain insane State too
04:50 < adam3us> btw about this mintchip thing for bitcoin private keys, offline etc; i think the guy is missing to know about observer protocols, this can be done with an 8-bit smartcard CPU, not read coinswap yet is there another thread
04:50 < maaku> well unless it's a child support issue or you have outstanding warrants, i don't think they have the right to deny you
04:50 < maaku> sucks about the situation though, hope it gets sorted out
04:51 < Luke-Jr> maaku: yep, it's a child support issue
04:51 < adam3us> luke-jr: if you were serious about account, i do not think its a hard requirement to visit switzerland to setup an account, you'd have to ask them to check that is still the case (was about 10 yrs ago for sure)
04:52 < Luke-Jr> Nebraska thinks my wife and I should pay child support to the State for our children, because they kidnapped them for 3 years
04:52 < maaku> wtf.. jesus. that is fucked up, and yet not surprising. my condolences.
04:53 < Luke-Jr> (which is a big part of why I have zero tolerance for the UN CRC which purports to do away with parental rights entirely)
05:00 < petertodd> Too bad organizations like http://www.parentalrights.org seem to be all coming from the "strict parental rights" side of things - myself I'm in favor of something more like a third option where for many issues neither the state nor the parents should have rights over their children. (IE access to contraceptives should be something neither the state nor parents should be able to prevent)
05:02 < Luke-Jr> contraceptives should be blanket illegal for everyone in all cases
05:02 < petertodd> ha, I thought Catholic thinking on that subject had been relaxed these days?
05:02 < Luke-Jr> Catholic teaching is perfect and thus never changes.
05:03 < petertodd> Don't you mean our records of the past teachings of the Church must be wrong?
05:03 < Luke-Jr> no.
05:03 < petertodd> (aka, the 1984 doctrine :P)
05:04 < Luke-Jr> I have no idea what you're talking about.
13:14 < petertodd> sipa: OpenPGP actually does have some limited signing bits that you can use for that kind of thing. Poorly understood as you say.
13:14 < sipa> s/GPG/PGP/
13:15 < petertodd> sipa: Heck, jdillon signed my key back, and signed the photo packet... if he verified that, I have a stalker.
13:16 < petertodd> jgarzik: Sounds great, but how will you boil it down to something really simple for the algorithms? Do you think a key-value store is sufficient?
13:16 < jgarzik> petertodd, That's the tough part. Where/how to store this decentralized identity database.
13:17 < jgarzik> petertodd, That's why I was looking into miner sacrifices
13:17 < jgarzik> If you associate a cost to identity creation, hopefully flooding is prevented
13:17 < petertodd> jgarzik: Yeah... too bad gmaxwells bytecoin doesn't exist.
13:17 < jgarzik> and if flooding is prevented, then it is likely easier to convince people to P2P-share the database
13:18 < jgarzik> a la blockchain
13:18 < petertodd> jgarzik: Of course, key-value in the blockchain has been suggested over and over, and aside from bloat it's a reasonable idea as all you need to know is that someone else can't claim they have the most recent pair.
13:19 < jgarzik> It would be nice if adding new merge-mined chains was easier
13:19 < petertodd> I dunno, I'm skeptical about merge-mining stuff like that, because the incentives to actually do it are weak.
13:20 < jgarzik> petertodd, miners and pools definitely respond to "easy additional income, for the same amount of work" incentives
13:20 < petertodd> I have the same problem distributing fraud-proofs for fidelity-bonded banks: you have to be able to prove that a fraud proof *wasn't* made in the past, and the only way to reasonably do that is have a data storage service with consensus on its contents.
13:20 < jgarzik> yep :/
13:21 < petertodd> jgarzik: Which is the problem. The incentive can just as easily be "PGP-CA blockchain isn't used that much, lets kill it for the lulz"
13:21 < petertodd> jgarzik: It wouldn't be an issue, except for the fact that you need to be able to sell fidelity bonds if you've been honest to solve the "service own retiring" problem, and selling them is only reliable if you can be sure it's not a tainted identity.
13:21 < jgarzik> I really think this decentralized identity project could be huge, though. Create an identity, create a market, trade, dispose of market. Coalesce, exchange, disperse. Automatic markets, anywhere, anytime. The main linking factor is your identity.
13:22 < jgarzik> yeah
13:23 < petertodd> Possibly. I mean, the bigger question is what exactly is being bought and sold? Now digital goods are an option, but lots of classes of stuff really does need real-world identities.
13:23 < petertodd> for instance really general colored coins for real-life business stocks seems kinda crazy to me
13:23 < petertodd> (other than just an accounting system)
13:24 < jgarzik> If you have a SIN, you can collect endorsements (digital signatures) from third parties, proving your real world identity
13:25 < jgarzik> But each SIN holder chooses what endorsements to add, which to publish, which to keep private
13:25 < petertodd> Heh, get governments in on it and some of the endorsements can be pretty damn direct...
13:26 < jgarzik> Just need a central root point for each identity, to digital sign (for example) permission-to-see-my-identity
13:26 < jgarzik> indeed
13:26 < jgarzik> Just thinking about how to export it over the Internet, in a secure fashion
13:26 < jgarzik> Your SIN, your crypto-identity, should be able to securely link to other identity systems
13:27 < petertodd> Well, I mean if you can get a consensus on a big, timestamped, H(key)-H(value) table the actual transport can happen in a lot of ways - the receiver will always know they either got the true key-value by checking that H(key) H(value) matches.
13:28 < jgarzik> agreed
13:28 < petertodd> With that, transport on systems like DHT is a *lot* more acceptable.
13:28 < petertodd> It's too bad cryptographic accumulators don't quite work the way we want them to here...
13:29 < petertodd> Unfortunately I think you're basically forced into a blockchain here.
13:29 < petertodd> Albeit one that only needs 32+32=64 bytes per UTXO entry.
13:29 < petertodd> ...and what blocksize? (ducks)
13:29 < jgarzik> hehehe
13:30 < petertodd> Actually, seriously speaking, I'd namespace it to (semi)-solve that problem.
13:30 < jgarzik> petertodd, explain? not sure what you mean
13:31 < petertodd> By namespace I just mean separate it into multiple blockchains, so that you can prune all but what you are actually interested in.
13:31 < jgarzik> ah, indeed
13:31 < petertodd> You still have to deal with bandwidth for all k-v pairs though, or you won't know if the POS's used to create them are valid.
13:32 < petertodd> (IE, that's the equivalent of an invalid block in the system)
13:32 < jgarzik> yep
13:32 < jgarzik> thus, The Difficult Part
13:32 < jgarzik> if it can be solved, decentralized identity Will Be Big
13:33 < jgarzik> PoS might also be needed/used for changing, not just identity creation
13:34 < petertodd> Well, do it hierarchical, with a top-most k/v store, with the k's being the state of the next level of k/v store.
13:34 < petertodd> See, basically you want to be sure you haven't missed any updates.
13:34 < petertodd> ...although, no, that still doesn't work, because of withholding attacks...
13:35 < petertodd> Yeah, I'd be inclined to do PoS for every update basically.
13:36 < petertodd> Oh, and here's another mental model: see what you have with this database, is the ultimate cryptographic accumulator that works the way you want it to: arbitrary checking if p in S
13:39 < petertodd> Your block header algorithm can actually be kinda interesting too... so you need to do on-chain Bitcoin POS transactions right? Make those transactions in a way that is distinguishable - IE you can tell if a given tx may have been part of the chain - and have your best block selection be the sum of all sacrifices.
13:40 < petertodd> Now if someone does a withholding attack, it's still ugly, but at least you can sacrifice more Bitcoins than the PoS's whose contents you *don't* know about and be sure you're now on the best chain. Your incentive, assuming the system is used, is to then broadcast your data widely so others sacrifice on top of your sacrifices.
13:41 < petertodd> Basically the 51% attack is now sacrifice more Bitcoins than the sum of all Bitcoins sacrificed. Not great, but at least it's easily measurable security.
13:41 < petertodd> Does have ugly issues if Bitcoin's value crashes...
13:42 < petertodd> But maybe that doesn't really matter, the Bitcoin PoW would be vulnerable anyway.
13:44 < petertodd> This whole scheme does depend on independent miners: the fact you're "mining" this blockchain is easily visible by the fixed namespace ID's. You may find a 51% majority conspiring to block your foo-k/v namespace for whatever reason.
13:45 < amiller> for the PoS thing you're talking about, the way to solve my objection with it (that there's nothing at stake) is to make it so the sacrifice is a sacrifice even if the block containing the sacrifice isn't selected
13:45 < amiller> if you do work on a PoW fork attack, your work is wasted if you fail
13:46 < amiller> meaning if your attack fork doesn't end up being taken as the main chain
13:46 < jgarzik> petertodd, yeah, if bitcoin dies we're fucked anyway ;p
13:46 < petertodd> amiller: Absolutely. It *must* be a genuine Bitcoin sacrifice, like an announce/commit sacrifice or anyone-can-spend coinbase output.
13:46 < amiller> so maybe you could fix that by saying that your best selection is the sum of all sacrifices, such that the transaction sacrifices are valid on every chain even the ones you didn't select?
13:46 < jgarzik> petertodd, BTW, what is the current favorite anyone-can-spend?
13:46 < amiller> ok sure anyone-can-spend coinbase
13:46 < jgarzik> OP_TRUE or somesuch
13:47 < petertodd> jgarzik: anyone can spend coinbase is shortest, for general use w/o miner help I haven't come up with anything better than announce/commit
13:47 < petertodd> amiller: ooh, that's a very good idea
13:48 < jgarzik> amiller, interesting
13:48 < jgarzik> a bit of a variant on total work
13:48 < petertodd> amiller: and your "block headers" are very similar to what merge-mined alt-coins carry around anyway
13:51 < petertodd> oh, and with anyone-can-spend coinbase output, the priority block # is obviously just the block #, however with announce-commit that's trickier
13:52 < jgarzik> I need to collect this into a wiki page somewhere
13:52 < petertodd> well, actually, maybe it doesn't matter... priority is independent per k-v pair, so if your announce commit means some of your k-v block was invalidated by a later update, it doesn't matter that much
13:53 * jgarzik wishes there was a crypto-wiki, rather than stuffing everything on en.bitcoin.it. I suppose a github .md or gist will suffice.
13:53 < jgarzik> There definitely needs to be very high priority k-v's, and then secondary ones. the primary, high prio ones are the root for other attestations/proofs/signatures
13:53 < petertodd> also, before I forget, actually pure k-v isn't really enough for most things, you probably need signatures so that once you establish that you own a k-v pair, you can update it with a signed update
13:53 < warren> Wow. BFL sent me a refund after 1 day.
13:54 < jgarzik> Tempting to say that ultra-high-prio ones simply cannot be changed. Create an identity with a certain number of immutable k-v's.
13:54 < petertodd> and on top of this, so don't forget you can use a merkle sum tree with your k-v pairs if you want a system where each pair has an individual sacrifice amount
13:55 < jgarzik> Some services, I imagine, would want that.
A third party service might require a specific sacrifice, or real world protocol of some sort.
13:36 < petertodd> But the point is, those anonymous businesses are associated with industries where the customers don't seem to care as much, and in addition the anonymity means their backend stuff is often very obscured. (I'm sure someone is timestamping log files for something, but good luck ever figuring out who they are)
13:38 < gmaxwell> uh, what the heck were you proposing where such a business needs generic worldwide visibility unjammability?
13:38 < petertodd> Announce/commit sacrifices are the canonical example.
13:39 < petertodd> Fraud proofs are another, that's a case where the existence of a "fall-back" way of ensuring global visibility is really valuable even if you have lesser means like merge-mined chains.
13:39 < gmaxwell> But they dont they need visibility to the interested parties.
13:40 < gmaxwell> I'm struggling to come up with something which needs visibility to _disinterested_ parties.
13:40 < gmaxwell> (esp since you can't, you know, make people who don't care pay attention)
13:40 < petertodd> The problem is the only way to prove visibility is by proof-of-work or proof-of-stake, and the former gets really scary fast due to the large pools out there.
13:41 < gmaxwell> but that isn't solved by making things clear-visible in the blockchain.
13:41 < petertodd> The latter is ugly because it's active, and can tightly couple finance into a system where the attack is losing money if the data is made public.
13:42 < gmaxwell> e.g. so you put data in the clear in the blockchain, but thats no proof that anyone who mattered actually noticed it there even if they had the data available to them.
13:42 < petertodd> Sure it is: if it's in the Bitcoin blockchain I can be damn sure that anyone who was interested could have seen it. If it's a merge-mined chain with low hash rate it would be very easy for that data to be hidden by an attacker.
13:43 < gmaxwell> In fact, you've already proved it you've made all kinds of weird transactions which people could have redeemed and either didn't or took a long time to do so. (or required you pointing them out at least)
13:43 < petertodd> Right, but in any system actually using this stuff the interested parties will look if it matters, and if no-one is interested, so what?
13:44 < gmaxwell> at least the merged mined thing actually creates evidence of seeing it by someone who (programmatically) cares.
13:45 < gmaxwell> We could also introduce a general mechanism for this kind of thing which doesn't create any perpetual storage, I suppose.
13:45 < petertodd> Take the example of a fidelity bonded bank where you want to sell your bank, but also want to be sure that no-one has committed fraud but withheld the fraud proof: you want to be able to say "if it's not in some blockchain, the fraud never happened"
13:46 < gmaxwell> and, yet, you can still do that just in terms of sum difficulty of a merged mined chain.
13:46 < petertodd> Sure, and you can do that if, for instance, we have UTXO possession proofs as part of the proof-of-work function, and then you would show via UTXO proofs that the data existed in the UTXO set and people possessed it, but they can drop it after the fact. (need a hard fork due to some details obviously)
13:47 < petertodd> gmaxwell: Of course, my point is any merge mined chain will always be inferior to Bitcoin because it will always have a lower hash rate, *or* the system has effectively become part of Bitcoin anyway.
13:47 < gmaxwell> (or sum-stake, or signed by some trusted observer or all of the above)
13:48 < petertodd> Basically have some data in a transaction that you don't need to prove the transaction is valid, but you do need to temporarily possess to fulfill your proof-of-possession PoW.
13:48 < gmaxwell> petertodd: okay, let me grant that: but being part of bitcoin itself isn't the same thing as sticking all data at the root level.
13:49 < gmaxwell> As it is today there is no way to do finite lifetime data in bitcoin, and everything you're talking about needs _at most_ finite lifetime.
13:50 < petertodd> Of course, but that's where my temporary forced storage scheme is useful, but that's a soft-fork at minimum and more likely people with the need will just keep stuffing their data into the blockchain.
13:51 < gmaxwell> okay, well certainly, you can say that a mechanism for temporary storage is virtuous even if we still hold the view that forced non-currency-data storage is wrong and should be technically defeated where possible.
13:53 < petertodd> Exactly. Point is figure out those technical solutions and make them work - don't go whining about social responsibility and "consent" as Luke does because the whole point of Bitcoin is to replace social mechanisms with technical ones, so work within that paradigm.
13:54 < petertodd> Not to mention how bizarre it is to be complaining about people creating prunable data, yet we won't say a thing about low-value transactions. The technical impact of both types of data is exactly the same - the archival blockchain gets bigger. (UTXO bloat is of course another matter, but that's solidly a design flaw)
13:55 < gmaxwell> hah. It's not like the technical stuff appears whole cloth in a vacuum. First it must justify our social responsibility. Absent consent the security of the technology is paper thin.
13:56 < gmaxwell> "won't say a thing" uh, we just nuked very tiny output creation.
13:56 < gmaxwell> And low value txn is pretty tricky: we don't know where the dividing line is.
13:57 < petertodd> Yes, and I did say that UTXO bloat is a design flaw; nuking tiny output creation is an example of a patch to try to fix that design flaw.
13:57 < gmaxwell> Vs it's easy to say Bitcoin is not a @#$@# storage locker for your nuddies or whatever. :P
13:57 < gmaxwell> harder to actually stop it, but at least agreeing on the goal is easier.
13:57 < petertodd> ...but then is it ok to use bitcoin as a proof-of-visibility for your financial application?
13:58 < gmaxwell> Not really, for one it just won't work. Limited channel capacity will make that unpredictably fail for you.
13:59 < petertodd> Limited channel capacity makes the entire *system* fail unpredictably by that logic.
13:59 < petertodd> There are *lots* of applications where the fact that the channel capacity is limited is not only acceptable, but actually kind of a good thing.
13:59 < gmaxwell> It makes the future system's scale uncertain. But bitcoin doesn't just fail because it becomes slow to make transactions, your financial application certainly might.
14:00 < gmaxwell> kind of a good thing sure, and bitcoin itself is one of them. But the challenge there is limited channel where the capacity gets eaten up by _something else_ is not so obviously a good thing.
14:01 < petertodd> Any financial application will need to make transactions; you can easily design your need for data bandwidth to correspond to your need for transaction bandwidth.
14:02 < petertodd> Part of that design is of course determining how resistant you want to be to efforts to stamp out data in the blockchain, but you can always get some amount of data in there so the option always exists.
14:03 < gmaxwell> Okay, well we go back to my comment earlier that some small sidechannel like 32 bytes per transaction is probably something we can tolerate because there are just too many useful things that cannot be done without it. So figure out how to fit into that model and _MAYBE_ you have something that is still viable, maybe. Not certainly: since if the whole world was using bitcoin it isn't clear that any particular user would be able to get
14:04 < gmaxwell> But anything more than that, and it's not clear that it wouldn't trivially be stamped out by the first persistent effort to really cram in some nasty stuff in the broadcast channel.
14:04 < petertodd> But that's the thing: a sidechannel of any size just puts a price on the data relative to a transaction. We can push that price one way or another, but we know we want make that price infinity - there are just too many ways to stuff data in transactions.
14:04 < gmaxwell> I mean. jesus, don't design business plans that can be shut down by a bored 12 year old.
14:05 < gmaxwell> petertodd: we can make anything that has utxo storage be a hash preimage.
14:05 < jgarzik> hehe that says it all ;p
14:05 < petertodd> I'm not talking about UTXO storage, I'm talking about in-blockchain data.
14:06 < petertodd> UTXO storage is something we can go very far in preventing, up to having to perform partial hash collisions, but in-blockchain data isn't something we can stop - you can always play games with pubkeys.
14:08 < gmaxwell> petertodd: oh, well I'm actually far less concerned with that, as you can simply puncture the validation rules. There is a balance that provides adequate practical security.
14:08 < petertodd> puncture the validation rules?
14:08 < gmaxwell> There are plenty of people who think it would be perfectly sane to just forget all the spent txo before height 210000 or whatever.
14:08 < petertodd> Ah, yeah, which for the proof-of-visibility application is completely fine.
14:09 < gmaxwell> Not just in a pruning sense, but completely.
14:09 < jgarzik> I still like the idea of modifying my OP_RETURN patch to permit standard, spendable transactions || size <= 80
14:09 < gmaxwell> Depends on what you're trying to prove visible to who.
14:09 < jgarzik> gmaxwell, in this case, https://en.bitcoin.it/wiki/Identity_protocol_v1
14:09 < petertodd> Sure, but you can always prove your data was as visible as any other blockchain data in the time period, and that's all you need frankly.
14:09 < jgarzik> (that was the genesis of this whole proof-of-visibility discussion)
14:10 < jgarzik> indeed
14:11 < petertodd> jgarzik: ...and I strongly think OP_RETURN should be slightly cheaper at stuffing data in the blockchain than the P2SH+multisig games that we cannot stop, as a harm reduction measure
02:22 < gmaxwell> (they don't attack their bitcoin daemons because the attackers can't reach them)
10:10 < adam3us> btw people seemed to prefer hidden tx to committed tx as a descriptive name, but i chose the name originally as it is using a bit-commitment
10:10 < adam3us> (re conversation yesterday with gmaxwell, jtimon, maaku and a few others)
16:20 < gmaxwell> http://www.forbes.com/sites/kashmirhill/2013/11/13/sanitizing-bitcoin-coin-validation/ ... sigh.
16:21 < sipa> as long as they can do their job, our privacy isn't good enough
16:21 < gmaxwell> Right.
16:22 < gmaxwell> Making privacy better will be harder when people have made a business out of undermining it... though perhaps there will be more interest in improving it.
16:22 < sipa> so maybe that does provide a useful service... making people realize that privacy needs actual work
16:23 < gmaxwell> Indeed. I guess we'll see how the harm investment in screwing up privacy and promoting that privacy must be removed balances against the benefit making people realize that privacy is a problem.
16:46 < adam3us> man what a bad idea
16:47 < adam3us> (coin validation)
16:48 < gmaxwell> maybe they'll pull a mastercoin next and raise a million dollars to fund their attack on bitcoin's fungibility? :P
16:48 < adam3us> need to figure out some way to compact committed tx without revealing
16:48 < adam3us> msc = moral hazard
16:50 < gmaxwell> Another interesting element to this risk: If we don't fix the bitcoin ecosystem to make these businesses impossible it becomes more likely that some bitcoin clone which fixes them out of the box (perhaps just using things we could 'easily' deploy) will replace bitcoin.
16:51 < adam3us> gmaxwell: well so far we didn't figure out a fix - if we do i might start to soften my anti-alt stance if it was the only way to do it, but i think i'd go for staging method
16:51 < gmaxwell> adam3us: I think we have adequate fixes already.
16:51 < adam3us> gmaxwell: it seemed for a while there was actual interest in making an all zc alt for example; hal finney thought it was a cool idea
16:52 < gmaxwell> E.g. if all wallets were automatically doing coinjoins and coinswaps then such a business wouldn't be viable.
16:53 < gmaxwell> you don't have to have perfect anonymity to thoroughly break that kind of business.
16:53 < adam3us> gmaxwell: yes. it's clearly an improvement. but i'd really like to see if anyone can figure out some crypto enforced fungibility
16:54 < gmaxwell> it's hard to even deploy that though, esp with funded attacks on privacy. The nice thing about things that don't change the network is that people can say "well, there is nothing we can do about that".
16:54 < adam3us> gmaxwell: if u could get clients to upgrade, they may work harder on analysis however - it's like crap 1st gen security, it engenders an arms race of heavily funded 2nd gen attacks etc (sat tv content scrambler story)
16:55 < adam3us> gmaxwell: true, you are "just" using core features
16:56 < gmaxwell> adam3us: the security provided by coinjoins and coinswaps is not pretextual though. So yea, more powerful analysis weakens user privacy but even assuming an optimal attacker, they do improve privacy.
16:56 < gmaxwell> a
16:57 < gmaxwell> adam3us: dunno if you played with the ZC codebase a lot... it ... doesn't seem too easy to integrate in a sane way.
16:57 < adam3us> gmaxwell: "hard to even deploy... esp with funded attacks on privacy."
16:57 < adam3us> gmaxwell: meaning? the network needs distribution or the anti-privacy lobby tries to shut it down early?
16:58 < gmaxwell> E.g. Peter Vessenes attacking bitcoin privacy at the conference .. until some folks pulled him aside and pointed out the fungibility problems.
16:58 < adam3us> gmaxwell: no i didn't look at zc code
16:59 < gmaxwell> adam3us: the problem with changing the network is that you can't (safely) use the changes until some super majority of nodes, including jumpy business participants like mtgox, deploy the changes. There is a coordination problem there, and no real way to ease into it.
16:59 < adam3us> gmaxwell: here's my version of what could be done, i think you reached similar tech conclusions: full anon fungibility, opaque privacy (user knows who's paying) rest as now; then you can subpoena recipient
17:00 < adam3us> gmaxwell: yes; maybe staging helps.. then they are bitcoins and you can step in and out of them via p2p exchange
17:00 < gmaxwell> The people who see themselves as "working with" regulators can very easily be pushed into a corner where they oppose this stuff. Good luck deploying a soft fork with the foundation opposing it. So that's why I think at least within bitcoin privacy features can't be driven by the network.
17:00 < adam3us> gmaxwell: if gox doesn't take staging, swap them for bitcoin main coins first
17:02 < adam3us> gmaxwell: mere thought of foundation opposing on political grounds (cringe). the fork threat may not be enough because of all these bitcoin businesses if the users depend on the businesses more than the biz depends on users
17:03 < gmaxwell> right.
17:04 < adam3us> gmaxwell: ok, but we can play games too; work out minimum required and otherwise useful enabling changes, wait 6 months, start using them
17:04 < gmaxwell> (In general that's why I've been really skeptical about "businesses will run full nodes!" as an argument for long term preservation of the system invariants... historically business interests tend to be very short term, and they haven't done a good job driving good monetary policy in other economies)
17:04 < adam3us> gmaxwell: eg say coinjoin could work so much better if you had useful change x that also has useful biz value... etc you get it
17:06 < adam3us> gmaxwell: biz can't see past the next quarter, 2yrs if you're lucky; and unfortunately most suits don't much think or care about user/community interests - i mean this stuff could have society level implications if screwed up by a few ignorant/selfish suits
17:08 < adam3us> anyway put your thinking cap on :) this problem must be fixed
17:09 < adam3us> another opportunity btw is the scaling point if offchain tx are needed, biz will be desperate to use them, devs figure out how to do it, implement it, fix a few ills along the way
17:13 < adam3us> (forbes article) " t want to be the sheriff of the Bitcoin community. We just want to create an ecosystem of clean addresses. ... if anyone needs motivation to figure out some crypto fungibility before they de facto royally screw fungibility - what next - deals with miners to block the unclean one?
17:15 < gmaxwell> adam3us: no, step (2) is everyone rushing to pay for subscriptions to their feeds so that they don't accidentally accept an unclean coin and thereby make their own coins unclean.
17:15 < gmaxwell> step (3) is miners block them, saving everyone else the trouble.
17:15 < gmaxwell> :P
17:15 < gmaxwell> (or even to prevent their fees from being declared dirty)
17:15 < adam3us> they are bitcoin scourge
17:16 < gmaxwell> Well, presumably they haven't thought this through.
17:16 < adam3us> i mean seriously - it's horrendous direction
17:17 < adam3us> outright destructive - 10x worse than satoshi dice. if anyone knows those devs/tech guys they should reach out
17:18 < gmaxwell> I think I'm a little less shocked than you because I expected this (and we've seen it proposed by newbies enough times
17:18 < adam3us> this is the kind of thing i was talking about fungibility introducing costs into the transaction layer and pulling it down to the level of status-quo networks, it's all wrong
17:19 < adam3us> it's also architecturally wrong - you need identity agnostic fungibility, and optional certified identity (required or not by the recipient by a peer choice)
17:20 < adam3us> and some transaction encryption really
17:20 < gmaxwell> adam3us: yea. identities are useful and don't require fungibility destruction or public privacy elimination.
17:20 < adam3us> so that's the design requirements in my view; the next challenge is how, it's damn hard
17:20 < adam3us> precisely
17:22 < adam3us> it may be necessary to technologically disabuse them of their wrong headedness in the short term. i mean if their service was used by any bitcoin biz or miners at any scale, that could be a serious problem for fungibility
17:25 < gmaxwell> adam3us: more precisely, we can't get privacy measures adopted if there is too much important infrastructure which demands they don't exist.
17:25 < gmaxwell> or says my logs:
17:25 < gmaxwell> 13:47 <gmaxwell> yea, no idea. In any case, I'm glad for anyone to be
17:25 < gmaxwell> working on some of this stuff. I worry if some of the stronger financial
17:25 < gmaxwell> privacy tools are not implemented and widely used soon we'll grow too much infrastructure that assumes they don't exist.
17:25 < adam3us> yes, this is why the architecture is wrong - the biz people are making de facto architecture decisions
17:30 < sipa> i wish we had never stopped using pay-to-IP :(
17:31 < gmaxwell> petertodd: so, I realized last week that coinjoin and the replace-by-fee mutually assured destruction have a negative interaction potential.
17:31 < sipa> (and improved it with authenticated rather than replace it with pay-to-pubkeyhash)
17:31 < gmaxwell> petertodd: e.g. you CJ with someone to pay. And then your CJ party doublespends not paying your recipient. Then your recipient freaks the heck out and issues a destructive child...
17:39 < MC1984> the biz people are making de facto architecture decisions
17:40 < MC1984> whoops
17:41 < adam3us> i never got what replace-by-fee MAD was - petertodd wanted to be able to revise fees in case transactions got stuck, ok that has new problems for 0-confirms, then he proposed most things must remain as is, just the fee increase from a new input i presume, but how is that MAD?
17:41 < TD> sipa: what difference would that make?
17:42 < TD> sipa: the transactions are all still public
06:11 < warren> <---- yes, it's true, and that doesn't actually matter
06:11 < adam3us> warren: really what's the example of already happened?
06:12 < adam3us> petertodd: now you can give x to the smart card and H to the wallet/phone and the issuer can do the a=kG work, so the wallet only has to do r1=cx+w mod n
06:12 < warren> adam3us: at the simplest level, we exposed bugs in several components before they were merged into bitcoin-0.9. More complicated: we influenced the recent security releases with our own research meant to protect the bitcoin network.
06:13 < warren> adam3us: there remains more we are not disclosing to the public because it would risk to the bitcoin network
06:13 < warren> adam3us: the recent lively discourse about NODE_BLOOM remains unresolved and is related to one of those issues
06:13 < adam3us> petertodd: the extended EC schnorr sig is a, r1, r2
06:14 < adam3us> warren: ok, that's v. interesting and good to know, but i still prefer bitcoin-staging if it could be got off the ground
06:14 < warren> adam3us: good luck
06:16 < warren> adam3us: I'm not married to litecoin. I just looked at the state of things in March when I joined, found Litecoin to be "unmaintained, totally broken and without political opposition to fixing things" so I used that as a means to learn the codebase. I've been increasingly branching into fixing things in Bitcoin.
06:16 < adam3us> warren: re scrypt(1) apparently ROMix (also by colin percival) is provably memory-hard, memory hardness (freedom from time-memory tradeoffs) was not a design requirement of Scrypt(1)
06:16 < warren> adam3us: I began coin dev in May 2013, all of the failures you're talking about were long before my time.
06:16 < adam3us> warren: bitcoin armory is using ROMix for key derivation rather than Scrypt for this reason
06:18 < adam3us> adam3us: eg if you like you can make an scrypt implementation (hardware or software) that is using mem=128kB parameter, but 16kB ram or 1kB ram - just more inner round repetition
06:18 < warren> adam3us: i'm fully aware of the TMTO thing, and i don't care.
06:18 < adam3us> warren: someone should try that, maybe you can mine scrypt faster on a gpu or fpga that way => profit
06:18 < warren> adam3us: people have tried
06:18 < warren> and I don't care what users do
06:19 < adam3us> warren: would be curious what the optimal scrypt tmto params were for diff hw
06:19 < warren> adam3us: the standard GPU miners use a 50% memory TMTO which seems to maximize performance for scrypt on that hardware. there's apparently FPGA and ASIC's happening soon too.
06:20 < adam3us> warren: yes i hear the asic rumor will be interesting to see how that compares perf
06:20 < warren> adam3us: like I said earlier, the failure of the original scrypt parameters has nothing to do with the soundness of the network and its ability to defend itself
06:21 < warren> adam3us: I personally would be more concerned about the coins that invite regulatory hazard through properties like centralization
06:23 < adam3us> petertodd: so the observer conclusion is it's a special form of 2 of 2 sig where the smartcard can't even tell which sig it contributed to (privacy) and yet can prevent double spending (up to hw tamper resistance) the observer is the smartphone/computer the card connects with which can prevent inflow/outflow subliminal channels
06:23 < warren> adam3us: I had already spent months testing a hybrid of 0.8 and 0.9 with Litecoin, so I reused most of that work in a Bitcoin branch with fixes and features. https://bitcointalk.org/index.php?topic=320695 Exposing more bugs before 0.9 while bringing some features to users sooner.
06:23 < adam3us> warren: agreed on both fronts, that was my motivation for committed transactions
06:23 < petertodd> adam3us: right, so explain in 30 seconds what's the big advantage of schnorr? is it flexibility? privacy?
06:24 < adam3us> petertodd: both
06:24 < petertodd> adam3us: ok, so what's the list of what it'll make possible? (remember, I need to explain this to a pool op, for instance)
06:24 < adam3us> petertodd: efficiency, flexibility, privacy, O(1) vs O(n) compactness of k of n sigs
06:24 < petertodd> adam3us: not clear enough
06:25 < petertodd> Like, give me a really simple example of something I can't do now, but will be able to.
06:25 < adam3us> petertodd: so you can make k of n sigs where the public key is a single public key and the private key is split into n pieces so you can have k of n sigs
06:26 < adam3us> petertodd: you can also after-the-fact combine your public key with another user to create an after the fact 2 of 2 (or n of n) that is represented by a single public key on the transaction
06:26 < petertodd> My inner Joe Public is saying "Huh?"
06:27 < adam3us> petertodd: so this results in smaller n of n sigs and privacy of how many people even are behind an address
06:27 < petertodd> huh?
06:28 < adam3us> petertodd: if n of n or k of n become widely used the sigs are smaller .. one sig vs n which saves block chain space, and makes chain validation n times faster
06:28 < petertodd> why are you fucking up Bitcoin? Bitcoin is perfect already, all hail Satoshi!
06:28 < petertodd> why all this complexity with n's and k's when you have bitcoin addresses and my balance!
06:29 < adam3us> petertodd: the primary risk for bitcoin is centralization and scalability, if that fails, bitcoin fails when dust becomes $10k and everyone switches to using lame trust me centralized "offchain", everyone should care about this :P
06:30 < petertodd> The wiki says Bitcoin scales to VISA levels! Says so! Why change what already works!
06:30 < adam3us> petertodd: u need n of n for like type2/type3 exchanges, escrow situations etc so I expect them to become more common over time
06:31 < adam3us> petertodd: yeah right - i also can say something scales (with the unstated assumption that i can invent, implement and deploy not yet invented innovations that may not even be mathematically feasible) :D
06:31 < petertodd> type2/type3 exchanges? why do we want exchanges? decentralized exchanges is what we need like localbitcoins!
06:31 < adam3us> petertodd: u run a nice devils advocate line btw
06:31 < petertodd> heh
06:32 < petertodd> or in this case, devils mouth-breathing southern cousin :/
06:32 < warren> well, I give up, I can't actually test mac builds/runtime so I can't fix this.
06:33 < adam3us> petertodd: u want type2/type3 because they are trustless - they can't steal your bitcoins, but they can green color tx so that settlement is faster allowing you to onwards trade and avoid volatility risk
06:33 < adam3us> petertodd: though i am also a fan of p2p atomic trade (must go reread those protocols and see if they are actually secure from abort/extort attacks)
06:33 < petertodd> heh, even I don't know what "type2/type3" exchanges are...
06:34 < adam3us> petertodd: type2 is like what bitalo is now working on, exchange escrows fiat, but only does a 2nd 2 of 2 sig on the transfer to finalize it; the actual ownership and authority is with users, a time lock ensures the user retains their bitcoin even if the exchange goes down without warning
06:35 < warren> I looked into installing a hackintosh VM to test this, but the amount of time needed to do it appears more than the time value of just buying a mac.
06:35 < adam3us> petertodd: type3 is if you have blockchain tradeable assets like litecoin vs bitcoin, or colored usdcoin from an issuer vs bitcoin or goldcoin; then the exchange isn't even escrowing fiat
06:37 < petertodd> right, I've never heard those terms myself
06:40 < adam3us> petertodd: probably cooked up in offline colorcoin discussions - to save having to describe a paragraph worth just give them a name
06:40 < petertodd> huh, you gotta admit though, that's politically going to be seen as a very niche reason to change stuff
06:40 < adam3us> petertodd: sounds cool to VCs too ;)
06:41 < petertodd> you ever looked at the bitcointalk archives re: p2sh? just getting that was horribly painful
06:42 < adam3us> petertodd: probably scalability changes and decentralization are far higher priority however as far as I see it's mostly an open research question if anything fundamental (non-incremental) can be done with scalability
06:42 < adam3us> petertodd: i didn't, but i think i got it; maybe i am missing something though?
06:44 < petertodd> one ugly thing with scalability is it's just as likely that bitcoin won't scale with regard to verification, so we'll see centralization, and rather than fix that the alternative instead will be people start using other systems that also don't scale, but have sufficiently low usage that they work in practice
06:44 < adam3us> petertodd: most people on the scalability idea exploration end up reinventing consensus ripple, and finally realizing how bitcoin defends against sybil and then "oh now i get it" :)
06:44 < petertodd> huh? who is even working on scalability other than myself and gmaxwell?
06:46 < adam3us> petertodd: multiple people think distributed offchain/scalability magic is the holy grail and are queueing up to pay for it to happen
06:46 < petertodd> such as?
06:46 < adam3us> petertodd: i'm not saying they got anywhere technically, i am saying they magically wish it could happen... and see $ for whoever could deploy it first
06:47 < petertodd> inputs.io and coinbase, among others, have actually deployed it, and it works just fine
06:47 < adam3us> petertodd: that's not distributed
06:47 < petertodd> it's dead simple and trading off counter-party risk is perfectly acceptable to a lot of people.
06:48 < petertodd> you mean decentralized, and so what? centralized solutions built on top of decentralized ones mean you've always got the decentralized system to fall back on
06:48 < adam3us> petertodd: well if that goes to its logical conclusion in 5 years and everyone is using trust me big 10 offchain bitcoin is dead for its assumed value/purpose of auditability, zero trust
01:46 < amiller> i started thinking about whether general/unbounded recursion can be implemented using snarks
01:47 < gmaxwell> amiller: I can imagine that code with the right "periodic" structure could be...
01:47 < gmaxwell> But it would be the same code that you could also prove its result in closed form.
01:47 < gmaxwell> And so, why not just put in the closed form code? :P
01:49 < amiller> well an example is like a list with unknown bound
01:49 < amiller> say a sum over such a list
01:50 < amiller> that would ordinarily require unbounded size input to the circuit which doesn't work
01:51 < amiller> but you can give it the root digest of a hash chain list and then that's obviously fine
01:52 < amiller> but still a circuit that just checks hashes would still have to check a bounded number of hashes
01:54 < gmaxwell> right sure, the challenge there is making something which is secure against a prover key generating oracle. otherwise, you would just rig the decisions to only check the right places.
01:55 < amiller> i think what i should do is show that iterations reaches a fixpoint somehow
02:21 < amiller> normally the possible configuration space of a turing machine is infinite
02:22 < amiller> because it can run for an unbounded amount of time and add one more element to its unbounded tape at each step
--- Log closed Tue Aug 27 00:00:44 2013
--- Log opened Tue Aug 27 00:00:44 2013
10:54 < amiller> yeah so
10:54 < amiller> the only obstacle to implementing a snark verifier within a snark program
10:55 < amiller> is that we don't have any simple C code that implements the bilinear pairing needed to make pinocchio work
12:36 < gmaxwell> So I've been talking with Iddo in private about a bunch of SCIP things and came up with a cute idea you all may enjoy.
12:37 < gmaxwell> In some of the SCIP versions the prover produces a large number of locally testable points, then builds a hashtree over them, and the hash tree tells them which points to sample to show the verifier.
12:38 < gmaxwell> This can achieve reasonable security because the local tests depend on the other local tests, and a bad one is unlikely to pass with junk inputs.
12:39 < gmaxwell> But you still need to have many tests to achieve reasonable security, because the prover has a verification oracle (e.g. he can just simulate the oracle and keep trying junk inputs until he finds one that passes, unless you have many sampled points)
12:39 < gmaxwell> So I suggested this idea: You create the large SCIP proof with all the locally testable points, with its hash root in a transaction, and you give the whole big thing to a miner.
12:40 < gmaxwell> The miner uses its own randomness to test it (an interactive proof, no verification oracle)... and happy that it's valid the miner mines a block.
12:40 < gmaxwell> Now you use that block hash to ultimately select which parts of the locally testable proof to transmit along with the block.
12:41 < gmaxwell> So a verification oracle now would have to have some large multiple of the whole bitcoin network's computational power.
12:41 < gmaxwell> Moreover, as the block becomes further buried, later blocks can perform additional selection to further trim down the proof.
12:41 < petertodd> define "verification oracle"?
12:41 < gmaxwell> Until the proof is nothing more than the hashroot, security provided by POW burying.
12:42 < gmaxwell> petertodd: A magic black box that you give a proof to and it tells you if the verifier would accept the proof.
12:42 < petertodd> gmaxwell: Hmm... ok so you want the verification oracle to have to have hashing power so you can't just use it to create fake proofs?
12:44 < gmaxwell> Right the idea behind these hash tree commitment proofs is that they're non-interactive, the hash of the proof tells you the random elements to test... but unless you make the function that selects the points you sample very expensive a dishonest prover can potentially create a fake proof.
12:45 < gmaxwell> My idea is to introduce a weak kind of interaction, interaction with the bitcoin network, to create a verifier which is at least as strong at getting "oracled" as the bitcoin network is against overpowering attacks.
12:46 < gmaxwell> I had a weaker form of this idea earlier where you make the transactions two phase: first make a txn that commits your proof, then a second transaction which provides the selection... but I just today realized that you can have the miner do this, and it eliminates the need for two transactions.
12:47 < petertodd> Ok, so another way of describing it, is to just say that miners are making a non-interactive proof, but the selection process within that proof relies on the incredibly high cost of selecting blocks to avoid the invalid parts of the proof as opposed to a more general "picking only invalid requires 2^n hash ops"
12:47 < petertodd> Or really, by being multistage the "2^n hash ops" is achieved by multiplying the ops by the ops required to find a block.
12:47 < gmaxwell> petertodd: yea exactly. But in particular, it requires a multiple of the bitcoin computing power, whatever that is.
12:47 < petertodd> Kinda like I was talking about for UTXO possession proofs before.
12:48 < gmaxwell> Also, it fits with a general idea that as a block gets buried (more POW) you could use the subsequent blocks to throw away more and more of the proof... So the network starts out as zero-trust validation, but the deep history is just POW-consensus validation.
12:49 < gmaxwell> if transactions were structured so that you could elide scriptpubkeys this could also be used to compress regular bitcoin transactions buried far in the history.
12:49 < petertodd> Heh, so you could describe it in terms of "including all the subsequent blocks, the proof would require n hash ops to have p probability of finding a fraudulent proof"
12:51 < amiller> i wonder why it should matter if you have old proofs
12:51 < amiller> like
12:52 < gmaxwell> also, if you generalize this to cover the validation of whole old blocks (e.g. by making the chain a hash tree itself) and the fall off in proof size is exponential with more work, it means that the data required to sync the historical chain is some constant.
12:52 < amiller> if you have a proof that the nth block is valid and contains a proof that the n-1th block is valid and contains a proof etc etc
12:52 < amiller> why is it necessary to demonstrate possession of old history
12:53 < amiller> the only reason i think is to tolerate forks
12:53 < gmaxwell> amiller: It's not, assuming you have these proofs. (and forks, but forks don't _practically_ apply to _old_ data, for some definition of old, or the system is already doomed)
12:54 < amiller> then the work could probably be used on something more meaningful
12:55 < amiller> hm
12:55 < gmaxwell> I fully welcome someone going out and building UTXO checkpoints that prove faithful validation... thats likely a big engineering challenge however.
12:55 < amiller> i have been doing a lot of work with the pinocchio guy, which is tinyram's competitor basically
12:55 < amiller> we are trying to implement hashes and merkle trees in pinocchio
12:55 < petertodd> gmaxwell: Yeah, with the fraud % stuff I was talking about before you could use the PoW hash to select some subset of transactions/txouts to show proofs for, which as you say keeps the sync data required constant.
12:55 < amiller> pinocchio is a small C compiler but it has no ram unlike tinyram, so we have to approximate it with merkle trees
12:55 < amiller> he says that it's impractical for the time being to implement the recursive checker
12:56 < amiller> even though it's constant size it is a big constant
12:56 < amiller> we'd basically have to port the whole GMP library and bilinear pairing operation to this and it's just expensive
12:56 < amiller> but i'm really convinced now that recursive composition will work in a straightforward way
12:56 < petertodd> gmaxwell: The fraud possible would then be a function of literally some % of total outstanding UTXO value - though it really should take age into account given lost coins would then make the economic % of fraud possible go up.
12:56 < gmaxwell> amiller: there is a lot thats _possible_ but the engineering work and runtime requirements are still just too insane.
12:57 < petertodd> gmaxwell: (assuming the numbers work out so that the % is even meaningful)
12:57 < amiller> it's engineering yeah but it might be worthwhile in this case
12:57 < amiller> even the cost of building the proofs diminishes if it can be parallelized/distributed
12:57 < amiller> which it can
12:58 < gmaxwell> petertodd: So I even wonder if the worrying about subsetting single blocks makes sense when you could just subset out whole blocks. So long as you could produce a locally testable proof of a single block (which we can, if we have a committed utxo).
12:59 < gmaxwell> petertodd: so the idea is that for the old history you forget whole blocks forever, selected by the hash of new blocks... and just retain some fraction along with the locally testable proof (utxo fragments that let you validate the block).. would be interesting to work out the cheating economics.
12:59 < petertodd> gmaxwell: We don't even need committed utxo really: in your proof just provide the txouts spent by that block a level deeper.
13:00 < gmaxwell> petertodd: hm. it's true, you just need the SPV fragments for all the inputs.
13:00 < petertodd> gmaxwell: It'd all work especially well for the simpler interactive case where you're just trying to make sure the UTXO set a peer gave you is actually valid - best of all if we screw up we can change the algorithm without even a soft-fork.
13:01 < gmaxwell> Yea, in the interactive case this is all a lot stronger. But if we want to make historical storage a constant, interactive is out.
13:01 < petertodd> Sure, but point is we can engineer that *first*, and learn from it prior to doing the non-interactive version.
20:26 < petertodd> That PRNG was used in a *lot* of corporate applications, it's easy to discount how much it was used because public open source stuff knew better.
20:27 < jrmithdobbs> still.
20:27 < jrmithdobbs> now that we KNOW the traffic is being archived for statistical analysis?
20:27 < petertodd> RC4 still hasn't been broken fully...
20:27 < jrmithdobbs> it's been broken enough for the scale of collection we're talking.
20:27 < jrmithdobbs> since the early 90s
20:27 < petertodd> and unlike before, we can argue against RC4 on the "maybe it's actually fully broken" angle without being labeled as paranoid
20:28 < petertodd> we can also argue that opinions of people who argue otherwise should be discounted because we *know* that there are NSA plants out there
20:29 < jrmithdobbs> petertodd: ya and what about new software being implemented using things like cram-md5 because there's just no standards that point them at anything sane?
20:30 < petertodd> bbl
20:30 < jrmithdobbs> petertodd: when we start addressing real problems ... :(
20:38 < gmaxwell> jrmithdobbs: pre-snowden a lot of tech people were letting themselves believe that only ${muslim terrorists} were being targeted with this stuff, snowden leaks show that basically everyone is, including the leaders of allied countries. Compartmentalization kept most people from knowing the scope; though they might have guessed, they could easily convince themselves that they're paranoid.
20:39 < gmaxwell> jrmithdobbs: there was a massive shift in the IETF, all new standards for at least the next couple years will have people insisting and winning in their insistence on opportunistic encryption as mandatory. The people who used to combat that stuff with "waa waa you're paranoid, and waa waa we need higher speed for commercial purposes" have lost.
20:40 < adam3us> gmax: right; conveniently now the paranoid are proven right and get a wildcard to fix stupid problems and dismiss stupidity as likely sabotage (and there probably was and remains real sabotage at ietf committee, internal company design, code, NIST on nist side and nsa side and so on.
20:40 < gmaxwell> They stand at the mic and say these things still, but then people put snowden slides up on the projectors and those people sit down.
20:41 < gmaxwell> (This happened in both the webrtc working group and http2.0 working group in the last IETF, and I expect to see more of it in vancouver week after next.
20:41 < gmaxwell> )
20:42 < gmaxwell> adam3us: yea. exactly. The pro-crypto people have a free pass, and they're making some use of it.
20:45 < adam3us> gmax: updated chameleon hash thread with the ecdsa version, found and fixed a few problems, and realized its actually got an extra property - bob cant forge at all if alice reveals the contract
20:47 < adam3us> the other extremely nice thing about the snowden leaks and shaming of NSA for illegal dangerous to society and democracy behavior is it finally swept away the last of the 911 security vs privacy which was a brake on privacy tech startup activity; anyone interested in privacy tech has the moral authority for the next decade, and thats a fantastic asset
20:49 < adam3us> it puts the shoe on the other foot; its no longer but wont criminals or terrorists hide; rather its like i was saying the types of things hal was saying - the onus is on the opposer to explain why they want to bypass the mechanism for exercising of legally protected rights of freedom of speech & association
20:51 < adam3us> and the trump card is lost: they cant say trust us thats only used for terrorists; we know it was used for everyone, and even abused in clearly non-terror cases as an undisclosed source (with some fabricated cover story of accidentally stumbling upon the "crime") judges were not amused to find that, and already there are some decisions informing the accused
20:51 < petertodd> It's also a money thing too: the leaks have shown you can't trust US companies and US cloud computing services, which is already having a very real impact, for instance IBM hardware sales to China have dropped by about 40% already.
20:52 < petertodd> This kind of thing sends money to companies that aren't as suspect, and in turn reduces US influence on standards and hardware.
20:53 < adam3us> all the political lobbying and real or faux reaction from euro politicians: i think they should just funnel a few bil euro of their r&d framework towards end2end encrypt everything (the eur r&d budget is a scary thing - they spend billions and billions on academic / industry demonstrators and "applied research" most of which is crap)
20:54 < petertodd> A similar situation is with the ITAR controls on things like gyroscopes: at work I have to have an ITAR security clearance because we use missile guidance grade gyroscopes, and the system we're building is itself an ITAR controlled good. But the ITAR requirements are sufficiently onerous that it's making this tech available from non-itar-signatory countries; we'll soon be able to ditch a lot of our US-made equipment for Russian-made, and even Iranian-made in some cases. (!)
20:54 < petertodd> Push money into non-US hardware companies and you'll be able to buy fully-Chinese made hardware, and setup systems where both the US and China would need to co-operate to break it.
20:54 < adam3us> yes its a bad day to be a us cloud company, and probably a bad day to be a cloud company at all: it has shown the cloud cant be trusted, at least not without end2end encryption which only properly works for dumb storage without efficient FHE (tahoe-lafs is probably about as smart as secured cloud can get without fhe)
20:55 < petertodd> adam3us: yup. Trusted computing can change that of course, and as I said above, we'll hopefully get competing US and Chinese and others implementations of it.
20:57 < adam3us> i am wondering if chinese made cpus, chipsets and network gear is better in fact - the chinese dont have anything against me, they're just interested in suppressing domestic political agitation and the odd bit of industrial espionage; apparently stallman uses some chinese cpu laptop
20:58 < adam3us> everything i'm doing that i care about is open source and open spec anyway so the chinese have no interest and even seem neutral on bitcoin. vs the us is not to be trusted
20:59 < adam3us> petertodd: problem with trusted computing is trusting the manufacturer, though there are interesting things you can do with it, eg people were talking about a tpm secured remailer, its a toolkit for making arbitrary multi-party-computation
21:00 < petertodd> for sure, and it doesn't need to be better, just different. Even if the US and China were co-operating, it'd be easy to imagine situations where layering both techs would result in unbreakable systems. For instance, a US and Chinese PRNG may be broken by either, but in such a way that the combination can't be broken by either.
21:00 < adam3us> petertodd: which is really hard to do efficiently directly, where with a tpm you can use remote attestation and tpm key management, trusted non debuggable agents, sealed disk storage and ring -1 protected ram to protect it
21:01 < petertodd> adam3us: I need to write up a paper on my thoughts on how to make useful open-source remote attestation capable gear; I do think it can be done with auditing schemes and careful hardware design.
21:01 < petertodd> too many projects...
21:01 < adam3us> petertodd: and the tpm's are going deeper, on to the cpu die, the embedded mmu, and i presume on the fly encrypted RAM (rather than the external mmu curtain on ring-1)
21:02 < petertodd> adam3us: yup, intel's next gen stuff is going to look like that
21:02 < petertodd> adam3us: basically I think you can make stuff that's just as secure from physical tampering, and make it in such a way that you can still take the device apart and verify the hardware did what it claimed to do.
21:03 < adam3us> petertodd: if one could do those things (open source hw tpm) or mix of chinese & us implementations in a strengthening enforcing way maybe could build a multi party RPOW with bitcoin inflation control :)
21:03 < petertodd> adam3us: for sure, and with such devices you can make my fidelity bonded banking stuff work in practice.
21:03 < adam3us> petertodd: that can solve many problems if the tpm can enforce hard to enforce issues, efficiently, scalably and without broadcast
21:04 < adam3us> petertodd: one generic problem is its hard to defend hw security where the enemy is the hw owner & operator, as DeCSS found out the hard way
21:05 < petertodd> adam3us: yup, and with care, you don't need TPM's that are 100% unbreakable, just ones that have useful lower-bounds on how expensive it is to break any individual TPM
21:05 < petertodd> adam3us: right, and manufacturer and assembler should be added to that list too
21:06 < adam3us> petertodd: tpm-world is like a corporate firewall, if the nsa gets its nose inside there via a forged TPM signing key which is actually running in software what was supposed to be in hw, its a squishy insecure interior
21:06 < adam3us> petertodd: i am hoping instead we get fast enough FHE that people can build custom chips to do it in usable speed
21:07 < petertodd> adam3us: yeah, so the trick is build hardware where a third-party can take a whole production run of the hardware, tear some devices apart, verify they do what they claim to do, and sign the rest as authentic
21:07 < adam3us> petertodd: they clearly need something useful to do with 6.2bil transistors of the latest 2816 core amd offering
21:07 < petertodd> FHE?
21:07 < adam3us> fully homomorphic enc
21:07 < petertodd> ah
21:07 < petertodd> FHE can't do things like verify that Tor nodes aren't logging though
21:08 < adam3us> petertodd: it might be able to
21:08 < petertodd> how?
21:09 < adam3us> petertodd: there are some mind bending what ifs if you had it, eg could it do remote attestation, could it do ZKP of what code it ran (SCIP)
00:37 < amiller> generated by the verifier (the person who's about to accept a connection if the puzzle is responded correctly)
00:37 < gmaxwell> and what happens next?
00:38 < gmaxwell> (what does the responder do with the challenge?)
00:38 < amiller> you use that challenge as seed to a prf to generate random plinko paths down the tree
00:38 < amiller> the responder returns with some k number of merkle tree branches each long n
00:38 < amiller> log n*
00:38 < gmaxwell> great and you do that and you conclude that you should end up at ID 8
00:38 < gmaxwell> and then you compute H(verifierID || 8)
00:39 < gmaxwell> Where is your storage hardness? :P
00:39 < amiller> you need to produce the whole merkle branch
00:39 < amiller> that's really hard unless you've precomputed and stored it
00:39 < amiller> maybe it should be H(verifierID || proverID || i)
00:39 < amiller> so that multiple people can't share the same disk to sybil connect you
00:39 < amiller> but still the point is you make the leaves easily computed
00:40 < gmaxwell> amiller: nah, I can compute the data once, and just store the top N levels of the tree. (just a few hashes)
00:40 < amiller> but you make it so you basically need nearly all of them to answer a response
00:40 < gmaxwell> then I get a 2^N speedup in computing the answer.
00:40 < amiller> i see and then recompute some of them
00:40 < amiller> hm.
00:40 < gmaxwell> (I actually have a solution to this, I'm toying with you to see if you come up with it too, I was surprised at how long it took me)
00:40 < gmaxwell> (or if you come up with another one)
00:41 < amiller> uh, well, the next thing i usually think of is where each leaf depends on the previous so you actually have to compute them sequentially
00:41 < amiller> but that's hard to verify efficiently (at least i don't know how)
00:41 < gmaxwell> yea, but then how does the verifier not have to do the same
00:41 < gmaxwell> exactly.
00:42 < gmaxwell> okay, I give you my solution: https://bitcointalk.org/index.php?topic=310323.0 (when you care to look, it's simple)
00:42 < amiller> there might be trapdoor kind of things where the verifier has a shortcut but the prover has to do it sequentially
00:42 < amiller> that kind of thing is generally much easier in this interactive setting
00:44 < gmaxwell> amiller: yea, I came up with something which followed that description pretty exactly using fully homomorphic encryption. (Basically the challenger asks the prover to run a secret sequential function, saving the intermediate results.. and with knowledge of the function the challenger can instead run an algebraically simplified version) but FHE = yuck.
00:45 < gmaxwell> fortunately there is a simpler way.
00:46 < amiller> i've read that three times (at various times in the last two weeks) and haven't gotten it
00:46 < gmaxwell> wow, sorry. :(
00:46 < amiller> but now that i've paged in all the other naive ideas i can probably close the gap now
00:46 < amiller> "The server then can periodically pick a random index and perform log2(size) hash operations to determine the value at that index and then can challenge the client to provide the corresponding index for that value.
00:46 < amiller> "
00:46 < amiller> could you write that part out?
00:47 < gmaxwell> H(verifierID || proverID) is the seed to a tree structured pseudorandom function. E.g. you have efficient random access to this pseudorandom function.
00:47 < gmaxwell> the prover hashes the leaves of this function and stores the results.
00:48 < gmaxwell> The verifier picks a random leaf, computes its hash, and challenges the prover to tell it the matching index.
00:48 < amiller> i get how {Left, Right} = H(seed) is used to construct the tree the first time
00:49 < amiller> ohhh..... you sort the leaves when you're done
00:49 < gmaxwell> Right.
00:50 < amiller> can't you estimate the path for a value pretty closely
00:50 < gmaxwell> I'm asking you to have performed precomputation for a preimage attack on this function.
00:50 < gmaxwell> If you only know the seed and I ask you "What index leaf value begins with 0xDEADBEEF" what do you do?
00:51 < gmaxwell> There is nothing to estimate, its strongly pseudorandom, you couldn't do better than decoding sequentially until you find 0xDEADBEEF
00:52 < amiller> okay i think i get it
00:52 < midnightmagic> gmaxwell: It's computed on-the-fly as the server asks for it?
00:52 < midnightmagic> (first time rather)
00:53 < gmaxwell> midnightmagic: first time, I suppose. But the idea is to pick parameters where if you don't store the result you'll be wasting a ton of computation recomputing the whole thing for every challenge.
00:53 < gmaxwell> Where otherwise it would be just a couple IOs to find the right answer.
00:53 < amiller> it takes n log n setup time
00:53 < amiller> where n = 2^k
00:54 < midnightmagic> gmaxwell: I imagine the guard time to allow the client time to compute would be spent just idling? What happens before the table is finally computed?
00:55 < gmaxwell> midnightmagic: if you made the seed H(your ip || peer's IP) you could actually compute it offline before ever trying to connect to them.
00:55 < gmaxwell> (argument against actually using IPs is nats, alas... more practically you could connect, get your challenge and get kicked off, then come back later with your table built)
00:55 < midnightmagic> gmaxwell: In order for the server to verify that, it would also need to do it, but it doesn't know in advance who's going to connect?
00:56 < gmaxwell> midnightmagic: nope, the idea here is that the server doesn't need to do anything expensive to verify.
00:56 < gmaxwell> The function is fast to run in one direction, but not the other. :)
00:56 * midnightmagic reads it again..
00:57 < midnightmagic> ah.
00:57 < gmaxwell> The server picks an index at random, and then does log2(N) hash operations to find the leaf value at that index. (thats cheap)
00:57 < gmaxwell> then it gives you the leaf value and asks you for the index.
00:58 < midnightmagic> I guess Evil Server sits and listens for 50,000 incoming connections, has the client do single lookups, and disconnects without actually being a bitcoin node?
00:59 < gmaxwell> midnightmagic: perhaps. The way I envision this is that you'd have a server you already like, and you do this protocol with it to get yourself a privileged connection slot. So if the server gets dos attacked you don't get punted.
00:59 < midnightmagic> so we're talking one-way trust in that case. client knows the server is happy, server doesn't know the client is happy.
01:00 < gmaxwell> so if nodes are doing this only with servers they already like, the evil server attack isn't so concerning... but indeed, thats a point.
01:00 < midnightmagic> makes sense, I like it.
01:00 * midnightmagic files away conceptual technique for application to other things
01:01 < midnightmagic> the tahoe people were trying to do proof-of-storage to try to prevent servers from claiming they had data but actually not having it at all, and misleading clients into thinking the file was safe.
01:01 < midnightmagic> (without transferring the files)
01:05 < gmaxwell> this only works, sadly, with random data... but the reason for that is it requires the verifier to have never done the work. if you don't mind the verifier having had the data at one time, you can do this easily.
01:05 < midnightmagic> i wonder if the prng seed could be used to build an un-precomputable path through the blockchain
01:08 < midnightmagic> i guess that doesn't increase resources more than every bitcoin node already has.
01:08 < gmaxwell> sure but you'd have that same data for all peers, so it wouldn't stop you from connecting to 100k nodes successfully.
01:09 < gmaxwell> (otherwise, yea would be best to make the data bitcoin data, since the verifier already has that, and it's in our interest to copy it)
01:34 < amiller> gmaxwell, https://gist.github.com/amiller/7131876 http://codepad.org/Nzp2Vdsk
01:34 < amiller> seems fine to me now, i buy it
01:44 < amiller> i don't know why no one has done that before but i don't think i've seen anything like it
01:44 < amiller> really cool
01:52 < amiller> hrm it kind of isn't such a great tradeoff because there's a long setup time
01:52 < amiller> i mean, the setup time is the time to fill the disk, plus to sort it
01:52 < amiller> you would want like a btree kind of sort anyway which would be kind of slow
01:52 < amiller> i guess that's where the idea left off
02:00 < amiller> it would be really good to reduce the I/Os by the k factor
02:01 < amiller> the merkle tree based solutions have that problem too, pretty much
02:01 < amiller> well not exactly because you can go straight to the data which can be larger than the index
02:32 < gmaxwell> amiller: did you see my similarly structured idea for lamport keys? I've still not seen anything like that either, they're kinda related.
02:32 < amiller> gmaxwell, no
02:35 < gmaxwell> amiller: so, you have a firm mental model for lamport right. And that you can put your public key in a hashtree and use the root.. when you sign you reveal the preimages selected by the message bits and then only the minimum necessary set of tree fragments to show that your preimages came from the right public key
02:35 < gmaxwell> e.g. you can send less than hash_size * 2 hashes because of common branch compression in the pubkey.
02:37 < gmaxwell> So take the same idea and use the same kind of tree csprng to expand a single secret value to all your secret values. Now when signing you can do the same kind of tree compression of the hash preimages! you selectively reveal chunks of the tree-csprng state so that the verifier can recover the preimages you were required to reveal and no others.
02:38 < gmaxwell> this is actually far more powerful for things other than lamport though.
02:38 < gmaxwell> It has powerful applications to making protocols for secure permutations (e.g. voting) use less bandwidth.
12:29 < adam3us> gmaxwell: i mean in principle if u dont know the key, you learn nothing other than you dont have the key whether the resulting point is on the curve or not?
12:29 < gmaxwell> adam3us: go see petertodd's stealth address post in bitcoin-dev
12:29 < adam3us> gmaxwell: yes i read that at the time.
12:30 < gmaxwell> He proposed, in passing, to encrypt the nonce used in the transaction with e.g. H(stealth address). This is bad because if you have a large list of stealth addresses you can test transactions to see if they might be related to one stealth address or another.
12:33 < adam3us> gmaxwell: ok so nonce is the wrong term i guess; he said "payor generates nonce keypair P=eG" less confusing to call that an ephemeral keypair. the only nonce in DSA could arguably be k.
12:39 < petertodd> adam3us: basically something like 1 in 256 arbitrary 33 byte strings are valid ECC pubkeys, so decrypting and checking gives you a lot of statistical info that it shouldn't
12:39 < adam3us> petertodd: i did not find the encrypt with H(addr) so I dont know what you are encrypting yet, but if you are encrypting with something unknown to the attacker i do not see the attack
12:40 < petertodd> adam3us: well the stealth address is known to our attacker in my attack model
12:41 < adam3us> petertodd: is not the stealth address S=dP=eQ ie unknowable if u do not know d or e
12:42 < petertodd> adam3us: we're talking about the sender ephemeral pubkey, the one that goes into an OP_RETURN txout, I suggested encrypting that data so that it wasn't obvious if the transaction was or was not a stealth tx
12:42 < petertodd> adam3us: gmaxwell's point is that the encryption leaks info because you can trial decrypt, and if the result is a valid pubkey, you know you have a high probability of having guessed the right stealth addr
12:42 < adam3us> petertodd: ok as far as that goes, why dont you use one of the input addresses as the ephemeral pub key
12:43 < petertodd> adam3us: because that leaks info to the receiver about which txin did the money come from, and also makes assumptions about how you fund the tx
12:43 < adam3us> petertodd: still if its proper encryption with a key unknown to the attacker you can trial decrypt until the heat death of the universe ;) and only explore which are on the curve and not, which has a known probability distribution... and so what?
12:44 < petertodd> adam3us: the thing is in this case the attacker *does* know the key, only the weaker attacker doesn't
12:44 < petertodd> adam3us: the weak attacker is worse off, but the not so weak attacker is much better off - bad tradeoff
12:45 < adam3us> petertodd: how did u arrive at a threat model where the attacker knows your decryption key?
12:45 < petertodd> adam3us: because it's in the stealth address itself
12:52 < adam3us> petertodd: so you are talking about encrypting P the ephemeral pub key, using the hash of the stealth pub key S (presumably a diff hash than the one used to compute the stealth address as that is also public). now S=dQ and Q is the recipients static receive address. and S=eP, and P=dG d is only known to the sender. But e is known to the recipient Q=eG. so the recipient has a catch 22 he doesnt know d so he cant compute S=dQ, and he knows
12:52 < adam3us> petertodd: seems stuck in circular dependency
12:54 < petertodd> adam3us: the point is to hide the transaction from weaker attackers who *don't* know the stealth address, which is a valuable thing. but it's not worth it if it makes it easier for attackers who do know; there's no circular dependency there
12:55 < petertodd> adam3us: read my post again and you'll see what I mean
12:55 < adam3us> petertodd: the original post or one of the 5 followup posts? (i didnt find it yet)
12:55 < petertodd> adam3us: my original
13:01 < adam3us> petertodd: ah ok so u want to encrypt it with H(Q) not H(S). gmaxwell had said "you suggested in your message that the nonce could be encrypted with H(stealth address)" ok so the stealth address is Q, not S, and actually I see you changed to Q' in the write up over previous IRC here. fine. yes gmaxwell is right.
13:02 < adam3us> petertodd: but why do you want to encrypt ephemeral pub key P at all? to obfuscate that this is a stealth payment? who else makes 0 value payments to invalid addresses?
13:05 < adam3us> petertodd: "the [ephemeral] keypair [P...] is included in the transaction in an additional zero-valued output: RETURN <P>" what is that an ignored, UTXO compactible, 32 byte message?
13:29 < gmaxwell> adam3us: he wanted to obscure that it was a stealth payment maybe share anonymity set with a timestamping thing.
13:30 < gmaxwell> But no joy.
13:30 < adam3us> gmaxwell: ok hence the elligator thread.
13:32 < adam3us> gmaxwell: its a classic steganography requirement. all decryptions must be equally plausible. alternatively he could send P+Q and hash2curve his timestamp hashes :)
14:01 * nsh looks at this twister.net.co thing
14:33 < nsh> libboost-dev is 60Mb....
14:33 < nsh> (with all the attendant repocruft)
14:36 < nsh> wait, another 139Mb for libboost-all-dev
17:40 < gmaxwell> https://soundcloud.com/rdlmitedu/140113_0001-wav Matt Green presents Zerocoin/Zerocash at Real World Crypto 2014
17:45 < Luke-Jr> gmaxwell: is it practical now?
17:46 < petertodd> gmaxwell: they released a paper yet?
17:46 < jron> petertodd, no paper yet afaik.
17:47 < nsh> has anyone looked at how twister is using the blockchain/PoW and to what degree it's sane/scalable?
17:47 < petertodd> nsh: it's awful, for instance there is a per-tx PoW, yet the difficulty for that PoW is hard-coded
17:47 < nsh> mm
17:48 < nsh> it is viable in principle though?
17:48 < maaku> gmaxwell: anything new presented at that talk?
17:48 < nsh> seems to be very early alpha, so maybe all kinds of silly parametric decisions/hacks
17:48 < petertodd> nsh: no, there's no incentive built into the system other than the ability to spam other users with messages... and no way to guarantee the messages will be shown in the UI
17:48 < nsh> :/
17:49 < gmaxwell> maaku: I haven't listened to it yet, I peppered jron with some questions.
17:49 < maaku> k
17:49 < petertodd> jron: pity
17:49 < jron> Luke-Jr, it sounds like the only thing they add to the blockchain is 288 bytes
17:49 < petertodd> nsh: it should have used an existing name thing like namecoin
17:49 * nsh nods
17:50 < petertodd> jron: small enough it doesn't need to be a separate chain, although my understanding is they're making it one
17:50 < jron> petertodd, correct. they are calling it "zerocash"
17:50 < gmaxwell> jron: Oh, I'm pretty sure its a bit more complex than that. At a minimum it should be their proofs plus one or two additional hash trees.
17:50 < petertodd> jron: and totally separate PoW right?
17:50 < gmaxwell> jron: Did they say anything about recovering space from old completed transactions? (e.g. analogous to pruning in bitcoin)
17:51 < jron> petertodd, there was no mention of their PoW function.
17:51 < gmaxwell> I had a couple ideas for how to achieve pruning in a zerocash like system but they all were kinda ugly and had tradeoffs I didn't like.
17:52 < petertodd> jron: heh, hopefully they'll take my advice from last summer and do a proof-of-sacrifice or bitcoin timestamped+pos for proof-of-publication
17:52 < jron> gmaxwell, there was no talk of pruning that I heard.
17:52 < gmaxwell> jron: :(
17:52 < jron> petertodd, I assume proof of sacrifice is destroying btc?
17:52 < petertodd> jron: yup
17:53 < jron> I was thinking about that on the drive home.
17:54 < petertodd> jron: basically you need to be able to securely order the transactions to solve double-spending, which is easy, and also come to consensus about what chain has the most "users" in a sense. pow is a really simple way to do both, but is vulnerable to attack.
17:54 < nsh> that soundcloud recording is 600% reverberation by weight
17:54 < nsh> :/
17:54 < petertodd> nsh: I hear it was held in a big church :/
17:54 < nsh> shame
17:54 < gmaxwell> jron: can you go compare zerocash with zerocoin for the channel? (I know some things from private conversations that I haven't told people here which were probably disclosed in the talk, but it'll take a couple hours before I can listen)
17:58 < Luke-Jr> anyone have any legal contacts with Google?
17:58 < maaku> Luke-Jr: as in with Google's lawyers?
17:58 < Luke-Jr> maaku: yes, or anyone who can help me get Nest thermostats GPL compliant :p
17:59 < jron> I need to relisten but it sounds like they ripped out a lot of the code from libzerocoin. They also cut the proof size down from about 4KB to 288 bytes and the verification time down to milliseconds.
17:59 < maaku> holy cow, $3.2 billion for a thermostat?
17:59 < Luke-Jr> maaku: it's a smartphone inside
18:00 < Luke-Jr> and right now it gives the company complete control over your home temperature :/
18:00 < jron> the trade off for the verification time is it takes about 2 minutes to perform a transaction in addition to the confirmation time.
18:01 < petertodd> jron: 2 min on what kind of machine?
18:01 < jron> petertodd, single core current gen
18:01 < petertodd> jron: not bad, is the computation parallelizable?
18:02 < jron> petertodd, he didn't say. I assumed it was but that is a great question.
18:02 < maaku> Luke-Jr: most effective, but asshole method for compliance is to get a blog post calling them out on the front page of HN
18:02 < maaku> it'll be fixed within hours
18:03 < petertodd> jron: if the computation can be outsourced in any way would be really interesting too
18:03 < jron> he also mentioned a large blog that is required to spend coins. the size is about 1.2 GB.
18:03 < maaku> jron: 2 minutes to *verify* a transaction, not sign?
18:03 < jron> large blob*
18:03 < petertodd> jron: is the 1.2GB akin to a private key, or some shared data structure everyone just needs?
18:03 < maaku> ok n/m reading fail
18:03 < jron> maaku, verification is sub second.
15:43 < gmaxwell> adam3us: but then you're demanding that every single financial transaction ibm engage in be globally visible. every hardware purchase, every paycheck, every invoice.
15:43 < gmaxwell> "uhh"
15:44 < adam3us> gmaxwell: dont forget about homomorphic encrypted value for commercial confidentiality
15:44 < gmaxwell> And of course they could just say that they're going to be issuing against this separate account and please pay to it, because they won't ship you your hardware if you don't do as they say. Who's going to argue with that.
15:44 < gmaxwell> just seeing the volume of transactions in total is a big confidentiality leak...
15:44 < adam3us> gmaxwell: i am not saying anyone can try to do all that now i am saying i think that is the future for financial networks, putting more and more of it under apriori rule enforcement to reduce systemic risk
15:45 < adam3us> gmaxwell: encrypted value, it has to happen, bitcoin is not suitable for commercial confidentiality (or even private confidentiality - a few people get paid in bitcoin it leaks far too much)
15:46 < gmaxwell> adam3us: okay sure. Every layer of this you add though you move it further away from something which even sounds remotely practically achievable today. I'm happy to move in that direction, but one of the reasons I think cypherpunk vision failed almost completely in round one (save for keeping strong crypto from being outlawed) is because the bridge building failed. I'm happy to think one or two steps ahead, but I think you're going ...
15:46 < gmaxwell> ... too far for me to care. :) I just want fungible flexible highly trustworthy ecash. :)
15:47 < adam3us> gmaxwell: sure, step 1 fungibility
15:47 < adam3us> step 2 maybe distributed security for share issues
15:48 < adam3us> DBC (colored coins, though not necessarily using coloring nor bitcoin nominal value payments)
15:48 < gmaxwell> (and, as an aside, I'm worried about fungibility measures in bitcoin being politically difficult if we don't get them in fast... e.g. if we get norms around blacklisting naughty coins and such, then any fungibility measure will be a tool of evil.)
15:49 < adam3us> mostly explaining why i think it matters to have bearer and distributed enforcement for stocks, often the direction things take is a side effect of interim decisions
15:50 < adam3us> gmaxwell: yes... i was starting to think maybe i am missing some aspect of committed tx, maybe committed tx plus more efficient homomorphic value, can do something interesting zc like but without the overhead
15:50 < gmaxwell> well there are ways to do ZC with reduced overhead.
15:50 < adam3us> gmaxwell: ie dont check the inputs match the outputs, check all inputs add to all outputs
15:50 < gmaxwell> but uh you might not like the security tradeoffs. :P
15:50 < adam3us> gmaxwell: ok that'll work too :
15:50 < adam3us> oh
15:51 < adam3us> gmaxwell: i had one more idea too but i didnt crack the crypto yet, to make a blind proof of work
15:52 < adam3us> gmaxwell: then you can prove your tx is confirmed, the depth of the confirmation, that it adds up (encrypted value) basically bitcoin in zero knowledge!
15:52 < amiller> the blind proof of work still has pretty unclear benefit even if you just assume abstractly you have free ZK
15:52 < maaku> the ZC bloat is in the scriptSig though, right?
15:52 < gmaxwell> for example, there is a pairing crypto way to do the accumulators which is much more space efficient. :P There is also a fiat-shamir way where you can use the blockhash to do a cut-and-choose to compress your proof.
15:53 < adam3us> gmaxwell: zc uses fiat shamir transform in their cut-and-choose already right
15:53 < gmaxwell> maaku: not only, you need to have a growing anti-doublespend list.
15:53 < gmaxwell> adam3us: I know, but I'm pointing out that you can use the blockchain to compress it further. :P
15:53 < maaku> o_O !!
15:53 < adam3us> gmaxwell: ok, every bit helps
15:53 * maaku goes to read the paper, finally
15:53 < adam3us> gmaxwell: feel free to write that up sometime on bct
15:54 < gmaxwell> I did. uh, in some random thread.
15:55 < gmaxwell> The point is that you can do an interactive hashtree proof where you interact with the network. E.g. you give the miner a big proof, and the block hash tells it how to subset the proof. Because the block hash requires 2^lots work, creating a false proof is at least as expensive as mining many blocks and throwing them away.
15:55 < adam3us> amiller: point of blind pow is you could then prove in zero knowledge that your transaction is validated
15:56 < adam3us> amiller: its not enough by itself, lots of other detail level issues arise but its an interesting direction towards fungibility motivated anonymity
15:57 < adam3us> amiller: but its kind of moot so far as i cant seem to make an efficiently verifiable blind proof of work
15:57 < gmaxwell> the weird thing about my blockhash stuff is that in the common models of analyzing the security of fiat-shamir it adds nothing, because you normally assume that taking the proof commitment and turning it into random validation queries is O(1).
15:57 < maaku> "and check that S does not appear in any previous transaction" <-- I see.
15:58 < maaku> I somehow missed that before. So space wise this isn't actually an improvement over straight chaum ecash, is it?
15:58 < gmaxwell> maaku: yea, so if you don't want it to suck you have to have lifetime limits on ZC pools.
15:58 < gmaxwell> (so you could 'prune' off the anti-replay lists)
15:59 < gmaxwell> the network could also potentially outsource the anti-replay list storage by storing them in trees and having update proofs for them with the transactions.
15:59 < gmaxwell> which then makes the system more like PT's MMR-coin stuff, conceptually.
15:59 < adam3us> gmaxwell: interesting, seems to be somewhat related to the merkle pow for reduced variance
16:02 < gmaxwell> https://bitcointalk.org/index.php?topic=284194.0 < I mention it as a throwaway comment at the bottom here.
16:03 < gmaxwell> though I wrote it up on a long PM conversation with iddo. (I was suggesting it in the context of improving the scalability of the SCIP stuff based on the locally checkable code stuff.)
16:08 < gmaxwell> (basically in that post I show how to make cut-and-choose random encrypted shuffles use log(security) bandwidth, and then point out that you can do the block hash thing because I thought I should put the idea out in public in case some shithead comes along and tried patenting it :P )
17:06 < jtimon> gmaxwell adam3us I still fail to see why traceability implies revocability
17:07 < jtimon> even with centralized redemption, I don't see how IBM shares are more revocable than bitcoins
17:08 < jtimon> basic colored coins do not provide support for KYC compliance
17:08 < gmaxwell> jtimon: because IBM can be ordered to ignore shares traceable from some point, and to credit some other shares instead. You can trade these shares still, but without IBM's future support they only have novelty value. :P
17:09 < jtimon> but why would IBM be ordered to break its contract?
17:09 < maaku> jtimon: legal pressure
17:09 < jtimon> I don't see the example
17:10 < maaku> maybe response to theft, trying to reverse a ponzi scheme, etc.
17:10 < jtimon> so Bob steals from Alice and sells to Carol, who sells to David...why should Z be punished for Bob's crime?
17:12 < jtimon> I'm assuming non-authorized assets where the issuer doesn't know the bearer's identity
17:12 < Luke-Jr> gmaxwell: how about this argument: if IBM runs its own stock exchange, it needs to make sure only licensed investors buy in; with coloured coins, supposedly there is no way to require IBM to do this
17:13 < jtimon> Luke-Jr freimarkets supports KYC compliance, but it's of course optional
17:14 < Luke-Jr> KYC isn't related to this
17:15 < Luke-Jr> this is "if Joe isn't a licensed investor, he is not allowed to purchase shares"
17:15 < jtimon> well, by authorized assets I mean all those limitations
17:16 < jtimon> a closed list of licensed investors is the same as a closed list of authorized users (previously identified by the issuer)
17:16 < Luke-Jr> anyhow, it's silly to do this with a public blockchain
17:16 < jtimon> the way we do it is actually pretty stupid but very flexible
17:17 < Luke-Jr> as long as people are complying with the restrictions anyway, they should just host their own stock registry
17:17 < jtimon> require an "authorizer" to sign all transactions including that asset (but yes, it's stupid in almost all cases)
17:18 < jtimon> yes, if you're going to sign everything, the only reason not to run your own off-chain ledger is to provide more transparency
17:19 < jtimon> I know a local currency designer that needs this, although I don't think his "100% transparent currency" is a good idea
17:20 < maaku> Luke-Jr: I agree it's stupid, but it's something people ask for, to achieve regulatory compliance...
17:20 < Luke-Jr> maaku: using a blockchain instead of hosting it at the company, does not help regulatory compliance
17:20 < Luke-Jr> you can disclose your private "blockchain" if you want transparency
17:21 < maaku> ? no i meant the KYC/authorized accounts
17:21 < jtimon> would bitstamp be issuing in ripple if they didn't have a non-scalable version of this?
17:21 < maaku> doesn't matter if it's on public chain or private server
17:21 < maaku> as to using the public chain for asset issuance, i see very limited uses for that
17:22 < jtimon> the most obvious ones are small issuers who can't run their own server and don't want to trust a server
17:22 < jtimon> but shares is also interesting
17:23 < jtimon> are
17:23 < jtimon> even if redemption is centralized, there's zero trust in accounting and exchange
17:24 < maaku> IBM, for example, would probably contract out to another company that handles hosting the gateway exchange and KYC compliance (making sure transactions only involve registered securities professionals, etc.)
18:03 < gmaxwell> jron: sounds like he actually didn't give a lot of technical details.
18:04 < jron> gmaxwell, it was a basic overview.
18:04 < Luke-Jr> maaku: HN?
18:04 < gmaxwell> This is annoying, because I actually can answer all of these questions.
18:04 < michagogo|cloud> Luke-Jr: Hacker News
18:05 < michagogo|cloud> Luke-Jr: So I'm guessing you already saw https://nest.com/legal/compliance/ and it's incomplete?
18:05 < gmaxwell> well, in any case, I don't think I'm giving anything away that I hadn't guessed at before I'd talked to them. They're using a ZK-SNARK based on the GGPR 2012 paper, this is the CRS-assumption pairing crypto knowledge of exponent assumption for quadratic arithmetic programs stuff that is used in pinocchio and the tinyram papers.
18:06 < jron> petertodd, he describes the 1.2 GB dataset as a large set of public params required to spend coins.
18:06 < gmaxwell> The proving side of this system is pretty highly parallelizable. I don't know the size of the proving key, since it's polylogarithmic in the size of the circuit being proved.
18:07 < Luke-Jr> michagogo|cloud: it's missing build/install stuff
18:07 < gmaxwell> The verification key and proof sizes are just dependent on security, and you can see figures on them in the vntinyram paper: http://eprint.iacr.org/2013/507
18:07 < michagogo|cloud> ah
18:08 < gmaxwell> But presumably they wouldn't use tinyram for this, they don't need turing complete to prove some anonymous transactions. Instead I expect them to prove hashfunctions and equality, and so a custom circuit could be a lot smaller.
18:09 < gmaxwell> (a straightforward implementation of SHA256 has 30k AND gates but most (90%?) of these are in 32 bit adders, and a 32 bit adder in a QAP takes just a couple gates instead of 65 in a boolean circuit)
18:10 < jron> they did mention the use of SHA256 and SNARK to achieve the proof size
18:12 < maaku> jron: did they go into any detail about how the public params were derived?
18:13 < jron> <jron> he did mention two possible options. the first was finding as many willing and "trusted" participants to create it in a semi-distributed fashion.
18:13 < jron> <jron> the second was writing software to do it p2p but he didn't go into specifics on how that could be pulled off.
18:14 < gmaxwell> ^ that was from when I asked in #zerocoin
18:15 < gmaxwell> So yea, the problem with the GGPR ZK-SNARK is that there is a set of asymmetric encryption keys and if _anyone_ knows them or finds them, then that party can trivially make false proofs.
18:16 < Alanius> I think I know what I'm reading tomorrow :-)
18:16 < Luke-Jr> gmaxwell: does someone *need* to know the private key?
18:16 < maaku> Luke-Jr: you need the private key to create the public params
18:16 < Luke-Jr> else, have lots of N people pick entropy to produce a public key for which there is no known private <.<
18:16 < maaku> so you need to trust that someone didn't keep a record
18:16 < gmaxwell> it has to be known temporarily to generate the public keys. At least unless you invoke some multiparty computation unicorn.
18:16 < maaku> or MPC
18:16 < Luke-Jr> so the public key can't be generated without the private key? :<
18:17 < nsh> someone needs to be trusted to forget something...
18:17 < Luke-Jr> Bernanke can do it!
18:17 < gmaxwell> At which point we're starting to recursively nest unicorns, since most efficient MPC stuff being written about works by using ZK-SNARKS to prove the players aren't cheating.
18:17 < nsh> lol
18:17 < gmaxwell> Basically the whole GGPR scheme works by reducing proving the correctness of program execution to proving you know the roots of some polynomials meeting some constraints.
18:18 < gmaxwell> What happens is that you find these polynomials and then encrypt them with the public keys produced in a prior initialization phase, and then also encrypt your roots.. And the cryptosystem has the right kind of homomorphism that the encrypted roots are still roots of the encrypted polynomial.
18:18 < petertodd> gmaxwell: pity, although I'll bet you the average person won't blink an eye at the "founders could fuck it all up" problem
18:18 < maaku> gmaxwell: wait, it's a valid question - is there some way you can just use random junk for the public portion, like say the first sequence of PI bits which satisfies whatever constraint is necessary?
18:19 < gmaxwell> maaku: no.
18:19 < maaku> k, fair enough :)
18:19 < gmaxwell> Since you have no freaking clue what points the polynomial is being evaluated at, you can't generate a fake polynomial that will pass the test. but if you have the secret data you know the points and its trivial to generate a fake proof.
18:19 * maaku demonstrates his ignorance of pairing crypto
18:20 < gmaxwell> maaku: basically you can pick random keys, but they won't agree with each other, since you need to both encrypt your roots and the polynomial in such a way as the result can still be tested.
18:20 < jtimon> https://groups.google.com/d/msg/bitcoinx/EntSAsMLFck/X-7h5sgnMNoJ
18:22 < petertodd> jtimon: pragmatic, but computational crypto-coins are admittedly a lot more interesting solution to that problem
18:22 < gmaxwell> in any case, I'd really suggest sitting down and reading the vntinyram paper, skipping over the mathy parts as you see fit.
18:23 < gmaxwell> Because the scipr-lab.org people have a public mailing list, and I have an existence proof now that they respond on it. :)
18:23 < gmaxwell> (linked here: http://www.scipr-lab.org/ )
18:23 < jtimon> petertodd: I don't think I understand you
18:23 < gmaxwell> while they probably don't know anything about zerocash, they do know the backend cryptosystem.
18:24 < jtimon> petertodd: what problem do you mean exactly?
18:25 < jtimon> petertodd: and what do you mean by "computational crypto-coins"?
18:26 < gmaxwell> Oh I linked the wrong paper earlier, the vnTinyRam paper is http://eprint.iacr.org/2013/879 and it has all the benchmark figures (and I strongly believe that the verifier numbers will apply to any zerocash proposal)
18:27 < petertodd> jtimon: basically, people have proposed much more sophisticated scripting languages, to the extent that the txin scriptPubKey could constrain txout scriptPubKey's, meaning that a txout with a scriptPubKey of a specific form would be proof that the txin scriptPubKey also had the correct form all the way back to some genesis txout, thus, colored coins
18:28 < jron> someone posted some of the key points from the zerocash presentation here: http://pastebin.com/Dd60ZaT7
18:28 < gmaxwell> petertodd: Zero knowledge computational crypto coins are even better for that.
18:29 < petertodd> gmaxwell: of course, after all, you write about coin covenants on trolltalk
18:29 < petertodd> gmaxwell: s/write/wrote/
18:30 < gmaxwell> jron: thanks!
18:30 < petertodd> gmaxwell: directly interpreted consensus systems can be upgraded to ZK systems after the fact
18:31 < gmaxwell> Yea, okay, so they point out there that the ZK based construction allows them to encrypt values to.
18:31 < gmaxwell> s/to/too/.
18:32 < gmaxwell> This is really important because it means that the anonymity set size is all transactions, not just all transactions with plausible values for you.
18:32 < gmaxwell> But it has some crazy consequences.
18:32 < gmaxwell> Like there becomes no way to even roughly gauge the size of the economy anymore.
18:33 < gmaxwell> It also interacts very poorly with the security assumptions... In zerocoin someone who compromised the magical RSA number could drain out an accumulator and steal all the coins in it. Which is bad but:
18:33 < jtimon> petertodd: I'm not sure I understand your claim yet though, you're just saying that you prefer other colored coins schemes over this one https://bitcointalk.org/index.php?topic=253385.0?
18:34 < gmaxwell> In a system with hidden values under ZK proof a CRS compromise gives unbounded undetectable(*) inflation.
18:34 < Alanius> you could estimate roughly the size of the economy by monitoring the transaction fees
18:34 < petertodd> jtimon: no, I'm saying I prefer schemes that allow for totally generic colored coins, or anything else you might want to do
18:34 < gmaxwell> (*) well, I suppose once you personally end up with more coins in your wallet than should exist you will then believe there has been a cryptosystem compromise.
18:34 < jron> gmaxwell, hah!
18:34 < maaku> Alanius: txn fees have nothing to do with txn values..
18:34 < gmaxwell> Alanius: perhaps! but you couldn't tell if a transaction was for 1 coin or 100000 coins.
18:35 < maaku> petertodd: what does "totally generic" mean?
18:35 < Alanius> sure, but it would be pretty stupid to fee 10 coins for 1 coin's worth of actual transfer
18:35 < Alanius> hence, "roughly" :)
18:35 < maaku> it'd be a lower bound ... but probably a very low lower bound
18:35 < gmaxwell> Alanius: normally in bitcoin like systems the fees are just proportional to the data size of a transaction, since that reflects the network's actual processing cost.
18:36 < maaku> but i think you understand that :)
18:36 < gmaxwell> maaku: you could force fees to be related to value.. I suppose, though that would be an information leak, plus it would be u. You can't have it both ways, I think. :P
18:36 < sipa> Alanius: when fees are free-floating and there's an actual market around, i suppose to some extent
18:36 < petertodd> maaku: if a scriptPubKey can restrict redemption to transactions with txouts with scriptPubKeys of forms that propagate those covenants, then you can create generic limitations on how the coins can be spent
18:37 < gmaxwell> heck you could even force a kind of value information leak from transactions. E.g. force under the zk proof for you to generate a randomly fuzzed version of your txn value which you make public. And then people could gauge the average economy size without any specific transaction giving away its size... but its not clear to me if being able to size up the
15:15 < petertodd> adam3us: ha! though it was a good learning experience re: worse-is-better
15:15 < amiller> i think it's a plausible idea
15:15 < Luke-Jr> maybe whoever-posted-that's problem is that they're only looking at ex-googlers
15:16 < amiller> would be hard to show it works for x86 without really well identifying x86
15:16 < amiller> you could do something where anything other than the given architecture uses slightly more power or something
15:16 < adam3us> petertodd: well i just think timestamping is a cleaner and simpler problem and bitcoin could do with dependencies untangling if its at all possible because the heavy cross design links make it nearly impossible to change anything significant
15:16 < petertodd> adam3us: WTF? the current POW algorithm already makes botnets unprofitable compared to ASICs :(
15:17 * Luke-Jr notes making a x86 POW effectively makes the entire x86 spec part of the bug-for-bug bitcoin protocol
15:17 < petertodd> adam3us: yes, although you have to be careful to make sure your system doesn't need proof-of-publication, or that to the extent it needs it, you have the incentives right so that POP is actually working
15:17 < adam3us> x86 mining: i tried to interest schneier and kocher and kelsey and gilmore (people who worked on DES EFF cracker from some years back) if they would like to collab/ comment on making ASIC unfriendly design
15:18 < petertodd> Luke-Jr: and x86 POW becomes more and more attractive to ASICS as more features are added to x86, reducing the amount of silicon you are actually exercising...
15:18 < Luke-Jr> why are people obsessed with making this "ASIC unfriendly"?
15:18 < Luke-Jr> ASIC is the ideal
15:18 < petertodd> Luke-Jr: because if you are ASIC friendly control of bitcoin is centralized in the hands of about 2 to 3 companies
15:18 < adam3us> x86 mining: kocher had some comments which were similar to this x86 concept basically do a lot of dynamic things relying at bit-level on x86 execution so the end result needs to understand that cpu
15:18 < Luke-Jr> petertodd: it's more centralised if it's ASIC unfriendly.
15:19 < petertodd> Luke-Jr: in theory, no, but those 2 to 3 companies are going to be rather unhappy to stop shipping commodity hardware for the sake of screwing over bitcoin
15:20 < petertodd> Luke-Jr: Government has a much harder time telling Samsung "from now on, RAM chips are a controlled good" than "yeah, just no more SHA256d ASICs unless they have the know-your-customer hardware in them"
15:21 < adam3us> this was kocher on something similar (email): "Of the various options for avoiding the "problem" of ASICs outperforming regular CPUs, the obvious option (ala litecoin at least to some degree) is to use a computations that utilize the full resources of a typical PC (e.g., DRAM intensive, use the multiplier a lot, large code image, etc.) This tilts the equation away from dedicated hardware boards, but still favors people who are willing to ha
15:21 < Luke-Jr> petertodd: in all cases where government is the enemy, government wins by default.
15:22 < adam3us> luke-jr: thats why cryptography is good: its an immovable object they cant bend it to their will anymore than redefine pi to 3 (and they tried that too apparently)
15:22 < petertodd> Luke-Jr: right, so lets just give up... that's not a good position, especially when it looks like ASIC-resistant is viable
15:22 < petertodd> adam3us: that kind of thinking seems to often result in over-optimization for PC design now, rather than what it may be in the future; hard-forks are hard!
15:23 < Luke-Jr> petertodd: it doesn't look that way.
15:23 < Luke-Jr> ASIC-resistant is impossible in theory
15:23 < Luke-Jr> you can *always* specialise anything
15:23 < adam3us> luke-jr: " it's more centralised if it's ASIC unfriendly." that is an equally plausible argument - it just depends on how available ASICs are - i think they suffer from market forces where anyone capable of making them mines with them rather than sell (or are incompetent like butterfly)
15:24 < Luke-Jr> adam3us: don't forget that self-mining is inherently competing against yourself
15:24 < petertodd> Luke-Jr: again, ASICs will always be some epsilon better, but we can live with it if the ratio is small - just makes transactions that people want to censor more expensive. 2x or 3x is reasonable, 1000x isn't
15:24 < adam3us> kocher contd: "miners occasionally unearth the right to publish puzzles to other miners (with rewards to those who solve these puzzles, as well as rewards to the puzzle issuer if puzzle solutions are neither too hard nor too easy)."
15:25 < Luke-Jr> selling mining hardware is more economically rational
15:25 < petertodd> Luke-Jr: I pointed out above how FPGAs may already meet that criteria w/ litecoin scrypt, and while assuming FPGAs are available is a weaker anti-censorship assumption, it's not an unreasonable one.
15:26 < adam3us> luke-jr: yes thats true (self-mining compete with self) but I am going to be super-pissed if when my march 2013 ordered miners turn up finally with a difficulty making it hard to recoup $5k spent, that they look burnt in with butterfly "test" keys preinstalled with 6mo of mining on the addresses
15:27 < Luke-Jr> adam3us: I expect the mining landscape to look very different a year from now.
15:27 < petertodd> adam3us: heh, I checked, butterfly hasn't shipped me any hardware that looks like it was tested at all :P
15:28 < adam3us> kocher last: " It'd also be entirely possible to design a new algorithm with extremely ASIC/FPGA-unfriendly elements, such as a gigantic piles of auto-generated code (= and growing faster than FPGAs) that gets changed periodically."
15:29 < adam3us> luke-jr: if the supply problems are smoothed out so anyone can place money and get working efficient 28nm hardware by return of post, I will be very happy as that is a valid (and simpler) solution
15:29 < Luke-Jr> adam3us: one time I pondered a POW that defined the subsequent POW from interpreting its hash a certain way
15:29 < Luke-Jr> adam3us: and the difficulty adjusted between the different POW algos by trying to make them equally rare
15:30 < petertodd> adam3us: fwiw I switched my 65nm outstanding order to 28nm monarchs
15:30 < Luke-Jr> yes, I think 28nm hardware available near cost to ship within a week, is a realistic expectation after difficulty catches up
15:30 < adam3us> luke-jr: the people on bitcoin forum who PM'd me with their 16 AES, 16 SHA3 finalist approach had some idea like the hash to use is derived from hash outputs and things like that
15:31 < adam3us> petertodd: is that butterfly?
15:31 < Luke-Jr> it'd be interesting to try some of these experiments in BFGMiner at some point
15:32 < Luke-Jr> woo, 20 GB of null data deleted XD
15:33 < Luke-Jr> problem is, as soon as anyone implements a new POW, the scammers jump on it
15:36 < adam3us> petertodd: think that is worth doing? I have 130GH ordered (2x 50GH 2x 5GH) and could swap it to 600GH (it's approx the same price) but it'll come later its "only" 4x faster / $ approx and maybe difficulty will jump by that in the period?
15:36 < adam3us> petertodd: they have a comically bad record at not shipping within 6mo-year of when they estimate which is punitive in mining terms with difficulty adjustment at super-moore's law rate
15:36 < petertodd> adam3us: my thinking re: mining is long-term, and 28nm is going to make break-even for longer I think
15:37 < petertodd> adam3us: they have a record of shipping late, but given that I work in the hardware industry I have a lot of sympathy for that :P
15:37 < adam3us> petertodd: well its getting longer term by the day thats for sure
15:37 < petertodd> adam3us: yup, right now 64nm has a payback time of ~1 year
15:37 < Luke-Jr> adam3us: 1 time does not make a record
15:37 < adam3us> petertodd: eg maybe i think it would've paid itself in a month at beginning i dont even know ok 1 year thats long
15:37 < Luke-Jr> unless we're talking in terms of "world record"
15:38 < adam3us> luke-jr: didnt they do that several times? their previous gen people were bitching about too?
15:38 < Luke-Jr> 1 year isn't long for most things
15:38 < Luke-Jr> adam3us: they've always been late, but not 6 months
15:38 < petertodd> adam3us: probably longer in practice. Which FWIW is still very good for most businesses, it's just not the crazy profitability people are used to.
15:38 < Luke-Jr> adam3us: FPGA minirig was only like 1-3 weeks IIRC
15:38 < Luke-Jr> FPGA singles were a month or two IIRC
15:38 < adam3us> well i ordered 17 mar the 50GH singles
15:38 < adam3us> and i havent seen it yet
15:39 < Luke-Jr> yeah, not doubting they screwed up big time with SC
15:39 < Luke-Jr> I'd expect a few weeks for Monarch personally
15:39 < adam3us> no sorry 17 april
15:39 < Luke-Jr> (late)
15:40 < adam3us> luke-jr: they said end of year, that might be ok
15:41 < petertodd> adam3us: oh, I ordered hardware in early march, so you're going to get that soon... but even then I'd still consider going to 28nm
15:41 < petertodd> adam3us: depends on what your cost structure is; I value quiet energy efficient hardware
15:42 < petertodd> Also, I'm not in it expecting to make money... mainly I have hardware because it's useful at times.
15:42 < adam3us> petertodd: their own page is even self-contradictory "However, we aren't shipping anytime soon. This is a Pre-Order product, so if you're uncomfortable waiting an indeterminate length of time for the final phase, do NOT pre-order this product. With that in mind, our current schedule is on track for shipments to begin towards end of year. " and higher up "jan/feb 2014"
15:43 < adam3us> petertodd: i figure for 6mo of the year you're gonna need a space heater anyway in canada, and your electricity is cheap also
15:43 < petertodd> adam3us: just means they don't have the units built and ready to ship - shit happens!
15:44 < petertodd> adam3us: exactly, and my parents live in the far north where the heating season is 8 months of the year
08:22 < jtimon> but they can just use a simple timestamping server that functionally acts as blind signer for the commit
08:23 < adam3us> jtimon: so it seems to me you can use chaum blind cert to have the issuer create you an issuer blind but transferable proof, and traceable proof
08:23 < jtimon> I was under the impression that you couldn't transfer chaumian cash conditionally, but since I was confusing chaumian cash with blind mac...no I'm not sure
08:25 < jtimon> also fellowtraveller confirmed me just that: you cannot atomically trade assets in different servers
08:26 < adam3us> jtimon: the mechanism bitcoin is using to generalize a signature into a script is to augment the verification step in a way that is hashed into the sending address
08:27 < adam3us> jtimon: as the issuer doesnt even see your sending address during the issue process it can be whatever you wish
08:27 < adam3us> jtimon: rather than H(Q) it could be H(y=H(x) and ECDSA(Q))
08:28 < adam3us> jtimon: and i presume your atomic method uses some script referring to cross chain activities that the verifier must monitor
08:29 < jtimon> yes, or just conditional to a centralized timestamper that signs the hash of the tx before expiry
08:29 < adam3us> jtimon: well i think OT does not include an external timestamp maybe it is possible but they did not so far try to explore in that area
08:29 < adam3us> jtimon: so then yes i dont see that a certified blind sig is any different other than there is no coinbase issue, just issuer issue
08:30 < adam3us> jtimon: and the issuer issue is verified by checking the blind certificate signature (and the signature made by the certified key on the transaction)
08:31 < jtimon> and this could be all implemented in a pow chain, no?
08:31 < adam3us> jtimon: after its transferred normal block chain rules apply, unless you aim to refresh the blinding by refresh (redeem and immediately reissue)
08:31 < adam3us> jtimon: i think so
08:31 < adam3us> jtimon: why schnorr blind sig is interesting is that can even use bitcoin style keys with the same curves
08:32 < adam3us> jtimon: i didnt find an efficient simple ecdsa (there is a moderately efficient but ridiculously complex and experimental grade crypto assumption method involving homomorphic addition in damgard-jurik extension to paillier but i would not touch that)
08:33 < adam3us> jtimon: blind schnorr certificate is basically brands certificate with 0 attributes
08:35 < adam3us> jtimon: btw p5 and p6 give the chaum and schnorr blind sig
08:35 < adam3us> http://www.di.ens.fr/~pointche/Documents/Slides/1996_asiacrypt.pdf
08:36 < adam3us> jtimon: i think EC schnorr is probably preferable for size, security etc and compatibility with bitcoin while still a simple protocol with no hard to implement crypto
08:36 < adam3us> jtimon: eg you need 3072 bit blind RSA for same security as 256-bit blind EC schnorr
08:38 < adam3us> jtimon: also i propose generally bitcoin should add schnorr as a new signature type, because it has many flexibility, space and performance improvements in addition to supporting simple blinding where ECDSA does none of those things
08:39 < jtimon> so functionally this would allow secure off-chain transfers in addition to in-chain conditional transfers, no?
08:40 < adam3us> jtimon: i think it should allow everything you can do with non-blind sigs, though i am not sure how the security of your off-chain transfer works
08:41 < adam3us> jtimon: btw with brands credentials you can do "secure" offline transaction even (where the double spender is later detected and loses their anonymity) probably of limited use in a "trust no one" model but interesting property
08:42 < jtimon> in freimarkets off-chain transfers are just transfers in "private chains", you have to trust the accountant
08:42 < adam3us> jtimon: guess it should work then. is the issuer also the accountant/transaction server?
08:43 < jtimon> if you trade assets in different private servers, you make the whole transaction conditional to a 3rd party centralized timestamp or to a transaction in a public chain before block Exp
08:43 < adam3us> jtimon: makes sense
08:46 < jtimon> I definitely need to study chaumian cash better
08:46 < jtimon> thank you
08:46 < jtimon> I'm going to eat now
08:47 < adam3us> try out the credlib library
08:47 < adam3us> the api is optimized for simplicity
08:47 < adam3us> there is an example program
08:47 < adam3us> using either chaum or brands
08:48 < adam3us> think of blind schnorr as basically brands with 0 attributes
08:48 < adam3us> http://www.cypherspace.org/credlib/
09:01 < adam3us> btw i lied and it seems i didnt actually get around to implement chaum credential support in credlib, though i was thinking of it, its been a few years since i worked on it so forgot status -- you need to replace the serial in libchaum.c with hash of your public key, or script hash
09:03 < adam3us> there are chaum signatures/cash but not chaum credential
(were you can sign with the key certified in the credential) see above change 12:12 < michagogo|cloud> 01:49:09 <gmaxwell> (the closest I could find was ILS but it was fixed to the israel lira, which was fixed to the ukp, which was fixed to the usd (!), which was previously fixed to gold) 12:12 < michagogo|cloud> IIRC, it's slightly more complicated -- you had the Lira, which started as fixed to the GBP, but was unfixed at some point, then that became the Shekel, 10 Liras to 1 Shekel, and then the Shekel became the New Shekel, usually referred to as NIS here in Israel, but the currency code (ISO?) is ILS 12:13 < michagogo|cloud> 04:39:54 <gmaxwell> what a mess.. you hardware fractionalized and sold to people with no control over it.. who then mine at a single enormous pool which is full of these miners that can't vote with their feet. 12:13 < michagogo|cloud> IIRC, they can sort of vote with their feet -- I think I remember reading that if you have a certain number of GH/s credits on cex.io, you can "redeem" them and they'll ship you an equivalent miner 12:13 < michagogo|cloud> 05:21:57 <petertodd> double-spend warnings are going to make this really interesting given that gavin's planning on implementing them by broadcasting the whole tx 12:13 < michagogo|cloud> Hmm, I hadn't heard about that -- where can I find more information? 12:15 < petertodd> michagogo|cloud: IRC logs 12:15 < petertodd> #bitcoin-dev IIRC 12:15 < michagogo|cloud> Got a timestamp? 
12:15 < michagogo|cloud> Well, if not -dev, then no accessible-to-me logs
12:16 < sipa> i think it was here
12:17 < petertodd> #bitcoin-wizards actually, 13-11-01
12:17 < michagogo|cloud> In that case, there aren't public logs
12:17 < michagogo|cloud> (or, shouldn't be according to freenode policy, since there's no link in the topic or join message)
12:18 < petertodd> well anyway, it's not rocket surgery: to prove a double-spend you have to relay the whole tx, so gavin wants to add code to relay the first double-spend seen for every tx in the mempool
12:19 < petertodd> ...which makes bandwidth DoS attacks hundreds of times cheaper in the best case
12:20 < michagogo|cloud> Hmm? Hundreds of times?
12:20 < michagogo|cloud> Why not twice?
12:20 * michagogo|cloud is sure he's overlooking something
12:20 < petertodd> yup, basically the double-spend could be a 100K transaction, while the original was just ~200 bytes or something
12:20 < sipa> and you only pay for the one that gets merged
12:20 < michagogo|cloud> Oh, right
12:20 < michagogo|cloud> of course.
12:21 < petertodd> yup. Beats me why gavin doesn't understand that, but whatever.
12:21 < michagogo|cloud> What are his counter-arguments?
12:21 < petertodd> He didn't have any.
12:21 < michagogo|cloud> Also: I assume he'd leave the "mine the first one you saw" rule?
12:21 < petertodd> yup
12:21 < petertodd> anyway, what's nifty about that, is it makes adopting replace-by-fee really easy for miners - no need to find peers that use that rule
12:22 < petertodd> heck, because the double-spend will be checked fully, the signatures might even be in the sigcache...
12:22 < michagogo|cloud> What's the sigcache?
12:23 < petertodd> just a cache of checked signatures - makes tx validation, and hence block validation, go faster
12:23 < michagogo|cloud> And yeah, sure -- there are plenty of reasons that relaying double-spends would be a good thing
12:24 < petertodd> I'm pretty dubious about the DoS potential - lots of fun things you could do with strategically slowing down propagation.
12:24 < michagogo|cloud> Ah, so if a transaction is relayed, the sig will be cached as valid, so that when it makes it into a block the sig won't need to be verified again?
12:24 < petertodd> Equally though, if you reduce the priority of double-spend notifications, then you can DoS to get away with a double-spend...
12:24 < petertodd> michagogo|cloud: correct
12:25 < michagogo|cloud> Yeah, the DoS is definitely problematic -- what about restricting the size of the double-spend relative to the original?
12:25 < michagogo|cloud> Or the fee, or the fee/kB?
12:25 < petertodd> The only way to do that is to restrict the size of transactions in general.
12:26 < petertodd> If you restrict by fee, then the value of the notification is lost. (unless miners adopt replace-by-fee semantics!)
12:26 < michagogo|cloud> What's wrong with "don't relay a double-spend more than X times the size of the original"?
12:26 < michagogo|cloud> Oh, I see
12:26 < petertodd> heh
12:26 < michagogo|cloud> I was just thinking about it in terms of replace-by-fee
12:26 < petertodd> Reality is, zero-conf is dangerous and we're stupid to try to do anything about that.
12:26 < michagogo|cloud> Right, there's also the "warn the merchant" use case
12:27 < michagogo|cloud> I disagree with the last part
12:27 < petertodd> Now see, *with* replace-by-fee it does make sense to relay double-spends with identical fee-per-kb to warn merchants, but that's it.
12:27 < petertodd> (that lets them use scorched-earth properly)
16:30 < amiller> in fact if the input space is bounded, as is the case with bitcoin, there's a nonzero chance that there's *no solution* and the blocks are jammed
16:31 < amiller> this doesn't matter because there's less chance of that happening than finding a collision
16:31 < amiller> a design requirement it's important that the nonce + merkle root range is sufficiently large that is very unlikely to happen
16:33 < amiller> this basically just fits into my point that there's no existing definition for "proof-of-work" that actually describes what's important for bitcoin
16:34 < amiller> the more important point is that if t is the number of steps needed to find a solution with probability 1 or nearly 1 or whatever, even taking just a small number steps should give you a solution with approximately probability 1/t
16:34 < amiller> that's the main thing that's obviously essential for bitcoin and *isn't even close* to part of anyones definition of proof-of-work
16:36 < gmaxwell> its interesting that you mention it, there was a nice argument with adam back on the forum where he was arguing that bitcoin should be using a proof of work scheme which had cumulative small work
16:37 < gmaxwell> and people arguing that it wouldn't work for bitcoin, basically because it actually broke up the stochastic lottery behavior and that we actually need it.
16:40 < amiller> yeah, there's lots of papers with "perfect proof of work" puzzles that take exactly t units to solve and any less has zero chance of success, and that's obviously no good
16:40 < amiller> it shouldn't be hard to modify the definition so that it's like
16:41 < amiller> you put in t units of work, you get.... well the equivalent of t lotto chances, binomial distribution, whatever
16:41 < amiller> subdivided down to whatever asymptotically small little chunk
--- Log closed Sat Sep 21 00:00:01 2013
--- Log opened Sat Sep 21 00:00:01 2013
16:37 < gmaxwell> http://www.smbc-comics.com/?id=3119#comic "Use one-time signatures"
17:41 < gmaxwell> amiller: Can you help me understand why these extractability assumptions are required for 1-round and public verifier NP argument systems? Why is it not sufficient to just argue that compromising these systems requires finding a collision for the one way hashes (for public verifiable, and PIR 1 round) or breaking the PIR privacy (for the PIR ones).
17:42 < amiller> gmaxwell, the extractability argument is the only commonly-accepted way of defining what it means to "find" a collision
17:42 < amiller> the point is that it rules out obfuscation
17:43 < amiller> if you could obfuscate the hash function then you could do something that's "like" finding a hash collision, but the hash collision is hidden, and since it's obfuscated you can't get it out, so is it really even there
17:47 < gmaxwell> I guess I'm missing how it connects. Say I have a PCP system for my NP language which is complete, and with X queries is exponentially unlikely to accept falsely. I construct a hash tree over it, and I use the hashroot to select a random verifier. Which runs, checks its X points and accepts. So this should be computationally sound for some X, as the prover would have to do retries exponential in X to get false acceptance.
17:48 < gmaxwell> So I don't see where I need to invoke anything stronger than the collision resistance of the hash function to make this work.
17:51 < gmaxwell> (also, as an aside, I don't really get the focus on delegated computation: any of these schemes have an effort blowup of far beyond 2x for the prover, if I don't trust my cloud provider I can just run my computation N times on N providers. :P all the real applications I can think of for designated validator don't really need succinctness in the validation. ... succinctness is interesting in the publicly verified cases simply ...
17:51 < gmaxwell> ... because the verification will be done many times)
18:16 < amiller> gmaxwell, i'm pretty sure there are some pcp schemes for NP that are 1 round and only rely on collision resistance, and aren't succinct
18:17 < amiller> hm, i'm not sure actually, maybe that's not possible except with 2 rounds
18:17 < amiller> i know that a big thing in this area are the impossibility proofs that show that something like an extractability assumption has to exist
18:18 < gmaxwell> Yes, I've seen that mentioned but don't understand why. A bunch of stuff is also about the PIR-based 1-round systems, which I don't give a shit about because they're designated verifier. (though I think the idea of using PIR to do compression of a PCP is pretty cool)
18:19 < gmaxwell> amiller: but intuitively, you have some PCP system where X random queries on it make it sound. You commit to it. Then the verifier does his X random queries checking the hashtree to make sure the prover can't adapt. There you have a sound two round system.
18:21 < gmaxwell> If you replace the verifier's randomness with some function on the hash root, then a cheating prover can only reduce the soundness by whatever amount he can iterate, assuming the hash function is strong. And since the PCP system's soundness is exponential in the number of queries, adding a few more queries should be enough to achieve soundness against a computationally bounded prover.
18:21 < gmaxwell> So obviously I'm missing something but I'm not sure what.
18:24 < gmaxwell> Wading through papers is somewhat slow because I don't have a huge background in this field, and because I don't care about the succinct designated verifier stuff much, and it's like 3/4 of the papers. (since for bitcoin we either need public verification (e.g. for script or for bitcoin itself), or for things like my contingent payment protocol, we can have a designated verifier, but we don't care if its succinct)
18:25 < warren> I didn't vote in the election yet.
18:25 < warren> Any thoughts?
18:33 < amiller> you really need succinct public verification don't you
18:34 < amiller> i mean, designated verifier is almost always easier
18:36 < gmaxwell> Right. We need reasonably succinct public verification (secure against verifier oracle, in particular, though if push came to shove we can do a quasi-two-round public verification) for using this stuff for script, or for validating bitcoin itself.
18:37 < gmaxwell> (quasi-two-round: in some schemes we could reduce the size for a given soundness by using future block hashes for a committed proof to throw away part of the proof)
18:39 < gmaxwell> And yea, designated verifier is easier. I was just commenting that for the applications I have for designated verifier, I don't really give a crap about succinctness, except in so far that succinctness also seems to make it easier to be confident about zero knowledge for the cases where that matters. I think the whole delegated computing idea is kinda dull.
18:40 < gmaxwell> warren: did you listen to / read the debate with the finalists?
18:41 < warren> gmaxwell: I missed that, searching
18:42 < amiller> gmaxwell, well this is the paper associated with that impossibility proof http://eprint.iacr.org/2010/610.pdf
18:42 < amiller> i don't understand it at any deep level though
18:43 < petertodd> gmaxwell: re: wealth: just make sure you use the right isotope
18:43 < gmaxwell> amiller: ah, thank you!
18:43 < gmaxwell> I note right away:
18:43 < gmaxwell> "The work of [Mic94] showed that such arguments can also be made fully non-interactive in the random-oracle
18:43 < gmaxwell> model. However, this leaves the question whether succinct non-interactive arguments (SNARGs) may exist in the standard
18:43 < gmaxwell> model."
18:44 < gmaxwell> Mic94 is the one that described the PCP scheme above where the commitment is the verifiers randomness. What a slog of a read that paper is.. its like 30 pages just to get to that simple system. :P
18:44 < gmaxwell> So perhaps this is all just not wanting to depend on the random-oracle model? pfft.
18:44 < amiller> yes definitely
18:44 < amiller> okay so the extractability stuff
18:44 < amiller> is strictly weaker than a random oracle
18:45 < amiller> collision resistant hash -> extractable hash -> random oracle
18:46 < gmaxwell> Considering that practically all digital signature algorithms in industry deployment have proofs that depend on random oracle, though ones that don't exist I am suddenly less concerned.
18:46 < amiller> the hope is that something like extractability is a more limited assumption and maybe something satisfies it
18:47 < amiller> so when it comes to building security proofs of these things
18:47 < amiller> basically if you know a thing is extractable
18:48 < gmaxwell> I've read the paper that shows that things which are semantically secure under random oracle are not necessarily secure under _any_ realizable scheme but I felt it was pretty contrived. I guess the thing that I was missing was just that extractable was supposed to be a more limited assumption than random oracle.
18:48 < amiller> then you get to say, suppose any arbitrary adversary produces a valid proof, then i can run an extractor on that adversary that produces the actual hash collision, and that extractor is only polynomially than the original adversary itself
18:48 < amiller> for a proof with the random oracle, you basically get to look at the oracle queries directly
18:50 < amiller> so logically it's almost as good, except that the extractor can get really big if you apply extractability over and over again to work backwards
18:50 < amiller> so extractability sucks, basically
18:50 < amiller> it's the worst of both worlds
18:50 < amiller> it turns what would be simple in the random oracle world into a really frustrating counting argument that doesn't seem to even increase security
18:51 < amiller> but it's still a really strong assumption anyway and non-falsifiable etc etc
18:54 < gmaxwell> amiller: thanks. Okay, I both understand this better now, and realize that I previously understood more of it than I thought.
19:50 < gmaxwell> Hm. I wonder if it's possible to get mintchip to do a hashlocked transaction.
19:50 < gmaxwell> If it could you could do secure btc/mintchip.
19:52 < phantomcircuit> gmaxwell, secure ish
19:53 < gmaxwell> well unless it could do timelock you'd have holdup risk.
23:27 < gmaxwell> In which I attempt a trustlessness smackdown: https://bitcointalk.org/index.php?topic=355016.msg3802226#msg3802226
--- Log closed Tue Dec 03 00:00:27 2013
--- Log opened Tue Dec 03 00:00:27 2013
00:08 < cork2> hey
00:15 < cork2> o________0
00:17 < Mike_B> gmaxwell: that's a very good post
00:25 < cork2> so how do I go about integrating a simple game to make a new alt coin
00:25 < Mike_B> has anyone in here looked carefully at the ripple architecture?
00:25 < Mike_B> i'm very interested in how consensus works vs proof of work
00:25 < Mike_B> i'm curious if it's possible to come up with the same sort of system but that doesn't require XRP and all that
00:29 < pigeons> Mike_B: probably not. The knock I've seen from people like amiller is that it may not work despite XRP
00:29 < pigeons> XRP is just an anti-abuse mechanism, not a part of the ripple consensus process
00:30 < Mike_B> well, a few things
00:30 < amiller> i've started trying to give ripple a thorough analysis with sample code experiments and such
00:30 < Mike_B> 1) i'm trying to figure out if XRP is really necessary to prevent abuse in the consensus process. i doubt it; seems like they shoehorned it in
00:30 < Mike_B> 2) are you saying consensus itself is broken? if so, how?
00:31 < pigeons> its not to prevent abuse in the consensus process, its to prevent abuse of shared resources like ledger space and transaction capacity
00:31 < amiller> i'm really sure the consensus system is broken and totally preposterous
00:32 < amiller> it's not so much that it's broken, but that it only works under extremely optimistic conditions, which specifically amount in this case to "everyone uses the official validators list"
00:33 < gwillen> I am not sure the consensus system is preposterous
00:33 < gmaxwell> Mike_B: https://bitcointalk.org/index.php?topic=144471.0
00:33 < gwillen> but it's not clear they will ever switch to using the consensus system
00:33 < gwillen> from what they have right now, which is purely centralized
00:34 < amiller> they are "using" the consensus system
00:34 < amiller> it's implemented in their code, they're running the code
00:34 < gmaxwell> Mike_B: read more than just the initial message I answered my own question and had a nice debate about their consensus system with one of their main developers.
00:34 < gwillen> can we just come up with a scheme to merge-mine an old-ripple-like consensus system into bitcoin
00:34 < gwillen> and then use that to kill off new-ripple by outcompeting it
00:34 < gmaxwell> gwillen: there is no need to have a consensus system for ripple!
00:34 < gwillen> er, old-ripple-like system, rather
00:34 < amiller> gwillen, that sounds reasonable to me
00:34 < gmaxwell> that was part of the attraction, the need for consensus was minimal to none.
00:34 < Mike_B> pigeons: how does bitcoin not have the same issue? transaction fees? i don't understand that
00:35 < amiller> gwillen, that's essentially what "Freimarkets" is
00:35 < gwillen> gmaxwell: well, the old ripple was purely centralized
00:35 < Mike_B> gmaxwell: thanks, i'll read
00:35 < gwillen> gmaxwell: I guess it's true that you do only need local knowledge of balances for the most part
00:35 < gwillen> gmaxwell: so you should be able to design a system that doesn't need centralization or consensus
00:35 < gmaxwell> gwillen: right, route finding doesn't need to be consistent, and the actual transaction only needs to involve the involved parties.
00:35 < gwillen> hmmm.
00:36 < gwillen> you do sort of want the actual transaction to be atomic
00:36 < amiller> i don't think you're right about the transaction only involving the involved parties
00:36 < gwillen> that might require some sort of commitment mechanism
00:36 < pigeons> gwillen: the ideas like that were here http://archive.ripple-project.org/Protocol/Protocol?from=Protocol.Index
00:36 < gwillen> if you don't care about atomicity then it doesn't really need one
00:36 < amiller> the whole point is you can change the ledgers of people who aren't online
00:36 < gmaxwell> gwillen: yes, the atomic kill is the complicated part.
00:36 < gmaxwell> amiller: then you could still have distributed 'proxies' who can play your role when you are not online, but again without requiring a global consensus.
00:37 < amiller> i'm pretty sure there's a good use for global (or at least somewhat larger scale) consensus even with that but what you're suggesting is still reasonable for the most part
00:37 < gmaxwell> gwillen: the atomic part is being able to unwind a transaction which has only partially completed.
00:38 < gmaxwell> amiller: I'm not saying you couldn't add one, but adding one makes scaling fundamentally harder. Global consensus should be avoided where its at all possible to do so.
00:39 < gmaxwell> gwillen: e.g. you're flowing credit alice -> bob -> carol -> sue and before it's established carol goes offline. And now you need to unwind the alice -> bob reservation in order to setup a new path to sue.
00:41 < gwillen> gmaxwell: I guess you don't really need any atomic primitives for that.
00:41 < gwillen> local atomicity of operations on the links is fine
00:43 < pigeons> aw too bad jtimon isnt on at the moment, he had an interesting proposal for ripple transaction processing "2 phase commit model" or something
00:43 < gmaxwell> gwillen: it's somewhat tricky. So you're tearing down alice -> bob but then carol comes back online
00:44 < gmaxwell> It's solvable, I mean if its solvable globally its certainly solvable locally.
00:44 < gwillen> gmaxwell: at any given moment there is some participant who is 'furthest along' in the chain, and they know whether they are currently setting up or aborting
00:44 < gwillen> so it seems pretty doable
00:44 < amiller> i think that's a really bad solution
00:44 < amiller> i guess someone should implement it that way first, at least it's decentralized
00:45 < gmaxwell> Having to back it out the opposite way is somewhat inefficient.
00:45 < amiller> you basically get all your liquidity tied up in trades that aren't likely to complete
00:45 < gmaxwell> But yea, workable.
00:45 < Mike_B> phew, this is a very large thread
00:45 < gwillen> but yeah, offline functioning would be nice
00:45 < amiller> you also get people able to lie when they offer exchanges
00:45 < Mike_B> i'll read the whole thing before asking more questions
00:45 < gwillen> and since we have this distributed consensus ledger right here
00:45 < gwillen> seems like we might as well use it ;-)
00:45 < amiller> in other words if i offer to exchange 1 of your IOUs for any 1.5 of someone else's, i shouldn't be able to cause those trades to abort
00:46 < gmaxwell> amiller: hm? you can be reasonably confident that it's likely to complete.. and if someone lies you should be able to prove it.
00:46 < amiller> that's the advantage of having the orders committed into the ledger where they can be executed automatically
00:46 < amiller> no way you definitely can't prove it
00:46 < gwillen> yeah, I was mostly thinking of old-ripple
00:46 < gwillen> the trades and stuff in new-ripple require more machinery
00:46 < amiller> old ripple always involved trades
00:46 < amiller> you would set up a willingness to exchange one IOU for another
00:46 < amiller> maybe old ripple never actually had that :/
00:46 < gmaxwell> amiller: yea great, except when there isn't room in the ledger.
00:47 < amiller> you don't necessarily need a huge ledger
00:47 < gmaxwell> amiller: did old ripple have you only do trades against XRP to avoid the N^2 problem? but also thereby letting anyone with a trillion xrp walk away with all the IOUs? :P
00:47 < gwillen> old ripple didn't have XRP, or trades, or currencies
00:48 < amiller> no it didn't, but current ripple actually has that functionality implemented correctly in their api
00:48 < gwillen> under old ripple, everybody issued their own IOUs that were all pegged to USD
00:48 < gwillen> old ripple was more or less entirely unlike new ripple, really
00:48 < pigeons> you don't have to trade against XRP in new ripple
00:48 < amiller> whether their web front end presents that to the user is kind of different, and i don't think they made the wrong decision there necessarily
00:48 < amiller> they've done a thoroughly good job on the api, it's only the *whole underlying consensus mechanism* that doesn't work
00:48 < gmaxwell> pigeons: IIRC when I looked at some of their prerelease code all trade was really against xrp on the backend.
00:49 < pigeons> gmaxwell: it isnt
00:49 < pigeons> i construct my own paths
00:49 < gmaxwell> interesting. Is there actually enough usage of it that thats workable now?
00:50 < pigeons> recently they like to push that "hey you can just trade against XRP so you don't have to worry about all the combinations of pairs" but you can construct paths just as well that dont use XRP, and the pathfinding doesnt give preference to XRP
00:50 < pigeons> well enough usage is kind of subjective, but you can get rather large complicated paths now
00:51 < amiller> pigeons, you should make a walk through of this somehow, like a forum post
00:51 < pigeons> they've improved the server pathfinding engine a lot finally but you can implement your own and submit your own paths to be executed
00:51 < amiller> i don't think anyone else is using it or knows how
00:51 < pigeons> right but then they would do the arbitrage trades i'm doing
00:52 < pigeons> but look at the ripple_path_find api, and kind of chain and brute force it to every issuer the destination accepts
00:52 < pigeons> and every currency code
00:52 < pigeons> let me ask if i can share my friend's custom client with you
19:48 < petertodd> gmaxwell: ah, well that's a better argument come to think of it.
19:49 < petertodd> gmaxwell: although like I say, for the KDF use-case you might as well just make a whole bunch of them, targeted to specific cpu's
19:49 < petertodd> gmaxwell: use whatever one the user happens to have
19:50 < petertodd> gmaxwell: and... might as well make it memory-hard too, and get that extra 20W
19:52 < gmaxwell> petertodd: the premise under scrypt is really two fold: memory technology is uniform decreasing the attackers advantage, and that computers have a lot of gates as memory. Counter arguments are that once you are talking about power memory for a cracker might not be as uniform as thought, and when talking about power a computer doesn't actually have that much memory.
19:54 < petertodd> gmaxwell: yes, I'm not claiming that's a good premise, I'm claiming that in the case of a KDF *because* you have so much algorithm agility (make it a library!) optimal is to use a per-cpu-arch algorithm like your suggestion and make it depend on memory as well
19:54 < petertodd> gmaxwell: which means the salsa20 core in scrypt probably should be replaced by a series of algorithms that do well on simd
19:55 < petertodd> gmaxwell: dunno if you noticed but I did change my mind there :P
19:55 < gmaxwell> yea, sure, I don't think anything I've argued suggests that using memory is terrible, just that it may not be as automatically good as it seemed.
19:55 < petertodd> anyway, my *main* argument is that neither of us knows much about digital logic technology so...
19:56 < gmaxwell> sort of troubling that it seems no one has explored the energy cost angle on this. :-/
19:56 < gmaxwell> would be ironic if the recommended scrypt parameters lowered attack costs.
19:57 < petertodd> meh, wouldn't be the first time
20:46 < phantomcircuit> huh that's interesting
20:46 < phantomcircuit> gmaxwell, i think cex.io moved all their hardware
20:47 < gmaxwell> phantomcircuit: interesting!
22:38 < _ingsoc> Does anyone remember that guy who talked about rewarding miners for putting energy into the grid?
22:45 < justanotheruser> _ingsoc: seems interesting, but not sure how you can prove you put energy into the grid
22:47 < _ingsoc> That was the problem if I remember correctly, needed some physical layer.
--- Log closed Thu Jan 23 00:00:53 2014
--- Log opened Thu Jan 23 00:00:53 2014
04:27 < _ingsoc> So, get a hold of this Ethereum!
04:27 < _ingsoc> Thoughts?
07:32 < gmaxwell> adam3us: schnorr multisignature seems to be naturally sidechannel busting.
07:32 < gmaxwell> adam3us: e.g. you do 2-of-2 with the hardware wallet signing first... and the final R,S could be anything.
07:33 < gmaxwell> and avoids the other complexities with the device knowing what its signing when the signature is blind.
07:33 < adam3us> gmaxwell: yes. i mentioned two variants of the wallet observer thing on https://bitcointalk.org/index.php?topic=428494.new#new
07:34 < adam3us> gmaxwell: the basic one that brands talks about uses blind sig so the wallet has no subliminal channel
07:34 < adam3us> gmaxwell: but using brands ZKP issuing protocol, you can also prove to the wallet what it is blind signing, so it can show it on screen for approval with a hw wallet with screen like trezor, and STILL not have a subliminal channel
07:35 < adam3us> gmaxwell: i'm sure brands covered that somewhere in his thesis, the guy is exhaustively inventive.
07:36 < adam3us> gmaxwell: but yeah the subliminal channel freedom is beautiful thing to have as a building block
07:37 < gmaxwell> adam3us: Right but I believe that a regular 2 of 2 threshold signature has the same sidechannel elimination effect without requiring the ZKP proof of what its signing.
07:38 < adam3us> gmaxwell: ah gotcha. yes that appears to be true also :) and nice and simple
07:52 < adam3us> gmaxwell: btw other than adding cc other authors, about the private key issue, another step could be to make an ID / RFC on EdDSA as a complement to the safe curve focused ID that Watson Ladd on IRTF CFRG is doing. i think the lowest 3 bits=0 is just an optimization, I dont immediately see why that cant be removed and multiply by 8 somewhere in the verification relation, and the bit 254 I think is just defensiveness
07:53 < adam3us> gmaxwell: ie bit 254 is not necessary for security, just that the montgomery ladder start at bit 254 whether its 0 or 1 to avoid a timing side-channel. thats all if anyone had time/energy for an RFC process but it would be a natural way to extract feedback from the algorithm authors
12:25 < jtimon> maaku, what if we start with the private chains? http://freicoin.freeforums.org/freimarkets-t717.html#p6913
12:25 < jtimon> not sure if wrong forum or not...I'll say the same on #freicoin just in case
14:12 < petertodd> lol twister: https://groups.google.com/d/msg/twister-dev/h2ukT1msggc/Jbh-UPYPGiIJ
14:12 < petertodd> "May someone suggest a good free captcha generator for text that is OCR
14:12 < petertodd> resistant?"
14:12 < petertodd> apparently they have a namesquatting problem...
14:13 < petertodd> they also have implemented ripple-style soft-consensus to prevent rewrite attacks
14:13 < gmaxwell> uh.. how does that work with anonymous participation?
14:14 < petertodd> good question!
14:14 < petertodd> that's the lead dev suggesting that!
14:15 < petertodd> they don't even use namecoin-style two-stage commit-reveal, so an attacker can watch the network for new name registrations and register all new names for themselves
14:15 < gmaxwell> lol
14:16 < Luke-Jr> facepalm
14:16 < petertodd> I almost want to fire up some ec2 instances and 51% the network with empty blocks just to see how they'll react - it's a social experiment at this point
14:17 < Luke-Jr> I think I like how with namecoin, if two people register the same name concurrently, both lose their coins ;)
14:17 < gmaxwell> I take it this isn't merged mined?
14:17 < petertodd> gmaxwell: nope
14:17 < gmaxwell> sha256 pow?
14:17 < petertodd> gmaxwell: and they changed the block header so standard scryptminers don't work, but with some effort you can still modify litecoin scrypt miners to mine it
14:18 < gmaxwell> ah. scrypt.
14:18 < petertodd> gmaxwell: they added CBlockHeader.nHeight
14:18 < gmaxwell> and just made the header a bit longer or?
14:18 < petertodd> but they left nVersion=2 and the supermajority code in for nVersion=2!
14:18 < petertodd> gmaxwell: yup
14:18 < gmaxwell> that probably actually won't break the gridseed asics, the work generator is apparently microcoded.
14:18 < petertodd> gmaxwell: I haven't looked into how hard it'd be to adapt a scrypt miner to that 14:19 < petertodd> gmaxwell: oh nice! 14:19 < gmaxwell> (they have an on chip work generator and increment logic which is apparently all microcoded) 14:20 < petertodd> gmaxwell: amir was trying to convince them to just use namecoin 14:21 < gmaxwell> namecoin codebase is nearly unmaintained. :( 14:21 < petertodd> twister codebase is worse than unmaintained 14:23 < gmaxwell> hopefully once scrypt mining asics exist in large enough quantities to have driven everyone off gpu mining people will go back to making merged mined things. 14:23 < petertodd> meh, merge-mining is no perfect solution either - just makes it easy to be attacked early on 14:24 < gmaxwell> petertodd: changes who can attack, for something which isn't compeating with bitcoin it's probably fine. 14:24 < petertodd> gmaxwell: you can be in trouble by competing with another merge-mined system you realize... 14:25 < gmaxwell> perhaps, but it's not clearcut. if 60% of your hashrate is really bitcoin miners who totally don't give a shit about any of these things attacking becomes hard. 14:25 < gavinandresen> gmaxwell: I think scrypt mining asics will just drive people to a wakier-proof-of-work-coin (Quark maybe). 14:26 < petertodd> gmaxwell: easy to start offering people >100% paying shares to quickly buy hashing power for an attack 14:26 < gmaxwell> gavinandresen: Thats a point! "DDD coin's Proof Of Work involves ringing peoples doorbells and running." 14:27 < gavinandresen> gmaxwell: lol 14:33 < petertodd> gmaxwell: anyway, I think I've got my "tree-chains" concept in decent shape: blockchian is a sharded tree, each node in the tree has left and right leaves that are half the difficulty of the parent node/chain. have participants have consensus about the contents of the blocks in the parent chain, and the blockheaders for left and right. 
the rule for left and right child chains is that full-diff PoW solution "locks" the order of the chain, so ... 14:33 < petertodd> ... re-ordering takes 51% with respect to the parent work. However contents are subject to 25% majority. You solve the "lost-data" problem by allowing the mining of a challenge - a tx that you want to see mined - and that tx must either be proved to be not minable (e.g. succinct MMR TXO) or prove that the tx was mined. If nothing happens, eventually the child chain can be re-orged. 14:34 < petertodd> Security guarantees are resistant to 50% attack for re-ordering transactions, 25% for censorship - however you can pay higher fees/work to force a tx to get mined. Done recursively you *will* get to the point where the PoW effort is too low to be secure, but at least that's an adjustable parameter. 14:34 < petertodd> It looks like merge-mining in a sense, but the challenge rule improves the security guarantees. 14:35 < petertodd> Dunno yet how you'd spend coins from one multi-level deep child chain to a different one - easy to think of cases where you allow inflation attacks. 14:37 < petertodd> gmaxwell: Note how all this is easiest to think about with per-tx work - IE one block == one tx. Also easiest to think about it in practice as a token transafer system - how you'd use it with unrestricted values is an interesting question given the inflation issue. 17:17 < arbart> what is the state of the art of enabling microtransactions? 17:37 < gmaxwell> no I mean, you're not supposted to give away any keys at all. and its pointless to do so, and I was pointing out that it was pointless to do so. 17:40 < michagogo|cloud> Oh 17:40 < michagogo|cloud> Ah, I see. 17:41 < michagogo|cloud> You were saying that the channel is non-transferable because even if you did give me your private key it wouldn't prove anything? 17:42 < gmaxwell> right, the _authentication_ is non-transferable. 
It convinces me, but not anyone else even if I give them everything I know. 17:42 < michagogo|cloud> Right, since you can't prove that you didn't create this message, only you can know for a fact that that's the case 17:43 < gmaxwell> yea, it's even stronger than that though a ring signature gets you that too. e.g. either X or Y created the message (assuming X and Y kept their private keys private) 17:43 < michagogo|cloud> (well, I guess you could if you get into the realm of trusted hardware, e.g. a device that generates a key and logs everything done with it) 17:43 < michagogo|cloud> Or is that not the case? 17:44 < gmaxwell> with a auth via ECDH the message is the same as plaintext. 17:44 < andytoshi> i think this notion of "non-transitive information" is one of the weirder things to come out of modern cryptography 17:45 < gmaxwell> even with trusted hardware because you can't even verify anything at all without one of the private keys. 17:45 < michagogo|cloud> (As you may have noticed, I know ~nothing-very little about cryptography 17:45 < michagogo|cloud> ) 17:51 < gmaxwell> andytoshi: well it's usually the color of the bits which is non-transitive rather than the information itself. 17:53 < andytoshi> gmaxwell: well, i can prove to you in zero knowledge that (say) i have a 3-coloring of a graph, and therefore that such a coloring exists 17:53 < andytoshi> and the existence of a coloring is a "solid" bit of information 17:53 < gmaxwell> different definition of 'color'. 17:54 < gmaxwell> required reading if you have not read: http://ansuz.sooke.bc.ca/entry/23 17:54 < andytoshi> hmm, yeah. 17:54 < andytoshi> i have indeed, a very useful article 18:00 < andytoshi> i'm not convinced that the existence of a 3-coloring is merely color though. it is a color on the bits of the actual coloring, sure, but the original graph is public knowledge and the fact of whether or not it is 3-colorable constitutes real context-independent information about it. 
18:01 < gmaxwell> hm. you're right. 18:01 < gmaxwell> if we have a NIZK proof that the 3-coloring exists we clearly have information (1 bit, if your prior was uniform!) 18:02 < gmaxwell> and if we are the verifier in an interactive protocol, then we clearly have 1 bit too, because its exactly the same as the prior case. 18:02 < gmaxwell> but if we are not the designated verifier, then we know nothing at all. 18:02 < gmaxwell> And thats weird. 18:04 < andytoshi> very. and we are deriving this bit of real information (the graph has a coloring) from the color of the 3-coloring (which the prover has but verifier doesn't). so there is also a sort of level-crossing between meta-information and information, and we see in eg the goedel theorem that this level-crossing leads into all sorts of Weird Things happening 18:05 < andytoshi> ordinarily these kind of comments are just philosophical masturbation but with bitcoin we are assigning actual value to information and this blurring of categorical boundaries might have actual implications for how we ought to think about it 18:06 < gmaxwell> warning wank field detected. 18:06 < andytoshi> that's a really vague thing to say, sorry, i'm just spitballing 18:06 < gmaxwell> ;P 18:06 < gmaxwell> hehe 18:06 < andytoshi> :P 18:07 < gmaxwell> nah no need to apologize, I find myself contemplating interesthing things like that often and thinking "hm this really should have some deeper consequence" but it often doesn't have any I can find. 18:07 < jron> gmaxwell: thank you for posting the hearing cap. 18:07 < nsh> and cloak of comprehension 18:19 < helo> gmaxwell: you're going to be one of the panelists tomorrow in NY, right? 18:20 < helo> otherwise there's no way we can make up for the litecoin "creator" 18:22 < jtimon> I read he said in miami that some people call him "satoshi lite"...still eager to watch his intervention... 18:23 * andytoshi would never be so vain as to take satoshi's name.. 
18:24 < sipa> recently a colleague asked me whether i was satoshi 18:24 < sipa> perhaps i shouldn't have answered in japanese 18:25 < brisque> andytoshi: that your nick is an anagram of satoshi is not a coincidence? 18:25 < sipa> anagram? 18:25 < c0rw1n> magarna 18:25 < gmaxwell> Ohayou asadimaska 18:26 < sipa> hajimemashite, satoshidesu 18:26 < gmaxwell> helo: they are doing more of this tomorrow? And no while I'm comfortable with public speaking I generally have the good sense to stay the heck away from official proceedings. 18:29 < helo> gmaxwell: yeah, there are three sessions tomorrow 18:30 < maaku> sipa: "If I was Satoshi with $1bn to my name, would I still be working here?" 18:30 < helo> the litecoin guy couldn't really even stay on topic... seemed like he just wanted to impress them with info overload 18:33 < Luke-Jr> sigh 18:34 < sipa> maaku: ha 18:35 < midnightmagic> maaku: I would. :) 18:35 < maaku> midnightmagic: wish I had your job :) 18:35 < midnightmagic> maaku: Oh, I don't mean my official job. I meant *in here*. 18:36 < maaku> oh heh, yeah 18:36 < midnightmagic> :-D 18:36 * michagogo|cloud wonders if there'll be recordings of the streams tomorrow as well 18:37 < jtimon> but sipa's colleague is from his official job, no? 18:37 < sipa> yes 18:38 * Luke-Jr thinks it's obvious who Satoshi really is, but *shrug* 18:38 < michagogo|cloud> Luke-Jr: o_O 18:38 < c0rw1n> obvious, really 18:38 < sipa> really? 18:39 < maaku> Al Gore, obviously 18:39 < tacotime_> I always knew he was a time travelling Japanese cat from the 42nd century. 18:39 < sipa> oh, right 18:39 < Luke-Jr> well, Sirius was the only developer "besides" Satoshi for a long time, and he was committing from the start of the git history.. 18:39 < Luke-Jr> and left at the same time 18:40 < gmaxwell> please don't speculate about that kind of stuff. 
18:40 < c0rw1n> gwern has an interesting, abandoned investigation on satoshi 18:40 < gmaxwell> if someone convinces people that you are satoshi, then you get the security costs of shithead nutbags thinking that kidnapping your family might be a great way to get an anonymous billion dollars. 18:40 < Luke-Jr> at all? this channel is still private, right? O.o 18:41 < maaku> Luke-Jr: this channel is now logged 18:41 < gmaxwell> and If you are _not_ actually satoshi, then the cost of security against that threat is really intolerable. 18:41 < Luke-Jr> meh 18:41 < Luke-Jr> maaku: I don't see that in the topic 18:41 < gmaxwell> Besides, we all know Satoshi was a time travelling Japanese cat from the 42nd century 18:41 < Luke-Jr> so it shouldn't be 18:41 < andytoshi> the logs are non-nonrepudiable fwiw 18:41 < Luke-Jr> gmaxwell: s/cat/doge/ 18:42 < gmaxwell> Luke-Jr: though fwiw, the bitcoin history started on sourceforge and was imported into git. 18:42 < andytoshi> to Luke-Jr's point, the logs really should be mentioned in the topic 18:42 < andytoshi> i'm happy to strike anything that people request but people should be aware of it 18:42 < gmaxwell> so put them there, most of you are ops here. 18:43 * Luke-Jr kicks ChanServ 18:43 < Luke-Jr> :p 18:43 < gmaxwell> (I took the top N people by number of messages sent and made all of you ops, for N=10 or something) 18:43 < c0rw1n> if there are public logs i'd love to read them indeed, this being the most interesting #bitcoin-* i've found 18:44 < tacotime_> http://download.wpsoftware.net/bitcoin/wizards/ 18:44 < c0rw1n> ok thx :) 18:44 < tacotime_> I would prefer it continue to be logged, as I read these regularly when my VPS dies. 18:45 < tacotime_> It's a lot of the more interesting Bitcoin related discussion. 18:48 < justanotheruser> jtimon: not really what I was looking for. 
A f2f network doesn't do much in terms of lack timing attacks and lack of knowledge of the network 18:50 < maaku> justanotheruser: it's probably the closest thing out there though ... as I said earlier, I wish there was a community of cryptographers & security people willing to work on adding those features to retroshare-like apps 18:50 < maaku> (hint hint) 18:52 < justanotheruser> maaku: Basically what I'm looking for is a network that is resistant to timing attacks (RS fails), doesn't require full network broadcasting (RS passes), doesn't give info about who you know (RS fails), and doesn't require the trust of your peers (RS fails somewhat) 18:52 < justanotheruser> I believe those criteria would make the ultimate anonymity layer 18:55 < maaku> justanotheruser: I think if you swapped out the retroshare crypto for stuff with forward secrecy, added pond-like random message delays, and use Tor with fixed message sizes you could get most of the way there 18:57 < justanotheruser> maaku: I was thinking everyone just sends 1kb out every 3 seconds. Most of the time your node should have something useful to broadcast, if not then you can temporarily leave the network (or maybe theres a better solution) 19:04 < andytoshi> justanotheruser: probably you want to broadcast random data so that even if there is no traffic it is hard to do analysis 19:06 < brisque> andytoshi: chaffing your connection would be difficult though. if you limited yourself to 0.3kb/s that's a ceiling you can't easily go past. as soon as you go above that it's fairly apparent that you're doing /something/. same issue as before. 19:06 < brisque> andytoshi: if you ramp up the chaff data to a useful level, you're suddenly burning terabytes a month for no real purpose. 19:07 < andytoshi> yeah, maybe there is a way to have chaff based on a rolling average of actual data usage 14:36 < eristisk> ...anonymous system architecture, but wouldn't such a large change in the protocol be extremely difficult? 
14:36 < gmaxwell> Well, not just selling. I don't mean that there is room for pretext... that I think if you optimize for scalablity OR privacy you end up with the same system. 14:37 < eristisk> You'd also make RMS happier. :) 14:37 < gmaxwell> eristisk: In practice everything is difficult. 14:37 < gmaxwell> s/pretext... that I think/pretext... I mean that I think/ 14:38 < gmaxwell> e.g. in either case you end up with a system that does state commitments and then succinct proofs that the state updates were faithful. 14:39 < eristisk> In my admittedly imperfect understanding of how that might be implemented exactly, it would seem that the blocks would have 'metadata' about the transactions to proove that they were valid instead of transaction data itself. 14:39 < gmaxwell> and you learn nothing about the details of the transactions, except that which is disclosed by the final state as compared to the prior state... (meaning you lose all the information about transactions chains that happened entirely in a block) 14:40 < iddo_> with headers-only sync, Bitcoin blocks also wouldn't contain transactions, just txid hashes ? 14:41 < gmaxwell> eristisk: No, they don't... :) 14:41 < gmaxwell> iddo_: no, headers are just the 80 byte bitcoin headers. 14:41 < gmaxwell> no txids. 14:42 < iddo_> gmaxwell: but we could have blocks only with the txids, and miners keep locally the txns themselves (and transmit txns to peers upon request) ? 14:42 < gmaxwell> eristisk: so some quick background. It's possible to construct cryptographic proofs that a given output was the faithful product of running a specified program on a specified input (along with additional private inputs, optionally). 14:42 < gmaxwell> iddo_: filtered blocks can do that, via the bloom filter stuff with just a trivial set. 
14:43 * eristisk goes back to study the byte map of transactions to try to figure out what could realistically be ommitted in a state outsourcing system 14:43 < gmaxwell> eristisk: everything can be omitted. 14:43 < eristisk> I suppose so... kind of the point of hashing algorithms. 14:44 * nsh is dubious 14:44 < iddo_> gmaxwell: is it the devs plan to incorporate filtered blocks to Bitcoin in the future? 14:44 < gmaxwell> iddo_: it's already there, for over a year. 14:44 < iddo_> oh? 14:45 < iddo_> satoshi client already sends blocks without txns? and txns separately upon request? 14:45 < gmaxwell> iddo_: it's not used for fetching between bitcoind nodes, someone ought to do some testing to show if its actually faster once you consider the overhead of sending txids and the roundtrip latency. 14:45 < gmaxwell> iddo_: it can, if you ask it to. 14:45 < iddo_> cooool 14:45 < gmaxwell> eristisk: if you finish the prior block with a commitment to say, in bitcoin today, the UTXO set. Then you can have a program that takes in a prior utxo root hash as a public input, and then a bunch of transactions and utxo fragments as private inputs.. and it gives a public output as the new root hash of the utxo set. 14:47 < gmaxwell> and then a proof of this program's execution can be attached to the blocks. (and proofs can be constructed which are sublinear in the programs execution even constant just constant depending on the security parameters) 14:52 * nsh frowns 14:52 < nsh> there's a catch 14:52 < nsh> i'm pretty sure there's a catch... 14:53 < eristisk> ...essentially replacing the bulky transaction data itself with different data in the blocks containing the proofs of the cryptographic solution in the form of the new root hash to be used as public input for the next unsolved block? 14:55 < gmaxwell> eristisk: right. plus the extra data needed in the final state. e.g. 
if this was dones directly to bitcoin today it would be new utxo created, and the data required to remove the old utxo. But intermediate ones (created and destroyed within a block) are not ever communicated. 14:56 < eristisk> Very large pools could analyse and save significant amounts of transactions in secret, however. 14:56 < gmaxwell> There have been some proposed blockchain redesigns that would reduce that further. 14:56 < gmaxwell> eristisk: perhaps, but you still don't know whats happening in blocks created by other parties. 14:57 < gmaxwell> (these same techniquies can be applied to transactions themselves, and then you get what the zerocoin people are going to propose in their update. I'm just raising the level you do the proofs at to the whole block instead of the transactions. 14:57 < nsh> gmaxwell, i'd sure like to see some toy model of SNARK proof verification in aciton over a distributed system 14:58 < nsh> because i just can't shake this niggling feeling that there's a catch... 14:58 < gmaxwell> nsh: go grab the pantry stuff then. 14:58 < nsh> pantry stuff? 14:58 < gmaxwell> nsh: oh there are all kinds of _pratical_ engineering catches right now. 14:58 < gmaxwell> But the only fundimental catch is that you only get cryptographic soundness, not perfect soundless like bitcoin has now. 14:59 < nsh> modulo what assumptions? 14:59 * nsh checks https://github.com/srinathtv/pantry/ 15:01 < gmaxwell> nsh: you can construct these things out of serveral different cryptographic assumptions. Including ones that basically just depend on the existance of one way functions. 
(though those do not achieve optimal effiency so far) 15:01 * nsh nods 15:02 < nsh> ;;google knowledge-of-exponent assumption 15:03 < nsh> http://crypto.stackexchange.com/questions/6117/how-much-do-we-trust-kea1-assumption 15:05 < gmaxwell> nsh: the real catch in the system used behind that has nothing to do with KEA1 (and really what you'd need to ask about is just crypto in bilinear groups more than N-th power KEA) 15:06 < nsh> hmmm 15:06 < gmaxwell> it's that it's only publically verifyable in the CRS model e.g. there is a trusted magic value that everyone needs to be using. 15:06 * nsh reads amiller's post http://comments.gmane.org/gmane.comp.file-systems.tahoe.devel/7942 15:06 < gmaxwell> But as mentioned, it's possible to build such systems without that limitation. (though the proofs are not as insanely small in the things people have been coming up with) 15:07 * nsh nods 15:09 < nsh> can you formalize the argument that privacy is in some way proportional to communicative efficiency in a system of distributed ledger (or more generally a distributed many-party-input dataset)? 15:10 < nsh> it makes sense intuitively that there's an overhead to bearing deanonymising information 15:10 < gmaxwell> nsh: probably. I mean, I gave the adhoc outline of the argument... right. 15:10 < nsh> but it's be nice to think about it more mathematically perhaps 15:11 < nsh> oh, i wonder 15:11 < nsh> if you can apply a thermodynamic analysis to the system 15:12 < nsh> with information that can be destroyed/discarded without affecting the security of the system being analogous to waste heat 15:12 < gmaxwell> there is a counting argument. 15:12 * nsh nods 15:13 < gmaxwell> There are many ways to get from state A to B. An anonymous system doesn't care which one you take, an non-anonymous system does. 
15:13 < nsh> right 15:14 < nsh> all we care about is certain rules about the traversal from the space of A to the space of B 15:14 < nsh> not the exact paths 15:15 < nsh> so the compression/succinctness is a product of symmetries defined by our agnosticism 15:15 < gmaxwell> probably easier to just compute the entropy of the deanonimizing information and say you save that. Though it's a little more complicated: if a coin used these states and proofs approach it would also compress away a bunch of non-anonymity related overhead. 15:15 < gmaxwell> And so you'd just get the anonymity savings as a side effect 15:15 < nsh> oh, hmm 15:16 < nsh> what other overhead is saved? 15:16 < jtimon> gmaxwell it seems to me that Peter todd's proposal for an inputs-only chain would be both more scalable (because miner's validations become simpler) and more private (because no miner gets full transactions) 15:16 < jtimon> at least more "spherically scalable" 15:16 < gmaxwell> jtimon: it's orthorgonal! ideally you combine these things. The proofs prevent linear complexity from signatures, the MMR stuff keeps the state space minal. 15:16 < jtimon> but the problem remains, why would miners mine in such a system 15:17 < gmaxwell> (thats also why I kept qualifying above as "if we were to do this as bitcoin is today") 15:17 < jtimon> yeah, I mean combining his proposal with full-block snark 15:17 < jtimon> I se 15:17 < jtimon> e 15:17 < gmaxwell> nsh: e.g. there are 2^big ways to satisfy a typical scriptpubkey. 15:17 < gmaxwell> nsh: which of those you used would be hidden. 15:17 < nsh> oh, right 15:18 < nsh> there are advantages to script transparency though 15:18 < nsh> for contracts, etc. 15:18 < gmaxwell> nsh: sure, but you can make them transparent directly between the users. 15:18 < nsh> right 15:19 < gmaxwell> No system that discloses the transactions can have better than linear scalablity in the size of new blocks for full nodes. ... 'cause you recieve data per transaction. 
15:19 < gmaxwell> instead you use some snark and you end up with sublinear communications and validation complexity. The larger the system the bigger the advantage. 15:20 < nsh> but there is some preprocessing cost, or something 15:20 < gmaxwell> there are constants. 15:20 < jtimon> yeah, that would be the scalability vs centralization tradeoff 15:20 < gmaxwell> jtimon: I don't think there is. 15:21 < jtimon> you say the bigger the system the bigger the advantage 15:22 < jtimon> wouldn't a system that processes 1 M tx per snark block imply more centralization than one that only processes up to 100 tx/block? 15:22 < gmaxwell> jtimon: I don't see why? 15:23 < gmaxwell> just talking about the miner's computational costs? 21:22 < petertodd> adam3us: yeah, that's an interesting question: you really want a nothing-up-my-sleeve source of non-compactable random data! 21:22 < adam3us> petertodd: we've got one :) the block chain 21:22 < petertodd> adam3us: interesting problem to get bulk nothing-up-my-sleeve numbers - good opportunity for being overely cute 21:22 < petertodd> I was gonna say... 21:23 < petertodd> though even then you'd probably want to encrypt the blockchain with a CBC cipher to properly randomize it 21:23 < adam3us> petertodd: relatedly i proposed on CFRG using the block chain to proof NUMS / uncooked Elliptic curve paramter generation 21:23 < petertodd> ha nice 21:23 < adam3us> petertodd: i think its actually much better than the alternatives and the current state of the art which is quite gamable 21:24 < petertodd> adam3us: what's the state of the art? 21:24 < adam3us> petertodd: that soeone makes up a nice story about how they didnt cheat, like they publish the generation algorithm, code, and then feed it a seed like pi or a quote and say see "tada we couldnt have cheated" 21:25 < adam3us> petertodd: except there are 100s of bits of choices hidden in there.. 21:25 < adam3us> petertodd: which means the choices could've been ground (doh!) 
21:25 < petertodd> adam3us: oh right 21:25 < petertodd> adam3us: well don't they usually pick the *first* bits of pi? 21:26 < adam3us> petertodd: yes but i mean the code itself, the endian choice, the order the options are considered etc 21:26 < adam3us> petertodd: http://www.ietf.org/mail-archive/web/cfrg/current/msg04019.html 21:26 < adam3us> petertodd: (its quite short and bitcoin amusing) 21:26 < petertodd> adam3us: sure, but not that many bits there... 21:27 < adam3us> petertodd: i reckon you could find quite a few if you tried see you are selecting curves on lot of complex rules, so which rule you reject first, that affects the choice 21:27 < petertodd> adam3us: ah, yeah I'll admit using the blockchain to prove you didn't try the whole process twice is nice 21:27 < adam3us> petertodd: many arbitrary decisions = grindability 21:28 < petertodd> adam3us: though don't make it double sha256, do it timelock crypto style so that to brute-force select would take longer than a block interval :P 21:28 < adam3us> petertodd: the certicom guy was saying hash like nasdaq closing prices, but hten after the fact its not as convincing. blockchain is like a transferable irrefutable self contained proof! 21:28 < petertodd> yup 21:29 < adam3us> petertodd: i like it :) i mean its actually a useful improvement 21:30 < petertodd> adam3us: I think I posted that on the cryptography mailing list, or if not that my "add together n previous blockhashes" idea that averages them all together 21:31 < petertodd> timelock works really well in this case because you don't care how long it takes to verify the process 21:33 < petertodd> adam3us: might be interesting to do some timelock crypto competitions with the memory-latency-hard technique - encrypt a private key of course and first to decrypt gets to spend it 21:33 < adam3us> petertodd: oh yeah i think i remember that post now you mention it.. 
maybe it stuck in my subconscious
21:33 < petertodd> adam3us: be nice to get some lower-bounds there
21:33 < petertodd> adam3us: I'm pretty sure there's nothing with better latency for large amounts of ram out there than commodity hardware
21:33 < adam3us> petertodd: out comes the watercooled monster box :)
21:34 < petertodd> adam3us: yup
21:34 < petertodd> adam3us: which reminds me: one of the hard things about all this asic-hard stuff is PoW doesn't need to be reliable, while even the worst consumer hardware is fairly reliable
21:34 < adam3us> petertodd: my cpu is good (4.8ghz hex core) but i didn't splash for fancy ram
21:34 < petertodd> adam3us: that costs you speed
21:35 < adam3us> petertodd: exactly, yes. (reliability argument) i think one of the asic hw people commented on that
21:35 < petertodd> with a big enough bounty it could be a good way to test the "single round of foo hash" idea
21:35 < petertodd> adam3us: butterfly labs for one implements that
21:35 < petertodd> adam3us: though we *are* lucky that overclocking is still popular
21:38 < adam3us> petertodd: oc is cost effective. that 6-core sandybridge is faster than i think just about any single socket xeon for 3x the price (or worse if you go for dual socket costs)
21:39 < adam3us> petertodd: ghz*core speed assuming parallelizable tasks.
21:39 < petertodd> heh, it'd be hilarious if all our efforts at ASIC-hard PoW just leads to more hardware designed for overclockers :P
--- Log closed Fri Jan 17 00:00:09 2014
--- Log opened Fri Jan 17 00:00:09 2014
01:10 < maaku_> petertodd: that wouldn't be a bad outcome
01:11 * maaku_ dreams of commodity supercomputers
01:57 < CodeShark> opinions? https://github.com/CodeShark/bitcoin/compare/coinparams_new
02:21 < wumpus> CodeShark: I'm ok with moving more chain-specific configuration (such as MoneyRange) to chainparams, but adding all those redundant hashing algorithms isn't going to make it into mainline imo
02:21 < CodeShark> right, I realize that - I was considering a plugin model
02:22 < CodeShark> scrypt.so, hash9.so, etc...
02:23 < wumpus> hmm I don't know
02:23 < CodeShark> or perhaps a compiletime flag to statically link to a particular hash function
02:23 < wumpus> I'm all for making the source more modular, and making it into libraries, but loadable libraries bring a lot of problems of their own
02:24 < CodeShark> what are your concerns?
02:25 < wumpus> security mainly, incompatibility, general so/dll hell
02:25 < wumpus> for now I'd more like a modular approach based on libraries (which can get statically linked into the end product)
02:25 < CodeShark> so then perhaps a way to specify a list of static modules to link at compiletime
02:26 < wumpus> or make it possible to install the bitcoin core as a library, so that actual implementations/daemons can compile and link against it
02:27 < wumpus> or other applications that may need the bitcoin consensus stuff for their own purposes
02:28 < wumpus> anyway, lots of options, but: no altcoin specific stuff in bitcoin/bitcoin please
02:28 < CodeShark> for other applications I'm thinking more of a service-oriented architecture, with a core engine providing runtime services to other processes
02:29 < CodeShark> yeah, the intention wasn't to merge the altcoin specific stuff in bitcoin/bitcoin
02:29 < CodeShark> just to expose the ability to customize the core engine
02:29 < wumpus> okay
02:30 < CodeShark> the inclusion of scrypt and hash9 in particular is a total hack at this point, just intended to test the basic idea
02:34 < CodeShark> I'm also thinking that rather than trying to parametrize things like block reward and retargeting rules it would be better to also use a statically linked module approach
02:41 < wumpus> let's move this to #bitcoin-dev
08:20 < adam3us> amiller: when you're awake about fractional blocks, I am wondering if there is an incentive issue. if a 0.1 block collects .1 of fees and is easily orphanable by a powerful miner, what motive do they have to not selfishly orphan it to collect the other 10% of the fee.
09:39 < _ingsoc> andytoshi: Where are the -wizards logs again?
09:40 < andytoshi> _ingsoc: http://download.wpsoftware.net/bitcoin/wizards/
09:41 < _ingsoc> Ty.
09:41 < michagogo|cloud> (That really belongs in the topic...
09:42 < andytoshi> no worries, i'm afraid you'll have a lot to scroll through, the last three days have been obscenely busy on this channel
09:42 < michagogo|cloud> )
13:36 < gwern> I believe we were discussing ethereum before? might be of interest: https://bitslog.wordpress.com/2014/01/17/ethereum-dagger-pow-is-flawed/ http://www.reddit.com/r/ethereum/comments/1vgqa7/ethereum_dagger_pow_function_is_flawed/
13:36 < Ursium> hi gwern, yes i saw that
13:37 < Ursium> i believe the founders are aware as i remember reading about this very issue a while back.
13:39 < petertodd> Ursium: that's not a very good analysis: sequential memory hardness isn't all it's cut up to be for real-world hardware designs
13:40 < Ursium> petertodd: i see!
13:40 < petertodd> Ursium: not to say his point is necessarily invalid, but what needs to be done is to get an *actual* hardware engineer on board rather than just a bunch of software people theorizing about what makes something asic hard
13:41 < Ursium> makes sense. Will be interesting to follow for sure
13:42 < sipa> (upcoming ad-hominem) the author suggesting x86 as script code doesn't inspire much confidence
13:42 < petertodd> sipa: +1
13:43 < maaku> i think there's a valid technical point in that ad-hominem
13:43 < Ursium> sipa: i believe they suggest C-like scripting which converts back to a very limited set of opcodes - so only interactions with the blockchain etc. What do you guys think?
13:43 < sipa> maaku: yes, but it's irrelevant to the issue being discussed
13:44 < maaku> Ursium: see the logs for the past few days. we've had some interesting discussions about what you can do with a more powerful script
13:44 < maaku> mostly related to covenants
13:44 < petertodd> Ursium: the idea of extrospective scripts is a good one, how to implement them is another issue
13:44 < maaku> you would *not* want to do so using an ad-hoc CISC language, however
13:45 < petertodd> maaku: speaking of: you realize that for colored coins and many other covenants, you actually only need to look *backwards*, so they aren't really covenants and have no issues
13:45 < maaku> you'd need something amenable to static analysis (e.g. a strongly typed stack language)
13:45 < petertodd> maaku: or a single type :P
13:46 < maaku> petertodd: ? for CC you need to look at the outputs of the current transaction to avoid inflation
13:46 < maaku> well, functions/combinators are types...
13:47 < maaku> michagogo|cloud: I'm allowed to op, but not change the title for some reason. Is that a different permission?
09:30 < amiller> gmaxwell, that transaction was made by the authors of the paper
09:30 < jtimon> iddo someone asked me yesterday for an atomic transaction in which one party gets a decryption key for a file, is that possible?
09:30 < jtimon> because I said no
09:30 < gmaxwell> jtimon: it's possible.
09:30 < jtimon> what's the coin toss protocol?
09:31 < gmaxwell> I described the required protocol a couple years ago.
09:31 < gmaxwell> jtimon: https://en.bitcoin.it/wiki/User:Gmaxwell/why_hash_locked
09:33 < jtimon> but the password gets revealed for everyone right?
09:35 < gmaxwell> jtimon: uh, it can be just a password for a one time encryption for that recipient, no one else gets the encrypted data. Alternatively, you can apply the "CoinSwap" encoding, so that the only txn that shows up in the blockchain is a 2 of 2 escrow, so long as the participants cooperate.
09:36 < gmaxwell> (basically in coinswap we show how to take any script releasable escrow transaction and keep the real release details a secret, so long as the players play fair if they don't play fair the details get leaked but the funds still go to the right place)
09:36 < jtimon> I see, you can encrypt to certain public key
09:38 < jtimon> well, extro24 wanted to use it for authors to "sell content", DRMed content, I don't like the idea
09:39 < jtimon> but it seems it would be actually possible
09:39 < jtimon> what other use cases do you find interesting?
09:41 < gmaxwell> well it's not usually that interesting for "sell drmed content" since you don't really have a machine test that you'd like the content or something. So you're stuck trusting the seller that the key he gives you is a key for something you want.
09:41 < jtimon> oh, yeah, that's actually what I told him
09:41 < gmaxwell> for things that you can test with a machine my protocol could be used.
09:42 < gmaxwell> For example, "I'd like to buy the master key that cracks the drm scheme on these books"
09:42 < jtimon> how the network knows that the secret decrypts the content without actually revealing the content to everyone?
09:42 < gmaxwell> jtimon: you prove it out of band.
09:42 < jtimon> with snark/scip no?
09:43 < gmaxwell> Basically I prove to you that X is the hash of the key you want, out of band. Using some kind of ZKP, doesn't have to be a SNARK but thats one way of course.
09:43 < gmaxwell> Then you make a transaction that can be redeemed if the person reveals a value that hashes to X.
09:44 < jtimon> this is the "I'd like to buy the master key that cracks the drm scheme on these books" use case?
09:44 < jtimon> no, in general
09:45 < gmaxwell> In general.
09:45 < gmaxwell> go read the webpage. :)
09:45 < iddo> gmaxwell: so do you think that it's possible to do a refund txn for a txn that had inputs of both Alice and Bob, i.e. the refund txn redeems (with locktime) both the coins of Alice and the coins of Bob, or Alice can cheat because Bob only sees the hash of what he signs?
09:45 < jtimon> yeah, sorry
09:47 < gmaxwell> iddo: it can be done, but its messy.
09:47 < iddo> how? :)
09:48 < gmaxwell> iddo: bob makes a transaction moving his coins. But doesn't announce it. He tells alice the txid. ...
09:48 < gmaxwell> iddo: alice writes a txn spending those coins and hers but doesn't announce it, she writes a refund and gives the refund (only) to bob and has him sign it.
09:48 < gmaxwell> then after he does she gives him her escrow. and if he likes it, he announces his original move.
09:49 < iddo> ahh
09:49 < iddo> not too messy
09:50 < iddo> but more txns that would need to be broadcasted if both parties are honest, that's true
09:50 < gmaxwell> well, not on paper it's not. The problem is that any time you add an extra level of interaction you really make implementation in the real world messier. e.g. more round trips that can time out that you have to handle. :) and yes, more tx data.
09:50 < jtimon> hehe "because we're computer geeks we have no friends who can act as trusted mediators"
09:54 < epscy> gmaxwell: what are your thoughts on Quark?
09:58 < gmaxwell> epscy: that moronic altcoin that just uses every hash function out there? Well. moronic. doing that confers no specific advantage.
09:59 < gmaxwell> Even if you were to say asic resistance was desirable, it doesn't have that result, it increases the NRE but not the marginal costs, which makes an asic monopoly more likely (or a successful attack by a powerful entity who could eat the nre)
10:06 < jtimon> gmaxwell, this is very cool, I'm thinking voluntary computing, what limitations has the function H ?
10:06 < petertodd> gmaxwell: I noticed those txn's ages ago; I hadn't figured out what they were doing however
10:07 < gmaxwell> jtimon: it just has to be able to run inside your proof environment.
10:09 < jtimon> like a BOINC program? I doubt gridcoin has a p2p issuance solution, but it would be interesting
10:15 < gmaxwell> jtimon: it doesn't really make sense for boinc though, because the proof systems have quite high overhead. A lot of the theoreticians writing about snarks talk about delegation applications, but as far as I can tell they're on drugs. :)
10:15 < gmaxwell> (e.g. your problem was slow enough you needed to delegate it, so first you embed it in a proof system that makes it 1000x _more_ expensive
10:15 < jtimon> yeah, that's what I was asking for with the limitations of H
10:16 < jtimon> ok, it doesn't pay
10:16 < gmaxwell> it works in cases where you have a NP search and you want to pay people for the answer, not the work.
10:16 < gmaxwell> In which case the verification of the answer is fast, but not the search.
10:17 < jtimon> mhmm, maybe scientists could code their voluntary computing programs in a way that people search for those answers and only prove them when they find them
10:18 < gmaxwell> I suppose, indeed, you can POWize any program by just defining some answers as distinguished.
10:18 < jtimon> but each case would be different, in some cases you won't be able to code those incentives
10:18 < gmaxwell> not necessarily.
10:19 < TD> gmaxwell: the why_hash_locked + scipr protocol should maybe be on the contracts page. as that seems like a very general approach to contracts
10:19 < jtimon> hmm POWize ANY program?
10:19 < TD> gmaxwell: would you mind if i copied it or linked it from the contracts page? any preference as to which?
10:22 < gmaxwell> TD: You can go ahead and link it. There are a bunch of links to it elsewhere, and I don't want to maintain two copies. I should probably go move it to [[Zero Knowledge Contingent Payments]] or something like that, and then the original will at least have the move redirect.
10:22 < TD> ok
10:23 < TD> i suppose this is conceptually similar to oracle payments, except if the function you wish to gate the money on is pure then you can avoid the third party
10:27 < gmaxwell> if the oracles inputs are either untrusted or authenticated, then you basically run the payee run the oracle for you and prove he did it right.
10:29 < TD> yeah. but often you want to access some external state. if the state is signed (+timestamped?) then this construction is indeed better. otherwise the third party is still needed.
10:29 < TD> i really wish TLS had an ability to sign traffic streams. sigh.
10:30 < jtimon> gmaxwell we could issue freicoin foundation funds as bounties for "scientific solutions" this seems perfect for the job
10:30 < gmaxwell> Right, an interesting point is that you could separate out the authentication and computation parts. E.g. have a trusted third party who connected to the site and signed the results.
10:30 < TD> right. that's true.
10:30 < TD> a generic TLS signing gateway would be useful for many things, like the p2p exchange thing too.
10:31 < TD> i guess you quickly get back to the tor issue of how do you stop people abusing you as a generic anonymizing proxy for wiki abuse and things
10:31 < TD> but perhaps simply restricting to HTTP GET fixes 90% of that
10:31 < TD> you don't need POST if you do a login out of band, and then simply do GETs with your cookies to obtain provable statements of things, and http responses already contain timestamps
11:00 < michagogo|cloud> 15:33:42 <gmaxwell> phantomcircuit: shesek has legal advice that says its not an escrow. Who knows.
11:00 < michagogo|cloud> If it matters, I understand he's based in Israel
11:56 < TD> gmaxwell: the pay to certificate idea seems like it can open up a whole bunch of interesting areas, like decentralised insurance schemes ...
11:56 < TD> where actuaries are replaced with market-based mechanisms instead.
11:56 < TD> the only human component becomes actually verifying that a specific event did take place in the real world.
11:58 < TD> pay-to-proof feels like a whole talk waiting to be given, actually
12:01 < gmaxwell> TD: yea, but not with open questions: no one wants to answer the question that will arise when someone points out that decentralised insurance schemes requires a is-someone-dead oracle. And that an assassination market and a life insurance market are /very/ nearly the same thing.
12:01 < TD> but those things can be done in the centralised model too. as andy greenberg has shown.
12:03 < TD> i wonder if there are more efficient special case protocols for ZKProving signatures and cert chains
12:03 < TD> than snarks
12:03 < gmaxwell> Its true, I don't actually worry about those uses much people are actually less evil than we worry they are in general, any case but it just makes for some awkward conversations esp if you find yourself in a room that contains people who think that such an application would be a good use.
12:03 < TD> i expect assassination markets to shrivel up once the people running them notice bounties on their own heads ...
12:04 < TD> that's a double edged sword for real, aye
12:04 < andytoshi> i always assumed an assassination market would be set up by a rogue bot
12:04 < andytoshi> not even in a terminator-style encounter, just some stupid bug
17:22 < gmaxwell> andytoshi: one somewhat annoying thing about the fee/donation stuff is that it makes it impossible to go from round inputs to round outputs.
17:23 < gmaxwell> andytoshi: hm. also, can you perhaps have some ajax reloader thing, and perhaps play a chime or popup an alert when its time to sign?
17:23 < andytoshi> oh, sure
17:23 < andytoshi> i guess i should whitelist my own domain on noscript.. :P
17:24 < gmaxwell> maybe just have it display a countdown... and when it hits zero. popup a window/play a beep.
17:24 < gmaxwell> I missed the testnet one I threw coins into earlier. :P
17:25 < andytoshi> i think, i'll have the "there are XYZ seconds until whatever" displays count down everywhere, and i'll see about playing a beep
17:25 < andytoshi> whenever i google for things like "how to play sound using javascript" the forum posts that come up are so sad...
17:26 < andytoshi> fwiw, these never expire, you can F5 the 'sign.php?session=whatever' page for ever and ever
17:26 < gmaxwell> "Sorry, but this session has been invalidated. Probably there were not enough transactions to do a merge."
17:26 < andytoshi> ah
17:27 < andytoshi> that'll happen regardless of how closely you follow it, unless you submit multiple transactions yourself
17:27 < andytoshi> maybe i should extend the window rather than invalidating transactions?
17:27 < andytoshi> i don't want it to happen that somebody submits a transaction, nobody else does for a day or two, and then when finally people use the coinjoiner, it's got some forgotten transaction poisoning the pot
17:28 < gmaxwell> just document.write a tag... <audio autoplay><source src="http://foo.wav" type="audio/wav"></audio>
17:29 < gmaxwell> yea, you don't really want an old transaction jamming it.
17:30 < gmaxwell> What you could do is split off the old pot and start a new pot. The old pot can still get more txn added, but only if someone gets directed to it by ID.
17:30 < gmaxwell> e.g. I could add a txn to the pot, and email you a link directly to the pot. and it fails because no one else adds... and 24 hours later you can add a coin to it, then it'll go into signing X time after.
17:32 < andytoshi> yeah, that's a good idea, and it takes literally no code to implement..
17:32 < andytoshi> i just have to comment out the "set status = invalid" line in the cronjob :P
17:32 < gmaxwell> you might want to have it check if the inputs are unspent and set it to invalid if any of them are spent.
17:34 < gmaxwell> e.g. if I put a coin in, send you a link. Then you don't notice the email, and I give up and join another session .. and my coin is spent.. later when you load the link it won't invite you to add more coins to a dead one.
17:34 < andytoshi> yeah, it should
17:35 < andytoshi> there is code which does that before it switches to signing mode
17:35 < gmaxwell> (or even just: if a coin is spent, you remove it from the mix, and if the count goes to zero the mix is invalidated)
17:37 < andytoshi> cool, done
17:38 < andytoshi> i should also add code so that if outputs are spent during the signing phase, that also invalidates things
17:38 < andytoshi> inputs*
17:41 < gmaxwell> just check on every load of the signing page, perhaps?
17:43 < andytoshi> nah, the pageloads are handled by PHP, i'm trying to avoid doing any real work in there..
17:44 < andytoshi> i have a perl script which transitions to the next session, it does all the merging and validation checks
17:47 < andytoshi> well, that's not true, when you submit a transaction PHP does a spot check
17:50 < gmaxwell> not critical, but checking there would save some time signing a doomed transaction.
17:55 < andytoshi> i think i'll run the perl script every minute or two
17:56 < andytoshi> it should really know how long a session is supposed to be alive..
18:46 < amincd> 20.
19:19 < andytoshi> gmaxwell: i think i've got the coinjoiner working, with the ding and the autorefresh and the frequent checking of transaction validity
19:19 < andytoshi> i still have not updated the tiebreaker code for most popular output to take into account roundness of numbers..
19:21 < andytoshi> i'm really happy with how this is turning out, i do wish there was a nicer UI than "run these rawtx commands"
19:23 < michagogo|cloud> andytoshi: You could make a script or set of scripts for assorted languages to use the rpc interface to make a nicer UI
19:31 < gmaxwell> andytoshi: well, next step can be to write a client for it. :P
19:31 < nsh> use predicates
20:14 < maaku> gmaxwell: "The general idea is that the merging party can just make a list (blindly) mapping their inputs to outputs, give the list to all players, and commit to the list so that all players know they got the same list." <-- that's how I always understood the protocol, and what the one I'm working on does
20:14 < maaku> I guess I don't understand phillipsjk's attack?
20:16 < gmaxwell> e.g. you and I want to coinjoin and both of us want to pay 1 BTC to 1wikileaks (perhaps among several other outputs we want).
20:16 < maaku> ok
20:17 < gmaxwell> in the most straight forward construction the merging host could have just 1 1BTC output to 1wikileaks, and if you and I don't know about each other we'd inspect the transaction and each say "yep, 1btc payment to wikileaks, good to go"
20:18 < gmaxwell> meanwhile the merging host had just added in an extra 1btc payment to themselves.
20:19 < maaku> so in the version I'm working on, the merger (I call him the joiner) makes a proposal by referencing offers signed by each participant
20:19 < maaku> so we could, in principle, check that each others requirements were met and not double-count the donation
20:19 < maaku> but yes, I understand the problem now and I hadn't considered it
20:20 < maaku> my naive implementation would have just checked the user's own requirements and could fall victim to that
20:20 < gmaxwell> yea, it's perfectly solvable.
20:21 < maaku> hrm.. but this is maybe semantically ambiguous - what if I really only care that 1 btc was sent to 1wikileaks?
20:21 < gmaxwell> I give two ways to solve it one constrains an output pubkey, the other requires an extra communications roundtrip. I dunno if there are better ways. The communications round trip might just be necessary for anti-dos reasons regardless.
20:22 < gmaxwell> maaku: then you could signal that, I suppose... one is a superset of the other.
20:22 < maaku> in freimarkets for example, we have private servers that condition transactions based on whether an output matching a certain template makes it on the block chain
20:23 < gmaxwell> for transaction fees (which you can think of as being a 'reused address') it might actually be the case that you only care that X amount goes to them and you don't give a darn regardless.
20:23 < maaku> in which case you're using it as a semaphore ... but it's not really a problem if more money ends up there, and I assume that requiring both outputs is the better default
20:23 < gmaxwell> maaku: right, and what I'm saying is that the ability to accept such a case is a subset of the ability to detect that you're in such a case.
20:24 < maaku> yeah
20:24 < maaku> sorry, just thinking out loud
20:24 < gmaxwell> I'd actually like it if CJ things could merge outputs, e.g. 1 WL, 1 WL -> 2 WL.. but because of the triggers you'd want to actually communicate your willingness to accept.
20:25 < gmaxwell> (merging matching outputs is always equal or better for privacy, and its more efficient)
20:27 < maaku> yeah
20:28 < gmaxwell> andytoshi: I assume when you put this up for real you put it behind ssl?
20:33 < andytoshi> gmaxwell: yeah, definitely
20:34 < andytoshi> actually, i have been meaning to put my entire site behind ssl for a long time.. is there such a thing as a good cheap cert provider?
20:34 < gmaxwell> startssl
20:34 < maaku> startssl
20:35 < gmaxwell> at least in one of your dimensions its infinitely good.
20:35 < andytoshi> thx guys :)
20:35 < adam3us> andytoshi: all certs are equal, buy the cheapest :) (its an openssl design side effect - weakest link in chain defines system security)
20:36 < gmaxwell> not quite equal, since there is some inequality in support in older browsers, but I think for your stuff you don't care.
20:36 < maaku> adam3us: well, you need to make sure it's a widely deployed root cert (e.g. built into mobile browsers)
20:36 < maaku> but startssl is, and it's free ... kinda hard to beat that :)
20:36 < andytoshi> well, i meant 'good' in a moral sense.. for example godaddy supported SIPA, they act like scammers, they look sleazy, etc
20:37 < gmaxwell> If you don't pay them it's less morally ambiguous. :)
20:37 < adam3us> maaku: some of them have a chain file you have to use, because they are subcas, which works but makes the cert response over the wire larger
20:37 < andytoshi> yeah, i buy that :)
20:37 < adam3us> maaku: free eh? thats pretty good
20:38 < maaku> well for the lowest level of verification ... as if verification actually meant anything
20:39 < maaku> unfortunately they require verification if your domain gets flagged as high-risk (e.g. monetize.io :( )
20:39 < andytoshi> lowest level is fine, at least people can't read your traffic with tcpdump..
20:39 < maaku> but even then, it's still the cheapest
20:39 < adam3us> maaku: yeah thats a new one to me, used to be like $7 - $10 cheapest
20:41 < gmaxwell> andytoshi: so wrt output values. Maybe instead of just the most popular output, when there is more than one output with exactly equal values, you list all of them. E.g. If you have 10.1 1 5.3133 you list 1 (roundest most popular output), and if later you have 10.1 10.1 1 5.3133 you list 10.1. and if later you have 10.1 10.1 1 1 2 2 5.3133 you list 10.1, 1, 2. It makes the txn more identifiable but you'd almost certainly learn ...
20:42 < gmaxwell> ... the same stuff by just continually polling the most popular output as it changes.
20:53 < gmaxwell> andytoshi: I got
18:15 < andytoshi> note that the idea about just wrapping a hard-to-verify PoW in a snark encourages centralization because the snarking step is hard to do but only has to be done once per block. so the more hashing power you have the smaller the percentage of power is "wasted" just proving that you did what you claimed. plus you can start building on that PoW before the proof is complete, but others don't get to see
18:15 < andytoshi> what to build on until you publish the proof
18:16 < maaku> andytoshi: not to mention incentives
18:16 < maaku> having a snark step delays announcement as you have to build the snark proof
18:17 < andytoshi> maaku: yeah, i had several false starts trying to describe the incentive situation :P it's really confused
18:19 < andytoshi> the snarkchain model gmaxwell suggested is requiring SHA256(SNARK_PROVE(SHA256(utxo updates + nonce))) < TARGET, which avoids all these problems while also incentivize snark optimization work
18:21 < gmaxwell> whats this about linear pcps? The general problem with using PCP constructions directly is that they have insane expansion of the proof, so like the proof ends up being larger than the universe, which is generally regarded as a bad thing. If the proof is a linear function, however, like one structured as a hadamard code there is a way to effectively work with the proof in a transformed domain that makes operations compact. So you ...
18:21 < gmaxwell> ... don't actually have to instantiate the whole proof.
18:23 < gmaxwell> 14:35 < tacotime_> And that the parameters file must arise from a trusted source.
18:23 < gmaxwell> ^ not quite Thats how the GGPR'12 pairing-crypto SNARK stuff works. But its not inherent to verifiable execution.
18:24 < gmaxwell> The GGPR stuff has an advantage of being the most developed and currently most efficient approach.
18:25 < tromp__> gmaxwell, you missed my discussion with petertodd on Cuckoo Cycle. i was wondering if you had read the paper and had any feedback on it?
18:25 < gmaxwell> A not really accurate way to understand it is that it reduces the problem of verifying execution to testing the roots of some polynomials and testing some ratios of polynomials. ... then it instantiates a kind of homomorphic cryptosystem so you can do all this in an encrypted domain.
18:25 < gmaxwell> tromp__: I saw the discussion but I didn't participate because I haven't read the paper.
18:26 < tromp__> ic, gmaxwell. anyway, i hope you have a chance to read it. i'd like to have your opinion on it
18:27 < gmaxwell> tromp__: I think petertodd's concerns in the first half of the discussion were taking the wrong approach. I understand without reading the paper that the approach sounded like its based on finding a kind of structured multicollision?
18:28 < tromp__> yes, a combined 42-way collision if you like
18:28 < gmaxwell> Generally collision finding POWs give you asymmetric memoryhardness but they have time/memory tradeoffs (e.g. using rho cycle finding). And generally multicollisions have more tradeoff available not less, so I'm interested in how you solve that but I should read the paper.
18:28 < tromp__> the key insight i think is that the edges must be processed in sequential order
18:29 < tromp__> it's not a collision of many to one
18:29 < tromp__> it really requires following long chains of pointers
18:30 < gmaxwell> The later half of PT's discussion is a more meta point which is some new thinking. I now believe (and have been talking some with Colin Percival some about) that the security analysis in the scrypt paper was significantly flawed. :(
18:30 < tromp__> which is what prevents those rainbow table/bloom filter collision shortcuts
18:31 < gmaxwell> Basically if you model a typical big computing cracking effort, for example, over the whole task of the computation, power costs can come out to something like 95% of the total cost (e.g. on 28nm)
18:32 < tromp__> cuckoo does about 5x more random memory accesses than hashing ops, so it should do well on power
18:32 < gmaxwell> So what can happen when you try to make a memory hard KDF is that you increase the silicon costs (part of the 5%) by say 10 fold or what have you but if in doing so the power costs to the attacker (for a users tolerance budget) goes down.. that may be a loss.
18:32 < tromp__> the latency will slow down the rate at which you can hash
18:33 < gmaxwell> yes, and I'm concerned thats actually bad.
18:33 < tromp__> in what way is a latency dominated pow bad?
18:33 < gmaxwell> e.g. you make the 5% 10x (say) more expensive but you make the 95% 1/4th as expensive then the result is a net loss.
18:34 < gmaxwell> tromp__: shifting cost to silicon over power potentially favors optimized hardware infrastructure.
18:34 < tromp__> but the power use will be limited by the relatively huge cost of dram
18:36 < tromp__> imagine how much memory is needed for its power-use to equal that of all sha256 asics in use now
18:36 < tromp__> it wld probably be more than all memory in existence
18:37 < tromp__> also, most power use in memory is due to high bandwidth ops
18:38 < tromp__> if you know you only need to fetch 32bit words, and don't fill cache lines with adjacent words, then power cld drop a lot
18:38 < gmaxwell> tromp__: Well we have an existence proof TCO wise the gridseed scrypt asics are a bigger improvement over GPUs than sha256 was. I _believe_ that increasing the memory size would actually make that worse, though I'm trying to talk to gridseed engineers about it but chinese/english language barriers are fun. :P
18:39 < gmaxwell> tromp__: I don't think you are following my argument there. I'm not quite sure how to state it more clearly.
18:39 < gmaxwell> I don't actually know how it pans out for different parameters, it's also pretty process sensitive, the last few process nodes scaled transistor density better than they scaled dynamic power.
18:39 < tromp__> i think scrypt has a LOT more parallelism in it than cuckoo
18:40 < andytoshi> tromp__: an attacker can amortize his hardware costs because he is generating shitloads of keys, and he benefits from lower power. an honest user of a KDF is hit much harder by latency costs and doesn't care about power because honest users don't generate many keys
18:40 < tromp__> are any scrypt asics in the hands of miners yet?
18:41 < gmaxwell> I have one sitting in front of me, they aren't widely available to the public yet.
18:42 < tromp__> the crucial question is, how many scrypt attempts does the chip run in parallel?
18:42 < maaku> gmaxwell: is it an asic, or an fpga prototype board
18:42 < gmaxwell> tromp__: but in this case the lack of parallelism helps the attacker. Thats why I was saying that more memory appears to actually make scrypt worse (for actual attack cost) relative to commodity hardware. Though there may be inflection points in the tradeoff.
18:42 < gmaxwell> maaku: an asic.
18:43 < tromp__> how much memory is on the scrypt asic?
18:45 < gmaxwell> tromp__: not sure, still trying to extract data from the people who made it. Each instance of scrypt needs 128k, unless you use a minor TMTO but I'm pretty sure they aren't.
18:46 < tromp__> right; so they'll be able to run 8192 instances with 1GB of on chip mem
18:47 < tromp__> now with cuckoo, you can set the memory requirement at 1GB, or 4GB.
18:47 < gmaxwell> It's in a super cheap QFN package, whole chip costs about $1.25 to make, they've been putting 5 of them to a proto board, which (including regulator losses) draws a bit less than 8 watts, and does 300KH/s which compares not too unfavorably to a year old / middle tier GPU.
18:47 < tromp__> and they won't be able to run more than a few instances
18:47 < gmaxwell> thats irrelevant sadly.
18:48 < tromp__> furthermore, i don't see how each instance can run much faster than with a cpu hooked up to std RAM
18:48 < gmaxwell> tromp__: did you see andytoshi's illustration of the concern?
18:48 < tromp__> no, gmaxwell, where can i see it?
18:48 < gmaxwell> tromp__: oh you can get incredible speedups if you can avoid chip external (pin-count and frequency limited) long busses.
18:49 < gmaxwell> just the point above:
18:49 < gmaxwell> 15:40 < andytoshi> tromp__: an attacker can amortize his hardware costs because he is generating shitloads of keys, and he benefits from lower power. an honest user of a KDF is hit much harder by latency costs and doesn't care about power because honest users don't generate many keys
18:49 < gmaxwell> Basically these analyses must consider both the operating costs and the upfront costs. The hardware cost is amortized.
18:50 < gmaxwell> unfortunately a total cost model is much harder to do because its much more dependent on the physical instantiation than just trying to count transistors.
18:50 < tromp__> but amortization requires parallelization
18:51 < tromp__> no-one has proposed a viable way of parallelizing cuckoo?!
18:52 < gmaxwell> tromp__: Everything can be parallelized. E.g. the attacker acts as two miners. Within the algorithm you are not parallel sure, but there is a maximum scope to this or you lose progress freeness, which is essential for consensus-POW. (maybe it doesn't matter for a KDF)
18:52 < andytoshi> no, amortization just requires you to run for a long time.
18:52 < gmaxwell> and yes, as andytoshi points out, just continuing to run for a long time is where the amortization comes from.
18:53 < gmaxwell> tromp__: I'm not sure what background you have in POW-consensus, do you understand what I mean about progress free being a requirement?
18:53 < tromp__> andytoshi, you can only run cuckoo for EASYNESS many nonces,, there are only a small number of cycles to be found in that time
18:53 < gmaxwell> tromp__: you don't just run it once and throw your hardware out, of course.
18:54 < tromp__> right, you need to use your 1GB of memory for, say, 10secs, and have some small prob of finding a 42 cycle
18:54 < tromp__> and keep repeating that
21:53 < midnightmagic> in essence, the retarget can be rewound as though no retarget has happened yet because a heavier subtree exists that hasn't reached retarget.
21:54 < maaku> midnightmagic: the reorg code doesn't care squat about retargetting, as far as I am aware
21:54 < gmaxwell> any limit creates a potential for an unresolvable fatal partition in the network if there is a reorg right at the boundary. So you argue "boundary X is safe because making a reorg that deep is infeasible" I respond "boundary X is pointless because it defends against an attack you just told me can never happen" :)
21:54 < midnightmagic> i don't know if it matters, was just thinking of possibilities.
21:54 < gmaxwell> midnightmagic: yea, I dunno if that's especially concerning, subtle things to think through for sure.
21:56 < midnightmagic> maaku: I guess the retarget boundary may not be relevant, but it looks like a heavy subtree can make the main chain length *shorter*..
21:56 < phantomcircuit> gmaxwell, "checkpoints are a performance feature not a security feature"
21:57 < gmaxwell> phantomcircuit: hm? yes.
21:57 < maaku> midnightmagic: it extends the length of the sub-tree, i don't see how it reduces the length of the main chain
21:58 < gmaxwell> maaku: well for security you actually care about the relative distance to the next best tree that doesn't include your txn.
21:58 < gmaxwell> since that's the amount of work required to change the decision.
21:58 < midnightmagic> maaku: It is possible that mining could indefinitely create a reorg which switches back and forth between two trees without actually extending the main chain length.
21:59 < midnightmagic> I don't think a 51% attack right now could do that. I think it must *extend* some tree in order to increase main chain length.
21:59 < gmaxwell> midnightmagic: I dunno that that matters though. I worry more about details like how the heck do you make sure that everyone actually agrees on longest.
22:00 < andytoshi> gmaxwell: well, if boundary X is there to try and keep nodes from getting DOS'd, even if it is infeasible to split the network that far back it is a useful boundary
22:00 < maaku> yes, a problem here is that you no longer have global knowledge about how much weaker a distant subtree (which you're ignoring due to DoS considerations) is, until it overtakes you
22:01 < maaku> but it would take the nuclear 51% for the subtree to have any effect, which is why it's not a very weighty concern from where I'm sitting...
22:01 < gmaxwell> andytoshi: header flooding alone isn't really an interesting dos though, esp as you don't forward them
22:02 < andytoshi> well, it could be interesting if you've gotta keep them all in memory at once
22:03 < Mike_B> hey btw gmaxwell - did you ever find that hashcash paper?
22:03 < Mike_B> i'd really love to read it if you did.
22:03 < andytoshi> i thought that was the crux of this "diff-1 flood" attack we are discussing
22:03 < gmaxwell> Mike_B: haven't had a chance.
22:03 < Mike_B> gmaxwell: do you remember the title? i was searching stuff like "hashcash progress-free" on google but without much luck.
22:06 < gmaxwell> Mike_B: if I did I would have just given you the result.
22:06 < midnightmagic> ah, footnote #10 was what I was looking for
22:07 < gmaxwell> andytoshi: I haven't been following the discussion here, and don't have time to.
22:09 < gmaxwell> andytoshi: but with a 'suitable' headers first implementation diff-1 flooding basically reduces to a boring "peer can send me unwanted packets" problem... though I don't know if anyone would ever bother with the really dos hardened version since incrementing the minimum difficulty (and then fixating the old chain as a one time thing) is a simpler thing to do.
22:10 < gmaxwell> (if you don't mind potentially fetching fork headers multiple times you can basically bound the space using a hierarchy of bloom filters to accept headers for inspection)
22:13 < andytoshi> hmm, i'd have to think about what a 'suitable' headers first implementation would look like, since if you are weighing entire trees you can have a situation where two peers each have half the tree
22:13 < andytoshi> but neither is aware of the other half
22:15 < gmaxwell> oh if you're talking about that fast blocks paper, I think it destroys every anti-dos mechanism for block flooding I'm aware of (other than incrementing the minimum diff)
22:15 < andytoshi> oh, i am :P i think we have been talking past each other
22:15 < gmaxwell> well okay other than that, and other than SNARKs for membership in a chain of some total diff.
22:16 < maaku> andytoshi: which is totally fine...
22:16 < gmaxwell> e.g. you could build a snark for summing the diff of a chain which commits to a hashtree of headers. And then you can prove each header incrementally is a member of a chain with some sum diff.
22:17 < gmaxwell> maaku: it's fine? really? if you end up with half the hashrate on one subtree and half on another subtree.. that's not good. what triggers resyncing the missing blocks to make them ever converge?
22:17 < maaku> gmaxwell: reverting to IBD mode when one tree is longer, which it will be eventually
22:17 < andytoshi> right, my concern is that no node can make a snark because nobody individually has a heavy enough subtree
22:17 < andytoshi> but together, their subtrees could add up to a lot, so you have to listen to them all
22:18 < gmaxwell> maaku: I don't follow but I think I'm too worn out to think now.
22:19 < maaku> gmaxwell: the point is the question amounts to "assume a situation only possible as the result of a 51% attack, here's a problem" - and my response is "that problem will sort itself out, and beyond that is not worth thinking about because you're assuming a devastating attack"
22:20 < gmaxwell> maaku: I don't see that. assume the network ends up in a state where half the nodes know fork blocks ABC and half know DEF and as a result you have half hashpower on each subtree and they stay tied. What makes them eventually converge?
22:21 < maaku> gmaxwell: block generation being a stochastic process. they will diverge from each other randomly
22:21 < phantomcircuit> maaku, they *might* but you have no guarantee
22:21 < phantomcircuit> we like those
22:21 < gmaxwell> maaku: sure, but there are three extra blocks on each side. how long until one gets three ahead when they have an even split of hashpower?
22:22 < gmaxwell> and how much hashpower does it take to maintain that state?
22:22 < gmaxwell> (by adding extra orphans)
22:22 < maaku> i'm not sure i follow - why the magic number 3?
22:22 < gmaxwell> I just picked a number.
22:22 < Luke-Jr> obviously the Holy Trinity
22:23 < gmaxwell> 1, 2, many. Three is the smallest many.
22:23 < maaku> gmaxwell: well you just need a single block more on either chain
22:23 < andytoshi> once one half of the split gets one block ahead, that should be enough to draw hashpower toward it
22:24 < andytoshi> which is the way that their "eventually you always reconverge" theorem works
22:24 < gmaxwell> anyways, point I'm trying to make is I think you can put this system into a state where it will probably never converge, even without an (active) attacker.
22:24 < maaku> and chances are you'll get that ... unless the attacker is >51% of the network and censoring his own blocks, in which case :shrug:
22:24 < andytoshi> i think maaku is right, but only when everybody is sharing all the available blocks -- and then i think we have DoS potential
22:24 < gmaxwell> maaku: hm? no the nodes with the A B C orphans need the D E F orphan chain to be 4 blocks longer before they think it's longer.
22:25 < gmaxwell> andytoshi: but _how_ do you share all blocks? how do you actually know if you have them all? how do you know if you don't to go get them? and how doesn't any anti-dos not mess that up?
22:26 < maaku> gmaxwell: ah ok i misunderstood your description of the initial state
22:26 < andytoshi> well, you have a master chain, and if you say, ignore any blocks more than 10000 behind the head of the chain, that would be an anti-DOS which doesn't affect this business of reconvergence
22:26 < andytoshi> unless you get a 10000-deep split, and then you're totally screwed
22:27 < andytoshi> but 10000 blocks ago the diff should be high enough that spamming blocks is impossible
22:27 < gmaxwell> you know for sure you have all the blocks normally, because of the linked list structure of the chain, but this stuff creates relationships which are not unidirectional. E.g. newer orphans make older blocks (which are later in the chain) better.
22:27 < maaku> gmaxwell: getting ahead (or behind) 3 blocks would take a while, but it will happen - and i should point out the chance of it happening is the same as getting into that state in the first place
22:27 < maaku> since you're presuming the forks have equal hash power, but somehow one has 3 more proof of works than the other
22:28 < gmaxwell> right 3 will happen but may take a long time. .. a semi-active attacker with fairly modest hashpower who keeps mining more orphans only on the shortest subtree could prolong that.
22:29 < maaku> but "in reality" there will be some miners which only have one orphan stored - and they will jump ship first
22:30 < maaku> i think you're still balancing on a pin to set this up
22:32 < gmaxwell> maaku: but it's a balance that could even happen without an attacker which I agree is unlikely, and an attacker could make it happen for sure. wait for a natural split, buy a burst of hashing power to build two blocks and give them in a censored manner... repeat as needed to keep it imbalanced. I don't know that it's fatal, but it's a whole class of attack that doesn't exist in the current system because we have jamming resistant ...
22:32 < gmaxwell> ... communication of blocks
22:32 < midnightmagic> I guess building additional orphans is less of a good idea than building ones that are likely to become canonical due to coinbase payments.
22:32 < gmaxwell> midnightmagic: someone breaking the system is short coins and doesn't care about the coinbase payments.
22:32 < midnightmagic> hrm
22:33 < midnightmagic> joker effect.
22:33 < gmaxwell> "byzantine failure"
22:34 < gmaxwell> though perhaps it's sufficient if miners commit to all the blocks they're using to contribute to the difficulty they're using ... maybe that gets it back to the same communications model.
22:34 < gmaxwell> e.g. if blocks get censored you'll know it if you hear the tip.. and then you can go looking for the contributors.
22:34 < midnightmagic> well it's pretty neat they did this paper, it's a cool idea. i wonder if it can work in a p2pool-like sharechain where orphans themselves could count towards the whole.
22:34 < maaku> gmaxwell: if the attacker is in a position to buy more than the entire hashpower of the network, there's a lot more they can do than just that
22:34 < maaku> are you saying they can do it without maintaining that hash advantage?
22:34 < gmaxwell> maaku: only for a brief window? no way. I'm saying they don't have to maintain a hashing advantage.
22:35 < gmaxwell> as you note, once it's on-the-head-of-a-pin it's unlikely to converge by chance... so they just have to keep prodding it to equilibrium if it gets out.
22:35 < gmaxwell> they could have an average hashpower a small fraction of the network's and make the split continue to diverge.
22:36 < gmaxwell> e.g. 10% of the network hashpower they're adding 1 block to the smallest subtree per 10 blocks added to the network.
22:37 < maaku> gmaxwell: i'm not certain of that ... it's not explained how they're able to maintain this partition of knowledge about the orphans
22:37 < andytoshi> maaku: i think the idea is, the nodes don't think to ask for the missing orphans, because they don't see any new blocks referencing them
22:37 < gmaxwell> it's not knowledge, they're making them and handing them out
22:38 < maaku> gmaxwell: i mean the orphans which resulted in the split in the first place
22:38 < maaku> andytoshi: a GHOST client would benefit from gossiping about orphans
22:40 < maaku> midnightmagic: i'd edit your post. it is perfectly possible to rewind past a difficulty retarget. we don't want to be spreading misinformation to the people who read that
22:41 < midnightmagic> maaku: It's a sub-point of stripping blocks off head..?
22:41 < maaku> midnightmagic: you can have a two-block reorg when the difficulty retarget was 1 block ago
22:42 < maaku> (and have a different retarget as the result, due to different timestamps)
22:42 < midnightmagic> maaku: Yes but after that reorg the head work count is not shorter, correct?
22:42 < maaku> correct
22:43 < maaku> but your post states "This includes rewinding back past a difficulty retarget, which is currently impossible"
22:43 < maaku> that *sounds* like diff retarget == checkpoint
22:43 < maaku> whether that is what you meant or not
22:43 < midnightmagic> I am editing the post, but that is a semantic difference of the meaning of the term "rewind" which I'd hoped was made clear by the fact I'd put it as a subpoint of *stripping off blocks from head without replacing them.*
22:45 < midnightmagic> That is, you have to replace it with a *greater* amount of work, and thus substitute one reorg for another. I'm assuming by now you know what I mean and just don't think the vocabulary I'm using is appropriate.
22:47 < maaku> midnightmagic: correct
23:59 < gmaxwell> yo dawg, i heard you liked vanity https://people.xiph.org/~greg/qr.png
--- Log closed Mon Dec 09 00:00:42 2013
--- Log opened Mon Dec 09 00:00:42 2013
00:32 < amiller> lol.
02:41 < wumpus> hahaha nice gmaxwell
03:31 < wumpus> gmaxwell: so does that actually generate keys, convert to an address, create a qr code, and match to some target image or so?
03:33 < wumpus> or is the actual information in the qr code not important and it just makes use of the redundancy in the representation?
03:43 < maaku> wumpus: i would assume it's making use of redundancy, just from visual inspection
03:46 < wumpus> maaku: it seems that way, just found the paper: http://dl.dropboxusercontent.com/u/12405967/qrsem.pdf
03:47 < wumpus> I suppose that if one generated vanity keys one could get even closer to the target image, but it's not needed for the effect at all
03:48 < maaku> yeah that's why i figured it was redundancy
03:48 < maaku> it could have been a cleaner image without
03:48 < maaku> er, with a vanitygen approach
06:00 < michagogo|cloud> gmaxwell: Nice. (my phone couldn't read that, but zxing.org could)
14:18 < gmaxwell> hm. An interesting point about cryptocurrencies with perfect anonymity and fungibility is that they have, assuming spherical cryptography, fundamentally better scalability. not having privacy means communicating more information.
14:19 < gmaxwell> you could imagine a cryptocurrency based on encrypted commitments and state outsourcing where a block doesn't communicate transactions at all, just the final state commitments and proofs that they're correct.
14:20 < iddo_> what is spherical cryptography ?
14:21 < gmaxwell> iddo_: I mean with tools that achieve everything we know is theoretically possible, "spherical cow", without practical considerations or constant factors.
14:21 < iddo_> ahh
14:21 < gmaxwell> e.g. imagine a block that doesn't carry transactions, it just commits to the final state after all transactions were applied, and proves that the updates met the rules.
14:22 < iddo_> so with anonymous cryptocurrency, you mean that it's less communication complexity, but more computational complexity locally?
14:24 < gmaxwell> well I'm ignoring the complexity of the proof systems, in theory SNARKS can give quasi linear work on the prover, and constant communication and verifier complexity or similar efficiency.
14:24 < iddo_> gmaxwell: why did you say several days ago that Bitcoin mining power is about 2^74 now? i see about 64 leading zeros in the PoW hash of blocks now, isn't that 2^64 complexity?
14:24 < eristisk> So, a distributed blockchain model where the data contained within the blocks would be of much smaller size because of the intentional absence of the bulk of the transaction data... wouldn't miners that solved the block still see the entire contents of the transactions?
14:24 < gmaxwell> iddo_: aggregate vs each block's.
14:25 < gmaxwell> eristisk: sure, but only the block they produced.
14:25 < iddo_> gmaxwell: aggregate means what in this context? all the work that has been done since the genesis block?
14:25 < gmaxwell> Maybe my point was too abstract, but I'm only pointing out that the theoretical limits of cryptocurrency efficiency can only be achieved if the cryptocurrency is anonymous... because adding identifiable information increases that communication complexity to at least linear.
14:26 < gmaxwell> iddo_: correct.
14:26 < iddo_> cool
14:26 < gmaxwell> 74.63 right now. Smallest hash so far is 000000000000000000028c32e6952731326747bae4be8db0f832d6eea0362050
14:26 < eristisk> Right, you'd have to have widespread miner collusion to consistently publish or backhandedly share the data in order to get all data. The other important part you brought up is something I'd personally like to see in Bitcoin (and other "complete blockchain" altcoins) itself anyway, which is encrypted commitments.
14:28 < gmaxwell> eristisk: well, there are ways to construct this stuff so that it's anonymous even against miners. Doing so has practical engineering challenges today, but they're solvable. It also has significant political challenges.
14:28 < gmaxwell> But perhaps the point I'm making eases the political challenges: anonymity is pretty much a mandatory outcome of optimal efficiency.
14:29 < iddo_> politicians care about efficiency ? :)
14:29 < zooko> Uh, did you just say "spherical cryptography" ?
14:29 < zooko> What's that?
14:30 < zooko> Oh, someone already asked.
14:30 < eristisk> It could be argued that there is space enough for a model as Bitcoin exists today (accelerating technological burdens of the large distributed data set notwithstanding) as well as an altcoin which successfully implements fully encrypted transport streams between nodes as well as transactionless blockchains as you are speaking of.
14:31 < gmaxwell> like a spherical cow, sorry. :) I just am talking about the theoretical asymptotic efficiency. The practical implementations of the required tools are not there yet.
14:31 < gmaxwell> eristisk: money likes a monopoly.
14:31 < eristisk> More like: people like a money monopoly :P
14:32 < gmaxwell> And confidence in cryptocurrencies probably depends on a reasonably high degree of stickiness. "Why do I want your foo coins when next year bar coins will be the new hotness?"
14:33 < iddo_> thing about zerocoin is that CRS is exactly the kind of thing that people who are attracted to zerocoin don't like... i already see thread on that http://www.reddit.com/r/ZeroCoin/comments/1rxwvh/zerocoin_has_a_master_key/
14:33 < gmaxwell> So yea, sure alternatives can and will exist... but I suspect that in enough time, as the engineering tradeoffs mature and stop being tradeoffs anymore it will just become a no-brainer to do things like use snarks to compress bitcoin... and at the limit you end up making it anonymous even if that wasn't your goal.
14:33 < gmaxwell> iddo_: yea the CRS stuff is ... not good. But it's not fundamental.
14:34 < gmaxwell> we know from theoretical work that publicly verifiable non-CRS sub-linear communication cost SNARKs can exist.
14:35 < iddo_> yes:)
14:35 < eristisk> Ah I see. Well, encrypted commitments could be added to Bitcoin with reasonably smaller fundamental changes in comparison to rewriting the protocol spec to remove transactions from the blockchain data. I get your point about "selling" it under the premise of solving the spiralling problem of storing such an increasingly massive distributed dataset whilst simultaneously arriving at a more...
23:42 < amiller> the thing is businesses benefit from this social awareness that all businesses are safe because they're regulated
23:42 <@gmaxwell> E.g. for a centralized system you can point at all these RISKS that the regulations stop, ... and that there are reasons that the regulation is inexpensive.
23:42 < amiller> it's like a license to cater to stupid consumers
23:43 < amiller> decentralized means you're really on your own and don't expect a court to sort out your problems
23:43 < petertodd> depends on the model, the silk road benefits from the awareness that it isn't and isn't going to get shutdown on a whim
23:43 <@gmaxwell> petertodd: It means something, not in and of itself, but it means that people we might have expected to do otherwise didn't.
23:43 < amiller> ripple.com seems to be advocating the worst of all possible worlds
23:43 < petertodd> gmaxwell: FinCEN trying to fight bitcoin head on, and early, would have been *better* imo.
23:43 < amiller> by recommending that you join the system by "HIRING" a gateway "BUSINESS" to "trust" you
23:44 <@gmaxwell> amiller: in general this plays into the thinking I've been having lately about how our systems should try to minimize the best case and the worst case, regardless of their average case.
23:44 <@gmaxwell> E.g. if we can't prevent an attack almost completely we should make it trivial and automatic. No surprises.
23:44 < amiller> where your trust in the gateway is predicated on their contracts being enforceable by STATE LAWS which by the way no one expects to pay for because w/e
23:44 < amiller> gmaxwell, yeah better encourage the smaller attacks to happen right away
23:44 < amiller> fail fast fail early fail often?
23:44 < amiller> fail small
23:44 < petertodd> gmaxwell: indeed that's actually a big failing of the idea of fidelity bonded banking running on secure hardware you know
23:45 < petertodd> gmaxwell: fidelity bonds are going to be very, very, very tricky to get right, and the hardware lets you punt an issue that you probably shouldn't
23:45 < amiller> social collateral isn't free
23:45 <@gmaxwell> Not just right now but it's a line of thinking about how people relate to each other. I think there is evidence that people can prosper under many kinds of system for making agreements but what's important is that you can know what you're actually buying into.
23:45 < amiller> the fact that it seems scary and unusual to make formal relationships with friends where relationships can get hurt and damaged... that fear / discomfort you feel is how you know it's working
23:46 < petertodd> The rate of huge hacks hasn't changed much, yet the community seems to panic less on each one...
23:46 <@gmaxwell> E.g. if a kind of transaction is only 90% safe, I think people are better off if it's 0% safe. Because the 10% oh-fuck-I-got-ripped-off is 110% of the cost of it being completely unsafe.
23:47 <@gmaxwell> I boggle at the hash, ozcoin has been thoroughly hacked three times now. Slush 2.5 times. I don't see any evidence of either changing their business practices or the users really caring much.
23:48 < petertodd> but what exactly have their users lost anyway?
23:48 < petertodd> specifically, how much compared to the profits?
23:48 <@gmaxwell> In the case of ozcoin people are actually out money now. But indeed "easy come, easy go"
23:48 <@gmaxwell> I think the ops don't care much because they're mostly gambling with other people's money and what money of their own they lose was too easily won, and perhaps that applies to the users too.
23:49 < petertodd> no-one is getting sued for being a negligent op
23:49 < amiller> something that's funny to me is just how little of the ecommerce problem that bitcoin solves
23:49 < amiller> the silk road is a perfect example
23:49 < petertodd> which is sad when better software, multisig, multiple implementations etc. can make attacks orders of magnitude harder
23:50 < petertodd> what do you see as flawed in the silk road?
23:50 < amiller> it's a centralized script kiddie php/mysql database
23:50 <@gmaxwell> Seems like zero interest. The only pool security innovation that I'm aware of is eligius' coinbase payments, which were not created for security purposes initially (Luke's goal was to avoid running afoul of regulations by not handling third parties' money)
23:50 < amiller> it's the weak link in a chain of two properly (sorta) decentralized miracle systems
23:50 < petertodd> amiller: with a damn good record in practice, and the central wallet is essential to privacy
23:51 <@gmaxwell> Well, I think SR does okay considering that people with high competence have many reasons to avoid it.
23:51 < amiller> essential - no.... damn good record... sure, and of course it gets first mover advantage and a ton of novelty
23:51 <@gmaxwell> petertodd: they have managed to disclose their IP .. twice.
23:51 < amiller> there's no better alternative i guess
23:51 < amiller> also bitcoin-otc is awesome and yet decentralized
23:51 < petertodd> gmaxwell: are you sure they actually disclosed their IP? with sites like that misdirect is good
23:51 < amiller> i want to see the real black market in my lifetime!!!
23:51 <@gmaxwell> well lemon market in any case.
23:52 < petertodd> silk road and its ilk have the unique problem where competitors might be LEA honeypots
23:52 < amiller> ripple/^H^H^H^ excuse me social collateral solves a much larger problem than just bitcoin too
23:52 <@gmaxwell> petertodd: it's possible but I think pretty unlikely that it was a misdirection. (in particular, in one case the site was also accepting connections from the public internet ... and based on latency... it wasn't just a tor gateway to it)
23:52 < amiller> the quantities you formally transact with don't just have to be about currency trades it can be about shipments etc
23:53 < petertodd> amiller: thinking social collateral solves problems usually discounts the very real cost of thinking about social collateral
23:53 < amiller> thus it generalizes bitcoin, bitcoin-otc, and yes the silk road
23:53 < amiller> shit changes yo
23:53 < amiller> i thought i'd never see an irc room full of people checking each other's gpg keys
23:53 < amiller> gmaxwell informed me at one point that they still get scammed constantly on bitcoin-otc because of... well not checking each other's gpg keys
23:54 < petertodd> gmaxwell: absent evidence that they've actually been caught it may not mean much. Anyway, their IP is just as likely a VPS under a fake name.
23:54 < amiller> so maybe i have rose colored or purple-green trippy glasses or w/e but still
23:54 < petertodd> amiller: bitcoin-otc has a central database with no way to avoid trusting it - ugly
23:54 < petertodd> amiller: it's a nice hack, but it's so far from a good solution
23:54 <@gmaxwell> nanotube wants to fix the database issue, there is a whole irc channel for people nattering about that.
23:55 < amiller> totally that's why the future-bitcoin-that's-not-just-silly-gold will be largely about maintaining a decentralized reputation ledger!
23:55 < petertodd> good, -otc needs to be passing around actual bits of signed data, which sadly probably means a pile of custom software
23:55 < amiller> that's the sort of thing we should be figuring out how to encode in some kind of scripting language and figure out how to pay for with fees that make sense
23:55 <@gmaxwell> The data in that database is pairwise in any case, the way I recommend people use it is that they use it as a directory to find people they know that know the potential trader.
23:55 <@gmaxwell> so all the database could really do is DOS.
23:55 < amiller> the point is people are using it - it's a proof of concept that the social / too-hard-to-think-about problems can be overcome
23:56 < amiller> there's interest, people adapt
23:56 < petertodd> yes, which really gets down to how -otc is more about just bringing people together in a chat room, the ratings system isn't as important as you'd think
23:56 <@gmaxwell> The ratings system actually turns out to be .. well more useful than I expected and I am generally a dyed-in-the-wool reputation system hater.
23:57 <@gmaxwell> Though I guess that also means my expectations were low. :)
23:57 < amiller> the magic-database-in-the-sky is the revolutionary new technology of the decade :3
23:57 < petertodd> well, I've used -otc mainly to co-ordinate local trades, so there's a lot more going on than some PGP-based rating there
23:58 < amiller> i gave a guy a 2 when i should have given him a -1
23:58 < amiller> i feel really bad about it
23:58 <@gmaxwell> 0_o
23:59 <@gmaxwell> I'm pretty stingy with ratings, also the rating system has been good for me to consider my operational practices. E.g. I realized there were people that I was not willing to rate highly but I'd run code from them they'd given to me without auditing it. (and vice versa)
--- Log closed Thu Apr 25 00:00:11 2013
--- Log opened Thu Apr 25 00:00:11 2013
--- Day changed Thu Apr 25 2013
00:00 < petertodd> heh, as inflammatory as it was I kinda liked jdillon's point about how he trusts Mike with all the coins on his android wallet
00:01 <@gmaxwell> Yea, esp since android has silent push updates.
00:01 <@gmaxwell> You guys see the ozcoin / strongcoin drama?
00:02 < petertodd> also interesting to consider how the strongcoin 'coin movement' would be trivial to do on an off-chain tx system, yet at the same time with fraud proofs implemented doing so could be suicide (absent the still present client software vulnerabilities)
00:03 < petertodd> strongcoin got away with it, to the extent they have anyway, because humans are in the fraud detection loop
00:03 < petertodd> a regulatory issue too: "Um, you see if I return the funds this source code is going to declare me a fraudster and my clients will instantly stop using my service..."
12:51 < adam3us> can't say i like that direction very much - dsa itself is devoid enough of security proofs, and how do we prove the signature is immutable (once the encoding and known mutations are addressed) - it's a novel security assumption that the mathematical crypto guys have not spent the last decade+ thinking about unlike basic dsa or schnorr
12:53 < gmaxwell> adam3us: it's just software engineering. How do you know your buffers don't overflow. :)
12:54 < gmaxwell> oh you mean just inside DSA. point.
12:54 < adam3us> yes dsa mathematical assurance
12:54 < adam3us> i do buy your rigid non openssl based deterministic encode/decode argument
12:54 < gmaxwell> It's worse because if you give me a discrete log solving oracle I know I can give you infinite signatures.
12:55 < gmaxwell> but I don't know that I can reduce it to that being sufficient, almost certainly not since DSA itself has no such reduction.
12:55 < adam3us> i am for example thinking of a DSA attack i made on a server compute offload system for DSA by markus jakobsson
12:56 < adam3us> it was surprisingly malleable
12:56 < adam3us> despite the unknown k^-1 values
12:56 < adam3us> (slightly different situation, but...)
12:57 < gmaxwell> There are other signing algorithms which I expect would be easy to prove were unique. E.g. I think a pairing short signature only has one signature just on information theoretic grounds... no such joy for DSA.
12:58 < adam3us> do you mean weil pairing based? zss? i wouldn't touch it with a barge pole ;)
12:59 < adam3us> weil pairing is too new, people are finding special curves to be avoided, fresh news now and then so i am scared of the parameter choices, people maybe making bad ones that'll get mathematically broken presently
12:59 < adam3us> but yes non-malleability would be nice
13:00 < adam3us> i think schnorr is otherwise a rather nice signature scheme as it's more flexible for eg k of n threshold, brands style boolean formulae, limited show even
13:01 < adam3us> limited show is very nice - you can force the signer to make one signature only ever on a given document (on pain of disclosing his private key via simultaneous equation)
13:02 < adam3us> of course disclosing private keys is less critical than usual in bitcoin as you only have to get there first, subsequent signatures are ignored
13:02 < gmaxwell> and because your private key has low value or at least can have low value.
13:03 < gmaxwell> since our privacy requires that you can have more for free. :)
13:03 < adam3us> eg re weil pairing dangers, http://ellipticnews.wordpress.com/2013/05/22/joux-kills-pairings-in-characteristic-2/
13:03 < gmaxwell> adam3us: Yea, well, I wasn't recommending it, but just saying... :) It's not so bad with curves though, I mean, most of the stuff being broken is the low embedding degree stuff that was known to be not a great idea.
13:03 < adam3us> he pretty much destroyed some parameters that people actually proposed not that long ago
13:04 < gmaxwell> adam3us: yea, but you can find publications eons ago about characteristic 2 being weak... ::shrugs::
13:05 < adam3us> the danger is this isn't the end of the story we don't know how far new mathematical attacks go towards currently considered secure parameters
13:05 < adam3us> anyway kind of a tangent :)
13:05 < adam3us> what are the known mathematical mutabilities? is r,-s it?
13:05 < gmaxwell> Sure. though, as you noted DSA is not provably secure in the standard model. :)
13:06 < gmaxwell> adam3us: r,-s is the only mathematical one I know of.
13:06 < adam3us> yes and in that sense the best we can do is use old conservative assumptions that are secure in the sense only that no one broke them yet
13:07 < gmaxwell> My confidence in that class of assumption goes down every day. :)
13:07 < gmaxwell> (there are a lot of weaknesses we've fixed in bitcoin that could easily have been exploited even profitably in some cases but just no one did!)
13:08 < adam3us> maybe the interest would go up if we had zerocoin levels of privacy
13:08 < gmaxwell> e.g. I don't think anyone has used the r,-s malleability yet, they've used DER encoding ones.. confusingly one is where you code s as a _negative number_ e.g. not the same as -s mod order but just a sign bit that openssl ignores.
13:09 < gmaxwell> adam3us: I think that part of it is that if the attacks are sophisticated, the people smart enough to pull them off can find better things to do with their time that they can still brag about. :P but who knows.
13:12 < adam3us> i think mostly that is true, though there are a few grey hats i've come across with the "if it's broken it deserves to be exploited" mentality, that they seem to deeply internalize and see no moral problems with
13:14 < gmaxwell> Yea, but even those can find more interesting things to do, I think? Dunno I'm waving my arms, I can only say that I've observed a lot of stuff not getting exploited.
13:15 < gmaxwell> E.g. there is a lot of people using unconfirmed txn that would be jammed up by someone just making mutants in order to jam things up.. and no one seems to be doing that _generally_, only against satoshi dice, and I dunno if that's happening anymore.
13:19 < adam3us> maybe the bets are too small
13:19 < adam3us> ok i think i have a mathematical argument for you;)
13:20 < adam3us> if (r,s) is a signature, then so is (2r,2^-1s) because that is (r',s') = dsa with k replaced with k'=2k which you can do even though you dont know k
13:21 < adam3us> and you can replace 2 with any invertible number in the range of n
13:21 < adam3us> so there are probably 2n or thereabout possible mutations
13:21 < sipa> with n = ?
13:22 < adam3us> order of curve
13:22 < sipa> ouch
13:22 < gmaxwell> I was trying to think about that before and thought there was some issue with it because Xr may not even be on the curve.
13:22 < adam3us> i think it works because (r,s)=([-kG]x,k^-1(H(m)+rd)
13:23 < adam3us> sorry that should be (r,s)=([kG]x,k^-1(H(m)+rd)
13:23 < sipa> gmaxwell: even if not, just below 2^255 values are
13:23 < sipa> so the odds of hitting a valid r are almost 50%
13:24 < gmaxwell> easy enough to try.
13:24 < adam3us> so (r',s')=([kG+kG]x,2^-1*k^-1(H(m+rd)
13:24 < sipa> this sounds like malleability is unsolvable?
13:24 < adam3us> eek not quite.. internal r
13:24 < adam3us> retract
13:25 < gmaxwell> yea, I don't think this is true.
13:25 < adam3us> (let me try some more tinkering)
13:25 < gmaxwell> If its true we just broke DSA
13:26 < gmaxwell> because we would have created a way of recovering K that looks like a collision search on a K multiple sequence, like how you solve the discrete log.
13:26 < adam3us> well not necessarily because you can only create a new signature of a known value (except that you cant so far other than (r,-s)
13:27 < adam3us> i'm not sure about that... some of the other DL algorithms are reblindable or whatever you call it
13:27 < adam3us> eg elgamal
13:27 < adam3us> thats a related encryption algorithm version of near infinite mutability
13:37 < gmaxwell> I don't think this works because the order is prime. But I'm in a meeting right now and haven't been able to just try it.
13:45 < adam3us> I think the EC version of elgamal will still be publicly reblindable
13:49 < adam3us> another interesting question would be if you have (r,s) and (r',s') two different signatures with different k values but on the same H(m) can you create a third signature (r",s") (ignoring the (r,-s) approach)
13:51 < gmaxwell> well I don't mind create two different signatures the signers could always create infinite more.
13:51 < gmaxwell> "Don't sign the same message multiple times" is simple enough, esp if people switch to derandomized dsa. (As I think all should)
13:53 < sipa> i don't see how you could compute s"
13:53 < sipa> unless the two k values are related
13:59 < adam3us> what's your email address sipa? i'll send you an unpublished attack relating to a server offload version of DSA which shows mathematically how manipulable this is
13:59 < gmaxwell> sipa: the idea there is to blindly swap K values on a signature.
14:00 < adam3us> note i said two real signatures (diff k values) on the same H(m)... thats going to be more manipulable
14:01 < sipa> adam3us: pieter.wuille@gmail.com
14:01 < sipa> gmaxwell: hmm, i'll have to think longer about it
14:02 < gmaxwell> I'm not saying it works, but I see vaguely how it might. I'd want to just try it.
14:03 < warren> petertodd: I'm in favor of getting rid of free tx's entirely.
14:06 < adam3us> sent mail
14:07 < adam3us> who's going to bitcoin in amsterdam thurs-sat?
14:08 < sipa> i'm not, this time
14:09 < adam3us> the lesson from that server aided DSA attack is knowing any relation at all about k values is usually fatal
14:09 < MoALTz> warren: one suggestion i've said in passing before is to have a new field in the block header: minimum accepted fee; the block is only valid if all the tx contained with-in have at least that fee. on its own that doesn't seem helpful, but consider the effect: if you want to know how long a tx will take to get onto the blockchain you look back over an arbitrary number of blocks and see how many it would have made it into (%age-wise)
14:10 < MoALTz> avoids hardcoded values too
14:11 < gmaxwell> MoALTz: people pay fees to miners in many different ways, not just tx fees.
14:11 < gmaxwell> e.g. today people will pay fees via child transactions that have high fees, or via special txouts paying a specific miner, or via external agreements.
14:12 < gmaxwell> MoALTz: so in your model miners would keep signaling 0 but then actually imposing higher fees.
14:13 < MoALTz> hmm. suggests some other constraint is needed as well
14:15 < MoALTz> for the "in-kind" payments i could see refunding the tx fee being done (coinbase). but yeah, it still needs more incentive for miners to give correct values for the mintxfee
00:40 < jgarzik> l very relevant to corruption prevention, just in different ways.
00:40 < maaku> left hand, meet right hand
00:40 < petertodd> well HP is a hollow shell of its former self
00:41 < jgarzik> filesystems and block all go through page cache, even if write-through
00:41 < jgarzik> if you have PCI-express (PCIe) super-fast storage, even kernel page locking can become a relevant factor.
00:41 < petertodd> jgarzik: sucks that pages are so big, though for the average person 4KiB/transaction is not going to hurt you
00:42 < jgarzik> petertodd, indeed. That is one of the annoying bits, for us. Our commits are likely well under 4k
00:42 < jgarzik> much less 8k
00:42 < petertodd> jgarzik: 64KiB is enough for anything right? :P
00:42 < jgarzik> ;p
00:43 < maaku> if you want to get clever, you can fill the extra space with error correction of previous writes
00:44 < petertodd> maaku: if you want to get overly clever, you would run a testnet node in parallel and also write your wallet data to the testnet blockchain
00:44 < petertodd> maaku: or maybe just a scamcoin that you don't like
00:44 < jgarzik> gmaxwell, upload the master public key to bitcoinkeyserver.net ;p
00:45 < jgarzik> gmaxwell, create a really slow, clunky mirror at bp.mit.edu
00:45 < gmaxwell> I do think supporting some kind of integrated backup system would be nice.
00:45 < gmaxwell> "we store our wallet backups encoded as fake public keys in the pgp key servers"
00:45 < jgarzik> "the cloud"
00:45 < petertodd> "the caves"
00:46 < petertodd> "the salt mines"
00:46 < maaku> jgarzik: gmaxwell: you do that, and people will start "logging into their account" on a friend's client
00:46 < petertodd> maaku: ooh, sounds useful! very 2.0!
00:46 < jgarzik> gmaxwell, heh, well, petertodd and I were discussing how SIN (an ECDSA key, after all) might look inside OpenPGP packetizing
00:46 < petertodd> maaku: can I login with my facebook account?
00:46 < jgarzik> gmaxwell, might be fun...
00:47 < gmaxwell> jgarzik: openpgp land is a little brain damaged, they'd likely just have some silly robot that sees your sin and signs for you. (see cacert's signer for an example) :(
00:47 < petertodd> gmaxwell: what's cacerts signer do exactly? sign for email identity?
00:48 < petertodd> gmaxwell: PGP runs a bot that does that
00:48 < jgarzik> gmaxwell, openpgp source code and packetization both leave a bit to be desired. but ah well, it's The Standard.
00:48 < gmaxwell> petertodd: if you have two cacert certifications of your identity their robot will sign a pgp key for you, so long as the name matches exactly.
00:49 < jgarzik> everybody forks the same 1960s era codebase.
00:49 < jgarzik> I'm pretty sure OpenPGP was originally fortran, auto-translated to C
00:49 < gmaxwell> jgarzik: yea, and it covers a LOT of usecases. sometimes I get irritated and want to rewrite it, and then I remember it does a ton of stuff I don't even completely understand.
00:49 < petertodd> gmaxwell: oh, that's not so bad, though it'd be better done with a cert sig notation
00:49 < gmaxwell> "You can write fortran in any language"
00:50 < gmaxwell> petertodd: yea, it's just a sig0 user signature from some random key.
00:50 < petertodd> jgarzik: you mean the gnupg codebase?
00:50 < gmaxwell> buggers up the WOT because most things don't know to ignore it.
00:50 < petertodd> jgarzik: there's no OpenPGP codebase
00:50 < petertodd> gmaxwell: huh? all WoT tools require you to explicitly state your trust at every step, at least what I've used
00:52 < gmaxwell> petertodd: e.g. pathfinder tools will follow hops through that stupid key.
00:52 < gmaxwell> or at least some of them will.
00:54 < petertodd> gmaxwell: right, but pathfinder tools don't do what you really want anyway, because they don't let you specify anyone's keys as trusted or untrusted
00:54 < gmaxwell> I know.
00:54 < petertodd> gmaxwell: equally, they give you all the distinct paths, so just pick one that doesn't use that key
00:54 < gmaxwell> I also recently realized that my own trust database is all 2#$@#@#$@ up, as well as my signature levels are all wrong.
00:55 < petertodd> Main thing is we need off-line versions of those things that use your trust settings.
00:55 < petertodd> how so?
00:55 < gmaxwell> at some point a gpg update switched me to the mode where it doesn't ask what level of verification you did, and just issues all sigs as sig0.
00:55 < petertodd> oh, you were local-signing keys?
00:56 < petertodd> likely gnupg changed because they wanted to simplify things, although IMO that's just a failing of non-existent tools to actually use the WoT
00:56 < gmaxwell> and most of my sigs are actually sig2/sig3.
00:56 < gmaxwell> and you can't change them without redoing the sigs. So now I'm probably not going to fix it until I scrap my old 1024 bit key.
00:57 < petertodd> right, because of how gnupg doesn't let you resign a key, although you can revoke the signature, minimize/clean the key to get rid of the revoked sigs, and resign, it's just not obvious
00:57 < petertodd> *obvious how
00:57 < gmaxwell> I know, but a PITA. and it will gunk up the keyservers with more signatures.
00:58 < gmaxwell> also, why the @#$@ must all your keysigning be with your master identity key?
00:58 < petertodd> the OpenPGP standard has trust signatures which let you specify a secondary key to do signing on your behalf
00:59 < gmaxwell> petertodd: yea but it looked like it would be treated as a different key id. E.g. I want a key which is signed by everyone, which delegates to a key signed only by it, which goes and signs everyone.
00:59 < gmaxwell> and everyone sees that as just the same as the master key signing everyone, unless I revoke the delegated key.
01:00 < petertodd> gmaxwell: I'd have to double-check, but I'm pretty sure that subkeys can have the cert bit set
01:00 < gmaxwell> gpg ui wouldn't let me do that at least. hm. that would be nice.
01:01 < petertodd> yeah, myself I just have hardware PGP keys, and keep my master key on one that I leave offline
01:01 < petertodd> my day-to-day subkey is in the second smartcard
01:01 < gmaxwell> you still need to interact with it to sign people. which is what I'd like to avoid.
01:02 < petertodd> well, done on a secure computer, esp if air-gapped, that's still pretty damn good
01:02 < gmaxwell> yea, but I update my master key once every couple years. I sign more often than that, so it should be separate.
01:03 < petertodd> indeed, but as I say, I do think the standard supports what you want to do
01:03 < gmaxwell> cool. I'll have to give it a shot again, I only looked briefly.
01:04 < petertodd> anyway, without timestamping a lot of this stuff isn't as useful because sigs aren't trustworthy once keys are compromised
01:05 < phantomcircuit> jgarzik, in general relying on sector size writes being atomic doesn't seem like a great solution
01:05 < petertodd> IMO the more important thing for OpenPGP is to be able to know exactly when signatures were created, and be able to issue revocations as applying to after certain times
01:05 < gmaxwell> petertodd: have you thought about defining a signature packet that says "this key is timestamped" with blockheader stuff?
01:05 < petertodd> gmaxwell: yes, in fact last night I changed my GPG setup to use blockheader hashes as random beacons - only half the problem, but interesting how simple it was (uses signature notation data)
01:06 < petertodd> gmaxwell: I've looked at it carefully, and I think defining timestamping as a new signature algorithm is the right approach
01:06 < petertodd> OpenPGP already has a "this sig is a timestamp" bit
01:11 < gmaxwell> petertodd: though validating a bitcoin timestamp is not quite stateless... since you need to know some of the network.
01:12 < petertodd> gmaxwell: yeah, that'll be a first for OpenPGP
01:12 < gmaxwell> though I guess you can have a minimum difficulty... which is now almost 60 bits.
01:12 < gmaxwell> log2(267731249.48242110)+32 = 59.996
01:14 < petertodd> for validation of old sigs it's interesting how you could just ship an "official" set of block headers
01:14 < gmaxwell> well, it could be a --recv kind of thing to get the headers.
01:14 < gmaxwell> and show it as an untrusted signature if you don't have the headers or something.
01:16 < petertodd> yeah, though that's actually ignoring the bigger issue, which is that for user acceptance you have to have a way of timestamping that happens instantly or near instantly
01:17 < gmaxwell> not for key identification you don't.
01:18 < petertodd> gmaxwell: even for that people won't be happy - you need a scheme where you can upgrade the timestamp as more data is known
01:19 < petertodd> gmaxwell: one interesting idea is to put support for it into keyservers
01:20 < gmaxwell> I'd think the thing to do would be just for one of us to run it for the whole world.
01:20 < gmaxwell> just being able to get evidence that a key is as old as it claims to be is very useful once old is somewhat-old.
01:20 < gmaxwell> you might even intentionally delay publishing new timestamps since they're not useful when they're very new.
01:21 < petertodd> well, speaking of, a 1 second MMR timestamp chain is very useful there, so that timestamps *can* be made immediately
01:21 < petertodd> the problem is you want that chain to be a: reliable, and b: spam resistant, and c: still useful even if some big attacker wants to shut it down
01:30 < jgarzik> phantomcircuit, in general, relying on any generalization is unwise ;p
01:30 < phantomcircuit> jgarzik, heh
01:30 < jgarzik> phantomcircuit, the bottom line is always "know your hardware", but sadly many users fail that ;p
01:30 < phantomcircuit> jgarzik, fucking hdds do tons of random stupid shit
01:30 < jgarzik> know your hardware, and tune your software to match, I mean.
01:30 < phantomcircuit> hurr durr flying writes
01:31 < jgarzik> phantomcircuit, I think it's more the software on top in this era
22:40 < petertodd> amiller: Yeah, the meta-protocol/constitution really is then "what is the protocol for convincing other people to use my protocol/continue to use it"?
22:41 < petertodd> gmaxwell: Right, but remember I'm assuming no explicit transaction rate limits, so at some point something goes to infinity.
22:41 < petertodd> gmaxwell: Which means at some point one of the low value chains isn't secure.
22:42 < petertodd> amiller: As for incentives, I think any of these systems *must* work even if all participants are only short-term rational, and should work even if what the participants' goals are varies hugely.
22:42 < petertodd> amiller: for instance we must be able to deal with data-spam with technical, rather than sociological measures
22:42 < amiller> we don't yet have a satisfactory explanation for the circular value argument of currency tokens as money
22:43 < amiller> the appeal of the commodity value money is that it starts somewhere
22:43 < amiller> here the simplest explanation is you can use the money to pay tx fees
22:43 < petertodd> amiller: sure we do, Rai stones are heavy!
22:43 < amiller> that just shows that there's a social demand/benefit for some mechanism of exchange
22:43 < amiller> it doesn't actually help you design an optimal system
22:44 < amiller> we're still making models of gold at this point
22:44 < petertodd> amiller: I think the more interesting question is what happens as tx fees rise/how much are people willing to pay for security?
22:44 < amiller> they're valuable because you can bribe miners with them and you can bribe miners with them because they're valuable
22:45 < amiller> yeah there's that whole paying-for-system-security-is-everyone-else's-problem
22:45 < petertodd> proof-of-work is ugly because the total cost of the work needs to be some small % of the total value of the system, but in Bitcoin that means destroying it costs a small % of the total value of the system... systems incorporating proof-of-stake could in theory be better, requiring up to the total value of the system to destroy, but it's unclear how to actually build them
22:45 < amiller> yeah i agree with that
22:45 < gmaxwell> #include <unworkability_of_pos.h>
22:46 < petertodd> gmaxwell: I'm actually thinking that proof-of-stake can be used in conjunction with proof-of-work, especially if you have a jam-free network available
22:46 < amiller> my intuition is that there's a great theorem in here somewhere that you *have* to burn something of *objective* value, i.e., computational energy, in order to defend against an anonymous attacker
22:47 < gmaxwell> amiller: I agree.
22:47 < petertodd> gmaxwell: *relatively high bandwidth jam-free network
22:47 < amiller> if you have a proof of stake then it's a guarantee that there's a trusted party lurking somewhere
22:47 < gmaxwell> petertodd: yes, also, make me god of the universe and all this can work too... lots of things are easy when you can just pick preconditions. :)
22:47 < petertodd> amiller: Yes, but can we devise a system where you burn computational energy from the past, or *must* it be computational energy you burn *now*?
22:48 < amiller> i think it can't be from the past i think it has to be a present decision where you have the option of not burning it but benefiting it
22:48 < petertodd> amiller: Because if it can be computational energy you burn in the past, you can defeat 51% attackers by sacrificing your own coins in opposition.
22:48 < gmaxwell> petertodd: only if you have a perfect system for accounting for stored value, which we don't have as we're trying to build one.
22:48 < petertodd> amiller: IE replace-by-fee scorched earth applied to whole blockchains
22:48 < amiller> yeah you can sacrifice your own current coins by buying hashpower now
22:48 < gmaxwell> and yea, that works too.
22:49 < gmaxwell> thus checkpoints-in-txn-that-gate-fees.
22:49 < petertodd> gmaxwell: Yes, the chicken-and-egg problem is ugly but... with an infinite bandwidth jam-free network it certainly could be done, as you'd always know what coins got sacrificed by the defenders.
22:49 < petertodd> amiller: yes, but that's slow
22:49 < amiller> no it isn't?
22:49 < amiller> it's immediate
22:49 < gmaxwell> petertodd: Also works if you first convert me into a computer program, then convert all mass in the solar system for me to run on, and then upload everyone else into me. I promise. It'll be great.
22:49 < petertodd> amiller: It'd take at least a month or two to defend bitcoin from a 51% attacker by buying hashing power - factories have leadtimes.
22:50 < amiller> you don't defend against a 51% attacker, you prevent a 51% attacker from existing
22:50 < gmaxwell> petertodd: transaction fees with checkpoint-in-txn are buying hashing power instantly. people constantly buying hashing power to get mined is the protection.
22:50 < gmaxwell> what amiller said.
22:51 < amiller> since you don't control the attacker, you have to go fundraising and bulk up the size of the network
22:51 < amiller> by offering free candy and big prizes for participants
22:51 < petertodd> amiller: 51% attackers come in a few types: those who have the majority of hashing power capacity, those who can temporarily obtain more, and those who have enough to rewrite the whole chain.
22:51 < gmaxwell> I wish pos would work, but like amiller I suspect that its deeply impossible. Sure you can make it work if you have jamfree communication between all parties. I don't think thats possible, however... because it would have to be infinite bandwidth.
22:52 < petertodd> amiller: We're best off if we can reduce the pow effort to the point where someone launches a 51% attack, they get stopped, and then the community responds by buying more physical hashing power.
22:52 < petertodd> amiller: Right now on the other hand we're flying blind and have no idea if we have enough - we're just hoping to god that an attack doesn't happen.
22:52 < amiller> you never have an idea if you have enough
22:52 < amiller> how much money should we spend on defense against aliens
22:52 < gmaxwell> ^ I certainly agree with that concern. We have no way to set the price, security is a lemon market.
22:52 < amiller> or on the military generally
22:53 < petertodd> amiller: Yes, and that's really inefficient! You want an attack to not be an end-the-world scenario, that is, you should be able to burn value to temporarily stop it.
22:53 < gmaxwell> worse, a viable strategy for an attacker is to try to convince you that you don't need so much security.
22:53 < petertodd> gmaxwell: that too
22:53 < amiller> any money spent on military that's successful as a deterrent appears as a waste because the attacker didn't show up
22:54 < petertodd> There's probably nothing we can really do (fully decentralized) that can stop a "rewrite the whole chain" attacker, but against the "has the majority of hashing power" and "temporarily rents a majority" we can probably succeed.
22:54 < gmaxwell> petertodd: so interesting. lets say you have a relatively jam free network. A bad chain shows up. You issue transactions that burn all your coin, checkpointed so they can only exist in the bad chain. How do nodes know when they've seen enough of that to start ignoring that chain?
22:55 < petertodd> gmaxwell: Basically if burned coins == pow mined coins, the chain with the burned coins is considered to be the longest and wins.
22:55 < amiller> temporarily rents an infinite hashpower is fine as long as it's temporary
22:55 < amiller> you can only rewind so many blocks then everything goes on as usual
22:55 < amiller> "has the majority of the hash power forever" is not an attack worth defending against!
22:56 < amiller> figure out the size of your attacker's military and then build 1+ more than that!
22:56 < petertodd> gmaxwell: Note how this doesn't suffer as much from the direct "nothing at stake" aspect of proof-of-stake, because you're not directly gaining from the sacrifice.
22:57 < amiller> if you want to cut costs by being optimistic that your attackers aren't going to be so powerful then great
22:57 < petertodd> amiller: if P= and t=0 then we're safe, maybe :P
22:57 < amiller> lets just hope no one can afford 6 blocks, since that's what all the gold sells for (i think)
22:57 < petertodd> amiller: Yeah, as I say, so long as finding out we're wrong is something that can be fixed before the value of the coin plummets sufficiently that the whole system collapses we're good.
22:58 < amiller> sure just give the attacker what he wants
22:58 < gmaxwell> amiller: nah, the gold will notice a reversal dozens of blocks later, as I believe they check preshipment.
22:58 < amiller> then 24 hours or w/e?
22:58 < gmaxwell> amiller: but within 24 hours you'll hear that shit is busted.
22:59 < gmaxwell> and manually halt shipments.
22:59 < petertodd> amiller: well, that's an interesting thing, because the reversal attack can be handled with replace-by-fee scorched earth: wallets don't want the chain to go backwards, so they can respond by saying "well, if we have this chain, I'm happy to burn the money I received to increase the apparent work done by the "valid" chain"
22:59 < gmaxwell> petertodd: keep in mind the threat of people shorting the assets.
22:59 < petertodd> gmaxwell: yeah, lots of second order effects
22:59 < amiller> petertodd, if everyone burns 10% of their income
22:59 < amiller> petertodd, then no one has lost anything
22:59 < amiller> this doesn't work with fiat money
23:00 < amiller> (by fiat money i mean bitcoin, money not a commodity, the whole fiat=state thing is a misnomer, but sorry)
23:00 < gmaxwell> presumably only those fucked by the fork would burn money.
23:00 < petertodd> gmaxwell: I suspect in reality we'll never get a system that won't result in a few hours to days of chaos, but societies recover from that kind of thing all the time.
23:00 < amiller> petertodd, what you're saying is you want a cheap defense
16:59 < jgarzik> Then, the IRC bot would just ask for the user's identity token, verify that via ECDSA message, and proceed to add a new user to the bot-bank (or permit that user to access their existing account)
16:59 < jgarzik> i.e. makes identity separate from the service itself
17:00 < jgarzik> separate from the fidelity bonded banks itself, but an IMO necessary component
17:00 < jgarzik> anyway, should be straightforward, just wondered if anybody had done this before
17:02 < petertodd> Ah, cool, yeah seems reasonable.
17:05 < petertodd> jgarzik: Was my stuff on fees useful?
17:06 <@gmaxwell> jgarzik: make sure you familiarize yourself with what mozilla persona is doing wrt email bounded network identity.
17:08 < jgarzik> gmaxwell: will check it out
17:09 < jgarzik> petertodd: Basically, I was considering burning money as public proof that you "made an effort" to create this network identity
17:09 < jgarzik> and as such, those transactions might be fee-only sometimes, if there is no change
17:09 < petertodd> jgarzik: Right, sounds like fidelity bonds exactly.
17:09 < petertodd> fee-only sometimes?
17:10 < jgarzik> petertodd: if the proof (to be paid as fee) is 0.01 BTC, and you have only a 0.01 BTC coin, then (in theory) you have 1 input, 0 outputs
17:10 < jgarzik> but that is not permitted, and zero-value outputs are non-standard.
17:10 <@gmaxwell> jgarzik: I don't think a zero output txn is valid.
17:10 < jgarzik> gmaxwell: hence "that is not permitted"
17:11 < jgarzik> gmaxwell: and "(in theory)"
17:11 < jgarzik> Thus, what I want is not permitted, and a workaround must be found
17:11 < petertodd> So why not add a second input to the transaction?
17:12 < jgarzik> petertodd: it needs an output, not an input
17:12 <@gmaxwell> So, lets permit txn that have a single output, which is zero value, and the output is OP_RETURN (or whatever we want the prunable type to be)
17:12 < jgarzik> gmaxwell: that would work
17:12 < petertodd> jgarzik: The second input to get more funds, so the output is not zero valued.
17:12 <@gmaxwell> basically a UTXO cleaning transaction.
17:12 < petertodd> Or is the output supposed to not be spent or something?
17:13 < jgarzik> petertodd: the purpose -- burn money -- is all I need
17:13 < jgarzik> petertodd: therefore, no outputs are needed
17:13 <@gmaxwell> petertodd: the problem is that if you can have other outputs means that I can't tell you sacrifice from a regular txn fee.
17:13 <@gmaxwell> s/you/your/
17:13 < petertodd> Yeah, and fees in general can be gamed by miners anyway, you really need a publish-wait-confirm sequence.
17:14 < petertodd> Why not just use the fidelity bond protocol directly?
17:14 < jgarzik> still have to digest it, and see if it fits the irc-bot use case
17:14 < jgarzik> I also think a cross-service network identity would be useful
17:15 < petertodd> Well, for the identity case, it's basically proving in a very robust way the fees attached to some hash, so I think it should be fine.
17:15 < petertodd> And if fidelity bonds become a thing, you'll be able to buy them easily enough, and securely, with a tx signed by multiple parties.
17:15 < jgarzik> basically attaching a cost to creating a network identity (though obviously a more centralized service might just charge a fee)
17:15 < petertodd> Well, you know I really think fidelity bonds solves that one very well.
17:16 < jgarzik> your writeup is open in my browser ;p
17:16 < petertodd> Best case possible is you need three tx proofs, proof of publish, proof of txin, and proof of the txout sacrificing the fees.
17:22 < jgarzik> It might also help to describe the use case I was thinking about
17:22 < jgarzik> I obtain a network identity U12345678 (and can pay for any number of network identities)
17:23 < jgarzik> U12345678 messages the Foo Bank Network, which maintains a provable, shared ledger of accounts
17:23 < jgarzik> messages are signed with keys associated with U12345678 network identity
17:24 < jgarzik> messages are "open account, withdraw, deposit" etc.
17:24 < jgarzik> Foo Bank Network might be one entity, but hopefully it is multiple entities
17:24 < petertodd> Right
17:24 < jgarzik> off-chain transactions are then possible, everything is digitally signed and secured, and not 100% centralized
17:24 < petertodd> So why do you need to make the client's identity expensive to get?
17:25 < jgarzik> because identity is decoupled
17:25 < petertodd> from what?
17:26 < jgarzik> so you don't need a new login for each service
17:27 < petertodd> Sure, but again, why does the identity have to be expensive?
17:27 < petertodd> (if it's just for banking)
17:37 < HM> I think I prefer Schnorr signatures to DSA
17:37 < jgarzik> I want a semi-decentralized database for the identities, so there needs to be some cost for creating 1,000,000 identities
17:38 < petertodd> Ah, yeah that's totally reasonable
17:38 < jgarzik> another part in this is a layer where you may message easily between two network identities
17:38 < jgarzik> a _little bit_ like bitmessage
17:38 < petertodd> Do you want an identity to essentially give you the right to message a given amount of traffic per day, or what?
17:38 < jgarzik> the identities have some permanence
17:39 < jgarzik> petertodd: at the moment, just "the right to message" is sufficient, but that needs more thinking
17:39 < jgarzik> anyway, gotta tour some real estate, bbiah
17:39 < petertodd> Have fun, say hi to the kid for me. :)
18:21 < HM> actually I don't think you can do public key recovery on Schnorr signatures
18:25 < HM> In DSA you rely on the fact that 'r' can be used to determine kG (to within a few possibilities)
18:25 < HM> under Schnorr you lose r in a hash function
18:27 < HM> it's also cheaper to compute
18:28 < HM> (by one bigint division)
19:03 < HM> bollocks i was right the first time
19:03 < HM> you can recover public keys
19:04 < HM> wait, i have to make my mind up on this for good
19:06 < HM> nope, i was definitely right the 2nd time
19:08 <@sipa> i don't see how you could do key recovery with Schnorr signatures
19:08 < HM> thank you
19:08 < HM> lol
19:08 < HM> what I did was arrange for validation assuming you knew the public key
19:08 < HM> then sub back in the result and arrange for that public key :|
19:10 < HM> twice
19:10 < HM> basic algebra beat me twice
19:12 < HM> ah well, i've done it now. You can arrange for sG in both DSA and Schnorr and show you need to solve the DLP to fake a signature
21:44 < jgarzik> petertodd: MerkleBitcoinTx uses block number rather than block hash. why?
22:00 < petertodd> jgarzik: The blockchain is linear, so the block hash doesn't let you prove anything.
22:00 < petertodd> jgarzik: Granted, if it wasn't linear, like some sort of merkle skiplist or merkle mountain range, then a hash would make more sense.
22:01 < petertodd> jgarzik: Maybe just a premature optimization... submit a pull req, lol.
22:09 < jgarzik> petertodd: <shrug> maybe just being pedantic. the text said 'just like CMerkleTx', which is slightly incorrect
22:09 < petertodd> Hey, it's a spec, be pedantic.
22:10 < petertodd> Where did I go wrong?
22:10 < jgarzik> petertodd: "This is the same data that the CMerkleTx class contains"
22:11 < jgarzik> petertodd: CMerkleTx includes block hash not block index
22:11 < petertodd> Yup, you're right, I'll fix it.
22:15 < petertodd> alright, I'll push to the server when I'm back from work and have access to my gpg keys...
22:18 < jgarzik> petertodd: any demo code?
22:19 < petertodd> Not yet sorry; I wanted to add unit tests and better ways to create transactions to pynode, and got distracted...
22:20 < petertodd> BTW: re: cython, I found a compiler bug in it, which kinda scared me off for now...
22:30 * jgarzik ponders. N bots, cooperating but separate, independent entities (such as managing my identity service). Service must accept bitcoins from users, and therefore, any one of N bots must be able to generate a "you are authenticated; send X bitcoins to address 1YYY..."
22:31 < jgarzik> Can such a botnet survive a cheater?
22:31 * jgarzik tries to think of ways to centrally generate and share bitcoin addresses
22:31 < jgarzik> and prove a bot is cheating in short order
22:33 < jgarzik> on the other end, need to share service fees to each bot, dividing up service revenue without cheating
22:47 < nanotube> as to using irc bots as money keepers... keep in mind that you also have to trust the irc server operators (and irc server security, and bot security, but these two are obvious)
22:48 < nanotube> an irc oper can send and/or modify and/or block any messages coming through.
23:04 < jgarzik> nod
23:05 < weex> those deterministic wallets should work, the one where you have a public seed and private seed
23:09 < weex> or you just have the head bot sign each address
23:10 < jgarzik> need N-of-M security
23:10 < weex> like shamir's secret sharing?
23:10 < jgarzik> head bot == centralization, not distributed consensus
23:10 < weex> http://en.wikipedia.org/wiki/Secure_multi-party_computation
23:11 < weex> i want to watch this tech talk on it again sometime http://www.youtube.com/watch?v=LRAN_w1_qmw
23:20 < jgarzik> ok, more generally
23:20 < jgarzik> you have The Fund
23:21 < jgarzik> (a pool of bitcoins)
23:21 < jgarzik> You must generate new bitcoin addresses, to hand out to end users, from The Fund
23:21 < jgarzik> and The Fund must pay out according to pre-described rules
23:22 < jgarzik> The Fund is managed collectively by N parties, cross-checking each other.
23:22 < jgarzik> Can cheating by 1 party be prevented, in either of the two tasks (obtain new btc addr for customers, pay out to investors)
23:24 < jgarzik> One could hand out MITM BTC addrs, but that would be noticed as cheating when the party wanted to claim a payment has entered The Fund
23:25 < jgarzik> But creating the BTC addrs themselves... you still have the problem of private key distribution (or seed)
16:38 <@petertodd> That's really useful actually: means you can provide constantly updating refund scripts, that check for some given state of the txout set of something.
16:39 <@petertodd> Without having to screw with on-chain state.
16:40 <@petertodd> So, my bonded bank could say "Here's the script you need to run to get your coins back, but it's only good as long as the refund txouts I'm going to fund it for exist, but I can give you another one later."
16:40 < BlueMatt> but if you can specify any script that is signed, how is it different from just requiring the signature?
16:40 < BlueMatt> because you could otherwise just specify a OP_TRUE script that is signed
16:40 <@BlueMatt> its interesting in that you could give a 3rd party a signed script then they could spend that
16:41 <@petertodd> Because the script itself can check for constantly changing conditions so it can invalidate itself in the future.
16:41 <@petertodd> I was thinking of a crappy version of this with transactions that depended on special txouts; spend the txout and the transaction is now invalid.
16:41 <@BlueMatt> but in that case, why not just send the coins to them?
16:42 <@petertodd> Because it's for refunds. You want the general case to be done off-chain, with on-chain possible.
16:43 <@petertodd> Basically the bank would control the state of the refund scripts with a single special txout, and then spend it or whatever to invalidate a whole swath of refunds pending in one go.
16:43 <@petertodd> (I'm assuming something like a ISTXOUTUNSPENT opcode)
16:43 <@petertodd> (which has other implications...)
16:43 <@gmaxwell> yea, yuck. :P
16:43 <@petertodd> Hey, give me more than 30 seconds to come up with a use-case... :P
16:44 * BlueMatt isnt sure of all the stuff we are building this on, but I was assuming the standard scripts-only-access-themselves stuff we use now
16:44 <@BlueMatt> maybe I should read scrollback longer....
16:44 <@petertodd> It is important to keep in mind what Satoshi said ages ago about always allowing transactions to get reorged and accepted into the chain later though.
16:44 <@petertodd> BlueMatt: no, we're getting way more wizard than that.
16:45 <@BlueMatt> thought so...Ill shut up now
16:45 <@petertodd> Nah, just smoke some of this and you'll be good.
16:45 <@BlueMatt> heh, ok
16:45 <@gmaxwell> BlueMatt: well mostly I created this channel for the rocket science which is two steps removed from current Bitcoin. So what bitcoin currently does is only slightly relevant except to the extent that there is a good reason for it to be done that way.
16:46 <@petertodd> Basically we're gonna create SCAMCOIN and stuff all our dreams into it.
16:46 <@BlueMatt> ok, ok
16:46 <@gmaxwell> I find this stuff important and interesting, but sometimes this discussion floods bitcoin-dev, and I'm concerned that people who are only interested in bitcoin shouldn't get denied access to monitor #bitcoin-dev due to the flood of cryptocoin dreaming.
16:47 <@BlueMatt> thats fair
16:47 <@petertodd> Like, I've contributed maybe 5 lines of code to Bitcoin proper, and 10k lines of dreaming to bitcoin-dev
16:47 <@gmaxwell> plus some of the ideas that the crazy stuff results in are directly applicable to the current system, and we can then bring those back from the mountain tops as required.
16:48 <@petertodd> Lots of this stuff can be done as a soft-fork...
16:49 <@gmaxwell> 'can'... well. Kinda. You can change the script system as a soft fork, but if your change results in 100kb scriptsigs ... thats not a softfork.
16:49 <@gmaxwell> that's not even really 'just' a hardfork, it requires changing the security model.
16:49 <@BlueMatt> anyway...back to the point, if we are accessing outside state, being able to provide signed scripts would be interesting..."either spend this within the timeframe to get out of X, or dont and then you are locked"...assuming signed data can enforce a spend time limit
16:50 <@petertodd> Oh, reminds me, if we define a CHECK_SCRIPT_VERSION type opcode, to be used with new stuff in if endif blocks, we can really change anything but the else if, endif, "invalid even in a block" and finally data encoding opcodes.
16:50 <@BlueMatt> though thats probably not pie-in-the-sky enough...
16:50 <@petertodd> Basically, we're not gonna run out of opcodes.
16:51 <@gmaxwell> BlueMatt: maxtimes create some weird incentives, though I wish I knew the full reasons satoshi didn't want them.
16:51 <@petertodd> gmaxwell: Absolutely, 10k limit on scripts for these dreams...
16:51 <@petertodd> maxtimes?
16:51 <@petertodd> oh, right
16:51 <@BlueMatt> gmaxwell: yea, breaks reorgs sometimes, but I dunno, get the time spent signed by oracle
16:51 <@petertodd> See, my understanding is Satoshi mainly was against the reorg breaking problem.
16:51 <@BlueMatt> s/by oracle/by an oracle/
16:52 <@petertodd> I dunno, I gotta agree with him there.
16:52 <@BlueMatt> (hopefully oracle isnt your oracle......)
16:52 <@petertodd> You could wind up invalidating everything, on the other hand, tx malleability also breaks reorgs...
16:52 * petertodd wonders if satoshi realized tx's were malleable from the beginning
16:53 <@BlueMatt> I dont think that was on purpose, if he did
16:53 <@sipa> i don't think he realized the problems with malleability
16:53 <@gmaxwell> I don't know, he must have known that you could stuff in extra opcode.. I doubt he knew the signatures themselves were malleable.
16:53 <@sipa> he also didn't consider hardforks to be a problem :)
16:53 <@gmaxwell> they would have been less of a problem two years ago.
16:53 <@BlueMatt> to be fair, early in bitcoin's life they werent
16:54 <@gmaxwell> Right.
16:54 <@sipa> indeed
16:54 <@petertodd> He did have the mindset of "one true client" is my understanding.
16:54 <@gmaxwell> That makes hardforks less bad.
16:54 <@sipa> one true full client, at least
16:54 <@petertodd> He wasn't the one who added RPC right?
16:54 * BlueMatt 's head spins with the amount of cross-client cooperation that would be required for a hardfork now
16:55 <@gmaxwell> BlueMatt: Dunno, the software that is actually maintained is not that long a list. :(
16:55 <@BlueMatt> gmaxwell: even still...
16:55 <@BlueMatt> and its getting better quite quick, too
16:55 <@sipa> bitcoind, bitcoinj
16:55 <@BlueMatt> jgarzik's stuff
16:55 <@sipa> anything else?
16:55 <@sipa> bitsofproof maybe
16:55 <@BlueMatt> not used, but at least maintained
16:56 <@gmaxwell> bitcoind, bitcoinj is all I'm aware of that I believe is complete and maintained right now.
16:56 <@petertodd> jgarzik's stuff has broken scripting too - various really major bugs
16:56 <@sipa> libbitcoin may be still alive
16:56 <@petertodd> (which I need to fix...)
16:56 <@sipa> libcoin too
16:56 <@gmaxwell> bitsofproof, cbitcoin, jeff are incomplete but maintained. then libbitcoin, libcoin, bitcoinjs are complete and unmaintained
16:57 <@BlueMatt> oh, random question, how do people feel about implementing upgradability in bitcoinj so that spv clients can seamlessly upgrade to full nodes?
16:57 <@gmaxwell> and purecoin, pybitcoin is incomplete and unmaintained,
16:57 <@petertodd> Even non-mining full nodes scare me
16:57 <@petertodd> Until there are multiple network implementations, propagation bugs can effectively cause forks
16:58 <@gmaxwell> BlueMatt: sounds good? One thing I'd like to see happen with the validation support in bitcoinj is badness proof support. There are three main kinds I'd like to see, and two are possible today.
16:59 <@petertodd> https://github.com/mb300sd/Bitcoin-Tool/ <- this is new too
16:59 <@BlueMatt> gmaxwell: elaborate?
17:00 <@BlueMatt> actually, bbl
17:00 <@gmaxwell> e.g. you're a regular spv node, someone then gives you a message that says <block XXX is bad, here is a transaction and a fragment, run your script checker and you'll see>
17:00 <@petertodd> https://github.com/mb300sd/Bitcoin-Tool/blob/master/Bitcoin%20Tool/Scripts/Script.cs <- C# script implementation
17:00 <@BlueMatt> Ill read scrollback
17:01 <@gmaxwell> BlueMatt: so then you check the fragment and verify the transaction is in the block .. then run your script checker... and the script fails validation. Then you broadcast the message to all your peers, and add that block to a blacklist that makes you forever reject it.
17:01 <@gmaxwell> The three kinds of proof that I think are most interesting: Proof that a script doesn't validate, proof that the blocks contain a double spend (just two fragments, the later and earlier spends), and proof that the coinbase took too much subsidy.
17:02 <@gmaxwell> The last can't be done without a protocol change, preferably a hardfork. :(
17:02 <@gmaxwell> but it's really easy with a hardfork.
17:04 <@gmaxwell> In any case, the point of all this is: (1) in a world where most people run SPV nodes, if we have this then even a full honest full nodes would provide strong protection. (2) it would allow reduced nodes to participate in validation some. e.g. check 1% of signatures.
17:07 <@petertodd> "Proof that a script doesn't validate" <- any script proposal that allows for queries of any type needs to take the requirements of SPV proof for those queries into account very carefully.
17:07 <@petertodd> For instance, "Does UTXO exist? (but we're not spending it)" requires the UTXO set proofs.
17:08 <@petertodd> Ugly
17:10 <@petertodd> Easy to force really large proofs too...
17:14 <@amiller> i don't see what you mean easy to force large proofs
17:17 <@petertodd> Consider the scriptPubKey: "UTXO_EXISTS <DIGEST>", 33 bytes, yet each proof for each digest will be hundreds of bytes long, if not even more
17:17 <@petertodd> It's a big multiplier
17:17 <@petertodd> (even worse if the proof has to include the whole script...)
17:17 <@petertodd> (er, I mean transaction)
17:18 <@petertodd> like UTXO exists and it has some given output
17:18 <@amiller> gmaxwell, chanserv op add me so i can massage the channel topic?
11:29 < adam3us> luke-jr: but one sided properties are commonly in the users interests, because the merchant commonly has more power
11:29 < adam3us> luke-jr: eg payer anonymous ecash is more popular than payee anonymous (or double anonymous) its something analogous
11:30 < HM2> hmmm
11:30 < adam3us> luke-jr: the merchant should not be able to go rogue and out everyone's ebook purchases or get hacked for the same info
11:30 < Luke-Jr> huh? I've never seen a person<->company contract that's in the person's favour
11:30 < adam3us> luke-jr: and thats a good thing?
11:30 < Luke-Jr> no, but I don't think reversing it is the solution :p
11:31 < adam3us> luke-jr: my point is it is in the users interests to have a chameleon hash signature
11:31 < adam3us> luke-jr: i dont think the merchant loses anything, he's receiving irrevocable bitcoin ecash
11:31 < Luke-Jr> I suppose in this case
11:31 < adam3us> luke-jr: its obvious he got his part of the contract
11:31 < HM2> Why not just take a hash of the contract and sign it. If Bob screws you you can show the world the contract and signature.
11:32 < HM2> err get Bob to sign it rather
11:32 < Luke-Jr> but it wouldn't make sense for long-term contracts
11:32 < adam3us> hm2: thats not a bad idea
11:32 < HM2> if Bob can't prove that there ever was a specific contract, what's the point in getting Alice to sign anything?
11:33 < adam3us> hm2: an interesting question.. maybe gmaxwell's argument is unravelling!
11:34 < adam3us> hm2: absent ecash component youd think bob needs to have an authenticated order or someone could tamper with it or change it
11:34 < HM2> I mean, you're basically after a 3rd party/publicly verifiable signature only when you know 1) the people involved, 2) and the hash of the terms. That just sounds like vanilla Schnorr signature to me.
11:34 < adam3us> hm2: but that could be more easily done, eg encrypt and MAC the message consisting of the order, and the bitcoin payment
11:35 < adam3us> hm2: and send it to bob, job done, no chameleon hash in sight
11:35 < adam3us> hm2: (and upfront demand bob sign the order details as a condition of paying him)
11:36 < adam3us> hm2: well you're also trying to prevent bob proving to third parties what his customers bought for their privacy
11:37 < adam3us> hm2: but it seems unnecessary per above to use a chameleon hash, like you said get bob to sign it, then use integrity protection and encryption to prevent order tampering
11:37 < adam3us> hm2: i suppose that doesnt bind the contract to the receipt of the payment
11:37 < HM2> If Bob can't prove that Alice signed an order to someone else, what's to stop someone impersonating Alice and making orders?
11:38 < HM2> Alice can easily prove she did sign something, but how can you prove you didn't if Bob claims she did?
11:38 < adam3us> hm2: well on top of that alice is paying bob binding the hash to bobs payment address
11:39 < adam3us> hm2: alice is not revealing her identity
11:39 < HM2> I'm not following it at all
11:39 < adam3us> hm2: she is just binding a payment to a contract pseudonymously, so she could prove afterwards that she made this payment, and bob knew the contract terms
11:41 < adam3us> hm2: i mean its like ebay a bit alice pays bob for the ebook, he doesnt deliver or the connection mysteriously 'fails" she gets annoyed and posts at least evidence that she paid for the book, and that bob accepted the money so also saw the order details and accepted them by taking her money
11:42 < HM2> ok
11:42 < HM2> I think I'm with you now
11:43 < adam3us> hm2: i think if we did it the other simpler way, where bob signs the order, bob could deny all knowledge
11:43 < HM2> If a seller has a private key 's', and you have some contract c = Hash(terms). the buyer can pay to c*sG
11:43 < HM2> the buyer then has to know c*s to claim the funds
11:43 < adam3us> hm2: eg no alice owed me $2 personally that payment is unrelated to this disputed ebook as the two are not bound together
11:44 < HM2> at any point the seller can publish "terms", c, and sG and prove it
11:44 < HM2> why the complexity?
11:44 < HM2> i got buyer and seller around the wrong way, but still
11:45 < adam3us> hm2: i think you need to bind the things together so bob cant start to tell tall stories about how the payment he did receive (he cant deny as the payment is public) was for something else
11:45 < HM2> how could he?
11:46 < adam3us> hm2: well if there was no chameleon hash sig, just a normal sig from bob on the contract, bob could say "yes, and she never paid for it", and "oh that payment was for something else, i lent her money the other day"
11:46 < HM2> I guess it becomes public that Alice sends a payment to c*sG so privacy is lost
11:47 < adam3us> hm2: no that can be ok eg c is H(r=random, contract)
11:47 < adam3us> hm2: without either party disclosing r thats indecipherable
11:47 < HM2> but both parties need to know r
11:47 < adam3us> hm2: yes thats where the risk comes because then bob could disclose it and alice doesnt trust him
11:47 < HM2> the contract is really decided by the seller and accepted by the buyer
11:48 < adam3us> hm2: so with the chameleon hash bob can change c after the fact
11:48 < HM2> hmm
11:48 < adam3us> hm2: c is fixed but he can find new r' and contract' that still add up to c because he has the private key so its not very convincing when he says look this payment was for ebook1
11:48 < adam3us> hm2: and then alice says no thats a lie it was for ebook2
11:49 < HM2> right
11:49 < adam3us> hm2: and as everyone presumes alice doesnt have bobs private key, they presume bob is lying
11:49 < adam3us> hm2: so it seems that it does hang together though its a bit complicated!
11:50 < adam3us> hm2: and if you find another way to do it that has the same properties u probably have invented yet another chameleon hash - apparently there are multiple mechanisms
11:52 < HM2> I'm not convinced
11:54 < HM2> If one party can say "no this transaction wasn't for X, it was <insert anything>!" then they lose the ability to prove it was for any specific thing and the other party can screw them by sending them something else
11:54 < HM2> the burden of proof is then on the sending party to prove they sent the right thing
11:55 < HM2> but if they refuse to do so there's basically no come back
11:55 < HM2> if they screw say 1% of people nobody will find it suspicious
11:55 < HM2> they'll just think the party that can't prove the specific contract terms is the shifty one
11:56 < HM2> even though that may not be the case
11:57 < HM2> surely it's just easier if both parties remain pseudo-anonymous to one another and all contracts are verifiable by all
11:59 < nanotube> <HM2> I can't remember if it was one of the BC books or Cryptonomicon that had the offshore data haven project <- it was cryptonomicon. :)
12:00 < HM2> it appears there are a lot of Neal Stephenson fans in bitcoin :P
12:01 < HM2> who'dve thunk it
12:02 < nanotube> hehe
12:04 < HM2> talking of contracts
12:04 < HM2> i foolishly sold a TV on ebay the other week and the guy picked it up and paid cash. I gave him a receipt but i never got one from him
12:04 < adam3us> hm2: if only bob can forge contracts, whatever alice says is true
12:04 < HM2> no problems yet but he could potentially screw me
12:05 < adam3us> hm2: because there should not exist two contracts unless bob is playing games
12:06 < HM2> I actually offered to accept bitcoin and he looked at me strangely
12:06 < adam3us> hm2: i mean technically bob could change the contract to something of higher value and alice could then falsely claim that equally plausibly but thats against bobs interests so he probably wont do it
12:09 < adam3us> hm2: "surely it's just easier if both parties remain pseudo-anonymous to one another and all contracts are verifiable by all" yes but unfortunately bitcoin is not payer anonymous
12:10 < adam3us> hm2: otherwise alice could create a new identity for the transaction, as is bitcoin largely links all payments to the true name for anyone who touches an exchange or a physical delivery purchase ever
12:10 < HM2> it is if you establish 2 wallets and don't transfer between them
12:10 < HM2> you just need to figure out a way to create closed loops
12:10 < adam3us> hm2: yes, but where are you going to get the money from
12:10 < HM2> I don't know
12:10 < adam3us> hm2: i agree if you have two pseudonyms that are isolated you can do it
12:10 < sipa> obviously from the bitcoin internal economy
12:10 < sipa> without any exchanges involved
12:11 < sipa> (i'm only half joking)
12:12 < HM2> a blind token system wouldn't be that hard to introduce would it? in a new protocol.
12:12 < HM2> withdraw a coin, deposit it a few days later, it's blind so nobody can connect the 2
12:12 < adam3us> sipa: i'm yet to get paid in bitcoin... but yes for bitcoin to become more self sustaining it could have more internal commerce, and a high enough number of people using it, that its easy to do in person cash in / cash out.. eg if everyone knows someone else in their extended friends family with bitcoin
12:13 < adam3us> sipa: i mean to get past a point where it would run fine even if most exchanges went offline, there is a point past which that can happen i think
12:13 < adam3us> sipa: i wonder how far out... a few years?
12:13 < sipa> adam3us: i have no clue
12:13 < sipa> bitcoin may grow there rapidly, or perhaps it runs into scaling issues before we get remotely close to that
12:13 < adam3us> hm2: the anonymous mixes are a bit restricted by the size of the anonymity set
12:14 < sipa> or some other non-technical issue appears (legal?) that pretty much kills interest in it
12:14 < adam3us> hm2: you're only as anonymous as the number of other users minus nsa plant traffic
12:14 < HM2> well that goes for current pseudoanonymity as well
12:15 < adam3us> hm2: one idea is to run zerocoin as an alt-coin... nothing but zerocoins
12:15 < HM2> zerocoin is too far outside my knowledge range
04:54 < gmaxwell> I'm pretty sure I know how to boost such a proof to arbitrary soundness using an error correcting code... but the POW might end up being rather large (tens of kb) for 128 bit security.
04:54 < petertodd> gmaxwell: Yeah, I came up with that idea myself, and as far as I could tell you get into a situation where "fraud" in the NI proof is what allows you to parallelize the problem.
04:55 < petertodd> gmaxwell: I don't know anything about error correction though.
04:55 < petertodd> sipa: Yes! Like my example of a consensus currency system where you just write transactions down on post-it-notes and hope everyone is honest...
04:55 < gmaxwell> petertodd: yes, thats always the problem you get unless you have a local test of the proof with probability of detecting fraud of at least p=0.5, once you have that you can boost up to make fraud simply infeasible.
04:56 < petertodd> gmaxwell: So how do these error correcting codes work?
05:00 < gmaxwell> petertodd: by expanding the state with additional binary relations e.g. parity checks which also must be true if the data is valid (it's easy to see how you can do that for a simple greater than or equality relationship). If you expand enough with the right structure the probability of a random test (e.g. reading out one spot and the other values in the proof it is the parity of) failing can be made 0.5. Once you achieve that, ...
05:00 < gmaxwell> ... fiat-shamirizing a couple dozen of these tests makes fraud infeasible.
05:00 < gmaxwell> easier to explain with a whiteboard.
05:01 < gmaxwell> sipa: the sleep makes me think of http://weknowmemes.com/wp-content/uploads/2011/10/i-am-not-a-clever-man-comic.jpg somehow. "YOU MADE A POW FUNCTION THAT CALLS USLEEP?" "I AM NOT A SKILLED CRYPTOGRAPHER"
05:02 < petertodd> gmaxwell: Hmm... we're getting dangerously close to leaving joe-random in the dust; I'm going to have to do some reading.
05:03 < petertodd> gmaxwell: I take it no-one has even attempted to do a dumbed down explanation of that stuff yet right?
05:04 < gmaxwell> petertodd: I can explain it to you, but there is no dumbed down explanation of it. Worst, most things talking about are talking about building proofs for arbitrary poly-time (or NP) languages.
05:04 < gmaxwell> one for this set of values is a sorted list would be much simpler, like I could reason that one out on a whiteboard without much trouble.
05:05 < petertodd> Yeah, I don't really know what an "arbitrary poly-time language" is :/
05:05 < petertodd> Sorted list sounds more promising. :)
05:11 < gmaxwell> lemme try the short explanation over IRC, here is an example image representing an error correcting code http://www.spiral.net/hardware/graphics/tanner.gif message bits on the bottom, you feed them in and the wires just do xor, giving you those parity bits.
05:12 < gmaxwell> When you use them for communications you do things like take an errored message + parity bits, and construct the most likely message using some efficient decoding algorithm. But thats not relevant for using them in proofs.
05:13 < gmaxwell> if I gave you a message + parity, you could go and check all the edges and tell me easily if it was a non-errored message (and parity), "A valid codeword for the system"
05:14 < gmaxwell> Thats straight forward. Turns out that if you construct a parity check matrix with the right graph structure (and a long enough ratio of parity bits to message bits), that if the codeword is invalid if you just just one or two bits (and their edges) that you'll have a 50% chance of detecting the error.
05:15 < petertodd> huh
05:15 < petertodd> and 50% iterated soon gets to nearly 100%
05:15 < gmaxwell> Right.
05:15 < petertodd> what kind of ratios are we talking about?
05:17 < petertodd> by "their edges" you mean the bits going into the XOR operation right?
05:17 < gmaxwell> yes.
05:17 < petertodd> which looks rather like a merkle tree...
05:17 < gmaxwell> Right, so there are graph transformations that take any existing error correcting code and expand it into the kind with the probabilistically checkable structure. Generically they have quadratic growth, I believe, so they get big but they're regular.
05:17 < petertodd> "regular"?
05:18 < gmaxwell> repeated, e.g. you don't need to go and serialize out the whole thing. it's not a random graph.
05:19 < gmaxwell> so what you do is you write out a little set of boolean circuits to test your constraint and then outputs its truths, e.g. little binary comparators.. And take this is a kind of degenerate error correcting code. E.g. you've got inputs and then a bunch of 'true' outputs. And the constraints are all satisfied if and only if your data is good.
05:19 < gmaxwell> Then you take that graph and pass it through the transformation to one of these probabilistically checkable graphs.
05:19 < gmaxwell> and then construct a merkle tree over it... and use the root of the tree to select your tests.
05:20 < gmaxwell> (because a parity check graph is just a satisfaction problem you can convert any program execution into one of these, but it gets inefficient fast)
05:21 < petertodd> so dumb question time: how do you know the circuits actually tested the constraint you thought they did? (given the partial information youre given)
05:22 < gmaxwell> validator knows the graph, it's fixed for the statement being proven. .. and all the state is under the proof.
05:22 < petertodd> right, because its structure is regular?
05:22 < petertodd> (like a merkle tree would be)
05:23 < gmaxwell> so it gets point 2394892384 and it knows that it should be equal to 12319831 xor 32849284 xor 589583 xor 5837485743 (or whatever), and it gets those too.
05:23 < gmaxwell> right. or at least if you want this to be feasible it better damn be regular. :) The expansion itself is regular, but the whole thing is only regular if the thing you're checking is really trivial.
05:27 < gmaxwell> petertodd: it may help your understanding a bit to know that these are also called holographic proofs. :)
05:27 < petertodd> Hmm... lets try a toy problem, heck, a toy toy problem: So I have a list of bits, and I want to know if they are all zero. I construct my merkle tree over all the bits, and pick random samples. By that p=0.5 thing you said before, I can very quickly determine that at least half the bits are false with overwhelming probability, correct?
05:28 < petertodd> Now, the error correcting code business is basically taking that toy problem, and using binary relations in ways that "spread" out my tests to actually have better coverage than one-test-one-bit.
05:28 < petertodd> Like a hologram where you're checking if the low-resolution fragment looks roughly right...
05:29 < gmaxwell> petertodd: yea, and actually a trivial code should work for that, i think. Repetition. like you virtually repeat your data enough times that you have a 50% chance of hitting any message bit with a single test.
05:30 < petertodd> Huh, so how do you "virtually repeat" the data?
05:31 < gmaxwell> hm. no straight repetition doesn't work (now that I write it out. :P oh duh right)
05:32 < gmaxwell> okay so initially you have p=1/s in finding your bad bit in a single test.
05:32 < gmaxwell> (s is size)
05:33 < petertodd> right
05:38 < gmaxwell> petertodd: so my brain isn't working since I don't remember the transform trick to get high success rates without looking it up :P I can show you how to increase it.
05:39 < petertodd> ha, better than nothing!
05:39 < gmaxwell> petertodd: e.g. take your s bits in your message and create s^2 pairs (all the pairs). Probability of detecting a bad bit in the new data is 2/s instead of 1/s. :)
05:40 < petertodd> create a s-bit tuple and we can make the probability 1!
05:41 < petertodd> though I'll admit that s^2 pairs has less bandwidth to prove :P
05:41 < petertodd> there is something neat about that...
05:41 < gmaxwell> e.g. for s=4 you start off with 1/4 probability. but in the s^2 form you have p=7/16.
05:42 < petertodd> hmm, very close to the p=0.5 threshold
05:45 < petertodd> now, I guess if we can fairly choose our PRNG seed still, we don't need to calculate all s^2 pairs right? like, if we did the merkle tree of, say, just s and then used it to pick pairs
05:52 < gmaxwell> ah dur, for that trivial example:
05:52 < gmaxwell> s=4 {0 1 2 3}
05:52 < gmaxwell> 01 01 02 03
05:52 < gmaxwell> 10 12 12 13
05:52 < gmaxwell> 20 21 23 23
05:52 < gmaxwell> 30 31 32 30
05:52 < gmaxwell> P=0.5
05:53 < petertodd> ?
05:53 < gmaxwell> those are the pairs if you count up the number of each number in the grid, you'll see there are 8 of each, and 16 total pairs.
05:54 < gmaxwell> had to replace the moronic XX diagonal with repeats of the neighbor code.
05:57 < petertodd> So seems to me we could do merkle(s), use that as the PRNG seed, then sample random pairs from s by just picking pairs of (PRNG(i), PRNG(i+1))
06:00 < gmaxwell> totally OT but I have a puzzle that will blow your mind.
06:00 < petertodd> oh yeah?
06:01 < gmaxwell> Say there is a contest. You, sipa and I are each going to be given a hat. The hat will be red or blue, assigned totally at random (by coinflip). We can't see our own hats.
06:02 < gmaxwell> We get sent into a room where we can see each other's hats but we are permitted no communication _at all_. Then we leave the room separately.
06:02 < gmaxwell> Each of us then must write down either Pass or the color of our own hat, Red or Blue.
06:03 < gmaxwell> If at least one of us is correct and none are incorrect (e.g. correct pass pass is fine), then we all win a million dollars.
06:03 < gmaxwell> What is the ideal strategy for us to use, and what are our chances of winning this game?
06:03 < HM2> 2 write down red, 1 writes down blue
06:04 < sipa> can we assume that we all have the same purpose?
06:04 < sipa> (winning)
06:04 < gmaxwell> we all want to win. and We ALL win if at least one of us is correct and none are incorrect.
19:45 <@gmaxwell> I thought I mentioned x could be not on the curve! I think his code actually tests though.
19:47 < adam3us> gmaxwell: ok. just his response to your explaining that was "an invalid nonce means the attacker sends an x that's past p but less than 2^256." which is not the point at all!
19:47 <@gmaxwell> oh I didn't even notice that.
19:47 <@gmaxwell> (that he responded to that point)
19:48 < adam3us> gmaxwell: #11 - is it locked because he did that as the thread starter?
19:50 <@gmaxwell> No. I locked it because it was becoming a totally stupid war. If you'd like to post I can unlock it.
19:50 <@gmaxwell> I've been talking to the guy in PM and woah lots of misconceptions.
19:50 <@gmaxwell> adam3us: do you like my attack?
19:51 < adam3us> gmaxwell: yeah don't worry. it was him creating the flame war.
19:52 <@gmaxwell> Is there any client that has a "message" field that autosubmits the message to bc.i?
19:53 <@gmaxwell> guy in PM is telling me that his desktop client has a "message" field that he thought showed up on bc.i.
19:53 < BlueMatt> probably, but don't know which
19:53 < BlueMatt> probably like the bc.i desktop client
19:53 < BlueMatt> "my browser is my desktop!"
19:55 < adam3us> gmaxwell: your attack, ECIES R=rPQ, k1||k2=KDF(R), send R.x, c=E(k,m), MAC(k2,c); but i take it he used ctr mode for AES for E
19:55 < adam3us> gmaxwell: oops R=rQ rather
19:56 <@gmaxwell> Yup. he used counter mode and a 64 bit MAC.
19:56 <@gmaxwell> (at first I thought he used a 32 bit MAC and I was going to post a demonstration, alas... by random chance it wasn't quite that weak)
19:58 < adam3us> gmaxwell: actually that was also wrong: R=rQ, k1||k2=KDF(R) but send S.x from S=rG, c=E(k,m), MAC(k2,c) .. that's better
20:03 < adam3us> gmaxwell: ok so then you send S.x, c'=0, m=counter, and increase counter until it passes the mac. consequently you get c=p xor E(k1,ctr0) and c'=p' xor E(k1,ctr0) and therefore c xor c' = p xor p'; and you know p' because the oracle told you so p = c xor c' xor p'. qed :) nice
20:09 < adam3us> gmaxwell: btw i presume you are aware of http://eprint.iacr.org/2011/615.pdf because you mentioned the RSA problem, they provide a security argument for shared-key ECIES & ECDSA though unless there is some burning reason to reuse keys like you said that is a generically bad idea
20:09 < adam3us> gmaxwell: (we may even have discussed that paper here... i forget)
20:11 <@gmaxwell> Ah, I didn't recall any argument for shared-key ECIES & ECDSA... I didn't even look for one, because considering the state of security proofs for ECDSA I didn't expect to find any.
20:11 <@gmaxwell> I don't think it's practically insecure of course, but ... I was just pointing it out as a generally good practice.
20:14 < adam3us> gmaxwell: agreed. i would be worried about that argument and any assumptions it makes; sometimes proofs are artificial. it seems inherently dangerous/fragile inviting people to ask you to answer challenges involving the same d as used in ECDSA - we know how fragile ECDSA is already without deterministic DSA! wouldn't take much to push it over the edge, just a single bit here and there
20:16 <@gmaxwell> yea, esp with a small mac potentially allowing you to use a decryption thing as a multiplication oracle of some sort. ... though the hash and AES certainly help.
20:16 <@gmaxwell> the guy is busy arguing with me about address reuse in private message now.
20:17 < BlueMatt> :(
20:17 < BlueMatt> bitcoin.org/bitcoin.pdf
20:17 <@gmaxwell> Already cited.
20:17 < adam3us> gmaxwell: well even just at the asymmetric level. eg say you could get timing from mac failure vs success or something.
20:17 < BlueMatt> iirc there's a section on that...
20:17 <@gmaxwell> Section 10. It's like a keyboard reflex.
20:17 < BlueMatt> heh
20:19 < adam3us> gmaxwell: u know on sci.crypt there was this annoying guy, very young, school kid; some of the regulars clubbed together and sent him some crypto books, evidently he read them and eventually wrote a quite well regarded crypto library and got crypto employment if i recall. http://libtom.org
20:20 <@gmaxwell> Yea, I read sci.crypt religiously throughout the 90s.
20:21 <@gmaxwell> endless "I have made an ultimately secure cipher because none of you can break it!"
20:22 < adam3us> gmaxwell: sometimes noob status + enthusiasm leads somewhere :) altoz tendency to /ignore forum handles not giving criticism in the way he likes might not help his learning curve tho!
20:22 <@gmaxwell> yea, well, I've been responding to the guy. but ouch.
20:23 <@gmaxwell> lots of earnest enthusiasm, but also layered cluelessness. :) He seems to respect me (the fool!) so at least my conversation with him is having forward progress.
20:24 < BlueMatt> hey, I haven't failed out of bitcoin yet (despite repeated efforts), so maybe he can prove useful :p
20:24 < BlueMatt> too
20:26 < adam3us> gmaxwell: the sci.crypt ones i enjoyed most were the new factoring methods :) but yes the "i challenge you to break my new cipher" were endlessly amusing also
20:30 < andytoshi> gmaxwell, adam3us: those factoring posts were still happening as of 3-4 years ago..
20:30 < andytoshi> also thx gmaxwell for posting your break, i'll check it out
20:38 < andytoshi> gmaxwell: on https://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Counter_.28CTR.29 it says
20:38 < andytoshi> By now, CTR mode is widely accepted, and problems resulting from the input function are recognized as a weakness of the underlying block cipher instead of the CTR mode.[18]
20:39 < andytoshi> i read that to suggest that altoz was safe from attacks such as yours
20:39 <@gmaxwell> ha ha
20:39 < andytoshi> which obtain a ciphertext which can just be xor'd with the desired message
20:39 < andytoshi> (not that i would go implementing such a system based on 30 seconds of wikipediaing)
20:40 <@gmaxwell> nah, that's just what counter mode does, turns a nice pretty blockcipher into a stupid stream cipher. :P
20:40 <@gmaxwell> I am personally not a fan of CTR mode. It is widely used and respected, and you can certainly get yourself into trouble with blockcipher modes too.
20:40 < andytoshi> huh, that's what it looked like to me
20:40 < andytoshi> but "one of two block cipher modes recommended by Niels Ferguson and Bruce Schneier" suggested i was being naive
20:40 < adam3us> gmaxwell: i reckon some of nsa's $250m proto sabotage budget went into touting ctr mode... fragile & dangerous
20:40 <@gmaxwell> But this case is a nice example of how CTR mode can contribute to a cryptosystem being brittle.
20:41 < andytoshi> cool, i'll definitely work through your attack to make sure i know what's going on
20:41 < andytoshi> but my next flight is boarding, i gtg for now
20:41 <@gmaxwell> adam3us: okay, I feel better to hear you say that. I _think_ these sorts of things, but I try to not say them. :P
20:41 < adam3us> andytoshi: scroll up i did the math
20:42 < adam3us> gmaxwell: ctr mode seems like the dsa of cipher modes - inexplicably optimized for fragility
20:43 <@gmaxwell> well I know a lot of people (esp hardware people) just really would prefer stream ciphers.
20:43 < maaku> adam3us: in what way?
20:43 <@gmaxwell> GCM's popularity surprises me.
20:44 <@gmaxwell> maaku: fails totally completely to key/iv reuse and any amount of known plaintext.
20:56 < adam3us> gmaxwell: exactly, any single reuse breaks it wide open; and there is no clear in-standard defined way to robustly avoid reuse so everyone does their own crappy time, counter, guid iv thing with semi public input or influenceable input; similar to dsa, even the original dsa specified rng had enough bias that Bleichenbacher figured out how to recover the private key in 1mil msgs
21:04 <@gmaxwell> Did a matonis or someone write some article extolling "DAC" lately, IRC seems to be getting flooded with jabber about them?
21:04 < Luke-Jr> DAC?
21:05 < jgarzik> gmaxwell, Vitalik is writing software for it as part of Dark Helmet^WWallet
21:06 < jgarzik> gmaxwell, Bitcoin Magazine did a series of articles, and Jerry Brito recently wrote http://reason.com/archives/2013/12/16/the-coming-robotic-world
21:07 < Luke-Jr> LOL @ Dark Helmet ref
21:07 < Luke-Jr> jgarzik: poke, never got a response on Fedora UNIX group for USB devices :P
21:08 < adam3us> jgarzik, gmaxwell: i think it's more useful to call it a self-funding bot
21:09 < pigeons> DAC is the term protoshares/bitshares is using to mean "future app that will make our altcoin useful"
21:09 < adam3us> though i suppose they are hypothesizing about share-holder votes so there could be human owners; i think it's more fun for a money making bot to go rent its own VPS with its own profit and own itself (right up until it's hacked and loses its bitcoin stash:)
21:10 < Luke-Jr> wasn't it bitshares' guy who was recently proposing a license that forbids any usage of software by anyone who consents to copyright law? -.-
21:10 < adam3us> pigeons: yeah i saw DAC on invictus site, some of their rhetoric was cringe worthy
21:10 < jgarzik> DAC = Distributed Autonomous Corporation, AFAIK, which does not necessarily equal autonomous agent
21:10 < jgarzik> Some people appear to be using the term simply for an extranational / virtual corporation
21:10 < adam3us> jgarzik: this is true
21:11 < warren> Luke-Jr: to enforce that license you need to enforce copyright, rendering yourself unable to use your own software?
21:11 < Luke-Jr> warren: you don't need a license to use your own software :?
21:11 < Luke-Jr> :/
21:12 < adam3us> the alt story: step1. make useless alt; step2. make up some BS buzz about why it's cool; step3 premine/postmine the heck out of it; step4 profit.
21:12 < warren> well, the point is you need copyright to enforce such a license
21:13 < adam3us> corollary to alt story: screw up just about every param choice, mining function choice that you possibly can; and yet inexplicably still profit (protoshares!)
17:41 < petertodd> Yup, instawallet is already known to have a cold storage with about a million dollars in it.
17:42 < petertodd> Anyway, regardless of proving they have funds, even just the merkle-sum-tree of account balances is a big improvement.
17:42 <@gmaxwell> on a total tangent talking about the existence of micropayment systems. It would sure be nice if all these systems had a way to discover that they can use a system to system transfer vs a bitcoin payment for random user provided addresses....
17:42 <@gmaxwell> and if they could do so without disclosing what service owns which addresses in advance.
17:43 < petertodd> Yeah, I'm thinking an email-like basic address system is a good idea, and ensure that all payments are encrypted or signed or somesuch, so only the recipient holding the seckey can do anything.
17:43 < petertodd> trustbits:pubkey@example.com?
17:52 < jgarzik> a nice identity system, mayhap ;p
17:53 < jgarzik> perhaps one that requires cost to acquire an identity
17:53 < petertodd> ....that's what the pubkey is for, to ensure that we don't need an identity system!
17:53 < petertodd> basically it should act kinda like a cheque, so that only if the receiver can then actually prove they have the seckey does the sender release the fudns
17:53 < petertodd> *fudns
17:53 < petertodd> *funds
17:53 < petertodd> IE, if the DNS is hacked.
18:10 * jgarzik wants a global SIN (system id number) system. Anyone may acquire one anonymously. Perhaps it costs money, paid to a bot network, perhaps it requires a sacrifice. The main point is to -not- be able to generate millions of these identity records a day.
18:10 < jgarzik> Attach bitcoin addresses (for signmessage verification), GPG fingerprints/pubkeys, etc. to a SIN
18:11 < jgarzik> or anything else, like a nickname or fingerprint
18:11 < petertodd> I like the idea; can we call it garzik-sins?
18:11 < petertodd> Or garzik's sins?
18:11 < jgarzik> The act of obtaining one could be SIN'ing
18:11 < petertodd> This can be the public in-joke we tell the press, instead of the one about puppies...
18:55 <@gmaxwell> petertodd: well what I'd like is something like "I want to pay 1 BTC to 1jgarzik. So I consult a distributed hash table (ahh!) to find the public key for 1jgarzik, pJgarzik. Then I post to 1jgarzik E(pJgarzik, I am instawallet, reach me at xxy || I also can make mtgox payments || bitcoin_txn_paying_1btc). Then the controller of 1jgarzik responds back and says "oh, hi instawallet, instead of this bitcoin payment, you can make a ...
18:55 <@gmaxwell> ... payment to mtgox account foo --pJgarzik"
18:55 <@gmaxwell> petertodd: so the idea is that any time you want to pay someone you can privately send them a proposed transaction and they can respond back, "no thanks, pay me some other way instead"
18:56 <@gmaxwell> and no one but the recipient learns of this offer.
18:56 <@gmaxwell> And unless they accept the offer you don't learn what their alternative accounts are.
18:56 <@gmaxwell> And the offer comes with a real transaction so you can't make fake offers to people to uncover their mtgox account numbers.
18:57 <@gmaxwell> (though even better: when jgarzik gets that offer he asks mtgox for a one time use account number and that's what he responds with)
19:47 < jgarzik> offer spam
20:08 < jgarzik> anyway, besides SIN'ing
20:10 * jgarzik wonders if anybody has come up with a good way to charge for an overlay network/darknet usage, i.e. a decentralized private network that is self-supporting (provided there are interested users who pay)
22:20 <@sipa> a*P + b*G: 110us !
22:49 < jgarzik> it also strikes me that bitcoin-enabled bots, SIN'ing all over the place, would want a market for automatically bidding on things like storage space, CPU resources, ...
22:49 < jgarzik> (thus could reliable providers have well known SINs that grow respected over time)
22:50 < jgarzik> the market -- buyers, sellers and items being bought/sold -- are as private, or not, as you like
23:20 <@gmaxwell> jgarzik: so one way to do your decentralized private network thing is to have a whole bunch of not-decentralized bitcoin denominated micropayment systems. And then people advertise which kinds of micropayments they accept... including supporting trading between two accepted kinds so that you can interwork two hosts that don't mutually trust a common micropayment system.
23:27 <@gmaxwell> sipa: so an interesting node... a script that says PUSH_DATA_TO_BE_SIGNED LSHIFT_AND_PUSH_BIT_OFF_END IF{push R1_1}{push R1_0} POP LSHIFT_AND_PUSH_BIT_OFF_END IF{push R2_1}{push R2_0} POP... RETURN TRUE when used as an AST-P2SH encodes a lamport checksig. 0_o
23:27 <@gmaxwell> s/node/note/
23:27 <@gmaxwell> using 'no computation' just the AST branches.
23:29 <@gmaxwell> (the data being signed tells you which script-branch preimages you must disclose.
23:29 <@gmaxwell> )
--- Log closed Sun Mar 10 00:00:47 2013
--- Log opened Sun Mar 10 00:00:47 2013
03:03 <@gmaxwell> On the subject of Moon-rocket P2SH, a proposed solution to uneconomical-to-spend utxo is this thing I just put on my alt_ideas page (inspired by some talk in #bitcoin-dev):
03:04 <@gmaxwell> * Transaction cost prepayment: One problem is that it's possible to create UTXO that are unprofitable to redeem.
03:04 <@gmaxwell> ** Instead make every output specify a max_size, which is the maximum marginal increase in size from redeeming this txout in a new transaction.
03:04 <@gmaxwell> ** max_size serialized as an unsigned variable length int minus whatever the smallest credible max_size is, (e.g. something like 40 for bitcoin)
03:04 <@gmaxwell> *** This makes sure people aren't incentivized to write unspendable txn, perhaps a larger minimum max_size should be used, e.g. the size of the smallest secure TX_IN.
03:04 <@gmaxwell> ** Then for the 'cost' of a transaction use cost = MAX(size-sum_inputs(max_size),minimum_viable_txn_size) + sum_outputs(max_size)
03:04 <@gmaxwell> ** In order to economically align cost the blocksize limit should be based on it rather than size.
07:37 <@gmaxwell> lol https://en.bitcoin.it/wiki/User:Gmaxwell/alt_ideas#Coin_of_the_moonmen
08:58 <@gmaxwell> oh amiller
08:59 <@gmaxwell> amiller: Get this. POW = H(header || nonce || H(utxo_lookup(nonce))). With this pow: Validation _is_ mining.
08:59 <@gmaxwell> if you have utxo lookups to perform, you are mining in the process. If you've run out of lookups to perform you just do ones at random.
10:28 < HM> hmm interesting gmaxwell
10:29 < HM> gmaxwell: the problem i see with that is the hash rate will be abysmal
10:29 < HM> gmaxwell: perhaps 2 nonces with some mathematical relationship, so miners only have to do the lookup one in every X nonces
10:31 < petertodd> HM: the absolute rate of a PoW function is irrelevant
10:33 < HM> true, but once you have db i/o in there it's no longer a function of raw computation
10:33 < HM> keeping it dominated by one type of bottleneck is ideal
10:34 < HM> if it was 50% i/o and 50% computation then you have a more volatile rate
10:35 < HM> or perhaps not, but it complicates things
10:41 < petertodd> db io is just a type of computation
10:44 < HM> bah
10:44 < HM> all i'm saying is pure number crunching like a hash doesn't depend on the i/o capabilities of the host.
10:45 < HM> your scheme renders avalon boxes useless for instance because the utxo queries will dominate
10:45 < HM> that's not necessarily bad, i would just suggest reducing the ratio of 1:1 hash:utxoquery
10:46 < HM> on the other hand maybe higher i/o keeps ordinary people in the game longer
10:50 < petertodd> it's meant to be an alt-chain, not an extension to bitcoin
10:50 < petertodd> and it's gmaxwell's scheme
10:53 < HM> indeed
10:54 < HM> I think memory hardness is the way forward
13:09 <@gmaxwell> odd that hm doesn't realize that I'm describing a memory hard pow. Should I have called it TrendyPow(tm) instead? :P
13:16 < jgarzik> RE decentralized network and micropayments: given a network, how to compensate each node, in minuscule micropayment amounts, for work they perform relaying?
13:16 < jgarzik> i.e. the old how-to-prove-you-did-work problem
13:18 < jgarzik> I guess you could ask the same question about bitcoin: presuming the existence of an off-chain microtransaction system, could there be some provable compensation method for people who simply run full nodes?
13:18 < jgarzik> You can test and sample, I suppose
13:35 <@sipa> 110us for a*P+b*G; 12us for key decompression; 26us for the scalar inverse in ECDSA (@&$*# slow OpenSSL); 11us for converting X to affine coords
13:35 <@sipa> total: ~160us for a full signature validation
13:36 < jgarzik_> Heh, maybe we can drop openssl dep soon
13:36 <@sipa> which means around 500k cycles, or only 2x as much as Ed25519
13:37 <@sipa> the same thing in naive OpenSSL is around 600us
13:37 < jgarzik_> How much validation code can be reued by signing code, if any, I wonder
13:37 < jgarzik_> *reused
13:37 <@sipa> most
13:38 <@sipa> signing is just a lot simpler
13:38 <@sipa> but for signing you actually want other algorithms, which don't leak key information via timing
13:39 <@sipa> that 26us for the scalar inverse should be doable in 3us or so, i have no clue why OpenSSL is so slow at that (it's one of the few parts of my code that still rely on OpenSSL, but it can easily be changed to GMP or so)
13:57 < HM> good work sipa
13:57 < HM> jgarzik_: dropping openssl is unlikely, you'll need something for SSL/TLS
13:58 < jgarzik_> Not for all apps / libs :-)
13:59 < HM> true
14:02 < jgarzik> Android IRC client is not too bad
14:04 < HM> Yaaic?
14:05 < HM> sipa: your numbers make me feel better about this rpc implementation i'm testing
14:05 <@sipa> HM: i'd be very glad to drop SSL/TLS and tell people to use stunnel if they really want to expose an RPC port to an untrusted network
14:05 < HM> 30,000 synchronous calls over localhost tcp / second
14:06 < HM> so 34us, won't be a bottleneck
20:02 < maaku> e.g., it's so expensive to get a security clearance that a contractor would rather hire someone that is already cleared than go through the process of getting someone new
20:02 < petertodd> maaku: exactly, people who like stability are least likely to jump ship and reveal secrets
20:03 < maaku> they're also more responsive to the b.s. legal arguments made to keep them from paying attention to this stuff
20:03 < petertodd> maaku: while the "hard to get new people" thing is a problem, because it means institutionally the system is biased to ignore warning signs
20:03 < jrmithdobbs> maaku: aye
20:05 < maaku> when the wikileaks stuff happened, we were being told that even reading 2nd-hand newspaper articles summarizing it would be violating clearances, even if it wasn't something you were cleared for in the first place
20:05 < petertodd> Air force pilots tend to have the same thing, because training is so horrendously expensive. I've got a family member who's a military pilot, and he said there's a bit of an inflection point during training where it changes from "drop them now because there's lots of expensive training coming up" to "don't drop them, because they've cost us a mint already"
20:05 < maaku> in other words "pay no attention or you will be fired and go to jail"
20:06 < jrmithdobbs> maaku: you got told that too? ;p
20:06 < jrmithdobbs> maaku: was the weirdest fucking conversation ever with my boss
20:06 < adam3us> blumatt, petertodd: i used that kind of search and if fail show closest miss for one of the offloadable kdf things
20:06 < jrmithdobbs> and i wasn't even working for the dod directly (not even contracted to them!)
20:07 < petertodd> jrmithdobbs: ha, good job. Maybe it's just a function of what kind of TLA people I meet, but I get the sense there's a lot of hatred for that crap, especially with snowden showing people are being lied to about the ramifications of what they're doing.
20:08 < petertodd> jrmithdobbs: (part of the discussion I had with that TLA agent was how I needed to know that the work I was doing would lead to ethical outcomes, and he agreed it's not a given)
20:09 < gmaxwell> petertodd: snowden leaks resulted in at least two people I worked with before quitting because they finally believed that the stuff they were working on was being used unethically.
20:09 < adam3us> sadly (for them) the IT security/crypto people in NSA even if now disgusted realizing the risks NSA were creating for society, if they quit are probably somewhat unemployable as everyone will think they're an NSA mole or double agent, and nothing they say can be taken at face value
20:09 < jrmithdobbs> gmaxwell: oh you left?
20:10 < petertodd> gmaxwell: doesn't surprise me at all. possibly I was getting recruited because they've lost the smart people who tend to understand the bigger world - they need those people.
20:10 < gmaxwell> jrmithdobbs: (Juniper)
20:10 < jrmithdobbs> gmaxwell: ya didn't realise you had
20:11 < gmaxwell> jrmithdobbs: yea, I work for mozilla now.
20:11 < jrmithdobbs> oh nifty
20:11 < petertodd> adam3us: yup, and if you quit sooner rather than later, you might at least be able to say "I didn't know, and quit the moment I did"
20:11 < jrmithdobbs> petertodd: but sooner was 2004ish
20:12 < petertodd> jrmithdobbs: yeah... though 2013 is still better than nothing
20:12 < jrmithdobbs> we've had 'good enough' evidence that far back.
20:12 < Luke-Jr> petertodd: if you didn't, you might get by keeping the job while you look and say you've been looking since you found out
20:12 < Luke-Jr> otoh, I guess anyone like that would be stupid if they didn't have savings to be able to quit right away..
20:12 < jrmithdobbs> Luke-Jr: 9 years?
20:12 < petertodd> jrmithdobbs: see, if you quit now, and people hire you and you act like a paranoid fucker trying to build systems that insiders can't break, well, then maybe you'll keep your job :P
20:12 < jrmithdobbs> heh
20:13 < Luke-Jr> jrmithdobbs: oh, I thought we were talking about when Snowden disclosed whatever
20:13 < jrmithdobbs> Luke-Jr: that was the final confirmation that got everyone paying attention but first leaks re: this were in 2004
20:13 < petertodd> Luke-Jr: heh, the logic at these agencies is simultaneously "fire people who have financial problems
20:13 < petertodd> " and "distrust people who have no financial worries at all"
20:13 < Luke-Jr> jrmithdobbs: yeah, I never figured out why Snowden's stuff was such a big deal
20:14 < jrmithdobbs> Luke-Jr: i'm just saying if you truly took 9 years to figure out the leaks in 2004 were 'true' and you were inside the agency, you were obviously not very important or not very smart
20:14 < jrmithdobbs> so you're stuck there
20:14 < Luke-Jr> heh
20:14 < jrmithdobbs> pretty much how gov jobs work
20:14 < petertodd> Luke-Jr: unlike previous disclosures it was far reaching, and had a clear response from the US government showing it was totally true
20:14 < jrmithdobbs> not isolated to tech
20:15 < jrmithdobbs> Luke-Jr: his leaks were very important though because of exactly how much was confirmed at exactly the same time from the same source, with evidence for all the claims
20:15 < jrmithdobbs> not that it's doing anything.
20:16 < petertodd> jrmithdobbs: IMO it's doing a huge amount, people are quitting at the agencies, and the tech industry is responding with technical measures
20:16 < jrmithdobbs> petertodd: like?
20:17 < petertodd> jrmithdobbs: HTTP v2.0 is likely to have mandatory encryption for instance
20:17 < jrmithdobbs> noone's responding with crap that they weren't already responding with so there's a handful of people doing some good stuff but it's the same people
20:17 < petertodd> jrmithdobbs: people are finally getting rid of the PRNG that was shown to be backdoored
20:17 < jrmithdobbs> these are technical problems and some of them are very hard, after all
20:18 < jrmithdobbs> petertodd: after it was said to be during its confirmation process, ya, how effective that was!
20:18 < petertodd> jrmithdobbs: yes, but it's not impossible to make widespread ubiquitous surveillance impossibly hard
20:18 < jrmithdobbs> petertodd: don't you DARE hold anything about that situation up as an example.
20:18 < jrmithdobbs> including the response.
20:19 < petertodd> jrmithdobbs: indeed, but now that we *know* that the NSA does exactly that, people feel confident enough to stop using it without getting called paranoid! that's a *huge* change
20:19 < jrmithdobbs> petertodd: no but recent events haven't done anything to advance the work
20:19 < jrmithdobbs> and if they do it will be years before practical applications come from it
20:19 < petertodd> jrmithdobbs: proof that you're not a paranoid nutter is a huge change - this stuff now seems reasonable
20:19 < petertodd> jrmithdobbs: practical has already happened, again, people have switched PRNGs as an example
20:19 < jrmithdobbs> ya well, i knew i wasn't, i guess it's nice for the general public to agree now but i wasn't exactly screaming from rooftops about the subject either ;p
20:20 < petertodd> jrmithdobbs: archive.org is one of many sites that have switched to always https, wikipedia too
20:20 < jrmithdobbs> ya but we've had the good people at tor, ssl obsv, etc working with people on that for years now
20:21 < jrmithdobbs> saying it took a completely provable verifiable catastrophe to get people to listen is not a good thing.
20:21 < petertodd> jrmithdobbs: yes, working on, but it's always had pushback and hasn't been all that successful, proof on the other hand is a big boost to those efforts
20:21 < petertodd> meh, people tend to respond to catastrophes...
20:21 < petertodd> human nature
20:22 < jrmithdobbs> yes well, we've had proof thanks to ioerror/etc's work from inside syria/china and other places mapping these things for ~3-4 years as well
20:22 < petertodd> yes, and that's syria and china, this is local
20:22 < jrmithdobbs> petertodd: the fact that some actually mostly unrelated leaks convinced them is not exactly a good thing
20:22 < petertodd> this is also on mainstream news, time and time again
20:22 < jrmithdobbs> petertodd: we've had the confirmation locally since about the time we had it in china ?
20:22 < petertodd> good or not, it's worked
20:22 < jrmithdobbs> (2004ish)
20:22 < jrmithdobbs> ;p
20:22 < petertodd> again, that's china, it's not the US!
20:23 < jrmithdobbs> no it's the us
20:23 < petertodd> how so?
20:23 < jrmithdobbs> us companies, writing software for us companies, covered by us patents, being sold for us dollars
20:23 < jrmithdobbs> how the fuck isn't it the us?
20:23 < jrmithdobbs> (cisco)
20:24 < petertodd> right, but that was being done in china. Snowden's leaks prove to US people that they are a target, that's a huge difference, and they did it in a way that got attention on a wide scale.
20:24 < jrmithdobbs> no
20:24 < jrmithdobbs> it was publicly deployed in china
20:24 < jrmithdobbs> it was done in the us.
20:24 < jrmithdobbs> and this has been known.
20:24 < petertodd> Yes, publicly deployed against Chinese citizens. That's the difference
20:24 < jrmithdobbs> the distinction is important.
20:25 < petertodd> Snowden made US citizens worried, and made it clear that what the NSA was doing was definitely something that should be illegal.
20:25 < jrmithdobbs> yes and they're not going to look to expand their markets?
20:25 < jrmithdobbs> in what world do you live in?
20:25 < jrmithdobbs> heh
20:25 < petertodd> People find it easy to assume they won't expand their markets locally - that's the difference between a normal person and someone with a touch of paranoia.
20:26 < jrmithdobbs> let's talk when practical results come besides discontinuing a prng that had been in use less than a year to any degree at all
20:26 < jrmithdobbs> and was never even available in most implementations of the spec it was in
20:26 < jrmithdobbs> can we talk about google still advocating rc4?
--- Log closed Sat Sep 28 00:00:22 2013
--- Log opened Sat Sep 28 00:00:22 2013
--- Log closed Sun Sep 29 00:00:25 2013
--- Log opened Sun Sep 29 00:00:25 2013
--- Log closed Mon Sep 30 00:00:27 2013
--- Log opened Mon Sep 30 00:00:27 2013
--- Log closed Tue Oct 01 00:00:31 2013
--- Log opened Tue Oct 01 00:00:31 2013
22:06 < SpaceBlankey> helloooo
--- Log closed Wed Oct 02 00:00:35 2013
--- Log opened Wed Oct 02 00:00:35 2013
12:44 < HM3> Silk road guy should have invested in deterministic wallets.
12:44 < HM3> ho ho ho
13:12 < gmaxwell> hm?
13:13 < gmaxwell> HM3: why do you say that?
13:32 < sipa> HM3: you incremented!
13:34 < jgarzik> heh
14:30 < HM3> Indeed
14:32 < HM3> gmaxwell, i mean hierarchical wallets
14:32 < HM3> meant*
14:34 < sipa> HM3: why do you say that?
14:34 < HM3> Well it would have given him an opportunity to release keys so people can unlock their money
14:34 < HM3> the Feds likely have all the keys at this point
14:35 < HM3> If he was a pirate he'd have dumped the source code to the site and enough cryptographic info for people to reclaim their funds (and only their funds). It's all very sloppy.
14:38 < HM3> SR gave users the option to register an address where they would receive their funds in the event of a shutdown, it seems an ideal scenario for a script of some kind
14:38 < HM3> Chances are all the users will get screwed all the same
14:53 < gmaxwell> it sounds like their systems have been compromised for a long time.
15:07 < midnightmagic> I wonder who "FriendlyChemist" was and what data he actually has.
15:28 < HM3> It wouldn't surprise me if none of the messages were encrypted
15:28 < HM3> people exchange a lot of addresses
15:28 < HM3> probably a lot of secondary busts gonna go down
15:29 < jgarzik> Prediction: MtGox US-side funds will be unlocked within 12 months
15:30 < HM3> yeah, good thinking
15:30 < jgarzik> (yes, this is on topic...)
15:53 < Luke-Jr> jgarzik: any reason?
15:54 < Luke-Jr> does that include withdrawal to US accounts?
15:54 < jgarzik> Luke-Jr, yes
15:54 * jgarzik has no inside info, just supposition based on close reading of public posts and documents
16:15 < jgarzik> In the SR indictment, it is the first time that bitcoin mixers were explicitly linked to money laundering charges, I think.
16:15 < jgarzik> or a "tumbler" as they call it
16:18 < Luke-Jr> kinda annoying to hear SR has been spamming us with "tumbling"
16:19 < sipa> what's tumbling?
16:20 < bizoro> I wonder what the US/FBI will do with the btc they have now, maybe solve the crisis...
16:20 < jgarzik> sipa, mixing
16:21 < gmaxwell> the complaint says that they were running transactions through a series of steps in order to conceal their origin.
16:22 < Luke-Jr> bizoro: huh?
16:22 < gmaxwell> e.g. A -> B -> C -> D -> E -> F and b,c,d,e are the same person in reality.
16:22 < bizoro> Luke-Jr, the FBI seized some btc...
16:22 < bizoro> not a lot I think =P
16:22 < Luke-Jr> bizoro: what crisis? how would it solve anything?
16:22 < Luke-Jr> more than I have at least, IIRC
16:23 < bizoro> I mean, pay some public employees
16:24 < bizoro> anyway... you know how they got to the SR guy, was it tor's fault or he tried to sell the btc?!
16:25 < sipa> he posted a question on stackoverflow, under his real name
16:25 < bizoro> lol... no way
16:25 < sipa> this one: http://stackoverflow.com/questions/15445285/how-can-i-connect-to-a-tor-hidden-service-using-curl-in-php
16:26 < sipa> but changed his username shortly afterwards
16:26 < jgarzik> According to the Silk Road wiki, Silk Road's tumbler "sends all payments through a complex, semi-random series of dummy transactions, making it nearly impossible to link your payment with any coins leacving the site." [...]
16:27 < jgarzik> "Based on my training and experience, the only function served by such 'tumblers' is to assist with the laundering of criminal proceeds"
16:27 < jgarzik> gmaxwell, ^
16:27 < sipa> "leacving" ?
16:27 < bizoro> every time they block services like this, it gets stronger
16:28 < jgarzik> I was transcribing at high speed from PDF manually
16:28 < sipa> pl
16:28 < sipa> ok
16:28 < jgarzik> *leaving
16:28 < gmaxwell> he prefaced everything with that.
16:28 < gmaxwell> :P
16:28 < gmaxwell> Apparently having a captcha before you get access to a site == criminality. (doh)
16:29 < sipa> heh?
16:29 < sipa> also, why is this wizards material?
16:31 < gmaxwell> because it's certainly not bitcoin-dev material! :P
16:31 < jgarzik> lol, pretty much
16:31 < jgarzik> #bitcoin-low-noise-but-OT-for-dev
16:32 * sipa suggests: #bitcoin
16:33 < jgarzik> too craptacular
16:33 < gmaxwell> currently flooded by druggies trying to get their coins back. :P
16:33 < jgarzik> mixing is an interesting nexus of tech and social and legal
16:33 < jgarzik> and economic
17:30 < HM3> apparently he bought the site from the previous owner. so the technical side is probably not all his work
17:31 < HM3> I do believe the entire piratebay infrastructure is open source these days
17:32 < HM3> it's a shame we won't get the same chance with SR, although I don't suppose the Bitcoin side of things was terribly interesting
17:33 < gmaxwell> HM3: where does that come from?
17:34 < HM3> where does what come from?
17:34 < gmaxwell> "he bought the site from the previous owner"
17:34 < HM3> apparently he isn't the first DPR. he did an interview with the mainstream media some time ago
17:40 < BlueMatt> he claims he isnt, the fbi disagrees, so....
17:40 < BlueMatt> afaict
17:43 < HM3> I just think it's ironic he protected his customers by paying bribes and organising hits (if the court complaint is true), but not through technical means like exploiting the capabilities of the coin
17:43 < HM3> well, protected his income
17:43 < gmaxwell> that all sounded really weird.
17:44 < gmaxwell> there were a couple things in the complaint that I think were outright untrue. god knows.
17:45 < HM3> I guess using scripts in the blockchain for escrow or failsafes would make identifying SR transactions too easy
17:48 < sipa> gmaxwell: such as? i only looked briefly
17:49 < gmaxwell> sipa: e.g. it claims (on page 10) that the site had a section for listing hitmen. there was some low essay about how violence was wrong and how they wouldn't list weapons and such. I've checked with a couple people and as far as I can tell it just isn't true.
17:53 < HM3> Well even if the hitman thing is bollocks, they have his emails supposedly of him organising a hit
17:53 < HM3> I think that in itself is a crime if you go so far as to make payment
17:58 < gmaxwell> I think it will be impossible to prosecute him on that.
17:58 < gmaxwell> He asked the _victim_ for referral. They'd have to argue that he was both a moron _and_ a criminal mastermind.
17:59 < gmaxwell> I assume he'll argue that he knew that the other person was also the blackmailer.
18:00 < HM3> So much drama in the webcurrency
18:04 < Luke-Jr> gmaxwell: he paid the blackmailer off more than he asked?
18:04 < Luke-Jr> actually, less I guess
18:04 < gmaxwell> a lot less.
18:04 < Luke-Jr> I'd think they'd at least TRY?
18:06 < gmaxwell> they'll no doubt add it to the list of charges that they'll go after him with if he doesn't plead guilty.
18:07 < Luke-Jr> eh
18:07 < Luke-Jr> if they don't charge him upfront, won't his lawyer tell him "they don't think they can prove that, so ignore it"?
18:08 < Luke-Jr> I guess the harm in doing that is, they can't prosecute later if they find more evidence
18:08 < Luke-Jr> but Canada could :P
18:08 < Luke-Jr> actually, I wonder if the US *can* prosecute a MFH in Canada? :o
18:09 < midnightmagic> sorry "MFH"?
18:09 < Luke-Jr> Murder For Hire
18:10 < gmaxwell> Luke-Jr: nah, standard procedure in federal cases is that they initially charge you with a couple things, and then if you fight the charges they can add more... and they will literally add 100 more charges.
18:10 < Luke-Jr> midnightmagic: DPR paid $150k to have someone killed who threatened to leak names
18:10 < Luke-Jr> gmaxwell: but to omit MFH? that'd be like the biggest charge, no?
18:10 < Luke-Jr> I sure hope drug conspiracy is nothing compared to MFH
18:11 < gmaxwell> Luke-Jr: if someone had been killed it would have been, ... but can they even provide any evidence that they didn't just make the whole thing up?
18:12 < gmaxwell> I suspect that in general that may be part of the challenge here... what physical evidence will exist that shows that this guy was the right guy? Not just persuasive evidence but "beyond a reasonable doubt"
18:12 < Luke-Jr> gmaxwell: the evidence *against* it seems to assume it took place at the victim's residence..
18:12 < Luke-Jr> gmaxwell: surely his PC has the private key for SSH?
18:12 < Luke-Jr> if not code
18:12 < gmaxwell> Maybe! I guess we'll find out.
18:13 < Luke-Jr> otoh, if they arrested him earlier than planned, maybe he got wind of investigation and deleted stuff
18:14 < gmaxwell> I can go create a forum account with "Luke Jr." as my name and then go posting some stuff advertising some online drug market place. e.g. how would you distinguish DPR being this guy from DPR being _me_ and me deciding to frame this guy? I think that only evidence found during the arrest could help them there.
18:14 < Luke-Jr> hmm
18:16 < Luke-Jr> where'd his income come from? ;)
18:16 < Luke-Jr> if he was framed, he'd have to have some other income
18:16 < Luke-Jr> it didn't sound like he did
18:16 < gmaxwell> right. But it also didn't sound like he was living it up either.
18:17 < Luke-Jr> of course not, that'd be beyond foolish
18:17 < Luke-Jr> if I were doing something crazy like that, I'd be saving up for a cruise ship to move out of the US
18:17 < Luke-Jr> :p
18:17 < gmaxwell> hah, as if everything else wasn't? I mean, as I normally say about criminals: not generally people who are making great life decisions.
18:17 < gmaxwell> (like ... wtf was he doing still in the US?)
18:18 < Luke-Jr> everything else was merely foolish
14:33 < andytoshi> ok, i'll keep thinking about it
14:34 < andytoshi> with the current "submit rawtx" interface it is really not clear to me how i can tell 'all outputs are unblinded, ok to collect sigs'
14:35 < andytoshi> because i'm thinking, i'll probably extend the transaction-submission window to a few days or a week, because if people want quick coinjoins, they're much better served by a fully automatic joiner like yours
14:36 < maaku> I have a different protocol for serializing join offers and proposals
14:36 < michagogo|cloud> Gah, I don
14:36 < michagogo|cloud> 't like thread necromancers
14:36 < michagogo|cloud> Took me a while to notice that https://bitcointalk.org/index.php?topic=2699.0;all was from 2011...
14:36 < phantomcircuit> petertodd, HR that limits itself to generic stuff is useful
14:37 < phantomcircuit> petertodd, HR that tries to manage is seriously negative value
14:37 < phantomcircuit> petertodd, an HR department that does things like makes sure payroll works correctly and makes sure to get a group health insurance that fits everybody's needs is very valuable
14:38 < phantomcircuit> it's just that most of them try to make business decisions they aren't even remotely qualified to make :/
14:39 < phantomcircuit> (this is the typical engineer's snide remarks about hr lol)
14:39 < andytoshi> maaku: and your protocol can badger people to unblind their stuff without identifying themselves?
14:39 < maaku> well, they have to reconnect with a new tor identity
14:39 < petertodd> phantomcircuit: yup, and HR where I am is the good type. Also remember that HR is very useful as a way to give employees a route to raise issues other than their managers.
14:40 < andytoshi> maaku: right, so if they don't do this on time, can you detect it?
14:40 < petertodd> phantomcircuit: e.g. if there's say, abuse or harassment going on you need HR as a neutral third-party to fix the issue
14:40 < phantomcircuit> maaku, the only way to guarantee that is to monitor tor circuits
14:40 < maaku> andytoshi: people can reveal their blinding factors (thereby identifying themselves)
14:41 < maaku> if it appears that the join has failed
14:41 < phantomcircuit> by default the client has a minimum reset time for new identities to prevent people from DDoSing the relays with the guard flag
14:41 < andytoshi> ok, i see .. i don't think i can use the same strategy for a very-high-latency protocol
14:41 < phantomcircuit> unfortunately the control port will reply with OK even if it didn't actually cycle the identity
14:41 < maaku> ?
14:41 < maaku> this is designed for a high-latency protocol
14:42 < maaku> I don't think it'd scale very well to real time
14:42 < andytoshi> "if it appears the join has failed" could be after people have spent a day submitting transactions, then spent a day unblinding stuff
14:42 < maaku> the bids and proposed joins have round durations built into them
14:42 < andytoshi> and then one guy misses the window, doesn't want to identify himself, so he walks away and ruins it
14:43 < phantomcircuit> maaku, iirc older versions of the tor client are fairly aggressive with keeping hidden service circuits open
14:43 < andytoshi> so, right now i have a round duration for the submit-transaction phase, but then the signing phase can last forever
14:43 < gmaxwell> phantomcircuit: you use two distinct hidden services.
14:43 < maaku> phantomcircuit: that's completely unacceptable... i'll have to talk with some tor devs about this
14:43 < phantomcircuit> gmaxwell, ah yeah that would work
14:43 < maaku> but yes, it's distinct hidden services
14:43 < maaku> oh ok
14:44 < gmaxwell> yea, if you use two distinct hidden services you'll get the properties you want.
14:44 < phantomcircuit> maaku, the new identity feature doesn't even disconnect open circuits
14:44 < andytoshi> hey, cool .. with two hidden services i can refuse to merge transactions until they have been submitted in the clear to one, and unblinded by the other
14:44 < maaku> that's really bad...
14:44 < phantomcircuit> it just marks them as not to be reused
14:44 < phantomcircuit> it only works well with web browsers really
14:44 < andytoshi> wait, that still links inputs to outputs (for me)
14:45 < andytoshi> (sorry, i'll stop thinking out loud, have to eat anyway)
14:45 < gmaxwell> maaku: what's really bad?
14:45 < maaku> andytoshi: the protocol is this: if all blind signatures are submitted, but not all unblind messages received by the expiration, *everyone* involved who does not reveal their output gets DoS banned
14:46 < phantomcircuit> gmaxwell, im assuming there is an anonymity issue with signing every permutation of the outputs for a coinjoin
14:46 < maaku> gmaxwell: that "use new identity" doesn't actually stop using the old identity, if what phantomcircuit is saying is correct
14:46 < maaku> doesn't affect this application though, but bad in general
14:46 < gmaxwell> phantomcircuit: yes, because obviously you'd not sign the ones with your inputs but without your outputs!
14:46 < phantomcircuit> gmaxwell, right
14:47 < andytoshi> maaku: ok, i don't want to dos-ban people because i'm working over a few days and people get distracted or forget
14:47 < gmaxwell> maaku: the use new identity makes it expire the circuits it pegs up to exits, but I dunno what it does with hidden services; probably best to just use two.
14:47 < andytoshi> i'd rather a system where people who don't fully participate just don't get included
14:47 < gmaxwell> andytoshi: in a realtime / near realtime automated protocol those issues go away.
14:48 < phantomcircuit> gmaxwell, but let's say there is a client with coinjoin implemented in such a way that it's continuously doing it through various meeting points
14:48 < phantomcircuit> entirely transparently to the user
14:48 < maaku> andytoshi: that's the system I described ... your client will automatically broadcast your blinding token after the expiration, preventing you from being banned
14:48 < phantomcircuit> would resistance to withholding not be worth the reduced anonymity
14:49 < maaku> it's only people who don't reveal their outputs, and therefore can't prove that they did which get DoS points
14:49 < gmaxwell> phantomcircuit: you can resist withholding by just abandoning doing any blinding, and if someone withholds the server just drops them and asks everyone to retry... you could do several attempts per second or whatever, and you're banning the withholders as you go.
14:50 < gmaxwell> and as maaku says, there is a relatively straightforward protocol that allows you to ban withholding parties and still keep the stronger privacy.
14:50 < phantomcircuit> gmaxwell, how do you ban anonymous parties? :)
14:50 < phantomcircuit> tell me and we'll get rich running a tor irc network
14:50 < warren> especially over tor
14:51 < phantomcircuit> wait what
14:51 < gmaxwell> phantomcircuit: trivially.
14:51 < phantomcircuit> s/get super annoyed/
14:51 < gmaxwell> By banning their inputs.
14:51 < phantomcircuit> gmaxwell, except they're withholding the outputs not the inputs
14:51 < petertodd> Anyone else planning on going to the real world cryptography conference next month in NY? https://realworldcrypto.wordpress.com/
14:51 < gmaxwell> phantomcircuit: yep no problem.
14:51 < phantomcircuit> so you'd have to be able to link the inputs and outputs to figure out which inputs to ban
14:51 < maaku> Well, it turns into an arms race where I don't think I'd say there's a "trivial" solution
14:52 < phantomcircuit> gmaxwell, if the join is cancelled you just ask everybody to reveal their input/output link and ban the input of the person who withheld
14:52 < warren> one doesn't need the privkey to propose someone else's inputs right?
14:52 < gmaxwell> petertodd: that sounds pretty good.
14:52 < phantomcircuit> then everybody generates a new key for the next round for their output
14:52 < gmaxwell> phantomcircuit: yep
14:52 < maaku> warren: they do in my design
14:52 < phantomcircuit> gmaxwell, i could see that potentially leaking info though since people do reuse addresses no matter how much we tell them not to
14:52 < maaku> proposals are signed by the inputs they provide
14:53 < petertodd> gmaxwell: bah, just noticed they're "sold out" - free event but registration required
14:53 < gmaxwell> phantomcircuit: the details are a bit hard to get right.
14:53 < gmaxwell> phantomcircuit: but there isn't anything fundamentally hard.
14:53 < phantomcircuit> petertodd, something tells me if you call them and ask they'll magically find room
14:54 < petertodd> phantomcircuit: yeah, gonna give that a go... zooko will be there so I'll give him a shout too
14:54 < gmaxwell> hm. wish I'd thought of it earlier.
14:55 < gmaxwell> I'm going to be on the east coast from the 17th to the 21st for the MIT mystery hunt already... don't think kat has booked tickets yet, so I could perhaps swing by nyc first.
14:55 < petertodd> gmaxwell: cool!
14:56 < gmaxwell> phantomcircuit: basically the bitcoin network itself already gives us a scarce resource we can blacklist: existence of a txout. ... if that turns out not to be enough we could have things like SINs that are required to play, which can be blacklisted using the same protocol.
15:00 < phantomcircuit> gmaxwell, SINs?
15:01 < petertodd> gmaxwell: sending an email to the organizers; want me to ask if you can get a registration as well?
15:01 < gmaxwell> phantomcircuit: expensive to create pseudonymous identities, created by throwing away coin.
15:02 < gmaxwell> petertodd: yes please. If it turns out I can't come it shouldn't be a huge issue.
15:02 < phantomcircuit> ah
15:03 < andytoshi> petertodd: me too? (though i have no credentials, i understand if i'd just be weighing down your request)
15:03 < phantomcircuit> gmaxwell, yeah but nobody would want to do that if it was automated since they'd end up getting banned because they're on wifi at the airport or whatever
06:36 < sipa> if you see N sick monks, you will expect that they kill themselves after N days
06:37 < sipa> if they don't, you have to assume you are the N+1'th
06:37 < sipa> so technically there is a communication channel: observing whether your peers stay alive
06:38 < gmaxwell> so this is a riddle from http://www.ocf.berkeley.edu/~wwu/riddles/hard.shtml but it's not actually hard:
06:38 < gmaxwell> An evil king has 1000 bottles of wine. A neighboring queen plots to kill the bad king, and sends a servant to poison the wine. The king's guards catch the servant after he has only poisoned one bottle. The guards don't know which bottle was poisoned, but they do know that the poison is so potent that even if it was diluted 1,000,000 times, it would still be fatal. Furthermore, the effects of the poison take one month to surface. The ...
06:38 < gmaxwell> ... king decides he will get some of his prisoners in his vast dungeons to drink the wine. Rather than using 1000 prisoners each assigned to a particular bottle, this king knows that he needs to murder no more than 10 prisoners to figure out what bottle is poisoned, and will still be able to drink the rest of the wine in 5 weeks time. How does he pull this off?
06:38 < gmaxwell> ---
06:38 < gmaxwell> You'll all solve that right away.
06:38 < petertodd> sipa: note though how the monks need to be able to put themselves into a sequence for that strategy to work
06:38 < gmaxwell> petertodd: nah, they don't.
06:39 < gmaxwell> petertodd: it's a quorum sensing thing. They all commit suicide at once.
06:39 < sipa> indeed, they don't
06:39 < sipa> from each point of view, he himself is the N+1'th
06:39 < petertodd> gmaxwell: if there are 8 monks, 4 of which are sick, the remaining 4 have no way of not all killing themselves, so it's never optimal
06:39 < sipa> but others will see that differently
06:39 < sipa> petertodd: eh sure, after 4 days they see the sick ones dead and everyone is happy
06:40 < HM2> gmaxwell, divide into 10 x 100 bottle sets, blend each set
06:40 < HM2> you waste 10% of the wine
06:40 < HM2> but after 5 weeks you can drink the other 90%
06:40 < sipa> but he doesn't want to waste any wine except the poisoned one, i assume?
06:40 < gmaxwell> HM2: "that even if it was diluted 1,000,000 times, it would still be fatal"
06:41 < HM2> gmaxwell, and?
06:41 < petertodd> sipa: ok, so on day 4, when monks decide to kill themselves, how do the healthy monks know if they should kill themselves or not? all they know is that someone should
06:41 < gmaxwell> sipa: and yea, assume he doesn't waste.
06:41 < HM2> gmaxwell, the poison is only in one 100 bottle set
06:41 < sipa> petertodd: i don't understand; as soon as you see all originally sick people having killed themselves, you know you can't be sick yourself
06:42 < HM2> gmaxwell, does the king need all the wine after 5 weeks? or is he happy with a steady supply?
06:42 < gmaxwell> HM2: I see what you're saying, but no, he's EVIL he wants all his wine (Except the poisoned bottle)
06:42 < sipa> good question
06:42 < sipa> without the 1-month delay it was easy :)
06:42 < sipa> oh
06:42 < sipa> got it
06:43 < petertodd> sipa: ok, so if exactly one person is sick it works nicely: I know someone is sick, everyone else I look at isn't sick, therefore it must be me. If there are two people sick though every monk sees one or two monks... and I got it finally. :P
06:43 < HM2> well if a prisoner dies on day N, you know the poison bottle was from day N-30
06:43 < HM2> (assuming 30 days is the kill time)
06:45 < HM2> you essentially have 30 x 10 = 300 bottles on hold, but after 30 days you've only covered 30% of the bottles
06:45 < HM2> so you have to mix the wine somehow during the process
06:45 < sipa> you can know which bottle is poisoned after exactly 30 days :)
06:47 < sipa> petertodd: :)
06:47 < HM2> i don't see how you can preserve 999 bottles if you have to mix the wine
06:47 < sipa> oh
06:47 < sipa> didn't take that into account
06:47 < HM2> on the other hand, i can't see a way to do it without mixing the wine
06:47 < sipa> you need to be able to take a sample from every bottle in any case
06:47 < gmaxwell> HM2: they can drink some from each bottle, they only need a drop.
06:48 < gmaxwell> We'll just imagine this doesn't spoil the wine.
06:49 < HM2> could you still do it (in a longer period of time) with 1 prisoner?
06:49 < sipa> no
06:49 < gmaxwell> sipa: so the really hard version of this that Kat and I independently came up with and solved: What if, instead, you know exactly two bottles are poisoned. How many prisoners do you need? But we don't have a proof our solution is optimal.
06:49 < gmaxwell> HM2: well in a really long time, sure, sip from one bottle per month.
06:50 < gmaxwell> (and hope he doesn't die of natural causes first)
06:50 < sipa> gmaxwell: impossible with less than 19 prisoners
06:50 < sipa> though i don't have a constructive proof :)
06:50 < sipa> i think i can prove it's impossible with 18
06:51 < HM2> Ok, i have an idea
06:51 < gmaxwell> I can prove it's impossible with less than 20.
06:51 < HM2> take 4 bottles per day
06:51 < HM2> give prisoner A samples from bottles 12, B gets 13, C gets 24, D gets 34
06:51 < gmaxwell> sipa: since prisoners are integers. you can't have .9 a prisoner.
06:51 < HM2> when the poison gets them, 2 prisoners will die
06:51 < sipa> gmaxwell: there are 1000*999/2 potential outputs
06:51 < sipa> each equally likely
06:52 < HM2> but you're still only doing 4 bottles per day
06:52 < gmaxwell> sipa: where are you getting the /2 from?
06:52 < sipa> gmaxwell: the order of the poisoned bottles doesn't matter
06:52 < gmaxwell> sipa: oh indeed. 19 then.
06:52 < gmaxwell> (but yea, our solution is not at that bound)
06:52 < gmaxwell> (alas)
06:53 < sipa> #bitcoin-riddles
06:56 < HM2> you can do 6 bottles per day with a mixing strategy
06:56 < HM2> when 2 die you can determine which bottle on that day was poisoned
06:56 < sipa> 6 bottles per day?
06:56 < HM2> because there are 6 combinations of 2 in 4
06:56 < HM2> yeah
06:57 < sipa> where do you get that number?
06:57 < HM2> Prisoners A,B,C,D. Bottles 1-6. A = 125, B = 136, C = 246, D = 345
06:57 < HM2> 1 bottle is poisoned, 2 prisoners die
06:57 < HM2> always determinable
06:58 < petertodd> Lol! Someone claiming to be a Mastercoin investor just offered me a Bitcoin in exchange for giving them some pointers on their transaction encoding troubles - they still don't seem to have figured out that Bitcoin doesn't check if multisig pubkeys are actually real ECC pubkeys. :/
06:58 < HM2> but that still only gets you 30 x 6 = 180 bottles tested after a month
06:59 < HM2> you can't do better on combinations in 4 either
06:59 < HM2> 6 is centre of Pascal's triangle
07:00 < HM2> so I must be barking up the wrong tree
07:02 < HM2> wait a minute
07:02 < HM2> there are 10 prisoners not 4
07:02 * HM2 facepalms
07:07 < HM2> so you can test 252 bottles a day? :|
07:08 < HM2> because there are 252 combinations of 5 in 10
07:08 < HM2> so after 30 days, 5 prisoners will die
07:09 < HM2> you can determine which of the 252 bottles you mixed was poisoned on the day in question
07:09 < HM2> so total time is 34 days
07:09 < HM2> given a precise 30 day lag time on the poison
07:10 < gmaxwell> you can solve this even if the timing is unreliable.
07:11 < HM2> :P
07:11 < HM2> is it?
07:12 < gmaxwell> Let's just say that it is somewhat unreliable, but enough to meet your deadline.
07:14 < HM2> well since my solution only takes 4 days, you can just space the test days out. Test, no test, test, no test, test, no test, test
07:14 < gmaxwell> the party is in 5 weeks however.
07:14 < HM2> that gives you +/- 24 hour margin and takes 7 days on top of your existing 1 month/4 week deadline
07:14 < sipa> not sure how timing is of any relevance
07:14 < sipa> but i haven't actually followed
07:14 < HM2> for 5 weeks total
07:14 < gmaxwell> sipa: it's not, HM2 is deftly evading the intended solution.
07:15 < HM2> it's a solution nonetheless?
07:15 < HM2> how many prisoners die in your solution?
07:15 < sipa> on average 5
07:16 < sipa> binomially distributed
07:16 < HM2> mine always kills 5
07:16 < sipa> you're so deterministically evil
07:17 < HM2> and wastes err
07:17 < gmaxwell> HM2: and you identify the unique bottle?
07:17 < HM2> sure
07:18 < sipa> oh, you're giving different mixer to the same prisoner before they die?
07:18 < sipa> *mixes
07:18 < HM2> yeah
07:18 < HM2> overlapping mixtures
07:18 < gmaxwell> and timing the death.
07:18 < sipa> got it; yeah that way you can use the timing
07:18 < sipa> but it's unnecessary :)
07:19 < HM2> I give up :)
07:19 < gmaxwell> HM2: yea, so imagine instead all poisoned die on the first of the month regardless of when they drank.
07:20 < sipa> or all prisoners will be beheaded in one month + one hour anyway
07:20 < gmaxwell> yea, he's evil after all and they drank his wine!
07:20 < HM2> gmaxwell, i don't follow
07:20 < sipa> HM2: assume you cannot observe when a prisoner dies
07:21 < sipa> you only get to check back right before the party in 30 days
07:24 * sipa food
07:28 < HM2> what
07:28 < HM2> so the solution has to be diluting the wine
07:28 < HM2> hmm
07:28 < HM2> if you can dilute the poison below the deadly threshold
07:28 < HM2> then it may be possible to have a different mixing strategy
07:29 < HM2> such that the mixtures become poisonous again when combined
07:29 < HM2> (since realistically it should be an absolute of poison that's deadly, not a ratio of wine:poison)
07:30 < gmaxwell> how about another approach. You'd get the most information from a prisoner if he was 50% likely to live/die, right? (this was the kind of thing you pointed out for the hats problem)
07:31 < HM2> sure
07:31 < gmaxwell> do you have a scheme that results in each prisoner being 50% likely to live?
07:31 < HM2> ensure they sample half the wine
07:31 < HM2> 500 bottles
20:21 < gmaxwell> maaku: I think it's really simple to implement and understand. If you pretend that all nodes are always online then _no one_ needs to store any third party data at all. Each wallet stores its own proofs. Walletless nodes and miners store nothing (just log2(history) hashes)
20:21 < gmaxwell> In the real world where not all wallets are online all the time, you'd need some archive nodes that store proofs for other wallets, they'd have storage like a bitcoin full node (a little worse due to tree inefficiency but no worse than a full history archive)... they could be paid for the service of providing historical proofs for wallets who haven't kept up to date.
20:22 < gmaxwell> (e.g. I write my spend without the required proof, but it also pays you... now you can go provide the proof to make it a valid spend)
20:23 < maaku> i suppose.. i need to think about it
20:23 < maaku> it just intrinsically seems very odd to desire pushing work off of the miners onto the wallet apps..
20:26 < gmaxwell> maaku: The key point is it's not "the work", it's "your own work".
20:26 < gmaxwell> Or at least kinda.
20:26 < warren> maaku: in our case we're thinking about this as a way to make expired coins spendable, which may reduce opposition to expiration
20:27 < warren> allowing the UTXO set to stay small and for old blocks to be pruned
20:28 < gmaxwell> maaku: there is no reason that such a scheme couldn't be coupled with all full nodes also providing the service of storing some of the utxo too.
20:28 < warren> hmm
20:29 < warren> gmaxwell: can this possibly create incentive to run full nodes?
20:29 < warren> the network needs that
20:29 < gmaxwell> This would create an incentive to run "archive" nodes. It would make running a full (verifying node) dirt cheap.
20:30 < gmaxwell> (storage wise at least, perhaps not bandwidth)
20:34 < warren> well, we do need incentive to run archive nodes
20:35 < gmaxwell> in any case, I'm not sure that bitcoin could ever be evolved into this idea... but it's an interesting idea regardless.
20:36 < gmaxwell> the prevalence of spv nodes which would become at least somewhat more expensive in this system, alone would make it hard.
20:52 < sipa> it is a very extreme form of pushing full node computations to clients
20:53 < gmaxwell> sipa: except it changes the scaling order at the same time.
20:53 < sipa> but making full nodes dirt cheap is certainly good for decentralization
20:54 < gmaxwell> Instead of making all full nodes do work/storage proportional to the number of clients (/txouts/transactions/etc), it makes all clients do ~O(1) work/storage.
20:55 < sipa> right, full nodes are replicated
20:55 < sipa> clients aren't (typically)
20:56 < sipa> so any work moved from full nodes to client may be up to N times more expensive (with N the number of full nodes)
20:57 < petertodd> gmaxwell: remember that in the real world log2() scaling is bounded by k*256, as the universe is finite
20:58 < petertodd> gmaxwell: In addition wallets can always spend their old coins to reduce the size of the proofs, as a MMR isn't log2(history) for proof size, but log2(age)
20:58 < petertodd> gmaxwell: or to be exact, log2(age)*log2^2(history), but the latter term isn't very important
21:01 < petertodd> Something else I'd like to see in such a system is to make all transactions in a block be required to only spend transactions in previous blocks, not the current one, and then create a fixed ordering for txouts in the block. This would let you cheaply prove H(txout) existence, and in addition can be used for sharding. Spending unconfirmed coins is mainly used because you want to pay multiple people in one block interval, and that can always be replaced with transaction re-writing.
21:03 < petertodd> (basically proving that H(txout) exists or doesn't exist in n blocks now costs n*log2(m), not brilliant sure, but that's still fairly cheap and doesn't require full nodes to maintain txout indexes)
21:04 < petertodd> *expensive txout indexes
21:04 < maaku> gmaxwell: my point is why pay an external proof-generating service *in addition to* the miners' transaction fees?
21:05 < petertodd> maaku: because specialization - why should operating specialist mining equipment and validation also be tied to having huge archives of old block data?
21:06 < petertodd> For that matter, why should fully validating to check for miner fraud be tied to having huge archives of old block data?
21:06 < petertodd> We want validation to be as cheap as possible to keep everyone honest, and we want validation to also have no barriers of entry.
21:07 < petertodd> IE for 1% of the cost, I should be able to validate 1% of the data.
21:07 < maaku> petertodd: miners just need the utxo set, not the full archive
21:07 < petertodd> maaku: The UTXO set can grow without bound, and likely will.
21:08 < maaku> yes, but still "utxo set" != "archives of old block data"
21:08 < petertodd> maaku: With MMR TXO commitments we can stop hassling every idiot who bloats the UTXO set, and for that matter, they aren't idiots anymore...
21:09 < petertodd> maaku: the UTXO set needs to be stored in full to be useful, so it's a bigger ultimate burden than old block data archives which can be partially stored and still be useful
21:09 < maaku> petertodd: no, it doesn't. you can do a proof-updatable version of the utxo indices
21:09 < maaku> where transactions come with proofs-of-inclusion for their inputs, and update proofs for their outputs
21:10 < petertodd> maaku: But without UTXO existence proofs you still need full nodes to store the UTXO set, and at that point MMR TXO commitments are much simpler.
21:10 < maaku> you can do utxo existence proofs though. that's what i was asking gmaxwell about - MMR vs UTXO-with-updatable-proofs
21:11 < petertodd> Yes I know - I thought of that idea ages ago myself, as did many other people. MMR TXO commitments are simpler is what it comes down to.
21:13 < maaku> meh, i'm not so sure about that. the index bip i'm working on is rather simple, and indexing offers additional benefits... what i'm trying to figure out is if there are things you can do in MMR which you can't in UTXO-with-updatable-proofs
21:13 < petertodd> The things you can't do are obnoxious things, like making parasitic consensus systems able to take advantage of the UTXO indexes to easily store their data.
21:15 < maaku> i think you can do the same in MMR
21:16 < maaku> as far as I can tell, the MMR tree is the same as the UTXO index, just (1) keyed by insertion order, and (2) spent outputs are left in place, right?
21:16 < petertodd> Nope, in MMR they either can't at all, because you implemented it without sorting at all, or they need to scan the chain.
21:16 < maaku> well it depends on the app. you can still make proofs showing data inclusion, which is what I thought you meant
21:17 < petertodd> Yes, and on disk you literally end up with a huge file that you append to, and modify in place, and once enough outputs are spent you can drop sections of the file. Remarkably you can implement it with sparse files!
21:17 < petertodd> maaku: with UTXO proofs + what people want for SPV wallets getting my data is as simple as asking the next full node "hey, what txouts match <prefix>?"
21:17 < petertodd> maaku: (specifically I'm talking about what you're implementing)
21:20 < petertodd> Anyway, the key thing is can you do a UTXO commitment scheme, where you can expire old UTXOs? Because I couldn't figure out an efficient way to do the updates; maybe you can.
21:21 < amiller> i don't understand how you use mmr as a utxo
21:21 < petertodd> Like, if 99% of my UTXO's are long dead, can I still generate the UTXO tree efficiently, and still be able to throw away the majority of the data?
21:21 < amiller> i keep reading the page and i don't get it
21:21 < amiller> how do you prove it's still unspent if it isn't removed?
21:21 < petertodd> amiller: You prove that it hasn't been marked as spent.
21:22 < maaku> petertodd: yes, basically the same scheme with transactions carrying their own proofs, updated by owners or archive services for a fee
21:22 < maaku> the update itself requires no level-compression of the hash calculations
21:22 < maaku> but you can still store level-compressed tree on disk
21:22 < maaku> and just expand the skip-list into a sequence of internal nodes
21:22 < petertodd> maaku: Right, but to insert a new TXO in a radix tree I still need a lot of intermediary digests.
21:22 < maaku> so a 256-bit key requires 256 hash operations to authenticate
21:23 < amiller> petertodd, so it requires log n digests/modifications to mark it as spent?
21:23 < petertodd> maaku: Whereas for a TXO MMR appending a new TXO is cheap.
21:23 < maaku> yes, although it's also O(1) ... just with a constant factor of 256
21:23 < petertodd> amiller: correct
21:23 < petertodd> maaku: appending is O(1), with a constant factor of 1
21:23 < petertodd> (in MMR TXO commitments)
21:24 < amiller> who cares if appending is cheap if updating is log n anyway?
21:24 < amiller> i guess it's nice..
21:24 < petertodd> Also in MMR TXO commitments in the general case, where you're spending recent coins, the proof size stays small, whereas in UTXO radix trees the proofs get much larger.
21:24 < maaku> petertodd: given the availability of CPU-accelerated sha256, and/or GPU acceleration, i don't give much weight either way
21:24 < petertodd> amiller: But it's not, it's log2(age), which is much cheaper than log2(total # of transactions)
21:25 < petertodd> maaku: bandwidth is what matters, and MMR TXO keeps bandwidth down
21:25 < petertodd> maaku: CPU/GPU whatever is completely irrelevant compared to bandwidth
21:26 < petertodd> For instance if I respend a TXO that confirmed 4 blocks ago, my proof size is only k*2!
21:26 < maaku> petertodd: yes, i'm in agreement on bandwidth vs processing
21:26 < maaku> but log2(age) is not necessarily cheaper than log2(# *unspent* transactions)
18:56 < midnightmagic> jgarzik: There are some excellent talks at.. 28c3 I think.. with textual fingerprinting and analysis, and open-source tools anybody can use. Very impressive to see what academics think is the state-of-the-art.
18:56 < jgarzik> Far beyond that -- statistics can read your mind ;p
18:57 < gmaxwell> indeed.
18:57 < HM3> i'm going to 30C3 this year
18:57 < midnightmagic> equally impressive is their assertion that newbs who know their text is being analyzed can fool the tools without any training.
18:57 < jgarzik> I read about an image recognition demo. Once you trained the model w/ a subject inside an fMRI machine, the models were able to guess what the subject was visualizing
18:57 < jgarzik> you don't have to know how the brain works at all, to apply statistics
18:58 < HM3> jgarzik, but only things that have already been trained, surely
18:58 < jgarzik> computers are just too damned good at pattern matching
18:58 < jgarzik> HM3, today.. correct
18:58 < HM3> then I'll be dead before they get through my tinfoil house
18:59 < gmaxwell> people are good at pattern matching.. but each computer is like having a million kinda dumb people working on your problem. They really do change the power dynamics.
19:01 < HM3> reminds me of this computerphile video, where the guy reasons that useful AI is putting a pretty dumb machine in a carefully controlled environment, not making smart AIs to cope with complex environments
19:02 < HM3> like captcha processing. throwing a neural network at it works really well after a stack of bespoke preprocessing
19:02 < HM3> here we go https://www.youtube.com/watch?v=hcoa7OMAmRk
19:06 < jgarzik> "How DPR Got Caught", summarized from the criminal complaint: https://medium.com/p/d48995e8eb5a
19:06 < jgarzik> (nothing that hasn't already been said here, just a useful summary)
19:07 < gmaxwell> jgarzik: notice the gap on 2? how'd they get the seized webserver?
19:08 < HM3> 1.5 is seizing his email account
19:08 < HM3> what kind of private VPN keeps logs :S
19:09 < jgarzik> what percentage of VPNs are really honeypots...
19:09 < gmaxwell> HM3: what kind of underground drug markets keep logs?
19:10 < HM3> well messages need to be kept until they're read
19:10 < jgarzik> gmaxwell, definitely some handwaving in the complaint, glossing over compromise of the servers in some foreign country
19:10 < HM3> when you buy something on silk road the process involves messaging through the site, to give the seller your address, and get updates etc.
19:10 < gmaxwell> HM3: yea, but there are a bunch of extra logs apparently!
19:10 < HM3> yep. should have had the rack rigged with thermite :P
19:11 < jgarzik> IIUC, Tor has around 7000 relays. It seems well within existing technology and the ability of the NSA -- known to monitor the Internet at junctions all over the globe -- to observe all 7000 relays, and figure out which set of relays "bursts" during observed Silk Road visits.
19:12 < HM3> jgarzik, you could be an optimist and say the intermediate steps are omitted because they're routine and don't actually add to the evidence
19:12 < jgarzik> and it seems doable to classify a node as "busy"
19:12 < jgarzik> pick up enough of these strands, and you can probably locate a popular Tor hidden service
19:14 < HM3> that's like tracing bitcoin transactions to IPs by making as many connections as you can, or tracing Bittorrent DHT queries by running a load of nodes in the DHT
19:16 < gmaxwell> HM3: I've heard from people running ISPs that they have had people trying to purchase IP space in a large number of /8s in order to do bittorrent dht poisoning.
19:16 < HM3> the protocol, like most of bittorrent, was fairly rushed
19:26 < midnightmagic> gmaxwell: A friend of mine was already doing that for TimeWarner, as of perhaps 10 years ago. I haven't personally witnessed him doing that, but he's getting a paycheque and lives in.. Japan right now I think.
19:45 * HM3 debates porting some parsing code written in Boost xpressive to Boost Spirit X3
20:48 < gmaxwell> great... bitcointalk hacked.
21:01 < midnightmagic> jesus
21:01 < midnightmagic> smf is way holier than i thought
21:12 < Luke-Jr> gmaxwell: really? :o
21:12 * Luke-Jr is uncertain if that is good or bad
21:14 < gmaxwell> and defaced by some moron
21:14 < Luke-Jr> who might be stealing cookies to run against the real site?
21:22 < HM3> How frequently is it hacked?
21:22 < HM3> Seems like a bad day for the largest bitcoin forum to go down
21:22 < HM3> Conspiracy ;P
21:23 < gmaxwell> it's been similarly defaced once before.
21:46 < jgarzik> The "murder for hire" was indeed a sting, 100% fake: http://www.baltimoresun.com/news/maryland/crime/blog/bal-silk-road-owner-ross-william-ulbricht-allegedly-tried-to-arrange-witness-murder-in-md-20131002,0,5476223.story
21:46 < Luke-Jr> jgarzik: both?
21:47 < jgarzik> $80k
21:47 < Luke-Jr> "rivals" - huh? blackmail isn't rival :P
21:54 < gmaxwell> jgarzik: holy @#$#@
21:54 < gmaxwell> that is actually about the 80k hit!
21:54 < gmaxwell> Their chats took a turn when one of Ulbricht's employees got arrested in January after one of their arranged transactions. Authorities say Ulbricht worried that the employee would blow his cover and asked the undercover agent to have him killed.
21:54 < gmaxwell> Ulbricht said he had never killed a man or had one killed before, but it is the right move in this case, an agent wrote in court papers.
21:54 < gmaxwell> The agent led Ulbricht to believe that the killing had been carried out, including sending staged photos of the employee being tortured, and on March 1 Ulbricht wired $80,000 from an account in Australia to an account controlled by authorities.
21:56 < jgarzik> $80k first one staged, $150-300k second one not staged [by LEA]
21:57 < gmaxwell> yea. crazy. well so much about my idea that the 150k one was DPR just intentionally playing along with the blackmailer to scare him off..
21:57 < gmaxwell> the fact that he really did think he had someone killed previously drastically lowers my probability assessment of that.
22:01 < HM3> dumb question
22:01 < HM3> since it's 3AM
22:02 < HM3> S1 xor P1 = S2 xor P2
22:02 < HM3> if you know S1 and S2, xoring them together = P1 xor P2, right?
22:04 < HM3> yeah duh
22:04 < HM3> Christ, time for bed
--- Log closed Thu Oct 03 00:00:37 2013
--- Log opened Thu Oct 03 00:00:37 2013
02:48 < wumpus> so much for his ideological spiel about a world without violence
02:49 < warren> You see, under the non-aggression principle you only have to worry about governments. Voluntary actors and corporations (merely pooled capital of voluntary actors) have no reason to be violent.
02:50 * warren read all that crap for a paper this past semester.
02:51 * Luke-Jr notes Roger Ver considers DPR to be a hero after all this <.<
02:51 < gmaxwell> platonic politics for spherical cows.
02:51 < gmaxwell> Luke-Jr: you should point roger to the MD charges.
02:51 < wumpus> usually when people say that they mean 'only my aggression' or, 'only my group's aggression'
02:52 < Luke-Jr> MD?
02:52 < gmaxwell> Luke-Jr: I pointed genjix to them and he said he'd have to reconsider his position (he too was going on about the hero stuff)
02:52 < gmaxwell> Luke-Jr: http://www.baltimoresun.com/news/maryland/crime/blog/bal-md-drug-attempted-witness-murder-charges-against-silk-road-owner-document-20131002,0,258931.htmlpage
02:53 < gmaxwell> apparently the $80k hit mentioned in the NY complaint's emails was actually a MD sting operation.
02:53 < Luke-Jr> is there a PDF of that?
02:53 < gmaxwell> and in that case my "well maybe DPR knew he was talking to the blackmailer all along" doesn't at all apply.
02:53 < Luke-Jr> gmaxwell: I did mention the MFH stuff, and the posters on Roger's page went on about "no proof" :/
02:53 < gmaxwell> DPR wired 80k USD to some law enforcement in DC to have one of his staff members killed after he learned the staff member had been arrested. :(
02:54 < gmaxwell> Luke-Jr: http://s3.documentcloud.org/documents/801151/silk-road-owner-charged-in-md-with-drug.pdf
02:54 < Luke-Jr> thanks
02:54 < gmaxwell> This sounds much more solid than the incident in the NY one.
02:54 < gmaxwell> :(
02:55 < gmaxwell> I'm now honestly angry that they let this sonofabitch walk free for 8 months and gave him enough time to try to put out a hit on a second person!
02:57 < gmaxwell> and I suspect that the "success" of that first assassination is why he seemed so strangely eager to use it as a solution to his blackmailer problem.
03:09 < Luke-Jr> gmaxwell: no kidding
03:10 < gmaxwell> maybe someone actually is dead now because of it.
03:10 < gmaxwell> ... though I think that's unlikely.
03:13 < Luke-Jr> gmaxwell: on another note, I think it's awesome how the Maryland indictment uses past tense for SR :D
03:14 < Luke-Jr> hey, Maryland got "difficult to track" right (instead of anonymous)
04:13 < midnightmagic> say DPR wanted to prove he thought in advance, something was going on, and that he felt in advance there wasn't any hit happening. He could write various self-serving versions of it which conform to expected possible outcomes, and datestamp some hashes for each one, very nearly undetectable from one another using various namecoins. Then, depending on what actually happens, he magically whips out the most self-serving theory
04:13 < midnightmagic> which "proves" that in advance, he "knew" the cops were cops and no wrong-doing was happening.
04:13 < midnightmagic> how do the cops prove he wrote a dozen or a thousand of them?
04:19 < gmaxwell> that's why you couldn't use that sort of thing as a defense.
04:20 < gmaxwell> one of the reasons cops want money in these cases is to do kinda the opposite.
04:21 < gmaxwell> midnightmagic: I suppose if he timestamped one of those things with say, a $80,000 transaction fee... then you would have an argument which would convince _me_ that the timestamped thing was unique-ish, though selectively disclosed.
02:52 < gmaxwell> nah, this stuff is easy to improve in wikipedia, no one cares about it. :P
02:53 < gmaxwell> In any case, it's not exponential but indeed, it might be interesting.
03:07 < gmaxwell> in any case the short short of the rho algorithm: say you're looking for two hashes with the same 32 bit prefix. You pick a random starting value then truncate the hash output to 32 bits and use that to obtain your next point to check
03:08 < gmaxwell> then you keep going. Eventually you will loop. You can detect the loop in a bunch of different ways. Once you've looped you have a collision.
03:09 < Luke-Jr> hm
03:10 < gmaxwell> but the fact that you have to recompute part of your loop to actually find the other value, as well as the work required to detect the loop means this is slower than if you had the memory (and access to the memory were free).
03:10 < gmaxwell> There are schemes in between memorylessness and full memory that let you choose your tradeoff.
14:02 < amiller> ugh, i'm stuck on atomic cross chain transactions again
14:03 < amiller> https://en.bitcoin.it/wiki/Atomic_cross-chain_trading
14:03 < amiller> does this one work?
14:04 < amiller> it just uses timeouts and refunds and the whole hash of a secret thing
14:04 < amiller> so that a transaction that claims a reward on one chain must necessarily involve publishing enough information to claim the amount on the other chain
14:05 < amiller> and there's a longer timeout on the second chain
14:09 < jgarzik> amiller, as is self-evident, there is nothing really atomic there
14:10 < jgarzik> IMNSHO
14:10 < amiller> i'm willing to assume that the chains are *loosely* synchronized so that 48 hours doesn't elapse on one chain before 24 hours elapses on the other though
14:13 < amiller> i can't come up with any way that one transaction could be completed and the other not
14:18 < amiller> i guess this requires a locktime though
14:19 < jgarzik> yeah
14:19 < amiller> i can't figure out if this would work with existing locktime
14:26 < amiller> gahh, i think this is just unreadable
14:26 < amiller> i can't interpret what "A creates TX1: "Pay w BTC to <B's public key> if (x for H(x) known and signed by B) or (signed by A & B)"
14:26 < amiller> A creates TX2: "Pay w BTC from TX1 to <A's public key>, locked 48 hours in the future, signed by A"" would actually be as a transaction
14:32 < amiller> if then else ops currently work nonstandard, right?
15:19 < amiller> https://gist.github.com/amiller/6923910/raw
15:19 < amiller> i think this works out.
15:19 < amiller> it's different than luxgladius.
15:19 < amiller> i don't know why i didn't come up with this one before while thinking through the luxgladius one though
15:34 < amiller> https://bitcointalk.org/index.php?topic=193281.msg3315031#msg3315031
15:34 < amiller> i can't tell if i'm currently out of my mind or just was previously out of my mind, it's tricky
16:02 < gmaxwell> So here is a fun POW idea: for each UTXO compute X_n = H(UTXO_n || H(header) || nonce) and then search two X_n such that X_n_1 - X_n_2 < target. it's UTXO semi-hard (time/memory tradeoff) but has a compactly checkable proof (just two UTXO fragments)
16:07 < gmaxwell> (oops one side needs to have a nonce of 0 or it's not utxo hard, darnit, I had that right initially and then revised my message and broke that)
16:32 < maaku> gmaxwell: why is it valuable to tie UTxO with PoW?
16:34 < amiller> because otherwise there's not much incentive to actually store the UTXO
16:34 < amiller> especially as the UTXO gets much bigger, people might elect not to store it at all
16:35 < amiller> why buy an extra hard drive to hold the utxo, it doesn't help you mine and you could just buy another miner
16:35 < amiller> this isn't as much of a problem as long as the UTXO stays pretty small, which it seems to be doing so far
16:35 < amiller> but this is especially a prerequisite for any altcoinish idea that involves a larger UTXO
16:35 < amiller> and it doesn't hurt to use the mining incentive to incentivize storing the UTXO
16:37 < maaku> hrm, ok is there any reason to have a UTXO-POW if you have UTXO commitments?
16:39 < amiller> yes
16:39 < amiller> even if you don't need the whole utxo to validate merkle-branch proofs
16:39 < amiller> you still need lots of people to construct/serve those proofs, cheaply
16:40 < amiller> those people can be the miners
16:40 < amiller> use the mining fee to subsidize some of the expense of validation (preparing the proofs)
16:41 < maaku> ok what i mean is if there is soft-fork commitment of the utxo hash to the coinbase
16:41 < maaku> (which is the current plan, i hope)
16:41 < maaku> then they are incentivised to have the UTXO set - their blocks will be ignored otherwise
16:42 < gmaxwell> maaku: imagine you have that.. and people go "ouch, these things are expensive to compute. Oh look, bob will generate them for us for only 0.01% of our mining income, we just need to connect to him to get the latest value".. and you get massive centralization as a _result_ of your commitment.
16:42 < gmaxwell> but if the POW is UTXO hard then the communications bandwidth required to use bob is proportional to hashrate and prohibitive.
16:43 < maaku> but - different tack here - aren't you then requiring any full node to also maintain the whole utxo set to validate?
16:44 < gmaxwell> maaku: what I described can be validated against a utxo commitment (e.g. in the prior block)
16:45 < maaku> ok
17:00 < maaku> gah, i completely forgot about committing hashes of undo files
17:24 < amiller> does anyone have any idea wtf adam3us is describing
17:24 < amiller> i think it's good but i don't understand it
17:25 < amiller> i understand the idea of having homomorphic commitments to values (like instead of zerocoin, where you have to do one transaction per fixed-unit of currency)
17:27 < amiller> but i can't figure out what it has to do with proof of work
17:28 < gmaxwell> amiller: oh good, it's not just me.
17:28 < gmaxwell> well actually I think I have a better idea of what it is than that.
17:30 < gmaxwell> Consider, you can do digital cash via blind signatures... so long as you can trust the blind signing guy to not double sign. So what if your POW were a blind signing algorithm? and the ability to double sign is removed by the difficulty in creating a block and the desire to not have your block invalidated via double signing.
17:30 < gmaxwell> I think that's what he is trying to describe.
17:39 < gmaxwell> amiller: i dunno why you say that "since pooled mining is *not* a systemic threat to decentralization in the same way" ... I think it is one, it's just one of lower magnitude, but not different degree.
17:39 < gmaxwell> the magnitude difference comes from the fact that miners can't vote with their feet, but we see in practice that they already vote with their feet super slowly with pools.
17:39 < gmaxwell> (e.g. stupid dos attacks are visible in the global hashrate)
17:39 < amiller> that's really not inherent to pooling though
17:39 < amiller> just an implementation of it?
17:40 < gmaxwell> yea, you could pool for payments only, and that wouldn't have that risk.
17:40 < gmaxwell> But the cost of running a full node, various intellectual friction, etc. are also pro-centralization.
17:41 < amiller> agreed, sure
17:41 < gmaxwell> but okay, fair point, your idea kills even the least harmful kinds of pooling.
17:41 < gmaxwell> e.g. just pooling payments.
17:42 < amiller> (edited to weaken my apparent endorsement of pooled mining :o)
17:51 < gmaxwell> amiller: https://bitcointalk.org/index.php?topic=309073.msg3315837#msg3315837
18:00 < Luke-Jr> I don't see how that would stop people from outsourcing mining
18:01 < Luke-Jr> on the contrary, it would just make it worse since the companies doing it would be less likely to give their clients any direct control over the miners
18:07 < amiller> i don't follow
18:09 < gmaxwell> Luke-Jr: the idea is that it makes it so the cloud company can easily and invisibly rip off their investors.
18:09 < Luke-Jr> they already can
18:09 < gmaxwell> The motivation may not be obvious to you because they can already do that, amiller is assuming a future world where the investors demand proof.
18:09 < gmaxwell> which they can currently provide.
18:10 < gmaxwell> e.g. if you buy x TH/s of mining the cloud can send you shares to prove that they're mining in a way that will pay you.
18:10 < Luke-Jr> i c
18:10 < Luke-Jr> so basically his idea makes it impossible for them to provide proof :P
18:10 < gmaxwell> Of course, no one does this, or even asks for it. But amiller assumes they will, and proposes to break that. Right.
18:11 < amiller> unbuild it and they won't come
18:11 < gmaxwell> their proof would be worthless because the solutions they find would be rebindable to pay them instead without anyone knowing who did it.
18:11 < Luke-Jr> imo not worth a hardfork <.<
18:11 < amiller> Luke-Jr, time will tell
--- Log closed Fri Oct 11 00:00:25 2013
--- Log opened Fri Oct 11 00:00:25 2013
--- Day changed Fri Oct 11 2013
00:33 < jgarzik> bye bye Dwolla, we hardly knew ye
00:52 < maaku> jgarzik: ?
00:53 < jgarzik> maaku, they are stopping anything related to virtual currencies as of Oct 28
00:54 < maaku> ah
21:24 < HM3> :)
22:14 < amiller> :)
22:15 < gmaxwell> :-/
22:53 < jgarzik> !!!
23:12 < HM3> https://www.imperialviolet.org/2013/07/18/hashsig.html
23:12 < HM3> great blog post on Lamport signatures
23:13 < HM3> I just found out agl (the above blogger) implemented the 'donna' plain-C impl of djb's curve25519
23:14 < HM3> been reading his blog for a while, so it was a nice collision of interests
--- Log closed Sat Oct 12 00:00:03 2013
--- Log opened Sat Oct 12 00:00:03 2013
11:53 < nanotube> so my bitcoind node is averaging total connections in the 120s (out of 128 total), with 40-50 through tor. only one data point, but seems to suggest that open network slots are relatively few.
11:53 < jgarzik> indeed :/
04:01 < warren> gmaxwell: and board markup can be within that, parsed within the signed message box, but raw text for manual verification
04:02 < gmaxwell> this way people using their own gpg signatures on messages aren't a nuisance adding kilobytes of base64 data to everyone's screens.
04:02 < gmaxwell> yea, exactly.
04:02 < gmaxwell> so it doesn't break markup either.
04:03 < gmaxwell> warren: rails? Not go? :P
04:03 < warren> gmaxwell: whatever can be rapidly developed and is reasonably securable
04:04 < gmaxwell> most of the dynamic languages have been security disasters of various degrees. :(
04:04 < gmaxwell> rapidly developed and is reasonably securable ... = Java.
04:04 * gmaxwell ducks
04:04 < warren> haha
04:06 < warren> SMF has the ability to grab avatars from arbitrary URLs
04:06 < warren> I'm not sure how someone thought that was a good idea.
04:06 < warren> there is no reason a forum should be able to make outgoing connections
04:06 < warren> also ... bitcointalk's outgoing e-mail is spam binned or blocked at many ISPs
04:07 < warren> because spam is sent in PMs
04:07 < warren> forum TNG needs egress spam filtering with moderation
04:10 < gmaxwell> warren: it should use tor for that. :P
04:10 < gmaxwell> oh a feature I want: block @#$@#@ third party images in posts.
04:11 < gmaxwell> It's crappy that anyone on the forum can get the IPs of anyone who reads their threads by inlining an image!
04:11 < warren> yeah
04:11 < gmaxwell> I bet it even works in PMs too, but I haven't tried it.
04:11 < warren> I'm curious why that's allowed at all.
04:11 < gmaxwell> it will be awesome beyond belief if there is another browser PNG remote code bug...
04:11 < gmaxwell> (there have been ones in the past)
04:11 < warren> gmaxwell: ooh... let people upload images ... but that's a premium feature
04:12 < warren> no privacy problem that way
04:12 < gmaxwell> sounds fine to me. also would reduce fucking stupid meme images, which I think is ducky but others may not agree.
04:12 < warren> they can use stupid meme images, if they pay
04:12 < warren> pay to pollute
04:13 < gmaxwell> yea.
04:13 < gmaxwell> I wish there were a way to distinguish normal signatures from advertising ones. I wish I could block only the advertising signatures (though I guess they're a good way to identify idiots)
04:13 < warren> people will bitch about losing the feature, but easy to explain with "privacy"
04:14 < warren> gmaxwell: ooh, Ignore button only for signatures
04:14 < gmaxwell> it has that already, in fact.
04:14 < gmaxwell> oh but it's not per user.
04:14 < warren> huh
04:14 < warren> oh
04:14 < gmaxwell> ah, also, might be interesting if you could subscribe to other users' ignore feeds.
04:15 < warren> hahahaha
04:15 < warren> that would be awesome
04:15 < gmaxwell> Or be able to do things like ignore this if 2 out of {warren, theymos, gavin} has ignored.
04:16 < warren> don't want the logic to become too slow
04:16 < gmaxwell> (in theory you could replace a lot of banning with a default ignore subscription, though if mods were ignore subscribed, I'd want separate personal and moderator ignore lists.. as I ignore people pretty freely)
04:16 < warren> gmaxwell: would folks like a slashdot-like meta-moderation system?
04:16 < warren> good posts bubble up
04:16 < gmaxwell> I think slashdot has been a uniform disaster and I wouldn't use any forum that worked that way.
04:17 < warren> reddit is a disaster too?
04:17 < gmaxwell> I think my net karma in /r/Bitcoin is negative.
04:18 < gmaxwell> Because I've posted things like expressing concern about people centralizing on popular web wallets or saying that I didn't think the promotion of illegal activity was good for bitcoin.
04:18 < gmaxwell> And I got groupthink downvote bombed.
04:19 < gmaxwell> (my reddit karma overall is very high, it's not like I do poorly in reddit in general... but it punishes strong voices who aren't in with the flow)
04:21 < gmaxwell> Now, ... a per subforum mode that lets you do a reddit style thing might be interesting.
04:21 < gmaxwell> E.g. press subforum would probably be neat with reddit ranking instead of most recent post bumps.
04:57 < midnightmagic> post bumps make me angry
04:57 < midnightmagic> aaaaangry
04:58 < midnightmagic> no.. wait, that's steven harper that makes me angry.. aaaaangry
06:19 < warren> gmaxwell: mind if we act as guinea pig for gmaxwell:external_ip?
06:26 < warren> gmaxwell: I'm going to make a bitcoin-0.8.5 branch with the large pile of stuff I backported/tested in litecoin-0.8.x too.
06:34 < petertodd> gmaxwell: make the forum have an underlying usenet-like architecture, so those interested can mirror whole copies. Prevent DoS w/ trusted signature schemes of the "master server" and/or proof-of-sacrifice stuff
06:35 < warren> petertodd: with client-side encrypted warez ...
06:36 < petertodd> warren: heh, yup
06:36 < petertodd> warren: obviously moderators can handle that...
06:37 < warren> petertodd: can they? they have no idea what is stored there...
06:38 < petertodd> warren: right, and having no idea is grounds for them banning the message. (or not allowing it in the first place)
06:39 < warren> censorship!
06:39 < petertodd> allowership!
06:40 < petertodd> no seriously, I'm thinking you have what if fundamentally a flood-fill, but use signatures to filter
06:40 < petertodd> *what is
06:40 < petertodd> and really, usenet is probably 95% of what we need...
06:42 < petertodd> heck, looks like there's some existing web-based usenet readers
06:43 < warren> ship it with monster truck sized training wheels
06:44 < petertodd> Exactly! it's totally ok if there's still "bitcointalk.org", and if what it's usually doing is generating a PGP key on your behalf that it signs your posts with.
06:44 < petertodd> Also, you can still have ads: add them to messages the same way that bitcoin-development does in a separate mime bit. (you can have two sigs even...)
06:45 < petertodd> or just leave the ads on the http version - the usenet version doesn't have to
06:46 < petertodd> (kinda sad that my first thought with an awesome fully decentralized forum is how can we stick ads on it...)
07:26 < warren> gmaxwell: https://github.com/wtogami/bitcoin/commits/0.8.5-externalip backported your patch to 0.8.5. It seems to run ... no idea if it is working.
07:27 < warren> petertodd: any idea how to test if this is working?
07:27 < petertodd> warren: logs? tcpdump?
07:28 < warren> maybe a logprint when it transmits an advertisement?
07:29 < MoALTz> petertodd: figure out how to reward website operators for offering a service without using ads? not sure if there's a good way to do this though
07:29 < petertodd> yup
07:30 < petertodd> MoALTz: nah, real easy: we want to pay mods because they do useful moderation work, and we want to pay server operators because servers cost money
07:30 < petertodd> MoALTz: the latter is easy with http web stuff, just use ads! with nntp, charge for the service. For moderators, attach the ads to the messages they moderate if you want, or take money out of the other two categories.
07:35 < petertodd> crazy scheme: so moderators/forum operators are good for DoS attack control. Make people pay for that service by using a forgeable digital signature, specifically one where between two parties, the receiver knows the sig is valid, but it's constructed in such a way that the receiver themselves can fake the signature. Thus when people stop paying for their feed, stop signing the data. Works best with a broadcast encryption scheme, though I don't know enough about the details of how to actually do that.
17:27 < warren> https://github.com/litecoin-project/litecoin/pull/81 we're going to guinea pig the externalip thing
17:27 < warren> anything else you want tested on <that other network>?
18:31 < adam3us> gmaxwell: less OT here it seems to me a pedersen commitment can be used as a chameleon hash also have to check, maybe it's well known - not sure
18:32 < gmaxwell> I was trying to come up with a way to use ECDSA as one (on the basis that people already have ECDSA code), but failed... I could only get one that worked for two messages and only if you knew them in advance.
18:33 < adam3us> yeah schnorr is just more flexible ... dsa is a bad algorithm
18:33 < adam3us> gmaxwell: pedersen commitments are like two discrete logs and generalizes to many discrete logs called representation problem
18:38 < gmaxwell> adam3us: interesting, yea, I didn't think any of the other chameleon hashes failed to leak the private key. That was indeed also the claim of that paper.
18:44 < adam3us> gmaxwell: maybe it's wrong... i find it hard to imagine i just invented two new chameleon hashes given how easy it was
18:45 < gmaxwell> it wouldn't surprise me, it's not the most in-demand cryptographic construct, and it's highly related to ZKPs, which you've been thinking about lately.
18:45 < adam3us> gmaxwell: check thread, but a=kG+mQ is hash, modified hash is a=k'G+m'Q which recipient can calc as he knows dG=Q, and k'=k+md-m'd
18:46 < adam3us> gmaxwell: u know there is a lot of interesting and practically useful stuff below what the academics call MPU minimum publishable unit
18:48 < adam3us> gmaxwell: it's an interesting q if you can force that to be a valid ECDSA sig, would be like an existential forgery (sender) vs a real sig (recipient) but i am not sure if an existential forgery can communicate anything other than a random number in place of a msg
19:31 < adam3us> gmaxwell: yeah i dont see how to make that work with ecdsa either.. oh maybe you can do this
19:33 < adam3us> gmaxwell: R=kG, r=R.x, s=k^-1(H(m)+rd) dsa sig = r,s (normal so far) a verify relation is sR =? H(m)*G+rQ
19:35 < adam3us> gmaxwell: so work backwards, choose r random, compute R=[r,f(r)], then H(m)*G, calc T = H(m)*G+r*Q
19:35 < adam3us> gmaxwell: ok now choose random s compute sR = T (ie s^-1*T = R)
19:36 < adam3us> gmaxwell: so far the R value is random and wrong and doesnt match r
20:16 <@petertodd> On the other hand, with opaque transactions, again, what's to stop the bank from creating inflated ones? But if you can audit that, then someone can just troll through the balance sheet and find them all out anyway.
20:16 <@petertodd> (though granted, movements would be harder)
20:17 <@petertodd> It's funny too how balances that sit untouched, can be relatively safely taken by the ledger in fraud/balance expiry.
20:17 <@gmaxwell> petertodd: I don't follow. The bank pays you 100 btc it doesn't have. You check your balance. Is the root correct? if so, then someone else's root will not be correct.
20:18 <@gmaxwell> well such a system would likely fund itself by periodic fees on inactive accounts, this also prunes the account database.
20:18 <@gmaxwell> (it would make txn paying itself from users
20:18 <@gmaxwell> and yea, it could rob inactive users and use that to pay other users... though they'd eventually be able to prove it.
20:19 <@petertodd> I guess that's basically my complaint: it relies on users checking for fraud 100%, and each user has to play their part.
20:19 <@gmaxwell> or rather, challenge it and the bank would be unable to prove it didn't.
20:19 <@petertodd> See, I'd say don't worry about balances, just do a straight up unspent txout list as usual.
20:20 <@gmaxwell> yea, but that's less private and also not so scalable. Proving that the bank has the funds to back itself and proving that it hasn't just randomly taken your money is probably the biggest concerns.
20:20 <@petertodd> Merkle sum the txout of course, but leave it at that.
20:20 <@amiller> i'm interested in something which is that normally there's no incentive to communicate information in a p2p network but in bitcoin there sort of is
20:20 <@gmaxwell> Consider the bank like things that put people's money with pirate.
20:20 <@amiller> in the sense that you want to publish proofs because it makes it easier for other people to build on your block rather than undermining it
20:20 <@amiller> same as wanting to obtain the proofs so you can be sure you're working on a valid block
20:21 <@amiller> it's obvious how by encoding validation rules / proof of work puzzles you can incentivize both storage and computation
20:21 <@amiller> it's less obvious but still seems plausible that you can incentivize communication this way
20:21 <@petertodd> "Consider the bank like things that put people's money with pirate." <- ?
20:22 <@petertodd> Oh, wait, you mean the funds that took peoples money, and forwarded it to pirate.
20:22 <@gmaxwell> petertodd: when pirate poofed a bunch of other stuff poofed too.. bitcoin businesses and such, that has investors money, even an exchange like thing...
20:22 <@gmaxwell> Yep. Even when they were saying that they hadn't done that.
20:22 <@petertodd> Yeah, I see what you mean, you want to audit the backing funds first.
20:22 < HM> i take it nobody got their money back?
20:22 < HM> last i heard he was actually paying some back ?
20:23 <@gmaxwell> people who were paid before the implosion got paid.
20:23 <@petertodd> HM: he kept saying that to keep people hoping, and not suing him.
20:23 <@gmaxwell> and yea ^ that.
20:23 <@petertodd> (post implosion)
20:24 <@gmaxwell> petertodd: in any case, I think that's the biggest sorts of concerns. The UTXO thing would be better but also more complicated less scalable.
20:24 <@petertodd> gmaxwell: Yeah, I'll agree with you on that. Basically, build a client that makes checking for fraud periodically, and ensure people use it, and you're probably doing pretty well.
20:25 <@gmaxwell> so one thing to do would be for every account to be based on two keys, an encryption key for antifraud, and a signing key for spending.
20:26 <@gmaxwell> the system could publish all the antifraud proofs, encrypted.. so that it can't tell who's paying attention.
20:26 <@gmaxwell> Moreover, people could hand over copies of their anti-fraud decryption keys to friends that they don't mind losing some privacy to.
20:26 <@gmaxwell> So the burden of checking could be shared.
20:27 <@gmaxwell> ALTERNATIVELY. the system could pay users to check.
20:27 <@petertodd> How so?
20:27 <@gmaxwell> e.g. you get an inactivity fee if you're not checking.
20:27 <@petertodd> Ah, so if the server doesn't get the occasional query?
20:27 <@gmaxwell> right. if the server doesn't get queries from you it deducts your balance until your balance is gone.
20:28 <@petertodd> So, the signing key can be ECC, and then the encryption key should be a private key, so the bank can't publish your details behind your back.
20:28 <@gmaxwell> If you're still querying though you keep a balance. Rather than prevent the theft we institutionalize it. :)
20:28 <@petertodd> And furthermore, the ledger should also publish the hash of the current anti-fraud proof, so you can always just give someone the proof, and they can verify it.
20:29 <@petertodd> Ha, I like the institutionalization... Standard expiry time thing.
20:29 <@gmaxwell> Well, one way to prevent theft is to give people an honest way to get the same (averaged) gain permissibly and within the rules. :)
20:29 <@petertodd> For sure
20:29 <@gmaxwell> but since everyone knows how it works, they can behave accordingly.
20:30 <@gmaxwell> if the bank can rob you if you don't check make it permitted to do so. (slowly)
20:30 <@petertodd> Also, note how if the ledger is purely balance based, we actually can do chaum tokens still.
20:30 <@petertodd> A chaum transaction just means an increment in the special outstanding token balance, followed by a decrement.
20:31 <@gmaxwell> right, there could be special accounts for outstanding chaums of different sizes.
20:31 <@petertodd> Yup, powers of two would be good.
20:31 <@gmaxwell> and the chaum validation key could be public. Though you couldn't prove that they weren't overprinting chaums.
20:32 <@gmaxwell> but only users with chaum in hand would have that risk.
20:32 <@gmaxwell> well I suppose you could, but we're back to the registering thing. :)
20:32 <@petertodd> Yes, they'd be at risk the second every outstanding chaum token gets redeemed.
20:33 <@gmaxwell> I think people are not that uncomfortable with banks that themselves are single privacy points of failure though. I mean we have that for everything except cash. Use the bank via tor.
20:34 <@petertodd> Probably true really.
20:35 <@gmaxwell> mostly I'd like to see this on testnet, just as a tool to get more people to dork around with testnet... though if the code were available some fool would run it for real. :P I wish them luck.
20:35 <@petertodd> Oh, and it's interesting: withdrawals can be handled just fine using the "non-backing" store of value basically, in the reverse of deposits. So really without a lot of collusion you'd never figure out where coins are going on-chain.
20:35 <@petertodd> Yes, I think "release the code" is a very, very good model...
20:36 <@gmaxwell> yes, that's a good goal and I'd realized that too.
20:36 <@petertodd> Good.
20:36 <@gmaxwell> it also, again allows for more efficient withdraws.. batched, mtgox code, chaum tokens with some other system.
20:37 <@gmaxwell> The only thing provable is that the bank holds a certain amount of money, and technically even that proof would only be available to balance holders, you'd make the txids of the holding txn part of the proof hashtree.
20:37 <@petertodd> That also gets you five types of transactions: in-system, proxy-withdrawal, proxy-deposit, real-withdrawal, real-deposit, with the latter two basically only ever happening for the ledger's main account.
20:38 <@gmaxwell> right. Well, and because the in-system traffic is only checked by the system and the involved users you can have whatever complicated rules you want. In system escrow txn? no problem.
20:38 <@gmaxwell> Reoccurring payments?!@# no problem.
20:39 <@petertodd> You know, you can just give the user a way to sign that they accept the balance on their account too, so you can expire old tx history.
20:39 <@petertodd> With part of that signature being over the master hash.
20:39 <@gmaxwell> indeed, then it actually converges on a consensus system.
20:40 <@petertodd> Include a bitcoin proper blockchain hash, and a timestamp, and you can constrain the time quite nicely too so you can do tx history expiration.
--- Day changed Sat Mar 02 2013
12:18 < HM> but the advantage of a stack was scriptSigs and scriptPubkeys are easy to combine
12:18 < HM> and evaluate
12:18 <@sipa> which means it can be merkleized: you associate a hash with every node, and by just having the root hash, you can prove that a particular path through the tree belongs to it
12:18 <@sipa> HM: in practice, that is not the case anymore by far
12:19 <@sipa> plus it is hard to analyse
12:19 <@sipa> and actually terribly complicated to write actually useful complex scripts
12:20 < HM> wait, how does one path on an AST prove anything/
12:20 < HM> ?
12:20 <@sipa> ok, so imagine you had in your script AST language a construct "if BOOL then X else Y", where X and Y are subtrees
12:20 < HM> how would you do multisig for example as an AST
12:21 < HM> that should be a simple example
12:21 <@sipa> you could have a node that requires a valid signature as input (input just becomes a list of values, and the AST refers to specific elements in it)
12:22 <@sipa> combine two such nodes with an AND, and you have 2-of-2
12:22 <@sipa> combine it with an OR, you have 1-of-2
12:22 <@sipa> use a COUNT operator to compute the number of valid signatures on top of 3 such sigchecks, and compare it with >=2, and you have 2-of-3
12:23 < HM> i'm struggling to see how you refer to vin provided values in a script
12:23 <@sipa> ok, so scriptSig just gets replaced by a list of values - no script or anything fancy
12:23 < HM> sure
12:24 <@sipa> our language has these nodes: DATA(X), with X an integer, returns the input value number X
12:24 <@sipa> AND(X,Y), requires X and Y both to evaluate to true
11:53 < jgarzik> it gets ever more expensive to set up a full node
11:53 < jgarzik> and all of them are unpaid
12:01 < jgarzik> Satoshi predicted bitcoin would eventually devolve into miners running the only full nodes that would be disappointing
12:13 < nanotube> bitcoind is also using roughly 500MB of ram. I've got 2G here, so i could up the connection count to like 512 and see how it likes it.
12:26 < nanotube> anyone checked out http://academiccommons.columbia.edu/catalog/ac:110756 ? i just found it, seems like if it would work for tornodes, it might also work for bitcoin nodes?
13:07 < jgarzik> nanotube, the no-wallet mode should help
13:10 < nanotube> personally i'm not hurting for ram on this vps, but yea the less ram it uses, the lower the barrier to running a node.
17:57 < gmaxwell> 09:01 < jgarzik> Satoshi predicted bitcoin would eventually devolve into miners running the only full nodes that would be disappointing
17:58 < gmaxwell> especially since there are only like 5 miners. :(
18:00 < gmaxwell> nanotube: I've had some ideas about a lottery to pay people that runs nodes... but I'm somewhat concerned that once you've gone down that path it's not hard for someone to outbid you with "My lottery pays 10% more, but you have to run this special node software which is detectable as special only to me that does <???>" (e.g. sends logs of all transactions back to a mothership, imposes new network rules, etc)
18:00 < warren> fully verifying or archival with all blocks?
18:00 < warren> miners don't even need full blocks...
18:01 < gmaxwell> warren: that assumption wasn't that it would be out of necessity. Once you've got a business that has you supporting the bitcoin network, .. having a few hundred gigs of diskspace for it isn't that big a deal.
18:02 < gmaxwell> so at least as the network rules are now, I don't think access to the historic blocks is the greater problem.
18:03 < gmaxwell> (ha, well I say that, but currently none of my nodes could spare more than 100gb for bitcoin... my standalone nodes are on 120gb SSDs, and I only have 270 gb free on my laptop.)
18:06 < warren> I suppose it's more important to have more listening fully verifying nodes than to have archival nodes.
18:06 < sipa> archival nodes can just be gttp servers
18:06 < sipa> or dropbox
18:07 < sipa> *http
18:07 < sipa> there is nothing hard about them, except storage and bandwidth
18:07 < gmaxwell> I really really don't like this bimodal thinking that some people are developing wrt a bright line between full vs archival. I think it's a receipy for disaster, because it provides no way to contribute partially: just a binary "enormous amounts of bandwidth and storage" or "not enormous".
18:07 < warren> would the future client automatically enforce integrity of that bootstrap.dat by keeping the checkpoints?
18:07 < sipa> right
18:07 < maaku> gmaxwell: an altchain using your utxo-pow, plus cross-chain trade exchanging altcoins for bitcoins?
18:08 < gmaxwell> recipe*
18:08 < sipa> heh, i want to get rid of checkpoints altogether
18:08 < warren> I know
18:08 < warren> hence I asked if there's any safe way to automatically enforce bootstrap.dat integrity without it
18:09 < gmaxwell> yea, checkpoints need to go, they're a huge cognitive landmine. :(
18:09 < warren> how so?
18:09 < gmaxwell> warren: they enforce it by having verified the chain.
18:09 < warren> aside from excuses from the broadcast checkpoint people
18:09 < sipa> why would bootstrap.dat need to be integral?
18:09 < warren> isn't that what you meant by http or dropbox?
18:10 < sipa> no, i meant that there is nothing hard about archival
18:10 < sipa> it doesn't need special software
18:10 < sipa> it doesn't need low latency
18:10 < sipa> it doesn't need trustable nodes
18:11 < warren> so it doesn't matter if it is corrupted or provided by a hostile entity, because it won't verify and come in sync
18:11 < sipa> yeah
18:11 < gmaxwell> warren: Because the notion of a decentralized consensus is really alien to people, and so they flail around looking for a traditional trust model inside bitcoin. Then they find checkpoints and they say "aaahhh.. Now I finally understand how bitcoin really works" but really they don't understand it at all. Bitcoin has failed if the production network's consensus is ever set by checkpoints. The result is people constantly making lame ...
18:12 < gmaxwell> ... insecure proposals and then excusing them with "sprinkle more checkpoints on them!" which doesn't really solve anything because .. what? are we going to add another blockchain to choose these checkpoints-that-would-actually-matter? and what would secure that one?
18:12 < gmaxwell> warren: plus you can do a light validation of it that just checks its hashes... and then you compare the best block hash to your own chain on your own node, and then you are 100% sure that the bootstrap.dat is correct.
18:13 < sipa> people have somehow accepted that you don't need signatures before the checkpoints
18:13 < sipa> which is true, once you trust the checkpoints
18:14 < sipa> but it really is just a shortcut to avoid a trivial mislead-a-syncing-client attack, if we'd just disable sig checking for old blocks
18:14 < gmaxwell> And of course that stuff closes off thinking optimizations which are not so hostile to a trust free model: things like randomly verifying and alerting people on any violation.
18:14 < gmaxwell> s/thinking optimization/thinking about optimization/
18:15 < sipa> they're an evil necessity once you accept the compromise of not checking all sigs
18:16 < sipa> with headersfirst syncing, you can safely disable sigchecking without checkpoints
18:16 < sipa> well, safely... not less safe than what we have now
18:16 < sipa> it's still a compromise
18:17 < gmaxwell> and there are more degrees available.
18:17 < gmaxwell> e.g. checking 1:1000 signatures in the historic chain is virtually as fast as checking none at all. But with many nodes, you are virtually assured that someone will notice any cheating ... drastically reducing the incentive to create a long fork that would be needed to attempt it.
18:17 < warren> "someone will notice" assumes others are not asleep to hear the warning
18:18 < warren> we have thousands of clients still running old versions that have perma-alerts ... asleep
18:18 < gmaxwell> warren: keep in mind you're already talking about that being predicated on an attacker replacing months of the chain.
18:19 < warren> true
18:19 < warren> ok
18:20 < gmaxwell> warren: I don't think it's worth the risk/code complexity at least in the short term but the response there could be automated ultimately.
18:20 < warren> are you thinking to do random sig validation, and also PoW validation?
18:21 < sipa> PoW + utxo everywhere, sigchecks after last checkpoimt: that's what we have now
18:22 < gmaxwell> warren: e.g. each node checks all the sigs for the blocks within the last two months of POW at current difficulty. And before that they check only 1:1000. (and if you have automatic response) if they find an invalid signature they could announce it, and the network could relay that announcement, and blacklist the block in question. (this last bit I don't think is worth doing in the short term)
18:22 < gmaxwell> (but I think it would be worth doing someday after utxo in blocks, with SPV nodes doing some randomized validation of their own)
18:23 < sipa> we could have something like pow + utxo everywhere, between 1 year and 1 month of PoW worth of burying and increasing % of sigchexks, and in the last month worth of PoW check everything
18:23 < sipa> my phone typing skillz are weak
18:24 < gmaxwell> This could be made stronger if it didn't just check the signatures in the last N POW-months of blocks, but also always checked all of them after a reorg.
18:24 < sipa> hmm?
18:25 < gmaxwell> sipa: e.g. say you check the last month of blocks. Then someone does a 1.25 month deep reorg. You'd still check all of those. So then a reorg could never insert invalid signatures. You could only get invalid signatures on startup... so an attacker could only trick new nodes, and his trickery would end as soon as everyone else got ahead.
18:26 < gmaxwell> basically it reduces an attacker issuing invalid signatures to isolation attacks instead of actually getting the network to accept an invalid signature as valid.
18:30 < gmaxwell> making that gate stateful kinda sucks. It could be better stated. "You will check all blocks higher than X, if you are aware of a header valid fork at X or prior which has at least Y work more than X", where Y could be something like a day's worth.
18:31 < gmaxwell> so normally a new node would check only the last (say) POW-month's worth of signatures. BUT if that node is not isolated and sees a long fork at 1.25 months, it will check since 1.25 months ago.
18:32 < gmaxwell> I am very happy with this. I think the result is that it is only a bootstrapping time compromise. E.g. there could be a conspiracy of bitcoin users to have broken the rules in the past, but nothing worse than that. And that can be substantially closed with random checks before the cutoff. (the conspiracy would only work if it could be kept secret).
18:42 < jgarzik> http://www.wired.co.uk/news/archive/2013-10/12/us-internet-control
18:42 < jgarzik> sad side effect will be greater localization of data inside more repressive regimes
18:43 < sipa> perhaps more on-topic in dev?
18:43 < sipa> or rather, less offtopic
18:50 < nanotube> gmaxwell: as to your concern for "i pay you more to run my special node" <- how does that become /more/ of a concern than now? currently, someone can say "i'll pay you to run my special nodes" and users will be comparing "run bitcoin nodes for no compensation" to that.
18:50 < nanotube> i don't see how compensating our nodes could make that problem any /worse/
12:27 < TD> (figure 1 shows lots of bouncing arrows between verifier and prover)
12:29 < gmaxwell> yea, okay, I hadn't seen their paper, just the code. Without looking I'm going to guess that their "contribution" was some interactive thing, but their source code appears to include basically pinocchio with the missing parts restored. (the pinocchio source code is incomplete: they used some microsoft internal pairing crypto library which they didn't release)
12:30 < TD> ah yes
12:30 < amiller> pantry seems to be based on an earlier protocol they built zataar which is pinocchio from scratch
12:30 < amiller> i think they mostly only used the c-to-circuits compiler frontend from zataar
12:31 < gmaxwell> I spent 5 minutes looking at their code ... didn't get as far as trying it because of the insane dependencies.
12:52 < amiller> from the paper it looks like there's only one round of interaction because all the pcp queries are in a batch, but it is private coin so you wouldn't be able to trust someone else's transcript
12:52 < amiller> that's way lamer than pinocchio unfortunately
12:52 < amiller> so tinyram is better yeah
13:53 < realazthat> amiller: mmm interesting
13:53 < realazthat> I'll look at it
13:54 < realazthat> TD[away]: I am not sure if tinyram base code is ready yet
13:54 < realazthat> but it is supposed to be available
13:54 < realazthat> I am unsure on licencing
13:54 < realazthat> you can mail eli
15:22 < sipa> petertodd: maybe better here
15:23 < petertodd> sure
15:31 < petertodd> sipa: parasitic consensus systems are going to be interesting, it's so damn easy to make them SPV compatible.
15:33 < petertodd> w/ TXO commitments, it'd be worth it to make sure such systems have nice blockchain interaction libraries, that do some validation while they get their data, and can spit out appropriate fraud proofs.
20:23 < gmaxwell> Damn. I really wish all those OP codes weren't disabled.
20:24 * sipa enabled OP_TURINGMACHINE
20:25 < sipa> *enables
20:26 < gmaxwell> (per Murphant on the forum) you could construct a transaction where alice pays to one of {alice in two weeks (nlock refund), alice + bob, bob but only if the signature provides a spv proof that a specific transaction was mined}
20:26 < gmaxwell> such a proof would be pretty easy to construct with the splice operators. and not terribly huge by any means.
20:27 < gmaxwell> The idea being that alice pays bob to make publicly disconnected transaction paying mallory. And if bob does, alice+bob sign and there is no linkage. If bob tries to cheat alice times it out and gets the refund. If alice tries to cheat bob blows her privacy by revealing he kept up his side of the deal.
20:30 < gmaxwell> It only needs script powerful enough to verify a SPV proof. e.g. provide txid X such that H(X|| non-public nonce) = Value in script, then a SPV proof that X was mined.
20:31 < gmaxwell> (of course with an AST script you wouldn't even reveal that the untaken branch of the script had a reveal-verifier, so no one could even tell that there was an airgapped payment made.
20:31 < gmaxwell> )
20:59 < gmaxwell> I wonder how awful it would be if we added a hashtree opcode.
21:01 < gmaxwell> inputs: [hash] [tree size] [position of hash in tree] [bunch of branch hashes packed up] ... and it emits a root.
21:02 < gmaxwell> it could be used for spv-secure cross chain transactions. With an extra opcode to check a header against the chain, it could be used to do proof of another transaction to allow those airgapped transfers.
21:10 < amiller> script powerful enough to do spv-secure is the basic idea of P2PTradeX
21:13 < gmaxwell> I know. (if you noted in that thread I wasn't all that excited about that, over what you can do with a simple two-hashlock transaction)
21:14 < gmaxwell> I suppose there is a hashlock version of an airgap payment too.
21:29 < gmaxwell> amiller: whos ya daddy? https://bitcointalk.org/index.php?topic=318122.msg3431242#msg3431242
21:32 < amiller> whoa
21:32 < amiller> that's neatttttt
21:34 < gmaxwell> (I just made some tweaks to make it more readable)
21:47 < gmaxwell> petertodd: https://bitcointalk.org/index.php?topic=318122.msg3431242#msg3431242 < can we try this protocol sometime? I believe I owe you some coin. :)
22:20 < amiller> i guess i don't see what the point of it is exactly, if you had an ordinary trusted mixer to use you could send the thing to own fake address and then to bob
22:21 < amiller> i guess it reduces the cost of using a mixer that way
22:21 < amiller> er reduces the time by one transaction
22:21 < gmaxwell> amiller: there is no linkage in the transaction graph between alice and bob at all. They can be forever completely disjoint.
22:21 < amiller> although there are still transactions just one is an escrow
22:21 < amiller> they both interact with carol
22:22 < amiller> carol can use different addresses but this is true of any mixing service
22:22 < gmaxwell> e.g. no amount of coin-flow analysis would show coins from alice end up at bob. Sure. But carol doesn't need to be trusted, and presumably carol keeps her funds separated.
22:23 < gmaxwell> amiller: yea, compared to j-random-mixer the mixer cannot steal (which means that the mixer can be strongly anonymous, which makes it less vulnerable to coercion: log or we break your fingers)
22:23 < gmaxwell> compared to coinjoin the transaction flow can be completely disconnected.
22:23 < amiller> so i can use this to mix with myself
22:24 < gmaxwell> yea, you could be alice and bob.
22:24 < amiller> i have to trust the mixer for anonymity but yes it can't steal my funds
22:24 < gmaxwell> Downside compared to coinjoin is that you can't blind the mixer, it learns the linkage.
22:24 < gmaxwell> since the transaction pattern is identifiable your anonymity set can't be bigger than all the people using similar transactions, alas.
22:26 < gmaxwell> (CJ has the benefit that the transactions are not distinguishable, except to the extent that they have unusual values or numbers of inputs/outputs... disadvantage that it can't produce a truly disjoint graph ... though arguably this doesn't either unless widely used)
23:04 < warren> petertodd: jdillon wrote to me. I'm still not convinced he's a real person.
23:06 < gmaxwell> I wondered for a bit if he might not be DPR until he seems to have showed back up.
23:07 < warren> huh. He did indeed disappear for a while.
23:08 < Luke-Jr> is it PGP signed? :P
:P 23:08 < warren> PGP signed and encrypted 23:10 < Luke-Jr> anyone can encrypt :p 23:10 < warren> yes, signed 23:10 < warren> perhaps someone else got his key with the $5 wrench attack 23:10 < warren> to ask me if petertodd and gavin are the same person 23:11 < warren> *Some parts of the above are a joke. 23:12 < gavinandresen> ok, ok, I'll fess up. I am peter todd and jdillon and satoshi. 23:12 < gavinandresen> hired an actor to PRETEND to be peter at the bitcoin conference.... 23:12 < Luke-Jr> :P 23:12 < gmaxwell> hm. Have I ever seen gavin and PT at the same time?!? 23:12 < warren> gavinandresen: must be very confusing to keep all the opposing positions straight. 23:12 < Luke-Jr> gavinandresen: it'd be more belivable if the actor was playing Gavin <.< 23:13 < gavinandresen> warren: gets easier all the time, this project will make you crazy 23:13 < warren> gavinandresen: too late... 23:13 < gmaxwell> HAH 23:13 < gavinandresen> good point, you have to be crazy from the start to seriously consider getting involved 23:13 < warren> it turns out that gluing together coin control and watchonly isn't easy. 23:15 * warren quotes gavin on twitter. 23:15 < Luke-Jr> gavinandresen: wait, you're not warren too? 23:15 < gavinandresen> Luke-Jr: no. But I am RealSolid. 23:15 < warren> wow, I knew it! 23:16 < gmaxwell> We knew that. 23:16 < Luke-Jr> gavinandresen: then you're slacking. I haven't heard from you as RealSolid in a few weeks.\ 23:16 < gavinandresen> lol 23:16 < gmaxwell> Next time get brad pitt to play you in the conference too. 23:17 * Luke-Jr wonders if RealSolid ever finished his rewrite of SolidCoin/MicroCash/whatever-it-is-now 23:17 < warren> Luke-Jr: his exchange is too profitable to waste time on yet another coin 23:17 < warren> I expect one day everyone's deposits will be stolen when he disappears. 23:18 < warren> Or is arrested for some unrelated reason. 
23:18 < Luke-Jr> heh
23:19 < warren> Would Bitcoin people sue for copyright infringement if he's ever identified?
23:19 < gmaxwell> Maybe RS is a social experiment I'm conducting in how disreputable a counterparty can appear before people will stop giving him their money. Current (revised) hypothesis is that it's unbounded.
23:19 < Luke-Jr> warren: doubt it
23:20 < gmaxwell> warren: poor guy has enough of his own problems.
23:20 < warren> Luke-Jr: I mean ... why not? You sue people with deep pockets.
23:20 < Luke-Jr> although that'd be entertaining to see
23:20 < Luke-Jr> warren: he has deep pockets? :p
23:20 < warren> Luke-Jr: have you seen his exchange recently? omgwtfbbq. very clever how he attracted a ton of deposits and grew to a massive size overnight.
23:21 < gmaxwell> well technically a pocket with a hole in it has no bottom.
23:21 * Luke-Jr wonders if any MIT licenses have been in court as a plaintiff
23:21 < gmaxwell> warren: what did he do?
23:21 < Luke-Jr> warren: I actually didn't know he *had* an exchange
23:21 < Luke-Jr> actually, I vaguely remember him asking me if I hacked it or something a few months ago
23:21 < Luke-Jr> but I never bothered to figure out what exchange he started
23:22 < gmaxwell> Luke-Jr: yea.. :( I was shocked to find this out about a month ago when he started posting around telling people to change their passwords, I ... thought he was trying to trick people into giving up their passwords or something.
23:22 < Luke-Jr> so what exchange is it? :o
23:22 < gavinandresen> RealSolid and Zhou Tong both have exchanges, supporting gmaxwell's hypothesis
23:23 < gmaxwell> Luke-Jr: mcxnow
12:23 < petertodd> adam3us: and I proposed just mixing in the previous block hash for the same reason
12:24 < petertodd> adam3us: no, I mean an address book on your offline wallet that you enter in manually by a manually verified process (letter in the mail) simple and easy
12:24 < petertodd> adam3us: people *do* do that
12:24 < adam3us> petertodd: yes so the problem is its one use, you have to enter a new one each time
12:24 < petertodd> adam3us: yes, and add some trivial bit of derivation and you're done.
12:25 < adam3us> petertodd: sounds like a sub-wallet and chain code
12:25 < petertodd> adam3us: my point is anything *beyond* that, say you want to verify a payment request, is better handled by a PGP extension to the payment protocol
12:25 < petertodd> adam3us: exactly, as I say, it's not hard
12:29 < adam3us> petertodd: see in the mid-term, once the bad-actors jump up over the next speed bump of payment request + client side trezor/offline wallet, some exchange or bitcoin processor is going to go under or lose its entire hot wallet, or have attackers redirecting payments because they assume a web server is not remotely compromisable
12:29 < adam3us> petertodd: we know thats just-not-true, and as the biz level increases and the bitcoin price increases, people will happily burn a collection of 0-days to disabuse them of that notion
12:30 < adam3us> petertodd: then the answer 'oh well they should've secured their site better' is not a clever answer - its a systemic risk from irrevocability and if we dont fix it the merchants will by adding revocability...
12:31 < petertodd> adam3us: so? put your payment protocol SSL key elsewhere - IIRC Gavin specifically made it use a subdomain for that reason
12:31 < petertodd> adam3us: the thing is we *can't* fix this for people in a sane way
12:33 < adam3us> petertodd: my argument is you can :) just assume (longer term) everyone is using some hardware wallet/token. now what do you do to help people authenticate one-use addresses in a simple native way. to say oh just make an HD sub-wallet and chain-code per recipient isnt fantastic as I dont think you can introduce them
12:34 < adam3us> petertodd: like i cant refer that to you, because its a point to point shared secret
12:34 < petertodd> adam3us: so is a HD sub-wallet and chain code
12:34 < petertodd> adam3us: sorry misread that
12:35 < petertodd> adam3us: right, but anything you try to do to refer someone else to me has you as a MITM... and OpenPGP WoT already puts tonnes of effort into solving that
12:35 < adam3us> petertodd: so if we replace shared secrets with identities i can tell you offline, yes look this is the static payment identity for this vendor
12:36 < adam3us> petertodd: but sub-wallet and chain code doesnt even help us if we're sitting side by side (in the end 2 end payment security view)
12:36 < petertodd> adam3us: yes, and a OpenPGP key is a static payment identity... don't re-invent the wheel
12:37 < petertodd> adam3us: it's also *way* more useful, because the infrastructure already exists to use it for other stuff, like send a PGP-signed email to customers
12:37 < adam3us> petertodd: i dont think you want to import pgp or x509 into bitcoin
12:37 < adam3us> petertodd: your trezor doesnt understand pgp wot nor x509
12:37 < petertodd> adam3us: we're not importing anything "into bitcoin" - we're using stuff for its intended purpose
12:37 < petertodd> adam3us: why not? they're moderately high-end arm processors
12:38 < petertodd> adam3us: *not* supporting it just means that users are going to fuck up on the manual verification bit
12:38 < adam3us> petertodd: i am not even talking about wot even, just that there ought to be a published static address (payment identifier) and one-use payment addresses can then be signed by them
12:38 < petertodd> adam3us: published where? how?
12:39 < petertodd> adam3us: signed by what?
12:39 < adam3us> petertodd: but if you call that the recipient account number, its no more complex to understand than a credit card check digit
12:39 < adam3us> petertodd: the underlying one-use addresses no longer need to be displayed to the user
12:39 < petertodd> adam3us: add a new type of UID to OpenPGP called your bitcoin chain-thingy-whatever
12:40 < adam3us> petertodd: app-level signatures from the app context can sign their stuff, and leave the basic is this a valid one-use address (transaction number) from this merchant to en2en
12:41 < petertodd> adam3us: sign where? how?
12:41 < adam3us> petertodd: i think what you're saying is the architectural equivalent of having sendmail sign your key fingerprint
12:42 < petertodd> adam3us: somehow the verification has to happen *on the trezor* and you have to get a fingerprint of a key securely *to that trezor*. If you don't use CA's, people will validate fingerprints on their compromised box, if you don't use PGP, same deal.
12:42 < petertodd> adam3us: if you do use CA's or PGP, then you've made the whole ecosystem more useful for everyone, especially the PGP option
12:42 < petertodd> adam3us: signing stuff is easy, verifying keys is what's hard
12:43 < adam3us> petertodd: i claim its a layering violation to think of the payment request msg as a proof that the address is owned by the merchant, so in the app context there is a payment request say, it signs a one-use address, and some information about what you're buying; but the underlying one-use address is signed by the merchant identity address (the base public key of the offline HD wallet)
12:44 < adam3us> petertodd: i am not saying dont use CAs i am just saying the architectural equivalent of dont use ssl transport on SMTP as an argument for not using PGP (end to end vs app level transport)
12:45 < adam3us> petertodd: the web app level and browser level is the payment request, x509 or other sig; the payment level uses different transport and has more secure key management
12:45 < petertodd> adam3us: and I'm saying the concept of a separate "merchant identity address" just introduces a whole new layer of exploits because users can't and won't have any way to verify that identity address other than CA's and PGP, so don't create separate systems.
12:45 < adam3us> petertodd: and no online app or client to attack
12:46 < petertodd> adam3us: yeah, and the payment protocol already supports separate keys by how it expects a cert for a subdomain
12:46 < adam3us> petertodd: the point is right now you have no way at the payment layer to validate the address is owned by the merchant. the payment request doesnt prove its owned by the merchant: it proves the merchants web scripting language signed it, but maybe from time to time compromised.
12:46 < petertodd> adam3us: now if you want to strengthen that, maybe make a third subdomain to sign for a long-term root or something, but don't make it a separate "merchant identity address" that the user will ever see (except in paranoid situations where they enter fingerprints in manually)
12:47 < adam3us> petertodd: i dont think its unreasonable to see an account number and check its correct off your last paper bill or whatever
12:47 < petertodd> adam3us: you don't deal with users...
12:47 < adam3us> petertodd: pretty much all credit card bill payment, online banking etc works that way
12:48 < petertodd> adam3us: *could* work - no-one actually does that.
12:48 < adam3us> petertodd: the payment identifier is a simpler concept that more closely matches their banking understanding - it is the merchants ACCOUNT NUMBER
12:48 < adam3us> petertodd: err when you set up a payment via online banking you probably either type or cross check the account number
12:49 < adam3us> petertodd: this just slightly tweaks the bitcoin concept to more closely match user expectation, and improve verifiability
12:49 < petertodd> adam3us: yeah, and it always gets back to how did you get that account number... which in turn goes back to *you need to make the trezor support CA's and/or OpenPGP anyway* so use that mechanism rather than writing yet more code
12:49 < adam3us> petertodd: i am not saying dont do those parts, but i am saying they are best effort app level/browser level things.
12:50 < adam3us> petertodd: to avoid paying the wrong person you need a stable account number analog and this is it
12:50 < petertodd> adam3us: no, for the average user they are absolutely critical to support directly in the trezor
12:50 < petertodd> adam3us: the majority of transactions aren't going to be done by checking account numbers
12:50 < petertodd> adam3us: you *must* do as good a job as possible on that common case in a way that users actually use
12:51 < petertodd> adam3us: since you must do that work, re-use the end result for the paranoid case...
12:52 < adam3us> petertodd: thing is if you look at eg armory or bitcoin-qt there is a list of one-use addresses, these are transaction numbers, but users confuse them for addresses, all i am saying, and i dont see why its controversial, is the address should be signed by the hd wallet root that generated them
12:52 < adam3us> petertodd: then that thing - the hd wallet root address is the account number, and you can display in conventional accounting format: account number, transaction number, merchant description, product description, units, cost
12:53 < petertodd> adam3us: it's controversial because it's useless :)
12:53 < adam3us> petertodd: foo youre just not appreciating the difference between layering it seems to me :|
12:53 < petertodd> adam3us: ok, account number == pgp fingerprint
12:53 < petertodd> adam3us: now you've re-used useful code and have a chance of getting better overall integration
12:54 < petertodd> adam3us: rather than Yet Another Signing System
12:54 < adam3us> petertodd: yes but what use is a pgp fingerprint to a trezor or offline wallet, dont tell me you want to add that to the bitcoin source code
12:54 < petertodd> adam3us: damn right I do, because you have to for the common case
23:24 < warren> gmaxwell: the "mcxfee" are sort-of like preferred stock entitled to a proportion of fees paid by customers. You can buy and sell mcxfee's as yet another BTC/something pair on his exchange. A portion of the mcxfees were sold to finance interest payments on deposits in the exchange. Interest coming from that pseudo-equity sales made people feel that it isn't a ponzi scheme. So in came a ton of deposits and lots of crypto/crypto pair tradin
23:24 < warren> g.
23:24 < gmaxwell> Luke-Jr: https://mcxnow.com/exchange/SC < how you can tell
23:25 < Luke-Jr> lol
23:25 < warren> The exchange is notorious for "excitement" of pump and dumps, and payban ... pay a fee to make someone unable to talk in the trollbox for a duration of time.
23:27 < warren> Hence, deep pockets. It's a good time to identify and sue him for copyright infringement, as he has something to lose now.
23:27 < warren> and it would be very entertaining
23:27 < Luke-Jr> warren: afaik he ceased
23:27 < warren> Luke-Jr: how long did he infringe after notice?
23:28 < gmaxwell> https://coinjar.io/ < zhoutong,
23:29 < Luke-Jr> warren: no idea
23:31 < gavinandresen> I'm a happy coinjar.io customer, by the way-- cheapest / most convenient way to sell bitcoins here in Australia right now.
23:32 < Luke-Jr> >_<
23:39 < gmaxwell> Plus you get bonus chinese antiques absolutely free!
23:41 < Luke-Jr> this guy wants to do CPU mining on an average PC, using javascript throttled to not make the computer slow.
23:41 < Luke-Jr> am I being fair estimating longer than Earth's existence for $10 worth?
23:43 < warren> Luke-Jr: if enough people do it, Earth's habitable duration might shorten, complicating your calculation.
23:45 < Luke-Jr> I mean past existence.
--- Log closed Tue Oct 29 00:00:56 2013
--- Log opened Tue Oct 29 00:00:56 2013
00:18 < petertodd> warren, gavinandresen: whoever jdillon is there's a lot of publicly verifiable proof-of-work and proof-of-sacrifice that's been involved to establish that identity :P
00:18 < petertodd> gmaxwell: we can tell if it's DPR by watching to see if his ideas get more or less intelligent now that the FBI is the puppet master
00:19 < petertodd> gmaxwell: so what opcodes do we need enabled?
00:20 < petertodd> warren, gavinandresen: BTW if anyone wants to establish intelligent-sounding sock-puppets, I'm willing to sell original, unpublished, crypto-coin theory for 1BTC a page, 0.5BTC if half-baked...
00:21 < gmaxwell> petertodd: none, I came up with a formulation that should work on the existing network. See link.
00:24 < petertodd> huh, I think I get it...
00:24 < warren> There's apparently a new DPR now.
00:24 < warren> The old one should sue for trademark infringement.
00:24 < petertodd> warren: oh yeah? mind, that's the whole point of that name...
00:25 < petertodd> warren: I'm also not going to be as surprised as I should be if the government can't prove their case; digital evidence is deeply untrustworthy. :(
00:26 < petertodd> gmaxwell: can you add some actual scriptPubKeys to your description?
00:39 < gmaxwell> petertodd: sure, this sound sane to you? This is the pubkey in the first transaction (ignoring the alice+carol branch)
00:39 < gmaxwell> scriptPubKey: [ OP_DUP OP_ROT OP_RIPEMD160 OP_EQUAL OP_VERIFY OP_ADD OP_RIPEMD160 PUSH_H(HX+Q) OP_EQUAL OP_VERIFY PUSH_CAROLPUBKEY OP_CHECKSIG ]
00:39 < gmaxwell> and this is what the scriptsig looks like:
00:39 < gmaxwell> [SIGNATURE PUSH_Q PUSH_X PUSH_HX]
00:43 < gmaxwell> and Carol's scriptPubKey towards bob is: [OP_RIPEMD160 PUSH_HX OP_EQUAL OP_VERIFY PUSH_BOBPUBKEY OP_CHECKSIG ] and the redeeming signature is [SIGNATURE PUSH_X]
00:43 < gmaxwell> (again ignoring the alternative carol+bob refund branch)
00:44 < petertodd> working on it...
00:45 < gmaxwell> so basically, to get paid bob must publish X for ripemd160(X) = HX. Carol can either get paid by alice's consent, or carol can instead use the knowledge of X to redeem alice's payment, but that makes the alice/bob relationship public.
00:47 < gavinandresen> gmaxwell: That OP_ADD is adding HX and Q ?
00:48 < petertodd> I was just about to say...
00:48 < petertodd> ADD is numeric
00:48 < petertodd> I think you want CAT which is disabled
00:48 < gavinandresen> ADD (and all the rest of the arithmetic ops) are crippled to only work on 32-bit numbers right now, too.
00:49 < petertodd> yup
00:49 < gmaxwell> aw crap, I forgot about that. @#$@#$@#($8324
00:49 < gmaxwell> (for some reason I thought it did bignum adds on hash outputs.)
00:49 < petertodd> gavinandresen: we're going to curse you until the end of time for doing that. (or until script v2.0, which ever comes sooner)
00:50 < gmaxwell> gavinandresen: and yea, it just needs some way of modifying the value that gets hashed because you can't disclose HX directly in the scriptpubkey
00:50 < gmaxwell> (if you want to keep the transaction private)
00:50 < gmaxwell> e.g. add, xor, cat, any of that would do.
00:51 < gavinandresen> mmm. Wish satoshi hadn't disabled the xor, that seems like it would be safe (never creates results bigger than inputs) and would be darn handy.
00:52 < petertodd> though OP_XOR was affected by the sign extension bug
01:01 < petertodd> gmaxwell: interesting how OP_EVAL could have worked here too, or OP_MAST_EVAL
01:14 < gmaxwell> petertodd: so I have a way of making it work I think but it's kinda awful.
01:14 < petertodd> gmaxwell: hang on, why not have Alice pay into 2 <ALICE> <CAROL> 2 OP_CHECKMULTISIG, and then require alice to sign a transaction spending that txout to RIPEMD160 H(X) EQUALVERIFY <carol> CHECKSIG prior to carol creating the txout for bob? it's almost as trust free
01:14 < petertodd> yeah?
01:15 < gmaxwell> because thats not private.
01:15 < gmaxwell> oh I see!
01:15 < petertodd> sure it is, carol only publishes the transaction if needed, the normal case is alice then signs her part of the checkmultisig with SIGHASH_NONE|ANYONECANPAY
01:15 < gmaxwell> Yea, you hide the alternative redemption by never announcing it instead of branching.
01:16 < petertodd> carol can spend at will
01:16 < petertodd> yup
01:16 < gmaxwell> Indeed. That works. Also makes the transaction look more indistinguishable! awesome.
01:16 < gmaxwell> So here is what I was going to point out.
01:16 < petertodd> ?
01:18 < gmaxwell> if you replaced the addition with Q with a cascade of RIPEMD160 or HASH160 with IFs.. e.g. 64 x {RIPEMD160 or HASH160} then 'q' becomes a sequence of 64 trues or falses you send in to pick which mixture of hashfunctions to apply.
01:18 < petertodd> ha, yeah, I thought of that, and thought it too awful to contemplate
01:18 < gmaxwell> E.g. R(H(H(H(R(R(H(R(H(R(H(R(R(H...(HX))))) = constant in the transaction.
01:19 < gmaxwell> petertodd: in any case you solved it, go post. :P
01:19 < petertodd> heh
01:19 < gmaxwell> Yours is an improvement anyways, makes the transaction smaller, makes it indistinguishable from other kinds of escrow transactions on alice's side.
01:20 < gmaxwell> (in the case where alice doesn't cheat, of course)
01:20 < petertodd> yeah, I should write an app for this...
01:20 < petertodd> surely that's deserving of a coinjoin bounty reward, even if it's not coinjoin!
01:21 < gmaxwell> Yea, it's sort of interesting to compare this with coinjoin, it has different properties. I think both are complementary.
01:21 < petertodd> yup
01:23 < gmaxwell> petertodd: in CJ we can arrange so that _no one_ learns the input/output matching, which we can't in this. But in this we can make it so that the coins have fully disjoint history. .. of course, this isn't secure until malleability is fixed.
01:24 < gmaxwell> (since you could announce a mutant, break the precomputed refunds, and then perform a holdup attack)
01:24 < petertodd> yeah, but alice is trusting carol to pay bob anyway, so carol waiting until the first tx confirms isn't a problem
01:24 < gmaxwell> petertodd: alice isn't, in fact, if alice makes carol write a refund transaction before alice announces the escrow payment.
01:25 < petertodd> I mean, I guess you're right that carol could run with the money, but carol is the party that's easiest to fidelity bond here
01:25 < gmaxwell> no need to!
01:25 < gmaxwell> this is trust free if everyone has refund transactions.
01:25 < petertodd> yes, but since we can't have 100% secure refund, fidelity bond carol :)
01:25 < gmaxwell> oh because of malleability, yea but that'll get fixed.
01:26 < petertodd> maybe... I can write this app this weekend!
01:26 < gmaxwell> it has a lot of states.
01:26 < gmaxwell> alice writes the escrow payment demands an nlocked time refund before announcing it. Alice announces. Carol demands a bob-secret release transaction before paying bob.
01:26 < petertodd> sure, but something that can be run by hand shouldn't be too bad
01:27 < gmaxwell> Carol writes the bob paying transaction but demands a nlocktimed refund before paying him.
01:28 < gmaxwell> that in hand carol pays bob. Then it confirms asks alice to pay up. If alice is unresponsive carol uses the stashed bob-secret release. or if bob doesn't redeem, she just gets her money back.
01:28 < gmaxwell> petertodd: got a better name for this than "airgapped payment"?
01:34 < petertodd> ooh, actually I think you could do a system where in the general case Carol's payment to Bob is a normal looking transaction too...
01:35 < petertodd> hmm... teleported payment?
01:37 < gmaxwell> petertodd: how?
01:38 < gmaxwell> I was trying to figure out if there was some way to abuse ECDSA but haven't come up with one yet.
01:39 < petertodd> have carol create txout 2 <carol'> <bob> 2 CHECKMULTISIG, and then sign her part of the txout with a transaction paying to HASH160 <hx> EQUALVERIFY <bob> CHECKSIG, Carol gives that partially signed tx to Alice, who then knows Bob can redeem the output via that tx at worst, while normally Carol would, once her payment is confirmed, just sign her part of the txout with a SIGHASH_NONE|ANYONECANPAY
02:39 < gmaxwell> e.g. You want me to permute some ballots but don't want me to cheat and replace them.
02:39 < gmaxwell> I produce 200,000 permuted sets and commit to a hashtree of them.
02:40 < gmaxwell> The hash tells me which ballot is the one ballot we're going to use, and then I reveal the log2(n) secrets required to recover all 200,000-1 other ballot sets and check my root.
02:41 < gmaxwell> so now we can do a secure shuffle and only send 2*log2(security parameter)+few hashes
02:50 < gmaxwell> it's an idea I'd like to publish but I just don't have the free cycles to actually determine if its been published before.
02:50 < gmaxwell> There are a bunch of little protocols you can get out of using tree-structured-secrets.
16:32 < midnightmagic> gmaxwell: I thought of a reason why proof-of-blockchain storage would still be useful. One could prevent access from all non-archival storage nodes who are connecting just to connect. You can be more sure they are at least helping store the blockchain, even if they may not necessarily do things like relay tx and just act as listening-post black holes.
16:33 < midnightmagic> plus ongoing validation could be if not guaranteed, at least tested for.
16:48 < Luke-Jr> sipa: cannot reproduce after make clean :<
16:52 < sipa> good!
16:54 < Luke-Jr> not really
16:54 < Luke-Jr> means there's some subtle bug in the build system *sigh*
16:54 < Luke-Jr> test_bitcoin seems to still be broken too :<
16:54 < Luke-Jr> (or again?)
16:59 < Luke-Jr> .. or am I running a stale bin :/
19:55 < HM2> I love this channel
19:55 < HM2> I never feel dumber just idling here and reading the scrollback like some of the others on freenode
--- Log closed Fri Oct 25 00:00:42 2013
--- Log opened Fri Oct 25 00:00:42 2013
00:29 < adam3us> musing (again) about whether there is an inherent need to order transactions via miner voting and longest chain algorithm
00:31 < adam3us> that is because the semantic is defined as first transaction is correct (and there is not really a first in a distributed system with unreliable network and untrusted nodes) so then voting and longest chain creates a proxy for first with a sequence of votes from block lottery winners
00:33 < adam3us> consider an alternate semantic: absence of a double spend implies validity, presence of double-spend implies invalidity, transaction aborted, and eg sender loses money sent (and fee)
00:34 < adam3us> in a network with that semantic, security relies on unjammability
00:34 < adam3us> but bitcoin already relies on that (otherwise hacked routers that can selectively delete packets in front of big pools can create problems)
00:34 < adam3us> no one awake huh?
00:38 < Luke-Jr> adam3us: and what of a double spend that occurs hours later?
00:38 < adam3us> yeah so i guess that would be defined as invalid
00:38 < Luke-Jr> retroactively invalidating the current transaction?
00:38 < adam3us> it doesnt give as much user choice of how many confirms to expect
00:38 < adam3us> no ignored as too late
00:38 < Luke-Jr> "too late" won't come to a consensus
00:39 < adam3us> well i was thinking if the spend is mined into a block as now, then you have a timestamp on the spend
00:39 < adam3us> then say both parties agree to 6 confirms
00:40 < adam3us> and so long as there are no double spends on the network in that time the transaction is deemed valid
00:41 < adam3us> so rather than different views of which transaction came first in a double spend triggering orphans (if the conflicting blocks happen close enough to at the same time)
00:41 < adam3us> they are valid, they just invalidate the conflicting transaction (if they happen within 6 blocks of the original transaction) say
00:43 < adam3us> the next block mined on top refers to both branch hashes, as they are no longer considered to conflict
13:10 < jgarzik> gmaxwell, amiller, anyone played around with CP-ABE + bitcoin, that we're aware of?
13:12 < sipa> cp-abe?
13:12 < petertodd> adam3us: re: double-spends, remember that the blockchain serves as proof-of-publication: by defining the blockchain as where transactions are stored, participants can use their knowledge of the blockchain to be sure they know of every valid transaction in existence, and thus they know about all double-spends.
13:13 < petertodd> adam3us: dealing with attacks via information hiding is something I've been thinking about a lot lately re: ideas to "shard" the blockchain data so you only have to keep up to date with part of it
13:17 < petertodd> adam3us: (by "they know about all double-spends", remember that you could make a bitcoin-like system where double-spends *are* allowed in blocks, but are invalid and are just useless data! it's only an *optimization* that the bitcoin protocol doesn't allow double-spends to be in the blockchain!)
13:17 < jgarzik> sipa, https://en.bitcoin.it/wiki/Distributed_markets#Pay_to_policy_outputs
13:19 < adam3us> petertodd: well maybe (about optimization), tho Luke-Jr said well what if the spend comes in later, when do you declare it too late to add a double-spend (invalidating a transaction)
13:20 < amiller> jgarzik, i don't know of anyone that's used it, no
13:20 < amiller> jgarzik, i think i understand it pretty well and it's not too complicated
13:20 < amiller> i mean i don't see any obstacle to using it except you'd have to support a diff signature type
13:21 < amiller> you'd have to have a trusted issuer anyway though
13:21 < petertodd> adam3us: oh, you're proposing something where both transactions are invalid?
13:21 < amiller> so i can't imagine the setup model is something anyone would buy
13:22 < adam3us> petertodd: well musing about the implications of that model yes, if there would be any advantage to be had by exploring it
13:22 < amiller> it's a lot of extra effort and complexity for having a trusted third party that could just be online and sign the transactions anyway
13:22 < adam3us> why is a block so big anyway that 1MB starts to be a problem? doesnt it refer to the txids rather than include the text of the tx?
13:22 < petertodd> adam3us: right, problem there is it lets you grief anyone getting paid by the transaction. I've proposed stuff kinda like that, but only in the context of fidelity bonds
13:22 < jgarzik> amiller, true
13:22 < jgarzik> amiller, I was thinking of it in context of oracles and agents
13:23 < adam3us> cant a block therefore refer to a huge number of txs relatively compactly in a merkle tree?
13:23 < petertodd> adam3us: with a better scripting language you could have a system where proof-of-double-spend can be used to destroy the bond
13:23 < adam3us> yes thats true
13:23 < sipa> adam3us: a block's size refers to header + tx body
13:23 < sipa> adam3us: that doesn't mean it needs to be transferred that way
13:24 < sipa> but the rule for limiting block sizes uses that
13:24 < jgarzik> I want to play with sending block header + list of TXs via UDP
13:24 < jgarzik> er, header + coin base + list
13:24 < petertodd> adam3us: Yes, but miners still have to have the bandwidth to process every transaction; this leads to what I call the censorship problem: if mining can't be done in a low-bandwidth way, mining has to be done out in the open, hence it gets regulated. We can design Bitcoin so multiple low-bandwidth participants can collectively validate the blockchain, but unless they can collaborate to also mine blocks transactions can be censored.
13:24 < adam3us> petertodd: there are signatures that are one-show, show two signatures you reveal the private key, that might be some discouragement (though a one use private key is inherently fairly harmless once its spent)
13:26 < adam3us> sipa: so why the discussion of limiting block sizes to 1MB if its just a compact collection of references to already sent transactions?
13:26 < petertodd> adam3us: yeah, lots of possibilities. Note w/ fidelity bonds that they actually need a real-time proof-of-publication system - if you don't have that, you can't know if the total amount of transactions being done right now attempting to defraud people (guaranteed by the bond) greatly exceeds the value of the bond. :(
13:27 < sipa> adam3us: because the rule already exists, and changing it is a hard fork
13:27 < sipa> adam3us: btw, the current p2p mechanism does in fact send a block in full
13:27 < petertodd> adam3us: remember too that currently there's way to do partial validation of blocks, or to produce short proofs that a block is invalid/fraudulent. If the blocksize is much larger, it won't be possible to validate the blockchain at all without a low-bandwidth internet connection because you won't be able to keep up.
13:27 < adam3us> sipa: does that mean data gets sent over the wire twice?
13:27 < sipa> but it's not an actual requirement, and changing the protocol is easy
13:27 < sipa> adam3us: yes
13:28 < sipa> but even if the protocol is changed not to send duplicates (like bip37 does), the hard rule remains defined over the actual block size
13:28 < adam3us> sipa: doh :) but changing that would mean blocks can be as big as you want practically and so maybe reduce this need for mining fees, though other than block size, its also about throttling spam (low value tx)
13:28 < petertodd> adam3us: sending full blocks has some advantages though in that it removes incentives to play games with propagation to disadvantage smaller miners. makes the system more reliable too as the worst-case and average-case propagation times are closer
13:29 < sipa> i am very unconvinced that the p2p tx broadcast mechanism will remain the primary way of delivering transactions to miners
13:30 < petertodd> sipa: sadly you're probably right... out-of-band payments is really nasty this way, because it could be a strong incentive for pools to remain large :(
13:30 < sipa> yup
20:54 < jgarzik> sipa, thus the proposed "just email your draft to XXX, and the rest will happen"
20:54 < jgarzik> for the git-scared
20:54 < jgarzik> Linux kernel always had a process for people who did not want to touch git at all (sometimes it was necessary for legal reasons). You can always just email a patch against a tarball.
20:56 < gmaxwell> I do think we should have clear separation from "crap random person produced" and something that has had some public support.
20:56 < jgarzik> commit access can be anybody trusted, even outside dev team. mainly must fulfill rule "BIPS editor + backups in case he goes crazy or gets hit by a bus"
20:57 < gmaxwell> E.g. no BIP number for things that are just submitted.
20:57 < jgarzik> indeed
20:57 < gavinandresen> jgarzik gmaxwell sipa: I'm thinking of cleaning up pull requests by closing anything with a merge conflict more than X months old. I'm wasting time constantly re-reading old requests....
20:57 < jgarzik> gavinandresen, my standard is "rebased has been requested, and not responded to after X months"
20:57 < jgarzik> *rebase
20:58 < jgarzik> gavinandresen, kinder gentler to request a rebase first
20:58 < gmaxwell> gavinandresen: fine with me. To avoid bruised feelings you can say that it can be reopened with a new patch if someone would like to continue it.
20:58 < gavinandresen> I'll definitely say "reopen after rebase"
20:59 < gmaxwell> gavinandresen: note that random people can't actually reopen themselves (IIRC only people with commit access can)
20:59 * gmaxwell hops onto an airplane
20:59 < gavinandresen> gmaxwell: ok, I'll definitely say "open a new request after rebase"
21:00 < gavinandresen> (they can link to discussion in old request, if it is relevant)
21:00 < gavinandresen> Wading through long discussions in old pull requests is a time-sink, too
21:00 * jgarzik wonders if github supports close-with-boilerplate
21:00 < gavinandresen> What do we like for X months?
21:00 < jgarzik> 2-3
21:01 < jgarzik> *poof* hops on the baby bedtime bus.
21:01 < gavinandresen> good deal, prepare for a flurry of closes....
21:02 * sipa prepares by closing his eyes
21:02 < sipa> zZzZ
21:04 < Luke-Jr> I seem to have a PR rebase/fix period of about 3 months with my current workload :<
21:04 < Luke-Jr> too bad github doesn't make it possible for the author to reopen things
21:25 < petertodd> sipa: if we ever made a standard transaction type with scriptSig's with single byte pushes, then yes, the current ref implementation would reject it
21:26 < petertodd> sipa: point is if you do scriptSig << single-byte in the C++ code, it gets added with a PUSHDATA always
21:28 < petertodd> sipa: "< sipa> i git-sign all github merges i do now :)" <- careful, I *will* call you out on that if you ever don't :P
--- Log closed Mon Oct 21 00:00:28 2013
--- Log opened Mon Oct 21 00:00:28 2013
00:52 < sipa> petertodd: i certainly sometimes won't; i don't always have access to my gpg key
00:53 < sipa> petertodd: right, i think i got that, but at some point lost that comment on github; is there any reason why we can't just fix that single byte push at the same time?
00:54 < sipa> petertodd: i understand that functionally, it is not required now, as any transaction to which it applies is already non-standard
00:55 < sipa> but i'd rather just have a single version, which can later be moved from IsStandard to a network rule
00:59 * Luke-Jr wonders if we should start deploying some form of gmaxwell's antispam addresses in 0.9 so there's some overlap time
01:02 < sipa> given that the majority of clients don't even support sending to P2SH, i really doubt any will be implementing a new and less convenient one, as long as there are no clear benefits
01:03 < Luke-Jr> sipa: there are clear benefits, becoming more necessary every day it seems
01:04 < sipa> for the network, obviously
01:04 < sipa> not for them
01:07 < sipa> you don't have to convince me of the benefits, i'm just very skeptical whether the community would adopt a new address scheme in the first place
01:08 < sipa> with something like the payment protocol, this would be significantly easier
01:08 < sipa> but even in a best-case scenario, far from every transaction will use that
01:15 < Luke-Jr> hm
01:15 < Luke-Jr> does the payment protocol support something like this already? :/
01:16 < sipa> no, it can't
01:16 < sipa> as it needs non-transparent client support
01:17 < sipa> but with a payment protocol, it's just client authors that need to adopt it
01:17 < sipa> rather than everyone
02:29 < petertodd> sipa: right, so go off and update your pull-req to make that change :P
02:30 < petertodd> Luke-Jr: I'm kinda skeptical of P2SH^2 right now, given that my TXO commitments make the UTXO set size much less worrying, and embedding data in the chain via pubkeys is still possible there
03:32 < sipa> petertodd: but it's an order of magnitude more invasive
03:33 < sipa> do you really think bitcoin could be converted into someday
03:33 < sipa> ?
03:34 < sipa> i consider it an idea worth exploring in an altcoin, at least initially
04:04 < petertodd> sipa: invasive? I dunno, I think it's less invasive than UTXO commitments - the code is simpler for one.
04:04 < petertodd> sipa: Remember that TXO commitments with txin proofs scale in that you can always store some or all of the UTXO set to reduce bandwidth.
04:05 < petertodd> The main thing is to have a protocol where you can ask your peer for proofs of txins that you yourself don't know about, allowing you to drop UTXO's you don't think are going to be spent. (preferably even fully selectively)
05:05 < sipa> petertodd: i mean compared to transferring an address preimage along with transactions
05:06 < sipa> they're just so different degrees of 'different', that saying that one isn't necessary because the other fixes it in a better way isn't very relevant
05:06 < sipa> in a theoretical from the ground up cryptocurrency you are right of course
05:07 < sipa> but bitcoin has an actual economy and community around it that every change can be hard
05:08 < petertodd> oh, right, yeah, I agree that's invasive
05:09 < sipa> put otherwise: i see address preimages as something that is still bitcoin and can be integrated
05:09 < petertodd> Still I think TXO commitments have so many long-term advantages for scalability that they're worth it on that alone.
05:09 < petertodd> And I disagree with the idea that they're "not bitcoin"
05:10 < sipa> what is bitcoin can change over time of course
05:10 < sipa> but change likely needs to be gradual
05:10 < petertodd> And actually... maybe you can make the argument that TXO commitments are less invasive than P2SH^2 - they're only a validating node change, not a client-side change.
05:10 < sipa> huh?
05:10 < sipa> maybe i misunderstood it then
05:11 < petertodd> Hmm... and actually, I'll argue the TXO commitments are more gradual too, given they're a mining soft-fork.
05:11 < petertodd> sipa: TXO commitments is just taking a hash of a merkle mountain range of the TXO set, spent and unspent.
05:11 < sipa> but the sender needs to construct that, no?
05:11 < petertodd> no!
05:12 < petertodd> anyone between the sender and the miner can make the proof; initially senders would likely not bother implementing it, and everyone would be forced to have near-complete UTXO sets
05:12 < petertodd> but that can change gradually
05:12 < sipa> right, ok
05:13 < sipa> but the idea was to move storage away from validation nodes?
05:13 < petertodd> basically an implementation strategy would be 1) implement hashing code, 2) do soft-fork, 3) start adding networking protocol rules to be able to use proofs, 4) start working on fraud proof stuff, 5) eventually start using them to store less data
05:14 < petertodd> changing clients only really has to happen at the very end
05:14 < petertodd> potentially never
05:14 < sipa> i still consider it a far more invasive change :)
05:14 < sipa> but maybe that's because i understand it less
05:14 < petertodd> there's a lot more client code out there; lots of stuff assumes addresses have specific forms
05:15 < petertodd> besides, we need TXO commitments for scalability and fraud proofing in the long run.
05:16 < sipa> i find that an odd statement
05:16 < petertodd> why?
05:16 < sipa> would you have said that before you knew about that possibility?
05:16 < sipa> of course anything that improves scalability is an improvement
05:17 < sipa> but needing makes it sound like it is the only possibility
05:17 < petertodd> yes, I got Gavin to agree months ago that fraud proofs w/ UTXO sets were a pre-condition to changing the blocksize for instance, and I still wanted them even if we didn't to make fidelity bonded banks more auditable
05:17 < petertodd> UTXO commitments are the other option, but they don't let you avoid storing the whole UTXO set
05:18 < petertodd> keep in mind that MMR TXO commitments are a form of UTXO commitment that just happens to also commit to all transactions ever made by accident :P
05:19 < sipa> i'm weighing the difficulty of change vs the scalability improvements over time
05:20 < petertodd> well Mike's view is that we'll magically apply enough social pressure that the UTXO set remains small so P2SH^2 isn't needed :P
05:20 < sipa> if you look at a longer time span, more scalability is likely worth it
05:21 < sipa> but that doesn't mean we don't have short term problems that need fixing first
05:21 < sipa> like having a client that doesn't corrupt its database all the time for some people
05:22 < petertodd> but, is some data in the UTXO set a big enough problem in the next few years that we have to go off and change every bit of bitcoin-related software that assumes addresses are of a certain form?
05:22 < sipa> it's more about setting the right economic incentives than an actual short term problem i guess
20:08 < gmaxwell> (coinswaps require there to be two parties, one that wants altBitcoin and has bitcoin, one that wants Bitcoin and has altBitcoin... nice little trading business... but you need the bulk moves in order to not be constantly going broke on one side or the other)
20:09 < gmaxwell> and yea, in that case requiring 100 headers would be fine.. (but damn that would really be nicer with a snark than 8kb++ of header data in the txn)
20:19 < andytoshi> arguably, this is exactly the way to experiment with snarks
20:19 < adam3us> andytoshi: unless its your bitcoins in the alt :)
20:20 < andytoshi> :P that's right, i keep forgetting these things are so valuable
20:23 < gmaxwell> IMO SINs are the best snark experiment. :P
20:25 < gmaxwell> BlueMatt: some extra points you might have already realized: the altcoin itself can do the "coinjoin". You make a tx there with a special ToBitcoin Txout and it adds a scriptPubKey to a list maintained by miners, and every {interval} that list is published in the block in a location that makes the proof for it really compact (e.g. at the top of the hashtree) and it has all the values and scriptpubkeys that need to move over.
20:25 < BlueMatt> yep
20:26 < BlueMatt> wait...can you do rolling outputs to the alt?
20:26 < gmaxwell> The next is that point I made about the redeem transaction being temporarily locked and 'reversible' via a longer chain means you don't need to have a long proof.. just a couple headers to prevent a dos attack, if someone cheats someone will unsteal the coins with a longer proof.
20:26 < gmaxwell> thats rolling outputs from the alt to bitcoin.
20:27 < BlueMatt> ie the alt always has one and only one output to it (if its in the standard form, anyone can create the next txn) that keeps track of all the outputs to the alt, and then to spend, you have to provide spv proof from the previous roll to the current chain?
20:27 < gmaxwell> yea thats what I was imagining the whole time.
20:27 < BlueMatt> ahh, ok, yea
20:28 < BlueMatt> somehow I was only picturing individual outputs and arbitrary spv proofs back some fixed distance
20:28 < BlueMatt> gmaxwell: some of us are slow :p
20:28 < gmaxwell> nah, then you get into granularity problems. :P sorry.
20:28 < gmaxwell> darnit I had one more idea and now I'm forgetting it.
20:29 < BlueMatt> yea, it seemed to not scale...
20:29 < maaku> BlueMatt: give altcoins an annual demurrage rate of 50%
20:30 < gmaxwell> oh, how they pay their miners? I figured miners in the alts would be purely paid by transaction fees.. in bitcoins.
20:30 < BlueMatt> gmaxwell: yes, thats something I was largely ignoring for complexity reasons...needs thought
20:30 < BlueMatt> maaku: hmm?
20:30 < amiller> that's a neat question, BlueMatt.
20:31 < gmaxwell> BlueMatt: oh ohoho the other point wrt security.... nothing stops bitcoin miners from also validating the altchains, they're just not required to. So if they do see a bogus proof they can just ignore it unless it gets into the chain.
20:31 < maaku> was reading the log; that's for experimentation in an altcoin without threatening bitcoin as a store-of-value
20:31 < BlueMatt> maaku: well, there are plenty of ways to accomplish it, I just wanted to do it while allowing good scaling/storing value in btc in altchains
20:32 < BlueMatt> gmaxwell: hmm, yes
20:32 < BlueMatt> fun
20:32 < gmaxwell> though I think since we're willing to tolerate long release times, the ability to unsteal with a longer header is pretty good.
20:33 < BlueMatt> yup
20:58 < valek1024> hello
20:59 < valek1024> can someone point me in the right direction for selling my 2011 first month of mint casascius bitcoin with the error in the hologram. the error is a misprint in the background of the hologram the casascius is missing the middle s
21:00 < BlueMatt> terribly, terribly wrong channel
21:01 < valek1024> ty bluematt i understand i am in the wrong place but as wizards shouldn't you be able to help?
21:01 < maaku> ebay?
21:02 < BlueMatt> valek1024: no, we cant help, go elsewhere
21:02 < maaku> valek1024: we could design you a secure multi-party cryptographic auction protocol
21:03 < maaku> but finding buyers is your job ;)
21:03 < maaku> maybe #bitcoin
21:03 < valek1024> see that is helpfil
21:03 < valek1024> helpful
21:04 < midnightmagic> No. #bitcoin-otc for selling goods.
21:04 < valek1024> there is and was no reason to be rude sir, i was simply asking for help
21:04 < midnightmagic> #bitcoin will boot for that.
21:05 < BlueMatt> (we should too)
21:41 < adam3us> gmaxwell, BlueMatt: suggest to write this up and get further details and efficiency worked out. i think its potentially very useful to combat the remaining rationale for the existence of alts (other than enriching their creators, preminers and early rented vsp early miners before their no real transaction bubble bursts)
22:34 < gmaxwell> adam3us: it also adds to the scalability dialog... but perhaps what we should do is just do a trial implementation.
22:35 < BlueMatt> gmaxwell: yes!
22:35 < BlueMatt> you should totally find time to do that
22:36 < adam3us> fantastic :) i can maybe help out in some way
22:37 < BlueMatt> keyword *you*
22:37 < gmaxwell> Tweedledee coin, and tweedledum coin.
22:40 < BlueMatt> heh, yup
22:41 < andytoshi> are the currently available snarks viable for a trial implementation?
22:41 < andytoshi> don't these proofs take days to generate?
22:47 < amiller> andytoshi, you can download pinocchio and use it now
22:48 < adam3us> andytoshi: if at all possible i would suggest to start with seeing how efficient it can be made without dependence on snark, bitcoin has simple & conservative crypto assumptions so far and that is a feature
22:48 < amiller> andytoshi, it unsurprisingly relies on a windows binary kernel to run the actual fast crypto, but most of their actual work is in python and they're almost done making it fully open
22:48 < amiller> andytoshi, it takes 15 seconds on a single core to prepare a proof about SHA1 on a small input
22:49 < amiller> andytoshi, you can also use pantry, it's fully open but has baffling dependencies and i haven't personally gotten past that
22:50 < andytoshi> awesome, i'll check them both out
22:50 < andytoshi> adam3us: i think you are missing the point :)
22:51 < adam3us> andytoshi: to not lose bitcoins and enable alts to respect the 21 mil digital scarcity?
22:51 < andytoshi> no, to be a wizard ;)
22:53 < adam3us> andytoshi: homomorphic encryption is cool too, but impractically inefficient. snark is cool and related and practically efficient, but has some newer crypto assumptions in my view. you dont want an alt to go up in smoke if someone finds a mathematical flaw in the deployed pairing params (eg)
23:01 < amiller> in my view, the effort of trying to optimize an implementation of traditional homomorphic encryption is almost certainly an overoptimization
23:02 < amiller> er premature optimization
23:03 < andytoshi> well, that'd be a research project in itself
23:09 < andytoshi> hey, pantry was developed partially here at UT austin
23:09 < andytoshi> i can track these people down and ask how to build it :P
23:11 < Luke-Jr> andytoshi: wait, you're in Austin? :o
23:12 < andytoshi> Luke-Jr: i started my ph.d. here this september
23:13 < andytoshi> i'm usually from vancouver
23:13 < Luke-Jr> andytoshi: doh, I was just there last week XD
23:13 < Luke-Jr> coulda met up
23:14 < andytoshi> oh! damn
23:15 < andytoshi> if we had a picture together, that'd show altoz that i'm not a sock puppet..
23:16 < Luke-Jr> altoz is silly, complaining that we're being rude( ) when his posts are the only ones that strike me as particularly rude O.o
23:16 < andytoshi> yeah, i read through yours just to be sure, and that's my interpretation too
23:16 < andytoshi> all i did was post a link and say "don't be rude" :P
23:17 < Luke-Jr> about the rudest thing I did IMO was decide I wasn't responding to some stupid comments of his <.<
23:18 < andytoshi> "
23:18 < andytoshi> I am using ECIES, I think. I would need a more experienced cryptographer to examine the code to make sure, but it's fairly straightforward."
23:18 < andytoshi> this is his latest response to "are you using ECIES?"
23:19 < andytoshi> imo you should've been much ruder :P
23:20 < Luke-Jr> lol
23:27 < gmaxwell> andytoshi: only the pinocchio (without the pairing crypto backend. :( ) and the pantry system are available
23:30 < andytoshi> you mean the zk-snark stuff is not public?
23:34 < amiller> pantry and pinocchio are both zk-snarks
23:34 < amiller> there are three zk-snark implementations, pantry, pinocchio, and tinyram, of these tinyram is not yet available
23:36 < andytoshi> oh, i see, thanks
23:37 < andytoshi> i have only read the first couple pages of this latest paper, i think it talks a lot about the background
23:37 < andytoshi> so i'll try to get straight what's been happening in this field
--- Log closed Wed Dec 18 00:00:05 2013
--- Log opened Wed Dec 18 00:00:05 2013
02:31 < gmaxwell> well pinocchio is only kinda public, the circuit generator is public, but without the underlying crypto libraries, it's not useful.
02:34 < gmaxwell> amiller: oh have they made the rest of pinocchio public now?
02:35 < gmaxwell> in any case, I think the obvious thing to do with pinocchio/friends is make a blind sin proof. Though I don't see how to do it without having an ecdsa verification under the proof... which is probably going to hurt a bit.
02:36 < gmaxwell> s/verification/signature/ in fact.
02:38 < gmaxwell> e.g. You make a proof of the statement X is the hash of a deterministic-signature of data Y, using a key, committed to by a SIN transaction paying >=Z in fees, spv connected to header Q.
02:39 < gmaxwell> Feed in the name of a site in Y "bitcoin talk" and X is an identity you use to log into the site that can be banned, and replacing it costs you Z bitcoin.
13:54 < gmaxwell> HOLY CRAP THAT TOOK TOO MUCH TIME
13:54 < gmaxwell> Here is the post I was looking for: https://bitcointalk.org/index.php?topic=20171.msg255631#msg255631
13:55 < gmaxwell> (I also, apparently, posted the same thing in response to claims that security could be paid by "assurance contracts": https://bitcointalk.org/index.php?topic=157141.msg1665607#msg1665607 )
13:56 < gmaxwell> amiller: in any case, we're very close to the coin burning race with this thinking.
13:57 < gmaxwell> amiller: the "if someone double spends you, you make a child transaction that sends all the coins to fees just to make sure the dude double spending you can't turn a profit"
13:57 < amiller> quick offtopic (on topic?) question
13:57 < amiller> does theymos maintain rigorous backups of the forum
13:57 < amiller> does anyone else help provide backups of it?
13:58 < gmaxwell> amiller: yes and yes.
13:58 < amiller> maybe bitcoin foundation would want to sponsor archival backups of resources like the wiki and the forums because there's tons of valuable data there
13:58 < amiller> ok
13:58 < gmaxwell> there are backups, encrypted to some set of keys. Some of the global mods have copies.
13:58 < gmaxwell> It would also be nice if the forum merkelized all the posts, and could publish roots that could be timestamped.
13:58 < gmaxwell> Some of the posts may be important in the future to thwarting patent attacks.
14:01 < petertodd> gmaxwell: would it be possible to make public post archives something that can be mirrored directly?
14:02 < petertodd> (in the clear)
14:02 < gmaxwell> You've got me.
14:02 < petertodd> I can certainly write the code to merklize/timestamp it all
14:02 < petertodd> ?
14:03 < midnightmagic> just love how merkle trees are going into everything these days
14:04 < gmaxwell> petertodd: it would probably be a relatively minor modification to the backup procedure to produce a hash root that could be spit out with the backup and timestamped to allow someone with the backup to do selective reveals.
14:04 < amiller> i bought merkletrees.org from namecheap (with bitcoins)
14:04 < midnightmagic> structured storage types would allow data mining if the data were public, too, based on timestamp and username.. forum-wide diffing would be cheap
14:05 < midnightmagic> amiller: glorious :)
14:05 < petertodd> gmaxwell: What form are posts stored in? I assume a mutable database right?
14:05 < gmaxwell> midnightmagic: I don't know that we (or at least theymos) necessarily wants to enable that.
14:05 < gmaxwell> petertodd: I assume. You know as much as I do.
14:06 < midnightmagic> merkle tree + timestamp, username, + link to forum individual message?
14:06 < gmaxwell> My only extra knowledge of the forum is that I'm a subforum mod in two sections, .. and that means I have access to the staff and donor areas and have talked to theymos a bit more than $random_person. But I don't actually know that much.
14:06 < gmaxwell> Warren probably knows more about how the forums work than I do now.
14:06 < midnightmagic> SMF puts it all into a backend database like mysql.
14:06 < grau> lets be consequent and commit the merkle root of bitcointalk.org to the blockchain :)
14:06 < petertodd> gmaxwell: The 312668.msg3357169 bit in the URL's implies we've got sequential numbers to use.
14:07 < midnightmagic> petertodd: they are sequential numbers.
14:07 < gmaxwell> petertodd: In any case, the backups would obviously serialize messages in some order, so that could get treed.
14:07 < gmaxwell> posts can be edited. so any timestamp really needs to be "as of some backup".
14:08 < midnightmagic> the main drawback of SMF is prior-edits are wiped unless theymos is running something special to version them
14:08 < midnightmagic> (or a logged database backend I suppose)
14:08 < gmaxwell> Can someone else confirm that the forum is hacked again?
14:08 < gmaxwell> Reload as a non admin on the main page or something.
14:08 < gmaxwell> (someone reporting this in #bitcoin)
14:09 < petertodd> gmaxwell: Yeah, well maybe the absolute easiest would be to just use opentimestamps - I've got code that can do a merkle mountain range where you feed it arbitrary digests, and it gives you top-level-digests to timestamp.
14:09 < sipa> gmaxwell: haven't visited the forum in weeks
14:09 < petertodd> gmaxwell: I'm not seeing anything.
14:09 < sipa> gmaxwell: how do i recognize it being hacked?
14:09 < grau> normal
14:09 < gmaxwell> sipa: some kind of javascript animation? :P
14:09 < gmaxwell> okay, crazy user.
14:09 < gmaxwell> thanks. I wanted to get a confirmation before I called theymos. :)
14:09 < sipa> don't see anything
14:10 < petertodd> gmaxwell: Basically this would give you a database of digests where you can easily extract a timestamp proof for an arbitrary digest.
14:14 < amiller> forum seems fine to me?
14:14 < gmaxwell> amiller: thanks, seems like the user has some weird dns issue.
14:14 < midnightmagic> forum is fine here also
14:15 < gmaxwell> petertodd: wrt signed advertisements, I'd assume that you'd sign all of them, and have some priority flag for addresses you consider most credible.
14:16 < petertodd> gmaxwell: that works
14:18 < petertodd> gmaxwell: huh, seems that SMF stores every single post in the database, so it should be easy enough to write a script to dump the posts, hash them, and timestamp them that way
14:19 < gmaxwell> petertodd: sure, I expect it to do that. I was just suggesting that it would go along with the backup data (since you'll need the posts too)
14:20 < petertodd> gmaxwell: yup. Anyway, the only obstacle is getting a copy of the data to work on. I suspect this could be a weekend project otherwise.
14:33 < jgarzik> sipa, gmaxwell: speaking of resetting testnet... new blocks are appearing every few seconds. some fool ASIC miner probably aimed his machine at it.
14:34 * midnightmagic suddenly wants to run on testnet.
14:56 < HM2> :}
18:21 < HM2> Hmm, I don't think anyone is going to write a JSON Spirit replacement in Spirit X3 yet
18:21 < HM2> it's riddled with odd behaviour and possible bugs
18:47 < warren> wait huh
18:47 < warren> forum hacked?
18:48 < sipa> not again
19:09 < Luke-Jr> which forum?
19:10 < pigeons> bitcointroll.org is up
19:17 < Luke-Jr> abitcoin.org is too
19:18 < sipa> someone claimed bitcointalk was hacked again, but that seemed incorrect
19:19 < warren> btc-e's top news from today is "Urgent! bitcointalk.org was hacked! Change your password ASAP!"
19:20 < warren> yesterday btc-e was down for a few hours they claim due to a DDoS attack
20:03 < gmaxwell> petertodd: So the MMR UTXO-LOG stuff.
20:03 < gmaxwell> petertodd: ISTM that the transaction sizes would grow forever. Because the spendability proofs would be log2(utxos ever) since you cannot do a storageless rebalance of a MMR.
20:04 < warren> MMR?
20:05 < gmaxwell> merkelized mountain range it's a kind of authenticated binary tree that has ~O(1) append. Its a petertodd neologism.
20:06 < gmaxwell> https://github.com/opentimestamps/opentimestamps-server/blob/master/doc/merkle-mountain-range.md
20:09 < gmaxwell> warren: petertodd figured out how to make a mostly storageless bitcoin. But there is a trade-off: wallets have to actively monitor the network to process updates to their own utxo proofs or they will lose the ability to spend their coins.
20:10 < warren> that's a bit of a tradeoff =)
20:10 < gmaxwell> But full nodes and miners need basically no storage. (just ~log() hashes with respect to the size of the transaction history, and maybe block headers)
20:11 < gmaxwell> Wallets need storage ~log(total history size) * number of utxos they own.
20:12 < gmaxwell> Transactions must carry utxo update proofs, which are ~log(total history size) * UTXO spent (maybe somewhat smaller if the utxo are near each other in history) in size.
20:13 < maaku> gmaxwell: is this the updatable proofs that we had discussed earlier, if we remove PATRICIA level-compression
20:13 < maaku> ?
20:13 < gmaxwell> maaku: this is a simpler idea that is more general.
20:14 < gmaxwell> warren: if you had a cold storage wallet, for example.. to spend the coins you'd need to get current proofs for it... if you were not tracking them yourself, perhaps you could go find a kind node who has tracked all of them (requiring storage similar to bitcoin full node)... perhaps they'd sell you this data if you show them that your spend would pay them a fee.
20:14 < gmaxwell> maaku: Here is how I'd express the idea. Forget the UTXO tree stuff.
20:14 < warren> gmaxwell: we talked about this as a way to spend expired coins in the future after litecoin implements expiration
20:15 < maaku> hrm.. i'll study it. lack of a storageless rebalance seems like a big tradeoff :\
20:15 < gmaxwell> maaku: imagine we have just a regular blockchain, and we append new txouts to it as they are created. We compute a binary tree over this whole thing... using a tree update scheme that has ~O(1) append. (thats the mountain range link above)
20:16 < gmaxwell> When someone wants to spend a coin, they give you a proof that shows you the coin is in the tree. Which is also the same data you need to replace that coin with a "deleted coin" entry and update the root. (by the same reason we can compose non-compressed proofs)
20:17 < gmaxwell> so miners and full nodes just need to store the leading edge of this tree (log2(history)) hashes. and any transactions they receive will have enough data to let them mark the inputs elsewhere in the tree as spent.
20:18 < maaku> ok, so it's a perpetually growing tree, although you can safely prune branches that are fully spent
20:18 < maaku> what is the advantage over a proof-updatable index?
20:19 < gmaxwell> Right. and it grows with log() so.... thats not so bad. Also, proofs for spending recent coins would be smaller. So the proofs for old coins grow.. but recent coins would stay small.
17:19 <@sipa> #bitcoin-wizards: smoking cryptographic hasj since 2013
17:19 <@amiller> you can smoke trees and you can smoke hash, but only the bitcoin-wizards smoke hash trees
17:20 * petertodd slow claps
17:20 * amiller passes out
17:20 <@sipa> oh, it's hashish in english; even better
17:20 < weex> oh it's THAT kind of party :)
17:20 <@sipa> amiller: haha
17:25 <@petertodd> Say, everyone heard of that paper due to be released in another month or something on implementing chaum tokens within Bitcoin?
17:25 <@petertodd> Anyone managed a sneak peek of it?
17:25 <@amiller> yeah
17:26 <@amiller> those students came and hung out with me for a while
17:26 <@petertodd> Nice? How does it work?
17:26 <@amiller> my current advisor/host pays their advisor
17:26 <@amiller> well it's got an impractical thing about it
17:26 <@petertodd> ?
17:26 <@amiller> first of all it's a global pool of tokens
17:26 <@amiller> one for the whole chain
17:26 <@amiller> second, in order to avoid double spends, they maintain an already-spent lit
17:26 <@amiller> lsit
17:26 <@amiller> list
17:27 <@amiller> which has to be checked in order to validate each spend.
17:27 <@amiller> that's worst-case O(N) which is horrible
17:27 <@amiller> it would only be O(log N) if they just maintained a balanced merkle tree but that still sucks
17:27 <@petertodd> Yeah, but doable
17:28 <@petertodd> So, there basically the already spent list becomes a consensus thing?
17:28 <@amiller> yes
17:28 <@petertodd> Do they just make the list so big you can pick a coin at random from it?
17:29 <@petertodd> (I mean, the set of !in the list)
17:29 <@amiller> no it's basically like
17:29 <@amiller> uh well basically you can't see the list of things included in the accumulator
17:30 <@amiller> i'm not sure how to answer your question
17:30 <@petertodd> Ok, so there is a global accumulator though, and each transaction increments or decrements it?
17:30 <@petertodd> (this is sounding just like fidelity-bonded ledgers...)
17:31 <@amiller> so basically you deposit an ordinary coin into the accumulator
17:32 <@amiller> a blinded token gets added to the accumulator
17:32 <@petertodd> ok
17:32 <@amiller> now when you want to withdraw a coin, you provide an unblinded token and a proof that your unblinded token corresponds to _one of_ the blinded tokens stored in the accumulator
17:33 <@petertodd> Ah, and there is some crypto magic that lets you prove that?
17:33 <@amiller> yeah
17:33 <@petertodd> (wizardry beyond my beginner wizard level)
17:33 <@amiller> apparently they spent christmas break poring through the complete giant catalog of cryptographic accumulators looking for one
17:33 <@petertodd> I assume then that accumulator can grow to be quite large?
17:33 <@amiller> well the accumulator is just some wacky number field thing
17:34 <@amiller> so basically i don't think it grows at all
17:34 <@amiller> it's almost like folding hashes into hashes
17:34 <@petertodd> Hmm... weird, dunno how that would work.
17:34 <@petertodd> I mean, there is the clever trick of "what's the merkle hash of a 2^256 long string of zeros" but...
17:35 <@amiller> http://www.cs.jhu.edu/~goodrich/cgc/pubs/accum.pdf
17:35 <@amiller> this is one of the popular kinds of accumulators based on RSA numbers
17:41 <@petertodd> Hmm... I'm gonna have to read that very carefully...
17:41 <@BlueMatt> gmaxwell: ahh on the spv side, yes ok that is something Id like to do eventually
17:42 <@petertodd> Now, I assume if you have n items in this accumulator, the size of the underlying data must scale by n somehow right?
17:42 <@petertodd> Or do you accept some small possibility of collisions or something?
17:42 <@BlueMatt> gmaxwell: hmm...actually maybe Ill do that as my next project
17:42 <@petertodd> Oh wait, I found it, page 10: O(n) space
17:44 <@petertodd> Because basically, for fidelity-bonded banks/ledgers, I need to be able to have some audit log thing, and have a similar accumulator so any outsider can see that every token purchase and redemption was valid. Although ideally, proofs that they were invalid would be short too...
17:50 <@amiller> there's gotta be better accumulators than that
17:50 <@amiller> i don't see the point of an O(n) size one
17:51 <@petertodd> Well, presumably that can give you a 100% guarantee against collisions. IE there will never exist S1 and S2 such that A(S1) == A(S2)
17:51 <@amiller> something like that
17:52 <@gmaxwell> BlueMatt: there are two other kinds of proofs I forgot to mention (1) double spend alerts, which might fit into the same framework, and (2) proof that a block spends a txn which wasn't in the prior block's utxo set (which we can't do currently)
17:53 <@petertodd> Ok, lets see if I get the concept right: So one possible accumulator would be to construct a merkle tree of a bit field with one bit for every integer between 0 and 2^256. You can prove you added an integer to that set by showing the leaves for an operation updating the appropriate bit, and you can remove an integer with another set of leaves. (equally any deterministic binary tree works)
17:54 <@petertodd> You can't however take two such accumulators, and merge them in this example, without knowing all the bits involved.
17:54 <@petertodd> (well, without knowing S1 and S2)
17:55 <@petertodd> Equally, assign prime numbers in order, and just multiply your primes together, and then the resulting number is an accumulator.
17:55 <@petertodd> That one you can get the union of S1 and S2 easily, but large n's are a problem.
17:58 < HM> the computation under "a simple scheme" sounds expensive
17:58 <@petertodd> HM: I'm sure people have done better than that :P
17:58 < HM> for the dictionary
17:59 < HM> updates and deletions sound cheap
18:00 * HM continues reading
18:02 <@gmaxwell> BlueMatt: by 'doublespend alerts' I mean the mempool kind. ... in thinking about it it was a little annoying to me that they'd ultimately enable miners to mine the more profitable of the two. but I guess attackers could give them directly to miners anyways.
18:10 < HM> I'm guessing the interval trick really doesn't work for transactions
18:10 < HM> to find out if Tx is in S
18:11 <@BlueMatt> gmaxwell: yes, essentially it would be nice to provide alerts which can prove a block is invalid in any of the possible ways a block can be invalid that spv nodes cant identify, though many of those arent possible
18:11 <@BlueMatt> re: doublespend alerts...meh Im still not a big fan of putting those in the standard p2p protocol
18:15 <@gmaxwell> BlueMatt: fine with me. I thought you liked them for some reason. I was only really noting that perhaps they'd fit into the same kind of framework, but perhaps not they have different DOS exposure since the rest are tied to blocks.
18:16 <@BlueMatt> gmaxwell: no, Ive always been against them (since like...years ago)
19:08 <@petertodd> Alright, I read over the accumulators stuff, and it seems to me that it isn't magic and doesn't help fidelity-bonded foo's.
19:10 <@petertodd> Basically, the key thing is you can use them to add a blinded token to an accumulator, and later prove that the token was in there, but only if every step gets witnessed.
19:10 <@amiller> there's lattice-based accumulators that are even fancier
19:10 <@amiller> i really don't understand this stuff very well either
19:10 <@petertodd> Oh yeah? Hmm... maybe more reading...
19:11 <@petertodd> I didn't see anything about an "authenticated add", but maybe I'm missing something.
19:11 <@petertodd> (specifically, a *signed* blinded token)
19:12 <@petertodd> Ultimately the problem to solve is how to stop the ledger from faking withdrawals.
19:13 <@amiller> i mean you're right that everything has to be witnessed
19:14 <@amiller> like only a valid transaction can update the accumulator
19:14 <@petertodd> Yeah, and you want token-to-token transactions.
19:14 <@petertodd> Although I kinda punt there and assume Tor is available and logs will be made public and randomly audited...
19:15 <@amiller> yeah no token to token transactions... well i mean i guess that wouldn't hurt anything
19:15 <@petertodd> Well, it kills my dream of off-chain tx's. :P But it'd make for a great coin mixer.
19:24 <@gmaxwell> petertodd: whats the problem for you right now? you make a public log available ... the bank can't inflate without it showing up in the log.
19:26 <@petertodd> gmaxwell: Well, the log will have a sum of all chaum deposits made right? Each token redemption will decrement that counter, but there is nothing stopping the bank from creating tokens that didn't correspond with withdrawals, however their fraud is limited to the amount deposited because of the running sum.
19:27 <@gmaxwell> ah, because the bank can sign in hiding and people can't tell if a newly presented unblinded signature was a previously existing blinded one or just something the bank pulled out of its rear end.
19:27 <@petertodd> ...and actually, I skipped a step, because really any blinded token whose inner part isn't made public, can be fraudulently counterfeited, so clients should unblind their tokens and "register" them.
19:28 <@petertodd> If no clients do that, the bank can create an unlimited number, on the other hand doing so does create information leak possibilities.
19:28 <@petertodd> Exactly
19:29 <@petertodd> Now with an accumulator, I guess you could prove that the token was part of the accumulated value, and thus prove it really dis correspond to a deposit, or even token-to-token exchange.
19:30 <@petertodd> *did
19:30 <@gmaxwell> well, you could at the cost of some privacy, roll the keys, so that you'd know that the outstanding balance had to all be expressed in some window.
19:31 <@petertodd> Yeah, if not for the chaum part it'd be simple.
19:31 <@petertodd> You can have clients come back and do an unblinded register step for sure.
19:31 <@petertodd> Just hard to get good parameters to maintain privacy.
15:44 < adam3us> petertodd: its a cogeneration system: bitcoins & heat
15:44 < petertodd> yup!
15:47 < adam3us> luke-jr: "difficulty adjusted between the different POW algos by trying to make them equally rare" i was thinking you could have competing mining algos with independent dynamic difficulty targeting a chosen proportion of reward
15:47 < jgarzik> bitcoin water heaters. the next million dollar idea.
15:50 < adam3us> luke-jr: eg allow scrypt(iter=1) or sha256^2 to coexist on bitcoin
15:50 < adam3us> start with say 5% scrypt, 95% sha256
15:50 < adam3us> have independent difficulty that adjusts to keep the ratio
15:50 < adam3us> in that way runaway asic easiness is automatically adjusted for
15:52 < adam3us> luke-jr: eg if one day someone succeeds in making a scrypt ASIC that is 1000 easier, the difficulty of scrypt would be increased to keep at the target % of reward for that mining function
15:53 < adam3us> luke-jr: so i think you could repeat that eg have 10 mining functions, with 10% each reward, all dynamically adjusted, then the ASIC people will not have as much fun because they will be competing more against themselves
16:06 < gmaxwell> adam3us: the scrypt pow stuff is a pretty poor idea. E.g. it's a performance problem with ltc chain sync
16:10 < gmaxwell> oh lots of backscroll to read.
16:22 < adam3us> gmaxwell: i agree scrypt verification cost sucks by orders of magnitude vs hashcash
16:23 < gmaxwell> 10:46 < amiller> btw there's a fully open source alternative to pinocchio/tinyram out https://github.com/srinathtv/pantry/
16:24 < gmaxwell> amiller: have you tried it?
16:24 < gmaxwell> wtf is with the dependencies?! KyotoCabinet, leveldb, fcgi?
16:24 < gmaxwell> also why PBC if they're using the separate BN ate-pairing library?
16:25 < sipa> PBC?
16:25 < sipa> ah
16:25 < sipa> pairing based crypto
16:27 < adam3us> gmaxwell: you might be able to design a better mem hard hash than scrypt they didnt care much about verif speed, and its memory cpu tradeable as that was a non-requirement - eg using something like the "An (Almost) Constant-Effort Solution-Verification Proof-of-Work Protocol based on Merkle Trees" http://hashcash.org/papers/merkle-proof.pdf by fabien coelho to verify in c*log2(n) instead of n for small c where n is the memory param
16:27 < gmaxwell> sipa: yea, there are basically two families of ways people are doing the backends for the general ZKP stuff. One is based on a pairing crypto knowledge of exponent assumption and results in very small proofs (like .. 4 field elements which for the BN256 stuff are like 256 bits each), the other is a construction using fiat-shamir (hashtree based proof)
16:34 < odotan> hi
16:34 < gmaxwell> odotan: Hi.
16:37 < adam3us> gmaxwell: odotan and i were discussing timestamping, namespaces and relation to mining with the objective of reducing mining centralization or removing fees somehow (brainstorming) i suggested we move it here as there was some discussion above... one sec pasting history for odotan
16:39 < warren> perhaps I shouldn't be amazed by the nut cases on the forum...
16:40 < gmaxwell> warren: hm?
17:03 < midnightmagic> oo I like reading stuff from nutcases. link?
17:03 < sipa> midnightmagic: bitcointalk.org :p
17:05 < midnightmagic> lol
17:07 < warren> midnightmagic: also http://www.theblaze.com/
17:36 < Luke-Jr> [21:03:24] <midnightmagic> oo I like reading stuff from nutcases. link? <-- PM "one" <.<
17:44 < midnightmagic> ah HAH. It was Bertrand Russell! I found him. http://www.youtube.com/watch?v=Il7Kxw9TDBc what an amazing accent.
17:47 < midnightmagic> er.. woops, wrong channel. :( sorry about that
19:38 < amiller> midnightmagic, i remember when you were asking about that from a week ago!
19:46 < midnightmagic> amiller: :)
19:49 < midnightmagic> amiller: I've been looking for it for perhaps 6 months or so. I.. uh.. have trouble letting these sorts of things go.
--- Log closed Sat Oct 26 00:00:45 2013
--- Log opened Sat Oct 26 00:00:45 2013
03:40 < warren> gmaxwell: I'm writing specifications for a next generation forum for theymos. I figure it would need some kind of cryptographic timestamp with versioning of posts to serve as prior art in defeating patents?
03:40 < warren> think of crazy ideas you think forum TNG should have
03:41 < gmaxwell> warren: talk to nanotube and midnightmagic, they're likely to have more thoughts than I do.
03:41 < warren> nanotube: midnightmagic ^
03:41 < gmaxwell> I do think whatever it does it should enable cryptographic timestamping of posts, with some kind of efficient extraction so you can pull out a single timestamped post and have people verify it.
03:41 < gmaxwell> but thats not all that hard.
03:42 < warren> do you want the ability to permanently delete previous versions of posts?
03:42 < warren> that's a hard part
03:42 < warren> gmaxwell: that might be a good use to bring chronobit into the mainstream
03:46 < gmaxwell> Its fine if the server deletes them .. you should just be able to click a button on a post and get a timestamped and forum signed copy of your post (once one is available for it) which can always be verified, even if the post is deleted.
03:46 < gmaxwell> also means that if someone else saves your post before you delete it, they can prove to other people that it was previously there.
03:46 < gmaxwell> which I think is desirable.
03:46 < warren> yeah
03:46 < warren> very
03:47 < warren> accountability
03:48 < gmaxwell> well, I think allowing editing and stuff is fine, and I'm okay with old versions being thoroughly deleted... if you manage an edit before no one else sees it.. no harm no foul.
03:49 < warren> for most things yes
03:50 < warren> but if you're talking about priority dates
03:50 < gmaxwell> I think it might be interesting if the non-public forums were encrypted, with the keys stored encrypted with the accounts that have access to them, likewise for PMs. Basically the goal there would be to reduce the incentive to compromise the server in order to obtain the little non-public data it has.
03:50 < warren> if someone edited a post to add a tiny correction, they lost proof of the earlier date
03:50 < gmaxwell> warren: nah, they just save the earlier proof.
03:50 < warren> gmaxwell: not everyone anticipates that their earlier proof will be important years laer
03:50 < warren> later
03:51 < gmaxwell> could be optional to delete old versions of messages. Dunno. Or maybe make them only accessible to the user who used them.
03:51 < warren> gmaxwell: interesting, client-side encryption of PM's? You backup your own key. if you lose it, you lost only your PM's.
03:51 < gmaxwell> Access to old versions of messages could make some moderation problems worse.
03:52 < gmaxwell> warren: you make your PM key encrypted with your login password, so it gets backed up on the site... but a hacker who compromises your site now has to bruteforce your login password to get your PMs.
03:52 < warren> could that increase the legal hazard to the forum? forum has no ability to police using it as a medium for illicit activity
03:53 < gmaxwell> It has no legal responsibility to in the US, see S230. (in fact, forum spying on PMs is probably unlawful in the US) Besides, it could if it's made aware of it.
03:53 < gmaxwell> Though on that subject, retaining old versions accessible to all users has a moderation problem.
03:53 < gmaxwell> E.g. I fill a post with childporn links, then edit them out and replace it with puppy pictures.
03:54 < gmaxwell> Then I quietly tell all the other childporny people where to go find the hidden posts.
03:54 < gmaxwell> so if you do provide access to old versions it should probably be exclusively to the user or user + global admins.
03:55 < Luke-Jr> gmaxwell: meh, no different than a wiki
03:55 < gmaxwell> Luke-Jr: wiki provides good interfaces to view changes and find things in old versions.
03:55 < gmaxwell> (I describe that behavior because people were doing stuff like that in enwp at one point)
03:56 < gmaxwell> In any case, encrypted PMs wouldn't be there to have military grade security or anything, it's just a casual thing that reduces brittleness to hacking. I'd suggest that the forum not even tell users that their PMs are encrypted. If users want good security they should be doing GPG inside their PMs.
03:57 < gmaxwell> Another thing that should be supported: two-factor login via bitcoin signmessage. Hopefully devices like trezor will support that in a later firmware. So then you could use your hardware wallet to auth you to the forum.. no more account hacks ever.
03:57 < warren> huh
03:58 < warren> sign message?
03:58 < Luke-Jr> gmaxwell: unless you sign every action, you can still get account hacks
03:58 < Luke-Jr> warren:
03:58 < gmaxwell> Luke-Jr: hm? site is SSL.
03:58 < Luke-Jr> you maintain an altcoin and you don't know signmessage?
03:58 < Luke-Jr> gmaxwell: if the server is itself compromised..
03:58 < warren> Luke-Jr: oh, I missed that he said signmessage
03:59 < warren> Luke-Jr: that's impossible! =)
03:59 < gmaxwell> Luke-Jr: yea, sorry. I wasn't meaning also no server hacks I just meant not from user password stupidity.
04:00 < warren> the way I have his server setup right now it would be difficult for even remote php eval() to write anything to disk
04:00 < warren> forum TNG I'm going to suggest get rid of php entirely, either rails or node
04:00 < Luke-Jr> ew
04:00 < Luke-Jr> I'd do php before rails at least
04:00 < warren> ewwww, php
04:00 < gmaxwell> warren: a kind of dumb but easy feature: support some message parsing so that if you post a gpg signed message, the server will verify the signature, and if it can it strips out the gpg noise and puts in a Signed message icon. clicking it gets you the plaintext of the message so you can verify it yourself if you want.
04:00 < warren> php needs to die
04:01 < warren> gmaxwell: ooh, that sounds great.
23:23 < petertodd> maaku: you have full validation if there is 100% coverage of the data by validators; you don't need every individual validator to validate the whole data set fully
23:23 < petertodd> maaku: but you do need to make it possible for any one of those partial validators to prove the fraud they found cheaply
23:23 < amiller> it's not necessary for every full validator to be capable of validating anyone's transaction without their help
23:23 < amiller> full validators don't need to store backup copies of your private key for you, nor do they need to remember all the bits needed to prove your transaction is valid
23:24 < amiller> 10 different people can each submit their individual transaction validity proofs and anyone can validate the block consisting of those
23:24 < petertodd> amiller: thing is there's no such thing as a proof that something is valid, only a proof that something is invalid (modulo SCIP)
23:24 < petertodd> *compact proof
23:28 < amiller> what you should have to do is bribe miners not to burn work
23:28 < petertodd> amiller: huh?
23:28 < amiller> it hurts everyone, in a sense, when miners burn
23:28 < amiller> you have a weak/social/long term incentive to pay them *not* to mine
23:28 < petertodd> You can't bribe someone whose goal is to destroy the currency for whatever reason
23:29 < petertodd> Why is there an incentive for them not to mine?
23:29 < amiller> there *is* an incentive for them to mine, but if you have coins, and you have stake, then you can pay them not to
23:29 < petertodd> How can I do that?
23:30 < amiller> by paying them to fight amongst themselves perhaps
23:30 < amiller> paying for forks
23:31 < amiller> 'defunding' the miners
23:32 < amiller> paying miners not to mine is the pure public good
23:32 < petertodd> how can you pay them to fight? at any given time modulo network latencies the miners can always mine on the best chain, and best has a clear consensus meaning
23:32 < amiller> because it didn't affect them, they get the monetary reward they would have had
23:33 < petertodd> remember when you burn coins in lieu of work, *you're* a 51% attacker on the chain you are re-orging
23:33 < petertodd> there's no privileged position here
23:34 < amiller> it won't happen for very long anyway, the point is *you* lose the money you burned, fewer mining occurred, but the miners got the same income they would have anyway
23:34 < petertodd> and it's all irrelevant, because as always part of being a profitable miner is mining on the chain that you think has the most support, and that means the next block that will be mined
23:35 < amiller> that may not be the only way to pay miners
23:36 < amiller> er, to pay miners not to mine
23:36 < amiller> the point is, there's your cheap proof of stake, i'm making an observation about what it can mean to burn a coin
23:37 < amiller> just sending it out isn't necessarily burning it because if it's useful to do so, everyone else might do it too, and then it had no effect anyway
23:39 < petertodd> burning coins in lieu of work, as I'm advocating above, isn't proof-of-stake, it's transferable-proof-of-work
23:41 < amiller> maybe there should be like a difficulty measure
23:41 < amiller> in terms of burned coins and work
23:41 < amiller> such that you can arbitrage
23:41 < amiller> if the cost per burned coin in proof of stake is different than what you could pay for mining power on the spot
23:41 < petertodd> I'm really not seeing why this should be any more complex than "If this chain wins, I'm happy to have x less BTC"
23:43 < amiller> look at it this way, if that's true, what's the most effective way to spend x btc to get that chain won?
23:43 < amiller> if you can do it by renting mining power then you can spend it on mining power
23:43 < amiller> if you can do it by paying a particular person somehow then you could do that
23:43 < amiller> if you can accomplish it the best by deleting it
23:43 < amiller> then you could do that, but it seems less plausible that you can't use it to your influence in some better way
23:44 < petertodd> sigh... the issue is we have effective long term ways - buy hashing power - but we don't have effective short-term ways
23:44 < gmaxwell> sweet. I just out cryptoed DJB.
23:45 < petertodd> the challenge is to come up with a way that's effective in the short-term, yet also works in the context of limited bandwidth jam-free networks
23:45 < petertodd> gmaxwell: ?
23:45 < gmaxwell> (well I suppose I should save the bragging for when he responds conceding defeat)
23:45 < amiller> petertodd, how is paying for rented hash power not an effective way
23:46 < petertodd> amiller: because it's impossible to increase the supply without waiting!
23:46 < amiller> you can just take it from someone else
23:46 < amiller> you're assuming the attacker eclipses the world economy i think
23:46 < petertodd> amiller: no you can't! there is a limited amount in this world
23:46 < amiller> so you're talking about an attacker that has moved markets
23:47 < petertodd> amiller: markets aren't efficient enough to say "hey, I want a few petahash in an hour"
23:47 < petertodd> reality just doesn't work that way
23:47 < petertodd> the whole point of this is to paper over the fact that the real world is ugly and slow
23:48 < gmaxwell> petertodd: DJB created http://safecurves.cr.yp.to/ see the rigidity page. I'm trying to convince him that the choice of generator must be documented too.
23:48 < petertodd> gmaxwell: ha, good job
23:48 < amiller> petertodd, then smash pots or something
23:49 < gmaxwell> he was trying to insist that there is nothing interesting that you can do with generator control in any cryptographic protocol. :P
23:49 < amiller> the point is if you just burn your money without burning something objective it doesn't have the same effect
23:49 < amiller> i'm trying to figure out how to articulate why that matters because what i think you're doing is ignoring the distinction or have already decided it doesn't matter
23:50 < gmaxwell> petertodd: so I sent him http://0bin.net/paste/Aqayl-V7cyFWqv5E#ju+Q69udt8UIOVxaMYV9AFSJLkr/V2FhT2Lke1S0wQU=
23:51 < amiller> tjat
23:51 < amiller> that's so cool gmaxwell
23:52 < petertodd> amiller: start from the end-goal: we want to come to a consensus that reflects the desires of the economic majority, and work backwards
23:52 < amiller> i don't think that makes any sense
23:52 < gmaxwell> amiller: yea, well I don't think it's so cool. It means that the curve in bitcoin could be somewhat backdoored, because we can't explain G.
23:53 < petertodd> gmaxwell: good job
23:53 < gmaxwell> We can explain all other parameters, but not G. I'm trying to save DJB's future curves from the same weakness.
23:54 < petertodd> amiller: again: so someone launches a 51% attack, stopping all transactions and/or rewriting some part of the blockchain, how do we devise a system where the response can be made fast enough that people don't just give up on the system before actual hashing power can be obtained?
23:54 < petertodd> amiller: hardware has leadtimes of months - there is *nothing* we can do about that, especially since we're using proof-of-work systems that are ASIC friendly
23:55 < petertodd> amiller: even if the proof-of-work system was 100% best mined by fully commodity hardware, it'd still take days to weeks to obtain it in a mad rush - there just isn't all that much computing power available for rent in a decentralized way
23:55 < petertodd> (the attacker might have already rented it all!)
23:55 < amiller> then outbid the attacker
23:55 < amiller> the attacker has limited funds
23:56 < amiller> or else the attacker has already one
23:56 < amiller> won*
23:56 < petertodd> amiller: "outbid" how? the real world doesn't always let you outbid
23:56 < petertodd> amiller: No amount of money is going to get Amazon EC2 to kick off their existing customers you know.
23:57 < amiller> i don't see why you are assuming it's sufficient to choose the chain based on something that shares some-but-not-all of the properties of proof of work
23:57 < amiller> how about in a pinch you just have gavin sign the blocks?
23:57 < petertodd> amiller: And I mean that: if you had sufficient money to make it worth their while, it'd take too long for them to verify that you were for real.
23:57 < amiller> i'm saying that burning coins doesn't have the same effect as burning power
23:57 < petertodd> amiller: heck, agreeing to just have gavin sign the blocks would probably take long enough that you'd be better off buying hashing power...
23:58 < amiller> agree in advance?
23:58 < amiller> and override it if he fires without cause
23:58 < petertodd> amiller: Then you have a system that's vulnerable to gavin...
23:58 < amiller> so what is the system vulnerable to
23:58 < amiller> that burns coins
23:58 < amiller> instead of work?
23:58 < amiller> you are implicitly assuming that there's no difference or that the difference isn't important
23:58 < amiller> i'm trying to understand what that difference is
23:58 < petertodd> amiller: Even worse, Gavin is vulnerable to the system - legally he'll be gone after for having the ability to control the system.
23:59 < amiller> i agree with both your explanation of the problem to be solved, and your reason why the gavin approach is vulnerable to something undesirable, so now lets try to get to the bottom of what vulnerability the burning coins might have over proof of work
--- Log closed Fri Oct 18 00:00:04 2013
--- Log opened Fri Oct 18 00:00:04 2013
--- Day changed Fri Oct 18 2013
00:00 < petertodd> See, the more interesting thing, is if you have a system where you can burn coins, how does that affect things? For one it'll make more clear that confirmations matter.
00:00 < amiller> because maybe you can make an actual destroying-value thing that's more responsive
00:00 < amiller> the larger you are the less impact burning coins has on you
07:33 < gmaxwell> right, now if each samples the same half, thats not so useful.
07:33 < HM2> 2^10 = 1024
07:33 < HM2> so you divide the wine in to 1024 samples?
07:33 < HM2> :\
07:34 < HM2> hmm
07:35 < HM2> so you give each prisoner a distinct 5-mixture from 100 bottle sets
07:35 < HM2> so they sample 500 bottles total
07:36 < HM2> that gives them a 50% chance of dying
07:36 < HM2> nope, that doesn't work
07:37 < HM2> how does a probabilistic solution help anyway?
07:37 < HM2> "My lord! there is only a 0.1% chance you will die if you drink this lovely 1758. It was a good year!"
07:38 < gmaxwell> ah, I wasn't suggesting that it was a probabilistic solution, only that a maximum information one would give the prisoners 50% odds of dying (apriori)
07:38 < gmaxwell> because anything other than 50% wouldn't make good use of them.
07:38 < sipa> each prisoner is essentially one bit of information
07:38 < sipa> you want to maximize the entropy in each
07:43 < HM2> you only need to determine which of 1000 bottles is poisoned. so that's < 10 bits
07:43 < HM2> so i agree it should be feasible, but i've clouded my thinking now with mixing overlapping sets of wine
07:45 < HM2> you can easily divide the wine in to 10 x 100 bottle sets and mix 5 different sets together for each prisoner
07:46 < HM2> 5 will still be dead after 30 days, as in my solution, but i don't think you will be 100% certain of the result?
07:48 < HM2> but i totally give up for now
07:49 < gmaxwell> HM2: yea, if it doesn't just come to you later we'll tell you. :) (you've put so much time into it, it would be a let down to not let you solve it though)
07:49 < gmaxwell> you've probably worked yourself into a rut, it'll probably be obvious as soon as you stop thinking about it.
07:49 < HM2> i maintain i solved it and poison works like countdown ;P
07:51 < HM2> wait a minute
07:52 < HM2> isn't this just a parity problem
07:53 < HM2> hmm
07:54 < HM2> 0 to 1024 in binary
07:54 < HM2> 10 prisoners
07:54 < HM2> each get a coefficient of the radix
07:54 < HM2> so 1 prisoner drinks all the odd bottles
07:55 < HM2> another 1 in 4
07:55 < HM2> another 1 in 8
07:55 < HM2> etc
07:55 < HM2> if they die then you know a bit of the poison bottle number
07:57 < HM2> sipa, and it's less than 5 on average :P
07:57 < HM2> because there are less than 1024 bottles
08:05 < gmaxwell> HM2: tada.
08:09 * HM2 grumbles
08:20 < HM2> what sucks about that is my solution isn't even better for < 10 prisoners
08:34 < HM2> the monk riddle was harder
08:45 < gmaxwell> yea, well I mostly mentioned the evil kings riddle in order to present the version of it where exactly two bottles are poisoned.
08:45 < gmaxwell> which is harder than the monks riddle.
09:43 < HM2> gmaxwell, interesting
17:04 < Luke-Jr> gmaxwell: that guy is obviously trolling, but I don't think he's completely wrong about pull request purgatory. I've seen useless/silly things get merged while truly useful pulls sit ignored.
17:05 < gmaxwell> well I don't think he's being intentionally trolling. if he got confused about how things work thats a problem in and of itself.
17:06 < gmaxwell> Considering that he claimed bitcoin was written in typescript, I suspect he's not trying very hard... none the less, unfortunate that he didn't feel welcome. (and weird that he thought a ~dead project welcomed him...)
17:06 < Luke-Jr> gmaxwell: comparing it with namecoin? I don't see any "defecting from bitcoin" in #namecoin
17:06 < gmaxwell> and yea, the pull process is bumpy. useless things are easier to merge: they're usually more obviously harmless. :)
18:51 < midnightmagic> petertodd: thanks for dust-b-gone btw
18:51 < midnightmagic> very much more convenient than waiting until my miners mine a block..
18:57 < petertodd> midnightmagic: cool!
18:57 < petertodd> Luke-Jr: I was having some trouble getting coin-join txs mined on eligius - what are the current rules for a tx that has a single OP_RETURN, 0-value, output?
18:59 < petertodd> Luke-Jr: s/coin-join/dust-be-gone/
19:02 < Luke-Jr> petertodd: data carriers are currently blocked entirely by Eligius, IIRC
19:03 < petertodd> Luke-Jr: right, but this scriptPubKey is just OP_RETURN, with no data
19:03 < Luke-Jr> hmm
19:03 * Luke-Jr pulls out the code
19:04 < petertodd> Luke-Jr: I picked that because I wanted the dust-b-gone utility to be absolutely clear that no-one other than miners could get any financial benefit from the coins destroyed
19:06 < Luke-Jr> http://codepad.org/L2J8i1HV
19:06 < Luke-Jr> I don't actually see anything that should change behaviour from mainline that would affect this
19:08 < petertodd> does the push-tx thing on eligius.st submit directly to the node that would be mining the transactions?
19:08 < Luke-Jr> yes
19:09 < petertodd> huh, weird
19:09 < petertodd> give me a sec; I'll make up a tx right now
19:13 < Luke-Jr> give me advance notice of the push; someones are IBDing from Eligius atm
19:14 < petertodd> 'k
19:16 < petertodd> well, it's getting rejected right now, so maybe a previous attempt is still in your mempool, but anyway here is what I tried to pushtx: http://0bin.net/paste/yuxubWzRRKtvj1QX#BFoxJ/sAq5pdwrkufd9BBSRmkYC+BPGKVWbDRHZlafY=
19:17 < petertodd> see how much easier replace-by-fee would make this? :P
19:19 < petertodd> oh, BTW, any objection to me making the TXO discussion we had the other day public? I mean, -wizards is semi-private simply by how it's a bit obscure, and there aren't public logs anywhere (AFAIK)
19:19 < Luke-Jr> which discussion was this?
19:20 < petertodd> two days ago, oct 17th
19:20 < Luke-Jr> I don't see any I participated in
19:21 < petertodd> yeah, I don't think you did
19:21 < Luke-Jr> well, then you don't need *my* permission :P
19:21 < Luke-Jr> just permission from those who spoke in it
19:22 < petertodd> heh, I wasn't asking you, although that you assumed that says something about the relative privacy of -wizards :P
19:23 < Luke-Jr> well, freenode policy makes that matter clear anyway
19:23 < petertodd> oh yeah?
19:23 < Luke-Jr> public channels need to have the log in the topic or onjoin
19:23 < petertodd> ah
19:24 < petertodd> specifically I'm asking because of this guy: https://bitcointalk.org/index.php?topic=314467.0
19:24 < Luke-Jr> gmaxwell: maaku: I think you guys were in the convo?
19:26 < petertodd> amiller: you too
19:27 < amiller> wat
19:27 < amiller> oh, yeah this should be public
19:27 < petertodd> amiller: mind if I make our conversation from two days ago re: TXO commitments public
19:28 < petertodd> amiller: thanks
19:28 < amiller> my understanding is this channel isn't even meant to be obscure, it's just that we discuss stuff that's too weird/frightening for someone trying to build bitcoind
19:28 < petertodd> same
19:29 < petertodd> I think setting up a public archive for this channel would be a good thing re: patents for instance
19:30 < gmaxwell> it's not meant to be obscure, though I have kinda avoided inviting people with ideas which I think are weird because the author is an idiot.
19:30 < petertodd> yeah, that's an issue too
19:31 < gmaxwell> e.g. if your idea is far out because you're dumb I tell you to go away, if its far out because its advanced or really speculative but still sane, I say join #bitcoin-wizards.
19:31 < gmaxwell> it's something of a personal failing that I don't respond really well to people who are aggressively promoting gibberish. I'm working on doing better. :)
19:32 < gmaxwell> (if nothing else its at least a failing because my gibberish filter sometimes has false positives)
19:33 < petertodd> https://s3.amazonaws.com/peter.todd/bitcoin-wizards-13-10-17.log <- this is it to be specific
19:33 < gmaxwell> (I'm happy that things here go however everyone else wants them to, but if we get too many people with batshit technobabble I'll probably stop participating myself)
19:34 < petertodd> god help us if we need to make #bitcoin-sane-wizards
19:46 < petertodd> alright, replied: https://bitcointalk.org/index.php?topic=314467.msg3371043#msg3371043
19:46 < petertodd> bbl
19:47 < gmaxwell> petertodd: you also posted about the idea in the forum in the bitspam (or whatever it's called) thread.
19:51 < sipa> gmaxwell: i think you answered very politely to the open-source criticism person :)
20:16 < gmaxwell> sipa: thanks.
20:16 < gmaxwell> petertodd: https://bitcointalk.org/index.php?topic=314467.new#new
20:17 < nanotube> hehe loved the riddles.
20:19 < gmaxwell> sipa: I came up with a slight enhancement to PT's MMR-tree idea, just the simple observation that if all nodes are required to store the N top most levels of the tree (by virtue of never including them in proofs), that wallets only need to monitor the fragments of blocks which are making updates to parts of the tree where they have UTXOs.
20:20 < gmaxwell> sipa: e.g. you could have wallets 'bloom filter' blocks still in this model.
20:21 < nanotube> sad to say that while i was reading the blue/red hats one for clarifications, hm2's solution snuck up on me. >_< the monk one took a few hints from sipa before i grokked. poisoned wine was easy. and thanks for that riddles link, gmax. :)
20:21 < gmaxwell> (e.g. in addition to normal bloom filtering, they'd receive the parts of blocks that modify any parts of the history where they have coins)
20:21 < sipa> gmaxwell: i really need to think hard about those MMRs
20:25 < gmaxwell> Crap crap. I solved some wizards relevant problem recently.. and I've forgotten to tell you all. I remembered it while writing that MMR post but then forgot it again by the end.
20:26 < gmaxwell> sipa: at the moment, the worst I can say about MMR is that enjoying its full potential requires more compromises than perhaps we can accept in bitcoin.
20:27 < gmaxwell> E.g. if you go 100% of the way to no one has the full history, then a bootstrapping node must only have SPV security.
20:27 < gmaxwell> OHHHHHH
21:27 < amiller> petertodd, is this deterministic structure
21:27 < amiller> it's not randomized?
21:27 < petertodd> amiller: Yes actually, 100% deterministic consensus.
21:28 < amiller> the structure depends only on the number of elements and nothing about the contents of the elements i mean
21:28 < maaku> amiller: yes, as far as i can tell
21:28 < petertodd> maaku: Well, it's worth measuring, but keep in mind that there's lots of useful things you can do with UTXO abuse, and I'd rather we get out of the game of lecturing everyone about it.
21:28 < petertodd> amiller: Yup.
21:29 < amiller> i still don't see it
21:29 < amiller> do you have any more illustrations
21:29 < amiller> of like insertions 1 through 10
21:29 < petertodd> amiller: did you see gmaxwell's link on my paper about MMR's?
21:29 < amiller> or pseudo code for insertion
21:29 < amiller> i don't care about the hashes just the tree is fine
21:29 < petertodd> //github.com/opentimestamps/opentimestamps-server/blob/master/doc/merkle-mountain-range.md
21:29 < amiller> yes i have been reading that
21:29 < amiller> yeah i got that
21:29 < amiller> i can't understand it
21:30 < amiller> pseudo code for append plz
21:30 < petertodd> OK, so get out a piece of paper, and put a bunch of dots along the horizontal axis. Now from left to right, pair a few dots, then pair those pairs etc.
21:30 < maaku> amiller: just imagine a standard Merkle list 21:30 < maaku> but without satoshi's weird handling of the last element, so it's O(1) updatable 21:30 < maaku> on an append at least 21:31 < petertodd> hell, here's python code that actually implements it: https://github.com/opentimestamps/opentimestamps-server/blob/master/otsserver/dag.py#L203 21:31 < petertodd> maaku: yeah, what's interesting is the naive way of building a merkle tree, going left to right and just promoting the left most odd element, naturally gives you a MMR 21:32 < petertodd> maaku: All I've done is observed that you can cheaply build it incrementally and deterministically, as well as update it cheaply and deterministicly. 21:32 < petertodd> *right most odd element 21:32 < amiller> https://github.com/opentimestamps/opentimestamps-server/blob/master/otsserver/dag.py#L396 i can't understand how this is O(1) 21:33 < petertodd> amiller: The append? technically it's O(log2(log2(n)) for n elements 21:33 < maaku> petertodd: yeah the way bitcoin actually does Merkle trees only makes sense because of the weirdness of how it's done using C++'s vector<> type 21:33 < amiller> oh 21:33 < petertodd> amiller: O(1) for short :P I mean, seriously, log2^2(n) does *not* grow very fast... 21:33 < maaku> i spent a long time trying to make sense of that when i first encountered it 21:35 < petertodd> maaku: Now what I don't get, is how can I update a UTXO radix tree without storing nearly all of it? Like suppose I have an ancient tx0, and I add tx1 where numerically tx0 and tx0 are very close to each other - how do I update the tree without having H(tx0)? 21:35 < amiller> still don't see why it's not log n 21:36 < petertodd> amiller: Not log n for append? 21:36 < amiller> right 21:37 < petertodd> amiller: Appending needs to touch only the "mountain tips", that is the perfect merkle trees already stored, and for n items stored you'll have log2(n) trees. 
(roughly) 21:37 < petertodd> amiller: I mean, it's actually whatever is the expression that gives you the number of perfect trees on average in n, but log2(n) is pretty close to that. 21:38 < amiller> then how do you get loglog n instead of log n 21:39 < maaku> petertodd: i'm not sure i understand the question. what you do to update proofs is walk the pruned proof-tree updating the pruned branches, as necessary 21:39 < petertodd> amiller: oh, sorry, I mispoke, so if you have n items, because the first perfect tree has log2(m) items, where m is whatever is the largest perfect tree, then the next largest, and so on, in total the number of perfect trees is about log2(log2(n)) 21:40 < petertodd> maaku: But that's it: I want a system where to be a full validating node you don't need to store the whole UTXO set. 21:40 < petertodd> maaku: Er, I mean, a mining node. 21:40 < petertodd> maaku: With UTXO radix trees you can validate, but you can't update the UTXO set. 21:40 < maaku> petertodd: where did I say you need the full set? you don't 21:41 < maaku> require incoming transactions to have their own proofs 21:41 < maaku> mempool proofs can be updated with using the delta-proof the blocks, as they come in 21:41 < petertodd> maaku: That covers spending a transaction, but it doesn't cover making a new transaction output. 21:41 < petertodd> maaku: I can delete items from the UTXO set but I can't add new ones basically. 21:42 < maaku> petertodd: ? work it out, it does work 21:42 < amiller> if i have 2^5-1 elements, i have a perfect tree of size 2^4, a perfect tree of size 2^3, etc. 21:42 < amiller> that's log, rather than a log log, number of trees? 21:42 < petertodd> maaku: I have tried to work it out, and I just don't see how it's possible. I mean, look at it this way, if you have *none* of the UTXO set data other than the last top level commitment, can you add a new txout to it? 
21:43 < amiller> maaku, with utxo commitments of any kind, you never need to store the whole utxo set to validate a tx that comes with a proof 21:43 < amiller> a validating node doesn't just get given raw transactions and told to look it up 21:43 < maaku> petertodd: yes, because the update proof would consist of the path through the *last* index to where the output is to be placed, and then the data to put there 21:44 < amiller> it's given transactions and proof 21:44 < amiller> maaku, now the quetsion is what's required to take a raw transaction and build a proof 21:44 < petertodd> maaku: There is no update proof! It's a brand new txout. 21:44 < amiller> maybe you don't want an spv node to have to do it themself 21:44 < amiller> maaku, but suppose you are a storing node that has clients 21:44 < amiller> customers i mean 21:44 < amiller> for each addrses you care about, you may have to store up to 256 digests to support creating a proof for any transaction they have 21:44 < maaku> amiller: yes, someone somewhere needs to store the relevant paths to access coins in the utxo structure 21:44 < amiller> per coin they have 21:44 < amiller> maaku, yes but no one has to store *all* of them 21:45 < maaku> amiller: agreed 21:45 < amiller> each person interested in a utxo may have to store (and update) the proofs relative to those 21:45 < amiller> but they're not too many 21:45 < maaku> amiller: yes 21:45 < petertodd> amiller: Meh, call it appends are log2(n) if you want. :) I'd have to think through that one carefully, but anyway in any real situation there will never be more than, IIRC, 16 mountains or something like that so it's always pretty cheap. 21:45 < maaku> amiller: what are you arguing against? 21:45 < amiller> petertodd, well, it depends on whether they're growing unboundedly? 
21:45 < amiller> i guess still ther'll never be too many 21:45 < amiller> but yes i'll call it log n until i'm convinced otherwise :3 21:46 < petertodd> amiller: Yeah, you can see how it's certainly less than the log2(n) height of a tree. 21:46 < maaku> amiller: it wouldn't be 256 digests - the proofs are stored level-compressed, so it's log2(unspent outputs) 21:46 < amiller> that assumes they're random 21:46 < amiller> which is maybe 21:46 < amiller> but sure 21:47 < amiller> also if you do it level compressed you can do the concurrent proofs but w/e 21:47 < petertodd> maaku: Basically you're describing a system where someone has to have every single historic UTXO ever created just in case someone happens to need to create a new UTXO that happens to be adacent to it in the radix tree, and that's not good. 21:47 < maaku> amiller: *stored* level-compressed, but expanded when used 21:47 < amiller> ok 21:48 < maaku> petertodd: no, i'm not. maybe you'll just have to wait for the bip to see 21:48 < petertodd> maaku: Whereas MMR TXO commitments are a system where you can throw out every bit of blockchain history, and still add new blocks. 21:48 < amiller> petertodd, oh, i see, you're right 21:48 < amiller> that's a good point 21:48 < amiller> you don't know what to hold on to 21:48 < amiller> in order to create a new address 21:48 < amiller> when you create a new address it's random bits 21:48 < maaku> to create a transaction you need *just* the path through the utxo set to your outputs 21:48 < petertodd> amiller: Yeah, you absolutely need the adjacent UTXOs to create the proof of modification. 21:48 < amiller> you'd have to go find people to query for each branch 21:48 < amiller> it's possible that the only people who had a relevant branch have gone and died 21:48 < petertodd> maaku: Yes, and that path needs at least one adjacent UTXO, which can be of any age. 
21:48 < amiller> no one cares about them and they don't care about their coins 21:49 < amiller> but now it's a hazard for anyone creating a new address 21:49 < amiller> merkle mountain range fixes that just fine 21:49 < amiller> mmmm +1 insertion order sorted tree 21:49 < petertodd> amiller: Lol, I like the way you're describing it as a sorted tree. :P 21:50 < petertodd> amiller: Fortunately for the purposes of expiration it's sorted in the right order! 21:50 < amiller> every tree has a sort order, just sometimes it's a random permutation :o 21:50 < petertodd> amiller: Or I should say, pseudo-expiration. 21:50 < amiller> you can immediately forget it all 21:50 < amiller> it's great 21:51 < petertodd> amiller: Ha, yeah, it's one of those crazy systems that's almost too good: if everyone can forget it immediately, we damn well better hope someone doesn't. 21:51 < amiller> nah 21:51 < amiller> you remember if you care 21:51 < amiller> if you don't care then you forgot your private key anyway 21:51 < amiller> now here's the trouble is 01:40 < petertodd> now both input and output transactions are, in the general case, totally standard. (modulo the SIGHASH_NONE business... bit annoying that) 01:40 < gmaxwell> oh interesting, you applied the same transformation on both sides. now if everyone is honest its just a pair of 2 of 2 escrows. 01:40 < petertodd> yup 01:40 < gmaxwell> But if anyone is dishonest it becomes a set of interlinked hashlocked transactions. 01:41 * gmaxwell thinks for a minute 01:41 < petertodd> and if anyone is a shitty programmer we're in for a world of hurt :P 01:41 < gmaxwell> it'll be like namecoin 01:41 < gmaxwell> :( 01:41 < petertodd> how so? 01:41 < gmaxwell> get used for years by thousands of people and it won't matter if the transactions are really anyonecanspend. 01:42 < petertodd> until it breaks and we realize it doesn't actually work? yeah... 
01:42 < gmaxwell> I note that the ABS() challenge transaction has free dinner sitting waiting for someone to take it. :P 01:42 < petertodd> needing eligius's help has problems here 01:42 < petertodd> ha, I know 01:42 < petertodd> shhh 01:43 < gmaxwell> petertodd: hm. I'm not actually sure your thing works. I don't see how you release the escrows. 01:43 < petertodd> what do you mean? 01:45 < gmaxwell> okay, nevermind I see it. 01:45 < gmaxwell> there are three layers of transactions going on here. 01:45 < gmaxwell> The default path, the refunds, and the anti-cheating. 01:46 < gmaxwell> transaction teleportation indeed. 01:46 < petertodd> yeah... I'll have to actually implement it to be sure I understand it myself :/ 01:46 < gmaxwell> Someone a while back was trying to propose a telportation protocol like this using 2of2 escrows, but he has nothing to prevent people from playing chicken (no hashlock idea) 01:47 < petertodd> figures, it's a nice idea, just tricky to come up with all three layers 01:47 < petertodd> like you need to be a wizard or something 01:48 < gmaxwell> heh. Yea, it needs all three layers to gain all it's magical properties. 01:48 < gmaxwell> its great that it looks like a pair of unrelated 2 of 2 escrows. 01:48 < petertodd> yup 01:48 < petertodd> also, note that Alice and Bob can be the same person :) 01:48 < gmaxwell> that'll give it a pretty good anonymity set. 01:49 < gmaxwell> yea, amiller pointed that right away.[6~[6~ 01:49 < petertodd> heh, it's not totally obvious... and it's probably best if it's possible that they aren't! 01:50 < gmaxwell> I think it's actually more useful as something where they aren't. Bitcoin is already private when you get paid. 
This makes you private when you pay (well, except towards carol) 01:50 < petertodd> yeah, and Alice can handle Bob's side of the transaction on Bob's behalf 01:51 < petertodd> turning this into a secure version of blockchain.info's send-shared 01:51 < petertodd> s/secure/trust-free/ 01:52 < gmaxwell> Yep. 01:52 < petertodd> I think the main thing that sucks about it, is that it can't be arranged to all happen in one step - the rounds-trips are a nuisance. 01:52 < petertodd> Also, waiting for confirms sucks. 01:53 < gmaxwell> yea well thats a reason to note that alice can logically run it for bob. runnning it alice/alice allows alice to unlink funds before selecting bob. 01:54 < gmaxwell> the next obvious thing to do is to partner with a mining pool, so that carol is issuing freshly mined coins. 01:54 < petertodd> ah, yeah that's good 01:54 < petertodd> right, so essentially make a wallet where you setup txouts in advance using this method 01:54 < gmaxwell> Otherwise you always have to worry about crappy carols going and mixing up the funds in the future. 01:55 < petertodd> could be interesting to do this with a pool that had a bit of hashing power, and just wait until they make a block with the desired output right in the coinbase! 01:55 < petertodd> not practically more useful, but nice PR 01:56 < petertodd> heh, and then shuffle the incoming coins through the coinbase via fees... 01:56 < gmaxwell> meh, sullys the airgap. 
01:56 < petertodd> not if more than one pool is doing this and they're mining anonymously 01:57 < petertodd> but yeah, better to pay out to miners with the coins coming in instead 01:57 < petertodd> s/miners/hashers/ 01:59 < petertodd> anyway, at bare minimum the temporal ordering of the money going in and the money going out is disturbed, which is something coinjoin can't do 02:01 < petertodd> it'd be good to think if the efficiency can be improved - for instance can we construct the coins coming in such that they are actually being paid to someone who is getting coins out from a teleported payment happening simultaneously? 02:02 < gmaxwell> well, that hardly matters much if the transactions are conspicious unless it is very widely used. With them less conspicious its more interesting. 02:02 < petertodd> yeah, we need more multisig-using wallets to have any hope of this not looking interesting 02:03 < gmaxwell> petertodd: I think its hard to do that, because while the alice->carol payment could really go to sue, the cheating escapes are specific to alice->bob. 02:03 < petertodd> might be good to use new pubkeys for all this stuff, so that bob can get the privkeys so he doesn't need NONE|ANYONECANPAY 02:03 < gmaxwell> oh that always has to be a requirement for any protocol where you sign stuff you can't see. 02:04 < gmaxwell> otherwise you risk getting tricked into signing a transaction you didn't intend to sign. 02:04 < petertodd> oh, but see, here I'm not sure you are actually singing sutff you haven't seen 02:04 < gmaxwell> you are for refunds. 02:04 < petertodd> true 02:05 < petertodd> w/ your p2sh anti-mutability trick 02:05 < gmaxwell> In general I think this kind of thing can go forward assuming mutability is just fixed. We're on our way to fixing it, and having applications it breaks is the motivation to finish the job. 02:06 < petertodd> yeah 02:06 < gmaxwell> today people use totally insecure trusted protocols... 
so something like this where refunds are fragile is probably fine in the short term. 02:06 < petertodd> yup 02:07 < petertodd> of course, this is an example where an alterative implementation is fidelity bonding it all, and it'd be a good deal more efficient given that alice pay a simultaneous bob 02:07 < gmaxwell> sort of a bummer that there is no great way to coinjoin into and out of the thing. 02:07 < gmaxwell> Because the fact that carol learns the matching is lame. 02:08 < gmaxwell> you could sandwitch the thing inside coinjoins with extra transactions though. 02:08 < petertodd> yup 02:08 < gmaxwell> well I don't like anything that creates carol-inertia too much. 02:09 < petertodd> otoh, in a scheme where carol does learn, carol can always be paid off to get the logs 02:09 < gmaxwell> Because carol is a privacy point of failure and an attractive target. It's good that bonding carol doesn't make carol non-anonymous, but better if we can have lots of carols so that there is no obvious target to compromise... and all the really interesting traffic can traverse multiple carols. 02:10 < petertodd> so, here's the neat thing: there's an incentive to be carol too! you get new coins just as much as bob does 02:10 < gmaxwell> right thats why carol learning sucks, and its one way CJ is strictly superior, in that its not hard to totally blind CJ. 02:10 < gmaxwell> But I think in a world with both CJ and teleportation and lots of carols, logs are not so useful.. you get carols logs and the interesting traffic came in/out via another carol or via CJ. 02:11 < petertodd> sure, my point being though if you put this in a protocol, do it on a p2p layer and make the application play the role of both alice and carol when you want to get coins to pay bob 02:11 < gmaxwell> and while you could try to pay all carols chaum blinded CJ can't be bought, only flooded. 02:11 < gmaxwell> oh interesting. you make bob recieve your carol role coins perhaps. 
02:12 < petertodd> It should all be wrapped up in a "Pay bob!" and depending on who wants to do what, you'd either pay Bob by being Alice, or pay Bob by being Carol and using Alice2's funds to pay Bob 02:12 < gmaxwell> so you could be alice or carol, whichever is in more demand, and bob either gets bob coins or carol coins. 02:12 < petertodd> yup 02:12 < petertodd> Or even, depending on amounts available you'll wind up using both types to pay Bob 02:13 < gmaxwell> Every time I see you falling 02:13 < gmaxwell> I get down on my knees and pray 02:13 < gmaxwell> I'm waiting for that final moment 02:13 < gmaxwell> You say the words that I can't say 02:13 < petertodd> lol 02:15 < petertodd> though, with non-trivial tx fee costs the pure fidelity bonded version will probably be popular too... 02:15 < warren> I made a Bitcoin 0.8.5 branch with all backports that we have in Litecoin plus a few features that aren't committed to 0.9 yet. 02:15 < petertodd> it's interesting though, because there will always be a lot of transactions whose value is such that fees don't matter much 02:15 < warren> I found a bug in watchonly in the process. 02:16 < petertodd> oh good 02:16 < gmaxwell> warren: \0/ 02:16 < warren> waiting for sipa to wake up 02:16 < warren> what should I call this branch ... 02:16 < warren> "plus" 02:16 < warren> "omg" 02:17 < warren> oh heck, I'm including NODE_BLOOM 02:18 < petertodd> heh 02:19 < petertodd> include Discourage fee sniping with nLockTime and you can really be living dangerously :/ 02:19 < petertodd> (and determine if anyone uses it...) 02:19 < warren> petertodd: how dangerous is that? 
02:19 < warren> petertodd: I'd like people to actually use this branch 02:20 < petertodd> warren: lol, Luke's been testing it for ages actually with no problems, but some badly written wallet software still handles final nLockTime wrong :( 02:20 < warren> I'd like to include https://github.com/bitcoin/bitcoin/pull/2839 but testing in Litecoin OMG2 suggests it doesn't work. 19:28 < gmaxwell> the proof can start at the point the txn of interest was mined. 19:28 < BlueMatt> that gets pretty expensive? 19:28 < gmaxwell> I mean, it's 80 bytes per header. so not really. 19:29 < BlueMatt> very expensive if you hold the alt for an extended period... 19:29 < BlueMatt> well, no miner is gonna mine a tx that is 80 bytes*N where N is a few weeks/months of headers 19:29 < gmaxwell> BlueMatt: oh no, you don't do it over the life of the alt. 19:29 < gmaxwell> crazy no no thats not how it works. 19:30 < gmaxwell> you take some coin and assign it to a scriptPubKey that can be redeemed by anyone who provide a SPV fragment from the altcoin showing any of those coins being reassigned back to bitcoin, with a sum difficulty of at least X. 19:30 < adam3us> gmaxwell, BlueMatt: a 1:1 peg - doesnt that import security risk from the alt into bitcoin? (i suggested a 1 way peg "bitcoin staging" only so bitcoin is security firewalled) are we talking about the same area of feature 19:31 < gmaxwell> adam3us: only to the limit of the alt. say the alt was somehow totally insecure... you could then steal all the bitcoins that had been assigned to the altcoin. 19:31 < gmaxwell> but no more. 19:32 < adam3us> gmaxwell: hmm that might be ok 19:32 < BlueMatt> adam3us: what gmaxwell said (if you decide to put your btc in the alt, sucks for you) 19:32 < gmaxwell> BlueMatt: one problem there is that isn't really spv security, its "spv transcript" security, in that the bitcoin network isn't going to go out and find a longer chain. 
19:32 < adam3us> BlueMatt: yes that is an acceptable trade off and already at risk with a 1-way peg 19:33 < gmaxwell> BlueMatt: But I did come up with a way to boost that to more like real SPV security with a bit more script power. 19:33 < BlueMatt> gmaxwell: well, ok, sum difficulty is one way...but very non-ideal 19:34 < gmaxwell> (you make the relase of coins back into bitcoin two phase. The first phase you do a header proof for the release.. and that gets mined.. but it can only output to a special holding script with the following rules: 19:35 < gmaxwell> after N blocks the releasing party can grab the coins. OR at any point, any party can show a longer chain to prove the release was bogus. and then they can only be redeemed with a new release on a chain longer than that one. 19:35 < gmaxwell> In any case I think most of the stuff thats been said of any technical substance on this is in the coinwitness thread (where I suggest using SNARKs for C to compact the proofs, though its not essential): https://bitcointalk.org/index.php?topic=277389.0 19:36 < gmaxwell> obviously if you compact the proofs things start sounding more interesting from a scaling perspective. 19:37 < gmaxwell> also if the headers of the altcoin form a MMR (insertion ordered binary tree) it may be cheaper to prove long spans of difficulty. 19:37 < BlueMatt> yea, though depending on cutting-edge crypto is ugly... 19:38 < gmaxwell> BlueMatt: well there are less ambitious (efficiency wise) ways to construct these proofs, but they're larger... though I'm not sure if we could get the direct proofs down with special support. Maybe. 19:38 < gmaxwell> SPV fragments can be pretty small. 
19:39 < BlueMatt> yea, its all a bit expensive, really 19:39 < BlueMatt> it would be fun to be able to peg arbitrary altcoins to bitcoin as it really addresses the issues altcoins cause 19:40 < BlueMatt> allows them to innovate (ie risk people's money) while not costing bitcoin's digital scarcity/competing on store-of-value 19:40 < gmaxwell> BlueMatt: one way is easy just have them validate bitcoin too. 19:40 < adam3us> BlueMatt: agreed 19:41 < gmaxwell> BlueMatt: one point is that you could coinjoin your cross chain merges perhaps, to make them smaller. e.g. one proof and then a dozen transactions hop the gap. 19:44 < BlueMatt> gmaxwell sure, but if you only peg one-way its really not particularly useful 19:44 < BlueMatt> well, it is, but not as useful 19:44 < BlueMatt> gmaxwell: sure, you could limit to like 1 coinjoin'd alt->btc tx per day 19:45 < BlueMatt> but even that could be expensive 19:45 < gmaxwell> I dunno, I mean, it's a seralized transaction and spv proof, plus some additional headers. 19:45 < BlueMatt> well, if you have 100 alts all doing that, it does 19:46 < adam3us> BlueMatt: I like 1:1 peg idea, I only suggested 1-way peg to insulate security, if you can insulate security to the coins in the alt, thats even better 19:47 < BlueMatt> as long as you limit it to the people who transferred their coins... 19:47 < BlueMatt> gmaxwell: hmm... 19:47 < gmaxwell> lets say there are 2^12 txn per altcoin block, ... lets imagine you make the altcoin txn themselves hashtree so you can get to only their outputs.. so say maybe 64 bytes for the altcoin output, 384 bytes for the spv tree. 4 bytes for a spv index, and 12 80 byte headers = 1.4k. 19:48 < gmaxwell> it's bigger than a typical ecdsa signature, but not murderous. 19:48 < gmaxwell> and if they coinjoin the biggest parts (960 bytes of headers, 384 bytes of hashes) can be shared. 19:49 < gmaxwell> adam3us: yea, I don't think there is a security need to make it one way. 
If you can never "pull back" more from an altcoin than was sent to it, then only the holders of the altcoin are at risk. 19:50 < adam3us> gmaxwell: seems plausible indeed, i just didnt think of it in those terms at the time. good 19:51 < gmaxwell> the altcoin is also a bitcoin node, and monitors bitcoin for coins assigned to the altcoin, and then permits someone on the altcoin to emerge those coins from thin air.. and then when you want to send them back you make a special transaction in the altchain and prove you did it to bitcoin. 19:51 < adam3us> gmaxwell: i suppose the other thing is it itself requires bitcoin changes, perhaps non-trivial ones, and that is part of the reason for the exercise. 19:51 < gmaxwell> yea, unfortunately it requires changes to bitcoin. 19:52 < gmaxwell> we could _almost_ do it in script without the disabled opcodes, but there are enough little corners that I suspect we can't. 19:52 < adam3us> gmaxwell: but an interesting enough change perhaps for motivation to be there as it creates an avenue for value preserving experimentation 19:52 < BlueMatt> 12 blocks seems shallow to me given most altcoins have no miners... 19:53 * BlueMatt thinks this solves the "alt problem" 19:53 < adam3us> BlueMatt: probably have to overcome the merge mining / side chain incentive problems somehow 19:53 < adam3us> BlueMatt: yes i like it a lot :) 19:53 < adam3us> ***adam3us wants to destroy all new digital scarcity race alts 19:53 < gmaxwell> BlueMatt: namecoin's difficulty is 81% of bitcoin's. 19:53 < BlueMatt> gmaxwell: really? wow 19:54 < adam3us> gmaxwell: thats because of heavy merge-mining tho because its been around for a long time 19:54 < gmaxwell> I seem to recall telling you this at the meetup here too. :P 19:54 < gmaxwell> adam3us: sure, but this would be merged mined too. 19:54 < gmaxwell> Now, one annoying issue is that MM makes the @#$#@$@# SPV proofs much bigger. 
:( 19:56 < BlueMatt> gmaxwell: though it does mean bitcoin miners with bitcoin blocks can do more verification :) 19:56 < gmaxwell> basically doubles the hashtree size plus the size of a bitcoin coinbase. 19:56 < BlueMatt> (though not with existing disabled script opcodes) 19:56 < gmaxwell> in any case, its doable and not unrealistic. 19:57 < BlueMatt> personally, if there's one feature we should enable in bitcoin (testnet) its this 19:57 < gmaxwell> it's not even a hardforking change in bitcoin. 19:57 < BlueMatt> but, we need f**$@#%@ reviewers 19:58 < gmaxwell> it can be deployed like p2sh. 19:58 < BlueMatt> well, to re-enable the script opcodes... 19:58 < gmaxwell> well this needs a bit more than script opcodes, and really, to make it efficient it would probably best be implemented directly. 19:59 < BlueMatt> yes 20:00 < gmaxwell> one optimization would be to have only SPV security inside bitcoin for those proofs too. 20:01 < gmaxwell> E.g. the txn that releases coins in bitcoin has just a hash of the proof in its scriptsig. the actual proof must be provided along with blocks but only until they're sufficient burried in bitcoin. 20:01 < gmaxwell> (after all, if the emergence in the other chain has only SPV security, no reason to have better security in bitcoin) 20:01 < adam3us> gmaxwell: i was going to ask how does bitcoin know the transaction is non orphan on the alt? 20:02 < gmaxwell> adam3us: thats what the 12 or whatever headers are for from the alt. 20:02 < adam3us> gmaxwell: i might make it 100 like mining confirmations 20:03 < BlueMatt> 100 was fairly arbitrary 20:03 < BlueMatt> though I dont like 12... 20:03 < gmaxwell> whatever, the altcoin could actually signal it with something in its headers. 20:04 < BlueMatt> yea 20:04 < gmaxwell> the big problem with making it big is that it creates a release delay in moving the coins back. 20:04 < BlueMatt> meh, who cares 20:04 < BlueMatt> even if the release delay is a day... 
20:05 < gmaxwell> there are altcoins with 30 second blocks that advertise confirmed = 3 blocks
20:05 < BlueMatt> meh, I dont care about altcoins that are working at dumb knob-tweaking, I'm talking about altcoins that do actually useful research
20:06 < gmaxwell> well, its a fungibility thing. It's not really a bitcoin if it has a 24 hour ramp to move across. But one interesting thing is this: You could do CoinSwaps nearly instantly with reasonable security. So the real migration doesn't need to be fast because it's only needed to correct long term imbalances.
20:07 < BlueMatt> yep, thats what I was thinking
20:07 < BlueMatt> its really only to peg the value, not to act as something that need be traded regularly
20:07 < adam3us> gmaxwell, BlueMatt: yes agreed; cross chain atomic swa
20:08 < adam3us> gmaxwell: even with 1-way peg i was thinking it should have mostly balanced
04:36 < petertodd> jgarzik: also s/distributed consensus/decentralized consensus/ IMO
04:37 < petertodd> if we were merely distributed at least fixing a bug would be easy...
05:12 < gmaxwell> This sounds like the title of a paper which would be very useful when reading bitcointalk: "Optimal Error Correction Against Computationally Bounded Noise"
09:05 < jgarzik> petertodd, that's a good response
09:23 < jgarzik> petertodd, RE SIN private email (though my answer is of relevance here, perhaps): general advice from you and gmaxwell on SIN is to not reinvent OpenGPG with its key expiration/revocation/other features.
09:24 < jgarzik> That advice seems wise. However, it also seems like something a user would want (to revoke a SIN, handle the compromise case, etc.)
09:24 < jgarzik> Does OpenGPG permit integration of ECDSA as we use it -- just verify/sign messages, no crypto?
09:59 < petertodd> jgarzik: Yes. OpenPGP can have packets that only sign of course, and you can use one of the private signature algorithm numbers to implement secp256k1 directly.
10:00 < petertodd> jgarzik: The main disadvantage of OpenPGP is that libraries to work with OpenPGP directly kinda suck for now.
10:13 < jgarzik> petertodd, more than kinda
10:14 < jgarzik> petertodd, it is functionally the Tor situation: everybody tells you "Run This Binary, From This Anointed Codebase"
10:14 < petertodd> jgarzik: heh, well a direct OpenPGP library that's up-to-date doesn't exist except on Java...
10:14 < petertodd> jgarzik: there's a python library, but it's a few years out of date
10:15 < petertodd> OTOH you certainly could write enough to follow whatever you want for your SIN standard, and complete the library later
10:15 < jgarzik> true
10:16 < petertodd> I could use some OpenPGP library goodness myself for timestamping - I want to implement timestamping as a new signature algorithm. Something that you can't benefit from if you create yet another from-scratch standard.
10:17 < petertodd> You probably can also design SINs such that existing keyserver/wot infrastructure will be useful.
10:17 < jgarzik> petertodd, I think the existing keyserver/wot infrastructure is crappy and silly
10:17 < jgarzik> ;p
10:18 < jgarzik> way behind bitcoin community standards
10:18 < petertodd> I think you're very wrong on that actually; WoT is high-maintenance, but used correctly is very high security.
10:18 < jgarzik> petertodd, You've just described why it is crappy and silly :)
10:18 < petertodd> Even not used correctly it's a gigantic pain in the butt to compromise.
10:18 < jgarzik> petertodd, Most won't make the effort
10:19 < petertodd> jgarzik: So? Most don't make the effort, but equally many communities do and get to benefit from it. What'd be good is to have some centralized infrastructure using the same underlying mechanisms, so you can get the best of both worlds where appropriate.
10:20 < jgarzik> I try to target "most" not just high security types
10:20 < jgarzik> SIN/identity is for everyone, necessarily
10:21 < petertodd> Yes, but don't design systems that gratuitously are incompatible; after all, like it or not, SIN/identity is equivalent to WoT, just with odd trust-graphs.
10:23 < petertodd> Not unlike how there exists the PGP Global Directory Verification Key and CA Cert Signing Authority (Root CA)
10:23 < jgarzik> Average people will never have keysigning parties
10:23 < petertodd> Who cares?
10:24 < jgarzik> I do. Most contact will be digital attestations from
10:24 < jgarzik> governments, corporations, etc.
10:24 < jgarzik> Or private party-party transactions
10:24 < petertodd> Whether or not people have keysigning parties has absolutely nothing to do with whether or not you make a system that is WoT-compatible, rather than gratuitously incompatible.
10:26 < jgarzik> If SIN's ECDSA can be packetized within OpenPGP, it need not be gratuitously incompatible. Compatibility with existing WoT is not a high priority, however.
10:27 < petertodd> Big question: what type of ECDSA do you want? OpenPGP has support for ECC already, although with snowden there's a chance they'll use different curves.
10:28 < petertodd> Get a copy of GnuPG >= 2.1 and you can try it out.
10:28 < jgarzik> bitcoin's curve and hash-fingerprint method, as specified in https://en.bitcoin.it/wiki/Identity_protocol_v1
10:29 < petertodd> Yeah, you can packetize all that stuff, initially by using the private signature algorithm numbers, and maybe later get an RFC assigned. I've looked into this stuff for OpenTimestamps. There's also per-signature annotation data possible, which is very extendable and would probably cover a lot of things.
10:30 < petertodd> You might also ask why are you so wedded to Bitcoin ECDSA anyway? Using standard RSA lets users make use of pre-existing hardware security stuff to keep their keys secure - a big win.
10:30 < petertodd> IE a bitcoin sacrifice can easily be a signature annotation.
10:32 < jgarzik> And there's no question the software landscape sucks. Everybody forks the same 1990s era codebase (patched up to modern crypto but not necessarily modern engineering standards). Ditto Tor. The packetization is baroque. But it's widely used, so rather stuck with the last.
10:33 < petertodd> Indeed it is. But baroque packetization and what not are going to be the easiest parts of the problem.
10:37 < petertodd> Keep in mind too how useful SINs added to OpenPGP would be: I'd love it if there was the infrastructure for my local government to attest that my PGP key was correct, and I'd love it if there was a nice way to sacrifice some Bitcoins in support of it.
10:38 < petertodd> There's no good reason to have a bright line separating the two - fundamentally it's all web-of-trust anyway.
10:40 < petertodd> Incidentally, OpenPGP should have the notion of negative signatures: I'm signing to say I'm pretty sure this signature is wrong, or this person is untrustworthy.
11:00 < jgarzik> agreed there is no /need/ for a line of separation
11:01 < petertodd> yes, and the line of separation is actually harmful in that it makes useful things, like the government of ontario signing my PGP key, not possible
11:09 < jgarzik> OK back from meeting. Like I said, don't mind looking into wedding the two. Codebase is an obstacle; packetization is just an annoying thing to complain about, but not change :)
11:10 < jgarzik> so a just-the-bits-I-need codebase library compatible with OpenPGP is an option, like you mention
11:13 < petertodd> jgarzik: yeah, well as I said, I need one too because I want to do timestamping of PGP signatures
11:15 < petertodd> oh, and amir said he's got plans to improve the web-of-trust, and he likes python...
16:14 < phantomcircuit> sipa, ps that wasn't a joke
16:15 < sipa> don't worry, i wasn't planning on answering
16:16 < phantomcircuit> i didn't think you were :)
16:27 < skinnkavaj> Has anyone reviewed this yet? https://bitcointalk.org/index.php?topic=308972.0
17:53 < Luke-Jr> skinnkavaj: sounds like a contradiction. 90-bit isn't strong.
--- Log closed Sat Oct 19 00:00:22 2013
--- Log opened Sat Oct 19 00:00:22 2013
00:11 < petertodd> jgarzik: http://www.rubygems-openpgp-ca.org/ <- interesting signing authority for ruby gems, the model could have some relevance when thinking about SINs
00:32 < gmaxwell> those people whose pow I was tearing apart a while back? they've posted a new one now offering a bounty to "convince [them] it's not better than scrypt"
00:32 < gmaxwell> I quote a line from their implementation:
00:32 < gmaxwell> fc::usleep( fc::microseconds(1000*1000*(1-_effort)) );
01:02 < phantomcircuit> gmaxwell, lolololol
01:02 < phantomcircuit> gmaxwell, what's the bounty?
01:02 < gmaxwell> 30 BTC. Have at it.
01:03 < phantomcircuit> gmaxwell, goad them into making it more
01:03 < phantomcircuit> then claim it
01:03 < gmaxwell> Well, I know from my past experience with them that they'll claim any flaw is a placeholder, so collecting will likely be hard unless you really smoke them bad.
01:03 < phantomcircuit> gmaxwell, it's the mastercoin people right?
01:03 < gmaxwell> (and indeed, I'm sure the sleep for low difficulty really is just a placeholder honestly.. still crazy to see it there)
01:06 < gmaxwell> phantomcircuit: these people: https://bitcointalk.org/index.php?topic=313479.0
01:14 < phantomcircuit> oh
01:14 < phantomcircuit> shrug
04:43 < petertodd> gmaxwell: oh, that was fun to tear apart - I nearly wound up replying with a bunch of VHDL code
04:44 < gmaxwell> petertodd: hahah
04:44 < gmaxwell> I had fun de-memoryhardening their last one.
04:44 < gmaxwell> but it was even more of a toy.
04:45 < petertodd> gmaxwell: I actually sketched out a VHDL implementation of an ASIC, although I held off posting because I was sure there was enough detail there to make a fool of myself :P
04:45 < petertodd> what was their last one?
04:46 < warren> will they actually pay?
04:47 < gmaxwell> https://bitcointalk.org/index.php?topic=279771.msg2996823#msg2996823
04:49 < petertodd> sheesh
04:49 < gmaxwell> they responded with a bunch of "oh it's not really done" and then rapidly put up a new one.
04:49 < gmaxwell> and apparently they have a new one still. :P
04:49 < petertodd> Though this is an interesting question: maybe it's not possible to make a proof-of-work algorithm where verification is symmetric, and yet doing the work must be sequential - there's a similar result from timelock puzzles IIRC.
04:51 < gmaxwell> verification is symmetric?
04:51 < petertodd> er, asymmetric
04:53 < gmaxwell> well does fiat-shamirizing my idiot solution to proof of storage yield what you want? POS the data you are working on, sort the leafs, build a new hashtree and construct a verification proof that convinces someone that it queries a sorted version of the list.
04:53 < gmaxwell> The proof would be somewhat big, alas.
04:54 < sipa> wait, a PoW function that sleeps...?
14:40 < adam3us> amiller: i think you can almost do it (ZKP) - the thing that is eluding me is a blind proof of work where the work survives the unblinding operation and is encoded in representation problem format (like Pedersen commitment or brands credentials)
14:40 < adam3us> amiller: if you had that you could prove the number of confirmations on a coin > 6 without revealing the block
14:41 < adam3us> amiller: and with homomorphic values you could prove everything adds up before mining
14:44 < adam3us> amiller: there are a number of failed partially useful prototype blind proofs of work on this thread https://bitcointalk.org/index.php?topic=308009.msg3302321#msg3302321
14:46 < adam3us> amiller: and some related ones on this thread for secure offloadable KDF to harden brain wallets or encrypted wallets (that your attacker has the encrypted wallet file) https://bitcointalk.org/index.php?topic=311000.msg3341985#msg3341985
14:48 < adam3us> as close as I got was a "partial discrete log", however its really hard to get the work to survive unblinding like a close schnorr signature forgery (not an actual forgery but a number somehow close to a real one with an arbitrary closeness metric)
14:51 < adam3us> amiller: "amiller: well committed transaction doesn't mean the transaction is valid ... adam3us: it does mean its not double spent however" i think you might be able to build on that because committed tx prevents many miner abuses
14:55 < amiller> adam3us, how would you get fees for the committed tx
14:56 < amiller> because the committed tx still takes up utxo space it should have to be paid for
15:05 < adam3us> amiller: yes the committed tx has to include a clear text fee outside, which has to be sent from a clean/taint free address
15:06 < adam3us> in this way you can make tainted tx, fixing the taint problem (at least as far as miner influence)
15:06 < adam3us> curiously even if 99.9% of mining power dislikes and would like to block your tx based on who you are, how much you're paying or who you're paying it to
15:07 < adam3us> they are essentially powerless to do it, because you are using their power against themselves
18:56 < Luke-Jr> https://en.bitcoin.it/wiki/Myths#Bitcoin_makes_self-sufficient_artificial_intelligence_possible.2C_which_will_in_turn_become_self-aware_and_decide_to_exterminate_humanity
18:56 < Luke-Jr> ^ elaboration would be good
18:56 < Luke-Jr> and/or better arguments against it
19:24 < gmaxwell> heh. We should ask MIRI to write the response to that one.
19:24 < Luke-Jr> MIRI?
19:25 < petertodd> Luke-Jr: lol!
19:25 < gmaxwell> Luke-Jr: http://intelligence.org/research/
19:25 < Luke-Jr> interesting, didn't know that existed
19:26 < petertodd> Luke-Jr: I am a bit worried though, because just the other day an industrial robot's safety controls malfunctioned and I got a damn hard kick to the groin... not quite sure what that means
19:28 < Luke-Jr> hmm
19:29 < petertodd> Maybe it's actually Litecoin that becomes self-aware? Or PPCoin?
19:29 < Luke-Jr> then I'd be dead
19:29 < gmaxwell> https://en.bitcoin.it/wiki/Myths#Bitcoin_makes_self-sufficient_artificial_intelligence_possible.2C_which_will_in_turn_become_self-aware_and_decide_to_exterminate_humanity revised answer.
19:29 < gmaxwell> maybe litecoin is self-aware but suicidal?
19:29 < petertodd> gmaxwell: ooh, maybe?
19:29 < Luke-Jr> lol
19:30 < Luke-Jr> gmaxwell: doh! Satoshi is AI!
19:30 < gmaxwell> (I was going for "Oh. Okay. ... hey, wait a minute! oh shit!" as the response to that response)
19:30 < petertodd> though if I were a self-aware AI, I'd want a PoW algorithm that was more general purpose
19:31 * petertodd is suspicious of NeuroCoin, the one with the neural-net based PoW algorithm
19:31 < Luke-Jr> I must have missed that one :o
19:31 < petertodd> lol, I'm sure if someone makes it it'll get adherents
19:31 < gmaxwell> petertodd: heheh. I'm imagining now an aprilfirst coin whose PoW is translating arabic phrases. :P
19:34 < petertodd> oh that's good...
19:34 < petertodd> or make one whose PoW happens to be running nuclear weapon simulations
19:35 < BlueMatt> brute forces encrypted information downloaded from *.nato.gov...
19:36 < petertodd> or maybe the wikileaks dump?
19:36 < BlueMatt> heh
19:36 < petertodd> prove you're trying to crack the key?
19:36 * petertodd wonders if there's a known header that could be used to verify if a crack worked
19:39 < warren> As if this chat room wasn't already on the NSA watch list.
19:39 < petertodd> actually, that'd be interesting: the pow would have to be for you to prove you tried to crack it, using AES similar to how SHA256 works. Except actually cracking the key isn't something you make progress towards, so you'd have to add a separate rule that an actual crack is worth a reward.
19:40 < petertodd> So force guesses to be done with a PRNG, and you need to show that your guess was generated by H(pubkey + nonce)
19:40 < petertodd> er, really H(merkle-root + nonce)
19:40 < sipa> warren: watch list?
19:40 < sipa> warren: i expect most of you to be nsa agents
19:41 < BlueMatt> petertodd: find decrypted data that is either the correct value or < target and use that as pow
19:41 < BlueMatt> sipa: you arent? you may be the only one
19:42 < BlueMatt> petertodd: or, better yet, decrypted data whose hamming distance is < target from the real header
19:42 < sipa> BlueMatt: i didn't expect you guys to be so honest about that
19:43 < petertodd> BlueMatt: doh, yeah, that's perfect
19:43 < warren> BlueMatt: compartmentalization
19:43 * BlueMatt goes to code that up for next april
19:43 < warren> who watches the watchers?
19:44 < maaku> warren: i do
19:44 < petertodd> sipa: ha, just the other day I had a TLA agent ask me if I wanted him to set up an interview with another TLA agent he knew. (serious)
19:44 < petertodd> sipa: said TLA agent said "I can't blame you" when I declined, pointing out my answer would have been different six months ago...
19:45 < sipa> wth?
19:46 < BlueMatt> what was the presentation at one of the blackhat-cons like a year ago that went into detail on all the info they were able to get on classified projects from linkedin?
19:46 < BlueMatt> it was really quite comical
19:46 < petertodd> sipa: snowden; it's caused a huge crisis of confidence within all these agencies, they've got a lot of people internally who are reconsidering why they work for the people they do
19:47 < petertodd> sipa: remember that things are sufficiently compartmentalized that it's not "in your face" that the stuff snowden leaked was actually happening, and they're good at putting people with politics more like mine in departments that don't have to know
19:49 < petertodd> sipa: nevermind the outright embarrassment... a lot of what's been leaked shows these agencies *aren't* all knowing and all powerful - a big part of the draw at working in places like that is you're working with the best and brightest, but, snowden shows pretty clearly that you aren't
19:50 < sipa> k
19:50 < jrmithdobbs> petertodd: this is not particularly surprising
19:50 < sipa> i can't say i've sufficiently followed it all
19:52 < petertodd> jrmithdobbs: yup, money can only do so much. Something I think is especially striking is how it's been revealed that the NSA relies really heavily on highly scripted checklists so that very average techs can execute attacks without getting into trouble.
19:53 < petertodd> jrmithdobbs: or how the crypto-attacks they do have all involve what people have been suspecting all along, and don't involve math all that beyond what is known publicly
19:53 < jrmithdobbs> petertodd: you're assuming they're paying that well, and they're not
19:53 < jrmithdobbs> petertodd: even for the people creating said attacks
19:54 < maaku> hah they definitely do not pay well
19:54 < petertodd> maaku: ha, personal experience?
19:55 < maaku> worked for the government / contracting, yes, spy agency no
19:55 < jrmithdobbs> petertodd: eg, the fake "outrage" over snowden's salary is hilarious to me, he was making a little above average for his experience on the west coast, not even that much above really
19:55 < petertodd> What I was told is that the pay isn't much beyond private sector, but the benefits are very good, esp retirement benefits that really induce people to stay for their whole careers and stay loyal.
19:55 < maaku> if you're a civil servant yes
19:56 < jrmithdobbs> petertodd: those are just rationalizations people make, the benefits aren't that great and haven't been anywhere in the fed gov since reagan
19:56 < sipa> jrmithdobbs: what was his pay?
19:56 < maaku> after 25yrs you get full pension (low six figures), and then you usually 'retire' to a higher paying private job
19:56 < jrmithdobbs> sipa: like 125ish iirc
19:56 < sipa> 125k USD/year?
19:56 < jrmithdobbs> ya
19:56 < sipa> that's all?
19:56 < maaku> yeah you could snag that out of college in silicon valley, in the right industry
19:56 < jrmithdobbs> ya
19:57 * sipa hides
19:57 < jrmithdobbs> exactly
19:57 < petertodd> maaku: sounds like what I was told. Of course, you want to be careful with pay: you don't always want people who are pay oriented, especially in the short term.
19:57 < sipa> jrmithdobbs: wikipedia says 200k
19:58 < petertodd> Note how reports are that snowden was paid a heck of a lot fairly early in his career.
19:58 < jrmithdobbs> sipa: meh, so he got the equiv of stock grants
19:58 < jrmithdobbs> good for him
19:58 < maaku> sipa: IIRC he filed an income tax for one year that was closer to 200k, but that was with additional income and was a one-time thing
19:59 < maaku> but nevertheless that's of course what the media quotes
19:59 < jrmithdobbs> maaku: ah
20:01 < maaku> the thing is these jobs are *very* stable. so they usually hire people below market rates, and they stay for the stability
20:02 < jrmithdobbs> ya so long as you can cope with the bs
05:24 < petertodd> well, without UTXO commitments and SPV nodes being able to ask peers for UTXO's I'm not sure that there's actually much difference between P2SH^2 and not - dust rules make UTXO bloat expensive anyway, so data-using apps naturally will spend their UTXO's just to keep things cheap
05:24 < petertodd> point is, right now you *can't* query the UTXO set, so there's no difference to storing data in it, vs. storing data in the blockchain in general
05:25 < sipa> but P2SH^2 doesn't let you query it either
05:26 < sipa> gtg
05:27 < petertodd> no, but if you can't query, simple things like dust-rules are fine because there's no *advantage* to storing your data in the UTXO set
05:28 < petertodd> It's something I like about MMR TXO commitments: they *don't* make it easy to prove the existence of a *class* of TXOs
05:31 < sipa> right, but p2sh^2 makes storing any data at all hard
05:31 < petertodd> no, it's still perfectly possible with P2SH multisig
05:32 < petertodd> not much more expensive than a bare CHECKMULTISIG that you spend
05:32 < sipa> true
10:41 < jgarzik> gmaxwell, JFYI check out @jgarzik or @matthew_d_green on twitter, there have been some good conversations reviewing ECDSA + bitcoin
10:41 < jgarzik> (twitter is fscking awful for referencing threads like this...)
10:42 < jgarzik> sipa, ^
10:42 < jgarzik> https://twitter.com/pbarreto/status/392279389716504576 scroll up and down
10:47 < gmaxwell> what gibberish are these people spewing
10:47 < gmaxwell> of course it checks if the point is on the curve or the twist.
10:48 < gmaxwell> and our implementation checks signatures after creating them.
10:51 < gmaxwell> man, twitter sucks.
10:53 < gmaxwell> in addition to the email I sent you, I also posted this: https://bitcointalk.org/index.php?topic=285142.msg3118788#msg3118788
10:54 < gmaxwell> hm. but I don't seem to point out that bitcoin-qt validates after signing, (and I consider this a best practice)
10:54 < gmaxwell> I guess that should get put in neon lights someplace.
10:56 * jgarzik noticed that when adding signing to node-libcoin
10:56 < jgarzik> Just figured it was sane, good practice
10:57 < jgarzik> Didn't know that validate-after-signing was more important than that
11:02 < petertodd> jgarzik: I'll do my NODE_BLOOM bip as the first pull-req
11:02 < gmaxwell> yea, for our curve (which, like most, is not twist secure) bitflips during multiplies can result in you effectively using an alternative not-secure curve. The result won't validate... but it may be possible to recover private keys as a result.
11:04 < gmaxwell> though really, a better curve can only partially fix that: a bitflip in a pointer can just have the signature splat out your private key directly, if not validated. :P
11:07 < amiller> can anyone here tell me about DIANNA
11:07 < amiller> as far as i can tell it's the only elaborated idea that is susceptible to a kind of merge mining attack where you withhold some data, and then later release it
11:07 < amiller> and someone who later sees it will choose the wrong chain because of timestamp order
12:21 < Muis> I thought of an alternative to proof-of-work, but I need some critique on it by someone with a sound knowledge of the bitcoin protocol
12:22 < Muis> so if anyone has the time/skills to review my idea, let me know!
12:57 < Luke-Jr> did gmaxwell resign as BIP editor?
13:09 < jgarzik> Luke-Jr, gmaxwell is fine too
13:10 < jgarzik> wiki-as-primary is not the best path forward, IMO
13:10 < Luke-Jr> sure, but I don't see why that means we should change BIP editor. gmaxwell has been doing a good job IMO :P
13:11 < jgarzik> TBH I simply was not aware of gmaxwell as BIP editor
13:11 < jgarzik> it seemed quite chaotic and unedited
13:13 < sipa> the 'editing' was just that he was the person to assign BIP numbers
13:28 < maaku> amiller: what's unique about the DIANNA merge-mine attack?
13:40 < maaku> you mean that you can simultaneously mine two or more forks, double-counting the PoW?
13:43 < gmaxwell> Yea, the only task I had was assigning the numbers when it looked like there was some agreement that there should be one. (No lack of desire to do more or less on my part, I'll do whatever people want)
18:51 < sipa> petertodd: care to explain MMR's in some more detail?
18:51 < petertodd> sure
18:51 < sipa> i can come up with a few datastructures that seem to match the general direction you're going in
18:51 < sipa> but i'd like to know exactly what you're thinking about
18:51 < petertodd> you read my thing on MMR's?
18:52 < sipa> no, where?
18:52 < petertodd> https://github.com/opentimestamps/opentimestamps-server/blob/master/doc/merkle-mountain-range.md
18:52 < petertodd> doesn't mention that they are cheaply updatable, but otherwise it's complete
18:59 < sipa> ok, so you have an O(1) append, O(log(n)) updatable merkleized datastructure
18:59 < sipa> what do you store in it?
18:59 < sipa> transaction outputs, including their spentness bit, i suppose
19:00 < petertodd> yup, same as the UTXO set
19:00 < petertodd> though I was thinking that H(scriptPubKey) wouldn't be a bad idea - kinda the same effect as P2SH^2
19:00 < warren> Regarding https://github.com/bitcoin/bitcoin/pull/2900 I'm guessing that the people with working exploits really don't want to discuss it in public.
19:00 < sipa> so they are not indexed in any way - you have to know where a particular element resides
19:00 < warren> The discussion has been dysfunctional from people being unwilling to discuss it openly.
19:01 < petertodd> sipa: yup, which is good, because that's what lets you append without having any of the data
19:02 < petertodd> warren: yeah, it's a complex issue... frankly, meh :)
19:02 < petertodd> warren: mike, gavin and I disagree on philosophical, not technical grounds
19:03 < petertodd> sipa: vs. UTXO sets where any given append might need a UTXO from any point in history
19:05 < sipa> so, how much does a client need to know to update his wallet's txo set?
19:05 < sipa> later blocks will only build new nodes next to, or on top of his nodes
19:06 < petertodd> sipa: well, basically you want a complete path to the most recent commitment. Now every new block will tend to invalidate the latter part of that path, but the beginning is only invalidated when adjacent transactions are spent.
19:07 < sipa> petertodd: so, i wonder, what if instead of a single mountain range, you just have a single tree per block
19:07 < sipa> with its transaction outputs, ordered
19:07 < petertodd> sipa: right! and I think that's a good idea actually, although you still need the MMR to commit the state of all blocks
19:07 < petertodd> ordering transaction outputs is nice of course for proof reasons
19:07 < sipa> that means that once a tx is in a mined block, a wallet doesn't need to know anything anymore
19:08 < sipa> you might even optimize a bit, by scrapping outputs spent within the block itself already
19:09 < petertodd> yeah, see, I'm a bit divided on that actually: I'm not sure that outputs being spent within a block is conducive to compact fraud proofs
19:09 < sipa> i'm unfamiliar with the word 'conducive'
19:10 < petertodd> I was thinking that given that wallets basically never have a good reason to spend unconfirmed coins that someone just gave them, it's not unreasonable to say txs in a block may only spend txs prior to that block, provided that tx replacement is available to rewrite txs to add new outputs when you make a few txs in a row
19:10 < petertodd> "making a certain situation or outcome likely or possible."
19:10 < sipa> i don't see why they'd never have reason for that?
19:11 < petertodd> basically just that it's dangerous re: double-spends generally, not to say it's absolutely never useful
19:11 < petertodd> anyway, I gotta think about that more
19:11 < sipa> well in many cases you do trust the sender
19:11 < sipa> in particular when it's yourself
19:12 < petertodd> yes, although if it is yourself, you could just as easily replace the transaction with one with more outputs
19:12 < petertodd> (usually)
19:13 < sipa> i guess you can build an MMR on top of the block's root state hashes
19:14 < petertodd> yeah, which is ugly... I dunno, I'm just inclined to leave it out if it looks at all complex frankly. We really want fraud proofs to have as few code-paths as possible.
19:14 < sipa> but the benefit is relatively small - you just need to maintain each block's top
19:14 < petertodd> They terrify me enough already.
19:14 < sipa> which grows linearly
19:14 < petertodd> ?
19:14 < sipa> the number of blocks grows linearly in time
19:15 < petertodd> oh, no, building an MMR on top of that is absolutely mandatory to be able to generate fraud proofs
19:15 < sipa> hmm?
19:16 < petertodd> basically the issue is that while the size of the block root hashes is small, the TXO commitments of them change constantly as transactions are spent, so it's unrealistic to expect a low-bandwidth client to have an up-to-date version of that, yet they still will want to be able to reject a block
19:17 < maaku> it might be true though that it is simpler for a light(er) client to work with an MMR of block root hashes
19:17 < petertodd> for instance, imagine if every txout spent in a block was from a different block - that could be a few thousand roots changed at once even with 1MB blocks
19:18 < petertodd> maaku: yeah, and MMR's of block roots help out for other reasons too
19:18 < maaku> i mean, opposed with a straight MMR over a linear sequence of txouts
19:19 < petertodd> maaku: yeah, I was thinking that doing the MMR over just the block roots was the way to go - one good reason is it makes it conceivable that multiple nodes could co-operate to create a block in a low-bandwidth per node way
19:20 < petertodd> also keeps txin proofs reasonably small, especially if it were done with 20-byte hashes
19:23 < sipa> so, each txin must give the merkle path from the prevout point to a known root
19:23 < sipa> which can be used both to verify that it actually existed, and to compute the new root
19:24 < petertodd> exactly
19:24 < petertodd> and what's also nice is those proofs can be easily composed, as well as updated. (similar to maaku's points re: composing radix trees)
--- Log closed Tue Oct 22 00:00:31 2013
--- Log opened Tue Oct 22 00:00:31 2013
15:14 < gmaxwell> petertodd: RE: pay to contract... here is a snazzy #-wizards idea.
15:15 < gmaxwell> petertodd: merchant gives the proposed contract to the user along with a bitcoin pubkey and a pairing pubkey.
15:15 < gmaxwell> User picks a pairing pubkey and a bitcoin pubkey.
15:20 < gmaxwell> User sums the two pairing pubkeys to get a third, shared, pairing pubkey.
15:20 < gmaxwell> (darnit, lost power)
15:22 < gmaxwell> User uses the pairing pubkey and forms a chameleon hash on the contract. He then uses the pairing pubkey + contract hash as the contract with the merchant's pubkey in a 1 of 2 pay to contract, with his other bitcoin pubkey in the other side.
15:23 < gmaxwell> The merchant accepts by redeeming the transaction.
15:23 < gmaxwell> The addition of the chameleon hash permits the merchant and the customer to cooperate to create alternative contracts.
15:23 < gmaxwell> So the blockchain is not evidence of the substance of their contracts if they don't choose it to be.
15:26 < gmaxwell> (One of the problems with pay to contract is that they make the existence of a contract public, so perhaps you could be coerced into providing the contract for a particular transaction)
16:47 < amiller> gmaxwell, petertodd one of you mentioned a python library for spamming the network with txs
16:47 < amiller> do you remember that
16:47 < amiller> i think it might have just been pyspend
16:47 < petertodd> ?
16:47 < amiller> not spamming the network but just taking a file and stuffing it in transactions
16:47 < petertodd> oh, the data upload script
16:48 < amiller> yeah that
16:48 < petertodd> that was inserted into the blockchain in marchish
16:48 < petertodd> I'm sure there's a pastebin of it somewhere
17:29 < gmaxwell> I almost forgot to do the obligatory internet sightseeing while in the UK.
17:29 < gmaxwell> Ah. There we go: "Sorry, the web page you have requested is not available through Virgin Media."
18:12 < midnightmagic> gmaxwell: what the hell?
18:14 < gmaxwell> censored internet. :)
18:15 < midnightmagic> gmaxwell: s/what the hell?/which website was it?/
18:15 < midnightmagic> such crap. all they're doing is providing strong pressure to make an uncensorable internet.
18:26 < maaku> is that the porn legislation, or are they blocking other stuff too?
18:27 < warren> does the law actually require that?
18:30 < pigeons> they caught him for attempted circumvention of the queen's filter
18:33 < petertodd> gmaxwell: what do you mean by "pairing pubkey" ?
18:34 < petertodd> gmaxwell: and what's a good and practical chameleon hash?
19:10 < maaku> warren: my understanding was the PM tried to push legislation, then backed off when there was outcry and some ISPs agreed to preemptively filter
19:11 < maaku> but i'm not in the UK and haven't been paying attention recently
--- Log closed Wed Oct 23 00:00:35 2013
--- Log opened Wed Oct 23 00:00:35 2013
22:44 < gmaxwell> petertodd: any luck getting that coinjoin transaction mined yet?
--- Log closed Thu Oct 24 00:00:38 2013
--- Log opened Thu Oct 24 00:00:38 2013
00:09 < amiller> petertodd, so about DIANNA
00:10 < amiller> it claims that by requiring that it contains a hash to a parent block in the Bitcoin chain that it's invulnerable to a 51% attack on DIANNA miners, as long as there's no 51% attack on Bitcoin proper
00:11 < amiller> and that just absolutely doesn't work
00:12 < gmaxwell> I tried to tell people about that on some other recent MM thread, but my patience in arguing with people is, in fact, not boundless. (shocking, I know)
00:12 < petertodd> I think we found a bug in gmaxwell
00:13 < gmaxwell> Unfortunately I wasn't able to come up with a crisp statement about the security model, at least in the general case absent a lot of implementation details.
00:13 < petertodd> I haven't gotten around to reading it, but it's probably vulnerable to data hiding attacks where you timestamp your chain and release it later
00:14 < gmaxwell> petertodd: if bitcoin miners aren't also XXX miners then a tiny minority of bitcoin hashpower can insert $bad or whatever commitments for the other thing. What happens then depends on the details of how the other thing works.
00:14 < petertodd> I wouldn't assume it's worthless though; it looks like in specific conditions timestamping instead of proof-of-work can work for consensus, although the incentives get weird and you become subject to attack by bitcoin miners
00:15 < amiller> oh i think i get it
00:15 < amiller> okay it is how i thought it was before
00:15 < amiller> so it does have to be a valid bitcoin block
00:15 < gmaxwell> petertodd: perhaps not worthless, but strong statements like "as strong as bitcoin" can't be true.
00:16 < petertodd> amiller: yeah, that's the only sane way to do it
00:16 < amiller> ugh i can't tell whether "the longest dianna chain" is chosen just by chronological order in bitcoin or whether it adds up the difficulty
00:16 < amiller> i think there isn't even any code for this for me to dredge through
00:16 < petertodd> gmaxwell: nope, OTOH statements like "way stronger than your shitty MM chain" can be
00:16 < gmaxwell> amiller: haha this totally sounds like this discussion: https://bitcointalk.org/index.php?topic=313347.0
00:16 < amiller> anyway in either case it offers no security beyond being an otherwise merge mined chain so they're flat wrong
00:16 < petertodd> if there's no code I wouldn't put too much effort into it
00:18 < amiller> ok, deleted
00:19 < amiller> btw i'm working on a paper to submit to IEEE Security and Privacy, in 3 weeks, the academic security conference for bigshots
00:19 < amiller> it's a "systemization of knowledge", so kind of a survey, but this one is about protocols using bitcoin as a platform, and all the proposed ideas for modifying bitcoin and altcoins, etc
00:20 < amiller> i'd paste a link but it's in too poor shape atm :/
00:20 < petertodd> oh yeah? I'm working on something about colored coins, which has kinda extended a bit into consensus systems in general
00:21 < petertodd> I'll post a link because I have no shame: https://github.com/petertodd/decentralized-consensus-systems
00:24 < gmaxwell> petertodd: https://bitcointalk.org/index.php?topic=317028.0 < perhaps they need some contract work done to produce nice proofs of ownership investors can check.
00:24 < petertodd> gmaxwell: good idea.
00:24 < petertodd> there was another group at the conf with a similar problem
00:25 < gmaxwell> if we're to have a future which isn't stuffed full of fractional reserve the tools need to exist soon so the community can force them onto people.
00:25 < gmaxwell> but it would be nice if someone who wanted them as a competitive advantage would pay to get them built.
00:26 < amiller> what is the challenge with making a merkle tree storage-hard pow
00:27 < gmaxwell> no one who cares a lot about alternative pows has enough braincells to understand why such a thing would be desirable?
00:27 < amiller> i thought the scheme i described a long time ago that's based directly on dwork&naor memory-bound moderately hard puzzles works fine and is "asymmetric" in the sense that it's cheap to check regardless of how much work it takes
00:27 < gmaxwell> oh you mean for the proof of storage once.
00:27 < amiller> yes
00:28 < amiller> petertodd just reminded me about it
00:28 < gmaxwell> amiller: your stuff is more like "Proof of storage throughput over some data"
00:28 < amiller> right it involves reading instead of writing and reading
00:28 < gmaxwell> amiller: the storage-hard stuff we're talking about is proof of using up space.
00:29 < gmaxwell> (no real throughput component at all)
00:29 < amiller> and a merkle tree over it is too hard?
00:29 < amiller> oh
00:29 < amiller> but the space can be arbitrarily large
00:29 < amiller> as a parameter
00:30 < gmaxwell> amiller: yea. The idea is that you can use temporarily chewing up disk space as a gatekeeper to opening a peering connection, so that a diskspace bounded attacker can't use up all the connection capacity on the network.
00:31 < amiller> okay i think i see
00:31 < gmaxwell> (also has the benefit of basically zero hardware specialization gain, even stronger than any memory hard throughput function has)
00:32 < amiller> well i dont see about that
00:32 < amiller> you can make the memory hard throughput puzzle (or if you don't need it to be a scratchoff puzzle you can just do a single proof of retrievability which is like one round of that) use arbitrarily as much space
00:33 < petertodd> gmaxwell: and no, no luck in getting them mined
00:33 < gmaxwell> sure, but throughput puzzles at least have gains from making faster space. Bulk storage is one less thing to optimize for. And it can avoid an ongoing cost.
00:34 < amiller> well forget throughput, this isn't for mining
00:34 < amiller> it can be interactive challenge/response
00:34 < amiller> you can make them commit to an arbitrary merkle tree of power-of-two number of leaves n
00:35 < amiller> each leaf i consists of H(challenge || i)
00:35 < gmaxwell> amiller: for the goal I stated you need different state per every "server" or a client could have one copy of the data and connect to 100k servers.
00:35 * gmaxwell lets you talk
00:36 < amiller> okay so to make it a little easier do H(verifierID || i) for each leaf i
00:36 < amiller> (so they don't have to interact with you before preparing their disk)
00:36 < amiller> then verifier sends a challenge
00:36 < gmaxwell> and the challenge is?
00:36 < amiller> random string to use for this session or the next five minutes or whatever
18:50 < gmaxwell> nanotube: because presumably we don't have 99% of nodes being run by people who are out to make a profit doing it. Offering some money to run spy nodes (or whatever) would only switch a small percentage of the total nodes.
18:51 < gmaxwell> nanotube: vs if running a node were widely seen as a money making endeavor, perhaps it would switch most of them.
18:51 < gmaxwell> It's a concern, I'm not sure it's a good one.
18:52 < gmaxwell> but I've seen with mining that introducing money into things creates a lot of weird effects. Pirate's hashrate buying service got a LOT of hashrate...
18:52 < nanotube> well, i see what you are saying. but i'm not sure if we model it with real variables, it's actually a concern. let's say currently we have N people running nodes for no compensation.
18:52 < nanotube> if we introduce compensation, we'll have those N people, plus P other people who would only run because of compensation
18:53 < gmaxwell> but will the N continue if there are M people running for pay where M >> N? Certainly my motivation to run nodes would be reduced if there were already plenty of them.
18:53 < gmaxwell> (My M is your P)
18:54 < gmaxwell> and in terms of network risks, the ratio of good to bad nodes can matter more than the absolute number of good nodes. E.g. if 99% of nodes are bad it doesn't matter if there are a million good nodes, you'll only infrequently connect to one.
18:54 < nanotube> ok, let's introduce that factor also. :)
18:54 < nanotube> irc sucks for this, i'm going to write some text.
18:55 < gmaxwell> Sweet, our model now needs an ordinary differential equation. :P
18:56 < nanotube> heh
18:57 < gmaxwell> I haven't tried to model it in detail because I expect that I can pick parameters that go either way and won't be able to decide between them. :(
19:10 < nanotube> http://pastebin.com/CfNMB85D <- really naive model... basically since marginal benefit to running a 'good node' is larger if we offer compensation, it seems we'd be no worse off.
19:10 < nanotube> the only catch is, if our offering compensation increases probability that evil will use that technique to do evil.
19:16 < gmaxwell> yea, that's something that I specifically argued when I talked to the tor folks about doing this in tor... that there may be a kind of initial hump in getting people to think of running nodes as a viable enterprise that currently keeps an attacker from doing it.
19:16 < gmaxwell> I'm not sure.
19:23 < nanotube> in addition to the hump, the big hurdle of developing the technology would be taken care of.
19:23 < nanotube> cf, how easy it is to create $fakecoin now that bitcoin is out there.
19:25 < nanotube> but for tor it's somewhat different, because it doesn't get /more/ expensive to run a node over time. for bitcoin it does, so the end game is dramatic shrinkage in node count.
19:26 < nanotube> that said, dunno if you're aware, tor has started some compensation scheme, where some nonprofit in the netherlands is going to pay 3500/month (total) to however many nodes register with the program, or some such.
19:26 < nanotube> so we get to learn from their experience on that front, a little bit.
19:28 < gmaxwell> I know, I'd passed on these concerns to them. (particularly pointing out that if they built the infrastructure so that any anonymous party could pay any tor node, that it might create some weird outcomes like pay-to-spy)
19:28 < gmaxwell> seems like they avoided setting things up like that, at least for now.
19:29 < nanotube> heh well, the government TLAs don't need to pay any third parties to spy. if nsa really wanted to take over tor, it'd only take them a trivial fraction of their budget to spin up like 10k tornodes, and make up significantly more than half of the tornet.
19:30 < nanotube> in fact... maybe 2k out of the 4k-some tor nodes already are government. ...
19:38 < gmaxwell> nanotube: perhaps, but paying third parties might be a more cost effective way to do it. ... and if you're some cybercrime group it might be an interesting thing to play with.
19:39 < nanotube> mm maybe...
19:40 < nanotube> i'm surprised the tor router project doesn't seem to have taken off. beyond a wiki page on setting it up https://trac.torproject.org/projects/tor/wiki/doc/OpenWRT
19:40 < nanotube> they could be selling pre-torified buffalos
20:05 < warren> someone we know here expert in embedded systems is thinking about selling bitcoind low power appliances
20:10 < nanotube> aka, netbook with bitcoind on it? :P
20:13 < warren> headless
20:14 < warren> probably ARM with 2GB RAM
20:17 < nanotube> mm
20:18 < warren> businesses often don't use their bandwidth at night when the office is empty, so if it costs them very little in power, they could run high capacity listening nodes at least all night and throttle back or stop listening during the day.
20:27 < gmaxwell> nanotube: one interesting point is that evil vs good pay is probably not mutually exclusive.
20:28 < gmaxwell> nanotube: e.g. you get paid X to run a good node, and if it also spies on users, you get Y too.
20:29 < warren> hmm, headless bitcoind appliances would need some kind of autoupdate mechanism ...
20:29 < warren> the maker could sell subscriptions to good/evil parties
20:30 < warren> It's amoral, it's just business!
20:36 < nanotube> warren: and while you are at it, put a tor node on the appliance also. that way bitcoin network will become less blockable, and if you turn on relaying by default (with some small transfer cap) you benefit the tor net also.
20:37 < nanotube> gmaxwell: hmm good point.
20:37 < warren> they probably won't like exit node by default
20:37 < nanotube> warren: sure not exit, just relay
20:37 < warren> nanotube: I'm not the one designing this thing
20:37 < warren> he just mentioned he might do it
20:37 < nanotube> warren: well, yea, i mean, pass it along :)
20:38 < nanotube> gmaxwell: but that just means it's cheaper to be evil. :)
20:39 < gmaxwell> nanotube: well it means that if someone else is paying the activation cost to make a pure profit motivated person run a node, an evil party can redirect most of that effort at far lower cost.
20:40 < nanotube> yes. so s/cheaper/much cheaper/ :P
20:40 < gmaxwell> evil only has to pay enough to move people from good to evil, not to run a node.
20:40 < gmaxwell> yea.
20:41 < nanotube> but many forms of evil can be tested for and not paid. e.g., transaction validation and relay variances, etc.
20:41 < nanotube> spying, not really. but... everything that goes through the bitcoin network is public anyway. so i'm not sure how much use there is in evil-spying for pay.
20:42 < gmaxwell> yea, spying can't be tested except by the evil master, and rule changes that trigger in the future can't be tested for. (well evil master could kinda test for them, but not anyone else)
20:42 < gmaxwell> nanotube: ::shrugs:: bc.i has monetized their own spying pretty well: they post people's IPs and then charge people to use their mixer service. I believe it's their only revenue source now.
20:43 < warren> s/mixer/shared send/
20:44 < nanotube> do you think they'd make less money on the mixer if they didn't post people's ip addresses? :P
20:48 < gmaxwell> I do. Though I only have the informal evidence of people showing up in IRC angry that the bitcoin blockchain recorded their IP addresses, from time to time. (::facepalm::)
20:49 < gmaxwell> (and then seeing people direct them to the mixer thing)
20:49 < warren> perhaps delisting for a fee could be another revenue source =P
20:50 < gmaxwell> cheaper to just block them.
20:56 < jgarzik> gmaxwell, definitely not their only revenue source
20:56 < jgarzik> gmaxwell, hint: advertisements on the front page float by unpredictably
20:57 < gmaxwell> oh hey, I just came up with an almost secure way to selectively hang up on nodes which connect to lots of other nodes.
20:57 < warren> oh?
20:59 < gmaxwell> using cryptographically private bloom filters: http://www.reddit.com/r/programming/comments/1ixoov/cryptographically_private_bloom_filters/cb91uj9
21:00 < gmaxwell> the idea is that your peers give you an encrypted list of their peers. You can then encrypt your list of peers, send them to the peer and have the peer reencrypt them, and then you can decrypt the result and tell what peers you have in common.
21:01 < gmaxwell> I say almost secure because if some node was hated by lots and lots of nodes, those nodes could lie and say he was connected to them, in order to encourage other people to drop connections to that node.
21:01 < gmaxwell> but ignoring that attack, this would let you be able to do something like hang up on peers that are already connected to half your other peers.
21:01 < gmaxwell> without disclosing who is connected to who.
21:02 < gmaxwell> (your peers would limit the number of queries you could perform, so you couldn't just test all nodes against their lists)
21:03 < warren> "you" being a connection or an IP?
21:03 < warren> and does that fail if you change your IPv4, or ipv6?
21:04 < gmaxwell> nah, I don't think so, since they could just limit the queries globally. E.g. I won't answer more than X queries per day or whatever.
21:05 < warren> so you can make the entire system just stop working
21:06 < warren> gmaxwell: this could be defeated by simply randomizing the from addresses, combining all the data into a surveillance net
21:07 < gmaxwell> I'm not talking as much about surveillance as I am about connection saturation.
21:08 < gmaxwell> Today you can fill up all connection slots on the bitcoin network with 1 IP. With some easy fixes we could increase that so you needed 124 IPs.
21:08 < gmaxwell> But making it take more than 124 IPs seemed mostly unsolvable to me, perhaps it's not.
21:09 < gmaxwell> making surveillance a little harder would be a nice side effect.
21:09 < warren> ooh
21:09 < warren> there's more low hanging fruit to raise the cost of filling all listening slots
01:31 < phantomcircuit> jgarzik, with ssds it's the firmware
01:31 < jgarzik> phantomcircuit, the latter comment, when investigated at Red Hat, turned up stupid app behavior 90% of the time
01:31 < phantomcircuit> it's not uncommon at all for an ssd to completely fuck up where things are written
01:32 < jgarzik> I was L3 on that for years
01:32 < phantomcircuit> yeah that's not surprising
01:32 < petertodd> The great thing about embedded systems development is "know your hardware" can mean reading the datasheet for your 8-bit uC's and getting a timing diagram showing under exactly what conditions EEPROM cells get corrupted. :P
01:33 < petertodd> Heck, on the wall by my desk I have one of my artworks that does exactly that with a carefully calculated set of VCC hold-up caps.
01:50 < jgarzik> petertodd, "the pool uses compressed keys, while the blockchain.info client only uses compressed keys"
01:50 < jgarzik> petertodd, should one of those be "uncompressed"? or am I just confused?
01:50 < petertodd> doh!
01:50 < gmaxwell> the latter is uncompressed
01:50 < petertodd> yeah, client is uncompressed
01:51 < phantomcircuit> jgarzik, i get a good laugh out of bc.i
01:51 < phantomcircuit> they operate a service which allows you to purchase bitcoins and then obscure their origin
01:51 < phantomcircuit> quite literally money laundering
01:51 < phantomcircuit> herp derp
01:52 < petertodd> money laundering isn't what you think it is...
01:52 < gmaxwell> jgarzik: so the difficulty in getting people to use petertodd's dust-b-gone is starting to make me doubt my prior thought that "wallet applets" could be a viable way to introduce new wallet features.
01:52 < petertodd> the purpose of money laundering is to make money have a *legit* origin, bc.i is just making it have no origin at all
01:52 < phantomcircuit> petertodd, useful money laundering is the first
01:52 < phantomcircuit> legal money laundering is either
01:52 < gmaxwell> petertodd++ but that doesn't mean bc.i might not get into a regulatory mess.
01:53 < phantomcircuit> you'd be an idiot to launder money through bitcoin anything
01:53 < phantomcircuit> but that doesn't mean doing so isn't illegal
01:53 < petertodd> well if we keep repeating my point over and over we might change the discussion... :)
01:53 < gmaxwell> in any case, they've been warned! (and at least renamed their "mixer")
01:54 < phantomcircuit> they've had legal counsel refuse to represent them because their business is obviously in violation of uk law
01:54 < gmaxwell> we need someone to make a catchy music video like https://www.youtube.com/watch?v=7E0ot9iJm_k (terrible secret of space) which just repeats over and over again "the purpose of money laundering is to make money have a *legit* origin"
01:54 < Luke-Jr> is that the legal definition?
01:55 < phantomcircuit> Luke-Jr, the legal definition is to obscure the origin
01:55 < jgarzik> gmaxwell, not sure I was party to a "wallet applet" discussion. I did notice that some wallets like Hive are direct-integrating with gambling and exchange sites via plugins.
01:55 < phantomcircuit> however that's not very useful for actual criminals
01:55 < gmaxwell> in the US there isn't just one legal definition, there are dozens (hundreds? easily if you count state laws) of laws that possibly interact with money laundering.
01:55 < phantomcircuit> nonetheless the definition is what it is
01:55 < jgarzik> gmaxwell, RE dust, I just think there should be background defragmentation
01:55 < phantomcircuit> gmaxwell, bc.i is a uk company
01:55 < jgarzik> gmaxwell, perhaps via coinjoin. mix + dedust
01:56 < petertodd> gmaxwell: yeah, that's the real issue - better for something like bc.i to not be operating at all if they want to be safe, chances are even operating a wallet is legally risky
01:56 < gmaxwell> jgarzik: ah, I'd thought you were... at least in the past I'd bought into an idea that things like background defragmentation and such could potentially be introduced with contrib/ grade side-car applications. As a way of reducing the time to getting features in the core codebase.
01:56 < gmaxwell> jgarzik: yea, petertodd's dust-b-gone is a coinjoin dust discarder.
01:57 < gmaxwell> Luke-Jr: I'd guess that if you are pedantic about the law that in some states it's probably unlawful to accept money.. ever. just due to poorly constructed laws that interact in unexpected ways.
01:57 < phantomcircuit> petertodd, it's better that they do one thing at a time
01:58 < jgarzik> gmaxwell, some pedantic interpretations of US law imply you should file forms for every cash transaction, anywhere, regardless of whether you are consumer or merchant or peer
01:58 < jgarzik> especially if you cross state or international borders
01:58 < Luke-Jr> gmaxwell: IMO trying to change the definition to workaround laws isn't a viable option
01:58 < jgarzik> nutters
01:59 < gmaxwell> Luke-Jr: I'm not suggesting it to workaround the law.
01:59 < Luke-Jr> the elegance of CoinJoin is that it isn't concealing anything; it's just discarding unnecessary information
01:59 < petertodd> jgarzik: which reminds me of how idiotic people are for continually pointing out cash as why bitcoin won't be banned; lots of jurisdictions are doing everything they can to ban cash
01:59 < gmaxwell> Luke-Jr: the reason I suggest making the definition more clear is just because the broken one used in bitcoin land (mostly inspired by half understanding tv crime drama) just doesn't make sense.
01:59 < Luke-Jr> gmaxwell: a music video to promote a definition that differs from the legal definition, would be just that IMO
01:59 < jgarzik> My on-going prediction, since 2010, has been that bitcoin will be regulated as cash is currently regulated.
01:59 < jgarzik> in US and elsewhere
02:00 < jgarzik> with all that implies
02:00 < gmaxwell> Luke-Jr: I don't think that what I'm saying is distinct from the legal definition. (I also didn't mean it seriously)
02:00 < petertodd> jgarzik: right, so it'll be illegal to have bitcoin wallets with large amounts of bitcoins in them, and gradually those amounts will decrease to the point where bitcoin is effectively banned
02:00 < Luke-Jr> petertodd: huh?
02:01 < Luke-Jr> is there some law saying I can't bury large amounts of cash in my backyard? :/
02:01 < jgarzik> petertodd, I'm waiting for the first attempted prosecution when someone flies across a US/international border without declaring the > $10,000 in bitcoins they were carrying.
02:01 < petertodd> jgarzik: meanwhile bitcoins, when discovered, will be seized routinely the same way large amounts of cash are under civil forfeiture laws
02:01 < gmaxwell> Luke-Jr: the legal definition is very complicated. the idea that anything that conceals the origin is money laundering is a toy version of the law. The idea that money laundering == giving an apparent legitimate origin to money is another toy statement of the law. The latter has the benefit of actually explaining _why_ people launder money at least...
02:01 < petertodd> Luke-Jr: in some european countries yes
02:01 < gmaxwell> Because just doing the first, in the US at least, actually does you very little good.
02:01 < petertodd> Luke-Jr: for instance IIRC italy has banned all cash transactions for any reason over 1000 euros
02:01 < phantomcircuit> gmaxwell, the problem is that the definition you use is based largely on how strict law enforcement wants to be
02:01 < petertodd> jgarzik: bingo
02:02 < gmaxwell> jgarzik: so I might attempt a declaration of bitcoins when returning from Vancouver at the beginning of november. I don't have anything scheduled for the week after that... it would be interesting to see what happens.
02:03 < Luke-Jr> petertodd: that's a cash *transaction*
02:03 < jgarzik> in terms of US "climate", it is noteworthy that government types are also concerned about consumer privacy.
02:03 < jgarzik> A handful of Large Businesses (Fortune 1000) have also expressed concern about business transaction privacy.
02:03 < petertodd> gmaxwell: lol, I like how you're giving a week for that...
02:03 < jgarzik> it is easy to look over a shoulder at starbucks, if you can spot a payment address, and chain-stalk that person
02:03 < petertodd> Luke-Jr: yes, and meanwhile large amounts of cash get routinely seized in the US on suspicion of being involved with drugs, and it's damn near impossible to get it back.
02:03 < gmaxwell> in particular I could arrange it so that bitcoins I have with me are likely to increase in value while I'm at IETF and cross the threshold.
02:04 < petertodd> Luke-Jr: other countries have direct capital controls on cash
02:04 < gmaxwell> jgarzik: or the minimum wage drone at starbucks hired a week ago is doing the chainstalking.
02:04 < Luke-Jr> gmaxwell: how are the bitcoins "with you"? :p
02:04 < petertodd> jgarzik: one of the ironies is that Bitcoin could be simultaneously considered as being too private, and prone to "money laundering", and too public, and thus banned for privacy reasons
02:04 < gmaxwell> Luke-Jr: that would be part of what the exercise is for exploring. What does customs think that definition is?
02:05 < jgarzik> One argument I do think could be made: the coins are "in the cloud". Control of the coins (keys) is what the owner holds. Not sure if that could be legally useful, but it seems like it might be.
02:05 < jgarzik> petertodd, indeed
02:06 < phantomcircuit> <gmaxwell> in particular I could arrange it so that bitcoins I have with me are likely to increase in value while I'm at IETF and cross the threshold.
02:06 < jgarzik> petertodd, depends on which prosecutor is writing their next Shakespearean piece
02:06 < phantomcircuit> gmaxwell, the us border patrol will arrest you if you fail to declare the changed amount
21:51 < petertodd> amiller: Fortunately I think you can securely do a "pay to help me get this ancient txout mined" service with a joint transaction.
21:51 < amiller> you can have updates
21:51 < amiller> and if you aren't relatively alive to hear the updates
21:51 < amiller> and everyone forgets intermediate state before you get yours
21:51 < amiller> then you might not be able to find it from anyone
21:52 < amiller> say you send a new coin to yourself, then you go into a coma for 50 years, then come back
21:52 < amiller> can you spend your coin
21:52 < amiller> all the tips have changed
21:53 < petertodd> amiller: Yeah, it absolutely could happen, although it's likely there will always be at least one person with a copy out there somewhere.
21:53 < amiller> kinda?
21:54 < petertodd> The other thing is that keeping your wallet updated is actually decently cheap because you only need to watch for transactions that modify your proof. In addition if you update your proof once, the chain data you need to update it again is much lessened - just the transactions that changed the lower part of your proof as the upper part is more recent.
21:54 < amiller> maybe you still want to do proof of storage over the whole tree to be sure
21:55 < petertodd> amiller: Yeah, it's hard to say... I suspect that given that everything is easily fraud proofed, we can skip proof of storage so long as finding fraud is rewarded somehow.
21:55 < amiller> no i mean
21:55 < amiller> you want to encourage people to store the data
21:55 < amiller> if it's plausible that someone who should be enabled to spend it might not have that data
21:55 < petertodd> amiller: Right, but the "pay to spend" system works fine for that.
21:55 < maaku> ok i see what you're saying now, but i hadn't thought it was a concern since the signer has control over the transaction id... they can always pick a new one that they can find a path for
21:55 < amiller> no it doesn't
21:55 < amiller> you can pay to spend if someone has the data
21:56 < petertodd> What we need is to encourage people to *validate* the data, which != storing it.
21:56 < maaku> assuming they don't pay an archive node to find a path for them
21:56 < amiller> but you can't pay them ahead of time to store it and update it forever
21:56 < amiller> okay here's a thing
21:56 < petertodd> maaku: Yeah, but that basically means those archival nodes need to be found every !@#$ time you create a transaction, or even for that matter just to add coinbase outputs to the set.
21:56 < amiller> maybe if i know i'm about to go into a coma or am afraid of it
21:56 < amiller> and want to purchase go-into-coma-for-50-years insurance
21:56 < petertodd> amiller: No, but they can make a business decision that there's enough demand. And anyway, as I said, updating your proofs is incremental.
21:57 < amiller> i can sponsor a bounty that rewards people over time for doing proofs of storage of whatever is the most valid node
21:57 < amiller> it doesn't matter if it's incremental if the point is that i go away for a long time then come back
21:57 < amiller> i'm not interactive and receiving updates during that time
21:57 < petertodd> amiller: Well, you know how you do that? You create nLockTime'd transactions! To spend the txs way in the future they have to prove them!
21:58 < petertodd> When they brodcast the proofs, you can reuse that data to prove your own transactions!
21:58 < petertodd> *broadcast
21:58 < amiller> that's not a great solution for minor economic reasons and periodic proof of storage is somewhat better
21:58 < amiller> if it seems like you have a poor chance of being the winner then there's no reason to do it
21:59 < petertodd> But this is the thing, we *want* people to be able to expire ancient data! Think 300 years in the future when transactions in the first 10 years of blocks just don't ever happen.
21:59 < petertodd> This is the only thing that can keep the blockchain data required to mine from growing without bound.
21:59 < amiller> i agree that this should be set by market forces of people who want it or are willing to insure themselves
21:59 < amiller> if i go into a coma and haven't paid for life support then it's my problem
21:59 < amiller> if i or someone gracious wants to pay somehow to keep my data validated then ok
21:59 < petertodd> Yeah, and market forces are enough, we do *not* need to add proof-of-storage to the consensus protocol.
22:00 < petertodd> Whereas with UTXO commitments, you absolutely do need proof-of-storage.
22:00 < amiller> i'll let that slide for now
22:00 < amiller> petertodd, yes, agreed, because with the utxo trie you never know *which* bits you'll need for appending new data
22:00 < amiller> which is an outstanding revelation
22:01 < gmaxwell> 18:04 < maaku> gmaxwell: my point is why pay an external proof-generating service *in addition to* the miners transaction fees?
22:01 < gmaxwell> Right now, ~no one is paid for it. And miners (if you mean the guys who own asics)
22:01 < gmaxwell> don't do it at all... you could argue that the pool op is paid for that
22:01 < gmaxwell> service but it's only as an accidental side effect, and it highly incentivizes
22:01 < gmaxwell> centralizing that ability. vs letting each user keep their own or pay for
22:01 < gmaxwell> their own retrieval very naturally scales and doesn't create a
22:01 < gmaxwell> centralization incentive, I think.
22:02 < petertodd> amiller: Yeah, MMR TXO also naturally has good access requirements, which mean that archiving data to tape and so on is very practical.
22:02 < petertodd> amiller: (even when you want to be the "help me mine my txout" service)
22:03 < petertodd> gmaxwell: Did you see how paying to help get a txout mined can be done in a trust free manner too? Just create a transaction spending the txout that gives some BTC to the service - if they can't get it mined they don't get paid.
22:03 < amiller> that's a crap solution
22:03 < petertodd> amiller: ?
22:04 < amiller> it's not good for replication
22:04 < petertodd> amiller: Why do you need to replicate?
22:04 < amiller> like, you'd prefer to have the reward for that paid in some way that encourages several people to have it
22:04 < amiller> because that service doesn't have terribly much incentive to store it redundantly
22:04 < amiller> they'd miss out on the future rewards i suppose
22:04 < petertodd> amiller: Well sure, but frankly that's impossible with math.
22:05 < amiller> no it isn't
22:05 < amiller> that's what pow does
22:05 < gmaxwell> petertodd: well almost. Say you make two versions, one paying a and one paying b. A fails to do the lookup. B does it. When A hears the transaction from B he can attach B's proof. ... fine for the user, bad for the service.
22:05 < amiller> that's the whole point of this massively replicated apparatus we have
22:05 < petertodd> amiller: No, proof-of-work simply proves a bunch of work was done, it doesn't prove that the work was done in a geographically separated set of disaster resistant datacenters.
22:05 < amiller> it doesn't *prove* that, but it *causes* that
22:05 < amiller> that's exactly what it causes
22:06 < amiller> incentivizes, rather
22:06 < gmaxwell> amiller: that's the user's own darn problem, if he wants great storage he can pay for it. Importantly, it doesn't have the commons resource problem of making everyone pay for something that only benefits one user.
22:06 < petertodd> gmaxwell: Yeah, those services are going to want to either mine the txs themselves, or have meatspace contracts.
22:06 < amiller> agreed with both of those
22:06 < petertodd> gmaxwell: Well, actually you can fidelity bond those contracts...
22:07 < petertodd> amiller: I dunno about causes that... just look at pools...
22:07 < gmaxwell> yea, and it's super cheap to maintain your own if you're already running a FVN
22:07 < amiller> petertodd, pools are geoseparated disaster resistant data centers, it's hosted mining that's the problem
22:07 < gmaxwell> and to have tit for tat mutual watching agreements in communities of interest.
22:08 < petertodd> amiller: Pff, we're talking like a dozen pools at most - that's not very convincing disaster resistance compared to the thousands (probably) of full nodes.
22:08 < amiller> petertodd, no i mean the pool operators don't matter, the fact is pool participants all have gpus at their homes
22:08 < petertodd> amiller: Anyway, as gmaxwell said "It's your own fucking fault if your wallet becomes unspendable!"
22:08 < amiller> if you make a storage hard pow then it's the mining devices that are the replicated storage
22:08 < petertodd> amiller: GPUS != blockchain data
22:09 < petertodd> amiller: ok, true, but we're not changing the proof-of-work algorithm
22:09 < petertodd> amiller: maybe in some alt-coin
22:09 < amiller> yes you are, when it becomes obvious you have to
22:09 < petertodd> gmaxwell: sorry if I slightly misquoted you there :P
22:09 < amiller> what i'm *not* saying is that you'd have to make it mandatory that the consensus puzzle is over the whole merkle thing
22:09 < amiller> one option is to make it so you can pay to have it included
22:09 < gmaxwell> realistically the required redundancy for txout data is only three or four copies, let's say. But for decentralization we need tens or hundreds of thousands of full nodes. And the risk of not having enough copies should be borne by the owners of the data which was inadequately replicated, but bitcoin makes it a risk for the whole network.
22:09 < petertodd> amiller: people in comas for 50 years waking up to not being able to spend their wallets isn't a good reason :P
22:10 < amiller> so you can pay to have whatever replication factor you want
22:10 < amiller> i'm not arguing any particular solution here because it's not settled
11:21 * BlueMatt isn't sure exactly which "payment channels" is being discussed, but if it's done right, it can be all two-party (no blockchain) until the end and then only a few txn can be put in the chain to complete it
11:22 < BlueMatt> (without any trust)
11:22 < petertodd> BlueMatt: Ah, yeah, that's jspilman's version. Nice to see the wiki got updated with it.
11:23 < BlueMatt> anyway, I know mike is actually implementing it, so ping him
11:28 < petertodd> BlueMatt: cool
11:29 < BlueMatt> afaik it's pretty far along too
11:31 < petertodd> any client code yet?
11:31 < BlueMatt> hmm?
11:32 < petertodd> I mean, like a demo for an application?
11:32 < petertodd> that'll be the hardest part I think
11:32 < BlueMatt> no idea
11:34 < petertodd> ok, just thinking, lots of subtle issues re: backups and other stuff with protocols like these
11:34 < BlueMatt> entirely depends on how long your channel is
11:34 < BlueMatt> if the channel lasts a few hours...meh
11:34 < petertodd> same problem with chaum tokens: you need to have a reliable way of storing multiple copies immediately of the token, or in this case, the refund tx
11:35 < BlueMatt> sure, if it lasts a month you want to store the state of the channel in the wallet
11:35 < petertodd> it can be skipped initially, but for production...
11:35 < petertodd> well it's a matter of how many coins you are putting in limbo, 0.01BTC, no worries, 1BTC, that's another matter
11:48 < jgarzik> heh, yeah. I was thinking a payment channel that lasts ~24 hours. Definitely some wallet state storage, to think about.
11:48 < jgarzik> but really, I'm off-chain agnostic. The more off-chain systems out there, the better.
11:49 < jgarzik> Would be interesting to see an open source package out there replicating The Big Tor User out there.
11:50 < petertodd> well, one guy contacted me saying he's working on one in his spare time, and I'm meeting with what sounds to be a much more professional effort next week that will include some trusted hardware
11:51 < petertodd> actually, I think just implementing a merkle-sum tree package is worth it - a few companies at the conf said they were interested in that kind of transparency
11:51 < petertodd> like the bitcoin fund guys
11:53 < BlueMatt> bitcoin fund: we fund useless crap
11:53 < BlueMatt> or at least not stuff that is reasonably high priority
11:54 < petertodd> BlueMatt: which fund do you mean?
11:54 < BlueMatt> you mean the guys who offered how many thousands to split wallet and core?
11:54 < petertodd> no, I mean bitcoinfund.eu, the guys offering bitcoins as a professional investment fund
11:55 < petertodd> those guys are crazy, and I wonder if they are really legit
11:56 < BlueMatt> they do have /some/ money...no idea how much it really is, but they kinda picked a random thing and put a big bounty on it
11:56 < petertodd> heh, emphasis on some
11:56 < petertodd> might just be enough to have a nice website...
11:56 < BlueMatt> by off-chain, you do mean off-chain for a while, then sync up the difference in one txn?
11:57 < BlueMatt> oh, no I meant the crazy guys who offered money for split
11:57 < BlueMatt> A few devs have gotten donations from them
11:57 < BlueMatt> relatively sizeable ones
11:57 < petertodd> ah, ok, so they've shown they're for real
11:57 < petertodd> to some extent
11:57 < BlueMatt> if only they'd put up a big bounty on adding more test-cases
11:58 < petertodd> BlueMatt: not sure exactly what the off-chain guys who have contacted me lately really mean, I'll find out more later
11:59 < petertodd> Indeed. You've done a lot of hard work, but there is so much more to do.
11:59 < BlueMatt> what I've done hasn't even scratched the surface of the edge cases that exist, tbh
11:59 < BlueMatt> if you fail the test-cases there, you really were oblivious when implementing
11:59 < BlueMatt> at least, fail more than a few-line fix
12:04 < petertodd> Absolutely. I found lots of stuff re: nLockTime that's not tested, just to name one example.
12:04 < BlueMatt> even coverage reports of the tests show suckage...
12:05 < petertodd> Well, foundation says they're going to hire two more tech staff.
12:06 < BlueMatt> good to hear, can we make one of them full-time test engineer?
12:06 < BlueMatt> s/one/two/
12:06 < sipa> peter vessenes asked me if i wanted to work on bitcoin full-time
12:06 < sipa> but i prefer not giving up my job now
12:06 < BlueMatt> if sipa wanted to work on bitcoin full-time there are around 10 companies that would make it happen...
12:07 < sipa> he was certainly not the first to ask :)
12:09 < midnightmagic> sigh. I have an account with exchangezone too.
12:09 * midnightmagic doesn't like being on lists.
12:09 < BlueMatt> midnightmagic: known terrorist
12:11 < petertodd> sipa: heh, I know the feeling, I even had my old boss from when I was 16 at a software summer job call me up asking if I wanted to start something bitcoin related
12:11 < sipa> heh
12:11 < sipa> now, if i could work more on bitcoin without giving up my job... that'd be nice :)
12:12 < BlueMatt> sipa: spend 10 years, invent a time machine and poof
12:12 < petertodd> sipa: make it your 20% project to do off-chain tx's, and confuse all of Mike's critics...
12:12 < sipa> abstruse goose 249?
12:13 < BlueMatt> sipa: yes
12:13 < BlueMatt> petertodd: doesn't mike already do bitcoinj as 20% time?
12:13 < petertodd> BlueMatt: what I would give to tell my 18 year old self... I was so excited when I found out about hashcash
12:13 < sipa> petertodd: i'm going to try to make getting aecp256k1 optimized in openssl my 20% project
12:13 < sipa> secp256k1
12:14 < BlueMatt> you want to merge something in openssl?
12:14 < petertodd> BlueMatt: exactly, so if sipa does something geared towards decentralization said critics will be rather confused about google's intentions
12:14 < BlueMatt> heh, good luck
12:14 < petertodd> sipa: seems reasonable to me
12:14 < BlueMatt> petertodd: I'm not sure anyone reads bitcoinj development as google's intentions.....
12:15 < petertodd> BlueMatt: http://www.reddit.com/r/Bitcoin/comments/1e680k/maybe_this_is_why_google_pays_coredev_mike_hearn/
12:15 < petertodd> jdillon is a pseudo-troll of course
12:16 < BlueMatt> hah
12:16 < BlueMatt> well, people are stupid...
12:17 < petertodd> indeed, but equally I get attacked for my supposed motives too
12:18 < BlueMatt> well, ok, I stand corrected
12:18 < BlueMatt> s/anyone/anyone reasonable/
12:19 < petertodd> well, Mike and Gavin are included in those attacking me for my motives
12:19 < BlueMatt> I meant for reading google motives into mike's work
12:19 < BlueMatt> your motives aren't clear anyway...
12:20 < BlueMatt> I'll attack you for your results though
12:20 < petertodd> Indeed, they aren't clear, but by that standard neither are Mike and Gavin's, or Jeff's, or a zillion other people's. Attack results and ideas, it's just nicer that way.
12:21 < petertodd> After getting $6k worth of mostly anonymous donations, I know full well that I'll probably never know the motivations of people making stuff happen. So talk about what they make happen.
12:21 < petertodd> Actually, $7.5k including pre-video donations.
12:22 < BlueMatt> hint: no one cares about your donations
12:22 < petertodd> Good, they shouldn't.
12:22 < petertodd> But it's a great example of how knowing about the motivations behind something is often an exercise in futility.
12:23 < petertodd> *trying to know
12:23 < BlueMatt> it's not always that hard...
12:24 < petertodd> Well, if you want to play that game, then guys like jdillon can have fun attacking Mike. It's just a matter of perspective.
12:25 < BlueMatt> either I'm being clear as mud or you're ignoring what I'm saying (most likely the first, I'm distracted) but I need to get back to being distracted (read: work)
12:25 < petertodd> heh, have fun
12:25 < BlueMatt> :)
12:26 < midnightmagic> I don't understand why people engage the trolls so much. Ignoring them doesn't make them stronger.
12:29 < midnightmagic> And I don't really mean the people who come in to -dev with a chip on their shoulder about something. Half the time they just think they can do something better. I mean the real destructive elements like the press page guys, or MP.
12:35 < jgarzik> It's a tough call
12:35 < jgarzik> Trolls rope innocent people into buying their line of B.S.
12:36 < jgarzik> When I respond, it's mainly to provide an alternative viewpoint, not directly respond to the troll. But that gives the trolls gas for further trolling, so it's not a great solution.
12:40 < petertodd> Standard social theory would say that acknowledging trolls at all just gives them social status, which you really don't want to do, on the other hand people not familiar with the scene don't have any idea what the social status of anyone is, and they will read and misunderstand bad arguments.
12:40 < petertodd> So have someone else argue on your behalf.
12:42 < jgarzik> ;p
12:43 < petertodd> Similarly, why write software, when you can convince other people that the software should be written?
12:43 < BlueMatt> shell accounts?
12:43 < jgarzik> petertodd, That's what I do already :)
12:44 < petertodd> BlueMatt: Nah, that'd take up a pile of time. Better to convince a small group of your ideas and let it spread.
12:44 < jgarzik> petertodd, (1) write troll patch, (2) watch someone else come along and do it better, more completely
12:44 < jgarzik> c.f. wallet encryption
12:44 < jgarzik> the friendly term is being a catalyst
12:44 < petertodd> Lol, good job.
12:44 < BlueMatt> problem is, your troll patch had bugs that still appear in bitcoin today
12:45 < jgarzik> I declare myself blame-free :)
12:45 * BlueMatt can always fall back on the "I didn't merge it"
12:45 < petertodd> I managed to pull that off kinda with replace-by-fee, but the more complete version had O(n^2) scaling...
08:39 < sipa> and it is limiting in the sense that it requires encoding some basic form of betacoin's transfer rules in bitcoin
08:39 < gmaxwell> no no,
08:40 < adam3us> for my part i think 1-way (and more practically 2-way) pegged side-chain is the best new bitcoin idea of 2013. i hope it's possible.
08:41 < gmaxwell> sipa: the script is a proof "Betacoin says 2 btc can come back to bitcoin to scriptpubkey 1234 + a bunch of betacoin headers". I'd also come up with an idea that required the txout scriptpubkey in such a transaction could be such that it had a minimum time it could be spent from, and before that the transfer canceled with a longer chain of headers.
08:42 < gmaxwell> so then bitcoin is totally blind to betacoin's rules, except for how betacoin headers work, and how betacoin communicates moves back to bitcoin.
08:42 < gmaxwell> from the betacoin side the transfer from bitcoin could be similar or betacoin could watch the bitcoin chain, the latter is probably better.
08:43 < gmaxwell> if the whole transfer is slow and cumbersome and requires an 8 kbyte transaction it doesn't really matter, since if you have two parties you can just do an atomic coin swap.
08:44 < gmaxwell> the cross chain teleports are only needed to balance liquidity.
08:44 < gmaxwell> (so if there are more coins wanted on the betacoin chain than exist there there is a way to satisfy the demand)
08:45 < gmaxwell> also means that if you can fake out the teleport method e.g. with a huge betacoin reorg, you can make betacoin fractional reserve, but you never inflate bitcoin.
08:47 < gmaxwell> presumably this could be stronger in practice than in theory because if bitcoin miners were all betacoin miners they could generally refuse to mine suspect betacoin proofs, or themselves be prompt about providing contradiction-proofs that aborted the transfer in a soft-security fashion.
08:48 < gmaxwell> "no no, there is a competing betacoin fork as good/better than this one, abort this transfer until someone can show an even better betacoin proof"
08:49 < adam3us> sipa: the 1-way peg also could consider a longer term version of the market providing liquidity based on later settlement, eg if the network bootstraps to become credible, or if multiple sensible people and orgs make an approximate indication that they plan to switch over within 18-mo - 2yrs to a hypothetical sipa-led rewrite
08:50 < adam3us> sipa: as after the switch over the rest of the bitcoins are moved over to the new network and the liquidity providers can earn the arbitrage profit they were aiming for
08:50 < adam3us> sipa: (wrote about somewhere on the tldr 1-way peg thread)
08:51 < adam3us> (what a choice pay gbp 5 to extend free airport wifi or type a password into a *windows* machine. yup i paid)
08:51 < gmaxwell> plus imagine all the great drama we'll get in two way pegs. people creating altcoins that can two-way-peg with bitcoin (because why not make the facility completely generic so anyone can hook up a new chain to it?) just with the intention of leaving it insecure so they can steal all the coins that move over.
08:52 < gmaxwell> LHR 45 minute wifi is robbery.
08:52 < brisque> adam3us: just spoof your MAC.
08:52 < adam3us> gmaxwell: i could tumble the mac i guess, but too late
08:53 < adam3us> gmaxwell: i was thinking really should put a script to tumble the mac on network connect anyway - privacy principle. probably nsa is tracking macs somewhere in utah
08:54 < brisque> adam3us: changing your MAC doesn't stop that, you can just look for wifi cards announcing what networks they're looking for and then compare that to the google skyhook database to find their home address.
08:54 < adam3us> gmaxwell: also it's a rather nice argument against scamcoins (still need a better word to describe param-tweak/get-rich-quick from genuine innovation) and why did you start a new digital scarcity race? we were discussing that above in relation to coingen.
08:55 < adam3us> gmaxwell: and it seems likely the min-bar will just go up slightly to things like primecoin, or other artificial uninteresting or stupid changes that are just above the param-tweak and come with a semi-plausible to novice argument and white paper. (Like NXT
08:55 < brisque> adam3us: out of my own curiosity I set up a wifi dongle looking out onto the street that did something like that. incredibly effective when people walk around with phones in their pockets.
08:56 < adam3us> brisque: i think bitcoin has a problem. once a competent grey-hat gets too tempted the baseband phone p0wning will harvest $ms of coins in automated attacks. we need hardware fast.
08:57 < adam3us> someone who shall remain nameless to protect their own stupidity showed me a phone with 500btc on it ('doh!)
08:57 < adam3us> (an otherwise i guess reasonably competent CS degree programmer type of person)
08:58 < brisque> adam3us: I was more talking about privacy violations by phones announcing people's home addresses every few seconds. I'd really like to see sensible hardware too though, the Trezor looks quite nice.
08:59 < brisque> adam3us: I personally predict a piece of commodity hardware will be hacked to create a secure but cheap USB based wallet. there's quite a number of children's toys that have been turned into RF analysers and other tools.
08:59 < adam3us> brisque: not sure if 2014 will be the year, but a year RSN we will surely see baseband and targeted DSL IP# hacks from bitcoin big change identified IP# from bitcoin users who don't use tor to spend from large coins; the only hope is air-gaps IMO, or TPM (arm trustzone, intel TPM etc)
09:00 < gmaxwell> adam3us: someone with a typo squat on a popular bitcoin service domain and a java exploit for IE that I was seeing get investigated recently had stolen several hundred btcs in a few days time.
09:00 < gmaxwell> so the bar is still pretty low
09:01 < brisque> adam3us: doesn't really have to be a specifically designed hardware. anything would do. I saw photos of a children's toy that would make an excellent Trezor type device with a lot more features (full keyboard) than the real thing.
09:01 < adam3us> gmaxwell: the stupidity factor never ceases to amaze. it's scary that people are not being hacked way more.
09:01 < brisque> adam3us: there's some constraints, but the hardware doesn't have to be complex. you don't even need to have a hardware RNG on board.
09:02 < adam3us> brisque: you said about wifi network advertising networks it wants. it works that way? no waiting for announce, requesting ssid? the client broadcasts all the wifi ssid it knows??
09:03 < brisque> adam3us: a wifi client announces sequentially every wifi network it knows, every 10 seconds it ruins "hidden" SSID by sending out the name and MAC of the routers it knows.
09:03 < adam3us> sipa: so are you getting the 2-way peg bug yet? ;)
09:03 < sipa> adam3us: let's call them "silly alts", "delusional alts" and "flawed alts" :)
09:03 < brisque> adam3us: this is the children's toy I was talking about. you could certainly port a hardware wallet to this. http://d4c027c89b30561298bd-484902fe60e1615dc83faa972a248000.r12.cf3.rackcdn.com/imagepicker/4494/thumbs/IM.jpg
09:04 < adam3us> brisque: oh noes! i guess the mac-tumbler script i need to write needs to flush the ssid cache also
09:05 < adam3us> brisque: i like the QR code as optical isolation connection that "visual btc" setup
09:05 < adam3us> brisque: of course it helps if the value could be signed so the input tx history doesn't need to be sent to work around that bug
09:06 < brisque> the IM-me is missing a camera so a QR code is out of the question. the sticking point is that you can't use sound because of the must-see-every-input issue of transactions.
09:06 < brisque> a device like this with more IO (a camera mainly) would be able to replace trezor with cheap commodity hardware.
09:07 < brisque> if the must-see-every-input bug was fixed in 0.9, you could almost push a TX via sound, it's just too heavy as it stands.
09:07 < adam3us> sipa: i guess someone could do a zoo-ology catalog of them. the variety of stupidity and greed involved is hilarious. some of them even bootstrapped to semi-respectability by first-mover advantage. i think one test maybe zero real-transactions (non speculator), lack of clients, lack of any development, lack of any plan to obtain real-tx
09:09 < gmaxwell> people would never believe the zooology wasn't all made up
09:09 < adam3us> brisque: as i recall gmaxwell guestimated 2 years to fix the sig malleability bug; not sure what the guestimate would be on the no signed values bug. depressing. hence enthusiasm for 2-way peg. in the old thread on 2-way peg gmaxwell said (in relation to my question if this itself could get implemented given the other bugs) was that yes but this (2-way peg) is the one change to rule them all
09:10 < adam3us> gmaxwell: crypto-zoology :)
09:10 < gmaxwell> adam3us: also why bother with baseband hacks and zero days, when you can just ask people to give you their money: https://bitcointalk.org/index.php?topic=393593.msg4274997#msg4274997
09:11 < gmaxwell> adam3us: yea, a two way pegging facility is fully general. I mean it's a way you could completely replace the protocol in a totally consensual way, start up mergemined two-way-peg and move all the funds to the new chain over time.
09:11 < brisque> adam3us: if dogecoin can do a hard fork in 10 days, I'm sure gmaxwell can come up with some crypto-magic to get bitcoin's done in 20.
09:12 < gmaxwell> having a hard fork is not a problem, avoiding one is.
09:12 < gmaxwell> suggested two way peg stuff doesn't actually need a hardfork, might not even be any easier with one.. it's just new scriptpubkey features, at least if it stays at the quasi spv security level.
23:00 < amiller> it costs $100 to defend against a $100 attacker
23:00 < amiller> okay but how about we just spend $10 but then if a $100 attacker attacks, we'll just be safe anyway
23:01 < petertodd> gmaxwell: yeah, which is interesting, because if the community knows there are defenses, that itself helps keep the faith in the system high
23:01 < petertodd> amiller: No, the defense doesn't have to be cheap, it has to have a short leadtime.
23:01 < petertodd> amiller: If it was $100 for every $10 the attacker spent, it'd probably be ok too, but it has to be possible to respond quickly.
23:01 < amiller> i don't think it counts if you do it retroactively
23:01 < amiller> but hm.
23:02 < amiller> so you build a huge force field but you leave it unpowered
23:02 < amiller> if you detect a missile you raise the shields
23:02 < gmaxwell> amiller: petertodd is arguing that if you can defend instantly, you could put up to 100% of the money the attack would cost you into the defense.
23:02 < petertodd> amiller: Ha, yes kinda! The huge force-field is the huge number of coins sitting around in people's wallets basically.
23:02 < gmaxwell> amiller: and if everyone does that the attacker can basically never win if their winning is defined as a gain within the system.
23:02 < amiller> the coins aren't real value though
23:02 < amiller> if everyone spends them all then you still have the same value
23:02 < amiller> nothing was spent
23:02 < gmaxwell> amiller: not everyone, the people getting ripped off.
23:02 < amiller> the suckers who decided to defend?
23:03 < petertodd> gmaxwell: yeah, part of my argument is also that you need the attackers to know this, and not really want to try
23:03 < petertodd> amiller: They're not suckers; they're people with transactions that would otherwise be reversed.
23:03 < gmaxwell> amiller: you pay me 5 btc. then reorg that transaction out. I say fuck you and convert that 5 BTC into POW on the old chain.
23:03 < amiller> that's a weird argument though
23:03 < amiller> you can't burn money you can't only give it to everyone else
23:03 < amiller> you can only*
23:04 < petertodd> amiller: Right, but by burning it, you're giving it to the people you actually want to: the other pre-existing participants in the system.
23:04 < gmaxwell> if miners were not hardware, what peter todd suggests could just work via fees.
23:04 < gmaxwell> pre-existing participants in the chain you want to survive.
23:04 < petertodd> gmaxwell: Yes, if we had replicators we'd implement my scheme in hardware. :)
23:05 < gmaxwell> yea, if the miners were free but only took power when used, then it would work. You'd just have huge latent hashpower that turns on when there is an attack.
23:06 < amiller> that sounds good
23:06 < petertodd> Exactly! And we can even learn how the dynamics of this stuff work with proof-of-sacrifice blockchains, like the zookeyv system I proposed a few months ago.
23:06 < gmaxwell> petertodd: here is your POS: nodes pick the most profitable to mine chain.
23:06 < petertodd> gmaxwell: my POS?
23:06 < gmaxwell> you can convert coins to proof by just making the chain you like more profitable.
23:07 < amiller> so pos is exactly bribing the miners anyway :o
23:07 < gmaxwell> amiller: there is a subtle difference!!!
23:07 < petertodd> amiller: which would work, expect that miners have fixed capacity
23:07 < petertodd> amiller: *except
23:07 < gmaxwell> amiller: say 60% hashpower is evil and stays on the less profitable chain. The network still ignores them.
23:07 < gmaxwell> Because "fuck you, our consensus is the most profitable chain"
23:08 < petertodd> gmaxwell: well remember that "profitable" can also mean "my business is profitable because my transaction went through and I got paid"
23:08 < amiller> so no one picks the longest proof of work they only pick the most profitable chain?
23:08 < gmaxwell> petertodd: and you can convert one to the other by spending to fees.
23:08 < petertodd> gmaxwell: we can have this entire discussion if there is no block subsidy
23:08 < petertodd> gmaxwell: yup
23:08 < gmaxwell> amiller: longest POW would, I guess be the tiebreaker for differences in short term profitability? I haven't fully thought this out.
23:09 < petertodd> and in the zookeyv system, the consensus key-value thing, profitable is soley "my DNS records are what I want them to be"
23:09 < amiller> maybe longest pow is nothing but an expensive focal point?
23:09 < petertodd> *solely
23:09 < gmaxwell> amiller: "profitable" includes the notion that it's likely to be the winner. So you can use other symmetry breakers like most pow work as part of your profitable figure.
23:10 < gmaxwell> The devil is how they balance.
23:10 < amiller> symmetry breakers is silly to make expensive though
23:10 < amiller> if that's the only explanation for the role of pow then that's not compelling
23:10 < warren> <petertodd> [15:08:17] maaku: With MMR TXO commitments we can stop hassling every idiot who bloats the UTXO set, and for that matter, they aren't idiots anymore...
23:10 < warren> petertodd: so does this mean you give up on keepbitcoinfree?
23:10 < petertodd> gmaxwell: yeah, in zookeyv if it's implemented as a strict DAG there can be the problem that there's no incentive to build on anything but your own records
23:11 < petertodd> warren: keepbitcoinfree isn't just about UTXO's
23:11 < gmaxwell> none of the MMR stuff solves bandwidth.
23:11 < petertodd> warren: Though in general I suspect you *can* create consensus systems that allow for arbitrary numbers of transactions, but they look radically different than bitcoin.
23:11 < amiller> bandwidth is payer's problem though
23:12 < amiller> spend your utxo sooner so it costs less
23:12 < petertodd> amiller: bandwidth can prevent you from detecting fraud...
23:12 < amiller> oh you're assuming probabilistic validation or something?
23:12 < petertodd> amiller: yes, there's just no other way than sharding, and that's got ugly issues - I'm sure I can come up with a proof that any such system always suffers from the risk of data deletion
23:13 < petertodd> amiller: and the only way to prevent that is force mining - whatever form it takes - to require some kind of proof-of-stake-ish consensus to make sure that if the txout owners chose to they would be able to keep up with updates to their little shard of the txout set
23:14 < petertodd> s/force/for/
23:15 < maaku> ?
23:15 < maaku> are you assuming scaling beyond the limit of a single pipe being able to carry block updates?
23:15 < petertodd> maaku: yes
23:15 < petertodd> maaku: beyond any individual internet connection in the world in fact
23:16 < amiller> grubmel, i can't figure out what it is you can achieve by actually *burning* value *for everyone* instead of just disbursing it at random to everyone else in the system
23:16 < petertodd> amiller: destroying a coin == disbursing it to everyone else
23:16 < petertodd> amiller: so why not make things simple?
23:16 < maaku> is that even worth considering?
23:16 < amiller> yes and pow = burning it for everyone
23:17 < amiller> they're different and the difference may be important
23:17 < petertodd> amiller: point is we need an artificial form of proof-of-work, and that's the best we can get that operates in limited-bandwidth jam-free networks
23:17 < amiller> no it's not artificial
23:17 < amiller> it's fake
23:17 < amiller> disbursing to everyone != actually destroying something
23:17 < maaku> 1Gbps is what, 600k tps?
23:18 < petertodd> amiller: who cares what exactly it is? what's important is that it gives us a way of coming to consensus about what is the best chain
23:18 < amiller> that's not it
23:18 < amiller> they both give you a way of coming to consensus if everyone or enough people follow the protocol exactly
23:18 < amiller> what it doesn't explain is how the difference affects the incentives to come to consensus rather than doing something else
23:19 < amiller> you can forgive a proof of stake
23:19 < petertodd> maaku: an ideal system should be able to operate with individual nodes having nothing more than a tin can and string, so let's see how close we can get to that
23:19 < amiller> if everyone decides to you could just distribute the money right back to the person who staked it in there
23:19 < amiller> and there would be no system loss, no friction
23:19 < amiller> you can't forgive the burning of energy
23:20 < maaku> i'm as wary as the next guy to saying '640k is enough for anybody', but really i don't know a single application that would require *public* consensus over that many transactions
23:20 < petertodd> amiller: look, it's really simple: I want a way of saying "this chain is the best chain" without having access to mining power
23:20 < petertodd> amiller: That's it!
23:20 < amiller> but you want it in a rational system with anonymous players!
23:20 < amiller> or else i suggest just having one guy with a private key that signs it
23:21 < maaku> ok, maybe i'm missing something again, but how do you have full validation (which miners have to do), without access to the blocks?
23:21 < petertodd> amiller: yes, which makes it hard, and the best I can think of is being able to create a little bit of data that says "if this chain is the best chain, I'm happy to give up 1 million FOO TOKENS from the foo-system ledger"
23:21 < amiller> petertodd, if you're a dictator you can just raise everyone's taxes by 1 foo each
23:21 < amiller> and recoup your costs
23:21 < amiller> and actually no one hurt
23:22 < amiller> you can convince them all it was good for them to give you that power
23:22 < petertodd> amiller: Now you add up all the other little bits of data saying similar things, and you say "well, block 12345 has a lot of people willing to give up foo tokens if it's the best, so it's the best!"
23:22 < petertodd> amiller: huh?
02:39 < gmaxwell> But the site learns nothing about which bitcoin were yours... or nothing about identities you use on other sites.
02:40 < gmaxwell> and if the proof takes a cpu hour to compute, well that actually doesn't reduce the usefulness all that much.
03:01 < BlueMatt> can I ask a dumb question?...what's a sin in this context?
03:02 < maaku> google identity protocol
03:02 < maaku> oh gribble's not here
03:03 < BlueMatt> ahh, ok
03:03 < BlueMatt> my google-fu was looking in the wrong places
03:03 < maaku> https://en.bitcoin.it/wiki/Identity_protocol_v1
03:03 < maaku> yeah
03:04 * maaku is still waiting for someone to come up with a v2 protocol so we can have a lively debate about the merits of original SIN
03:06 < BlueMatt> has anyone even started implementing identity protocol?
03:09 < BlueMatt> ahh, yes, there is
03:11 < BlueMatt> heh, ofc jgarzik wrote it in node.js...
03:33 * gmaxwell groans at maaku's pun
03:38 < BlueMatt> hey, it's better than HD wallets
03:39 < gmaxwell> I continue to think HD wallets is a perfectly good name.
03:39 < BlueMatt> I continue to disagree (though considering how often I'm mia, that's rarely useful)
03:40 < gmaxwell> ;;ticker
03:40 < gribble> MtGox BTCUSD ticker | Best bid: 500.5, Best ask: 500.97, Bid-ask spread: 0.47000, Last trade: 500.97, 24 hour volume: 48505.69491744, 24 hour low: 500.5, 24 hour high: 774.9899, 24 hour vwap: 628.33712
03:40 < gmaxwell> oops wrong window. :P
03:40 < BlueMatt> well, thanks for reminding me to buy cheap coins :)
09:21 < jgarzik> maaku, gmaxwell: pun already made: http://garzikrants.blogspot.com/2013/08/original-sin.html
10:56 * Luke-Jr ponders how to respond to altoz this time.
11:12 < andytoshi> i think he's just going to keep claiming not to be able to read what you're saying
11:13 < andytoshi> if you PM him, idk if he'll receive the message if you're on his blacklist
11:34 < gmaxwell> Luke-Jr: I advise just dropping it.
12:12 < gmaxwell> Luke-Jr: I cracked his cryptosystem
12:12 < Luke-Jr> lol
12:12 < andytoshi> wow, nice
12:22 < gmaxwell> This is what I sent him:
12:23 < gmaxwell> Incidentally, I can compromise your cryptosystem for a single message with 2^64 known-ciphertext queries to a decryption oracle. E.g. you run a server that decrypts messages and returns the results and I obtain the ciphertext of a message someone else created (which the oracle refuses to decrypt for me, otherwise this would be trivial), and after making ~2^64 queries to your decryption oracle I can decrypt the unknown message.
12:23 < gmaxwell> This isn't the most grievous of weaknesses, but it's somewhat surprising, and I could imagine someone using this in a way which made it actually exploitable for something.
12:23 < gmaxwell> I'm being a bit oracular because I thought you might enjoy figuring out what I'm thinking.
12:24 < gmaxwell> (I was hoping it would be 2^32 queries then it would be reasonable to put up demonstration code)
12:24 < gmaxwell> (alas)
12:25 < andytoshi> brute-forcing the keyspace would be 2^256?
12:27 < andytoshi> ah, no, he is using aes-128
12:28 * gmaxwell refrains from giving hints.
12:29 < Emcy> i'm just wondering what oracular means
12:29 < Emcy> guess synonym verbose
12:29 < andytoshi> Emcy: i think, you have to submit questions to gmaxwell, and he will decide whether to answer them
12:31 < andytoshi> or rather, altoz does
12:31 < gmaxwell> Emcy: Where I say that I'm being oracular, I'm referring to the point that oracles of the classic sort answer questions in riddles.
12:32 < Emcy> "In Classical Antiquity, an oracle was a person or agency considered to interface wise counsel or prophetic predictions or precognition of the future, inspired by the gods."
12:32 < Emcy> hmm that's my werd lernin for today
12:33 < Emcy> how did you get to know so much about crypto? Do you have any formal math background?
12:33 < gmaxwell> In my attack description I'm using the word oracle in the sense used in cryptographic lit. ... an oracle is some black box that performs some function. E.g. a remote server that signs messages for you or decrypts things for you would be an example of an oracle.
12:35 < gmaxwell> well I majored in math before I dropped out of college... but no, I was just one of those annoying kids who read most of the books in the library and remembered a few of them.
12:36 < Emcy> hmm ok pretty cool
12:36 < Emcy> it's one thing to learn the maths, it's another to break someone else's maths
12:37 < Emcy> i had a tutor once who impressed upon me the difference between learning by rote and the power of original thought
12:37 < Emcy> he said the former end up tutoring in college and the latter end up tenured in university
12:37 < gmaxwell> I think a lot of people are short changed by education which focuses on learning by rote.
12:38 < gmaxwell> haha
12:39 < gmaxwell> The annoying thing about breaking cryptosystems is that even when you find a neat flat it usually only gets you 99% of the way there, but you can't expand it to a full compromise because of some accidental detail which isn't _just right_ for the attack to work. In this case I think it would actually work (I guess I could go weaken it further to be completely sure).
12:40 < gmaxwell> s/flat/flaw/
12:40 < Emcy> is 2^64 queries to some server actually viable though
12:41 < gmaxwell> Yes it is, though not enough to demonstrate easily.
12:41 < gmaxwell> Or at least close enough to viable that it's a surprising weakness.
12:41 < gmaxwell> Emcy: e.g. what if the "server" is a bitcoin trezor like device in your possession?
12:42 < Emcy> cry
12:42 < gmaxwell> But I mean that often weaknesses are such that even allowing for "unreasonable" freedoms like 2^64 queries to a blackbox decryptor you still can't break it.
12:42 < Emcy> at least 2^64 packets over the actual internet though. Seems like a faff. Suppose you could be in no rush though
12:43 < gmaxwell> (It's hard to say if that's unreasonable or not, depends on the applications. That's the bummer about generic constructs)
12:44 < gmaxwell> Emcy: yea, before I looked at the code again I thought it would be 2^32, in which case it would have been trivial even over the internet.
12:44 < Emcy> still i think 2^64 or 64 bits or whatever is not something you want to see in any cryptosystem any more afaik
12:44 < gmaxwell> right.
12:45 < Emcy> 2^32 is only like 4 billion right
12:45 < gmaxwell> Right.
12:46 < gmaxwell> If there is also a simple software bug I can reduce it to one query.
12:46 < andytoshi> Emcy: things like decryption-oracle attacks are fairly standard in cryptography and there is a lot written about them
12:46 < andytoshi> like "Random Oracles are Practical" by Bellare and Rogaway is a paper the wizards pointed me to
12:46 < Emcy> would that be how the wifi hacks work
12:46 < gmaxwell> But I suppose that for some definition of "bug" that's always the case, e.g. bug: gives up the private key.
12:47 < andytoshi> wifi attacks i think showed up on matthew green's blog..
12:47 < Emcy> you packet inject until you get enough back to recover the key
12:47 < Emcy> the router is the oracle?
12:48 < andytoshi> ah, yes
12:48 < andytoshi> http://blog.cryptographyengineering.com/2011/09/when-things-fall-apart-part-1.html
12:48 < gmaxwell> Emcy: yea, well, the wifi attacks are very specialized... WEP uses RC4 which is a stream cipher, you put in a key, it puts out an infinite stream of 'random' bits. These bits get xored with the packets.
12:49 < gmaxwell> If RC4 were perfect, you wouldn't be able to learn anything useful about the key just by knowing some of those random bits.
12:49 < gmaxwell> RC4 is far, far from perfect.
12:50 < gmaxwell> If you know some data in a packet, you can take an encrypted packet, xor it with the data you know, and you'll learn the output of RC4 in those known positions.
12:50 < gmaxwell> So the WEP attacks usually work by replaying an encrypted arp request (which you recognize by the size). The router acts as an oracle producing a stream of ARP replies which are encrypted.
12:51 < gmaxwell> But you know some bits of the arp replies because they're fixed in the packet syntax.
12:51 < Emcy> ha i was right
12:51 < gmaxwell> and some because they copy data from the arp request.
12:52 < gmaxwell> So you gather a bunch of rc4 output with different initialization vectors (incremented in every packet), and you can set up a system of equations that derives the key.
12:53 < gmaxwell> Nothing _quite_ so fancy is needed for this encrypted message thing.
12:54 < Emcy> what you described doesn't seem so fancy to me
12:54 < Emcy> just seems like pattern matching
12:55 < Emcy> you just need enough pattern
12:55 < gmaxwell> sure, the gist of it is simple, the math somewhat less so.
12:55 < Emcy> sure
12:56 < gmaxwell> I find that nothing accomplished by men is actually all that complicated once put into the right terms. Otherwise we couldn't accomplish it.
12:56 < Emcy> do we have any systems that are too complex for a single mind to grasp alone?
12:56 < Emcy> layout of a modern CPU perhaps
12:58 < gmaxwell> sure, but you break them down.
12:58 < gmaxwell> And all the parts are sensible in isolation, and the overall design ignoring the details
12:58 < gmaxwell> It's actually quite reasonable to build software systems which are vastly beyond the ability of one person to comprehend at least all at once.
12:59 < Emcy> yes, but things get interesting when something goes wrong due to an emergent property of how the parts interact. And no one can figure it out because no human has the cubic centimetres of brain required......
13:00 < Emcy> i wonder if humans have a system like that anywhere
13:00 < Emcy> the OPERA neutrino thing maybe? that stumped em
18:54 < amiller> np
--- Log closed Sun Sep 22 00:00:05 2013
--- Log opened Sun Sep 22 00:00:05 2013
00:08 < warren> darn, wouldn't have the gitian linux -> mac cross compile goal have been a worthy grant proposal?
00:09 < warren> too late now
01:47 < amiller> i'm going to call my new abstraction of the hashcash puzzle, "Scratch-Off Puzzles"
01:47 < amiller> since proof-of-work isn't quite the right definition after all
01:48 < amiller> also i'm going to write a series of papers called "Money from Scratch," "Decentralized Storage from Scratch," etc.
01:49 < gmaxwell> I might have complained about "Scratch-Off Puzzles", but those justify it
01:49 < amiller> it's a solid three-way pun
01:49 < gmaxwell> "Scratch-Off Puzzles" sort of suggests that there is a dealer.
01:49 < amiller> especially the bootstrapping problem implied by "Money from Scratch" is the best
01:49 < amiller> yeah.
01:49 < gmaxwell> (I suppose the network actually is a dealer, but it has no secret)
01:49 < amiller> is it the "puzzle" that suggests that?
01:50 < amiller> scratch-off challenge is almost better
01:50 < gmaxwell> The finiteness of the scratch-off contributes too, but it's actually correct... it's actually finite due to the network acting as a dealer.
01:51 < amiller> it might not be a "puzzle" if it's not guaranteed to have a solution
01:52 < amiller> riddle, etc., has the same connotation
01:53 < gmaxwell> it's not hard to describe a construction where a solution is guaranteed, I think. e.g. a keyed permutation, network state is one input, you search for a key. Pigeonhole principle says there is always a solution.
01:55 < amiller> it doesn't seem like that's important in any case, i mean it's low enough probability it would happen with sha2 right
01:56 < gmaxwell> right. (in fact, because of how we're set up where we have >256 bits of input I wouldn't be surprised if it were actually impossible to have no solution, though we can't prove that)
01:57 < amiller> even if it's a random oracle it's possible to have no solution
01:57 < gmaxwell> just pointing out, you can actually create a suitable structure where you _can_ prove that... if you care.
01:57 < amiller> because bitcoin doesn't use the full infinite domain of the hash function, it has a bounded size header
01:59 < gmaxwell> It could turn out that sha256^2 has no output with >74 leading zero bits, even with infinite length inputs.
02:00 < amiller> yes but if it were a random oracle, that would happen with probability zero
02:01 < amiller> it could happen with nonzero probability to "sponges", since those have bounded internal state
02:01 < amiller> i think sha2 is closer to a sponge
02:03 < gmaxwell> (dunno if you noticed, but we now have a hash with 73 leading zeros)
02:08 < gmaxwell> I'm wondering if it would trick anyone if I wrote an obfuscated paper describing some fictitious attack on SHA256 that produced some of bitcoin's very low value outputs. esp since the input will look random.
02:09 < gmaxwell> I wonder if you could use bitcoin's biproduct to break some protocols which are secure under random oracle.
02:09 < gmaxwell> er byproduct.
02:09 < amiller> that's a cool observation.
02:09 < amiller> no one cares about the zeros
02:10 < amiller> but it's definitely non-random, it's a pickable (not just recognizable) pattern, like 123456789
02:11 < gmaxwell> well, it just means you can get lots of sha256 inputs that give you a common prefix. E.g. a DHT that stored things by content hash uniformly distributed to nodes with <2^32 nodes would be totally devastated by a feed of bitcoin shares.
02:11 < amiller> yeah, perfect
02:12 < gmaxwell> amiller: because bitcoin is sha256^2 the inputs to sha256 that produce the low values are quite non-obvious.
02:13 < gmaxwell> (I previously verified that our shares wouldn't break freenet, they add extra data to the hash)
02:13 < gmaxwell> Otherwise we would and a trivially modified bitcoin fpga farm could break freenet pretty good. :(
02:14 < amiller> did you write anything about that
02:14 < amiller> er, mention it anywhere
02:15 < gmaxwell> (nodes will move their locations to split up the hash space better but it's insanely unlikely that two locations will ever become close enough to split hashes sharing a 32 bit common prefix)
02:15 < gmaxwell> I went and asked the freenet developers what was in their hash, but that's it.
02:16 < gmaxwell> (freenet locations are randomly generated, and then the network swaps them to optimize so if the keys are non-uniform
02:16 < gmaxwell> I expect lots of DHTs are vulnerable to something like this, but since they're generally made of fail I don't know that it matters.
02:17 < gmaxwell> I'm sure the serious cryptographers would go "see, random oracle assumptions suck"; But this attack works with a real random oracle too.
02:18 < amiller> it's really fun trying to define the reward-claiming part of the puzzle
02:18 < amiller> because the proof-of-work puzzles and client-puzzles don't
02:18 < amiller> the fun part is that since i want to include the stealable puzzle stuff, i'm being careful not to say you have to choose the message before starting
02:18 < amiller> so it's something like non-malleability
02:19 < amiller> given just the scratch-off-proofs generated by arbitrarily many other parties, who dedicate it to messages m1, m2, m3, .... , however many, that doesn't give you any help in producing a scratch-off-proof dedicated to some other message m
05:36 < warren> jgarzik: https://github.com/bitcoin/bitcoin/issues/2770#issuecomment-24756647
05:37 < warren> jgarzik: you said you had people that could reproduce the macos corruption? severely delayed but here's a build to test. GPG signed.
05:38 < warren> jgarzik: we have a machine dedicated to doing our builds, set up we *think* in exactly the same way gavinandresen does it, we aren't certain.
16:14 < warren> jgarzik: saw the above?
16:15 < jgarzik> warren, da
--- Log closed Sun Sep 22 22:19:31 2013
--- Log opened Mon Sep 23 01:10:29 2013
--- Log closed Tue Sep 24 00:00:09 2013
--- Log opened Tue Sep 24 00:00:09 2013
07:29 < warren> I'm not sure how to respond to https://github.com/bitcoin/bitcoin/pull/3008
07:32 < warren> truthful response? "I think you're backwards in reasoning on every part of your explanation. Your existing spam solution is terrible and entirely insufficient, and dropping the 0.01 size limit will make spam worse. And the part about a zero fee 26KB tx... is impossible."
07:34 < warren> also "This 10KB -> 1KB change will mean how many extra wasted bytes in the permanent blockchain for dust combiners? Previously they could combine 67 inputs in one output. This kind of user DOES care about fees and is willing to wait many blocks for their 10KB tx to sneak in."
10:27 < petertodd> warren: the 0.01 thing makes it not much more expensive to put data in the UTXO set, think about it
10:27 < petertodd> warren: also, do the math for how many extra wasted bytes that actually is, it's not much...
10:53 < gmaxwell> warren: I don't think the 0.01 thing matters pretty much at all, after looking at the txn.
10:54 < gmaxwell> people will pay their 0.0001 BTC fee, and then make a minimum size output. No one is going to make a 0.01 output to avoid the fee and then use it on an unspendable output, as that would cost more.
10:55 < gmaxwell> 0.01 = >$1 now, ... the new anti-dust rules are more comparable to the original 0.01 intent.
11:53 < adam3us> is there a proposed method to work around mutability of ECDSA signatures for the purposes of making dependent transactions (that depend on one or more of the outputs of a previous transaction)?
11:54 < adam3us> eg broadcast the dependent transaction twice once with each mutation txid=H(msg,r,s) and txid'=H(msg,r,-s)?
11:55 < adam3us> and can you on an output with zero value?
11:57 < gmaxwell> adam3us: There are more mutabilities than that one sadly.
11:58 < gmaxwell> We're slowly fixing them. E.g. bitcoin(d/-qt) git will now only produce the smaller possible S value. We'll also no longer relay various forms of garbage DER encoding that openssl still accepted.
12:42 < adam3us> that may be a slightly fragile approach - if they're notionally all fixed, and people start relying on that for big transactions/high value contracts, and just one more DER openssl bug is found boom
12:43 < adam3us> what about as a one fix instead saying validation must be done (any sigs valid etc) but the txid = H( msg, pub-key ) instead of H( msg, sig )
12:43 < gmaxwell> adam3us: our proposal to fix it is rigid parsing so openssl is irrelevant.
12:43 < adam3us> as msg includes locktime, sequence, and inputs
12:44 < adam3us> ok
12:44 < gmaxwell> adam3us: getting the sig out of the txid could help but that would be a very deep hardforking change, .. and it's actually tricky to make secure. E.g. what happens when you first get one with a bad signature?
12:44 < adam3us> reducing use of openssl to bare crypto is probably for the best, its defect rate is not fantastic
12:46 < adam3us> i guess my robustness comment is you then have a new security assumption - that there is no signature or encoding mutability remaining
12:46 < adam3us> (well that assumption is already there except the mutability bugs are deterring reliance on such scripts for now)
12:46 < gmaxwell> adam3us: right, we're still a long way from that in any case.. right now we're just slowly moving towards it.
12:47 < gmaxwell> but I agree that before you can take it for granted you really need to do a lot of final review.
12:48 < midnightmagic> jgarzik: Can you tell your employer that it would be really helpful if a user could request more than one payment address for a single transaction? :-)
12:49 < midnightmagic> :-(
16:22 < petertodd> gmaxwell: nope, well, not yet anyway :) figuring out how to do that is my next goal... but I suspect that always runs into issues of censorship, where someone manages to get the only copies of some part of the txo set and prevents people from spending their coins
16:22 < gmaxwell> petertodd: well the whole problem with this set of issues is that you can't have an "autonomous cold wallet"
16:22 < petertodd> gmaxwell: I think you need a proof-of-stake scheme for that; force miners to prove they have the consent of some majority (floating) of the people holding txouts
16:23 < gmaxwell> keeping your own data sounds great, except you require the person keeping it to be eternally vigilant.
16:23 < petertodd> gmaxwell: yup, I think that's unsolvable unfortunately
16:23 < gmaxwell> well, it's not, but I don't like the solutions.
16:24 < petertodd> what do you think solutions to that might be?
16:24 < gmaxwell> You need a one way accumulator that doesn't grow, so you can tick off spent coins.
16:25 < petertodd> Point is accumulators always either grow, or the proofs that your coin is in the accumulators require updating.
16:26 < gmaxwell> petertodd: sure, but what if the accumulator only tracks spent coins? Of course something that doesn't grow at all can't be collision free...
16:27 < gmaxwell> e.g. MMR to prove your coin existed, and then some kind of cryptographic accumulator to check that it hasn't been spent.
16:27 < petertodd> gmaxwell: Right, now you can get down to 1 bit per txout for a spent coin accumulator, but you're not going to get lower than that... and if you do the numbers on an accumulator with acceptably low risk of collision it needs to be huge.
16:29 < petertodd> *probabilistic accumulator
16:30 < gmaxwell> so an interesting thing is that the bitstring can never have a weight greater than 21e14. I wonder if that helps.
16:30 < petertodd> ?
16:31 < gmaxwell> you can never have more than 21e14 unspent coins.
16:31 < petertodd> what do you mean by "the bitstring" though?
16:32 < gmaxwell> the spentness data.
16:33 < gmaxwell> I guess it doesn't really help, even though the number of 1s is limited the potential storage is still infinite.
16:33 < petertodd> oh, you mean by how many satoshis can be in circulation?
16:33 < gmaxwell> right.
16:33 < petertodd> yeah, those satoshis can be respent over and over again
16:33 < gmaxwell> sure but if they are they take away a 1 and move it elsewhere.
16:34 < gmaxwell> I was thinking about how an efficient representation of the bit array is minimum size for all spent and for none spent, and largest when p=.5
16:34 < K1773R> petertodd: hehe, i tested that script (download not uploading to chain) and it worked slowly
16:35 < petertodd> gmaxwell: Ah right.
16:36 < petertodd> K1773R: which script?
16:38 < petertodd> gmaxwell: It's interesting how you could think in terms of capping the whole UTXO set such that every human being could hold some bitcoins - a gigabyte of bits if represented properly
16:39 < petertodd> Represent it such that the actual UTXO scriptPubKey has to be provided along with an appropriate proof.
16:39 < sipa> you probably want some per-human granularity above "something/nothing"
16:40 < petertodd> sipa: The value of the UTXO would be part of the proof you are asked to provide to spend it.
16:41 < sipa> ah
16:44 < petertodd> sipa: anyway, the other part of that observation, is how the UTXO set could also be nothing more than H(outpoint) truncated to, say, 160bits, giving you 160 gigabytes - also reasonable.
16:44 < petertodd> Again, make transactions provide the outpoints they're spending.
16:47 < petertodd> (note how close this proposal is to P2SH)
17:08 < K1773R> petertodd: https://github.com/runn1ng/namecoin-files
17:19 < HM2> lol
18:00 < amiller> i have been thinking about a weird idea
18:00 < amiller> i am not sure whether it's possible to even state this clearly
18:00 < amiller> one of the main points of this one bitcoin economics paper is that following the stated rules is only a "focal point"
18:01 < amiller> http://www.weis2013.econinfosec.org/papers/KrollDaveyFeltenWEIS2013.pdf
18:01 < amiller> it would conceptually be easy to perturb various rules and if everyone switches all at once, then there's no obstacle to doing so
18:01 < amiller> like a hardfork change requires nothing more than a hardfork
18:01 < amiller> could there be a way to bake in the rules so that it would be hard to perturb them without breaking the whole thing?
18:02 < amiller> there's something like a lower bound, which is that everyone could just stop working on bitcoin and switch to some other protocol all at once
18:02 < amiller> but then the transaction history would all be different and such
18:02 < amiller> there's no way to prevent everyone leaving bitcoin and participating in some other protocol instead
18:02 < amiller> but a hardfork change is different because it builds on the previous history
18:02 < gmaxwell> arguably that's the most ethical way to change the rules, but evaporation is a risk.
18:03 < amiller> so something like error correcting code
18:03 < amiller> where the validation code is built into the history somehow
18:03 < amiller> i mean you could embed the source code to the validation rules in the history
18:03 < amiller> like a commitment to it
18:03 < gmaxwell> E.g. people would be forced to change only by economic realities and network effect, but not by the software.
18:03 < amiller> but it's not binding
18:03 < amiller> maybe there's a way to build the validation code commitments
18:03 < gmaxwell> amiller: well you could make it binding. and use a majority vote. But voting for rules is not actually just.
18:04 < amiller> into everyone's public keys
18:04 < gmaxwell> Democracy isn't a virtue, it's a compromise.
18:04 < amiller> so that if you perturbed the validation rules at all
18:04 < amiller> you would get no security whatsoever
18:04 < amiller> so it's like every slightly changed ruleset using the same transaction history would be trivial/broken
18:04 < amiller> then the only way to proceed would be to commit transactions satisfying the correct rules
19:42 < gmaxwell> petertodd: you going to try to do a windows binary for dust-b-gone or should I try to nag someone else to do it?
19:42 < petertodd> gmaxwell: nag someone else - I don't have a copy of windows to do it on
19:45 < gmaxwell> petertodd: nor do I. :) OK.
19:47 < petertodd> gmaxwell: fwiw there hasn't exactly been many people using it...
19:48 < gmaxwell> petertodd: yea, I know, but no drool and clickly way to run it is one barrier.
19:49 < gmaxwell> I saw someone trying who was hung up on some python dependencies.. I think the windows exe magic stuff fixes that too.
19:49 < petertodd> gmaxwell: yeah, I think I helped that guy
--- Log closed Wed Oct 16 00:00:13 2013
--- Log opened Wed Oct 16 00:00:13 2013
04:42 < warren> http://mastercoin-explorer.com/ <--- Mastercoin actually exists?
04:42 * warren hasn't been paying attention
04:44 < warren> huh. this thing is just another litecoin-0.6.3 clone
04:48 < warren> oh wait, there's actually two coins called mastercoin
04:51 < gmaxwell> lol
04:59 < sipa> are there any english dictionary words $W for which {$W}coin doesn't exist?
05:33 < wumpus> lol
05:33 < wumpus> starting to doubt it
05:33 < wumpus> almost looks like someone implemented my random altcoin generator idea
05:34 < warren> Does it get listing on an exchange on the first day, upload to github, post to bitcointalk, etc?
05:34 < warren> =)
05:36 < wumpus> it doesn't get listing on an exchange (that'd need help from one of the exchanges), but generating a name, generating a ruleset, uploading to github, posting to bitcointalk, sure :-)
05:36 < warren> steal a random picture from google images for the logo
05:37 < warren> automate more steps and more people will do it!
05:37 < wumpus> yeah or just generate a random color for the bitcoin logo and put a different letter in it
05:37 < warren> hah
05:41 < sipa> you should make it a game
05:41 < sipa> you can tweak only N parameters
05:41 < sipa> but if your altcoin takes off, you level up
05:41 < sipa> and you get to change more things in your next coin
05:42 < warren> sipa: game administrator might have to be centralized ...
05:42 < sipa> is that a problem?
05:42 < sipa> checkpoint broadcasts are ok as well, no?
05:43 < warren> seems anything is OK there.
05:51 < wumpus> good idea, 'coin tycoon'
05:52 < sipa> tycoin!
05:52 < wumpus> :D
05:52 < gmaxwell> thaicoin?
05:53 < gmaxwell> what currency symbol could it use?
05:53 < gmaxwell> I know, the Thai baht symbol!
05:53 < gmaxwell> (if it's not already taken)
06:08 < gmaxwell> sipa: http://bitcoin.sipa.be/speed-lin-2k.png you're off the scale again
06:08 < warren> Bitcoin is THAT awesome. Off the scale.
06:14 < gmaxwell> warren: you ever offload that bfl you bought onto someone else? :P
06:14 < sipa> gmaxwell: my bitcoind is down it seems :(
06:14 < warren> gmaxwell: yeah, and I feel guilty about it now.
06:15 < warren> gmaxwell: I'm considering just giving his money back and eating the loss even though contractually I don't need to.
06:17 < warren> gmaxwell: I
06:17 < warren> I'm hearing nothing about deliveries now, and people who ordered months before me are reporting no deliveries, so the guy who bought mine is screwed.
06:17 < gmaxwell> hm. Did they suddenly go quiet?
06:18 < gmaxwell> I know people who had SC order recently (couple weeks ago) got their piles of singles alternative.
06:18 < warren> recently?!
06:18 < warren> huh
06:18 < warren> gmaxwell: my April 2013 order didn't ship yet
06:19 < gmaxwell> no no I mean they recently received stuff, not recently ordered.
06:19 < gmaxwell> Ordering back in 2012.
15:04 < gmaxwell> phantomcircuit: e.g. it can just ban their input for N hours, if you want, you're free to choose the parameters to make it reasonable.
15:04 < petertodd> gmaxwell: done
15:05 < petertodd> andytoshi: sorry, just sent it already
15:05 < gmaxwell> andytoshi: what part of the world are you located in?
15:05 < andytoshi> no worries :)
15:05 < andytoshi> gmaxwell: austin
15:05 < andytoshi> it's a $300 flight
15:05 < petertodd> andytoshi: ah, if you were local I'd say just sneak in :)
15:05 < andytoshi> :P
15:05 < petertodd> andytoshi: $100 flight for me
15:06 < andytoshi> hopefully in a year or two i'll have the connections here for the university to fund me..
15:07 < phantomcircuit> gmaxwell, so interesting thought (which im sure someone else has had) coinjoin combined with outputs broken up into standard sized pieces would make it effectively impossible to run conventional money tracing algorithms
15:07 < andytoshi> maaku, gmaxwell: i understand your blinding protocol now, thanks
15:07 < phantomcircuit> as it stands with coinjoin you wouldn't be very protected if you were merging with significantly different amounts from everybody else
15:07 < gmaxwell> phantomcircuit:
15:07 < andytoshi> i'd still like to have multi-day joins, and it's too inconvenient if there's a possibility of invalidation
15:07 < petertodd> phantomcircuit: yeah, my post-dark-wallet write-up was going to suggest that merge-avoidance + coinjoin is a powerful tool
15:07 < phantomcircuit> but if all the outputs were powers of 2
15:08 < phantomcircuit> well now
15:08 < phantomcircuit> good luck with that
15:08 < phantomcircuit> petertodd, i actually already do something sort of like this with the intersango cold storage
15:08 < petertodd> phantomcircuit: should do it as a slider basically saying "I'm willing to pay up to x% more fees for better privacy"
15:08 < petertodd> phantomcircuit: oh cool
15:08 < phantomcircuit> i exploded it into lots of standard sized outputs ages ago
15:08 < phantomcircuit> and every so often do it again
15:08 < phantomcircuit> im sure it's not actually safe
15:09 < phantomcircuit> but it means that finding it is at least non trivial
15:09 < gmaxwell> phantomcircuit: yes, if all the outputs are equal sized you have perfect information theoretic anonymity among all the players. (or if they nicely factor then you have privacy proportional)
15:09 < gmaxwell> phantomcircuit: that's also why andytoshi's tool tells you which output values are most popular... so you can match them up.
15:10 < phantomcircuit> ah
15:10 < phantomcircuit> gmaxwell, yeah i was just thinking like
15:10 < gmaxwell> if the outputs aren't matched up (or at least factor nicely) then CJ just has the benefit of breaking 'taint' analysis assumptions about common key ownership.
15:10 < gmaxwell> Which is good to do, but not very private.
15:10 < phantomcircuit> 1/0.5/0.25/0.125 etc etc down to the point at which it would be dust
15:10 < phantomcircuit> and then whatever dust there is would pay to the meeting point as a small fee
15:11 < gmaxwell> oh interesting, a fixed cascade.
15:11 < phantomcircuit> or even as a transaction fee
15:11 < phantomcircuit> gmaxwell, yeah then you REALLY couldn't follow anything
15:11 < phantomcircuit> (also it protects against someone intentionally making a weird output size very popular to trick you)
15:12 < andytoshi> hmm, i like this idea
15:12 < gmaxwell> if you're putting in 10 btc though, you really probably don't want to receive it back as a zillion 0.125 btc outputs.
15:12 < petertodd> phantomcircuit: kinda reminds me: I was thinking coinjoin w/ ANYONE_CAN_PAY is useful because it lets you easily up tx fees by adding dust txin's as needed
15:12 < phantomcircuit> gmaxwell, with HD wallets and public derivation you could even pay everybody like that
15:12 < gmaxwell> petertodd: yea but right now doing anyone can pay makes the CJ transactions very distinguishable.
15:13 < petertodd> phantomcircuit: yeah, we need a way in the payment protocol for receivers to state how many extra addresses they're willing to have payments spread over
15:13 < phantomcircuit> gmaxwell, 10 btc would come back to you as 8/2
15:13 < petertodd> gmaxwell: yup, works best if everyone uses cj...
15:13 < phantomcircuit> gmaxwell, you would still need to be merging approximately the same amounts
15:13 < andytoshi> gmaxwell: if you had, say, fixed output sizes of 10, 5, 1, 0.5, 0.1, that should suffice
15:13 < andytoshi> restricted output sizes*
15:13 < phantomcircuit> but even if you weren't at the very least the smaller amounts would be perfectly anonymous
15:13 < gmaxwell> andytoshi: really? someone puts in 1 someone else puts in 10. .. now they get no privacy under that scheme.
15:14 < phantomcircuit> gmaxwell, i forget what's the default dust limit for an output?
15:14 < andytoshi> well, you'd combine it with the 'most popular output' scheme
15:14 < gmaxwell> phantomcircuit: e.g. if you get an output of X no one who put in <X would be in the same anonymity set as you.
15:14 < petertodd> Anyway, fixed output sizes are all well and good, but in addition to that you can do value matching: party #1+n to the CJ intentionally picks the same output value for some or all of their txouts as a previous party.
15:14 < phantomcircuit> is it 0.0005 ?
15:14 < andytoshi> but yes, that could be the case
15:14 < helo> 0.00005something
15:14 < phantomcircuit> gmaxwell, right
15:15 < petertodd> Or, even more sophisticated, some output value that is the sum of their txin's and your txins, or some similar strategy.
15:15 < gmaxwell> andytoshi: in any case you can do something like where the biggest output is <= the smallest input, and then you have octaves and you randomly assign people's coins to outputs.
15:16 < maaku> phantomcircuit: coin size doesn't actually matter ... you're only mixing with the people participating in the transaction
15:16 < maaku> and from transaction to transaction you can vary the output sizes
15:16 < petertodd> *sum of a subset of their txins and your txins
15:16 < andytoshi> i'd like that, but there's still edge cases (that aren't too extreme) where i'm asking people for 20 addresses
15:17 < gmaxwell> andytoshi: and paying their 10 BTC input as a zillion .125 outputs. :P
15:17 < phantomcircuit> maaku, right but let's say you have 1 input for 200 btc and we explode that into outputs for 128/64/8
15:17 < phantomcircuit> maaku, and there is 1 other input for 10 btc
15:17 < phantomcircuit> only the 8 btc output is anonymous
15:17 < phantomcircuit> the 128 and 64 are both clearly linked to the 200 btc input
15:18 < phantomcircuit> ahah wait
15:18 < gmaxwell> phantomcircuit: ENOTENOUGHDATA
15:18 < phantomcircuit> that's wrong
15:18 < gmaxwell> phantomcircuit: if there are two people with 200 BTC inputs, you're great.
15:18 < phantomcircuit> you can have multiple inputs yourself
15:18 < phantomcircuit> so 10 inputs for 10 BTC and 2 outputs for 50 BTC tells you nothing about who is who
15:18 < gmaxwell> sure sure, I'm trying not to assume that the inputs themselves are already somewhat anonymous.
15:19 < gmaxwell> The hard case is where all the data going in is known, if you're secure in that case you're secure in the easier versions.
15:19 < phantomcircuit> gmaxwell, right neither am i
15:19 < phantomcircuit> gmaxwell, if you have exactly 2 inputs both of which are not anonymous and outputs which are larger than one of the inputs
15:19 < phantomcircuit> then those outputs are clearly linked to the larger input
15:20 < maaku> phantomcircuit: if you perform three 2 party mixes, then you've reduced taint of your original input down to 1:8 ... even if there are a thousand other participants with that output size
15:20 < maaku> your output is still only one of those eight, and definitely not one of the other 992 outputs
15:20 < phantomcircuit> maaku, taint is such a terrible measure :/
15:21 < maaku> well im speaking loosely, not giving taint any specific meaning
15:21 < phantomcircuit> maaku, if you take the larger outputs and merge them receiving ever smaller outputs (ie exploding them into a standard size) then you eventually end up with tons of tiny outputs that are super annoying
15:21 < gmaxwell> The word you want to use is "anonymity set".
15:21 < maaku> in coinswap you do benefit from the size of the crowd, but not coinjoin
15:21 < maaku> phantomcircuit: you don't have to explode your outputs, that's what I'm saying
15:21 < gmaxwell> well coinswap crowd benefits would currently be ~0 due to the fact that escrow transactions are basically non-existing, though that'll change.
15:22 < phantomcircuit> ideally you could get a distribution of who controls the inputs
15:22 < phantomcircuit> maaku, if you don't control your outputs to be standard sizes you'll run into fuzzy statistical matching that is actually very very sophisticated
15:23 < phantomcircuit> maaku, in general "dirty" money flowing around the banking system isn't traced by following each hop but rather is traced using fairly broad statistics
15:23 < gmaxwell> phantomcircuit: sure and you can reduce the distribution to a single number the entropy of the distribution.
15:23 < andytoshi> i think having a 'most popular output', and a small set of standard sizes, would suffice
15:23 < andytoshi> then i'd spin up multiple joiners with different standardsizes
15:23 < phantomcircuit> gmaxwell, hmm
15:24 < maaku> "you'll run into fuzzy statistical matching that is actually very very sophisticated" I don't think this is correct
15:24 < phantomcircuit> maaku, the attempts at tracing bitcoins on the network to date have been ... how do i put this nicely? ... not sophisticated
23:25 < phantomcircuit> gmaxwell, in general i suspect the best he could hope for is to recover 20 BTC at the time tradehill (version one) was liquidated
23:25 < phantomcircuit> iirc it was actually formally and legally liquidated in chile
23:26 < phantomcircuit> there might be a transfer agreement specifying liabilities... but i doubt it
23:26 < phantomcircuit> it's like there's a guy who owes intersango 511 BTC
23:26 < gmaxwell> phantomcircuit: right, so there you go, time to shut down intersango.
23:26 < phantomcircuit> but it was from when that was worth 4k USD
23:27 < phantomcircuit> there is no way we could get a court to find that he owes us 408k USD instead
23:27 < phantomcircuit> gmaxwell, im going to try changing the business model relatively soon hopefully that will align the costs with the fees
23:27 < phantomcircuit> and people will stop thinking their 10 EUR transfer will be executed immediately
23:36 < pigeons> i met jared and the tradehill folks at the money202 conference in vegas a few months ago and was kind of surprised they show their faces
23:36 < pigeons> the whole san francisco crows with him, jesse powell, jonathan ryan owens, jared kenna etc
23:36 < pigeons> *crowd
23:36 < pigeons> *money2020
23:53 < phantomcircuit> pigeons, afaict jered himself doesn't intentionally screw people over
23:53 < phantomcircuit> it just kind of happens
23:53 < phantomcircuit> the others though? well that's a different story
23:53 < pigeons> ok, well makes me wary
23:54 < phantomcircuit> total 90degree shift here
23:54 < phantomcircuit> one server with vmware or multiple servers
23:56 < pigeons> probably whatever your admin prefers
23:57 < pigeons> i prefer multiple servers on my own projects, but i for some reason like it all on vmware when its someone else's project, easier for me to keep straight for some reason
23:58 < phantomcircuit> pigeons, im the admin
23:58 < phantomcircuit> yeah i guess individual servers
23:58 < pigeons> of course if you're paranoid there are always break out of the guest and compromise the host bugs that take years to even get leaked
23:58 < phantomcircuit> bleh have to buy switches and shit then
23:59 < pigeons> probably more and more such bugs the way they don't really virtualize the video cards
--- Log closed Tue Nov 26 00:00:08 2013
--- Log opened Tue Nov 26 00:00:08 2013
00:00 < phantomcircuit> hmm
00:00 < phantomcircuit> true
01:48 < Ryan52> cfields: Oh, okay. Sorry about that, I should have provided a status update, I totally fell asleep last night trying to rest my eyes before doing so... I'm on my way out to play cards now, but I'll comment on your commit (or alternate preferred means of providing those details?) tonight.
01:49 < Ryan52> cfields: And no problem regarding missing my pong, please let me know if the results are urgent, and I can try to put a rush on it.
02:28 < cfields> Ryan52: nah, nothing urgent. I just don't want it to go stale
02:29 < warren> cfields: has anyone tested your new gitian targets? sorry I'm too swamped personally now.
02:30 < cfields> warren: not yet. I'm trying to sucker Ryan52 into it :)
02:30 < warren> We'll toss some coins to Ryan52 for doing it and improving it if necessary.
02:31 < cfields> great
02:32 < cfields> Ryan52: i suppose you're not able to trigger the osx db corruption?
02:32 < warren> cfields: I'm pushing builds to all the people who complained to ask for testing of your patch
02:33 < cfields> ok
02:33 < warren> litecoin too
02:33 < cfields> warren: it's a stab in the dark, but there's some logic to it
02:56 < Ryan52> cfields: yeah, understandable, I'll give it a try once I figure out gitian. WRT mac osx, I wish, but my client has been happily downloading blocks for days (perhaps starting with a bootstrap would have somehow been more effective for testing?).
02:56 < Ryan52> s/mac osx/mac osx corruption/
02:56 < warren> Ryan52: bootstrap.dat will be no different in testing as corruption people experience seems to be mostly after full sync
02:57 < Ryan52> warren: yeah, that was my assumption, I wasn't sure if it was valid. thanks for confirmation.
02:58 < Ryan52> I thought maybe throwing stuff at it while it is busy downloading/validating/etc might make reproducing faster, but it was a long shot.
02:59 < warren> nah, reproducers have been as simple as "clean shutdown" and start it again
03:13 < warren> cfields: so folks want qt5 with autotools, but there's no qt5 in macports yet?
03:14 < Emcy> anyone think its worth getting a topic for bitcoin put on usenet
03:15 < warren> no
03:15 < Emcy> :(
03:15 < wumpus> warren: demand for qt5 doesn't come only from mac
03:17 < warren> wumpus: I know
03:17 < wumpus> the newer ubuntus also come with qt5 by default
03:17 < warren> and lack db48?
03:18 < wumpus> yes
03:18 < warren> is anyone going to get rid of bdb?
03:18 < wumpus> as it is now, it looks like we're getting rid of the wallet before getting rid of bdb
03:19 < Emcy> only the wallet uses bdb
03:19 < wumpus> (well, at least to make wallet optional, and use nowalletmode by default)
03:19 < wumpus> yes Emcy
03:19 < Emcy> its simple, we kill the wallet and we kill the bdb lol
03:21 < wumpus> it wouldn't solve the problem, of course, as people that want to use the wallet are still stuck with bdb, but the wallet component will always need it for backwards compatibility anyhow :/
03:22 < wumpus> we can't just say 'hey, you can't use your old wallet.dat's anymore!'
03:23 < warren> cfields: do still plan on redoing the win32 gitian deps?
03:23 < warren> cfields: tarball instead of zip, version upgrades, etc.
03:24 < Emcy> look sipa will get around to it one day
03:24 < Emcy> theres only one of him
03:24 < wumpus> I'm not sure Emcy, I think he lost interest in the wallet part as well, he's focused on improving the block handling now
03:25 < Emcy> rightly so
03:25 < wumpus> which is also a much higher priority
03:25 < wumpus> there are many wallets, but there is only one full node
03:25 < Emcy> i wouldnt like to see the wallet part fall into such disrepair that someone just says fuck it and comments it all out one day
03:26 < Emcy> i suppose thats a danger if no one works on it for years
03:26 < wumpus> the nice way would be to separate it out into a different part
03:26 < Emcy> i was surprised to see gavins old headers first branch on the github the other day too like 2 years old, so it could happen
03:27 < wumpus> we just don't have enough interested developers
03:27 < Emcy> wumpus i wouldnt like to see a functioning reference client be fractured into parts
03:28 < Emcy> im sure it makes sense to nerds but thats how you turn the project into a plaything for just the tech elite
03:28 < wumpus> *everyone* with C++ skills could say any day "hey, let's improve the wallet" and improve the code and submit a pull
03:28 < Emcy> well there are like 150 people with commits on the github but most of those are one or 2
03:29 < gmaxwell> seems to be a lot more interest in reimplementing the basic underlying stuff.
03:29 < wumpus> but as it looks now, on the long term we need to focus the bitcoin projects on its core responsibilities
03:29 < wumpus> which is the P2P and block chain handling
03:29 < Emcy> but yes im surprised there hasnt been more interest from all the rest of the talented people out there
03:29 < wumpus> gmaxwell: yes, many people get stuck in the 'let's reimplement this to learn' part
03:30 < Emcy> with bitcoin being like a new frontier of computer science or whatever......thought that would attract the brainboxes. Perhaps even academia for more than shitty papers here and there
03:31 < midnightmagic> Emcy: Nobody wants to be the one that broke bitcoin.
03:31 < wumpus> Emcy: and splitting up the project doesn't have to mean anything changes for end users, we could still package a full node with wallet if there is demand for that, it will just consist of multiple parts internally
03:34 < wumpus> Emcy: well there is lots of focus on bitcoin as a currency or speculation vehicle, but almost none on the open source project
03:34 < Emcy> right
03:35 < Emcy> goes along with my suspicions that all the price wanking is hurting bitcoin the project in subtle ways
03:35 < wumpus> we're extremely good at attracting traders and gamblers though, but expecting them to learn to code between their adrenaline binges would be expecting too much :-)
03:35 < midnightmagic> :)
03:36 < Emcy> but there are many parts of the system that can only be engineered on in situ
03:36 < Emcy> because no one knows how the fuck it will behave otherwise
03:38 < Emcy> i wonder if some team could get an EU grant to do bitcoin stuff
03:38 < Emcy> theres a team that gets EU money to code a functioning 100% decentralised torrent client i think
03:39 < Emcy> tribler? I think their solution was MOAR DHT though
03:39 < gmaxwell> maybe there should be a gambling interface that shims into GCC. "Will this line of code compile? Bet now!"
03:40 < wumpus> hehe, and a code editor that combines statements using a slot machine
03:41 < gmaxwell> splitting out the wallet is important for a lot of reasons. It is somewhat crazy that our private key handling wallet process is exposed to the internet. With the wallet separated we could do a lot better sandboxing of all the processes.
03:41 < warren> gmaxwell: that might be the cause of the macos x corruption
03:41 < Emcy> and threading of things that should be threaded
03:41 < gmaxwell> oh some sandboxing thing?
03:42 < warren> gmaxwell: no, "Will this line of code compile? Bet now!"
03:42 < wumpus> or with speculation 'this line of code is now worth 3 mBTC, invest in it to make it worth more!'
03:42 < gmaxwell> ah!
03:42 < gmaxwell> lol
03:42 < Emcy> as long as you can still compile a binary with all the parts forming a functioning client, it would be ok
03:42 < Emcy> as long as it doesnt end up like PGP
10:09 < HM> if (!BN_mul_word(x, i)) { ret=-1; goto err; }
10:09 < HM> if (!BN_add(x, x, ecsig->r)) { ret=-1; goto err; }
10:10 < HM> very simple
10:10 <@sipa> indeed
10:11 < HM> is it just 2 possible values?
10:11 < HM> p/n is the cofactor isn't it?
10:11 < HM> which is 1
10:11 <@sipa> yes, n is 2^256 - 2^128 approximately
10:12 <@sipa> so the chance of it being >n is even exceedingly small
10:14 < HM> very cool
10:14 < TD> HM: the same code exists in bitcoinj in a more readable form
10:14 * HM covers sipas ears
10:14 < HM> more readable than sipa's code you say? :P
10:14 <@sipa> HM: i make no claim my implementation of key recovery is good
10:15 <@sipa> it's a straightforward implementation of the algorithm in SEC1, but it could be much more readable
10:15 < TD> well, you can't really make openssl based code readable
10:15 < TD> https://code.google.com/p/bitcoinj/source/browse/core/src/main/java/com/google/bitcoin/core/ECKey.java#464
10:16 <@sipa> some parts can be abstracted into functions, variables can be more readable, ...
10:16 <@sipa> also, i'm not actually convinced i use the BN_CTX api correctly - it may leak
10:17 <@sipa> (something i learnt when reimplementing Hal's optimization)
10:18 < HM> TD: i prefer the C++ :P
10:18 <@sipa> HM: feel free to compare with the OpenSSL-using code in https://github.com/bitcoin/bitcoin/pull/2061/files
10:18 < TD> each to their own :)
10:20 < HM> yeah that code is nice
10:21 < HM> I think that FLV optimisation, or whatever it is called, is well outside my grasp atm though
10:21 <@sipa> the reason why it works, i don't understand either
10:22 <@sipa> but given the mathematical property, i understand why this is correct and gives a speedup
10:23 <@sipa> HM: also, originally it was this code by Hal: https://bitcointalk.org/index.php?topic=3238.msg45795#msg45795
10:26 < HM> hmm
10:27 < HM> is it going to merge sipa?
10:27 < HM> or are you waiting for a cryptoangel to come down and bless it?
10:32 < HM> i think the bad bit is you're duplicating code from OpenSSL
10:36 < HM> offtopic but hilarious:
10:36 < HM> http://blog.evernote.com/tech/2011/05/17/architectural-digest/#comment-455
10:36 < HM> "Before Evernote, I spent five years building high-end cryptographic systems for government customers"
11:23 <@sipa> HM: i'd hope to get that into 0.8.1, but i doubt gavin likes to merge it without some big-ass crypto guy signing off on it
11:23 <@sipa> maybe rightfully so
11:25 < gavinandresen> I'd be ok merging it as an off-by-default "if sipa-turbo-transaction" option that people who are CPU limited wanted to use, could use....
11:26 < HM> lol "sue sipa mode"
11:26 <@sipa> hmm
11:27 <@sipa> i'm currently actually trying to write an ECDSA implementation from scratch, with all operations specialized for secp256k1
11:27 <@sipa> trying to see if i can beat OpenSSL :p
11:29 < HM> including your own bignum ops? :p
11:31 <@sipa> yes, i already have a specialized implementation for arithmetic modulo the secp256k1 field size
11:31 <@sipa> which has a function that does an integrated multiply-and-modulo or square-and-modulo
11:32 <@sipa> i haven't compared it with OpenSSL's montgomery multiplication (which is in assembly!) but it beats (naive) GMP by a factor of >4
11:32 < HM> nice
11:33 < HM> Bernsteins implementation of curve25519 was written in his own assembly language and translated to x86 using his own translator :|
11:33 < HM> I'm not sure if he wrote his reference of Ed in the same language
11:33 < HM> haven't looked at it
11:34 <@sipa> well i use a trick i read in the ed25519 paper, namely using 5 uint64_t's (with 52 bits in each) instead of 4
11:34 <@sipa> so you need somewhat more multiplications, but you can add several together before doing a carry
11:35 <@sipa> it needs 47ns for a field multiplication on my 3.1GHz i7
11:35 <@sipa> and doesn't have any assembly code
11:35 < HM> 52 x 5 is 260
11:36 <@sipa> the last one only has 48 bits :)
11:36 < HM> so the top 4 are 0
11:36 < HM> keeps code simple i guess
11:36 < HM> that doesn't sound particularly tricky
11:37 <@sipa> well the trick is verifying that for any allowed input you never overflow any internal variable
11:37 < HM> why is avoiding the carry ideal?
11:37 <@sipa> because 64-bit addition with carry is slow
11:37 <@sipa> (and hard to do in C...)
11:38 < HM> i guess
11:38 < HM> i wrote a divideby58 function that uses 24 bits in uint32_t words
11:38 < HM> the top byte just becomes the carry
11:38 <@sipa> and it allows you to do field additions, subtractions and multiplications with small constants without any carry
11:38 < HM> since 58 takes 6 bits
11:39 < HM> but i was just bored
11:39 <@sipa> just add/sub/mult the respective uint64_t's together
11:39 <@sipa> if you can prove they won't overflow
11:39 < HM> yeah
11:40 < HM> http://pastebin.com/rRcrYUm8
11:41 <@sipa> anyway, the result is a field doubling in 361ns
11:41 <@sipa> eh point doubling
11:41 <@sipa> i haven't implemented addition yet, or compared with openssl
11:41 < HM> sounds fast
11:42 <@sipa> i suspect it's at most a factor 2-3 faster than openssl, but may be a lot less
11:45 < HM> you should look at compiler intrinsics for 128bit operations if you want to push it further
11:45 <@sipa> i use those
11:45 <@sipa> you can't do 64*64 multiplication otherwise
11:47 < HM> sure you can
11:47 < HM> won't be fast though
11:48 <@sipa> well there is no way to do a native 64*64 multiplication in one instruction that keeps the upper 64 bits of the output otherwise
11:48 <@sipa> better?
11:49 < HM> I am satisfied :)
12:57 <@sipa> gavinandresen: -turbo added :)
13:05 < gavinandresen> cool, I look forward to the TurboUltraPlus version
18:04 <@sipa> \o/ 725ns for a point addition
18:42 < HM> that seems pretty slow
18:42 < HM> you can do better
18:43 < HM> sipa: you should really normalise that in cycles.
18:44 < HM> or cycles per byte
18:44 < HM> hmm
18:49 <@sipa> well, to give any meaningful number: a rough guess is 3x faster than OpenSSL
18:50 < HM> good work
18:51 < HM> I would find the code interesting as well
18:51 <@sipa> though i'm pretty far from a full implementation, it's just the field & group operations for now
18:52 * HM nods
19:08 < ielo> hi
19:19 < HM> hi ielo
19:19 < HM> the address format is really weird in bitcoin
19:20 < ielo> why
19:20 < HM> well the hash is converted in to base58 in big endian
19:20 < HM> so the first byte is the most significant
19:20 < HM> then it's reversed
19:20 < HM> so it's now little endian
19:20 < HM> then the front is padded, if applicable, with 1's
19:21 < HM> which means you're semantically adding 0's to the least significant end
19:21 < HM> makes no sense
19:22 < ielo> but all of those parts are useful like the key hash and checksum no?
19:23 < HM> right, it's a composite structure, so it really has no endianness
19:25 < HM> https://github.com/bitcoin/bitcoin/blob/master/src/test/data/base58_encode_decode.json
19:26 < HM> a naive conversion of say 00eb... will treat it as a big endian bigint and output L9ED...
19:27 < ielo> but in what situation would that happen
19:28 < HM> the mainline client does it
19:29 < HM> https://github.com/bitcoin/bitcoin/blob/master/src/base58.h#L64
19:31 < HM> e.g. if you had "10000" and divided it by "10" the BN_div and append op actually produces "1000"
19:31 < ielo> /
19:31 < ielo> / Why base-58 instead of standard base-64 encoding?
19:31 < ielo> / - Don't want 0OIl characters that look the same in some fonts and
19:31 < ielo> / could be used to create visually identical looking account numbers.
19:31 < ielo> haha
19:31 < ielo> thats curious
19:32 <@sipa> HM: https://github.com/sipa/secp256k1/blob/master/secp256k1.cpp
19:33 < HM> hmm
19:33 < HM> there are some microops you can still do there i think
19:34 < HM> micro optimisations
19:34 <@sipa> i have no doubt about that
19:34 <@sipa> but much is compiler-dependent at that point
19:34 <@gmaxwell> next that gets converted into ASM. :P
19:35 <@sipa> well, that's what i mean: if you want to optimize further, you're probably better off generating the assembly, and tweaking that
19:35 < HM> i doubt it
19:36 <@sipa> for example i do keep a 128-bit accumulator throughout the first multiplication stage in SetMult
19:36 < HM> you should benchmark it in more than 1 compiler though
19:36 < HM> perhaps intels
19:36 <@sipa> in an earlier version, i took the resulting shifted output into a uint64_t, and added to that to obtain the next __int128
19:37 <@sipa> in theory, that is faster, as i know the top 64 bits are zero
19:37 <@sipa> however the generated code was slower
19:37 <@sipa> so there is certainly room for improvement at the assembly stage
19:38 < HM> 100 million
19:38 < HM> how long does it take roughly
19:38 <@gmaxwell> well, not like the compiler is going to output PCLMULQDQ on its own.
19:39 <@sipa> HM: 2.5 minutes here
19:39 <@sipa> it's actually 200 million additions
19:39 <@sipa> but i wanted to avoid always adding the same number
19:39 < HM> I'm going to try something
19:40 <@sipa> feel free :D
19:41 < HM> i only have an i5 480M in this laptop so might take a while
19:41 <@sipa> gmaxwell: it does output mul and adc instructions, which is what i need
19:42 <@sipa> (64-bit multiply with 128 output, and addition with carry of two 64 bit values)
19:42 <@sipa> i think it however generates a few add instructions too many
19:42 < HM> i wonder how much overhead is due to the lack of inlining in the openssl version
19:43 < HM> plus those CTX structs
19:45 <@sipa> those CTX's are actually very efficient
19:46 <@sipa> they cause the algorithm to reuse the same variables throughout many iterations
19:46 <@gmaxwell> thats the sort of thing that the cpu will handle well too usually.
19:47 <@sipa> gmaxwell: well you don't want malloc()/free() inside your tight crypto loops
19:56 < HM> hmm
19:56 < HM> well
19:58 < HM> takes over a microsecond here
19:58 < HM> 3m30
19:59 < HM> 2.2 Ghz core
19:59 < HM> 2.67 actually :|
00:00 < petertodd> But what's nice about that, is by making burning coins possible, you can give nice lower-bounds on how much it'd cost an attacker to attempt to re-org the chain!
00:00 < petertodd> That's actually a good thing!
00:00 < amiller> i don't think so?
00:01 < amiller> burning coins is already possible, just make it a softfork thing
00:01 < amiller> i guess you're just arguing that people should take advantage of that and start doing it
00:01 < petertodd> Why not? In reality they could rent the hashing power, maybe, and you have no strong idea if it's possible.
00:01 < petertodd> Huh? What does a soft-fork have to do with anything?
00:02 < amiller> it's only a soft fork change to have consensus-by-burn isn't it?
00:02 < petertodd> No, it's very much a hard-fork change.
00:02 < amiller> why
00:03 < petertodd> Because it means sometimes a block with less real work is the winner.
00:03 < amiller> just make a transaction that burns the coin and has an encoded message containing the block you like
00:03 < amiller> only for a short time though
00:03 < petertodd> Doesn't matter, that's a hard-fork change.
00:04 < petertodd> Heck, what's ugly is how hard it is to implement this in a low-bandwidth SPV compatible way - you'd need some fancy NI proof thing, and they're all bulky.
00:05 < gmaxwell> forget bulky one of the deep advantages of bitcoin is that assuming a very small amount of blackboxing (hash functions and ecdsa) joe-coder can basically understand the whole thing, or really believe he can understand it.
00:05 < amiller> i don't see how it couldn't be a soft fork
00:05 < gmaxwell> add too much wizardry and it becomes incomprehensible. Considering the insecurity of namecoin thats a serious liability.
00:05 < amiller> it falls under a particular kind of bribe-the-miners approach
00:05 < amiller> it's just instead of appealing to their own bonus, you're just saying that it's a good altruistic thing to have this property built in
00:06 < petertodd> gmaxwell: Yeah, though I will point out that if I understand this we probably have a hope of making a description that's joe-coder understandable. :P
00:06 < petertodd> gmaxwell: NI proofs are possible to explain without that much math
00:07 < gmaxwell> some of them are.
00:07 < petertodd> amiller: you could have a situation where a block has no work done at all to mine it, and it's valid only because of the burns
00:07 < amiller> uh, hm, i see
00:07 < petertodd> gmaxwell: yes, and all the ones I'm envisioning for this stuff are in that class, because I failed calculus
00:08 < petertodd> amiller: or in a different system, it is valid, but is on a chain that's way shorter than the attackers chain
00:08 < petertodd> amiller: yet the attacker's chain is still defined as not the winner
00:08 < amiller> okay i agree with the first part
00:08 < gmaxwell> I have been explaining everything I learn in this space to my girlfriend, so I have a pretty good idea of the effort to explain things. I can explain it but the explanations take hours before they cross the point of being useful. So ability to explain isn't enough, the explanation has to be shorter than their attention span.
00:09 < amiller> i wonder if you shouldn't consider a new rule like "choose the block that has desirable transactions in it" rather than "choose the longest block" a soft fork change
00:09 < amiller> you'd have to convince everyone to go on it or you'd have a split among people who did and people who didnt
00:09 < petertodd> gmaxwell: yeah, don't get me wrong: all these advanced distributed consensus ideas are less joe-coder friendly than Bitcoin v1.0, but we're pretty far from the point where it's impossible to explain
00:09 < amiller> i guess that's the main quality you want to express by hard fork
00:10 < gmaxwell> splits are pessimal though.. and you could be malicious easily e.g. make two forks one randomly pays 1e-8 btc to half the users, one randomly pays 1e-8 to the other half.
00:10 < petertodd> amiller: basically remember that anything in the block headers is guaranteed to be changeable only by a hard fork - we're changing the very core of the consensus algorithm here
00:11 < amiller> suppose you made it so that a block was technically valid even if it had self-decided difficulty
00:11 < amiller> that's a DoS problem primarily
00:11 < petertodd> gmaxwell: for sure - tie-breaking in many cases is pretty damn ugly
00:11 < amiller> but you could make that hard fork change, and by soft-fork rules still maintain everything as normal
00:12 < amiller> in other words you would use softfork policy to enforce the same difficulty policy we have now, so no tiny valueless bloat blocks
00:12 < petertodd> gmaxwell: mainly I'm proposing this stuff because it gives a democratic-ish and automatic way for the community to directly fight an attacker; the fact it works well in more specific scenarios is just luck
00:12 < amiller> once you applied that hard fork change, then it would only be a soft-ish fork to change it to preferring proof-of-burn rather than proof-of-work at some exchange rate
00:12 < petertodd> amiller: no, that'd be a hard-fork too
00:13 < amiller> it's neither a soft fork nor a hard fork
00:14 < petertodd> amiller: if you have a situation where an older client can't come to consensus with the majority of hashing power, it's a hard-fork
00:14 < amiller> but you're changing the definition of hash power
00:14 < amiller> technically the older client will continue to come to consensus with the majority of hash power
00:14 < petertodd> amiller: yes, hence we've got a hard fork!
00:15 < petertodd> amiller: I mean, I'd call changing the pow algorithm from SHA256^2 to scrypt to be a hard-fork
00:15 < amiller> what about adding a bit to the difficulty expression
00:15 < amiller> so that the work is twice as hard at the same difficulty level
00:15 < amiller> normal miners would get it right half the time
00:15 < petertodd> amiller: again, hard fork
00:15 < amiller> eventually the hash power would take over though
00:15 < amiller> not a hard fork
00:16 < amiller> that's unambiguously a soft fork
00:16 < petertodd> amiller: yes, but now a less than majority of hashing power can lead the older clients astray
00:16 < amiller> no it can't
00:16 < petertodd> amiller: yes it can, specifically a 25% attacker
00:17 < amiller> i think you've just misunderstood my example or i made some error in describing it
00:17 < petertodd> you made it twice as hard, therefore someone with half as much strength can create what looks like a valid chain, hence a 25% attacker
00:17 < amiller> no i self impose a rule that's twice as hard
00:18 < petertodd> yes, which means the majority of hashing power is now doing twice as much work, but the older clients don't know that, and they then think a 25% majority is a 50% majority
00:18 < amiller> oh
00:19 < amiller> uh... yeah, sorry
00:19 < petertodd> hehe, that'll make for a good problem in my upcoming textbook on decentralized consensus systems :P
00:20 < amiller> that's somewhere in between a hard fork and a soft fork then lol
00:20 < amiller> because it gives a slight advantage but not a complete one to the smaller attacker :o
00:21 < amiller> you still want everyone to change their client but they might not
00:21 < petertodd> yes! you can have changes that are hard-forks to fully validating nodes, and soft-forks for SPV nodes
00:21 < petertodd> in my textbook I'll have to define a hard-fork very clearly!
00:21 < amiller> are you really writing a textbook
00:22 < petertodd> lol, but I'm starting to seriously think about it...
00:25 < amiller> ok so having coin burning as an option would be a hard fork, (even if it were syntactically already permitted somehow) because it would require changing the consensus definition of clients
00:25 < petertodd> yup
00:26 < amiller> so back to the difference between burned-work and burned-coins
00:29 < amiller> profitdriven miners pick the chains to work on that give them the most profit
00:29 < amiller> clients pick chains according to their code?
00:29 < amiller> is there any notion where a client picks the chain based on some incentive?
00:29 < amiller> i suppose the client picks the chain that's most likely to be sustained by other miners
00:30 < amiller> but it has to choose which miners it cares about!
00:30 < gmaxwell> amiller: the most important thing in a consensus system is to come to a consensus... :) of secondary importance is to come to a consensus which doesn't screw you over.
00:30 < amiller> the client probably picks the chain that's most likely to be sustained by the miners that make the kind of blocks other clients you interact with choose
00:30 < amiller> yeesh it's still circular
02:45 < jgarzik> I hope I'm not being overbearing: https://bugzilla.redhat.com/show_bug.cgi?id=1020292
02:46 * jgarzik generally feels that most people, including smart hackers, Just Don't Get It when it comes to distributed consensus, forks, and bitcoin security.
02:46 * jgarzik should have written that blog post, when the Debian thing surfaced
03:01 < warren> jgarzik: sigh, I was hoping they would understand
03:02 < warren> jgarzik: perhaps it's time to discuss the underlying policy purpose of the no library duplication rule
03:15 < warren> jgarzik: hmm, I like the way you described it. I think Peter Lemenkov is not among the more experienced people there. let's see how spot responds...
04:33 < petertodd> jgarzik: "This sounds very strange to me. If it's true, and Bitcoin is so fragile due to changes in underlying libraries, then it looks like a potential attack vector." <- might be worth it to go ahead and say that yes this is a problem, but right now the state-of-the-art does not know how to remove this risk
04:34 < petertodd> jgarzik: helps give the guy the impression that you're listening to him, while making it clear why his first impression is an incomplete understanding
14:06 < HM> the EC stuff sounds like it'll dominate
15:56 <@sipa> swap OpenSSL for GMP: down to 136us
15:56 <@sipa> (though haven't validated whether the results are correct)
16:36 < HM> nice
16:39 < HM> sipa: did you optimise exponentiation yet?
16:40 <@sipa> sure
16:43 <@sipa> there are not many optimizations left that i know about
16:48 < HM> Still, a four fold performance increase over current bitcoind?
16:49 <@sipa> something like that
16:49 < HM> that's sweet
16:59 <@sipa> the worst part: creating bug-for-bug identical signature decoder
17:06 < HM> well you can be lazy and leave out the bugs
17:06 < HM> I'll forgive you
17:07 <@gmaxwell> No, we won't. Not matching the bugs would be a bug.
17:07 <@sipa> not matching the bugs means a potentially forking client
17:08 <@sipa> though i'm well aware of which violations of DER-encoding for signatures appear on the network, and matching those isn't hard, i can't know what else OpenSSL might accept
17:08 <@sipa> trivial solution: use OpenSSL to do the signature decoding :)
17:27 < nanotube> what if openssl decides to fix the bugs at some point?
17:27 <@gmaxwell> nanotube: bitcoin is over.
17:27 <@gmaxwell> :P
17:28 < nanotube> heh
17:28 <@gmaxwell> this is one of the reasons that having external libraries define our normative blockchain behavior is surprisingly risky. Most other software doesn't have the suicide pact for bug preservation we do. :P
17:29 < nanotube> indeed
17:29 <@gmaxwell> In my eyes the whole of the blockchain code would be some hermetically sealed single set of C files which don't even call any libc functions, beyond those needed to allocate memory and use the disk. :P
17:30 <@sipa> nanotube: it's not bugs as such: they accept ill-formatted signatures; in many settings, that is wanted behaviour
17:30 <@sipa> the problem is that it implicitly defines a hard network rule for us
17:30 < HM> gmaxwell: *C++ files :P
17:30 <@gmaxwell> The old and now increasingly deprecated internet "be forgiving in what you accept"
17:31 <@gmaxwell> HM: If C++, it would really properly be a subset. it shouldn't use STL containers. Their _exact_ visible behavior is not defined.
17:31 <@gmaxwell> (or at least it would have to be very careful in how they were used)
17:32 <@gmaxwell> Basically it can't use implementation defined behavior. In C I know how to do this, I'm sure it's possible in C++ but I don't personally know how.
17:32 < HM> the STL containers let you use custom allocators
17:33 < HM> i'm not sure what in particular you're worried about
17:34 <@sipa> gmaxwell: you could copy the STL headers into the project if you're really worried :)
17:34 <@sipa> they're not system dependent
17:34 <@gmaxwell> sipa: good luck getting them to compile with any random compiler! :P
17:35 <@sipa> gmaxwell: obviously you copy g++'s source code into the project as well :p
17:35 <@sipa> and the linux source code
17:35 <@sipa> and the design docs of your CPU.... oh wait
17:35 < HM> SeaBIOS for open bios
17:35 < HM> then run the whole thing in a virtual machine
17:35 <@gmaxwell> But yea, there you go limitations on my C++ clue. I'm sure there are ways to avoid implementation defined behavior (avoiding implementation bugs perhaps trickier in C the compilers are now tested against random ASTs for agreement among implementations, including implementations like CompCert)
17:36 <@gmaxwell> sipa: if the compiler isn't buggy then your exposure is just malloc and disk io not working.
17:36 < HM> malloc isn't reliable
17:36 <@gmaxwell> But there is a _big_ difference between bug and implementation defined behavior.
17:36 < HM> Linux will happily allocate more memory than you have
17:36 <@gmaxwell> HM: sure it is. It is always successful. And if it fails you reboot. :P Have you not done embedded system design?
17:37 < HM> oh right, that's how it's done
17:39 < HM> this is boned
17:39 < HM> i'm running 50 copies of a client binary to test a servers fairness
17:39 <@sipa> hmm, how hard would it be to make bitcoin depend on GMP?
17:39 < HM> the clients are quitting after 1 minute
17:39 <@sipa> it's LGPL
17:41 < HM> LGPL is fine?
17:41 <@sipa> first check why they get such good performance, maybe a similar algorithm can be implemented directly
17:41 < HM> one instance takes 7 seconds, 100,000 iterations
17:41 <@sipa> but 160us -> 130us is pretty significant...
17:41 < HM> 50 instances seem to finish in 1 minute...
17:42 < nanotube> <gmaxwell> The old and now increasingly deprecated internet "be forgiving in what you accept" <- yea, that always struck me as introducing some perverse incentives. :)
18:05 <@gmaxwell> nanotube: it's widely considered to be a bad idea now in many circles, esp anywhere in remote proximity to HTML.
18:06 <@gmaxwell> in IETF meetings people will say something like that and then get called out "no, we used to think that. And now we know we were stupid."
18:06 <@gmaxwell> inexactness means you need a faithful emulation of every set of possible bug permutations, rather than just exact emulation of the bugs in the standard. :P
18:09 <@gmaxwell> 14:32 < HM> the STL containers let you use custom allocators
18:10 <@gmaxwell> Because they have exposed non-normative (implementation defined) behavior.
18:11 <@gmaxwell> conformant software could be written which can detect which STL implementation it uses. Which means if they are used care must be taken to make sure none of that behavior leaks into the externally visible behavior of the system.
18:21 < HM> why is this a problem for a blockchain server
18:21 < HM> i'd rather have a system faulty and fault tolerant than something coded for the space shuttle but written like it's the 70s
18:26 < HM> i agree generally on external libraries though
18:33 < midnightmagic> be forgiving in what you accept implies that imperfectly-specified standards (even SUSv3 has endless argument around it requiring clarification notes from Austin group) don't force everyone else to conform to your interpretations.
18:34 < midnightmagic> it's not particularly evil to allow something outside your state machine to come in, and discard it, it promotes interoperability.
18:34 < midnightmagic> HTML is something else.
18:35 < nanotube> <b>what you <i>say</b> about html?</i> :)
18:41 * nanotube suspects that the badly formed html just killed everybody's clients. or brains. >_>
18:44 * sipa reboots
18:45 < HM> be forgiving in what you accept
18:46 < HM> or whatever the correct quote is, merely means accepting the reality of imperfect implementations
18:47 < HM> imagine if a bitcoin implementation had a bug in it that was subtle and hard to discover
18:47 < HM> and 50% of the network began using that implementation
18:47 < HM> if you're overly strict and just exit when that bug is detected half your network vanishes
18:47 < HM> sometimes limping on, when it doesn't damage integrity, is just better
18:49 < nanotube> HM: missing a step there.
before it gets to 50%, the first guy who uses it and realizes nobody is seeing his transactions, will report the bug if everyone is strict. 18:49 < nanotube> it'll only get to 50% if everyone is not strict 18:50 < nanotube> but i guess if bug only happens very rarely... it's possible. 18:51 < HM> *exit or disconnect 18:51 < nanotube> but then i don't know if it's actually better to accept some invalid transactions just because 50% of the network is using a buggy implementation that thinks it's valid. 18:53 < nanotube> probably best to respond with some error msg, rather than quietly disconnecting 18:55 < HM> it depends on the bug 18:55 < HM> i mean with bitcoin you could be talking about crippling and economy 18:55 < HM> bad software gets widely used, this is an unavoidable fact 18:56 < HM> users are slow to patch and upgrade 18:56 < HM> being liberal in what you accept just makes life easier 18:57 < HM> i don't know who came up with the original phrase, or what they were referring to, but i always take it to mean tests should focus on output as well as input 18:57 <@sipa> HM: that problem is one we'd have today if one implementation uses openssl and another uses something elae 18:57 <@sipa> and they are compatible for every use that exista in the chain 18:57 <@sipa> but there is one weird corner case, that nobody knows aboit, which openssl accepts and another implememtation doesn't 18:59 < HM> what is that? 21:11 * sipa just corrected a bug in an algorithm on wikipedia! 21:22 < HM> lol which one? 21:22 < HM> the sad thing is i probably learned it from it 21:23 <@sipa> http://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication#wNAF_method 21:30 < HM> no Monty Ladder? 
21:32 <@sipa> no need for a constant-time algorithm when verifying
21:33 < HM> true
22:10 <@sipa> 126us \o/
--- Log closed Mon Mar 11 00:00:49 2013
--- Log opened Mon Mar 11 00:00:49 2013
18:31 * sipa validates the main chain using his own ECDSA implementation
18:33 < HM> >)
18:33 < HM> are you profiling ?
18:34 < sipa> i'm using -benchmark to measure validation speed
18:35 < sipa> seems my CPU can do some 20k validations per second
18:35 < sipa> but it's only the beginning of the chain, so not too much parallelism possible yet
18:35 < sipa> oh, validation failed
18:37 < sipa> ok, just a failed signature parsing
18:37 < HM> :}
18:37 < sipa> see, i warned you about bug-for-bug conformance!
18:39 < HM> i haven't even got around to bootstrapping Bitcoin Wallet on my phone yet
18:55 < sipa> anyway, apparently one more usage of non-canonical sigs that even exists in the chain that i wasn't aware of that it was allowed
18:57 < HM> how different can they be?
18:58 < sipa> the 'errors' i knew about: negative R or S values (they're just interpreted as unsigned), values with excessive 0 padding in front
18:59 < sipa> the one in block 135105 that i didn't know: an extra 0 byte at the end, without increasing the length descriptors
18:59 < sipa> so just a valid sig, with a 0 byte appended to it
18:59 < HM> right, well ignoring length is definitely a bug
23:40 < gmaxwell> (the coinswap is simpler from a protocol perspective because you just prove this relation externally to me, then we can just make parallel hashlocked payments knowing that one will reveal the other without a public linkage.
--- Log closed Sat Jan 11 00:00:25 2014
--- Log opened Sat Jan 11 00:00:25 2014
01:00 < shesek> gmaxwell, oh, that's very interesting! hashlocked transactions always seemed like a great solution if we could get rid of the link it creates on the blockchain
01:01 < shesek> 40mb isn't ideal, but isn't too awful either given that it's exchanged privately between two users and shouldn't be done too often
01:17 < shesek> the transactions would look somewhat unique if it's used as the primary transaction method and not just as a fallback in case of cheating, though I don't know how much of a problem that is if it's commonly used
01:56 < Guest85612> ethereum discussion on the front page of HN : https://news.ycombinator.com/item?id=7041628
02:06 < justanotheruser> maaku: do they have some prevention from people making infinite loops?
02:06 < justanotheruser> If I wanted to attack the currency I would just mine an infinite loop into the blockchain
02:13 < gmaxwell> shesek: oh well there is another way to eliminate the link, but the protocol has a number of steps, which in practice results in a lot of engineering trouble.
02:13 < gmaxwell> shesek: https://bitcointalk.org/index.php?topic=321228.0
02:14 < shesek> with coinswap and 4 transactions?
02:14 < gmaxwell> okay so you'd seen it then, yea. It would work but the state machine required to actually do it while easy to chart is a real pita.
02:14 < shesek> yeah, I know, but this is a much more elegant solution
02:15 < shesek> though, as I mentioned above, being somewhat identifiable as transactions meant for that purpose is somewhat problematic until this is commonly used
02:16 < shesek> if there are only two transactions in a whole day that use hashlocked transactions it's quite easy to link them together
02:17 < shesek> maaku, too bad it's down though
02:18 < shesek> someone from HN posted it to pastebin: http://pastebin.com/NCGRv74u
02:21 < shesek> oh, seems like it was published for some time now... I didn't hear of it until now
02:25 < gmaxwell> shesek: you need to review the coinswap page.
02:25 < gmaxwell> shesek: the innovation there is that if the transaction goes through successfully the public never sees the hashlock (!), it looks like a set of multisignature transactions.
02:26 < shesek> are you talking about coinswap or the new idea you had?
02:26 < gmaxwell> (2 of 2 at a minimum, but no reason that you couldn't throw in a garbage pubkey and make them 2 of 3s to be less irregular)
02:26 < gmaxwell> shesek: coinswap.
02:26 < gmaxwell> but that cost is that the protocol has a bunch of stages.
02:26 < shesek> that "they look unique which can link them" was referring to your idea posted here, not to coinswap
02:26 < gmaxwell> oh! okay yea.
02:27 < gmaxwell> Well you could perform the same transform to this, but then you lose the fact that it's simpler. :P
02:27 < gmaxwell> in any case, lots of uses for hashlocked transactions. so perhaps they'll be common at some point.
02:30 < shesek> yeah, lots of interesting uses for them. I even have something for atomic exchange between altcoins (I think that was your idea originally?) lying around somewhere on my harddrive, though in a very very early stage
02:31 < shesek> it's possible to spread out the transactions over a random period of a few days to weeks, which should help until they're more commonplace
02:31 < gmaxwell> yea, I'd proposed the non-private version of that pattern for exactly that purpose.
02:32 < shesek> (^ is regarding the transactions being unique)
02:34 < justanotheruser> gmaxwell: regarding our proof of stake discussion yesterday, how do I prevent a miner from paying tx fees to themself and using the new UTXO as their proof? Should I require them to use a time lock on their bitcoin payment with a tx fee?
02:51 < shesek> gmaxwell, btw, I'm not really familiar with the current solutions for keeping other participants from linking your input/output in coinjoin, but I was thinking about a tor-like onion encryption to pass messages around, where you would onion-encrypt it with N participants, exposing the input and output at different "peel levels"
02:51 < shesek> does something like that make sense?
02:52 < shesek> I assume it was probably already solved in some more elegant way, I should probably read some more about how coinjoin should work
13:50 < gmaxwell> andytoshi: mostly I think a reduction in failed signings is worth it, and if the tool itself were misbehaving you're likely screwed.
13:52 < andytoshi> gmaxwell: agreed
13:52 < andytoshi> i wish i didn't need to demand a wallet passphrase in a program that is openly communicating with my server
13:52 < andytoshi> the optics are terrible
14:22 < jgarzik> Bitcoin blockchain torrent updated, 70% of previous bootstrap.dat is re-used. https://bitcointalk.org/index.php?topic=145386.0
14:46 < _ingsoc> Does anyone know if Vitalik Buterin hangs out on Freenode?
15:37 < wyager> So who's read the ethereum whitepaper?
15:38 < wyager> It's very interesting, but I think it might prove very difficult to manage
15:57 < maaku> wyager: incentives for computation is wrong
15:57 < wyager> How so? I'm not particularly enamored with the incentive model, but I thought it seemed OK
15:57 < maaku> there's no point in paying miners fees for computation, when the miners are not doing the computation
15:58 < wyager> Aren't they?
15:58 < maaku> no
15:58 < maaku> validating nodes are
15:58 < maaku> most miners are not validating nodes
15:58 < justanotheruser1> everyone's doing the computation, only the miners are getting paid right
15:58 < maaku> and worse, they are getting paid proportional to hash power
15:58 < maaku> which has nothing to do with the computation
15:58 < wyager> So when a program broadcasts a transaction, every single validating node broadcasts the transaction?
15:59 < justanotheruser1> maaku: why wouldn't the miners be validating nodes? If they had something invalid in their block it would get rejected right?
15:59 < maaku> *every single validating node computes the transaction
15:59 < maaku> justanotheruser: no, nearly all miners use pools
15:59 < wyager> What about when, during the course of a contract/program executing, it sends a transaction? Does that happen like a real person/bot sending a transaction?
15:59 < maaku> and a pool only needs to run a single validating node
16:00 < justanotheruser> maaku: oh, I see what you're saying
16:00 < maaku> e.g. GHash.io and BTC Guild each only need to run one validating node
16:00 < maaku> and yet they together get more than 50% of the reward
16:01 < maaku> and the thousands of people running validating nodes for non-mining purposes get nothing
16:01 < maaku> (but still have to run the computation)
16:01 < wyager> OK, but I guess that still makes some sense if the point is simply to prevent logic bombs rather than to compensate the people running the contracts
16:02 < justanotheruser> I wish there was a way to reward validating nodes. But I don't think there is without risky sybil
16:03 < maaku> the best approach is to make it truly cheap to run validating nodes
16:03 < maaku> and/or make it so they are not required
16:03 < justanotheruser> maaku: what do you mean "make it so they are not required"? Wouldn't them not validating make them not validating nodes?
16:05 < maaku> make it so that whatever application you needed a validating node for, you don't anymore
16:05 < maaku> e.g. because you have a succinct proof of validation (so you don't need to validate it yourself)
16:07 < justanotheruser> ok
17:15 < gmaxwell> so, actually implemented my ZKP, a proof of sha256 is 47mbytes.
17:16 < gmaxwell> (for ~123 bit security)
17:18 < gmaxwell> and validation requires about 1 million EC multiplies with the generator and about 4 million hash operations.
17:20 < sipa> that's a proof for "i have some input you don't know, which hashes to X" ?
17:24 < gmaxwell> Yes basically it's just the cost of running SHA256 under my NIZK proof system. So not just "I have" but any trivial operation along with it. Like "X is the hash of something that begins with 'sipa'" would have the same cost.
17:24 < gmaxwell> or for 2x that cost I can do my "Z is the xor of the preimage for hashes X and Y"
17:25 < gmaxwell> now I should go see if ripemd160 can be done with fewer gates.
17:33 < andytoshi> this is really exciting, thanks for doing this work gmaxwell
17:35 < petertodd> gmaxwell: +1
17:36 < sipa> indeed, very nice to see some things actually being done
17:36 < sipa> instead of the mostly talk here :p
17:40 < justanotheruser> gmaxwell: Is this related to SNARK?
17:44 < andytoshi> more of a NARK :P
--- Log closed Sun Jan 12 00:00:35 2014
--- Log opened Sun Jan 12 00:00:35 2014
14:48 < michagogo|cloud> Hmm, remember how I replayed the Bitcoin blockchain onto an altcoin from coingen that used Bitcoin's genesis block and parameters?
14:49 < michagogo|cloud> Looking at the log, I don't think the blocks made it to the other peers...
14:49 < sipa> yes
14:49 < sipa> oh?
14:49 < shesek> michagogo|cloud, how come?
14:49 < michagogo|cloud> I don't know
14:50 < shesek> perhaps there weren't any other peers? :P
14:50 < michagogo|cloud> But the version messages carry the normal block height
14:50 < shesek> were you connected to nodes?
14:50 < sipa> maybe you just OOM'ed the node you sent it to, when it tried to reorg?
14:50 < michagogo|cloud> Idk
14:50 < michagogo|cloud> Looking at the logs, I don't see a couple hundred thousand getdatas...
14:55 < michagogo|cloud> There are all the 2014-01-09 06:21:10 ThreadRPCServer method=submitblock
14:55 < michagogo|cloud> 2014-01-09 06:21:10 SetBestChain:
14:55 < michagogo|cloud> 2014-01-09 06:21:10 ProcessBlock: ACCEPTED
00:09 < petertodd> no, that can't be it: "0", "IF 0xba ELSE 1 ENDIF", "opcodes above NOP10 invalid if executed"
00:09 < petertodd> er, I mean: ["0", "IF 0xba ELSE 1 ENDIF", "opcodes above NOP10 invalid if executed"],
00:10 < gmaxwell> if your ass is handed to you, don't just fix one thing at a time, go back and carefully check whole areas.
00:10 < petertodd> I added tests for every single invalid opcode months ago back when I got provably unspendable standardized
00:10 < petertodd> yeah, good way to do it
00:10 < petertodd> but not what businesses want to hear...
00:10 < gmaxwell> petertodd: seems they didn't open an issue. maybe they went and found out that they'd since been added.
00:11 < gmaxwell> well, I'm unsure of what their business is.
00:11 < gmaxwell> My best guess is that they're being paid by some wealthy bitcoin entity as a hedge against ecosystem monoculture.
00:11 < gmaxwell> (but that's 90% speculation and 10% a result of discussion with them)
00:11 < maaku> gmaxwell: i talked to them for 45min over lunch at the conference, and walked away still not knowing what their business is
00:12 < petertodd> hmm... last change to the script unittests was when I documented some OP_RESERVED weirdness, aug 25th
00:12 < gmaxwell> maaku: okay you had a similar experience to me then, I basically got the impression that I was being lied to because they didn't want to disclose it.
00:12 < maaku> but that's a better theory than anything i came up with
00:12 < gmaxwell> and from that I was speculating beyond there.
00:12 < petertodd> gmaxwell: ha, a hedge against monoculture by making something vulnerable, lovely
00:12 < phantomcircuit> gmaxwell, my guess is they're being paid by a wealthy bitcoin person who is a fool
00:12 < petertodd> gmaxwell: sounds like they're as misguided as amir is
00:13 < petertodd> gmaxwell: and gavin last I heard from him
00:13 < gmaxwell> petertodd: well, as I said, I think they're doing more effort to be compatible than most alt implementations.
00:13 < gmaxwell> not enough, obviously. And they've replaced real compatibility with slavish duplication of bitcoind. (well, could be worse)
00:14 < petertodd> this type of stuff is why fraud proofs are going to be great fun :(
00:14 < gmaxwell> but I'm not quite able to tell how much they understand, they're too quick to agree with me.
00:15 < petertodd> tell them some pure BS and see if they challenge you on it :P
00:15 < Luke-Jr> who is "they"? O.o
00:15 < gmaxwell> well, I don't really gain anything from knowing that they're dangerous. Since they're dangerous anyways just because all alt implementations have some danger.
00:15 < gmaxwell> Luke-Jr: conformal
00:16 < gmaxwell> latest fun with them is that their pure go crypto is excruciatingly slow, even compared to openssl. "Don't worry, checkpoints!"
00:16 < petertodd> we need a market so we can short alt-implementations, maybe do a prediction market on it
00:16 < petertodd> god help us...
00:16 < gmaxwell> they're also doing some really insane stuff to work around their decision to use sqlite.
00:16 < petertodd> ha
00:17 < gmaxwell> E.g. they constantly rewrite indexes because inserts with the index are too slow.
00:17 < petertodd> sheesh
00:17 < gmaxwell> So they batch up a bunch of changes then drop the index and add them then recreate the index.
00:18 < Luke-Jr> lol
00:18 < petertodd> if the large-block crowd get their way it'll be fun watching implementations explode due to performance fuckups
00:18 < gmaxwell> I wouldn't be surprised if this implementation couldn't keep up with 1mb blocksize, in fact.
00:18 < phantomcircuit> gmaxwell, that's actually a very common thing to do with sqlite
00:18 < gmaxwell> It's slow enough that this is a concern.
00:18 < gmaxwell> phantomcircuit: I know but that doesn't make it a good idea!
00:19 < gmaxwell> right now it works because the utxo set only has a few million entries.
00:19 < phantomcircuit> sqlite indexes don't include the WAL portion until it's flushed
00:19 < maaku> sqlite? seriously? *shudder*
00:19 < phantomcircuit> yeah sqlite is not designed to be fast
00:19 < phantomcircuit> their stated goal is to replace flat files
00:19 < gmaxwell> one of their blog posts goes on extolling its virtues.
00:19 < phantomcircuit> for like config files
00:20 < Luke-Jr> ew
00:20 < Luke-Jr> who'd want a binary format for configs?
00:20 < Luke-Jr> even XML is better
00:20 < maaku> ugh
00:20 < phantomcircuit> Luke-Jr, well compared to the binary files that lots of stuff uses it's an upgrade
00:20 < gmaxwell> in any case, we need to get off our asses and fix a lot of stupid sharp corners with the reference software if we don't want things like this to be a problem for the ecosystem. ("oh no, you can't implement new feature X because implementation Y is slow as shit!")
00:20 < phantomcircuit> like firefox used to use a custom binary format for everything
00:20 < gmaxwell> (or worse, "because we depend on implementation Y and no one is maintaining it now.")
00:20 < phantomcircuit> which they replaced with sqlite3 files
00:21 < petertodd> gmaxwell: well IMO the right thing to do is just run your services behind trusted ref implementation nodes
00:21 < petertodd> gmaxwell: trust the ref implementation and do no verification at all
00:21 < phantomcircuit> gmaxwell, it would be very helpful for alt implementations if the rules were split up into network/soft/antiddos
00:22 < gmaxwell> so crap like bitcoind + wallet separation, spv bootstrap, initial sync time, watching wallets, coin control, etc. all need to get fixed, because they're all really easy to fix in a crappy greenfield implementation.
00:22 < gmaxwell> we're fortunate that btcd copied as many of bitcoind's design flaws as it did. :P
00:23 < gmaxwell> (I mean, lucky in that if they'd made it moderately better in user facing ways but did so without commitment to network consistency, or performance, it might be bad for the network)
00:23 < maaku> sqlite actually would be better than bdb for the wallet...
00:23 < petertodd> gmaxwell: ok, so add SPV and partial UTXO modes to bitcoind, and leave it at that
00:23 < gmaxwell> maaku: yea, probably. BDB, for all its warts, actually got a lot of things right though.
00:23 < jgarzik> maaku, I'm suspicious of that claim
00:23 < petertodd> gmaxwell: make sure it continues to be useful for miners
00:23 < jgarzik> maaku, sqlite is SQL on top of a lower level BDB-like system
00:24 < jgarzik> what do you think sqlite indexes are?
00:24 < maaku> jgarzik: i mean better than locking wallets to a specific (outdated and large) bdb version
00:24 < jgarzik> Using SQL would move some intelligence out of the client and into the database layer
00:24 < maaku> and better debugging support
00:25 < phantomcircuit> sqlite3 isn't safe really
00:25 < maaku> (sqlite executable would replace pywallet)
00:25 < jgarzik> maaku, by locking to sqlite3 instead?
00:25 < jgarzik> six of one, half-dozen of the other
00:25 < phantomcircuit> maaku, i've had sqlite corrupt databases entirely on more than one occasion without any obvious reason
00:27 < petertodd> IMO the wallet should be designed such that the core of it can be a strictly append-only file
00:27 < jgarzik> petertodd, yes, that has been said many times on #bitcoin-dev
00:28 < petertodd> sure, have indexes for speed, but there should be some part of it that can literally be set to append-only in the filesystem flags
00:28 < jgarzik> petertodd, even a rough sketch of append-only by sipa and myself was discussed
00:28 < petertodd> jgarzik: I know, that's why I'm bringing it up :P
00:29 < jgarzik> one problem is appending in block-aligned sizes
00:29 < petertodd> jgarzik: you mean re: partial writes at the device level?
00:30 < maaku> jgarzik: why does that matter, assuming you are checksumming appends?
00:34 < gmaxwell> because losing the last N appends kinda stinks. .. though with misdirected writes and eraseblock relocation screwups becoming common now with ssds... I dunno how important HDD durability models matter anymore.
00:35 * maaku smells a grad student project for someone with academic connections
00:35 < petertodd> maaku: you mean someone with industry connections to figure out what the !@#$ hardware is doing? :P
00:37 < maaku> heh
00:37 < maaku> i'm not sure industry would really know better
00:37 < maaku> not institutionally at least
00:37 < gmaxwell> my thought was if we're going to a deterministic wallet thing, we should just splat out 64 bits of the master public key with every @#$@# write to the file... so recovering any few kilobytes of it is enough to at least recover your @#$#@$ private keys.
00:38 < maaku> you'd have to find the engineer that actually debugs these bizarre failure modes
00:38 < gmaxwell> er s/master public/master private/
00:38 < gmaxwell> you assume they debug them. I assume they just replace the product. Time to market!
00:38 < maaku> gmaxwell: some customers get the special treatment
00:39 < petertodd> maaku: the nice thing is there are very few suppliers out there who actually do this stuff, so you'd only need a dozen contacts to cover it all
00:39 < maaku> i know someone who does basically the same thing for HP, debugging weird NonStop errors for clients like air traffic control and NASDAQ
00:40 < petertodd> maaku: half a dozen is probably good enough for 90% of the storage devices out there
00:40 < maaku> but most of the problems he solves are introduced by HP because HP engineers have no idea how the hardware failure modes really work...
00:40 < jgarzik> gmaxwell, maaku: it matters for both hardware and kernel reasons. Kernel really really likes page-based I/O, and you wind up with atomicity of pages at multiple levels. Applications crossing page boundaries or updating a single page multiple times can cause corruption. Also, for hardware, you want sector-aligned -- usually page-aligned gets you that for free. As gmaxwell points out, this matters less on SSD, but in some ways it is stil
04:22 < gmaxwell> there is no good infrastructure for delayed non-selective disclosure.
04:22 < gmaxwell> which is actually what you'd want there.
08:46 < HM3> lol at least the forum hack had a sense of grandeur
10:13 < jgarzik> http://thegenesisblock.com/analysis-silk-roads-historical-impact-bitcoin/
10:13 < jgarzik> Correlates various SR events with bitcoin price charts
13:40 < midnightmagic> jgarzik: Hah! I've been right all along!
13:41 < midnightmagic> <-- is getting major ego boosts from confirmation of years-long assertions.
--- Log closed Fri Oct 04 00:00:40 2013
--- Log opened Fri Oct 04 00:00:40 2013
--- Log closed Sat Oct 05 00:00:42 2013
--- Log opened Sat Oct 05 00:00:42 2013
17:13 < HM3> wow a bitcoin full-node daemon written in Go
19:07 < warren> anyone familiar with entropy sources available to the linux kernel? I'm configuring the new bitcointalk.org server and need to feed more entropy into the VM...
19:07 < K1773R> warren: HD IO increases it, otherwise you have to use a TRNG as seed
19:07 < jgarzik> warren, you're running rngd?
19:08 < warren> jgarzik: 16 core xeon server seems to lack intel hardware rng ...
19:08 < warren> not sure what kind of hardware this is
19:08 < warren> Starting rngd: can't open entropy source(tpm or intel/amd rng)
19:08 < warren> Maybe RNG device modules are not loaded
19:08 < warren> [FAILED]
19:08 < jgarzik> warren, TPM RNG works too
19:08 < jgarzik> warren, also, check for unused video or audio hardware (audio-entropyd, ...)
19:08 < jgarzik> bbiab
19:09 < warren> hm
19:09 < warren> jgarzik: virtio-rng.ko is only for inside guests right?
19:17 < warren> no TPM, no hw rng, no audio or video input available
19:17 < jgarzik> warren, correct, virtio-rng only for guests
19:17 < jgarzik> warren, can you PM (or just show) a pastebin of lspci?
19:18 < warren> http://pastebin.com/5XQhL36B
19:20 < K1773R> warren: http://www.vanheusden.com/te/
19:20 < jgarzik> warren, is video connected to anything, like a KVM?
19:21 < K1773R> warren: ^ always works
19:21 < warren> jgarzik: right now yes, but it will be removed I think
19:23 < warren> jgarzik: is the video usable as rng with or without something plugged in?
19:24 < jgarzik> warren, probably
19:24 < warren> jgarzik: it has KVM and it will remain forever
19:25 < jgarzik> warren, might have a second port unused, etc.
19:26 < gmaxwell> warren: http://www.issihosts.com/haveged/
19:26 * jgarzik reconsiders
19:26 < jgarzik> all this is pointless. Spend BTC on bitcoinstore.com and buy an entropy device ;p
19:27 < jgarzik> tell people to plug it in
19:27 < gmaxwell> the entropy keys are not available anymore.
19:27 < gmaxwell> :(
19:27 < gmaxwell> (they'll take your order but have no idea when they'll ship them)
19:28 < warren> http://www.vanheusden.com/ved/ hmm?
19:31 < warren> oh, video4linux =(
19:31 * warren tries haveged and te
19:31 < gmaxwell> haveged works very well, and the high and low watermark keep it doing the right thing... of course perhaps its randomness is garbage.
19:32 < warren> it works well, just it might not be good? =)
19:32 < gmaxwell> The software behaves well: runs as much as it needs to, keeps the kernel filled to at least the low watermark, etc.
19:32 < gmaxwell> but I provide no certification on the quality of its randomness. :P
19:36 < K1773R> warren: did you check http://www.vanheusden.com/te/ ?
19:36 < K1773R> gmaxwell: are we talking about simtec's product?
19:38 < warren> K1773R: I did, but haveged was available as a package and it got gmaxwell's non-endorsement, so ... easy
19:39 < gmaxwell> K1773R: http://www.vanheusden.com/te/ is yuck compared to haveged just due to entropy pool management.
19:39 < K1773R> gmaxwell: ACK
19:39 < K1773R> didn't know about haveged
19:39 * warren trying to figure out virtio-rng ...
19:40 < gmaxwell> haveged addresses the fact that the kernel's pool is too darn small... it pregenerates like 1mbyte of randomness, and then will track how full the pool is and feed in at a measured pace.
19:41 < gmaxwell> Everything else just dumps a bunch on the pool at once and thus doesn't get credited... which matters if you care about keeping /dev/random from blocking.
19:42 < K1773R> wow haveged is awesome :)
19:42 < warren> aside from not "perhaps its randomness is garbage" part
19:42 < gmaxwell> yea, just don't read the code. (I contemplated integrating it into bitcoind and managed to not choke on the resulting vomit)
19:45 < gmaxwell> warren: well, it passes tests at least...
19:46 < K1773R> i ordered some of these http://www.entropykey.co.uk/ almost a year ago, didn't get mine yet :(
19:46 < gmaxwell> K1773R: yea. :(
19:47 < warren> heh, bitcoin uses a screenshot? amusing.
19:50 < gmaxwell> yea, in windows.
19:53 < K1773R> gmaxwell: can you recommend http://www.vanheusden.com/ved/ ?
19:55 < warren> K1773R: I'm amused that the thing he recommended had praise of "managed to not choke on the resulting vomit".
19:56 < gmaxwell> K1773R: I looked at it before and concluded its entropy estimation was bunk. Running it couldn't be harmful however. (likewise with their audio one)
19:56 < gmaxwell> warren: there are lots of ways software can be good/bad.
19:56 < gmaxwell> Go look at the haveged source code, it's an engineering disaster of crazy C macro abuse. But its handling of the kernel is excellent.
19:57 < gmaxwell> But I wouldn't recommend it as the only entropy source for a high security application because I'm unconvinced that their cache timing stuff is actually all that random... and not just deterministic based on some really complicated cpu-internal state.
19:58 < gmaxwell> but I use it on my hosts that have randomness supply issues.
19:58 < gmaxwell> it's good just for its management of the too small kernel pool.
19:58 < gmaxwell> (changing the kernel pool size requires patching and recompiling, ... kinda cruddy if you want to stay with a distro kernel)
19:59 < K1773R> yea, should be a kernel option...
19:59 < warren> wget http://reddit.com/r/somewhere and pipe to rngd. Random garbage source.
19:59 < gmaxwell> it was a proc settable thing until there was some bug related to it
20:00 < K1773R> warren: lol
20:00 < gmaxwell> warren: yea, totally secure against someone with no access to reddit. :P
20:00 < gmaxwell> might as well "echo "my scheme is to run a cron that curl http://reddit.com/r/somewhere into /dev/random" > /dev/random" :P
20:13 < warren> jgarzik: https://fedoraproject.org/wiki/Features/Virtio_RNG
20:14 < warren> jgarzik: dang, sounds like RHEL6's libvirt doesn't actually know how to launch qemu with the virtio-rng-pci thing
20:25 < midnightmagic> so awesome: https://www.usenix.org/conference/woot13/page-fault-weird-machine-lessons-instruction-less-computation
20:32 < warren> jgarzik: my mistake, I see RHEL6 updated its libvirt!
23:38 < sipa> haveged ftw
--- Log closed Sun Oct 06 00:00:44 2013
--- Log opened Sun Oct 06 00:00:44 2013
--- Log closed Mon Oct 07 00:00:47 2013
--- Log opened Mon Oct 07 00:00:47 2013
17:32 < maaku> so, wizards: how worth it would it be to have a validation index structure that supports transitive/commutative updates?
17:32 < maaku> (U -> A) & (U -> B) -> (U -> AB)
17:35 < gmaxwell> it's certainly worth it if it has ~no cost. I think our conclusion before is that it prevents you from doing level compression, which for index on txid's is fine, because level compression buys you very little there.
17:37 < maaku> It doesn't affect level compression on disk, just the number of hash operations.
17:39 < maaku> A proof right now would be about ~40 SHA-256 blocks; removing level compression of hashes would bump that up to about 290 SHA-256 blocks - so *a lot* more CPU time
17:40 < maaku> but my suspicion is that even without sha256 cpu instructions the database is still going to be the bottleneck...
17:41 < maaku> of course those hashes would be eating away at cpu/gpu resources used for ecdsa validation 17:55 < maaku> i guess benchmarking is the only real answer here 18:02 < gmaxwell> sha256 is stupidly fast even without cpu help. 18:02 < gmaxwell> 1us per operation or whatever. --- Log closed Tue Oct 08 00:00:50 2013 --- Log opened Tue Oct 08 00:00:50 2013 --- Log closed Wed Oct 09 00:00:53 2013 --- Log opened Wed Oct 09 00:00:53 2013 --- Log closed Thu Oct 10 00:00:57 2013 --- Log opened Thu Oct 10 00:00:57 2013 02:35 < Luke-Jr> ok, so the BitShares guys said this isn't a secret..: 02:35 < Luke-Jr> memory-hard PoW using the birthday problem 02:36 < Luke-Jr> finding a solution can use GBs of RAM, yet verification is cheap 02:36 < Luke-Jr> thoughts? :p 02:38 < warren> Luke-Jr: time to start your own scam coin! 02:39 < gmaxwell> Luke-Jr: Not a new idea, I think (pollard-rho POW on my alt ideas has that property), I think. But it has a time memory tradeoff so you don't have to be any particular amount of memory hard 02:39 < gmaxwell> e.g. you can half your memory and just search 2x more points. 02:40 < gmaxwell> e.g. say you're trying to find two values with the same initial 32 bits. You decide in advance that you're only going to consider solutions that begin with a 0 bit. 02:41 < gmaxwell> Now you will have to check 2x more values, but you only need half the memory. 02:42 < warren> at some level of TMTO it becomes faster due to memory bandwidth? 02:43 < Luke-Jr> gmaxwell: isn't it exponentially faster the more memory you commit to it? 02:48 < gmaxwell> Luke-Jr: no, alas. Man wikipedia sucks. 02:48 < gmaxwell> lemme find you an actually informative citation 02:49 < gmaxwell> Here: http://eprint.iacr.org/2012/731.pdf 02:49 < Luke-Jr> XD 02:50 < gmaxwell> (for some reason WP doesn't describe pollard rho as applied to general memoryless collision search) 02:51 < Luke-Jr> hmm 02:51 < sipa> perhaps improve it then? 
:p 02:51 < Luke-Jr> Wikipedia is improvement-resistent. :p (but doesn't hurt to try I guess) 02:51 < Luke-Jr> gmaxwell: I wonder whether memoryless ASIC would be much faster than memory-as-ASIC in this case 14:18 < gmaxwell> MoALTz: refunding doesn't work becuase it may not be the in-kind miners block who ultimately has the transaction 14:18 < gmaxwell> (consider reorgs) 14:48 < adam3us> gmaxwell: "well I don't mind create two different signatures the signers could always create infinite more." well its a little different - if the users client created two signatures, maybe he has it in his state, but if a third party can then create a third signature algebraicly from the two signature that would be yet one more thing to watch out for, eg what if your computer crashes part way, and he signature is recalculated but the message 14:49 < adam3us> not that i so far see a way to do even that somewhat contrived mutability 14:52 < gmaxwell> adam3us: It's true but thats just yet another argument to use drandomized DSA. 14:52 < adam3us> absolutely :) 15:01 < gmaxwell> (2r,2^-1s) doesn't appear to work. 15:03 < gmaxwell> (obviously that doesn't mean that no such issue exists, but at least the simplest possible attempt didn't work) 15:05 < gmaxwell> e.g. 
in sage, http://0bin.net/paste/tGoT890fHgUhmhxT#YvA84LJPZQBrCNSP3msD0NM1m2lK2iFE5PyzDWMyzv0= 15:06 < adam3us> no that was broken there is an r in the s calculation s=k^-1(H(m)+rd) 15:06 < adam3us> so can correct k, but not r so far 15:08 < amiller> apparently there will be a dedicated Bitcoin workshop at the Financial Cryptography conference next year 15:08 < amiller> they'll accept papers by november 24 15:09 < amiller> nicolas cristin is the leader of it 15:09 < amiller> that's pretty cool, it's about time, and also that's a good venue 16:37 < adam3us> re manipulation of r,s other than r,-s this way of expressing the sig verification process looks more plausibly malleable than the s definition (r,s)r=([kG]x, k^-1(H(m)+rd) might suggest 16:38 < adam3us> k=s^-1*r*Q - s^-1*H(m)*G 16:39 < adam3us> sorry kG = s^-1*r*Q - s^-1*H(m)*G 16:40 < adam3us> or r = s^-1(r*Q - h(m)*G) 16:40 < sipa> .x 16:41 < adam3us> r.x yes 16:41 < sipa> well, no, but i see what you mean :) 16:41 < sipa> r = ... .x 16:41 < adam3us> ok;) 16:45 < adam3us> which can also be written rs = rQ-H(m)G 17:13 < gmaxwell> r = s^-1(r*Q - h(m)*G) < with r on both sides of the equation this makes it sort of hard to changes S to solve for r 17:20 < sipa> r = (r/s*Q - h*G).x 17:21 < sipa> R = R.x/s*Q - h*G 17:22 < sipa> oh 17:22 < sipa> R = (R.x*Q - h*G)/s 17:41 < gmaxwell> (you lost me on the Q, unless its the order, but I don't follow that) 17:47 < sipa> Q is the public key 17:48 < sipa> the tricky thing is that R is both used as an EC point, and its x coordinate as a scalar 17:52 < adam3us> i think its easier to work with (non EC) DSA notation but alternatively one can work with the point 17:52 < adam3us> eg i am thinking about hostile R values such that [R]x = H(m) 17:54 < adam3us> you dont need to know k' such that k'G = R with that property just choose R = (H(m),f(H(m))) for example 17:55 < adam3us> then the hard part try to solve for s --- Log closed Tue Sep 24 19:47:20 2013 --- Log opened Tue Sep 24 
19:47:38 2013 23:17 < petertodd> warren: same, although child-pays-for-parent would be good to implement first, that is implement the relaying changes so that groups of transactions are relayed at once 23:18 < warren> petertodd: that sounds helpful 23:18 < warren> petertodd: would there be any arbitrary limit of how deep the unconfirmed chain can be? 23:19 < petertodd> gmaxwell: *effectively* getting the sig out of the txid is a very easy change: just make signatures be on the scriptPubKey's or even scriptPubKey:value's your spending rather than txid:n 23:21 < petertodd> warren: doesn't have to be beyond the limit of "how much data I'm willing to accept from a peer in one go" 23:21 < petertodd> warren: 32MiB is that limit in some places 23:26 < gmaxwell> petertodd: no, that leaves you with all the really @#$#@ non-uniqueness problems. 23:26 < gmaxwell> "Am I spending this output or that?" 23:27 < petertodd> gmaxwell: if you don't re-use addresses there's no issue... and if you do, that's your own fault (and including value mitigates that somewhat) 23:28 < petertodd> gmaxwell: soft-forking change too, because it can be done as a new signature type 23:28 < petertodd> gmaxwell: you'd still want to keep txid's, but they're only a hint really (and for backwards compatibility) 23:39 < petertodd> gmaxwell: oh, brainfart, scriptPubKey:value is the only way to do it because of fees, so yeah, do that and you're set. from the transaction's point of view, who cares what exact txid was used to satisfy the input? 23:40 < gmaxwell> petertodd: ... 23:40 < petertodd> gmaxwell: obviously creating two scriptPubKey:value's is unwise in this scheme, but don't do that... 23:40 < gmaxwell> You don't control that. 23:40 < petertodd> gmaxwell: don't control what? 23:40 < gmaxwell> Other people paying you. 23:40 < gmaxwell> This basically reintroduces the duplicate txid problem. 
23:41 < petertodd> gmaxwell: sure you do: new system is that when you give someone an address, you actually give them a way to generate scriptPubKey's on your behalf, be it ECC or something as dumb as a nonce 23:42 < gmaxwell> petertodd: but then they pay you twice from non-strongly seralized systems. 23:42 < petertodd> gmaxwell: heck, failing that, do scriptPubKey:value:block:tx#... 23:42 < gmaxwell> can't spend unconfirmed outputs, which then defeats the whole issue with worrying about the malleability, nothing is malleable once confirmed. 23:43 < petertodd> gmaxwell: fair enough 23:44 < petertodd> gmaxwell: then just make it possible to leave out the txid in the signature hash calculation, usually it'll be there, but for special applications hash something else to be sure malleability doesn't bite you --- Log closed Wed Sep 25 00:00:12 2013 --- Log opened Wed Sep 25 00:00:12 2013 01:53 < phantomcircuit> warren, :) 17:41 < warren> perhaps mastercoin should be encouraged to bloat testnet 17:41 < warren> then it gets dumped with testnet4 17:42 < sipa> ha 17:54 < gmaxwell> I think their marketing precludes them from using testnet. 17:54 < gmaxwell> would be nice if someone could convince them! 18:05 < warren> "testnet has no IsStandard() enforcement so you can do any transaction you want!" 18:05 < warren> "the fees per KB will be lower, making mastercoin cheaper to operate!" 18:06 < sipa> and it's technically just as useful for them --- Log closed Thu Sep 26 00:00:16 2013 --- Log opened Thu Sep 26 00:00:16 2013 --- Log closed Fri Sep 27 00:00:19 2013 --- Log opened Fri Sep 27 00:00:19 2013 18:12 < gmaxwell> so, I've come up with a way of exploiting ECDSA on the basis of controlling the generator. 18:13 < gmaxwell> basically, if you select G to be some multiple of someones public key, then you can forge signatures as being from that public key, without ever knowing the private key. 
18:14 < gmaxwell> I don't think this is a problem for us, since of course all our pubkeys would be generated after the generator was fixed. :) 18:14 < gmaxwell> But there you go. 18:17 < sipa> so, say there is a secret private key x 18:17 < sipa> then you choose G to be n times ... what? 18:18 < sipa> G = n * (x * G) ... 18:18 < sipa> ok, so n has to be 1/x 18:19 < sipa> how can you do that without knowing x? 18:20 < gmaxwell> sipa: no no, say there is an existing public key P. (forget how it was generated). I can pick the generator as P*X for some X and then sign messages as P even though I do not know P's discrete log. 18:21 < gmaxwell> (perhaps P is some nothing up my sleeve number) 18:23 < sipa> but P = G * p 18:24 < sipa> (whether you know p or not) 18:24 < sipa> i'm just saying that the notion of a public key sounds meaningless without having the generator 18:25 < gmaxwell> Right it's not really a 'public key' anymore. It's just an "apparent public key" 18:26 < gmaxwell> for example. Say bitcoin was stupid and send "expired coins" to a pubkey of SHA256("expired"). I could pick G so that I could spend those coins. 18:27 < sipa> ok, say you have P 18:28 < sipa> a valid point on the curve 18:28 < sipa> now you choose G to be n*P 18:28 < sipa> then by definition, P's corresponding private key becomes 1/n 18:29 < sipa> or in other words, by choosing G, you're choosing P's private key 18:29 < sipa> ... of course you're able to spends coins using it, then 18:30 < gmaxwell> Yea, did we really know this before? At least before figuring this out, I thought the only thing you could do by controlling G is forge the signature of a single message. 
18:31 < sipa> right 18:31 < sipa> no, i actually never realized that 18:32 < sipa> the realization is that if you're choosing G in terms of an existing public key (however generated), that public key's private key becomes apparent 18:33 < sipa> so, we should actually demand that the generator point has some property that makes it unlikely to be the multiple of something known 18:33 < sipa> why isn't G something like (0x333333333333...33333, <whatever needer>) 18:35 < gmaxwell> or just (1,whatever) + (whatever,1) ? 18:35 < sipa> right 18:35 < sipa> SO 18:35 < gmaxwell> yea, I have no idea. Its irritating. I won't disclose how much time I've spent thinking about this purely because I can't see why the generator isn't some obvious value or at least chosen for performance. 18:35 < sipa> satoshi works for certicom 18:37 < gmaxwell> yea, I can't figure out any attack for this which is at all interesting. We have no nothing up my sleeve pubkeys in bitcoin. We never use pubkeys from other systems as our pubkeys, etc. 18:38 < sipa> right 18:39 < sipa> all it can do is make an apparent nothing-up-my-sleeve number in fact not be a black hole 18:39 < sipa> but that's all it could be in bitcoin: a proven black hole 18:39 < gmaxwell> if 1bitcoineaterdontspend were really a pubkey (if we even had addresses for pubkeys) then I could have made it so those coins were spendable. 18:40 < sipa> yup 18:40 < sipa> for one single address --- Log closed Thu Jan 02 00:00:47 2014 --- Log opened Thu Jan 02 00:00:47 2014 01:30 < michagogo|cloud> But why force someone who wants to mine namecoin to set up a bitcoind? 01:30 < michagogo|cloud> :-P 01:32 < justanotheruser> michagogo|cloud: Are you saying they shouldn't mine bitcoin, only namecoin? 01:38 < gmaxwell> michagogo|cloud: you don't have to setup a bitcoind. 01:38 < gmaxwell> michagogo|cloud: just produce namecoin blocks with dummy (invalid) bitcoin parents. 01:39 < brisque> nothing really stopping there being namecoin only pools is there? 
just nobody would want to lose out on the BTC profit. 01:43 < Luke-Jr> gmaxwell: don't even need parents.. 01:44 < Luke-Jr> oh 01:44 < Luke-Jr> I see 01:46 < Luke-Jr> yes, I think namecoin is vulnerable here 01:46 < Luke-Jr> I think a better solution would be to use the POW hash as the prevblock header ;) 01:47 < brisque> Luke-Jr: I've done almost no research into namecoin, does it allow for SPV clients? 01:50 < brisque> actually I can answer that one. it's a 0.7 fork so it doesn't support bloom filters, but you can still do some lite verification with the block header and merkle tree. 01:54 < michagogo|cloud> justanotheruser: I was jokingly saying, what if someone wanted to do that? 01:59 < gmaxwell> brisque: you can't really do spv name resolution with it, however. 02:00 < Luke-Jr> brisque: not even that 02:00 < Luke-Jr> what gmaxwell said 02:00 < Luke-Jr> to actually use it, you need a full client 02:00 < brisque> if there was a DNS-namecoin proxy it could prove using the merkle tree and header that the data is valid and in a block though, right? 02:01 < Luke-Jr> brisque: it can't proove the data isn't replaced/stale 02:01 < brisque> sounds like I need to read up on it's design. that makes sense though. 02:02 < brisque> I was forgetting name resolution isn't static like a transaction is. 02:05 * andytoshi-logbot is logging 02:10 < gmaxwell> brisque: it could be made possible with some modest design changes. 02:11 < gmaxwell> https://bitcointalk.org/index.php?topic=21995.0 02:16 < brisque> gmaxwell: that's interesting. for old blocks that would presumably get resource intensive though. 02:17 < gmaxwell> hm? 02:17 < gmaxwell> brisque: I would only expect nodes to retain the data structure as of the tip. 02:18 < gmaxwell> (to reorg they would keep undo data, like we do for blocks) 02:20 < brisque> yep, I follow. 
02:20 < brisque> at this point I'm convinced that you've written a post on the forum about every topic conceivable, it's just buried in bitcointalk nonsense. 02:28 < CodeShark> yeah, agreed, brisque - it would be nice to organize all of gmaxwell's forum posts into a coherent reference :) 02:29 < CodeShark> I just don't have time nor focus to sift through all the forum crap 02:30 < brisque> CodeShark: I'd read that, maybe a coffee table book of failed altcoins too 02:33 < gmaxwell> I've actually considered hiring someone to do that. 02:34 < gmaxwell> (to go index everything I've written and make summaries) 02:35 < brisque> damn, I was getting excited for the coffee table book. 02:37 < brisque> gmaxwell: provided all of your 3000 posts aren't almost BIPs in length, I'd be happy to do that though if you wanted. they're usually quite interesting reads unto themselves. 02:39 < brisque> gmaxwell: I particularly enjoy that you used interrobangs in 2011. 02:51 * andytoshi-logbot is logging 02:52 * andytoshi will manually paste everything the logbot missed over the last hour into the logs -- this outage was (semi)planned as the logbot was getting a virtual sound card installed 02:54 < brisque> andytoshi: nothing important was said anyway, just me being impressed by gmax'wells crazy punctuation. 03:01 < BlueMatt> early beta preview: http://coingen.bluematt.me/ =D 03:01 < CodeShark> haha! 03:01 < CodeShark> nice 03:01 < brisque> BlueMatt: that's absolutely brilliant 03:02 < andytoshi> ha ha! 03:02 < brisque> BlueMatt: might want to drop the pricing if you really want to flood the market though. 03:02 < andytoshi> i love the prefilled "MagicCoin" 03:03 < BlueMatt> brisque: yea, havent fixed that up yet 03:03 < CodeShark> BlueMatt: wasn't it you just a few days ago after we talked about this who was so adamantly opposed to making it easier for people to make alt coins? :) 03:03 < CodeShark> or was that someone else? 
03:04 < BlueMatt> no 03:04 < BlueMatt> I absolutely hate altcoins 03:04 < BlueMatt> hence why I built this 03:04 < brisque> BlueMatt: making it free for the no-source version and paid to remove the branding would probably be best for maximum impact, then you end up with a situation where you have people too cheap to pay for the removal of the branding being shown as such. 03:04 < BlueMatt> brisque: not sure yet...the server isnt free... 03:05 < BlueMatt> really havent decided yet 03:05 < CodeShark> you stole my idea :p 03:05 < CodeShark> j/k 03:06 < CodeShark> it was only a matter of time before it got built 03:06 < BlueMatt> plenty of people have been discussing it for a long time :P 03:06 < brisque> BlueMatt: completely up to you naturally, it would have maximum impact if you could undercut people offering this as a manual service though. 03:06 < BlueMatt> yep 03:06 < BlueMatt> yea 03:06 < andytoshi> oh god, we're gonna have people on #bitcoin asking which alt generator is the cheapest 03:06 < andytoshi> ...and people answering them 03:06 < CodeShark> yes, brace yourself 03:07 < brisque> BlueMatt: do you have an address I can throw a tip to? I'll throw you some for the effort when I'm near my cold wallet next. 03:07 < warren> brisque: there should be an option with a 100 BTC minimum to set the exchange bribe amount. 03:08 < brisque> warren: I like that too 03:10 < brisque> BlueMatt: probably needs a couple more variables now that I'm looking at the altcoin forum. starting difficulty, target time, that sort of thing. 
03:11 < BlueMatt> brisque: put up a donation address 03:11 < BlueMatt> brisque: yep, its still fairly early 03:11 < CodeShark> starting difficulty should be minimum difficulty - the other parameters are starting time, block reward rule, retargetting rule, and magic bytes (which might be best to just choose randomly) 03:11 < BlueMatt> the scrypt option doesnt even work yet 03:11 < CodeShark> and while you're at it, allow dynamic linking to a block header hash function 03:12 < BlueMatt> also need to put up something like pre-mine a single block and put up a "accept anything" peer that bootstraps the initial network 03:12 < CodeShark> and make sure not to make the same mistake as litecoin and use two separate block hash functions 03:12 < CodeShark> the PoW hash function for blocks should also be used for block identifiers in the protocol 03:12 < kyrio> magic bytes need to be random 03:12 < BlueMatt> magic bytes are random 03:12 < kyrio> oh 03:12 < brisque> BlueMatt: made a tip transaction, I'll go sign it and broadcast it later. 03:12 < BlueMatt> brisque: thanks 03:12 < kyrio> >p2pool networks.py config included 03:13 < CodeShark> and just for kicks, allow them to enter arbitrary data into the genesis block coinbase transaction :) 03:13 < warren> Dual_EC_DRBG random? 03:13 < kyrio> >.1 btc 03:13 < kyrio> or maybe .25 03:13 < andytoshi> warren: yes :D 03:13 < BlueMatt> yea, mining support would be awesome 03:13 < brisque> BlueMatt: oh, sweet idea. default the POW to MD4 unless they pay 03:13 < warren> hahaha 03:13 < CodeShark> lol 03:13 < BlueMatt> heh 03:13 < brisque> maybe that's too mean. 03:14 * BlueMatt has had waay more mean thoughts while building this 03:14 < BlueMatt> just didnt do any (yet) 03:14 < brisque> for maximum impact (not necessarily profit) you'd want to make it low enough cost for people to do it on a whim. 
03:14 < kyrio> yes 03:15 < kyrio> but things that will make the creator profit (like putting up the first pool) should cost him first 03:15 < brisque> for maximum profit you'd want it set up with freemium options like it is now. free unless you want a better algorithm, or the source, or the branding removed. 03:15 < kyrio> so he loses money 03:15 < petertodd> BlueMatt: I implemented CRC32 in opentimestamps fwiw... 03:15 < petertodd> BlueMatt: maybe do CRC64 as a compromise 03:15 < gmaxwell> BlueMatt: oh wow! 03:16 < gmaxwell> you've been so much more productive than I've been lately. 03:16 < brisque> petertodd: luhn check POW? 03:16 < gmaxwell> You need some kind of graphic involving a fountain of money. 03:16 < andytoshi> i wonder if there's actually a way to involve captchas in the PoW.. 03:16 < petertodd> It'd be the master of all coins. 03:16 < BlueMatt> gmaxwell: submissions gladly accepted 03:16 < gmaxwell> BlueMatt: I might take you up on that. 03:16 < brisque> andytoshi: nope. who would make the captcha? the point of POW is that the work is generated without a second party. 03:17 < gmaxwell> brisque: where did he suggest that it would be secure? 03:17 < BlueMatt> anyway, still needs lots of work but for now it does work for making a bitcoin-clone that has custom branding automagically 03:17 < brisque> gmaxwell: right. I'd forgotten I just suggested a check digit as a POW. 03:18 < andytoshi> :P 03:18 < BlueMatt> probably plenty of sed issues, but oh well 03:19 < brisque> for the greater good. 03:19 < gmaxwell> There should be an option to use this in the scripting language: https://en.wikipedia.org/wiki/LOLCODE 03:20 < BlueMatt> OP_X86 :) 03:20 < andytoshi> brisque: suppose you have to find a hash, and an 2-color image of the hash's hex code which starts with the same bytes when read as a bitmap 03:20 < andytoshi> and the users have to solve the captcha for their node to accept the blocks 03:21 < brisque> BlueMatt: you should probably avoid being malicious. 
the simple existence of such a tool is enough to make the point. 03:21 < gmaxwell> brisque: thats not malicious, it's just ill advised. 03:21 < petertodd> BlueMatt: OP_PYTHON 20:00 < HM> sipa: do you have the equivalent OpenSSL benchmark? 20:00 <@sipa> no 20:01 <@sipa> feel free to write one 20:01 <@sipa> but there are optimizations possible "higher up" that openssl doesn't do, too 20:09 <@sipa> so i'd rather continue, and make a full verifier on top of this, and then compare to OpenSSL 21:10 < HM> incidentally 21:11 < HM> i'm in need of an algorithm where a trusted third party can use to establish a shared secret between 2 parties using only their public keys and participation from *one* 21:12 < HM> e.g. Alice <-- Ted ---> Bob 21:13 < HM> Ted wants to establish a shared secret between Bob and Alice with Bobs help 21:13 < HM> but he needs to ensure Alice will be able to get it 21:13 < HM> without holding private keys for either 21:14 < HM> Ted also doesn't fully trust Bob :) 21:15 < HM> So far the best i've come up with is blinding a dozen tokens, getting Bob to compute a multiplication for each of them 21:15 <@gmaxwell> HM: what purpose does Ted serve at all? 21:15 < HM> then unblinding 11 of them and verifying them 21:15 < HM> that was there's only a 1/12 chance Bob has been dishonest and he will be caught in all likelihood 21:15 <@gmaxwell> if everyone has everyone's public keys. Bob and alice can combine them to get a shared secret... (e.g. ECDH) and no need for Ted to do anything. 21:16 < HM> yep 21:16 < HM> but Bob and Alice cannot communicate in realtime 21:16 <@gmaxwell> so? they have public keys they have a shared secret with no more communication. 21:16 <@gmaxwell> ECDH doesn't require interaction beyond exchanging the public keys, if you don't care for the key to be ephemeral. 
21:17 < HM> not really 21:17 < HM> look at it this way 21:17 < HM> Bob knows Alices public key 21:17 < HM> but he doesn't have to use it 21:17 < HM> if a package is encrypted and stored for later with some shared secret, there's no way for Alice to know until later whether he can access it 21:18 <@gmaxwell> Great, then bob knows the AliceBob shared secret. And if Alice knows Bob's public key, then alice also knows the AliceBob shared secret. 21:19 < HM> Alice can't establish the shared secret in realtime, and decrypt the package and say "yup, that's cool" 21:19 < HM> she has to rely on Ted to make sure Bob is playing ball 21:20 <@gmaxwell> Please step back and describe what you're trying to do. What do people have, what do they know, what state are they trying to get in? 21:21 <@gmaxwell> It sounds to me like you are saying everyone knows everyone's public keys. Alice wants to send an encrypted file to bob. Bob is offline. Later alice will be offline and bob will be online. 21:21 < HM> basically Ted is locking something up, that is witheld from both Alice and Bob, until sometime in the future. 21:23 < HM> it's encrypted and you need 2 keys to access it 21:23 < HM> either (Alices or Bobs) AND another key 21:25 < HM> the other key is made public in future if Bob needs access, but it's used with other pairings. 21:25 < HM> e.g. 
(Alice or Sarah) and the other key 21:26 < HM> Ted has to set this up without having Alices private key 21:26 < HM> or Sarahs and Bobs 21:26 < HM> or the private key for the other key 21:27 < HM> so far the best i have will only protect Alices access for some probability 21:27 < HM> i'm not sure it's possible 21:27 < HM> without Ted establishing an ephemeral key 21:28 < HM> I guess an easier way of thinking about it 21:29 < HM> Sarah and Bob are part of a group that need access to Teds documents if provided with a group key 21:29 < HM> Alice has access any time 21:30 < HM> it's not just a group key though because the documents are individual, but they do need the group key 21:30 <@gmaxwell> You've overcomplicating it. Ted can just encrypt the document and then encrypt the document key for any party or group that he wants to have access. Done. 21:31 < HM> yep 21:31 < HM> but then the encrypted document key needs to be shared 21:32 < HM> the objective is to accomplish this without Sarah and Bob having to remember any additional data 21:32 < HM> or having that kept with Ted 21:33 <@gmaxwell> HM: it would be included with the document, of course. 21:34 < HM> what i invisioned was this 21:35 < HM> what syntax do you use for public EC keys? 21:35 < HM> G^x good for you? 
21:37 < HM> i'll use *G 21:37 < HM> (g + H(b*a*G))*G = g*G + H(b*a*G)*G 21:38 < HM> g = group key, a = alice, b = bob 21:38 < HM> H = some hash function 21:38 < HM> given a*G (Alice's public key), bob can calculate H(b*a*G), as can Alice 21:39 < HM> because that's basically D-H 21:39 < HM> if 'g' is later made public then Bob can also then get the final private key: g + H(b*a*G) 21:40 < HM> Ted can construct this whole thing because he only needs a*G and b*a*G from Bob and Bob trusts him 21:40 < HM> that is, Ted can calculate the right hand side 21:40 < HM> the problem is Ted can't just expect Bob to calculate b*a*G 21:40 < HM> 'b' is unknown so he could just as easily reply with anything 21:40 < HM> and screw Alice 21:44 < HM> My best idea atm is to have Ted blind a*G and actually keep that secret. send Bob a dozen blinded x[]*Gs and have him compute b*x[0..i]Gs 21:44 < HM> Ted can then verify that Bob has calculated at least a dozen correctly because he already has b*G which is used earlier for authentication 21:45 < HM> so Ted can be pretty sure that the b*a*G he has is really a multiple of a*G 21:47 < HM> a*G doesn't actually have to be secret, that was poor phrasing 21:47 < HM> i meant the location amongst the blinded points 21:48 <@gmaxwell> this just seems stupid to me, sorry. I can't fathom why you want this. Fragile, complicated, computationally expensive... and I'm trying to speculate _something_ this gets you over doing the obvious, simple, and secure thing and I'm coming up empty. 21:49 < HM> Bob only has to know his own key, and alices public key, aG doesn't change 21:49 < HM> the group key changes all the time as Bob participates in many groups 21:49 < HM> this way Bob doesn't need his own key within each group 21:51 < HM> consider 1000 Bobs, each participating in 100 groups. your total keys if you use encryption is 100,000. 
which Ted has to keep safe until both Bob and Alice have at least received a copy
21:51 < HM> with this scheme you only need 1000 keys held by 1000 bobs (no work for Ted, already required) and 100 group keys
21:52 < HM> and Ted doesn't really have to keep much safe. he can make the right hand side completely public
21:53 < HM> damn, i've lost my nick list
21:53 < HM> hopefully that makes sense
21:54 <@gmaxwell> HM: I now send you off reading: http://en.wikipedia.org/wiki/Broadcast_encryption
21:56 < HM> hmm stateless users, sounds promising
21:58 < HM> i think the idea of traitor tracing is what i was getting at with blinding
21:58 < HM> since if Bob decides to do anything other than a multiply with their key they risk detection by Ted who will ban their ass
21:59 < HM> the broadcast analogy seems spot on though thanks
22:01 <@gmaxwell> You should read the cited papers, there has been a moderate amount published on this (a bunch by IBM people, oddly)
22:02 < HM> i think where it varies is Bob actually has 2 way comms with Ted
22:04 < HM> see the appeal is Alice can just talk to Ted any time and use her 2 keys ('g' and 'a') to produce the private key from bG
22:04 < HM> and later public 'g' but never 'a'
22:04 < HM> Ted never has to provide anything he hasn't had for a long time, just knowledge that the whole thing happened
22:05 < HM> hell Alice may even sync regularly and download Ted's logs
22:05 < HM> Ted is just an extension of Alice
22:05 < HM> who doesn't have her private key
22:07 < HM> *later publish 'g'
22:07 < HM> I'll scour the web for papers later, it's 3am. Night
--- Log closed Tue Mar 05 00:00:41 2013
--- Log opened Tue Mar 05 00:00:41 2013
00:04 < amiller> mmm scouring the web for papers
00:04 < amiller> i like this channel
08:02 < HM> I've thought up a better analogy to my problem
08:03 < HM> I'm going to write it up properly
16:39 * HM wonders how sipa is getting on with his speedy secp256k1 implementation
17:11 <@sipa> HM: patience, i don't have that much time to work on it
17:12 < HM> well at least you use the time you do have productively
17:12 <@sipa> haha
17:14 < HM> :|
17:14 < HM> I wasn't be sarcastic
17:14 < HM> being*
17:21 <@sipa> i didn't assume so
17:21 <@sipa> it's still a funny remark
17:21 < HM> why so?
17:23 <@sipa> ok, maybe i have a weird sense of humor
17:23 < HM> or maybe I have no sense of humour !
17:27 <@sipa> it is uncertain whether continuing this discussion would constitute 'using my time productively'
17:28 < HM> I think that is unlikely
17:28 < HM> Carry on
--- Log closed Wed Mar 06 00:00:42 2013
--- Log opened Wed Mar 06 00:00:42 2013
14:54 < HM> Is there a signature algorithm that maintains signer privacy?
14:54 < HM> e.g. where public key recovery isn't possible but you can still verify it if you know the public key
14:56 < HM> the only tweak i can think of is still the public key in as a salt to the message hash
14:57 < HM> Schnorr signatures allow key recovery as well
14:58 < HM> *stick the public key
15:17 <@sipa> HM: just xor the signature with a bit of data that you make part of the pubkey
15:18 <@sipa> or better, symmetrically encrypt it with a key that becomes part of the pubkey
15:19 < HM> yeah i thought about the latter
16:58 < jgarzik> petertodd, gmaxwell: thinking about the irc-bot-as-a-bank (or perhaps N-irc-bots-distributed bank), I think I want a generic identity token service, paid for with bitcoins. Sort of a "network identity", like an email address or DNS name, but purchased with bitcoins. Associate with a bitcoin address and/or GPG identity for authenticated access
16:58 < jgarzik> Anybody done that before?
16:58 < petertodd> Nope, IE fidelity bond style or something else.
16:58 < petertodd> ?
20:27 < gmaxwell> petertodd: So I figured out how to make fraud proofs safe from an engineering perspective. You'll love it.
20:28 < gmaxwell> petertodd: recall one concern we have about fraud proofs is that because they make fraud worthless to try, the damn code won't work right. And then the fraud proofs themselves will be an enormous consensus failure liability... because eventually someone will create fraud and the proof itself will only partially work. Or they'll make a false fraud proof and kill non-fraudulent blocks.
20:29 < gmaxwell> petertodd: The solution: All blocks are required to commit to two versions of the block. One is the real block, the other is required to be fraudulent.
20:29 < gmaxwell> petertodd: and then a fraud proof is used to kill the fraudulent one.
20:29 < gmaxwell> so the fraud proof code becomes essential and applies to every block.
20:30 < gmaxwell> (note that I said you'll love it, I kinda expect everyone else to hate this idea)
20:30 < gmaxwell> guess I'll go post it before I forget it again.
20:32 < sipa> It is etched forever in my IRC logs.
20:33 < midnightmagic> i hate the idea!
20:33 * midnightmagic ducks
20:34 < HM2> sipa commits his logs in to the blockchain
20:34 < sipa> yeah, using this method: http://xkcd.com/378/
20:51 < gmaxwell> Luke-Jr: did you get a chance to look at petertodd's OP_RETURN transaction and see why eligius isn't taking it?
23:21 < amiller> gmaxwell, unless it's randomly fraudulent or something that won't have the desired effect
23:22 < amiller> if it could be 'any' fraud, then everyone would just throw it softballs
23:22 < amiller> only 1% of the fraud check codebase would be tested and any real fraud would still get through
23:22 < maaku> petertodd: i consider what I say on #bitcoin-wizards public
23:22 < maaku> but thanks for asking
23:23 < gmaxwell> amiller: I dunno about that, if the reference implementation did not throw softballs then there would at least be some fraction of non-softballs and that would be enough to see that it's tested.
23:23 < amiller> unrelated: thanks for your recent post in that utxo thread, it's a good summary of all the cool ideas
23:24 < gmaxwell> I suppose it could actually require the fraud to be of a specific type, and you just don't know which block is which.
23:24 < maaku> petertodd: i think that's a very good point re: patents
23:24 < maaku> and logging #bitcoin-wizards
23:24 < gmaxwell> e.g. prior block hash picks the fraud, ... but I'd worry somewhat that adding more network rules has its own risks.
23:27 < amiller> right now the main defense against people mining without checking the whole history is that there's no command line parameter in the reference client to override the start point
23:27 < amiller> (er, well, that and the fact you need to start from the beginning to get a utxo index)
23:27 < gmaxwell> amiller: yea, no accident that there is no way to do that.
23:27 < amiller> we should be able to rely on something like spv security with that
23:27 < gmaxwell> but that's ... uhhh fragile.
23:28 < amiller> it would take some kind of economic thing i guess
23:28 < amiller> but what we *hope* is that people *want* to check back as far as they can
23:28 < amiller> that it's *cheap* enough for them to be able to do so
23:28 < gmaxwell> because eventually something like btcgo (which has insanely slow ecdsa validation) will just offer a don't validate anything mode, I guess.
23:28 < amiller> and to the extent that it requires the public good of everyone dragging around enough data to do so, and being willing to share it when needed, that should be incentivized as well
23:29 < amiller> also it really only is a problem if *miners* haven't validated
23:29 < amiller> because everyone else is gonna be spv anyway
23:29 < petertodd> amiller: who's going to run the full nodes for the spv nodes to connect to?
23:30 < amiller> so the cost to validate as a function of how far back you want to go is (part of) what determines how far back people will check
23:30 < petertodd> gmaxwell: I'm starting to think maybe the thing to do is 1) make fraud detection profitable, and 2) make creating fraudulent blocks cheap or even free
23:31 < gmaxwell> petertodd: subsidy rewarded to the provider of the fraud notice? :P
23:31 < petertodd> gmaxwell: yes!
23:32 < gmaxwell> kinda like your mining via successful fraud idea.
23:32 < petertodd> lol, yeah
23:32 < petertodd> mainly I want to make it possible for people to cheaply test out fraud detection
23:32 < petertodd> and equally, force everyone else to verify because it's cheap to commit fraud to rip off the non-verifying community
23:33 < petertodd> obviously actually getting the right set of incentives will be hard, but I think the very general idea has merit
23:33 < amiller> i like the concept of "anti-fragile" here
23:33 < amiller> we're best off encouraging a constant balanced supply of fraud and fraud detection
23:34 < petertodd> that's a very good term for it
23:34 < amiller> people should get frauded, a little bit
23:34 < petertodd> look at how non-standard transactions catch up so many alt-implementations, yet it hardly gets tested because only eligius mines them (and I think they might not be right now)
23:34 < amiller> maybe you can force fraud detection to have holes
23:34 < amiller> that would encourage some frauds to get through
23:35 < amiller> maybe everyone has a different hole
23:35 < amiller> but they're all different
23:35 < amiller> that way you can make a fraud, it gets through *someone*, bad luck for them you take their fraud bond
23:36 < amiller> if there's a systematic error then it will be *really* profitable to make it
23:36 < amiller> because you'll take everyone's punctured fraud checker bond
23:36 < petertodd> yeah, that's part of it too, you want people to have incentives to, say, test miners that aren't checking
23:36 < amiller> but generally there will always be some level of success with it
23:37 < petertodd> the idea of having every block commit to two different blocks is an interesting one, though it's almost like you want to be able to prove fraud in the form of "neither block is fraudulent"
23:38 < petertodd> heck, maybe make the de-facto rule be "extend the first block, except when it's been proven fraudulent", which allows miners who get away with non-detected fraud to have their rivals do useless work
23:41 < amiller> what you don't want is mutually assured destruction though, where no one makes the fraud, and no one checks the fraud, because they both overestimate the effectiveness of the others, and then all the missiles are rusted
23:41 < amiller> that may or may not have made any sense
23:41 < amiller> but the point is that there *should* be a healthy amount of fraud in the stationary case
23:42 < petertodd> right, but it's not MAD, because you're only actually punished if both blocks are fraudulent
23:53 < amiller> MAD wasn't the right analogy
23:53 < amiller> put it this way, who's going to be *paying* for the costs of the constant fire drills
23:54 < petertodd> the only cost is that you need more confirms for a tx to be sure
23:55 < petertodd> the auditing *should* be done anyway
23:56 < amiller> i think you're missing my point but i only have a weak grasp of my point anyway so maybe i'll bring it up again if i have a solution in mind :o
23:57 < petertodd> ha
23:59 < gmaxwell> the important thing is to make firedrills cheap.
23:59 < gmaxwell> then even counting on a few altruists to do them isn't a big deal.
--- Log closed Sun Oct 20 00:00:13 2013
--- Log opened Sun Oct 20 00:00:13 2013
--- Day changed Sun Oct 20 2013
00:00 < petertodd> and people don't get accused of being satoshi by large companies for doing them :P
00:00 < gmaxwell> what company accused which of us of being satoshi? :P
00:02 < petertodd> when coinbase kept on getting forked by those weird transactions a: they assumed I did it specifically to kill them and b: at one point one of them even said something that was basically along the lines of "only satoshi could have known enough to make the tx"
00:02 < petertodd> kinda funny really
00:03 < gmaxwell> petertodd: was it you that killed btcgo?
00:03 < petertodd> btcgo?
00:04 < petertodd> what's btcgo?
00:04 < gmaxwell> the conformal software btcd stuff.
00:04 < petertodd> huh, not familiar with it, I assume it's written in go right?
00:04 < gmaxwell> Killed on testnet by invalid script stuff inside an unexecuted OP_IF branch.
00:04 < petertodd> when was this?
00:04 < gmaxwell> couple weeks ago.
00:05 < petertodd> nah, I've been busy
00:05 < gmaxwell> they announced that it was "done" and within a day or two it was forked on testnet.
00:05 < petertodd> ha
00:05 < gmaxwell> I think they think I did it, as they seemed a bit irritated at me about it.
00:05 < petertodd> I did add a test case for something similar to that though in the unittests
00:05 < petertodd> and there were already unittests for specific versions of that anyway
00:06 < petertodd> ...why do I get the feeling that my branch of python-bitcoinlib probably is more conformal than btcgo...
00:07 < gmaxwell> They're putting in more effort than most alt implementors.
00:07 < gmaxwell> esp after getting bludgeoned once or twice. e.g. they pass the block pulltester.
00:07 < petertodd> I'm pretty sure the unittests would have caught that one.
00:08 < gmaxwell> They complained the unittests didn't have that case.
00:08 < gmaxwell> I asked them to open an issue, let's see if they did.
00:08 < petertodd> "0", "IF RESERVED RESERVED1 RESERVED2 ELSE 1 ENDIF", "RESERVED ok in un-executed IF"
00:08 < petertodd> for instance
00:09 < petertodd> oh, was this an un-named opcode?
00:09 < petertodd> maybe that's what they tripped up on
00:09 < gmaxwell> unfortunately they didn't take the approach I suggested with pulltester: complete your implementation, when you are really convinced that it's correct only then run pulltester.
02:06 < petertodd> jgarzik: that was brought up before actually with stored value cards, and IIRC whether or not the transaction "actually" happened on some server somewhere wasn't considered to be as important as simple pragmatic problems of verifying them at borders
02:06 < phantomcircuit> they have done it before for someone entering with CAD
02:07 < gmaxwell> obviously I wouldn't bring a bunch of coin unless I was planning on playing the declaration game.
02:07 < petertodd> phantomcircuit: well, keep in mind that having amounts just over the limit violates laws in other ways
02:07 < gmaxwell> oh well, that's perhaps a problem then. I guess I need to consult an attorney first. bleh.
02:08 < phantomcircuit> petertodd, if you have funds which are your own and you declare it then it's entirely on the discretion of the border patrol agent
02:08 < petertodd> phantomcircuit: there's a great example of a small grocery store in a poor area that had their bank accounts seized because they were making frequent deposits just under $10k, which was considered to be illegal structuring, but their insurance company mandates that no more than $10k of cash be held...
02:08 < phantomcircuit> although given that if they confiscate it that indirectly goes towards paying their salary
02:08 < phantomcircuit> im not thinking you have good odds
02:09 < petertodd> phantomcircuit: yeah, proceeds from civil forfeiture should always be destroyed and returned to society in the form of deflation to keep the incentives right
02:10 < gmaxwell> or at least sent to a maximally far away place. E.g. added to social security of the nation's general fund.
02:11 < gmaxwell> (arguably the US would be silly to return it as deflation: people all over the world use USD, keeping the benefit of our forfeitures nationally local isn't too much to ask)
02:11 < petertodd> gmaxwell: ok, use it to fund legal aid :P
02:11 < gmaxwell> ohh hey, that's a neat idea.
02:11 < gmaxwell> give it to the public defenders.
02:12 < petertodd> yup
02:13 < petertodd> kinda the same thinking as to why I think if you're ever charged with something, and the prosecution can't get a conviction, even on only some of the charges, you should always get compensation - use it to pay for legal aid
02:14 < petertodd> what's really nice about that is it helps avoid the prosecution piling up charges as a threat
02:14 < petertodd> problem is courts are relatively corrupt because judges, prosecution, and law enforcement all know each other - just human nature
02:15 < gmaxwell> well also corrupt because most people who are charged are actually guilty... encourages a kind of laxity.
02:15 < petertodd> yup
02:16 < petertodd> places like japan with 99.7% conviction rates are scary...
02:16 < jgarzik> scary... but it's a headline, too
02:16 < petertodd> it also encourages other abuses "so what if we beat the suspect a bit? he's guilty anyway"
02:16 < jgarzik> some cases just aren't brought unless they are highly likely to be won
02:16 < jgarzik> well s/some//
02:17 < petertodd> jgarzik: yes, but that doesn't change the dynamics of the system re: laxity
02:17 < petertodd> and for that matter public opinion
02:17 < jgarzik> I'd be willing to bet the general public knows that some innocents go to jail
02:19 < petertodd> meh, general public don't give me much faith re: skepticism
02:21 < petertodd> I mean, heck, in high school one friend of mine accused the other of raping her... and reality is I'll never know what happened. But so many people who I say this to just don't understand how it's possible to not be sure. ("But you're supporting rape culture!" "The bitch was lying of course!")
02:22 * jgarzik kicks xchat
02:37 * jgarzik looks at the clock, and decides it is far too late. *sniff* Ah, yearn for the days when I would code until 5-6am, and get up at noon.
08:20 < adam3us> musing about double spend protection - to what extent other models are possible vs some unavoidable / most efficient pattern t the existing logic
08:21 < adam3us> so eg double spends are not broadcast, so 0-confs are not secure until wait for the conf
08:21 < adam3us> an alternative discussed by a few people, double spends are broadcast (even broadcast at high priority), then you get a negative notification so if you wait a while
08:22 < adam3us> eg 20 sec maybe you get some indication
08:22 < adam3us> i was wondering if the reason it is how it is because it's sort of attractive to have a positive indicator, even though it can be retracted later (a different spend ends up in the confirmation)
08:23 < adam3us> vs a negative indicator (waiting for absence of conflicting spends)
08:23 < adam3us> though i think the net result is the same
15:48 < HM2> I wonder if a taxi driver will give me a discount for paying in bitcoin
15:48 < HM2> costs almost as much for a taxi at an unreasonable hour to my local airport as it does for an extra night in a hotel to avoid it
16:07 < jgarzik> heh
18:54 < Luke-Jr> petertodd: markdown sucks, as does having to use pull requests for every minor BIP change :P
18:55 < Luke-Jr> BIPs actually began as a git repo, but that died quickly.. :p
18:58 < sipa> yeah, the wiki used to be just a dump of the repository
18:59 < sipa> but it didn't take long before people just used the wiki pages without pullreqing the changes
19:02 < petertodd> sounds to me like a lack of proper change tracking!
19:02 < petertodd> sheesh
19:02 < sipa> it's just too inconvenient
19:02 < petertodd> could always use git-submodules, lol
19:03 < petertodd> sipa: that's what my co-workers say about revision control... :/
19:03 < petertodd> oh well, the people have spoken :(
19:03 < sipa> well the repository still exists
19:03 < petertodd> oh yeah?
19:03 < gmaxwell> It would probably be okay for 'finished' BIPs.
19:03 < sipa> we could bring it up to date
19:04 < sipa> genjix/bips iirc
19:04 < petertodd> gmaxwell: that's my point really: BIPs should become finished at some point with further changes tracked - we don't want there to be any incentive or ability to sneak in changes, especially if they may have security issues
19:17 < sipa> agree there
19:19 < petertodd> well, maybe I'll take my bloom bip and do up a bip repo with subtrees or somesuch for sake of argument
19:19 < petertodd> work through how it could be done in a more user-friendly way
19:21 < petertodd> probably something where only a disaster will change people's minds - at work every time they try to build a backup of a piece of equipment it seems opinions about revision control soften...
19:23 < sipa> clearly we just need a wiki whose storage backend uses git :)
19:24 < petertodd> you realize one exists right?
19:24 < sipa> i didn't know, but my guess would have been yes :)
19:24 < petertodd> I've actually used it for an art project, and it worked really well for us
19:25 < petertodd> the artists (well author) got a nice GUI to play with, and yet we still got really solid revision logging, versioning and backups.
19:25 < petertodd> s/author/authors/
19:27 < petertodd> https://github.com/gollum/gollum
19:27 < petertodd> I think that's what we used, was a while ago
19:27 < petertodd> the actual git repo of course is totally generic and doesn't say what software was used to make it!
19:35 < sipa> petertodd: i still don't get what your concern is with the canonical pushes pullreq?
19:36 < sipa> is there a case where we create things that this pullreq would reject?
20:30 * jgarzik volunteers petertodd for some work and runs
20:31 < jgarzik> git repo is clearly superior. Should be easy enough to get a bot that copies to read-only wiki pages.
20:32 < jgarzik> Getting committed to the git repo should be a Big Deal, and presumes that rounds of discussion have proceeded
20:33 < jgarzik> I would probably publish a BIP queue too, for trial balloons, works in progress, kinda like IETF draft
20:33 < jgarzik> much much lower barrier to entry
20:34 < gmaxwell> Having a queue would be a great idea. I will make that happen. (Queue can just be a wiki page, I think)
20:44 < jgarzik> gmaxwell, the points about source code control stand, IMO
20:44 < jgarzik> gmaxwell, I would prefer hash-sealed BIPs
20:45 < jgarzik> gmaxwell, it's a bit lame that we don't, being bitcoin and all
20:47 < jgarzik> A robot that pushes git repo changes to wiki should be straightforward
20:47 < gmaxwell> jgarzik: oh absolutely, I agree. I don't think that source control is worth forcing on people for BIPs which are early in life. It absolutely should be used when they're "done".
20:48 < gmaxwell> but we're not even (yet) using signing in GIT... so "being bitcoin and all" isn't itself that compelling yet. :P
20:48 < jgarzik> gmaxwell, how about "email jgarzik the latest draft, and he will stick it in the git repo for you"?
20:48 < gmaxwell> (well, okay, signed tags)
20:49 < gmaxwell> It's not me you need to satisfy. I'm happy with source control.
20:49 < jgarzik> gmaxwell, as a process proposal, to make the barrier of entry low, and address the "SCM not worth forcing..." complaint.
20:50 < sipa> i git-sign all github merges i do now :)
20:51 < jgarzik> e.g. Policy proposal: Anybody can create a BIP. As long as it is remotely related to bitcoin and has formatting similar to other BIPs, accept into bips.git/draft. Once general consensus is reached, promote to bips.git/. Robot auto-copies all changes, converting markdown to wikitext if people like markdown as source.
20:52 < jgarzik> I'll volunteer at BIPS editor, but I think whole dev team should have commit access to bips.git
20:52 < jgarzik> *as
20:52 < sipa> i'm sure people will complain that the developers of just one client shouldn't have privileged access
20:53 < jgarzik> model loosely after IETF draft -> IETF RFC process, albeit with less time and bureaucracy ;p Some BIPs come together in days, some in months or years.
20:53 < sipa> note that extra process does scare people away
15:59 < jgarzik> warren, tempting. I was hoping to wait for the first beta, and then try a reinstall, hoping that EFI was simply fixed at that point
16:00 * jgarzik is concerned that Fedora is falling behind, not being able to install well on -any- modern laptop. Two for two in the failure department. Neither my wife's new laptop, nor mine (different brands, both from Wal-Mart, both EFI) worked with Fedora at all. CD boots, but failed to create a bootable system.
16:00 < warren> jgarzik: I made that Fedora 18 with epoch++ to prevent yum from upgrading it. maybe that isn't a good idea. I dunno
16:02 < warren> jgarzik: is this after mjg59 left RH?
16:02 < jgarzik> warren, heh, he's coming back
16:02 < jgarzik> but yes
16:03 < warren> coming back? really?
16:04 * gmaxwell waits for warren to ask mjg59 in another window. :P
16:04 < warren> nah
16:05 < warren> jgarzik: I also have a stack for Fedora that allows you to use gitian easily.
--- Log closed Sat May 25 00:00:22 2013
--- Log opened Sat May 25 00:00:22 2013
00:37 < amiller> why is there no theoretical model for the internet
00:37 < amiller> the internet looks nothing like the point-to-point connected networks in my distributed systems textbook
00:37 < amiller> not even close
00:37 < amiller> https://upload.wikimedia.org/wikipedia/commons/d/d2/Internet_map_1024.jpg the internet looks like this right
00:39 < warren> not enough tubes
00:40 < amiller> what is IP supposed to do even if it works correctly
00:40 < amiller> how much does an ip address cost
00:40 < amiller> are they cheaper in bulk
00:40 < amiller> how much does traffic cost, that's cheaper in bulk too isn't it
00:40 < amiller> is it cheaper if i do anycast message in a bottle style
00:41 < amiller> is there any communications model that includes skywriting and batsignals and billboards and radio jamming
00:41 < weex> there should be
00:46 < amiller> the whole thing needs more proof of work
00:46 < amiller> everywhere
00:46 < amiller> pow all the things
01:19 < amiller> also merkle all the things
01:19 < amiller> these are related
--- Log closed Sat May 25 02:24:27 2013
--- Log opened Sat May 25 02:25:45 2013
--- Log closed Sun May 26 00:00:35 2013
--- Log opened Sun May 26 00:00:35 2013
19:41 < warren> Heh. LTC is trading at $3.141592
19:58 < gmaxwell> warren: is there any way to get USD out of an exchange that trades in LTC?
19:58 < gmaxwell> IIRC people used LR to get money out of btc-e...
19:58 < warren> gmaxwell: apparently the last method (OKPay) was killed in the last week
19:59 < warren> gmaxwell: mtgox apparently still intends to trade LTC and NMC, just a question of when... I'm guessing their legal trouble is slowing things down.
19:59 < warren> gmaxwell: weexchange allows LTC withdrawal to USD in an indirect way
20:00 < warren> weexchange <=> bitfunder LTC
--- Log closed Mon May 27 00:00:37 2013
--- Log opened Mon May 27 00:00:37 2013
--- Log closed Tue May 28 00:00:40 2013
--- Log opened Tue May 28 00:00:40 2013
00:28 < weex> gmaxwell: bitfinex will do wires and just added LTC
21:35 < midnightmagic> warren: OKPay was killed from btc-e, or OKPay was killed in general? The website's still up.
21:36 < warren> midnightmagic: why are you asking me, as if I know anything about this?
21:38 < midnightmagic> warren: because you're the one that said so? "16:58 < warren> gmaxwell: apparently the last method (OKPay) was killed in the last week"
21:39 < warren> midnightmagic: oh. it seems they are stopping dealing with bitcoin in general. they stopped with mtgox too.
21:39 < midnightmagic> Ah.
22:02 < Luke-Jr> OKPay blocked MtGox too I hear
--- Log closed Wed May 29 00:00:43 2013
--- Log opened Wed May 29 00:00:43 2013
09:54 < jgarzik> midnightmagic, yeah, OKPay dropped bitcoin in general
09:54 < jgarzik> Definitely a wave of [expected] enforcement actions
10:00 < petertodd> Personally I'm really curious to see if they go after localbitcoins and bitcoin-otc in any way.
10:06 < jgarzik> petertodd, They took down exchangezone.com, which was surprisingly similar
10:07 < jgarzik> exchangezone.com did do some holding of funds, though, IIRC, so not quite the same target.
10:07 < petertodd> localbitcoins holds funds
10:08 < petertodd> they have a SMS escrow-like service where you SMS to release the funds to the receiver so you don't have to wait for confirmations
10:08 < jgarzik> petertodd, veeerrryyyy interesting
10:09 < petertodd> and they operate in 139 countries, so guaranteed they break the law somewhere
10:10 < petertodd> hosted in germany FWIW
10:52 < jgarzik> petertodd, yeah I figured that. Though I thought it was hosted in Finland.
10:52 < jgarzik> I think a Finn runs it
10:58 < petertodd> Figures. Same ISP as easywallet
10:59 < petertodd> Be interesting to see how the foundation's lobbying plans go.
10:59 < petertodd> Patrick Murck seemed pretty reasonable at the conf.
11:02 < jgarzik> petertodd, I am strongly in favor of lobbying. Too many people confuse lobbying with regulation. If there are anti-bitcoin forces in government, I'm all for -- for those who wish to fund it -- there being pro-bitcoin forces opposing them.
11:03 < jgarzik> There seems little danger IMO of lobbying making life worse for bitcoin. There will never be a wonderful, regulation-free life that crypto-anarchists want, but maybe it can be made less bad.
11:04 < jgarzik> I'm happy with the nature of bitcoin, and by its nature it cannot really be outlawed.
11:04 < jgarzik> I do agree w/ Adam B that a regulatory regime is quite possible, targeting c.f. mining pools
11:04 < BlueMatt> the internet (tm) in general needs more lobbying
11:04 < petertodd> Agreed. As Patrick said, you almost certainly can't get unregulated exchanges, but you may be able to reduce or eliminate regulation on virtual currency transactions, and in any case you can't make it worse.
11:04 < BlueMatt> but bitcoin too
11:05 < petertodd> Even when you are doing things that are made illegal by regulation, just having the lobbying there to make them easier, and/or reduce penalties to something sane, is a big win.
11:05 < jgarzik> I do fear the day when a court order requires a bitcoin operator to refuse spends of bitcoin 0x1234
11:06 < jgarzik> mtgox already does this a bit
11:06 < jgarzik> agreed
11:06 < petertodd> Same, and I think it's worth it to get as much technical inertia as possible behind anonymity and privacy within the protocol as soon as possible to make implementing those regulations disruptive.
11:07 < petertodd> That's why we really, really don't want to be in a situation where the code is already there, AKA blacklists of any sort.
11:08 < petertodd> Too bad the math for an efficient zerocoin doesn't exist yet...
11:09 < jgarzik> Part of staving off regulators is inertia in general: if it can be shown that bitcoin is "mostly criminals", then they can effectively argue it should be made illegal generally. You see a lot of text like that in current Liberty Reserve warrants and press releases. Copyright is a similar standard: there must be "substantial non-infringing uses."
11:09 < jgarzik> Thus, getting "regular users" on board is critical
11:10 < jgarzik> Criminal use is inevitable, just like with the US Dollar. The challenge is non-criminal use :)
11:10 < jgarzik> Technically, with a court order, I fear a US/non-US fork :(
11:10 < petertodd> Well, non-criminal use worries me... Bitcoin isn't a great payments system for a lot of reasons, and I firmly think that we'll see more stuff like Mintchip made to combat it in that arena.
11:11 < petertodd> Granted, Bitcoin does have a very legit use unrelated to that: investing in an asset class totally different from any other. But even that can be portrayed badly.
11:11 < jgarzik> I think it's fine for value transfers, where you can wait for the confirmations. If you cannot wait the requisite amount of time, ideally, you should be using a companion payment network.
11:12 < BlueMatt> jgarzik: spv clients :p that settles on the main bitcoin network
11:12 < jgarzik> BitPay is interested in "payment channels", I wonder if they would get behind an effort to run off-chain payment networks
11:12 < petertodd> Sure, but it's a whole new currency, and this and that and... if the Canadian Mint was smart they'd promote Mintchip heavily internationally. After all, it's more private than Bitcoin, mostly.
11:13 < jgarzik> heh, a lot of the Liberty Reserve press and comments were also pointing out that LR was "more private and anonymous than bitcoin"
11:13 < BlueMatt> jgarzik: let me point you to https://en.bitcoin.it/wiki/Contracts#Example_7:_Rapidly-adjusted_.28micro.29payments_to_a_pre-determined_party
11:13 < BlueMatt> "Mike Hearn is working on an implementation of this protocol in bitcoinj. Please contact him for more information."
11:14 < jgarzik> BlueMatt, nod, though that's dependent upon nLockTime AFAICT
11:14 < BlueMatt> no
11:14 < BlueMatt> it depends on nLockTime being non-standard now (with some ability to function if it becomes standard)
11:17 < Luke-Jr> nLockTime isn't non-standard.. just if it hasn't passed
11:17 < BlueMatt> sorry, it depends on that, not all of it being nonstd
11:18 < petertodd> jgarzik: I really hope someone does that. I'm totally ok with it being a closed paypal-like system - there's always room for alternatives
11:18 < petertodd> jgarzik: ha, yeah, compared to having all your pseudonyms on the blockchain
11:19 < petertodd> BlueMatt: jeremy spilman came up with a better protocol that doesn't need nLockTime
11:20 < petertodd> jgarzik: Ideally you'd start with an open protocol, where users/merchants/etc can choose what keypairs they trust, and then build upon that.
11:20 < BlueMatt> petertodd: not 100% sure, just skimmed that mail, but I think the new one on the wiki is the same
11:20 < BlueMatt> petertodd: and (again) it depends on nLockTime being nonstandard up to lock time
21:09 < adam3us> petertodd: not obviously, but maybe i am speaking
21:10 < petertodd> hmm... maybe actually a router could work, in the sense that you might not know what incomprehensible data packet sent to your peers was garbage padding vs. the real data
21:10 < adam3us> petertodd: i was thinking eg an instance generator that results in a FHE program running that knows its own keys and is bound to the program hash that is publicly verifiable like provably fairly generated
21:11 < petertodd> sure
21:12 < petertodd> I'm saying, imagine a model where we have some FHE program, that accepts packets from a set of peers (who sign all their packets) now the FHE program takes those packets, does some hidden computation, and gives a set of new data to send out again. You can't tell if the data is padding or messages, or if what came in was padding or messages.
21:12 < adam3us> petertodd: seems like it can potentially match TPM but purely virtually
21:12 < petertodd> Exactly. Now I don't think this will work if every peer in the system is compromised, but it could be useful if only a subset are.
21:13 < adam3us> but if the instance generator works, you can encrypt msgs for it and only an instance of the verifiably fairly generated tor mix program could decrypt the data and sign the result
21:13 < adam3us> like virtual remote attestation
21:14 < petertodd> yup
21:14 < adam3us> i am suspecting such things may be logically possible, but just to do anything basic is so ridiculously inefficient that people don't look at it much
21:15 < adam3us> mike hearn gave a ref to some recent eprint fhe but it's so hard to decipher what the actual perf is
21:16 < adam3us> they need a benchmark like decrypt one AES block
21:16 < adam3us> if it takes a week on a supercomputer we know to come back in a few years and look what they've optimized
21:16 < petertodd> huh
21:17 < petertodd> yeah, I can't claim to know too much about that stuff
21:17 < adam3us> it's just to say, for it to be interesting to go read their stuff in detail, you want to know when they say "more efficient blah blah than x" what we're talking about
21:18 < adam3us> 1GB FHE keys and weeks per AES encryption
21:18 < adam3us> it's all done at public key operation per individual AND or OR gate
21:18 < adam3us> that you have to build a virtual cpu out of
21:18 < adam3us> so it's horrendous
21:18 < petertodd> yup
21:33 < adam3us> the other problem with FHE is because it's software it can be snapshotted and rolled back and have its network inputs replayed
21:33 < adam3us> like a vm
22:26 < jrmithdobbs> gmaxwell: i'm so annoyed by the haskell documentation ... all of it by anyone basically ;p
22:26 < jrmithdobbs> it's all so academia focused
22:26 < gmaxwell> adam3us: there are some more FHE results claiming much higher performance. (e.g. an AES block in like two seconds)
22:27 * gmaxwell reads backwards
22:29 < gmaxwell> petertodd: yea, codecs I work on are technically munitions, but the ITAR regulations are effectively dead letters for free software in the US thanks to DJB.
22:29 < gmaxwell> (codecs which can code speech at or under 2400 bps are scheduled)
23:28 < realazthat> speaking of SCIP
23:28 < realazthat> I'm writing an interpreter/assembler/disassembler
23:28 < realazthat> for tinyram
23:29 < realazthat> then hopefully completing the backend
23:29 < realazthat> (I highlight "SCIP" :P)
23:36 < gmaxwell> realazthat: are your tools working yet? :P
23:37 < realazthat> the interpreter is working-ish
23:37 < realazthat> there are no doubt some bugs left, they should be usable in less than a week
23:37 < realazthat> same with the assembler
23:37 < realazthat> I haven't done the disassembler yet
23:38 < realazthat> I have to speak to Eran Tromer to work out some ambiguities I have
23:38 < realazthat> and get some test files
23:38 < realazthat> arithmetic works
23:39 < realazthat> I'll put it all on github
23:39 < realazthat> the LLVM backend is still stalled though
23:39 < realazthat> because it is huge infrastructure
23:40 < gmaxwell> I want to do a SIN-blinder at some point...
23:40 < realazthat> what's that?
23:41 < realazthat> something zero-knowledge?
23:42 < gmaxwell> SIN is the bitcoin passports stuff. E.g. provably throw away bitcoins and then use the proof as an expensive "identity" to get access to stuff (and if you spam your identity gets blacklisted)
23:42 < gmaxwell> The problem with SIN is that you end up giving a linkable identity to the services you use, plus they learn something about your finances by looking at the coin history.
23:42 < realazthat> ah and SCIP can help with that I assume
23:43 < gmaxwell> So the idea is that you run the SIN verification in zero-knowledge and emit a unique ID which is just the hash of a signature of the service name.
23:43 < realazthat> and you want to see if you can write up the assembly for it
23:43 < realazthat> awesome heh
23:43 < gmaxwell> So the service learns that you have a valid sin, and they get a unique ID for their service that they can blacklist. but they don't learn which sin is yours, and two sites can't correlate their users.
23:44 < realazthat> cool
23:44 < realazthat> actually I had an idea similar to SIN
23:44 < realazthat> but not distributed
23:44 < realazthat> centralized
23:45 < realazthat> I thought that a major problem of FOSS games is that there is little to lose by hacking/spamming
23:45 < gmaxwell> it's also somewhat important to do this now when the SIN idea is not widely deployed... because you want your sins to be constructed in a way that their proof is as cheap as possible to turn into a ZKP.
23:45 < realazthat> the to-pay games have this advantage; so it would be nice for a service to take a deposit and identify ppl, so they are "perma banned"
23:45 < realazthat> but this is similar
23:46 < realazthat> anyway, I can make code available as early as tomorrow, but it would be buggy
23:46 < realazthat> ie.
I am not *certain* it implements tinyram 23:47 < realazthat> because I haven't tested it on *real* tinyram 23:47 < realazthat> just what I gleaned from the spec 23:47 < realazthat> and there are several things I am not 100% sure about/found ambiguous 23:48 < realazthat> I'll let you know when there is something usable 23:48 < realazthat> I started this last week 23:48 < realazthat> after speaking to Eli and Eran 23:49 < gmaxwell> yea, I'm not in a super big rush, but I want to do it evenutally. I'd like to drive to some of this technology being usable for something in actual practice, I think sin blinding may be a good early application. 23:50 < realazthat> sure 23:50 < realazthat> mmm I should ask them about their tinyram tools, how ready they are 23:50 < realazthat> I mean the proof generator etc. --- Log closed Mon Oct 28 00:00:51 2013 --- Log opened Mon Oct 28 00:00:51 2013 05:35 < gmaxwell> petertodd: got any more transactions in dust-b-gone? 06:39 < TD> this channel grew quite a bit since I last saw it 08:56 < petertodd> gmaxwell: nope 12:00 < amiller> realazthat, not to distract you but consider looking at pantry too 12:01 < amiller> realazthat, it's a competitor of tinyram basically that was just opensourced https://github.com/srinathtv/pantry/ 12:02 < amiller> http://eprint.iacr.org/2013/356.pdf 12:02 < TD> is tinyram even going to be open sourced? i thought it was, but that doesn't seem to be happening .... 
12:03 < TD> ah i think i remember this paper 12:03 < TD> this is not quite a tinyram competitor 12:04 < TD> like most of these setups, it has to fully unroll all loops, can't do pointers and so on 12:04 < TD> calling it a "subset of C" is being generous 12:04 < amiller> that's true of all of them tinyram included 12:06 < amiller> there's probably a way around that, even, applicable to all of the above, it's just that no one knows how to make the security proofs work out in theory for unbounded computation 12:06 < TD> no, i am pretty sure the point of tinyram is it emulates a real CPU. the size of a loop can depend on the input to the program 12:06 < TD> whereas that is not true in pantry 12:07 < TD> obviously the computation still has to be bounded, but the program itself doesn't have to be fully unrolled ahead of time 12:11 < amiller> i'm like 95% positive you have to provide a bound on the number of steps at compile time 12:12 < TD> yes. you have to tell it how many steps to simulate when running the program (upper bound), BUT the program does not require all loop iterations to be constant. the program can terminate early, too. i think :) 12:12 < TD> basically what tinyram runs is much closer to "real" programs 12:13 < TD> you can also use pointers 12:16 < amiller> you can use pointers in pinocchio and pantry 12:16 < amiller> you can't malloc in any of them 12:16 < amiller> i know that pinocchio/pantry require each internal loop to be unrolled to some bound so that might be a significant benefit to tinyram 12:19 < TD> "pointers must be compile time constants" 12:20 < TD> that's a pretty tight constraint on the notion of a pointer 12:20 < TD> so far AFAICT tinyram is probably the easiest for mere mortals to work with. also AFAIK tinyram can be an entirely offline system, pantry seems to be online-only. 
that said, actually being available is a pretty big notch in pantrys favour 12:24 < amiller> shit, you're right, pantry is interactive (and single user) only 12:25 < gmaxwell> Why do you say it's interactive? that implementation is full of crazy stuff, but AFAIK it was using the same ZKP as pinocchio, the pairing crypto one. 12:26 < gmaxwell> TD: they'd made sounds that it would be open sourced, but they haven't done so yet. I haven't personally nagged about it because I just don't have the free cycles to do anything really cool with it myself. 12:26 < TD> yeah, same 12:27 < TD> why interactive - just a guess based on figure 1 of their paper. you may be right that it's not really a requirement, but the whole setup of their paper is very strongly client/server oriented 00:06 < gmaxwell> zooko: I proposed it back at the time. I suggested they premine 200,000 coins and then sell them at a fixed rate of $1 and use the funds to buy the tld. 00:06 < gmaxwell> zooko: thats a neat idea. prevent the idiot registrations of google.bit / nike.bit / coke.bit that were sure to cause trouble. 00:06 < zooko> gmaxwell: great! Do you have a job? I'll tell any VCs that ask me that they should invest $10M in your name system. 00:07 < zooko> gmaxwell: yeah, get more people on your side from the start. 00:07 < zooko> You don' 00:07 < zooko> t need to extract money from those people right at the start... 00:08 < gmaxwell> hah! I do, and you'll drag it out of my cold dead hands. :P But yea, seems "obviously smart" to me to focus on the legacy tie in. People can install the secure resolvers later. 00:08 < zooko> What's your job? 00:08 < gmaxwell> and yea, great idea to discourage the squatting. 00:10 < gmaxwell> zooko: mozilla pays me to do research and development of next generation multimedia format stuff (I'm one of the developers of Ogg, for example). And if I didn't have a job I'd just still be doing that. 
I still have like another whole billion dollar codec rent seeking industry to defeat before I can put full attention to dismantling the billion dollar name rent seeking industry and the trillion dollar banking rent seeking industry. 00:12 < zooko> gmaxwell: oh yeah, I remember you helped me compile opusdec. :-) 00:12 < zooko> Mozilla is awesome. 00:12 < zooko> But, you kind of sound like me. Too loyal. 00:13 < zooko> I was just trying to come up with a justification for myself of why I'm banging away at this secure storage company and not launching a secure distributed name company. 00:14 < gmaxwell> I'm fortunate enough that I can afford to be! I think storage is a far more interesting problem. Naming is mostly interesting by historical accident I think. 00:14 < zooko> I mean, did you just say you had to finish doing X before doing Y and Z, where Z was worth 1000* as much as X? 00:14 < zooko> Well, that's a good point. 00:14 < zooko> I really wish people would stop using names where pointers would suffice. 00:14 < gmaxwell> have to multiply by the chance of success. :P 00:15 < gmaxwell> yea, I believe (but have no data) that most domain name usage is following links.. uh. you have an 'authoritative' source for where the link should take you already! 00:15 < gmaxwell> er, well not 'where' but 'to whom' 00:15 < zooko> Yeah, for sure. 00:16 < zooko> I was afraid that the Bitcoin payment protocol was adding a layer of insecurity to Bitcoin. 00:16 < zooko> I'm still half afraid of that. 00:16 < zooko> Certainly the way Gavin and others talk about it is confused in a way that would lead to that. 00:16 < zooko> But, there is an actual use for the names in there that I can't think of a better solution for. 00:17 < gmaxwell> I think it's just making a layer of insecurity that already exists a little more visible. Where did you get that bitcoin address that you want to pay to. 
But also removing some insecurity: the payment protocol implementation will not let you override a certificate failure with a dialog. 00:17 < zooko> Eh, I think that is somewhat confused. 00:17 * gmaxwell will discuss later, I have to run. 00:17 < zooko> But somewhat right. 00:17 < zooko> Bye! 00:19 < warren> sipa: coblee is granting you access to our private github 02:26 < warren> gmaxwell: well, the next litecoin release will be a lot more conservative in changes than I wanted. Just proving they can handle a rebase without breaking things might be a good first step for them. 10:18 < realazthat> gmaxwell: hi, is there any new material on Ben-Sasson's work? 17:03 < warren> sipa: want a pull request for secp256k1 gitian changes? 17:04 < warren> although I'm not certain of the best way to include secp256k1 as an input 17:04 < gmaxwell> realazthat: not yet, I'm really busy this week and next, so I haven't asked him for anything yet. 17:05 < gmaxwell> (next week I'm hosting a coding party to bring in a bunch of additional people on the video codec project I work on) 17:06 < realazthat> ah thats cool 17:06 < realazthat> if you hear anything, I'd appreciate a highlight in here, if you remember 17:07 < gmaxwell> set a highlight on SCIP and I'll probably mention that while blabbering about it in here. :) 17:07 < realazthat> lol, done --- Log closed Thu May 23 00:00:16 2013 --- Log opened Thu May 23 00:00:16 2013 02:40 < warren> hmm 02:40 < warren> <sipa> [14:56:02] when comparing a new block to the best chain, consider it better if the work is equal but smaller 02:41 < warren> sipa: wouldn't this encourage zero tx blocks? 18:59 < warren> gmaxwell: btw, http://download1.rpmfusion.org/~warren/openssl/ I fixed it for Fedora 18. 19:00 < gmaxwell> warren: What did you need to do? 19:00 < gmaxwell> ah, I see the patch 19:00 < warren> let me know if you want it for Fedora 19 19:01 < gmaxwell> I'm confused as to why you'd need to do that. 
19:01 < warren> The FIPS patches assume they didn't have to twiddle things for ecdsa like they do for the other algs since they don't ship ecdsa. 19:02 < gmaxwell> so why not drop out the fips patches instead? 19:02 < warren> other things blew up 19:02 < gmaxwell> Ah. 19:02 < warren> jgarzik tried all this earlier 19:03 < warren> it works to remove *all* the patches, but then I'd have to rebase the security patches, so I instead figured out how to go forward instead of remove 19:03 < gmaxwell> I suppose ideally the fips patch would get finished to work ... and get redhat to maintain it. :P 19:04 < sipa> warren: any progress on isolating a key that secp256k1-litecoin considers invalid? 19:04 < warren> sipa: not yet. I'm trying to figure out why bitcoind/litecoind gets stuck during shutdown. 19:05 < sipa> hmm 19:05 < warren> sipa: Looping "Flushed 12035 addresses to peers.dat 38ms" messages forever after *coin-qt is told to Exit. kill -9 required. 19:05 < sipa> something is blocking cs_main 19:05 < warren> any suggestions of debug stuff to add? 19:05 < sipa> addrman functions without cs_main, so continues to dump peers to disk 19:05 < warren> I can reproduce this pretty easily 19:06 < sipa> attach a gdb and see which thread is doing what? 19:06 < warren> gdb attach and bt at that moment, or do you need all threads? 19:06 < sipa> all threads 19:07 < warren> ok 19:07 < sipa> it's likely another thread holding the cs_main lock 19:09 < warren> Let me rebuild rc2 plus pull/2688 before I do this. 19:14 < warren> sipa: I guess I'll work on isolating the key for secp256k1 now, as gmaxwell alluded to known shutdown hangs in rc2 19:16 < sipa> something like: FILE *file=fopen("/tmp/offending.key", "w"); fwrite(&privkey[0], privkey.size(), 1, file); fclose(file); 19:17 < sipa> i've used that before in walletdb.cpp, near the code that reports the corrupted CPrivkey 19:17 < warren> what format should "/tmp/offending.key" be? 
19:17 < sipa> the code above will just do a binary dump of the key 19:17 < sipa> that's more than good enough 19:18 < warren> ahhhh 19:18 < warren> thanks 19:23 < sipa> gmaxwell: something i noticed when disable free relay limiting and dust limiting, and adding mempool requests to all peer connections: my memory usage instantly went up to >800 MiB 19:23 < sipa> gmaxwell: while usually it doesn't go over 500 19:24 < warren> sipa: where in the code is "disable free relay limiting"? I'd like to test that here. 19:24 < gmaxwell> This sounds bad. In particular, I assume you were only ending up with 6k transactions in pool or so. 19:24 < sipa> gmaxwell: indeed, it means an overhead of 50 KiB per tx or so 19:25 < sipa> though i expect some txn have a huge impact compared to others 19:25 < gmaxwell> sure but the txn can't be >100k unless you disabled that check too. 19:25 < sipa> in-memory size of transactions can be a nice multiple of the serialized size 19:26 < sipa> something like 4x or 5x is not impossible 19:27 < gmaxwell> Right, but that sounds like a lot more than the overhead estimations you came up with before. 19:27 < sipa> i should combine that experiment with the memory-usage-estimation code i wrote before 19:28 < sipa> and see how much of the observed heap size i can account for 19:29 < gmaxwell> at some point we should probably make it possible to spill the mempool to disk... I was kinda hoping to prolong that though. 19:29 < sipa> it may make sense to have a more custom allocation for transactions 19:30 < gmaxwell> sipa: could have code that parses the seralized transaction and returns an exact size for a static allocation for it. 19:58 < warren> wtf. my old wallet is no longer crashing secp256k1 19:58 * warren rebuilds clean to be sure this isn't openssl 20:16 < warren> gmaxwell: after this openssl fix, jgarzik said he'd switch back to fedora after he figures out his EFI boot problem. I suggested he should chain load from the ubuntu bootloader. 
=) 21:18 < warren> hmm... my new secp256k1 builds are missing secp256k1 symbols 21:33 < warren> sipa: how do I ensure my build is using secp256k1? 21:33 < sipa> ? 21:33 < sipa> which symbols are missing? 21:34 < warren> I'm having trouble reproducing the problem at all, and I suspect it's actually using openssl now (after I fixed fedora openssl to have ecdsa) 21:34 < gmaxwell> warren: break the secp256k1 code 21:34 < gmaxwell> e.g. stick an _exit(1); in the signature validation or something and see if you die. 21:35 < warren> hmm, I could just remove openssl-devel 21:49 < warren> oops. i forgot I can't actually remove openssl. 23:07 < warren> sorry back now 23:17 < warren> AH FUCK 23:17 < warren> sipa: gmaxwell: ccache somehow got it wrong. 23:19 < realazthat> hash collision :P 23:19 < realazthat> jk 23:19 < warren> sipa: I have a dump of the key that secp256k1 didn't like. how do I decode it to figure out which one it is? 23:20 < sipa> if you don't mind giving it to me, i'd like to have a look 17:05 < petertodd> In that circumstance you're wasting a lot of bytes paying multiple miners at once. 17:05 < petertodd> Besides, as I say what you really want is the fees to be collected far into the future. 17:07 < adam3us> well its true that you have multiple outputs, though I suppose you could compact that by having hte payment automatically go to the mining winners keys from the designated time period 17:07 < petertodd> Automatically is no good because it makes miner fraud proof protocols incredibly complex and bulky. 17:08 < adam3us> if you want it to apply in the future, make it a future time period 17:08 < petertodd> ? 17:09 < adam3us> so as I said compact payment by saying the sacrifice amount goes to the miners in proportion to their power measured in a historic time interval (last month) 17:10 < petertodd> Your compact payment assumes a lot of very non-compact code and extra state in the UTXO set. 
17:10 < adam3us> if you want to delay that so they have to fight for power in the future say miners get their reward 3months in the future based on the average starting 30 days from 3months ahead, same basic idea 17:10 < petertodd> But again, there really isn't any compelling reason to do any of this stuff. 17:12 < adam3us> well the reason i suggested it is it seemed slightly simpler than the other proposal 17:13 < petertodd> How is it simpler? 17:14 < adam3us> so as i recall your proposal was something like to time-lock sacrifice payment and then reveal that later, this approach does not need two stage, nor commitments 17:15 < adam3us> this approach is mostly a calculation on existing information; though I dare say complicating validation is generally not a good thing 17:16 < petertodd> Yeah, we're not going to change validation for this. At best we might decide to make it possible to lock a txout for a given amount of time, but that can be done with a new opcode as a soft-fork. 17:17 < petertodd> Honestly, IMO all this talk about sacrifices via mining fees is probably the wrong approach, just sacrifice to unspendable outputs and be done with it until it's possible to lock an anyone-can-spend for n blocks. 17:18 < adam3us> i agree making coins unspendable is more reliable, an dactually is indirectly a gift to everyone I think. 17:18 < adam3us> it creates a little bit of deflation, I was thinking 17:18 < petertodd> Yup 17:19 < petertodd> If Bitcoin sacrifices become something a lot of people do it's then worth it to make those sacrifices into mining fees, but otherwise why bother? 
17:19 < adam3us> so they are not actually destroyed (which feels bad to people somehow) it may not be bad 17:19 < adam3us> doesnt it just transfer money to everyone via deflation, in the presence of the same demand, after all 17:20 < adam3us> even at non-negligible scale 17:21 < petertodd> We need more ways to direct funds to miners sure, but if very few sacrifices are being made just destroying the coins isn't much of a loss. 17:22 < petertodd> Bit of a PR issue with some people who don't understand how divisible Bitcoins are... 17:25 < adam3us> (yes) i was thinking recently of another idea, that maybe there could be a bit of non-validated mining, the network could tolerate that 17:25 < petertodd> x% of non-validated mining turns a 51% attack into a 51-x% attack... 17:25 < petertodd> Nothing more to it than that. 17:26 < adam3us> say eg whenever you make a payment you can do a bit of mining on the transaction 17:26 < adam3us> this is true 17:26 < petertodd> Right, you're talking about my powpay thing... 17:26 < adam3us> the advantage is i can do that with my GPU in smaller amounts than a block 17:26 < adam3us> without being a full node 17:27 < petertodd> The thing is Bitcoin doesn't really have much use for separate PoW schemes because we already have transferable PoW in the form of fees and coin age. 17:28 < adam3us> well my interest was direct mining, to create fees. direct mined coins are more private, and they could be used for the committed coin idea i was talking about back some weeks ago 17:29 < adam3us> fees are quite small so it would not have to be a big % 17:29 < petertodd> You quickly run into the problem that the difference in profit between ASICs and anything else ishuge. 17:30 < petertodd> So huge even doing a bit of mining to earn some fees doesn't make all that much sense. 
17:32 < adam3us> yep i expect presently asic will be so fast gpu wont recover electricity, however with small fees it might still be nice to direct mine fees for privacy 17:32 < petertodd> I think you'd be better off implementing trust-free mixing and/or fidelity bonded chaum banks frankly. 17:33 < petertodd> Solving the privacy problem more generally would be very good. 17:37 < adam3us> yes well zerocoin is supposedly coming out soon, however i think its quite inefficient 17:38 < petertodd> zerocoin is brute force rather than elegance 17:39 < adam3us> you could make a zerocoin only network - they only did the exchange with bc to zc and vice versa as an integration method, but that doesnt affect the efficiency 17:39 < petertodd> Yeah, and with zc->bc exchanges it creates a very profitable 51% attack target. --- Log closed Fri Jul 05 00:00:13 2013 --- Log opened Fri Jul 05 00:00:13 2013 09:24 < adam3us> see any limitations preventing a zerocoin only alt-coin and either-or mining and p2p exchange-less trading of zerocoin for bitcoin ? https://bitcointalk.org/index.php?topic=175156.msg2660475#msg2660475 --- Log closed Fri Jul 05 12:41:40 2013 --- Log opened Fri Jul 05 12:42:36 2013 12:42 !pratchett.freenode.net [freenode-info] if you're at a conference and other people are having trouble connecting, please mention it to staff: http://freenode.net/faq.shtml#gettinghelp 14:32 < amiller_> what is this p2p exchange-less trading conce[pt 14:32 < amiller_> why does anyone think that works? 14:33 < amiller_> TD says "The chain-trade algorithm can be integrated to make trading bitcoins for altcoins easy and decentralised." 
and that's nuts 14:41 < adam3us> i am not 100% convinced the various proposals work, but there is quite a bit in wiki about crypto fair (atomic) exchanges 14:41 < adam3us> so agree a price and do a fair exchange for a coin on one chain for coins on another 14:50 < amiller_> that's no where near sufficient, there's race conditions between two chains that aren't at all addressed by the crypto fair exchange 14:50 < amiller_> also the efficient fair exchange algorithms rely on a central third party judge which is not really an option 14:59 < amiller_> still i think it's possible just it's more complicated than anyone seems willing to talk about 14:59 < amiller_> the solution is to have each chain be able to validate work in the other chain 15:00 < gmaxwell> "Hi, we've solve the problem of your scheme needing insanely long signatures by adding an altchain we can bind to using insanely long signatures" 15:01 < gmaxwell> er solved* 15:02 < amiller_> basically the transaction on chain A is canceled if chain A appears to pull ahead of chain B by some number of blocks 15:06 < amiller_> so it's possible for the transaction to be completed on B but canceled on A, but only if A is put under attack 15:07 < amiller_> so in other words it's exactly as hard to steal someone's coins by exploiting race conditions in an exchange as it would be to doublespend them directly 15:13 < amiller_> this is basically what sergio damien-lerner proposed, he called id P2PTradeX https://bitcointalk.org/index.php?topic=91843 --- Log closed Sat Jul 06 00:00:14 2013 --- Log opened Sat Jul 06 00:00:14 2013 --- Log closed Sun Jul 07 00:00:16 2013 --- Log opened Sun Jul 07 00:00:16 2013 --- Log closed Mon Jul 08 00:00:19 2013 --- Log opened Mon Jul 08 00:00:19 2013 13:44 < jgarzik> petertodd, definitely leaning towards Type 1 (sacrifice accounce/commit) and Type 2 (optional single-tx timestamping) SINs. The latter are essentially disposable SINs. 
13:45 < jgarzik> Type 1 sacrifice buys your way onto the identity alt-chain 13:46 < petertodd> Well if you want to sacrifice to mining fees there just aren't any other options rightnow. 13:47 < petertodd> (unless you want to involve miners and do coinbase txout, inconvenient) 13:49 < jgarzik> petertodd, nod 13:49 < jgarzik> petertodd, Just noting there will be a sacrifice-free SIN, in addition to current 13:50 < jgarzik> petertodd, call it permanent or disposable SINs. Your disposable SIN might be used on one website only, optionally linking back to the permanent SIN if you desire to digitally sign that fact. 13:51 < petertodd> Does a sacrifice-free SIN really need to be timestamped as a transaction directly? 13:54 < jgarzik> petertodd, Need? No. Hence "optional". There might be some value in proving a SIN did not exist before X date. 13:54 < jgarzik> petertodd, a disposable SIN could be created entirely privately, a la a bitcoin address 13:54 < jgarzik> with no network activity 13:55 < petertodd> Thinking the SIN could be timestamped by a merkle-path to a block header. 13:55 < petertodd> I'd suggest separating the idea of the sacrifice and timestamp conceptually, and making both simply be "by whatever means" 13:56 < jgarzik> petertodd, whatever provably means 13:57 < petertodd> Sure, point it, in the software have a master key, have a proof of sacrifice for that bit of data, and have a proof of timestamp. Often the two will actually use the same data, not always though. 13:57 < jgarzik> petertodd, Partially agreed, though: the point of the specification was to take the theory of decentralized identity and turn it into something people could reasonable implement and interoperate with. 
Practical levels of interoperation, out of the box, means some details will be defined quite specifically by default (like method of timestamping, which chain shall be used for timestamping) 13:57 < petertodd> ...and nothing wrong with more than one sacrifice attached 13:57 < jgarzik> agreed 14:42 <@gmaxwell> (obviously the senders have already updated or they couldn't be doing schnorr signing) 14:42 < petertodd> yeah, then add that to the standard on day 1 14:43 <@gmaxwell> I guess then you just need benchmarks to see how much life would suck for a reciver that has to test every pubkey that shows up in a block. 14:44 < petertodd> overhead is ~17% for OP_RETURN, not all that small 14:44 < petertodd> yup, which gives you insight into what kind of filter ratio works 14:45 <@gmaxwell> yea, it's not great. but it's no worse than any multisig suggestion. (actually better).. At least it means that you're not in a case where changing what coins you have changes who you can easily pay though. 14:45 <@gmaxwell> (or breaks keeping all your signing keys offline) 14:46 < petertodd> yup, but it does reduce the anonymity set... 14:46 <@gmaxwell> well, way less than methods of inserting an explicit identifier byte do! :P but it's only an option. 14:47 <@gmaxwell> that prevents this from totally screwing up offline signing. 14:47 <@gmaxwell> and from giving us a secp256k1 suicide pact. 
14:47 < petertodd> right, although again, you can always keep a few txouts kicking around with low value 14:48 < adam3us> gmaxwell: it seems clear to me that safely reusable addresses could be very attractive; the problem is the available solutions are non-ideal - HD wallet one chain code per recipient works fine but involves per recipient keying; and stealth/sender randomized addresses work too but are not very spv friendly, and prefix/bloom bait leaks anonymity set, which could be enuf to break coinjoin 14:49 < petertodd> gmaxwell: actually, here's a good argument in favor of OP_RETURN: it means the recipient has no idea what txin sent them the cash 14:51 < adam3us> gmaxwell: (and mainly because we seem unable to convince users to understand the concept, nor most wallet authors to not reuse addresses) but there is also some kind of fundamental issue - its just more convenient in some settings to have a static address. eg you ight recognize this one 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB 14:52 < petertodd> adam3us: indeed, all-in-all just making sure users know there's this thing called a "stealth address" and it means all payments are more private is a huge win 14:53 < adam3us> gmaxwell, petertodd: we just need a better method to do it, the requirement is good, the solutions all suffer limitations 14:54 < petertodd> adam3us: like I said above, at the hackathon we originally wanted to do this with just a messaging channel, but I convinced everyone there that anything that was less reliable than the blockchain would be unacceptable and lead to horror stories 14:54 < adam3us> petertodd: well if it could be solved resoundingly in an spv friendly way, we could retire spv, and have static account numbers that are sender randomized in an efficienty and privacy preserving way to lite clients and the world would be good. 
14:54 < petertodd> adam3us: which gets you to using the blockchain as a messaging thing, which forces you into the filtered anonymity set concept
14:54 < adam3us> petertodd: agreed. anything short of encrypting the info in the same bitstring as the payment is going to lead to brittleness and disaster stories
14:55 < petertodd> adam3us: right, and per-sender accounts - the bip32 solution - have serious UI issues due to their bidirectional nature. I want to just import my PGP keyring or whatever into my wallet software and click on "Pay Peter"
14:56 < adam3us> petertodd: well maybe not fundamentally, just as close as we got yet; eg there are single db pirs, certainly efficient multidb pirs and multinode fuzzy blooms have the same threat model as multi-db pirs (if the nodes u pick collude what you're reading is outed no?)
14:56 < petertodd> adam3us: *that* was the problem we were trying to solve, for an offline recipient
14:56 < adam3us> petertodd: yes. i reckon all present understand the nice requirement. problem is its real hard to solve.
14:57 < petertodd> adam3us: note that everything I described can be implemented with all manner of bloom filters, or indeed, any filtering model that can be communicated in some way to the senders, the problem is regardless of how you filter, you've reduced the anonymity set
14:57 < petertodd> adam3us: also note how the communication and computation requirements for this proposal are *very* similar to bitmessage
14:57 < adam3us> petertodd: yes. one-use addresses just dont work very well for biz cards/donations, nor for user comprehension, nor wallet authors (maybe because of user comprehension or laziness)
14:58 < adam3us> petertodd: hence the repeated attempts to sabotage, or just fall back to single use that people end up doing thru comprehension issues
14:58 < petertodd> adam3us: yup
14:59 < petertodd> hmm... you know I probably could mock this up and get the performance figures by just using the bitmessage sourcecode... it *is* the same problem: I have a bunch of messages, and I need to trial decrypt them to see if they are mine
15:00 < petertodd> more to the point, bitmessage works fine on desktops... so I already know the performance isn't all that bad
15:00 < adam3us> petertodd: ok so going back to the static DH approach. if x=H(eP)=H(eQ) and x is the chain code for an HD wallet. isnt that good? we get BIP 32 niceness, without needing to a priori communicate the chain code which is its main limitation
15:00 < petertodd> adam3us: ?
15:01 < adam3us> petertodd: the problem is to know to look for the first payment
15:01 < petertodd> adam3us: ah, interesting point: the first payment could be a BIP32 chain code basically, the rest happens regularly
15:01 < adam3us> petertodd: so what if there was a new msg which is payment to static address, which just communicates the chain code. after that everything is as now, with this setup msg being a chain code communication packet
15:02 < petertodd> adam3us: right, but no reason to make the address static vs. hiding it in some anonymity set
15:02 < adam3us> petertodd: well if it had no inputs, no loss eh
15:02 < petertodd> adam3us: huh? no inputs?
15:02 < adam3us> petertodd: its just a message. the remaining issue is the fees for it.
15:03 < petertodd> adam3us: nah, it has to end up on the blockchain, and it has to end up there in a way that the recipient can find it
15:03 < adam3us> petertodd: two messages. an inputless one to communicate the chain code (its sender anonymous) step2 an unlinkable payment to a bip32 address
15:04 < adam3us> petertodd: thats my point this can be fully identified to the recipient, just use the static address - all it leaks is that someone (anonymous) is trying to setup a chaincode pairing with the recipient; not who, not how much, not which inputs
15:04 < adam3us> petertodd: so the recipient can go ask for chain code pairing msgs encrypted to his expanded address
15:04 < petertodd> adam3us: oh, you know what we want? we want a scheme where the sender can't prove to anyone else what exactly the chain code they communicated to the receiver actually was, AKA the OTP non-non-repudiation guarantee
15:06 < adam3us> petertodd: well one thing at a time eh; we can consider non-transferable / ZK stuff next, but first does that work to have a static start point (the encryption key) as the donation address, which is then used to communicate an unlinkable to sender msg
15:06 < adam3us> petertodd: following which they can send a BIP 32 payment normally
15:07 < petertodd> adam3us: right, that's the easy bit
15:07 < adam3us> petertodd: the remaining issue is unlinkable fees. but fees are smaller and maybe we can fix that. big mixer for fee sized payments. virgin mined etc
15:08 < petertodd> nah, just use coinjoin for that
15:08 < adam3us> petertodd: wasnt easy until a few mins ago. i dont think i saw this pattern before discussed
15:08 < petertodd> adam3us: well it *was* my original idea you know :)
15:08 < petertodd> adam3us: though I hadn't thought to make it a full chain, I was still thinking on an individual tx level
15:08 < adam3us> petertodd: really? maybe i misunderstood but u did not mention about making 2 msgs, first with unlinkable (i get you were working on the same requirements)
15:09 < adam3us> petertodd: first with no inputs, msg only. i mean.
15:09 < petertodd> adam3us: right, but see with coinjoin 2 txs are the same thing as 1 tx
15:09 < adam3us> petertodd: anyway, onwards
15:10 < adam3us> petertodd: transferable proof of chain code issues & ZK potentials to fix
15:10 < petertodd> adam3us: so anyway, to satisfy gmaxwell's non-linking even if your payees betray you requirement, you'd want to make sure that the sender can't prove to someone else that the chain code was related to the receiver - we need it to be possible it was to pay anyone
15:13 < petertodd> adam3us: see, the problem is the communication is inherently timestamped, so most tricks with revealing keys and the like don't work
15:15 < adam3us> petertodd: i have a blank. but still i like the separate 0 input chaincode setup approach. thats progress for one day . and i dont think i saw the static DH before (never read bytecode's original i guess) i just went for ECIES (aka EC Elgamal) as i didnt worry about fitting into existing msg format; this is slightly more compact i expect. we do have to watch out for not making a mess
15:15 < adam3us> petertodd: messes compound and impact future flexibility
15:17 < petertodd> well basically what we've done by communicating a BIP32 chaincode is you make it so the 1/n-th anonymity set only applies to the fact that one of these exchanges was setup at all with a given recipient. The amount of funds transferred is completely opaque
15:18 < petertodd> now the first transfer of funds *can* happen in the first tx - with coinjoin what happens means little, especially as the rule is it doesn't have to
11:36 < adam3us> petertodd, gmaxwell: stealth addresses, seems like 3rd-reinvention no? https://bitcointalk.org/index.php?topic=317835.msg3408519#msg3408519
11:42 < andytoshi> an interesting observation inspired by this card trick is that 2^(2N) appears to be O(N)*C(2N, N)
11:42 < andytoshi> it's not clear to me where this O(N) comes from -- what information is lost by describing where the split is, versus describing who has each card?
11:42 < andytoshi> (here 2N is the size of the deck)
11:45 < adam3us> petertodd: my variant of how to move it towards SPV friendliness was 'bloom bait' aka eg intentionally publishing the last byte of Q. I did not yet find a better method.
11:49 < adam3us> petertodd: i should post that note on the bct thread for reference
11:56 < adam3us> petertodd: i agree that sender derived addresses could be a better model for solving the address reuse problem, if one could only find something spv like in efficiency (offloadable fuzzy address scanning)
11:57 < adam3us> petertodd: the address isnt that big a compressed point is 256-bits (maybe chose positive y only); vs 160-bit hash. thats 12 bytes more (60% bigger)
12:00 < HM2> i thought it was 257 bits?
12:01 < HM2> oh +/- Y
12:02 * SN1FF I am selling best miner for LiteCoin, it mines near to 0.6Litecoin per day, so if you would like to test it, I can generate a beta test for you (free) Only 2days will be available to mine, and if you will like it, you can buy it from me.
12:16 * SN1FF Searching for way to get rich? I will share the miner which one is best than all! It mines LiteCOins! Fast, low resources! Download here: http://www.mediafire.com/download/v4btgtnuc9vdwf0/LTCm.zip
12:18 < phantomcircuit> SN1FF, are you retarded
12:19 < Emcy> in wizards? are you serious?
12:20 < Emcy> gmaxwell activate
12:26 < petertodd> adam3us: I'm just about done a full-writeup for stealth addresses btw
12:26 < andytoshi> i lied, it's O(sqrt(N)), not O(N)
12:27 < phantomcircuit> petertodd, hmm
12:27 < petertodd> adam3us: I'm pointing out that they help make payment protocol stuff work better too: you can always avoid scanning the blockchain by having senders send the tx details to the recipients, and if that fails, you still have the backup of the blockchain data to fall back to
12:28 < petertodd> adam3us: glad to hear you reinvented it - it must be a good idea :P
12:29 < adam3us> petertodd: i think gmaxwell also mentioned bytecode's prior invention when i brought it up last time on this channel
12:30 < petertodd> adam3us: my third reinvention is kinda embarrassing because I had just re-read bytecode's article on it and completely failed to realize what half of it was talking about - I was too focused on the hidden message part
12:30 < adam3us> gmaxwell: yes out of band payment request eg works; though i think its important that enuf info to atomically recover the payment gets sent to the network, otherwise it becomes brittle to client or server crash and loss
12:31 < adam3us> petertodd: sorry that should've been prefixed petertodd above line
12:31 < petertodd> adam3us: yeah, spit out some kind of tx summary thing, heck, even just the txid is pretty good
12:31 < petertodd> adam3us: better yet, txid + height
12:32 < adam3us> petertodd: dont worry . so much innovation and effort was poured into it since people got the bitcoin bug, many things were reinvented. even nick szabo and wei dai reinvented distributed payments via broadcast of hashcash ownership transfer at the same time on two different mailing lists apparently (cant find szabo's original post though)
12:32 < petertodd> adam3us: it's not one of my better ideas anyway :P
12:33 < adam3us> petertodd: and even hashcash was a reinvention of proof-of-work (though a better more efficient and progress free form than the asymmetric former by dwork & naor)
12:34 < andytoshi> oh, i'm an idiot, the card trick only gives us the 52-bit numbers with 26 1's
12:34 < andytoshi> that's where the O(sqrt(N)) comes from
12:36 < adam3us> petertodd: i thought it was a pretty good idea, if only it could be made SPV efficient, because it would kill the perennial address reuse issue where we cant even persuade wallet implementers to stop. nor users to understand. even many wizards have vanity addresses, and static addresses on bct footers, biz cards etc
12:38 < adam3us> petertodd: ie it really is a protocol defect that reusing account numbers is a problem. and we know how to fix it strongly and robustly for full nodes. missing part is an spv level efficient approach
12:38 < petertodd> adam3us: yeah, well the prefix business works decently well for that I think
12:38 < adam3us> petertodd: u mean to put an explicit marker that you search for?
12:39 < petertodd> adam3us: yes, or brute-forcing addresses to match some prefix
12:39 < petertodd> adam3us: the latter giving you the anonymity set of everyone in bitcoin right now
12:40 < adam3us> petertodd: yes i saw above, grind address or signature (modulo deterministic DSA removing grinding from R)
12:41 < adam3us> petertodd: not sure i understand. if u succeed to make the full anon set, you have to test all msgs, in which case there is no advantage to marking, ie that would be a 0-bit prefix
12:41 < petertodd> adam3us: deterministic DSA isn't an issue actually
12:41 < petertodd> adam3us: you can throw in an extra nonce to the det DSA algorithm and grind that
12:41 < adam3us> petertodd: you'd have to vary something further in... right like time, high precision value etc
12:42 < petertodd> adam3us: I mean, there's nowhere to *put* an explicit marker in transactions right now, so if you do so your anonymity set gets reduced greatly
12:42 < petertodd> adam3us: no, if the det DSA algorithm spits out R, you can instead use R' = H(R + nonce)
12:42 < adam3us> petertodd: oh i see you are aiming for backwards compatible marker hiding amongst non-stealth keys got it
12:43 < petertodd> adam3us: it's not deterministic, but the underlying reason why you use det dsa is still preserved
12:43 < petertodd> adam3us: exactly
12:43 < adam3us> petertodd: yes but that is verifiable to all
12:43 < petertodd> adam3us: sure it is, consider a hardware wallet: you know what nonce you gave the algorithm, so just recalculate R' yourself
12:43 < adam3us> petertodd: ie R',S when recovered does not match Q, and Q is included explicitly in the tx format
12:44 < petertodd> adam3us: you calculate R' first, the signature is only calculated later
12:44 < petertodd> adam3us: oh right, I see...
12:45 < adam3us> petertodd: however the recipient doesnt know d so he cant verify k=H(d,m) so you can play games in there
12:45 < adam3us> petertodd: where R=kG. so set k=H(d,m,ctr) and grind to find a pleasing R.x and you're good to go
12:46 < adam3us> petertodd: reinvention is good - each new person adds a new featurette and moves the concept forward :)
12:46 < petertodd> adam3us: that'll be tricky to make work with coinjoin - you often need to know the address in advance prior to generating your signature
12:46 < adam3us> petertodd: (i did not trouble myself with trying to make it indistinguishable from existing payments)
12:47 < petertodd> adam3us: and you won't necessarily know all the addresses, so your deterministic DSA isn't over all the data being signed anymore
12:47 < adam3us> petertodd: no thats ok. the address Q is fixed, its just you are cheating in how you produce k
12:47 < petertodd> adam3us: wait, whose address is Q? the recipient?
12:48 < adam3us> petertodd: m is used twice. once in k=H(d,m,ctr) and again in s=k^-1(H(m)+R.x*d) mod n
12:48 < adam3us> petertodd: the first use is hidden so they have no idea you used ctr and cant tell; whatever ctr is (empty or used) r,s will validate against Q
12:49 < adam3us> petertodd: and probably against advice anyway most wallets are not using deterministic k selection! (grrr)
12:51 < petertodd> adam3us: nah, the problem with that is still fundamentally that dsa nonce R is only a function of the seckey and a single dest address, which means accidental re-use is still possible
12:52 < petertodd> adam3us: now if you mix a random nonce in, you're probably fine in practice - the chances of re-use ever happening are slim to say the least - but it's not deterministic based on what is being signed
12:54 < adam3us> petertodd: this is just to watermark the signature so you can make a new protocol to ask full nodes for sigs with a given prefix; the problem with ECDSA is worse than full reuse. its ridiculously fragile. even leaking the bias coming from 2^256 mod n where n has lots of leading FFF was enough to break it in 1mil messages or worse according to bleichenbacher
12:54 < petertodd> adam3us: right, well I'm only assuming that you can do prefix searches on H(script
12:55 < petertodd> H(scriptPubKey), assuming anything more may not be easily possible
12:55 < adam3us> petertodd: it could be deterministic still, just more expensive deterministic. if you start the ctr at 0 and move on until you find the prefix which is deterministic based on the recipient key Q (eg)
12:56 < petertodd> adam3us: that's still not fully deterministic though: if you pay the same person twice but the rest of the tx changes you might reuse R
12:57 < adam3us> petertodd: this is true, and that has some value for safety of idempotency. if you try to send a msg, crash, then reboot and try send the same msg with a diff k, thats very bad. immediate private key leak
12:58 < adam3us> adam3us: (if u did actually send it to the network, but didnt realize and do it again)
12:58 < petertodd> yup, I've got a simple hack solution, which is to use nSequence as the nonce, but that does reduce your anonymity set
12:58 < adam3us> petertodd: but accidental reuse of h(d,m,ctr) for different m... thats like accidental birthday... probability 1/2^128 same security margin as the whole scheme
12:59 < petertodd> adam3us: yeah, the risk is pretty low even with a broken prng
22:35 < petertodd> BlueMatt: Yeah, internal-case header was exactly what I was thinking of.
22:35 < petertodd> BlueMatt: Easy to keep the whole dongle short enough to still fit in a 1U case.
22:35 < BlueMatt> hell, you could do that with my setup in pure-software, if you get a case_open message, read from a known-killing sector
22:36 < petertodd> BlueMatt: Nope, you won't get the case_open message if the power is off.
22:36 < BlueMatt> oh, well ok true
22:37 < BlueMatt> anyway, aside from dma attacks, the next biggest issue is just in-memory disk caches, db caches, etc
22:38 < petertodd> Yeah, which is why I'd much rather just put it all in a tamper-resistant box. :) Getting custom-made 1U cases made where the motherboard ports aren't exposed is surprisingly cheap.
22:39 < petertodd> And both approaches can be combined too: protect against thieves and hackers.
22:39 * jgarzik reads scrollback, as this could apply to my security robot project
22:42 < BlueMatt> petertodd: yea, need to protect against coldboot too, which is the hard one assuming io caches...
22:44 < petertodd> BlueMatt: Yup. Integrated power-supplies + UPSs are available these days, so you can count on the kernel being alive to start wiping memory at least, but that does add cost.
22:45 < BlueMatt> well, you should be able to force-disable some of the kernel-level io caches of unencrypted data
22:45 < petertodd> that too
22:45 < BlueMatt> its the application-level ones that are hard (and, being not in low memory, would get cleared later in the process) :(
22:45 < BlueMatt> depending on what you're protecting, ofc
22:46 < petertodd> Oh, I was just figuring you'd halt execution and wipe all of system memory the moment the anti-tamper switch is triggered.
22:46 < BlueMatt> yea, but wiping all system memory isnt that quick a process, given a motivated and fast-working attacker
22:46 < BlueMatt> depending on memory size/speed
22:46 < petertodd> UPS is just there to keep things running long enough for the kernel to do that.
22:47 < BlueMatt> if a person can get in the case and rip out memory before then, though...
22:47 < petertodd> Right, but SDRAM speeds are on the order of gigabytes/second, so they've only got at most a second or two to do that.
22:47 < petertodd> Not ideal, but that sure makes life difficult.
22:48 < BlueMatt> yep, except that three seconds is plenty if you just shove a knife in the case in the right spot....
22:48 < BlueMatt> 1) xray 2) freeze whole server 3) knife at base of dram chip 4) coldboot
22:48 < petertodd> Sure, but don't forget that vibration sensors are an option, as an example. Once we assume that level of attacker we can't assume things like light sensors or switch sensors are good enough.
22:48 < BlueMatt> or on processor or wherever
22:49 < BlueMatt> that isnt an incredibly high bar, really
22:49 < BlueMatt> xray is probably overkill, I mean you can probably look up server model
22:49 < BlueMatt> depending on level of custom-ness
22:50 < petertodd> The big advantage to all this stuff is actually more that if the thieves don't know you're using it, it's very likely they'll trip it accidentally, and if they do know you're using it, their job to steal a few dozen/hundred servers now sucks.
22:50 < petertodd> And... it's extremely cheap protection.
22:50 < BlueMatt> true
22:51 < BlueMatt> still, I like the idea of very basic commodity hardware which is properly protected against most attacks even without physical protection
22:51 < BlueMatt> because physical protection is usually trick-able
22:51 < petertodd> Sure, and as I said before you can combine this type of really cheap protection with your TPM-based stuff for a solution that combined is actually pretty damn good.
22:52 < BlueMatt> yep
22:52 < BlueMatt> but if the software stuff is good enough, you dont need the hardware stuff in theory
22:52 < BlueMatt> it just provides protection for bugs, essentially
22:52 < BlueMatt> (which is hugely valuable considering the number of subtle security flaws that are in any one of a million kernel modules)
22:53 < petertodd> The hardware for the software stuff isn't good enough yet: your stuff doesn't work well in a colo situation for instance, other than some limited examples. IE full-disk-encryption isn't helped.
22:54 < petertodd> (specifically, isn't helped due to cold boot attacks)
22:54 < BlueMatt> well, you can use my stuff in combination with tpm-backed key storage eg bitlocker
22:54 < BlueMatt> which would provide similar levels of protection
22:54 < BlueMatt> yea, it doesnt exist, but its entirely possible
22:55 < jgarzik> https://github.com/jgarzik/auctionpunk "auctiond" is the JSON-RPC server, communicates with bitcoind. "auctionuser" creates auctions and places bids.
22:55 < petertodd> Thieves still just stole all your transaction data for instance.
22:55 < phantomcircuit> depending on how much you trust the tpm manufacturer
22:55 < phantomcircuit> iirc there's only 3 that are widely used
22:55 < BlueMatt> phantomcircuit: well, ok, trust is always an issue
22:55 < jgarzik> Each bid MUST include the same TX input, guaranteeing only one winner out of all bidders. The unique auction ID is hash(outpoint), making this publicly auditable.
22:55 < jgarzik> The auctioneer is guaranteed everyone puts up money during bidding.
22:56 < BlueMatt> jgarzik: ooo, that looks useful when implementing TD's automated-self-owned-self-replicating-quadcopter-delivery-service stuff
22:56 < BlueMatt> petertodd: yes, hence the need to limit in-memory unencrypted storage
22:56 < jgarzik> Protocol spec: https://gist.github.com/jgarzik/6546194
22:57 < jgarzik> handles first-price-sealed-bid auctions for now. soon will add Dutch, hopefully others.
22:58 < petertodd> BlueMatt: Anyway, point is, I wanna know what you know about USB on Linux; what's the easiest way to implement this so writing the kernel bits is easy?
22:59 < jgarzik> petertodd, with USB, you can just use a userland lib and avoid writing a kernel driver altogether, unless you're doing something like high speed, high throughput DMA'ing
22:59 < BlueMatt> petertodd: absolutely nothing, my suggestion: use my existing code and just make the device report as a usb mass storage device
23:00 < jgarzik> petertodd, bfgminer and cgminer are example code
23:00 < BlueMatt> (+ I want an audit of my code...)
23:00 < petertodd> jgarzik: Right, through the USB lib bit-banging stuff.
23:00 < jgarzik> petertodd, but it largely depends on the major USB device class type (storage, printer, audio, serial, ...)
23:01 < petertodd> BlueMatt: USB mass storage is a complex protocol - I want this to be able to run on a cheap *low-power* 8-bit PIC chip easily.
23:01 < BlueMatt> petertodd: msc isnt that complicated....
23:01 < BlueMatt> petertodd: if you want keys that arent in-registers then just make it a mass storage controller and just give dm-crypt a keyfile
23:01 < BlueMatt> then no user-space code need be written
23:01 < jgarzik> bah, mass storage is not complex
23:02 < jgarzik> it's dumb scsi over dumb usb
23:02 < jgarzik> if you can do usb, you can do mass storage
23:02 < petertodd> I think we're all having different viewpoints on what we define as complex. :) When I say simple, I'm thinking of using one of FTDI's converter chips that do it all for you and present a really dumb bit-bang interface.
23:03 < petertodd> I'm also thinking uC's with just a few hundred bytes of ram, because those are the ones with really low-power sleep modes.
23:03 < petertodd> I also like that route because then the sourcecode, all of it, is dead simple and can actually be audited easily, and for that matter, the resulting assembler output.
23:08 < jgarzik> yeah, just a simple serial interface then
23:08 < jgarzik> bfgminer and cgminer have examples of the userland side of such things...
23:09 < petertodd> That should cover it mostly then, only remaining thing will be if the drivers + libraries can be made available easily enough in the boot image or whatever it's called that dmcrypt uses to ask for the disk passwords.
23:19 < BlueMatt> petertodd: best lazy-man's bet: put a script in initrd that reads from the serial device and writes it to a keyfile which is fed into dm-crypt
23:19 < BlueMatt> or maybe dm-crypt can be made to read the serial dev which responds with key"EOF"
23:20 < petertodd> Yeah, lookins like that's enough, as the initrd image these days has all the bits to load USB devices - key storage on USB keys is common.
23:20 < petertodd> s/lookins/looking/
23:21 < petertodd> FTDI's chips can do both serial and USB HID, so changing it to a HID device if needed - like for kernel-level memory wiping - is just a firmware change.
23:25 < BlueMatt> surprised it cant do usb msc too then
23:27 < petertodd> oh, I misspoke, HID isn't supported, something called "FTDI direct" is
23:29 < jgarzik> petertodd, that's what bfgminer/cgminer talk to, with most USB ASIC miners
23:29 < jgarzik> it's common
23:29 < petertodd> ah good, I can just copy that then
23:49 < Luke-Jr> jgarzik: cgminer stopped using kernel drivers entirely actually
23:49 < Luke-Jr> opting to just reinvent them in userspace for no reason
23:49 < jgarzik> nod
--- Log closed Mon Sep 16 00:00:43 2013
--- Log opened Mon Sep 16 00:00:43 2013
00:49 < amiller> bah my puzzle fix isn't as simple as i thought
00:49 < amiller> this is a little complicated
00:49 < amiller> i basically worked out that outsourcing is possible/encouraged by committing to new transactions before each attempt at mining
00:51 < amiller> because it's easy to put watermarks in the new transactions that would allow a server to basically prove it would be detected if it ran away with a client
00:51 < amiller> if it ran away with a clients' reward*
00:51 < amiller> so my solution is to move the reward-claiming and new transactions outside the work itself
00:52 < amiller> but that implies a problem for consensus
03:22 < gmaxwell> brisque: any coin can be made malicious, e.g. generate a coin with this tool and pay for the source, then wedge in their attack code.
03:22 < andytoshi> OP_ENGLISH, and again you need user intervention to validate
03:22 < brisque> andytoshi: almost as good as that altcoin that promised to perform denial of service attacks against the announcer of a new block.
03:22 < petertodd> andytoshi: OP_POSTMODERN_CRITIQUE
03:22 < CodeShark> gmaxwell: if you understand things well enough to wedge in some attack code, you probably don't need to be paying anyone to generate you your coin :)
03:23 < andytoshi> petertodd: yes! then you can just publish blank captchas and win all the coins
03:23 < petertodd> andytoshi: nah, doesn't work like that, the critique has to get more convoluted with each passing block to avoid being too derivative
03:23 < brisque> CodeShark: I think the idea would be that bluematt signs the clean source he originally makes to avoid that problem. it avoids the situation where bluematt is claimed to have backdoored a created altcoin.
03:23 < gmaxwell> in any case, zany features need to be dumb and trivial to implement.
03:24 < gmaxwell> e.g. five line changes.
03:24 < brisque> quantum blocks. if you observe them they become invalid.
03:24 < petertodd> gmaxwell: OP_RETURN_TRUE...
03:24 < gmaxwell> e.g. "fractal difficulty adjustment".
03:24 < CodeShark> I would prefer to just allow people to set all these parameters in a config file for bitcoind :)
03:24 < brisque> gmaxwell: the trend seems to be toward random block rewards or "bonus" blocks.
03:24 < CodeShark> and then the wizard would just output the config file
03:25 < petertodd> "replace IRC seed node mechanism with bitmessage"
03:25 < petertodd> "bruteforce IPv4 address space to find peers"
03:25 < brisque> oh I like that one.
03:25 < CodeShark> since all the alts would use the same codebase as bitcoind, only the bitcoind source would need to be signed
03:25 < petertodd> brisque: "bruteforce IPv6 address space to find peers"
03:26 < brisque> petertodd: require 65536 open ports to connect to peers.
03:26 < petertodd> oh, make the PoW algorithm be cracking the genesis block pubkey
03:26 < brisque> no, make the POW algorithm to be cracking Bitcoin's genesis block pubkey.
03:26 < andytoshi> making the script turing complete might be fun to watch
03:27 < gmaxwell> petertodd: forging a signature to spend the genesis block premined coins is better perhaps.
03:27 < petertodd> brisque: there is only one true genesis
03:27 < andytoshi> and then publish a transaction which mines for you :)
03:27 < gmaxwell> andytoshi: no one outside of this room does anything with script, it would be boring.
03:27 < CodeShark> allow dynamic linking from bitcoind to the hash function (and perhaps also the block reward rule)
03:27 < brisque> petertodd: true, most of them use litecoin's anyway.
03:28 < CodeShark> then you only need to sign the hash function module
03:28 < gmaxwell> petertodd: yea, how about the POW is attempting to forge a bitcoin transaction sending block 1's coins to 1GMaxwel...
03:28 < petertodd> gmaxwell: +1
03:28 < gmaxwell> petertodd: and then in the @#$@ed up chance that someone actually solves it everyone thinks I'm .. fuck bad idea! bad idea!
03:28 < brisque> BlueMatt: what are you going to do with the alert keys? I doubt anybody outside of the core developers even know how to use them..
03:29 < gmaxwell> brisque: the ltc devs know how to use them!
03:29 < brisque> BlueMatt: I actually checked a while back and most altcoins use litecoin's alert pubkeys.
03:29 < petertodd> brisque: make the alert system scriptable!
03:29 < BlueMatt> brisque: leave them unless I have motivation to change it...I'm banking on no one using any of this anyway...
03:29 < gmaxwell> yea, it needs some brainwallet stuff for the alert key.
03:29 < brisque> great, someone works out the brainwallet is "pumpkin" and shuts down squashcoin.
03:30 < andytoshi> make the addresses pronounceable, drop them to 40 bits or so so you can memorize them
03:30 < gmaxwell> brisque: well alert keys won't shut anything down ... until that feature is turned on.
03:30 < petertodd> gmaxwell: generate the alt-coin from a brainwallet, picking the options based on the seed
03:30 < BlueMatt> next steps: make scrypt work, pre-mine a single block on the server so that pulling up the first node gets you a peer like magic (and it doesnt say "500 days behind")
03:30 < gmaxwell> andytoshi: you joke but NXT coin does that.
03:30 < andytoshi> oh :(
03:30 < brisque> gmaxwell: isn't there a "safe mode" switch which makes the network a little unusable?
03:30 < gmaxwell> brisque: nah, not triggerable by alerts anymore.
03:30 < brisque> oh neat.
03:31 < brisque> wiki needs updating, everything I learn is antiquated.
03:31 < brisque> oh no it doesn't. I didn't read properly.
03:32 < petertodd> BlueMatt: make the PoW function a simulation of monkeys typing out hamlet
03:33 < andytoshi> the PoW should be forging signatures ... and it costs extra to set your own actual signing key
03:35 < gmaxwell> petertodd: thats starting to sound like the 'poetry' part of the solidcoin 2.0 POW.
03:35 < petertodd> gmaxwell: do tell
03:35 < CodeShark> anyone wanna try using a new GUI tool for creating and signing m-of-n transactions?
03:35 * andytoshi hopes this poetry thing isn't real..
03:36 < CodeShark> gmaxwell: I got rid of that annoying boost_log dependency :)
03:36 < andytoshi> i have tried CodeShark's thing, it's pretty slick
03:36 < brisque> CodeShark: is it something portable? willing to try it if I can.
03:37 < CodeShark> it's been tested in linux and windows 8, currently working on a mac build and a windows 32 bit build
03:37 < CodeShark> unfortunately, I don't have binaries nor full packages ready yet
03:38 < gmaxwell> petertodd: the pow has a little 6th grade level rant about some of the people 'realsolid' dislikes that it hashes over and over again.
03:38 < brisque> CodeShark: have a repository I can clone?
03:38 < petertodd> gmaxwell: that's... spectacular
03:39 < nessence> CodeShark: I'd love to. I may be able to get it built on a mac too
03:41 < gmaxwell> ohh.. whats that actress that has that unflattering picture she wants taken off the internets? make that part of the pow.
03:42 < petertodd> gmaxwell: heh, or just go full-retard and make the pow be the utxo set...
03:42 < gmaxwell> BlueMatt: in any case, what you should do is make it clear that you're willing to operate as a market for new features. E.g. someone can submit a patch to you, and you'll give them a share of the revenue.
03:42 < BlueMatt> hmm, that would be fun
03:43 < andytoshi> yeah, you'd get way better stuff than we can come up with
03:43 < andytoshi> that realsolid thing is classic
03:43 < gmaxwell> well, dunno. you'd get _more_ stuff.
03:43 < gmaxwell> plus it would be stuff that comes with patches.
03:44 < BlueMatt> whatever generates lots of use
03:52 < michagogo|cloud> 10:41:13 <gmaxwell> ohh.. whats that actress that has that unflattering picture she wants taken off the internets? make that part of the pow.
03:52 < michagogo|cloud> gmaxwell: *
04:07 < justanotheruser> gmaxwell: what, miley cyrus?
04:07 < justanotheruser> And her proof of twerk?
04:07 < justanotheruser> (joke stolen from someone else)
04:24 < gmaxwell> hah
04:24 < gmaxwell> Wizards may enjoy my curmudgeonly response: https://bitcointalk.org/index.php?topic=395468.0
04:28 < brisque> I like the idea of trying to implement a high cost KDF but without the high cost.
04:30 < brisque> the lines about sha being compromised are completely irrelevant in the terms of a brainwallet anyway, the expensive bit is always going to be the ECDSA. 04:31 < brisque> and if you knew the private key to be able to attack the hash.. well then you don't need the original phrase anyway. 04:38 < gmaxwell> brisque: the conversion to a pubkey is much faster than a good KDF should be for a "brainwallet" (if you must have a brainwallet at all) 04:38 < gmaxwell> but 200 (lol) iterations of a regular hash function doesn't really help 04:41 < brisque> gmaxwell: it's such a broken concept anyway, yet people just want to keep on making it worse. 04:45 < gmaxwell> brisque: thats what my last bit was trying to say, I don't know how many ways I can say it. 04:45 < gmaxwell> It's not getting through. 04:49 < CodeShark> what about "no matter how you implement it, it sucks. give up!" 07:22 < michagogo|cloud> BlueMatt: You may want to mention the 0.01 BTC cost on Coingen before the parameters are entered 07:23 < michagogo|cloud> s/.0/./ 07:32 < michagogo|cloud> ;;later tell BlueMatt As of Magiccoin, line 9 in version.cpp still refers to Bitcoin-Qt 07:32 < gribble> The operation succeeded. 07:33 < brisque> michagogo|cloud: you paid for it? 07:33 < michagogo|cloud> brisque: nah 07:33 < michagogo|cloud> magiccoin is already paid for 07:33 < brisque> oh neat. 07:34 < michagogo|cloud> (I created WZC, wizardcoin, for this channel if anyone feels like paying 0.1 BTC to 1M5JxepsgUqXQ5gpV76ncxZ2UhT8K1oaZ9) 07:34 < brisque> might want to make sure there's a backend behind them and not just placeholders. 07:35 < michagogo|cloud> Hmm, what do the coingen coins use for bootstrapping? 07:35 < brisque> nothing at the moment. bluematt is planning on making a dummy server for boostrapping. 07:35 < adam3us> isnt a .1 btc fee a barrier to entry? 
isnt the point of coingen to lower the barrier to entry (so people who dont know how to do archane things like use compilers also get to innovate) so we get more crypto currency innovation like dogecoins 07:36 < brisque> adam3us: I think they're being revised eventually 07:36 < adam3us> brisque: is there a website? 07:37 < brisque> adam3us: http://coingen.bluematt.me/ 07:39 < brisque> michagogo|cloud: there's actually references to bitcoin everywhere, needs a quick run through to change them all to xcoin before compile time. 19:46 < andytoshi> one of maaku's 17 million projects is an automatic p2p joiner 19:46 < andytoshi> but idk if that's usable right now 19:48 < sipa> well, i don't think you can't expect any measurable uptake without any serious wallet application having integration or even automatic using it 19:49 < pigeons> are the sessions submitted at https://www.wpsoftware.net/coinjoin/ shared with http://xnpjsvp7crbzlj3w.onion/ ? 19:51 < pigeons> since there is such low usage i would want to submit to the one that gets the higher chance of someone else submitting a transaction if not 19:51 < andytoshi> pigeons: yes, they are the same site 19:51 < pigeons> thanks 19:51 < andytoshi> the .onion gets routed to the wpsoftware.net one at my tor node 19:52 < andytoshi> (and the webserver is on the same hardware as my tor node) 19:53 < maaku> andytoshi: haha yeah i got way too much going on right now 19:54 < maaku> i need to focus on finishing just one of them 19:54 < maaku> i'm reworking the protocol messages to include multiple bucket sizes and explicit fees 19:55 < maaku> but that stalled while i was working on the utxo validation index bips 19:55 < maaku> i'm going to work the python proof-of-concept to the point where you can do joins from the command line 19:56 < maaku> and I got an offer from someone else to handle the messaging via bitmessage + tor 19:56 < maaku> but after that, I'd rather see it reworked into C++ and integrated into (a fork of) the 
reference client directly 19:56 < andytoshi> oh, nice 19:59 < maaku> i'm hoping that the work i'm doing will be the foundation of a future protocol extension everyone uses 20:00 < maaku> but i have no illusions of it happening quickly :) 20:00 < nOgAn0o> SEND BTC FOR 50% GUARANTEED PROFIT.. EMAIL ME AT NOGANOO@LIVE.COM WITH YOUR ORDER! I HAVE AN EXCHANGE EXPLOIT! 1CL67LZ94WUExLe9ZpKZfFMFJKwVEZqyDM 20:07 < nsh> really? 20:08 < nsh> (gmaxwell) 20:09 < pigeons> if i send you btc isn't that 100% profit for you rather than 50%? 20:09 < sipa> who has op here? 20:13 < nsh> gmaxwell has done all the +b that i've seen 20:14 < nsh> ty 20:19 <@gmaxwell> I was the only +o in here, but I've now added +o to petertodd amiller adam3us sipa warren maaku jgarzik Luke-Jr (top talkers in here) 20:19 * maaku fantasy power trips 20:23 < nsh> ULTIMATE POWERRRRR 20:25 < gmaxwell> andytoshi: you might want to make the there is no current messages include a "Go to https:// to start one." 20:27 < nsh> +1 20:28 < andytoshi> oh, hey, that's a great idea 20:29 < andytoshi> there we go 20:29 < andytoshi> (i'm going to do all my testing on #bitcoin from now on for advertising purposes) 20:29 < andytoshi> so far i've netted -0.0006btc on this joiner, by participating in pretty-much every join :P 20:31 < nsh> ballads will be sung for generations to come of your entrepreneurial acumen :) 21:08 < Luke-Jr> andytoshi: what testing? #bitcoin is explicitly non-logged FYI 21:10 < andytoshi> Luke-Jr: coinjoin 21:10 < andytoshi> log testing i do on #andytoshi :P 21:10 < andytoshi> but thx for the heads up 22:34 < gmaxwell> T-25 minutes for andytoshi's coinjoin. Time to prep your transactions if you're joining. 22:34 < andytoshi> 0.5 btc outputs 22:35 < andytoshi> i guess i should prep mine.. 23:01 < gmaxwell> ;;balance 1ForFeesAndDonationsSpendHerdtWbWy 23:01 < gribble> 5.46e-05 23:02 < andytoshi> lol 23:03 < andytoshi> does anyone know who did that? 
23:03 * nsh is confused
23:04 < gmaxwell> told you that you should have made it a spendable address!
23:04 < nsh> oh
23:04 < gmaxwell> ;;cjs
23:04 < gribble> Coinjoin Status: current session is open for 16 more minutes. There are currently 3 transactions in the pot. The most popular output value is 0.5.
23:06 < nsh> what's the current 'accessibility' of coinjoin?
23:06 < gmaxwell> andytoshi: ^ that should probably say max(count(most_popular),ntransactions) to avoid disclosing the number of players when it wouldn't be obvious from the inputs.
23:06 < gmaxwell> nsh: you can use andy's thing if you can spend via a raw transaction.
23:07 < gmaxwell> It's actually slightly safer than a normal raw transaction, since it prevents the common all-coins-to-fees failure mode.
23:07 < andytoshi> hmm
23:07 < nsh> how hard would it be to let any-random-noob perform the rawtx spend safely?
23:08 < nsh> (i assume it would be better for privacy if the barrier-to-entry for coinjoin was as low as possible)
23:08 < nsh> or bc.i users can do it now?
23:09 < gmaxwell> nsh: yea, ultimately there needs to be dumb wallet integrated tools. But getting there requires more experience with the technology, so tools like andy's n00b unfriendly one are a stepping stone.
23:09 < nsh> right
23:09 < gmaxwell> nsh: bc.i has something they're calling "coinjoin" which is really only kinda coinjoin. As it depends on you trusting bc.i to do the right thing.
23:09 < nsh> (wasn't being critical in any way, just wondering how to increase the utility)
23:09 < nsh> but i guess not trusting bc.i much more than people already do?
23:10 < gmaxwell> (really part of the premise I had in promoting this style of txn is that we can't really get wide adoption if its predicated on additional trust, because the trust is a cost too)
23:10 * nsh nods
23:10 < gmaxwell> yea, if you're already using Bc.i you're already exposed, it's not really too much worse.
23:10 < nsh> right
23:11 < andytoshi> gmaxwell: what should the display say if i'm actually publishing max(count(most_popular),ntransactions) ?
23:11 < andytoshi> "there are something like 3 transactions in the pot"
23:12 < gmaxwell> andytoshi: "there are ~N transactions in the pot"
23:13 < nsh> the awesome liability-reducing power of the tilde
23:13 < nsh> :)
23:28 < andytoshi> holy shit, these cj's get confirmed fast
23:28 < andytoshi> less than a minute this time
23:29 < nsh> there's good marketing for you :) "want faster confirmations *AND* increased privacy? use coinjoin!"
23:29 < gmaxwell> andytoshi: I guess you should share a link to the txn in #bitcoin, worth the slight loss in privacy to show people that its real.
23:30 < nsh> (just add a tilde if it's not actually faster on average)
23:31 < andytoshi> i've got to jack up the required fee tho, that time the fee was 0.00035786
23:31 < andytoshi> and i only demanded 0.00024 from people, so it's possible that i wound up paying most of that myself
23:32 < andytoshi> :S
23:33 < nsh> charge slightly over the odds and disburse the difference as a faucet or something
23:33 < nsh> maybe
23:33 < gmaxwell> andytoshi: set fees to whatever sane value you think they need to be to get people to use it, I'll pay you out of the CJ bounty fund (or, if the other signers don't agree, out of my own pocket) later.
23:34 * nsh nods
23:35 < andytoshi> well, i'm not too concerned about the personal loss, but rather what happens when i'm not involved with a join
23:35 < andytoshi> i suppose i could attach a faucet..
23:36 < andytoshi> right now, the only person outside of this channel i've heard comment on the fees said they were "practically nothing"
23:37 < gmaxwell> really the problem with the fees is that they dork up going from round valued outputs to round valued outputs.
23:37 < andytoshi> yeah, that's really irritating
23:37 < nsh> could you have a dummy input and output in every join that soaks up the fee, ehm, jaggedness?
23:38 < nsh> (from some holding wallet run as part of the service)
23:38 < nsh> no, that doesn't make sense
23:38 < gmaxwell> right. :P
23:38 < nsh> shh, it's late
23:39 < gmaxwell> andytoshi: could do that if he basically gave people fee tokens. e.g. send in some coin to andy and he gives you a fee token, and then you can use that in multiple txn to pay your fees (meaning andy just pays them). But it's a lot of complexity too much for a simple manual process.
23:39 < andytoshi> well, if it was always us, i could do something like that, since i trust that people here would pay up if i asked
23:39 * nsh nods
23:39 < andytoshi> i definitely don't want to add complexit
23:39 < nsh> you even simplified the word!
23:40 < nsh> :)
23:40 < andytoshi> for now i bumped the fee up from 8000 to 10000 satoshi, since that's rounder ;)
23:40 < gmaxwell> yea, but I suspect we'll not learn more if it's just us. What I think we should try doing is these daily ones for a few days and see if we get any more players.
23:40 < andytoshi> and in this case, we would have paid the minimum network fee even if everyone had only given 10k sat
23:40 < nsh> i wonder if you could make it a wee bit "gamier" to entice people
23:41 < nsh> (not quite gambling, but some chance element that adds 'fun')
23:41 < andytoshi> it's tough without increasing complexity .. i could do something like give all the donations to a random participant
23:41 < andytoshi> but then they'd have to provide an additional address alongside the rawtx
23:41 < gmaxwell> well and then you'll un round one of my pretty round coins. you bastard. :P
23:41 < nsh> but can that be done without trusting that you aren't getting backhanders to pick certain people to win?
23:41 < andytoshi> :P
23:42 < andytoshi> nsh: lol nope
23:42 < gmaxwell> nsh: not without making it more complex.
23:42 < nsh> is there a way to add some randomness to dispersal in script
23:42 < nsh> i thought there was an OP that gave a random bit...
23:42 < nsh> as an artefact of something or other
23:42 < gmaxwell> there isn't but there are ways to do that but not without making it more complex.
23:42 < nsh> ok
23:43 < gmaxwell> part of the point is that these txn should be generally indistinguishable from ordinary ones except perhaps that they have many equally sized outputs.
23:43 * nsh nods
23:43 < gmaxwell> so that they're hard to exclude from tracing tools, and if a tracing tool starts excluding them, it'll be easy to make 'fake' CJ transactions.
23:43 < nsh> hmm, how would that help?
10:04 < pigeons> not too dumb, just less concerned about the ideals of the issue and more concerned with getting a transaction done
10:05 < jtimon> so I could as well make a falsefreicoin covenant with a demurrage that goes to me instead of miners
10:05 < jtimon> sell them into existence for bitcoin at 1:1 ala mastercoin
10:06 < jtimon> but if bitpay moves from bitcoin to falsefreicoin nobody will notice the difference
10:06 < adam3us> jtimon: it might work :) look at all the scamcoins
10:06 < jtimon> scams work for a while
10:06 < pigeons> and external factors will use these tools to force the social and economic environment so that using amlcoin is either simpler and easier, or the only option for the things the user/business/customer wants to do
10:06 < jtimon> let's see how the scamcoin thing looks in a year
10:07 < adam3us> jtimon: so you agree that bitcoin with no access to exchange services is almost certain to have a lower price?
10:07 < adam3us> jtimon: indeed i hope the scam coins all die :)
10:08 < jtimon> would have a much lower price, yet, I just don't believe anything in the world can close all bitcoin exchanges at once
10:08 < pigeons> no access to large public, in the open, exchange services? because exchange services can take many forms
10:08 < jtimon> why would btcchina care about nsacoin?
10:08 < pigeons> why does it have to be at once?
10:08 < adam3us> jtimon: and similarly i agree with your concept that a freecoin is worth more than an amlcoin in a way slightly perhaps analogous to virgin coins being apparently already worth a premium over used coins
10:09 < pigeons> it inches toward more useful to merchants and users as bitcoin inches away from it
10:09 < adam3us> jtimon, pigeons: well access to btc-china for non-chinese resident is not given. watch the 10% spread bitstamp to mtgox.
10:09 < jtimon> pigeons if it's one by one, btc will start with more exchanges than nsacoin and your arguments are reversed: nsacoin are worth nothing because you can only trade them in 1 exchange
10:09 < stonecoldpat> adam3us: do you mean that a freshly minted coin from miners, has a premium over previously used coins?
10:10 < adam3us> stonecoldpat: apparently yes. there was someone selling virgin coins for a premium
10:10 < stonecoldpat> haha fantastic
10:10 < pigeons> well my argument isnt about price, im not concerned with the price, im concerned that amlcoin adoption and usage forces out bitcoin adoption and usage
10:11 < adam3us> pigeons: yes but jtimon asserts that the freecoin->amlcoin leakage would be stemmed if freecoins become worth a lot more than amlcoin so the price comes into it. i expect the reverse in net tho there are economic forces pushing in both price directions
10:11 < jtimon> stonecoldpat: I think only if they can buy them anonymously since this way "nobody" knows the source
10:13 < stonecoldpat> jtimon: yeah i guess so - its quite interesting it has a premium, i guess zero coin should be renamed virgin coin - although the coins link to prev transactions is defo an interesting problem
10:14 < adam3us> jtimon: i would like it if this were the outcome (two alt form, and most people dont use amlcoins) however the regulators have high control over the interfaces to the banking network so it seems the loss of fungibility would create a stronger price down force than the freecoin preferring audience would be able to counter with their economic preference
10:14 < stonecoldpat> although removing a coins link* to prev transactions is defo interesting
10:15 < adam3us> stonecoldpat: i suppose another indication is apparently people pay fees to mix coins to reduce the link
10:15 < pigeons> i think even without building toolkits to give regulators/etc an easier time, it will still be an uphill challenge to keep this sort of thing from happening through less technical means not integrated into the protocol
10:16 < stonecoldpat> adam3us: yeah ive seen that mentioned in a few papers (think someone thought of a protocol to do it too without third party?), if i had bitcoins to mix i personally wouldnt trust them though
10:17 < jtimon> stonecoldpat: coinjoin solves it by anonymous p2p mixing
10:17 < jtimon> coinswap is even more effective
10:17 < adam3us> pigeons: yes. bitcoins decentralization comes from users controlling code. what happens when microsoft makes an auto-updatable microsoft bitcoin wallet, or apple. lots of captive users subject to the proxy decisions of central risk point with a history of government backdoors/over-compliance
10:18 < adam3us> stonecoldpat: yes coinjoin does that (trustless mix, the mix cant take your coins)
10:19 < pigeons> not that innovation should be abandoned because it can be abused, but the potential consequences should be taken very seriously
10:19 < adam3us> pigeons, jtimon: i'd sooner focus energy on trying to architect to defend against that kind of centralization risk (eg committed tx) than getting too far with potentially decentralization-risky expansion of script language power
10:20 < adam3us> pigeons: which is to say probably covenant risks were considered by satoshi during his selection of the script-language. i expect.
10:21 < adam3us> road to hell is paved with good intentions, pragmatic programmers, fun science experiments etc.
10:21 < pigeons> hey, we can learn whatever lessons we can from freimarkets authorizers and such hopefully
10:21 < jtimon> adam3us: maybe satoshi didn't think that much about the language choice
10:22 < jtimon> of course p2p currencies rely on free software, despite Nestcoin users ignoring that
10:22 < adam3us> pigeons, jtimon: well just to say consider virality risk as a security defect, and make sure new script features dont introduce it.
10:22 < jtimon> what is the committed transactions risk?
10:23 < adam3us> jtimon: committed-tx is a mechanism to reduce the policy control from centralization in miners.
10:23 < adam3us> jtimon: by making them mine on opaque blobs so they have no information to form policy decisions on (they cant tell who is paying who how much at the time of mining)
10:25 < jtimon> by the way, some of your argumentation against covenants sound to me like that: "bitcoin will fail because people will prefer easy-to-use proprietary clients and then they'll get screwed"
10:25 < jtimon> oh, I remember
10:25 < adam3us> jtimon: free software. yes but if someone commercial makes a nice shiny wallet, maybe people will use it. watch skype success while there were free FOSS voip at the same time
10:25 < jtimon> I thought it was another risk
10:26 < jtimon> again, unlike you I'm not very concerned about the censor miners "problem"
10:26 < jtimon> but that's not a problem with voip, only with skype
10:27 < jtimon> it's like saying "linux is flawed because many people prefer windows or macos"
10:27 < adam3us> jtimon: hmm yeah but i've been here before, was worried about CA risk, and it turns out that i was basically right, even tho everyone at the time was like ... nah they wouldnt do that, it would be detectable, etc and now we see the NSA spent billions doing just that.
10:28 < pigeons> i'll have to read that discussion. i've always been of the satoshi/luke-jr school that miners decide what transactions to include. but satoshi's views were from when all nodes were mining and there could be a wider marketplace for transactions
10:28 < adam3us> jtimon: its not a bitcoin flaw, but it could become a problem perhaps. clients are individually less powerful.
10:28 < jtimon> that's another fallacy adam3us, just because you were right that time it doesn't mean you're right this time, argument of authority
10:29 < adam3us> jtimon: ha ha, yes you are right. i just mean as an example that seeming paranoid by todays horizon of considerations doesnt mean you are wrong
10:30 < jtimon> nothing wrong being paranoid, I agree
10:30 < jtimon> just happens that the points where I get paranoid and where you get paranoid are not the same
10:30 < pigeons> jtimon: i agree with your characterization of the argument, "a danger to bitcoin is users taking least resistance paths" but i disagree that means "linux is flawed because of windows" i think its more "be aware of this tendency and engineer more p2p enabling choices to be least resistance"
10:31 < adam3us> pigeons: yes committed tx aims to change that. miners have no clue what they accepted. users choose. pairs of consenting users should be able to pay each other with no censure, or decide their own policy.
10:32 < jtimon> I agree that having an in-chain anonymous transfer mechanism could be good for several reasons
10:32 < jtimon> I think it could operate alongside a "public" one
10:33 < jtimon> but I tend to like more petertodd's inputs-only transactions (although it's less developed)
10:33 < adam3us> jtimon: there is an argument that if miners became too centralized, they may try to block non-public ones (or transactions with non-public xfer in their history)
10:34 < jtimon> maybe because I tend to get lost in your crypto spell scrolls...I mean...formulas
10:34 < jtimon> yeah, we discussed it other day at length
10:35 < jtimon> my argument was that censor miners would rapidly go out of business
10:35 < adam3us> jtimon: the counter argument is that if clients consider evidence of suppression of non-public xfer as an invalid mining event, then hostile miners form an alt-coin with no users, and so they make no profit
10:35 < adam3us> jtimon: i agree. its like the amlcoin argument u made in some ways.
10:35 < jtimon> of course, I was assuming the distribution has ended, that risk is higher now I guess
10:36 < adam3us> jtimon: not if its done right because users would ignore those miners, so the hostile-miner is on a chain that becomes orphaned or like an alt-chain that is irrelevant
10:36 < jtimon> and I guess is also good that freicoin only has 3 years of issuance ;)
16:08 < adam3us> also the race is not normally random either - i would think the proportion of legitimate first within the propagation delay would be in relation to mining power, as even within the 15 sec propagation delay probably mostly its not that close
16:09 < adam3us> (driving the proportion the network that believes each win is first)
16:10 < amiller> is there a bitcoind command to inspect the trickle queue
16:10 < gmaxwell> I've also been thinking about in and out separation. What if a node was really two nodes from the perspective of transaction relaying: one that only has outbound edges, and one that only has inbound edges. The outbound edged node would be protected from self selecting connectors without a sybil attack.
16:10 < amiller> like to see the current number of elements in there, average time each items been in there, etc
16:10 < gmaxwell> amiller: gdb and go find them? :P
16:10 < amiller> thx :)
16:13 < adam3us> can multiple miners in a pool vote for different fork? i think so when the client is doing its own validation?
16:14 < gmaxwell> adam3us: only p2pool. absent bitpenny, solo mining, and p2pool the only miners are the couple pools. The 'miners' people with hardware are mostly just people who are selling SHA256 computation to actual miners. They have very little visibility and basically no control over the mining process.
16:15 < gmaxwell> Luke was pushing for people to migrate to the getblocktemplate protocol which would have substantially put hashers in the mining loop... but slush did an endrun with a secretly developed protocol (stratum), which won in the market place because it used less bandwidth... but left hashers as blind as they are with getwork.
16:16 < adam3us> gmaxwell: that sucks - i thought getblocktemplate was the future
16:17 < gmaxwell> Luke's BFGminer software does make _some_ use of the limited visibility that exists from the block headers. E.g. it can detect when a pool tries to mine a fork against its own prior work and can then switch.
16:17 < gmaxwell> adam3us: well, maybe it is still.. since subsequently we did come up with another way of using it which is lower bandwidth. ("coinbase only mining" e.g. you only get your coinbase txn from the pool, everything else you do locally, and you merge the coinbase from the pool with your local work)... but the software for that doesn't exist yet.
16:18 < adam3us> so eligius at 15% plus whatever % direct mining < 18% so then the remaining 67% is a blind slave to a miner
16:18 < gmaxwell> People do use GBT some, but as said stratum is lower bandwidth (because it doesn't send transaction data to miners) and really most hashers don't actually understand the tradeoffs here.
16:18 < Luke-Jr> adam3us: GBT is still the future - just further out now
16:19 < gmaxwell> Even most of eligius' miners are on stratum, as eligius supports stratum too (can't deny the market)
16:19 < Luke-Jr> now it needs to wait for the ability to compete on bandwidth with stratum, instead of just getwork
16:19 < phantomcircuit> gmaxwell, that also has the problem that the pool then has to do a ton of work to verify the submitted shares
16:20 < Luke-Jr> or at least a strong advantage
16:20 < adam3us> it seemed to me you could talk udp to a pool; just send it partial wins of what ever difficulty chunk you like
16:20 < Luke-Jr> phantomcircuit: not really
16:20 < gmaxwell> Luke-Jr: another way GBT could be used is to turn a pool's hashers into fast block announcers the way p2pool does.
16:20 < phantomcircuit> Luke-Jr, with coinbase only?
16:20 < phantomcircuit> Luke-Jr, that's what i was talking about
16:20 < gmaxwell> phantomcircuit: no they don't. Beyond spot checking accidental misconfiguration ... the intentional case is precisely identical to blockwithholding which can _never_ be detected.
16:20 < Luke-Jr> phantomcircuit: you can cache most of the hashing
16:21 < Luke-Jr> gmaxwell: bfgminer does support that, but I don't think anyone uses it :/
16:21 < adam3us> so far it seems like even GBT is handing out work, this is unnecessary; the client can choose a random starting point and pay to pool address
16:21 < phantomcircuit> Luke-Jr, yeah im just saying that someone intentionally being a nuisance could continuously rearrange transactions
16:21 < adam3us> in that way the client can choose its own work size to suit its power
16:22 < Luke-Jr> adam3us: share difficulty must be predetermined at least
16:22 < gmaxwell> adam3us: you can send flags to GBT, e.g. request only a coinbase (+header).. I don't think such a flag exists today but it would be trivial to add.
16:22 < phantomcircuit> adam3us, as it stands most pools are issuing 64bits of work per stratum notify
16:22 < Luke-Jr> gmaxwell: pretty sure it does, just not implemented yet
16:22 < phantomcircuit> which is tons
16:22 < adam3us> phantomcircuit: my point is its a waste of interactive bandwidth and round-trips
16:22 < Luke-Jr> phantomcircuit: but stratum can only subdivide in 8-bit chunks, so multiple proxies would chew it up fast
16:22 < adam3us> all you need technically is the pools reward address
16:22 < gmaxwell> Luke-Jr: we could promote miner announcement as a feature which helps with this silly news (in two ways, prevents a pool from being a delayer, and also makes honest pools faster to announce)
16:23 < Luke-Jr> adam3us: for some pools..
16:23 < phantomcircuit> Luke-Jr, well... theoretically you could allow miners to just submit anything with the right prevblock hash and coinbase output then calculate the apparent difficulty of the share and use that instead
16:23 < phantomcircuit> Luke-Jr, it would be fair but only over a large sample
16:23 < gmaxwell> phantomcircuit: no you can't!
16:23 < gmaxwell> phantomcircuit: would you give 25 btc to every miner who finds a block? :P
16:23 < phantomcircuit> gmaxwell, yeah you can but it ends up being a mini lottery
16:24 < phantomcircuit> gmaxwell, no?
16:24 < adam3us> gmaxwell, Luke-Jr: well if someone can figure out a way to reduce miner centralization while addressing the story that would be a nice side-effect win
16:24 < gmaxwell> phantomcircuit: thats what using the apparent diff would do. :P
16:24 < phantomcircuit> gmaxwell, uh no it wouldn't
16:24 < gmaxwell> phantomcircuit: sure it would ... what is the value of a diff 510929738.01615179 share
16:24 < gmaxwell> also WTF HAPPENED TO THE DIFFICULTY
16:24 < gmaxwell> did it just nearly double?!@$#
16:25 < gmaxwell> like .. I thought it was 310 this morning?!
16:25 < phantomcircuit> gmaxwell, nodes would be incentivized to submit everything they found
16:25 < phantomcircuit> so you'd get flooded with diff=1 shares
16:25 < phantomcircuit> technically it would work but it would be super annoying
16:25 < phantomcircuit> and also pointless since you could just count everything as 1
16:25 < Luke-Jr> gmaxwell: there http://bitcointroll.org/?topic=324413.msg3492597#msg3492597
16:26 < gmaxwell> phantomcircuit: in any case, GBT has what is needed, minus someone implementing a request flag to say "don't send any transactions" and a response flag that says "I'll pay you so long as you have this coinbase, you can change everything"
16:26 < gmaxwell> Luke-Jr: can you add some config examples for BFGMINER?
16:26 < gmaxwell> e.g. how do you configure the announcement?
16:26 < phantomcircuit> Luke-Jr, ha that's neat
16:27 < Luke-Jr> gmaxwell: I think you put #allblocks in the bitcoind pool URI
16:27 < gmaxwell> Luke-Jr: also, you should revise to say "it's not possible for pools to do this without miner cooperation" or something like that.
16:27 < Luke-Jr> -o gbt.mining.eligius.st:9337#allblocks
16:27 < Luke-Jr> err
16:27 < Luke-Jr> -o un:pw@localhost:8332#allblocks
16:27 < gmaxwell> Luke-Jr: cool, so you can even announce to other pools in addition to local stuff.
16:28 < gmaxwell> like -o 1apple:x@gbt.mining.eligius.st:9337#allblocks -o un:pw@localhost:8332#allblocks ?
16:28 < Luke-Jr> gmaxwell: like this?
16:28 < Luke-Jr> http://bitcointroll.org/?topic=324413.msg3492597#msg3492597
16:28 < Luke-Jr> gmaxwell: you *can*, but they'd likely reject it :P
16:29 < Luke-Jr> http://codepad.org/oKSM9yUT
16:29 < gmaxwell> Luke-Jr: you should fix eloipool to accept notification of blocks that way. :P
16:29 < Luke-Jr> gmaxwell: ?
16:29 < Luke-Jr> oh, .. maybe
16:29 < gmaxwell> Luke-Jr: e.g. if someone mining on another pool finds a block and submits it to you, might as well take it and give it to bitcoind... though you might do some sanitization to prevent DOS with old blocks.
16:30 < Luke-Jr> gmaxwell: yeah, hard to do because to check we'd have to hash the block
16:30 < gmaxwell> In any case, post "just add -o un:pw@localhost:8332#allblocks as a backup pool to bfgminer and it will send all blocks you find to your local bitcoin daemon"
16:30 < gmaxwell> Luke-Jr: just check the prev== current prev. and difficulty over target. thats enough..
16:30 < Luke-Jr> gmaxwell: checking difficulty means hashing it
16:30 < gmaxwell> just hash the header.
16:31 < gmaxwell> check prev, which is a compare, hash the header which is what you do to check if a share is good already, no?
16:31 < gmaxwell> an advantage of getting people to put eligius in their configurations is that you turn other pool's miners into block monitoring drones for you.
16:31 < gmaxwell> Plus you get people to setup eligius as a backup pool.
16:32 < gmaxwell> (some of whom won't care if they get paid if it falls over to it....)
16:32 < gmaxwell> plus you can announce it as a change you made to address the issue, which sounds nice.
16:34 < Luke-Jr> gmaxwell: currently we check the user and coinbase-scriptSig-prefix are known before we hash
16:34 < Luke-Jr> and wizkid057 is whining about server overload stuff, although I can't imagine why it'd overload so easily
16:37 < gmaxwell> Luke-Jr: sounds broken, the hashing of the header should be superduper fast. hm.
16:37 < Luke-Jr> not faster than comparing two strings :P
19:49 < petertodd> sipa: that's not what I mean actually, I mean does the script have access to things like txins, txouts, blockchain headers?
19:49 < sipa> petertodd: for bitcoin, no
19:49 < jtimon> jrmithdobbs I mean simpler than Joy, not simpler than the current one
19:49 < sipa> petertodd: well, generalizing the hashtypes may be useful
19:50 < maaku> sipa: if you give the script access to the transaction, block header, and utxo data, a lot of interesting covenant-related stuff becomes possible
19:50 < sipa> but that's not really an interesting discussion - i'm being intentionally conservative here
19:50 < gmaxwell> maaku: it's pretty hard to write a compact script to do things with that access however.
19:50 < petertodd> sipa: yeah, where I'm really more focused on something you'd need for MSC, day job and all :P
19:51 < gmaxwell> It would be nice if people would write some hypothetical scripts.
19:51 < maaku> gmaxwell: hard to write a compact script? howso?
19:51 < petertodd> gmaxwell: that's also on my priorities list
19:51 < gmaxwell> E.g. we know that enabling xor or add on hash outputs gets us a bunch of things, and what we have to do to get those things.
19:51 < maaku> do you mean the interpreter, or the script(s)?
19:52 < gmaxwell> maaku: no, go write a script using the disabled opcodes and a hypothetical PUSH_OUTPUT_N and PUSH_INPUT_N that achieves a non-trivial covenant.
19:53 < gmaxwell> it's pretty easy to end up with a painfully complicated script just to do something conceptually simple.
19:53 < petertodd> maaku: you ever written any assembler code?
19:53 < maaku> ok, you mean in bitcoin script, yes
19:53 < sipa> jtimon: an AST is really equivalent to a stack language where every operation only consumes the N last entries (with N known before evaluating them) and produces a single one
19:53 < maaku> petertodd: look at the scripts we have in the back of the freimarkets paper ... yuck
19:53 < sipa> and you end up with a single output
19:54 < jtimon> sipa, yeah, this http://en.wikipedia.org/wiki/Abstract_syntax_tree
19:54 < maaku> that's why I'd like a more powerful scripting language - even with opcodes re-enabled it's still a mess
19:54 < gmaxwell> maaku: but the problem with more powerful is that as soon as you color outside the lines you're back to a mess.
19:55 < sipa> jtimon: yeah sure, just saying that it can't be harder to implement, it's pretty much a subset of what we have now
19:55 < jtimon> I meant that something like joy seems more powerful, thus simpler for the scripting language users
19:55 < sipa> scripting language users?
19:56 < sipa> i don't care about that - go use a compiler if necessary
19:56 < jtimon> the hackers writing bitcoin scripts
19:56 < gmaxwell> sipa: well there are complications, because we'd want M-AST but the merkelization should be optional... because it doesn't make sense to merkelize something which is smaller than the hash and which you don't need to keep private.
19:56 < jtimon> sipa: good point
19:56 < jrmithdobbs> gmaxwell: btw speaking of language semantic stuff ... please go yell at someone to implement higher order kinds in rust so that functor can be implemented correctly already ;p
19:56 < gmaxwell> Thats what an assembler is for. Plus for any real use of this you'll want an assembler with a theorem prover in it so you can actually know if your script works.
19:56 < sipa> jtimon: i care about easiness by which an implementation (script interpreter) can be judged to be correct
19:57 < maaku> sipa: is there a specific AST that is a good match to bitcoin?
19:57 < sipa> give me a day and i'll write you one
19:58 < gmaxwell> E.g. when eligius proposed using a multisig script for controlling their emergency pool receiving address the policy they decided they wanted was (X and Y) or ((X or Y) and NofM(Q,R,Z...)) and we wrote a script to achieve that... but we had no way to tell for sure that it was safe!
19:58 < maaku> i just mean i'm wondering if you had something in mind, like lisp/scheme or the spineless, tagless machines of Haskell
19:58 < gmaxwell> and it wasn't so simple that you could just look at it and tell for sure it was safe.
19:59 < maaku> jtimon: btw theorem prover mentioned by gmaxwell is why you'd want static typing
19:59 < gmaxwell> (for _sure_ not just 'sure'... as it would potentially have hundreds of BTC assigned to it in a day)
20:00 < petertodd> gmaxwell: so these theorem provers, what kinds of languages don't they exist for?
20:00 < gmaxwell> so it would be nice if I could throw that into a theorem prover and ask it "is there any way to satisfy this script that doesn't provide sigX or sigY"
20:01 < jtimon> oh, gmaxwell, I forgot that open problem
20:01 < gmaxwell> petertodd: the provers themselves are separated from the languages, and there exist tools to convert code into inputs for them for a variety of languages.
20:01 < sipa> maaku: ok, there's a data stack that is initially populated with the script inputs (scriptSig data pushes), and a program, which is a serialized abstract syntax tree
20:03 < sipa> maaku: AST nodes are: access[i] (retrieves the i'th element on the stack, counting from the top, and returns it without modifying the stack)
20:03 < gmaxwell> In C I use a tool called frama-c that can drive a dozen different backend provers. (probably one of the best of the provers for proving things about program execution is http://alt-ergo.lri.fr/ )
20:03 < sipa> maaku: const[x] (just returns x)
20:03 < petertodd> gmaxwell: exactly, so I assume for non-turing complete AST's basically the provers are easier, but as you're saying, sounds like they exist for interpreted stuff as well - hence the desire to have a prover available is not directly a consideration for the language itself (at the consensus layer)
20:04 < jrmithdobbs> petertodd: they exist in compilers like he wants, even, for that matter
20:04 < jrmithdobbs> petertodd: (haskell does some forms of this during compilation)
20:04 < sipa> maaku: let(expr1,expr2), which evaluates expr1 and puts it on the stack, evaluates expr2 using that modified stack, and then pops the element again
20:04 < gmaxwell> petertodd: certainly the language design could influence how easy it is to have a prover. For C it's a complete cluster@#$@ and the provers are not terribly complete E.g. there is no _sound_ prover for the full C language.
20:04 < sipa> maaku: and then some basic arithmetic/crypto/string/... whatever operators
20:05 < maaku> sipa: i see. thank you this helps
20:05 < gmaxwell> petertodd: because things like pointer dereferences make life insanely hard for the provers. (though, they're not completely impotent)
20:05 < petertodd> gmaxwell: right, and again, this sounds like you're just getting pushed to what I've always thought is the most obvious way to do it: merklized forth
20:05 < sipa> maaku: you can map this indeed to a lazily evaluated functional language
20:05 < sipa> maaku: which would for example mean you don't need to evaluate expr1 in a let, if its expr2 never refers to it
20:05 < jrmithdobbs> also, I'm somehow watching 3 different conversations about this same basic subject in 3 different channels in the same window at the same time and I have no idea how that happened but it's confusing
20:06 < gmaxwell> yea, I do think that stack languages can result in easy life for the prover, though there is still the free variable of how types work.
20:06 < maaku> sipa: i've been favoring strict over lazy due to implementation complexity and risk of consensus errors
20:06 < maaku> does the laziness gain you anything?
20:06 < sipa> speed
20:06 < jrmithdobbs> sipa: tbqh, a limited haskell98 with no IO monad would be perfect and without IO the runtime gets tiny
20:06 < gmaxwell> maaku: if we merkelize the untaken branches it also can get you improved privacy and reduced program size.
20:07 < jrmithdobbs> sipa: something like fay
20:07 < maaku> jrmithdobbs: more than that Haskell core language is quite simple and probably something worth looking at, or the even more low level STG machine in GHC
20:07 < jrmithdobbs> sipa: which is haskell98->js compiler sans typeclasses (so no monads period)
20:08 < gmaxwell> maaku: e.g. if your transaction can be redeemed way X or way Y and Y is some 4of5 of 5 pubkeys ... then you (1) save all that space in the transactions spending it way X, and also (2) don't disclose the details of way Y unless you use it.
20:08 < sipa> yeah, adding a choose operator that evaluates one of two branches, and takes a hash for the other, is easy enough to add here
20:09 < gmaxwell> One thing to keep in mind is that what we put in a scriptsig does _NOT_ need to be a copy of the program. What goes into the scriptsig is a _witness_ that proves the program was correctly evaluated. This doesn't require including the whole program.
20:09 < sipa> yup
20:09 < jrmithdobbs> ya that's the key part satoshi missed i think
20:09 < gmaxwell> This mental model obviously applies directly to the snark stuff, but it even works in conventional execution.
20:10 < jtimon> gmaxwell not with p2sh, does it?
20:10 < sipa> so, to elaborate a bit further
20:10 < gmaxwell> jtimon: we're talking about a generalization of P2SH that works recursively, effectively.
20:11 < sipa> you associate a hash with every ast node
20:11 < maaku> gmaxwell: what was that point about merkelizing in response to?
20:11 < gmaxwell> sipa: I still think you need to have non-hashing nodes in your AST, because its wasteful to hash for a single operation.
20:11 < gmaxwell> 17:06 < maaku> does the laziness gain you anything?
20:11 < sipa> gmaxwell: yup, that's easy to do
20:12 < jtimon> gmaxwell so you're saying that without the snark you need the merklization for what you want, got it
20:12 < jrmithdobbs> that question seems so backwards to me
20:12 < sipa> instead of associating a hash with every node, you only associate one with every "tree piece"
02:33 < amiller> already there are other smaller bitcoin knockoffs like litecoin (which now has its own silk road, uh oh) that basically differ only because they go faster
02:34 < warren> amiller: I looked at their SR-clone, it is wayyy faster and a nice web design at least.
02:35 < warren> amiller: I'm concerned of their recent x10 price spike, and possibly more coming, only to be smashed by their complete lack of developers and an unmaintained client.
02:35 < amiller> there's been some thought into relativistic finance that is less interesting than bitcoin but still goes over some basic ideas: http://www.alexwg.org/publications/PhysRevE_82-056104.pdf
02:36 < amiller> that's the most famous one that basically says you want to place your hedge fund headquarters at the right spot between orbiting financial centers you want to possibly arbitrage between...
02:38 < amiller> ah dammit i can't find the last paper i wanted to show
02:39 < warren> I'm sorry for contributing to -dev devolving away from -dev.
02:39 < warren> I can't help it sometimes.
02:40 < amiller> yeah http://www.biosystems.physik.lmu.de/paperpdfs/money_momentum_p_a.pdf
02:41 < amiller> there's a view of how different currencies might interact
02:41 < amiller> it's an analogy to particles and anti particles and conserved quantities thereof
02:42 < amiller> it's interesting in part because it's about transferable credits associated with a particular issuer
02:42 < amiller> so as a financial model it's closer to opentransactions or ripple or even colored coins
02:43 < amiller> i think the two particles interacting is the right way to think about what would happen if coins between multiple chains needed to be transferred
02:45 < warren> you mean randomness
02:45 < warren> two manic depressive entities on each side of a trade
02:49 < amiller> not randomness
02:49 < amiller> more like localized atomic interaction
03:07 < andytoshi> amiller: i think coins across multiple chains is the right way to think about particles ;)
03:10 < amiller> there are some really interesting forms of money
03:10 < amiller> early forms of accounting basically
03:10 < amiller> since multiple currencies is really more about accounting than anything else
03:10 < amiller> http://www.jstor.org/discover/10.2307/40697984?uid=3739704&uid=2&uid=4&uid=3739256&sid=21101834916641
03:10 < amiller> the original tally, the 'split tally', is a lot more interesting
03:10 < amiller> than the tally you're probably used to just drawing things on boards
03:10 < amiller> it's a split tally, that sort of resembles bitcoins scriptsigs and scriptpubkeys
03:11 < amiller> where one piece is needed to be presented to redeem the value promised by the other
03:12 < amiller> there's also an old kind of money called the bulla
03:12 < amiller> https://en.wikipedia.org/wiki/Bulla_(seal)
03:13 < amiller> it was a way of sealing something valuable inside a lump of clay with seals on it so that it remained tamper proof
03:13 < amiller> so it's like carrier money
03:14 < amiller> old testament technology
03:15 < andytoshi> very cool
03:15 < andytoshi> i wish i had time to read up on all this stuff
03:18 < cads> thanks for the papers amiller
03:18 < amiller> glhf
07:43 < warren> So I want to learn how to programmatically interface with bitcoind. I figure it might be helpful to implement a SD-clone on testnet in order to encourage "realistic" garbage tx's to test the blockchain handling as we move forward with 0.8.1 hard-fork testing? Note that I disapprove of SD. I don't post this in -dev because I'm not sure about the legality of running a fake test money gambling service.
07:57 <@gmaxwell> "no no, your honor, testnet money is _double fake_"
07:57 < sipa> is "faking" nilpotent?
08:12 < warren> I realize that might be a stupid worry. I just don't want to broadcast intent like that for something that I would actually do if I'm not sure.
08:12 < warren> about the legality
08:13 < warren> and maybe this won't even be helpful? If so I'll do something else.
08:13 < warren> I just figure people actually USING testnet would be a good thing.
09:07 < warren> gmaxwell: and dude. I'm really sorry I've been annoying you these past few weeks. My stress has been really high trying to do this thesis all this time, and I have to learn better to deal with stress than to unproductively discuss crazy and unproductive things and make dumb jokes. When I'm past this a month from now, I really would like to learn more about Bitcoin and do things that are helpful. I would appreciate guidance if this current idea would be helpful or not.
09:09 <@gmaxwell> I don't think it's worth doing if you're not also interested in trying more efficient variations. If you just want to generate txn on the network you can do that without running a service.
09:16 < warren> oh. I figured random user behavior that mimicked the real network would be helpful for a simulation, but I guess it doesn't matter if we're only concerned with the quantity of transactions from block to block. The thing is I'm not really interested in thinking about or helping gambling to be more efficient. I think they should stop spamming the chain entirely, do most things in-house, and only payout when they withdraw.
09:28 < warren> OK, I'll think of something else more useful.
09:34 <@gmaxwell> warren: sure but you could artificially generate the 'random user behavior' in a way that was pretty faithful with basically no more effort, plus the advantage of repeatability and no risk or ambiguity about legality.
09:34 <@gmaxwell> e.g. it's only really interesting if the users are the subject of the experiment instead of the system.
09:39 < warren> gmaxwell: Watch the bitcoin mempool and reproduce those txn in testnet of similar quantity, KB size, age and fee behavior?
09:42 <@gmaxwell> yea, even make a model with parameters fit from the actual network. one fun test would be to also try on a private testnet with difficulty 0 (comment out the POW check) and see how fast it can run.
09:43 < warren> Oh. Accelerate the simulation. Don't wait for real-time mining.
09:44 < warren> gmaxwell: was testnet in a box fixed?
09:45 <@gmaxwell> warren: testnet in a box is fine but testnet in a box doesn't have the pow disabled. You can just isolate some regular testnet nodes and remove the pow check.
09:45 < warren> gotcha
09:45 < warren> g'nite
21:30 < andytoshi> has much thought been given to how an altchain could pay people to run full nodes?
21:30 < andytoshi> or bitcoin, for that matter..
21:47 <@gmaxwell> andytoshi: the best I have along those lines is "validation is mining", where you have a POW which is a memory hard function based on performing UTXO queries.
22:58 < andytoshi> i wonder if simply charging for IBD would do it
22:58 < andytoshi> though i suppose there's probably no way to get bitcoins for payment until you've got a blockchain :P
22:59 < warren> IBD?
22:59 < sipa> initial block download
23:05 < warren> gmaxwell: how would that POW be transmitted and kept track of?
23:06 < warren> oh. I see. nevermind.
23:22 <@gmaxwell> andytoshi: charging for IBD == ~no one validates. In general the whole idea of blockchain consensus's security involves assuming that an attacker can't partition the network "because information wants to be free" hard to hide the best chain.
23:27 < warren> gmaxwell: was your earlier comment a suggestion that an alt chain to pay for validation would be a good idea?
23:32 <@gmaxwell> warren: No. Try reading andytoshi's question again.
23:33 < warren> argh. sorry. back to thesis.
23:53 < andytoshi> warren: i'm also working on a thesis, i understand ;)
23:53 < andytoshi> wait, not a thesis, a term paper..
--- Log closed Sat Mar 16 00:00:26 2013
--- Log opened Sat Mar 16 00:00:26 2013
04:46 < cads> has any thought been given to using techniques from crypto-currencies to devise a decentralized education and accreditation system?
04:47 < cads> they say that when all you have is a hammer, everything looks like nails
04:48 < cads> I've been learning a lot about BTC lately, and I had a silly idea about how something like it might be used as a form of social currency, and in particular to help drive online education communities
04:49 < cads> in these communities, education is cheap or free, but the problem, as I see it, is that they do not offer any real world incentive to study hard enough to really grasp the material.
04:49 < cads> The student has to be a self motivated learner and provide the incentive via his own love of pure learning
04:50 < cads> there is secondary incentive - skills learned in free online classes transfer to employable skills.
04:52 < cads> however this is hard to accept for many learners, who might ask "how do I prove what I know without a degree"
04:52 < cads> online classes like coursera offer the coursera badge of completion for any class that a student completes with a passing grade, and eventually this may be recognized by universities and businesses
04:53 < cads> but coursera is just one centralized authority
04:53 < cads> I'd like to propose a system in which online classes award a decentralized learning currency to students that complete the class
04:54 < cads> the value of currency awarded is determined by the network in some way I only speculate on so far
04:55 < cads> for example, students could bid a certain number of their current education coins on a class. This determines the desirability and hence market value of the class, and determines how many coins are awarded to students.
04:56 < cads> That already has a bunch of vague spots and even a couple flaws I can think of, and I won't speculate on how the payoff per class should be determined, for now
04:57 < cads> my idea is that students will be able to use the education coins to register themselves in free online classes.
04:57 < cads> they do not need coins to join - the classes are free
17:54 <@gmaxwell> adam3us: did you see my comments about the ed25519 multipliers apparently requiring the scalar to have the high bit set?!
17:55 < andytoshi> gmaxwell: fwiw we can remove that requirement
17:55 < andytoshi> and even maintain timing resistance
17:55 <@gmaxwell> sure we can, but we lose their good existing implementation and become formally incompatible, which is lame.
17:56 <@gmaxwell> andytoshi: there was also something about requiring the scalars to be a multiple of 8 which I didn't understand at all.
17:56 <@gmaxwell> and I assume its just confused.
17:56 < andytoshi> yeah, i didn't get that either, i was hoping a wizard would be able to clarify
17:56 < andytoshi> or that somebody on crypto.SE would step in
17:56 < andytoshi> somebody not confused *
17:56 < nsh> where is this discussed?
17:57 < nsh> (or specified)
17:57 < andytoshi> nsh: http://crypto.stackexchange.com/questions/12425/why-are-the-lower-3-bits-of-curve25519-ed25519-secret-keys-cleared-during-creati
17:57 < nsh> ty
17:57 < andytoshi> i posted that a few days ago, gmaxwell is continuing without context :P
17:57 * nsh smiles
17:57 <@gmaxwell> andytoshi: I didn't remember you posted it, it got left up in a tab.
17:58 <@gmaxwell> the responses there are just confused.
17:58 < BlueMatt> gmaxwell: the internet only works when you respond and correct them :)
18:00 <@gmaxwell> well I can correct the highest bit thing I know why it does that, though it's crappy and overoptimized.
18:00 <@gmaxwell> the *8 thing I have no freaking idea
18:10 < adam3us> gmaxwell: yes i am also not sure what the formula is achieving... djb paper is obtuse, but i guess he does answer email. or we should ask on sci crypt cc him or they have some dev resources for the lib?
18:13 < nsh> --
18:13 < nsh> Ed25519 keys start life as a 32-byte (256-bit) uniformly random binary seed (e.g. the output of SHA256 on some random input).
18:13 < nsh> The seed is then hashed using SHA512, which gets you 64 bytes (512 bits), which is then split into a left half (the first 32 bytes) and a right half. The left half is massaged into a curve25519 private scalar by setting and clearing a few high/low-order bits. The pubkey is generated by multiplying this secret scalar by (the generator), which yields a 32-byte/256-bit group element
18:14 < nsh> -- https://www.readability.com/articles/gswpw12d
18:14 < nsh> just quite blasé "massaged into ... by setting and clearing a few .. bits"
18:15 < nsh> so no particular indication the author (Brian Warner from Mozilla) thought much of the reasoning
18:17 <@gmaxwell> it's not surprising that points have a special form, it's very surprising that scalars have a special form. The high bit set is for timing attack resistance in the multiplier. I can only assume that the low bits is some other psycho performance optimization.
18:18 < adam3us> gmaxwell: its kind of remiss that they dont explain in the paper really
18:43 < andytoshi> gmaxwell: https://www.wpsoftware.net/coinjoin/ should be working
18:44 < andytoshi> as discussed with CodeShark, it strips scriptSigs, which may cause problems for complex use cases
18:46 < petertodd> andytoshi: cool, just submitted a tx
18:48 < petertodd> gmaxwell: yeah, but the r value is public, which lets anyone who knows the stealth address deanonymize you - you might as well just use the txid:vout
18:48 < petertodd> andytoshi: hmm, got " Sorry, this session was not found. "
18:48 < andytoshi> petertodd: yeah, and it's claiming that the session is -92 minutes old
18:49 < andytoshi> sorry, one moment
18:49 < petertodd> andytoshi: now -94 minutes :p
18:49 < andytoshi> oops, permission error
18:50 < andytoshi> should be good now
18:50 < andytoshi> but you'll have to resubmit
18:50 < petertodd> just did
18:52 < petertodd> cool, anyone else want to submit?
18:52 < andytoshi> sure, i'll submit one
18:53 < petertodd> andytoshi: "The most popular output value is 0.0005" <- treating the fee as popular
18:53 < andytoshi> yeah, i noticed that :P
18:53 < andytoshi> probably not a useful behavior
18:53 < petertodd> yeah
18:55 <@gmaxwell> adam3us: the number of the points isn't @#$@#$@#$@ prime. it has a @#$@#$@ cofactor of 8.
18:56 <@gmaxwell> petertodd: wtf. no. the r value is _exactly_ like your public key.
18:56 <@gmaxwell> K is the corresponding private key.
19:00 < petertodd> gmaxwell: ah I see what you mean, that works
19:02 < andytoshi> petertodd: cool, i joined you
19:02 < petertodd> andytoshi: cool, so I sign when the tx closes right?
19:02 < andytoshi> yeah, if the window is open it should play a chime
19:02 < andytoshi> in 5 minutes
19:04 < petertodd> andytoshi: a nice feature would be to list not just popular output values, but also combinations of input values that you might want to match
19:04 < andytoshi> in future, it will not use donations in computing the popular outputs
19:04 < petertodd> andytoshi: though obviously that gets complex :)
19:04 < andytoshi> petertodd: yeah, agreed, the devil is in the details
19:04 < amiller> andytoshi, that's cool
19:04 < andytoshi> gmaxwell suggested just showing all the output values which appear at least twice
19:05 < andytoshi> or an arbitrary one, if none do
19:05 < CodeShark> you could also use a second transaction to further split outputs
19:06 < CodeShark> hmmm, although if not careful, that can leak information
19:06 < petertodd> andytoshi: "The current session is open for -0 more minutes."
19:06 <@gmaxwell> The current session is open for -0 more minutes.
19:07 < andytoshi> petertodd: lol, it won't go actually negative
19:07 < andytoshi> agreed, i should fix that bug
19:08 < petertodd> andytoshi: signed and submitted
19:08 < CodeShark> you could have all inputs be the same value, then have each submitter send a change output
19:08 < andytoshi> cool, one sec, i'll just verify
19:09 < CodeShark> participants could create specifically denominated outputs beforehand
19:09 < CodeShark> to use as inputs in this transaction
19:09 < andytoshi> i submitted too, in a minute it should give us a txid
19:09 < andytoshi> CodeShark: also a good idea
19:10 < andytoshi> it's hard to say what would be best, and all the ideas proposed involve a lot of work ;)
19:11 < petertodd> andytoshi: fee is a bit low
19:12 < petertodd> andytoshi: off by one digit
19:12 < andytoshi> really?
19:12 < CodeShark> requiring specifically denominated outputs should be easy to implement from your perspective - you just need to have multiple "rooms" for different denominations, ensure the inputs are the same value. you do need a txindexed database to query against to get input values, though
19:12 < CodeShark> err, specifically denominated inputs
19:13 < andytoshi> petertodd: the code uses 1500 satoshi / kb
19:13 < petertodd> andytoshi: it's 688 bytes, so the fee should be at least 0.0000688 BTC
19:14 < andytoshi> oh, i am off by a power of ten
19:14 < andytoshi> shit
19:14 < petertodd> heh
19:14 < CodeShark> the 0.1 room, the 1.0 room, the 10.0 room, etc.. :)
19:15 < andytoshi> really
19:15 < andytoshi> ? 15000 seems wrong
19:15 < andytoshi> 10000*
19:15 < CodeShark> you might also want to charge the fee proportional to the number of bytes contributed
19:16 < CodeShark> for each participant
19:16 <@gmaxwell> you don't know the bytes in advance, alas.
19:16 < CodeShark> well, you don't know the signatures
19:16 <@gmaxwell> though you can compute a conservative estimate but it makes it hard to use.
19:16 < petertodd> andytoshi: int64 CTransaction::nMinRelayTxFee = 10000
19:16 <@gmaxwell> CodeShark: which is almost all the bytes.
19:16 < andytoshi> i'm already using a conservative estimate
19:16 < petertodd> andytoshi: 15000 is a good value
19:16 < CodeShark> but you can estimate the signature size
19:16 < andytoshi> ok, that's what i'm going to use then
19:17 < andytoshi> i'll have to jack up the minimum donation
19:17 < petertodd> andytoshi: I wouldn't worry about maybe too high fees myself
19:18 < andytoshi> ok, so the site now demands 10000 satoshi from each participant
19:18 < andytoshi> from that, it submits 15000/kb to network fees, and keeps the rest (if any)
19:18 < petertodd> andytoshi: heck, scriptSigs are limited to 520 bytes or something IsStandard - that's not that much more than the usual scriptSig size, so just assuming that with absolute min fees wouldn't be a big deal
19:18 < CodeShark> another way to deal with the fee calculation is have each participant specify a change output - then you calculate fees on your end and set the value accordingly
19:20 < CodeShark> as a convention, for instance, the first output of the transaction can always be treated as the change output
19:20 < CodeShark> or the last
19:20 < andytoshi> CodeShark: i don't think that much complexity is needed
19:20 < CodeShark> of course, you should shuffle it on your end before signing is done
19:20 < CodeShark> point is you could set the fees yourself
19:20 < andytoshi> yes, there is shuffling done
19:21 < CodeShark> without requiring the participants to calculate the fee
19:21 < CodeShark> makes it easier to use :)
19:21 < andytoshi> CodeShark: if they want ease of use they can just send a ton to the donation address ;)
19:21 < CodeShark> lol
19:22 < andytoshi> petertodd: should i fix our transaction and try to resubmit it? my node has not seen it yet for example
19:22 < andytoshi> i'd have to pm you for a new signature
19:22 < petertodd> andytoshi: sure
19:22 < petertodd> andytoshi: or fix the site and I'll just do another join
19:23 < andytoshi> the site is fixed, but it won't let you put the same inputs in
19:23 < petertodd> ah
19:24 < andytoshi> yeah, quite frustrating
19:24 < andytoshi> gimme a couple minutes..
19:30 < petertodd> just started a fresh tx if anyone wants to join
19:31 <@gmaxwell> pretty high minfee now.
19:32 < petertodd> gmaxwell: low compared to the value of my time :P
19:33 <@gmaxwell> yea, its not bad.
14:02 < gmaxwell> petertodd: okay, so I've got an idea for a solution to your asymmetrically memory hard POW function. I'd give it a 90% chance of working, and a 50% chance of being practical.
14:04 < gmaxwell> petertodd: here is how you do it. First define some function that consists of a fixed sequence of adds and multiplies which cannot be algebraically simplified without knowing the values in question. E.g. I think x=a*b+c*b+c*b+c works
14:04 < gmaxwell> petertodd: now, go find a fully homomorphic encryption scheme... e.g. supports both adds and multiplies.
14:05 < gmaxwell> petertodd: now when the client connects you give him a,b,c under homomorphic encryption with a key known to you and tell him to run the operation chain for difficulty steps. He memorizes results.
14:06 < gmaxwell> When he finishes he tells you the last one, and you challenge him for intermediate values however often you like.
14:06 < gmaxwell> Because you know the keys and the values of a,b,c you can compute the outcome directly, while he's forced to operate sequentially (under the slow homomorphic encryption too)
15:08 < gmaxwell> maaku: Oh I just saw your coinjoin thread. I will be really sad if you aren't able to get funded to work on this.
15:10 < maaku> i would be surprised if i didn't - there's lots of deep pocketed people that want privacy for their bitcoins, but we'll see
15:11 < maaku> sometimes for nefarious reasons i'd rather not support, but i don't see how to add privacy without also enabling that
15:12 < gmaxwell> Right thats my view too. Thats just a nature of technology all of it is dual use.
15:13 < maaku> gmaxwell: what i'm trying to do is make it so that only you know which outputs are yours, without requiring a complex multi-party computation and all the requisite overhead
15:13 < gmaxwell> And if some of the flow of nefarious funds can be redirected to help out the public, then great.
15:13 < maaku> unless of course you're only joining with one other person
15:14 < gmaxwell> maaku: right. So, some party is acting as a "hub" that e.g. merges up the signatures. Why can't they just pick the ordering at random?
15:15 < maaku> gmaxwell: that was my protocol before, and it has the disadvantage that although the mapping is obscured through blind signing, the hub can keep records
15:16 < maaku> but if the protocol is the hub manages collecting blinded tokens, signing them, and then collecting unblinded signatures, and *then* sorts by unblinded signature value
15:16 < maaku> the hub has no way of knowing any more than anyone else what the ordering is
15:17 < gmaxwell> maaku: What kind of records? I assumed that the unblinded outputs would be returned to the hub over a separate anonymous connection.
15:18 < maaku> true
15:19 < maaku> ok all the sorting does is provide a deterministic ordering, so the hub isn't required for the last step (building the transaction)
15:19 < gmaxwell> (that requirement is kind of lame, considering that there really does not exist a good solution for those tor is good enough for casual privacy at least)
15:19 < maaku> that means the protocol already has the feature i wanted. cool
15:19 < gmaxwell> maaku: okay good I think we're on the same page.
15:20 < gmaxwell> and yea, making the sort a function of some data known to all the participants is fine and good and might simplify it in practice. Don't use data in the transaction to sort however, you don't want CJed transactions to be more identifiable in the blockchain than they need to be.
15:21 < maaku> yes, sort the signatures of the outputs, not the outputs themselves
15:21 < maaku> yeah i'm not happy with revelation over an anonymous connection, but it seems we're venturing into somewhat unexplored territory to avoid that...
15:22 < maaku> hopefully it's something that can be added later
15:22 < gmaxwell> well, at least I do think the multiparty computation route requires _only_ sorting. ... which isn't so bad. But I think trying to do that at the front would be suicide.
16:11 < nanotube> fwiw, i run full node on my main comp. and following that discussion spun up another node on a vps. gmaxwell wanna peer? :)
16:12 < gmaxwell> nanotube: make it accept hidden service connections too? see doc/tor.md :)
16:13 < nanotube> good idea.
16:14 < gmaxwell> My laptop is 5yljdotwhmx65nlk.onion my main mining node at home is outbound only right now, but I should fix that.
16:15 < nanotube> ok. i'll get tor up in a bit.
16:16 < nanotube> is it possible/advisable to run a single node behind both tor and non-tor?
16:17 < nanotube> i see it is possible, as per doc. is it advisable? :)
16:19 < gmaxwell> If you're using tor for privacy, no. If you're using it to provide network services, yes since you'll bridge tor-world and non-tor-world.
16:20 < gmaxwell> eventually we'll have to deal with DOS attacks coming via hidden services... (thats actually part of the motivation for the "asymmetrically memory hard POW" I was nattering on above)...
16:21 < gmaxwell> so in theory the only real downside to doing both right now is that maybe a hidden service only dos attack takes out your node on both networks at once. I think thats an acceptable risk right now.
16:47 < nanotube> heh yea, i was taking a walk and realized that if i'm doing it for network health, it'd probably be good to bridge, since if everyone was tor-only it wouldn't work. come back and see you've confirmed my thinking. :)
16:51 < gmaxwell> in the future I expect that smarter networking will constrain resources so that a dos attack on one side only hurts that side.
18:23 < gmaxwell> oh god, some stupid reporter got the idea that the node wedging transactions were the result of someone creating bitcoin out of thin air by successfully mining a block
18:24 < gmaxwell> and it took an excruciating amount of effort to break them of the mental model where nodes simply trust everything in a block and security comes "because no one person can make a block"
18:30 < phantomcircuit> gmaxwell, lol reporters
18:30 < phantomcircuit> gmaxwell, http://pastebin.com/raw.php?i=Hjrrg3kX
18:31 * gmaxwell types /axwell whew
18:33 < phantomcircuit> gmaxwell,
18:33 < phantomcircuit> ""Isn't anonymity one of the biggest reasons lots of people support Bitcoin?" one member of bitcointalk.org asked last month, in a comment echoed by other users. "So that the centrally controlled banks/governments don't control personal transactions or even have records of those private transactions?""
18:33 < phantomcircuit> makes me want to cry
18:35 < gmaxwell> I love it that they don't attribute there, because the guy's name was probably like JohnGaltDickSlapperCyberCunt1996
18:36 < phantomcircuit> https://bitcointalk.org/index.php?topic=274186.msg2938172#msg2938172
18:36 < phantomcircuit> actually it's just Chronikka
18:36 < phantomcircuit> sooooooo
18:39 < gmaxwell> maaku: thanks for that RapidBalls thread. :P
18:39 < gmaxwell> maaku: phantomcircuit actually has wallet fixes that make the behavior not-exponential.. but I wasn't super eager to point them to them when it sounded like they were doing something spammy (lines you correctly read between even when they couldn't)
18:40 < gmaxwell> ("rapidballs" totally sounds like a forum username too)
18:40 < phantomcircuit> gmaxwell, there's actually still a ton of hilariously inefficient behavior in the wallet
18:41 < phantomcircuit> but it's all acting on structures in memory
18:41 < phantomcircuit> so
18:41 < phantomcircuit> shrug
18:41 < phantomcircuit> i would however really like to break out the protocol rules into rule modules
18:41 < maaku> heh, got an unexpected 0.5btc out of it.. which is lucky because my first inclination was to be a snarky douchebag and I almost was
18:41 < phantomcircuit> since at the moment network rules and soft node rules and anti dos rules are all mixed together
18:42 < maaku> newbie named RapidBalls spamming the network is asking for it ;)
18:43 < phantomcircuit> gmaxwell, sipa do either of you have any ideas on the structure/naming for classes that contain the network/soft/antidos rules?
18:43 < phantomcircuit> i was thinking something as simple as a class with static const methods
18:45 < gmaxwell> maaku: yea, in any case, to keep up your contracting business there I thought I'd tell you about phantom's fixes.
18:47 < phantomcircuit> lol
18:56 < midnightmagic> nanotube: which write-up was that again?
18:58 < midnightmagic> (that convinced you to spin up another node)?
18:59 < maaku> yeah thanks i didn't know about phantomcircuit's fixes
18:59 < phantomcircuit> maaku, did you manually create transactions for them or something?
19:00 < maaku> no, just told them about blocksize limits and such. they're really new to this
19:01 < maaku> he's making something like 500 transactions/minute, and wondering why bitcoin is behaving slowly
19:02 < phantomcircuit> why is he creating 500 transactions/minute...
19:02 < phantomcircuit> yeah my patches would improve his bitcoind performance but he'd just end up with a bunch of unconfirmed transactions
19:03 < gmaxwell> phantomcircuit: because his name is "RapidBalls" what do you think?
19:03 < phantomcircuit> lol
19:03 < phantomcircuit> so because he's being a dick
19:03 < phantomcircuit> got it
19:03 < gmaxwell> the username alone tells me it's some derpy gambling site that hasn't figured out that they can do something other than one transaction per bet.
19:03 < phantomcircuit> or that
19:03 < gmaxwell> I promise that their visa handling people would shut off their service faster than you can say "rapidballs" if they started running 500tx/minute.
19:05 < phantomcircuit> yeah for sure
19:06 < phantomcircuit> 500tx/minute is maybe what something like walmart does
19:06 < phantomcircuit> on a saturday at peak hours
19:07 < phantomcircuit> gmaxwell, so in trying to improve the reliability of automated withdrawal request processing
03:49 < warren> sigh, *this* might be the reason for the apparent "bad luck" of p2pool. Just a few orphans here or there can make it look bad over short time scales especially since the pool finds blocks infrequently.
03:49 < petertodd> what do you mean '*this*'?
03:50 < warren> Lots of home users with asymmetric bandwidth, uploading slowly.
03:50 < petertodd> ah, yes absolutely
03:50 < petertodd> people really don't realize how much bandwidth you need to upload blocks fast enough to keep orphans down
03:50 < warren> People have been commenting on the "bad luck" of p2pool forever and nobody mentioned this as a possibility.
03:51 < petertodd> Really? Shit, I thought I mentioned it publicly a few times in the small blocks stuff... I probably forgot to mention P2Pool specifically.
03:51 < warren> The block forwarding thing could be made better if the p2pool nodes also connected their bitcoind's together, so "INCOMPLETE BLOCK" won't happen.
03:51 < warren> They can't choose tx's anymore, but at least they're all reference.
03:52 < warren> or rather, INCOMPLETE BLOCK would happen less often
03:52 < petertodd> Yeah, it'd be a good idea. You'd need to come up with a central tx choosing algorithm, and at that point, you can actually semi-ditch bitcoind...
03:52 < warren> ah! p2pool already has RPC access to bitcoind. It could just addnode right?
03:52 < petertodd> Yup
03:53 < warren> do you have any way to read the bitcoind's IP:PORT from RPC?
03:53 < warren> it could addnode but it has no way of knowing *what* to connect to
03:53 < petertodd> No, but you don't need to. Just read ~/.bitcoin/bitcoin.conf
03:53 < warren> No, I mean the foreign node:port, which is what your addnode would need.
03:53 < petertodd> Ah, just have them tell you.
03:53 < warren> ahhh
03:54 < warren> Some people were talking about integrating p2pool-like functionality directly into bitcoind. Perhaps this would be easier that way.
03:55 < warren> (not a great idea for other reasons, like you would have lots of extra code in the reference client)
03:56 < petertodd> Yeah, we're moving towards removing stuff from the bitcoin client not adding.
03:58 < warren> INCOMPLETE BLOCK FOUND seems to happen ~50% of the time here
03:58 < warren> so p2pool could be propagating the block faster in some cases, and slower in others
03:58 < petertodd> Interesting, have you read the p2pool code to figure out what's going on?
03:58 < warren> no, never thought what INCOMPLETE meant
03:58 < petertodd> read it
03:59 < warren> and I heard the block forwarding thing was added because block submission on some nodes was failing entirely
03:59 < petertodd> lovely...
03:59 < warren> on LTC p2pool most of the nodes are actually failing block submission right now
03:59 < warren> and nobody noticed for months due to the block forwarding
04:00 < petertodd> nice
04:01 < warren> block = share.as_block(self.tracker, self.known_txs_var.value)
04:01 < warren> if block is None:
04:01 < warren> print >>sys.stderr, 'GOT INCOMPLETE BLOCK FROM PEER! %s bitcoin: %s%064x' % (p2pool_data.format_hash(share.hash), self.net.PARENT.BLOCK_EXPLORER_URL_PREFIX, share.header_hash)
04:01 < warren> self.known_txs_var.value ... that's probably it.
04:02 < petertodd> makes sense
04:02 < warren> so ugh... there is a *real* cost to decentralized mining
04:03 < petertodd> for sure, and that's the cost *now* with 1MB blocks, hell, more like 150KB blocks really...
04:03 < warren> which can be minimized with peer optimization, putting your nodes in nearby data centers or upgrading your upload bandwidth, connecting directly to other nodes, using reference clients that link to each other...
04:03 < petertodd> ....all things that cost money ultimately
04:04 < warren> some of that can be automated. but yes, other things cost.
04:04 < warren> It's worthwhile for ASIC owners probably.
04:04 < petertodd> yup, it's the things that gavin and mike don't get: every cent spent on bandwidth is a cent not spent on hashing power
04:04 < petertodd> for now, only because ASICs bring in stupid amounts of money
04:05 < warren> the alternative for ASIC owners is to mine on a centralized pool, increasing risk to the network, and losing income from DDoS attacks on the centralized pool.
04:05 < petertodd> although, what that says is ASIC owners have reasons to just point it at BTC guild...
04:05 < petertodd> nah, a big ASIC miner should be mining solo
04:05 < warren> well, big in aggregate
04:05 < petertodd> but a small one should go for the biggest pool with hopefully the most resources to fend off dos attacks
04:06 < warren> DoS yes, but centralization is dangerous if the pool is compromised or http://xkcd.com/538/
04:06 < petertodd> but that's my point, the individual ASIC owner doesn't care
04:06 < warren> You want to destroy Bitcoin? forget fancy hardware. Just kidnap two pool owners.
04:06 < warren> *done*
04:06 < petertodd> centralization costs everyone, not just them
04:06 < petertodd> absolutely
04:07 < petertodd> and it's most likely to happen when starting a new pool is hard... like with Mike's crazy world where just getting access to the UTXO set in its entirety is tough
04:07 < warren> yes, I really dislike those elitist arguments
04:08 < petertodd> he works at the biggest server *manufacturer* in the world, what do you expect?
04:08 < warren> oh, which?
04:08 < petertodd> Google. They make all their hardware from scratch
04:08 < warren> petertodd: this is largely why I'm interested in working on litecoin. their users already accept anti-spam, so I have lots of flexibility to try better anti-spam ideas there. I don't need to fight the political battle in bitcoin.
04:08 < warren> oh
04:09 < warren> Right now their anti-spam mechanism is a blunt instrument, HIGH FEES ON EVERYONE AND EVERYTHING. I aim to make those fees more targeted to encourage and discourage certain behaviors.
04:09 < petertodd> I had an interview there for a job with their hardware division actually, it's huge.
04:10 < petertodd> It was for a firmware testing position, and I'm analog electronics, so I'm not surprised I didn't get the job. :P
04:10 < warren> =)
04:11 < petertodd> If anything, it shows how desperate they were for people that they flew me down even after I made it clear I had no intention of a career change.
04:11 < petertodd> I like the "make it expensive" anti-spam rules myself, but they are only practical with small block sizes.
04:12 < warren> litecoin blocks are indeed small. =)
04:13 < petertodd> blockchain can grow 1MB per block, with 4x more blocks per hour
04:14 < warren> I intend on checking if any past blocks were bigger than 256KB or 512KB and if so shrinking the hard-limit. It won't be risky after the majority of miners switch.
04:14 < petertodd> ah, see that would be a good thing
04:14 < petertodd> (I looked into attacking litecoin via spam, and figured it was too expensive, namecoin on the other hand is doable)
04:14 < warren> probably don't want to go all the way down to 4x smaller, since tx sizes aren't 4x smaller
04:15 < petertodd> more important though: work on off-chain tx systems, they'll help bitcoin and every alt-coin
04:15 < petertodd> even simple stuff like auditing is a big win
04:15 < petertodd> and multisig coin storage to reduce hacks
04:15 < warren> my interest in litecoin is primarily to prove that fee-based anti-spam incentives work, because I'm really angry about the bitcoin situation.
04:15 < petertodd> what, data in the chain?
04:16 < warren> No, the elitist arguments, and the blind belief that "fee competition" will somehow solve our problems.
04:16 < warren> bullshit.
04:16 < warren> Just throw more hardware at the problem
04:16 < warren> Satoshi's design is perfect. Stop questioning it.
04:17 < petertodd> wait, so you think throwing more hardware is a solution, or the dumb way to fix it?
04:17 < warren> dumb
04:17 < petertodd> good
04:17 < warren> You can use fee-based incentives to encourage and discourage all kinds of behaviors that are beneficial to the overall network growth.
04:18 < warren> Discourage externalizing costs.
04:18 < petertodd> but see, I *do* have a blind belief in fee competition, so to speak, because I'm happy to spend $5 per tx if off-chain tx's work and are adopted widely
04:18 < petertodd> we can live with 1MB blocks basically forever even if every block is exactly 1MB
04:18 < petertodd> it's what we all signed up for, and in that scenario, spam doesn't bother me one bit
04:18 < warren> "what we signed up for" is a logical issue here
04:19 < petertodd> heh, well, it's what the source says
04:19 < petertodd> satoshi wasn't thinking too far ahead
04:19 < warren> satoshi got a LOT right
04:19 < petertodd> ...and a lot wrong too
04:19 < warren> He forgot to realize that UTXO cost isn't reflected in the fee formula. Oops.
04:19 < petertodd> that's a BIG one he got wrong
04:20 < warren> yeah, and that's a key one a few devs fight
04:20 < petertodd> he never thought of fidelity bonds :P
04:20 < petertodd> (and I say that as someone who both invented them, and likes to make fun of them all the time)
04:20 < warren> anyway, I can't win this battle directly with bitcoin, so i'm going to prove it with litecoin.
04:21 < petertodd> well, good luck
04:21 < warren> I'm trying to push in arbitrary behavior incentives, including "punish uncompressed keys with yet another fee for no good reason"
04:21 < warren> the excuse for all of this is "Hey you're unaffected with coin age."
04:22 < warren> and also "we're lowering the normal-sized tx fees. Just don't spam and you're fine."
04:22 < petertodd> hmm... I'd suggest you focus on the UTXO business, and do so directly, don't get into the game of punishing specific tx types
04:22 < petertodd> if fees become valuable, miners will behave rationally
04:23 < warren> fees are already too valuable there, even the pool owners want fees to go down (for non-spam)
06:03 < warren> I'm booking my trip to the Vegas conference. anyone else going?
06:03 < warren> there's a hidden discount code
06:03 < adam3us> warren: yeah i think so
06:03 < adam3us> warren: oooh nice ... do share :)
06:03 < petertodd> warren: vegas?
06:03 < adam3us> warren: (not booked yet)... btw fair warning it seems to be relatively non-tech
06:04 < warren> adam3us: I'm an MBA/law student
06:04 < adam3us> warren: reiner is presenting, otherwise suits
06:04 < petertodd> adam3us: yeah, and by sticking to ordering, you are forced to deal with incentivising mining separately, which can be an advantage rather than just giving it a hope and prayer
06:04 < adam3us> warren: i am talking about people who can't code, or probably fully understand bitcoin protocol if they had to to save their life
06:05 < adam3us> petertodd: yes that is a nice side effect - many incentives and attacks become weaker if you're attacking opaque blobs of your adversary, worst you can do in many cases is random DoS that costs you money
06:06 < warren> adam3us: you mean any of us fully understand the bitcoin protocol? =)
06:06 < warren> I don't think Satoshi understood it fully.
06:09 < adam3us> warren: satoshi - maybe... the full implications at the limits of game theory are complex. but the whole thing is amazing so bucket loads of kudos to satoshi
06:11 < petertodd> adam3us: see the tx fees/latency thing is something I've lately realized should be worried about - specifically how orphans incentivize mining centralization
06:24 < adam3us> so bitcoin hw security. seems like the risk is going up. at some point someone with $1m worth of zerodays is going to burn them to steal $10m worth of bitcoins. and there are people with access to zero days
06:25 < adam3us> i think the solution is hw wallets like trezor and armory offline
06:25 < petertodd> armory says they'll have useful multisig soonish
06:28 < adam3us> petertodd: my other thought is any 2fa for services cannot be disconnected from the tx
06:28 < petertodd> adam3us: ever see my 2fa scheme with multisig txs?
06:28 < adam3us> petertodd: ie it must resolve to the tx, on an offline wallet with a display
06:28 < adam3us> petertodd: no but that sounds like you already had the same thought
06:30 < petertodd> adam3us: well I was thinking use bip32 to generate one of the keys, and then use an OTP scheme to generate the other. Now when you initialize it, you pre-generate all the pubkeys for the OTP scheme, and then transfer coins to the resulting addresses. Every OTP code you reveal has in effect authorized the expenditure of some fixed amount of BTC.
06:30 < petertodd> adam3us: it's not "interactive", but the security is very understandable and predictable, and the scheme can be done on paper
06:43 < warren> adam3us: fail. conference fee paying has no bitcoin option.
06:43 < adam3us> petertodd: well i mean like say an exchange, it holds your coins and fiat
06:43 < petertodd> adam3us: ah, outsource the risk to them, which is reasonable too
06:44 < adam3us> petertodd: rather it should do the type3 exchange. it green signs only
06:45 < adam3us> petertodd: then the 2fa is the user signs with their multisig key after reviewing the transaction
06:45 < adam3us> petertodd: they should issue their usdcoin also with an offline issuing key, block chain validated, again 2fa signed by multisig
06:46 < petertodd> adam3us: yeah, gavin outlined something similar to that actually
06:46 < petertodd> adam3us: 2fa auth to the holder, and then they counter-sign
06:46 < adam3us> petertodd: in that way the exchange can't steal or be hacked
06:46 < adam3us> petertodd: and their only signing key (issue/redeem) is air gapped
06:47 < adam3us> petertodd: people are going to have to do type3 exchange sooner or later or bad things are going to happen
06:47 < petertodd> type3 exchange?
06:48 < adam3us> petertodd: so where the exchange has no coins at risk
06:48 < petertodd> ah right
06:48 < adam3us> petertodd: type2 i was calling where they have only fiat at risk (like bitalo finally is working on)
06:49 < petertodd> well, there's also type2.5, where the exchange can't steal, but if they lose the key you're fucked
06:49 < adam3us> petertodd: after having their previous exchange owned/insider attacked or something - only because they learnt the hard way!
06:49 < adam3us> petertodd: yes. i think you want a timelocked reimbursement for the multisig in case exchange goes rogue, disk crash, out of biz, etc
06:50 < petertodd> absolutely, although actually handling that is hard - lots of ugly state and software messiness
06:50 < adam3us> petertodd: of course your usdcoin are toast anyway - that's down to queueing up as a creditor of the type 3 exchange
06:50 < petertodd> owning USD is inherently not a type3 scenario :P
06:50 < petertodd> regardless of how directly you own it
06:51 < adam3us> petertodd: i think it's the new model really, i can't see anything else working as you're just putting up a fat perfect crime target, people will burn zerodays, hack certificate authorities, bribe employees, physically break into server rooms... it's all coming
06:52 < adam3us> petertodd: i suspect even the 1000s of snowden level guys at NSA and other intelligence agencies with access to their grey-market zerodays, and the grey hat hackers who developed and sold them the zerodays will sooner or later go darkside
06:52 < petertodd> adam3us: I remember saying to gmaxwell months ago that I was hesitant to write anything remotely real related to fidelity bonded banking until I had some remote attest capable TPM hardware to use
06:52 < adam3us> petertodd: eg btcarmory.org is a malware clone of bitcoinarmory.com professionally cloned web site, presumably designed to steal your offline armory wallet
06:52 < petertodd> nice...
06:52 < petertodd> yes, bad software is a nasty one too
06:53 < petertodd> heck, whenever I've used bitaddress.org I've always entered in my own randomness :P
06:54 < adam3us> petertodd: people are going to steal code signing certs or obtain by document forgery. even happened to microsoft something like that ... fool the RA process of a CA
06:54 < petertodd> yup
06:55 < petertodd> excellent reason to avoid auto update for that matter... also spread your coins across multiple wallet implementations
06:56 < adam3us> petertodd: i think even code signing is bad... signing keys can be compromised, compelled sig on TLA malware version by court, compelled signing key disclosure things like that
06:56 < adam3us> petertodd: maybe it's time to publish software hashes to the block chain and forward secure signatures
06:57 < petertodd> forward secure sigs?
07:04 < adam3us> petertodd: kind of like forward secrecy for encryption
07:05 < adam3us> petertodd: you destroy old signature keys so you couldn't forge and resign an old one with the same key
07:06 < adam3us> petertodd: http://www.cypherspace.org/adam/nifs/refs/forwardsecure.pdf
07:06 < petertodd> ah right
07:07 < petertodd> see, just timestamping signatures in bitcoin works well too for that
07:07 < adam3us> petertodd: the main thing is they found a way to have a sequence of public keys and deleted old private keys compactly, otherwise you could just state an intent to use each sig only once
07:07 < adam3us> petertodd: yes it maybe functionally similar in effect
07:08 < petertodd> I keep meaning to update opentimestamps with OpenPGP support, but that'll be a fair amount of work...
07:08 < adam3us> petertodd: also there is a way to do one use signatures where the signature key can only be used once,
07:08 < petertodd> how does that work? I mean, how could you enforce that?
07:08 < petertodd> (well, without a consensus key-value system anyway...) :P
07:09 < adam3us> petertodd: it's quite simple you pre-generate R=xG and make it part of the address, so Q'=H(Q,R)
07:09 < adam3us> petertodd: now people will only accept as valid a signature with that specific R value
07:09 < adam3us> petertodd: brands uses it for one-show certificates.
07:09 < petertodd> I guess I'm not following
07:10 < adam3us> petertodd: the interesting thing is if you go ahead and reuse R, and sign two different messages, you can do that but you leak your private key via simultaneous equation
07:10 < petertodd> ah right, figures, my point was, that's not a scheme where you can't re-use a signature, that's a scheme where you damn well shouldn't, but a validator without perfect knowledge can't tell the difference
07:10 < adam3us> petertodd: so ecdsa sig Q=xG, R=kG, s=(h(m)+rd)/k, r=R.x
07:10 < petertodd> (knowledge of all sigs made)
07:10 < adam3us> petertodd: ok
07:11 < petertodd> my point being that with a consensus key-value system, you can define the signature as valid if it's the one setting a given key to a given value
07:11 < adam3us> petertodd: yes, but it becomes unconvincing - why would you sign twice, it tells you this is invalid, if you can combine it with time-stamping to order them, that's it
07:12 < petertodd> right, but then the attacker signs twice, so you have three in total, and you still need the consensus system to figure out which was first
07:12 < adam3us> petertodd: yes. it could be interesting though because any miner could take the private key and spend it to himself instead
07:12 < petertodd> right, so in some cases you can treat it like a fidelity bond
07:13 < adam3us> petertodd: and it provides cryptographically enforced one-use addresses re Luke-Jr attempt to incentivize secure use
07:14 < petertodd> yeah, but s/enforced/boobytrapped/ :P
07:14 < adam3us> petertodd: yes i guess so. it could even be specified who benefits eg put the double spend address in the address
07:14 < adam3us> petertodd: the one downside is you have to be really careful with sw failure, spending is not idempotent
07:15 < petertodd> yea, and that's damn ugly
07:15 < adam3us> petertodd: accidentally pay twice due to system crash during a spend and lose your money
16:37 < petertodd> helo: agreed, they *do* have tradeoffs with regard to pow. However I would argue that for full-nodes "botnet-centralization" isn't a risk, so avoiding asics makes a lot of sense.
16:37 <@gmaxwell> maaku: but I'll grant you that if bitcoin had been asic (/gpu) resistant then it would have been mostly botnets.
16:38 < petertodd> helo: anyway, it's rather hypothetical: bandwidth kills you way before you need asics to process the blockchain...
16:38 <@gmaxwell> petertodd: I don't believe you can avoid asics.
16:38 <@gmaxwell> petertodd: at best you could lower them to some small factor advantage, but the competitiveness of mining means that eventually that small factor will be enough that only the specialized hardware survives. I thought you agreed about this?
16:38 < petertodd> gmaxwell: sure you can, like I've said before making asics a small integer multiple more efficient rather than hundreds of thousands of times is a huge win
16:38 <@gmaxwell> I don't think it's a win.
16:39 < petertodd> gmaxwell: well, I agreed with the first half, the second half I don't: if censorship becomes prevalent, it's ok if blacklisted transactions cost some small multiple more to get mined
16:39 <@gmaxwell> e.g. if the asics are 10x advantaged then asic farms in the lower 50-tile worldwide power can put everyone else completely out of profitability.
16:40 <@gmaxwell> okay, maybe there is something there.... but censored miners have an uphill battle, e.g. like having to hide their operations.
16:40 < petertodd> sure, but a hill is far more likely to be surmounted than a cliff
16:52 < jtimon> asics cannot be avoided by definition, by asics I mean specialized hardware
16:53 < maaku> jtimon: yeah, but petertodd's goal i think would be to have a pow whose specialized hardware is the everyman's computer
16:54 < jtimon> you could design an algorithm targeted for a certain architecture, that's all
16:54 < maaku> e.g., memory-hard and requiring complex computational capability, which would make something like the AMD APU the best system to use
16:55 < petertodd> well, absolute lowest cost will likely be custom hardware, but if it's a matter of custom PCBs and maybe some FPGAs linking it together, you've made a cottage industry that's fairly decentralized vs. ASICs which are hard-centralized.
16:56 < petertodd> and if off-the-shelf PCs aren't *too* large of a difference, people may still very well mine with them for reasons like "because I can" and "hey, free heat!"
16:56 < maaku> petertodd: ASICs will always win out, by double-digit factors I would wager
16:56 < jtimon> to match the "majority's architecture" you would need to both 1) predict the future 2) cause it, by imposing a favourite arch
16:57 < petertodd> maaku: well, I'm arguing single-digit factors, so we're in agreement roughly :P
16:57 < jtimon> no, maybe not both, sorry I'm...
16:57 <@gmaxwell> good luck powering a common cpu with just a 2 layer pcb.
16:57 < petertodd> jtimon: target RAM and you're within ballpark - heck, litecoin's PoW seems to have decent FPGA performance
16:58 < helo> how would the security-via-difficulty achieved with a novel proof of work and the expected value of nc2 block rewards + fees compare with capitulating to bitcoin merge-mining?
16:58 < petertodd> gmaxwell: 8 and even 16 layer PCB production is pretty decentralized, easily two orders of magnitude more decentralized than ASIC production
16:58 < maaku> nc2?
16:58 < helo> (namecoin2)
16:58 < jtimon> the main problem is what is the target
16:58 <@gmaxwell> petertodd: okay, I'll grant that.
16:59 * nsh wonders what the unit of decentralization is
16:59 < helo> cost to attack?
17:00 < petertodd> nsh: person dollars?
17:03 < nsh> mmm, maybe
17:03 < jtimon> maaku if petertodd wants to impose a low level architecture that's more philosophical than technical, what is the "layman arch" of the next year?
17:05 < petertodd> re: ASICs vs FPGAs, this paper suggests numbers ranging from mid double-digits to even low single digits: https://dl.acm.org/citation.cfm?id=1117205
17:05 < jtimon> I think we all overestimate pow
17:05 < jtimon> the rules are the channel
17:06 < petertodd> suggesting a mem-hard PoW is likely to be FPGA implementable without *that* large of a gap
17:06 < maaku> jtimon: I was being devil's advocate :)
17:06 < maaku> you know I'm diehard pro-ASIC
17:07 < jtimon> what's more important
17:07 < petertodd> FPGA development isn't as decentralized as off-the-shelf PC, but it's still a lot better than ASICs
17:07 < jtimon> we shouldn't be targeting archs
17:07 < maaku> petertodd: i don't know, i think you're likely to get custom, non-von-neumann memory architectures for that
17:07 < maaku> i think people who analyze these things are thinking too much in the box
17:07 < petertodd> jtimon: memory vs FPGA vs ASIC are arch classes; they're fundamental
17:08 < petertodd> maaku: that's the point of FPGAs: you can cheaply make all kinds of crazy non-von-neumann memory architectures
17:08 < jtimon> we should be targeting problems that are common goods and not conflictive with the incentive structure
17:08 < petertodd> jtimon: huh?
17:09 < jtimon> gmaxwell knows how it could go all wrong if we target something "too useful" as pow
17:10 < jtimon> seriously, targeting archs is wrong, even html5 js could be implemented low level in a way you don't expect now
17:11 < petertodd> jtimon: that's completely unrelated to what I'm talking about... with the one exception that the more competitive the pow is on off-the-shelf hardware, the easier it is to use for things like anti-sybil
17:12 < petertodd> jtimon: again, I'm not arguing for targeting architectures.
17:12 < jtimon> what do you mean by "competitive"?
17:12 < jtimon> what resources are we measuring?
17:13 < jtimon> what are we optimizing for?
17:14 < petertodd> jtimon: I want cost per hash for high-capital-cost ASIC implementations to be as close as possible to cost-per-hash on hardware that is less custom, off-the-shelf pc's are the extreme of less custom, gpu's slightly less so, standard fpga dev kits less, fpga's on custom PCB's even less, etc.
17:14 < petertodd> you pull off that trick by targeting PoW that makes use of RAM as much as possible, because RAM is fairly generic. *how* you target ram is tricky though
17:14 < jtimon> I first of all
17:15 < maaku> petertodd: or you make efficient asics into the commodity, off-the-shelf category
17:16 < jtimon> we will all code parallel without noticing in the near future thanks to some fancy lib better than cuda, so please don't anti-gpu
17:16 < petertodd> maaku: and you never will because of the nature of ASIC manufacturing. it may be "commodity", but the world economy appears to be unable to support more than maybe three or four top-of-the-line ASIC manufacturers, and they have a huge advantage over their lesser competitors
17:16 < MoALTz> petertodd: you want to support general computation?
17:16 < jtimon> but everybody has gpus or could have
17:17 < jtimon> I don't but I rented ne for villages gours
17:17 < jtimon> hours
17:17 < jtimon> one
17:17 < maaku> petertodd: so? monopoly/duopoly on manufacture of asics is not the same as controlling the hashpower itself
17:19 < petertodd> maaku: it's very close to it, those companies can put restrictions on hashing power they produce overnight, for instance they can only sell it to authorized and licensed miners, or build backdoors into the hardware itself
17:20 < jtimon> wait, wait, how are monopoly miners changing the rules again?
17:20 < maaku> to the first that's why we have incentive structures that reward them for widespread distribution (which thankfully the free market provided and we didn't have to set up)
17:20 < maaku> the second is a hollywood threat
17:20 < petertodd> maaku: vs. to control FPGAs, let alone generic CPUs, they're forced to put restrictions on a huge industry - that's much harder politically. Not impossible, but much harder.
17:20 < petertodd> maaku: incentives mean nothing to a government that decides Bitcoin needs to be regulated
17:21 < jtimon> I didn't hear that part, maybe I don't get the solutions because I don't understand the problem
17:21 < petertodd> jtimon: by 51% attacking us until we accept their new rules
17:21 < jtimon> why would we accept their new rules
17:21 < petertodd> jtimon: because if we don't we don't have a currency anyway
17:21 < helo> so with asic/memory-hard pow, there would likely be a varying mining script ('header, sha256, sha256' with bitcoin)?
17:22 < maaku> petertodd: and that's the one scenario where we'd realistically switch to scrypt or something else
17:22 < jtimon> channel 1: morgan and rothschilds 22565554 petahashes
17:22 < jtimon> channel 2: the rest of the world 100 moderatohashes
17:22 < petertodd> maaku: ah! you mean you'd be glad people like me had researched the problem and had solutions ready.
17:22 < maaku> it's a nonsense hollywood threat. no government is going to spend 100's of millions of dollars to construct such an elaborate scheme with so many moving parts
17:22 < maaku> when it can be so easily undone
17:22 < maaku> (i worked for the government I know ;)
17:23 < maaku> petertodd: ok, I shouldn't have said scrypt - SHA-3 would be more my tastes
17:23 < jtimon> that's the best part of bitcoin: you can't change the rules unless there's consensus BY THE USERS
17:23 < petertodd> maaku: they don't have to, they tell intel/globalfoundries and tsmc to include a cheap lockout circuit in every ASIC they produce so they have a bitcoin kill switch
17:24 < petertodd> jtimon: nope, without mining the rules aren't very useful
17:24 < maaku> petertodd: which you can see with an electron scanning microscope
17:24 < maaku> you want to be useful, organize an effort to image asic chips
17:24 < petertodd> maaku: so what? you have no choice but to buy ASICs that have it if you want performance that doesn't suck
17:24 < jtimon> that's true
09:12 < adam3us> the other annoying thing about airport wifi is i have a pay as you go 3g sim with 3GB/month data allowance for gbp 2/day for UK on any day used, but the wretched thing never works, and i think i grabbed the wrong replacement sim when i was leaving.
09:13 < brisque> gmaxwell: that story is terrible.
09:16 < adam3us> is there any way to get above SPV security i wonder in a sensible level of bitcoin main changes that doesn't just have both protocols in the client (or a link to a beta validator running in parallel)
09:17 < gmaxwell> well spv security can mean multiple things: there is communicationless spv which is what you get when someone hands you a proof and you're happy, and normal spv when you can go out and seek more evidence.
09:17 < gmaxwell> I think we can get the latter of those two.
09:17 < gmaxwell> More than that implies validating the rules
09:17 < gmaxwell> which implies embedding the rules in bitcoin
09:17 < gmaxwell> and all of the data needed to check the rules
09:18 < gmaxwell> and short of snarks or something, I think that's probably not realistic. (well and not realistic with snarks today regardless but maybe in a few years)
09:19 < adam3us> brb
09:30 < adam3us> gmaxwell: well say hypothetically a client that speaks both bitcoin v1 and bitcoin v2 protocol with a pegged side-chain connecting them
09:31 < adam3us> gmaxwell: eg less of a general competition between 2a, 2b 2c etc side-chains but more the next version of bitcoin with fork requiring bug fixes on it, running in parallel with real-value transferred via the 1:1 peg by those who need the 2.x features, eg 1.x for value storage and 2.x for anything other than basic tx (say)
09:36 < adam3us> adding insult to injury this gbp 5/hr wifi is failing I think because of the web injection urls timing out. grr
10:21 < brisque> regarding hardware wallets.
10:22 < brisque> I was looking into various bits of hackable hardware, looking at the specs and everything. realised it's a little pointless when you can get a 6" laptop from Alibaba for 30 pounds or so.
10:23 < brisque> that's all you'd need for a super effective offline device really, and it's cheaper than the Trezor ever was.
10:25 < gmaxwell> brisque: but bulky.
10:26 < brisque> gmaxwell: one of these would work too http://en.qi-hardware.com/wiki/Ben_NanoNote
10:26 < gmaxwell> (also: that's why I didn't order a trezor)
10:26 < gmaxwell> yea, but stupidly expensive.
10:26 < gmaxwell> I actually looked at getting a nanonote for wallet use.
10:26 < gmaxwell> it's not true of trezor but in theory a hardware wallet could be tamper resistant too.
10:27 < gmaxwell> your cheap laptop will suck when the evil made pops the keyboard and adds a keylogger chip.
10:27 < gmaxwell> s/made/maid/
10:28 < brisque> that's why I was thinking of consumer hardware that can be hacked. the children's toy I mentioned has almost everything you need, including a wireless pink USB dongle. the issue is that you have to open it to get to the serial ports to flash it. not something you can convince everybody to do. http://d4c027c89b30561298bd-484902fe60e1615dc83faa972a248000.r12.cf3.rackcdn.com/imagepicker/4494/thumbs/IM.jpg
10:29 < gmaxwell> wow neat
10:29 < gmaxwell> what cpu?
10:29 < brisque> that's the other sticking point, its CPU is a little short on memory.
10:29 < gmaxwell> though wireless usb dongle may mean a rather large attack surface area.
10:30 < brisque> the low memory is ultimately what makes it useless sadly.
10:30 < brisque> works as a RF spectrum analyser though.
10:31 < gmaxwell> why would it make it useless as a signing device?
10:31 < gmaxwell> surely it has enough for that.
10:31 < brisque> http://www.ti.com/product/cc1110f32
10:32 < brisque> 32kB flash, 4kB of RAM
10:32 < gmaxwell> could be used as a signer no problemo.
10:33 < gmaxwell> though uh, perhaps not with wireless.
10:34 < brisque> yeah. my thinking is that there's got to be another dirt cheap children's toy with an LCD, keyboard and some decent IO that can be hacked into a deterministic wallet.
10:34 < gmaxwell> but, of course, that also makes it easier to tamper with
10:34 < brisque> camera for QR codes, or audio, or even USB pretending to be a HID would work perfectly for this.
10:35 < brisque> isn't the assumption that with a hardware token, your coins are compromised anyway?
10:35 < gmaxwell> hm?
10:36 < brisque> any KDF on an embedded device would make it useless, and no matter what you do the seed is going to be extracted.
10:36 < brisque> I've seen hardware that's meant to destroy keys before, it's not all it's cracked up to be.
10:36 < gmaxwell> nah, you can make successful extraction of the seed pretty hard and make it be destructive.
10:37 < gmaxwell> (be destructive meaning an intruder couldn't tamper and put it back)
10:37 < gmaxwell> and yea, sure concerted 'offline' effort by an expert you can't be safe from, but certainly it's better if your curious teenager couldn't extract the keys easily.
10:38 < gmaxwell> not saying mandatory: trezor fails this too as I understand it, but it would be preferable.
10:38 < brisque> there was a game console that did something like that. had a chip with the ROM, and a battery backed RAM chip with a secret key. on boot it XORed the two to get the executable. any screwup meant you lost the RAM chip and had to pay a pile of money for a new one.
10:39 < gmaxwell> yea there are all kinds of interesting things you can do, and then also embed the stuff in epoxy with embedded tripwires that cut power to the ram if cut.
10:40 < brisque> that's all doable, but that wasn't my aim with this concept. a dirt cheap hardware device holding a seed is preferable to a computer running windows and java.
10:40 < gmaxwell> fair enough. probably more interesting to reduce the interface exposure.
10:41 < brisque> QR codes would be ideal, then audio, then you're back to pretending to be a USB HID. are there any other "airgapped" ways of getting TX data to a device?
10:43 < gmaxwell> hid doesn't get you bidirectional, does it?
10:43 < brisque> it does. the device can pretend to type, and the host can flash the caps lock key.
10:43 < gmaxwell> lol!
10:43 < gmaxwell> that's going to be rather slow
10:44 < brisque> doesn't the trezor pretend to be HID?
10:44 < gmaxwell> no clue
10:44 < gmaxwell> you need to transfer several kb.
10:44 < brisque> yes, the Trezor pretends to be HID too.
10:44 < gmaxwell> man the things you need to do to make windows happy
10:44 < gmaxwell> I would have just made it a usb serial device, but I guess those need drivers in windows
10:44 < brisque> being driverless was probably the aim.
10:45 < brisque> 10kB/s using the caps lock light..
10:46 < gmaxwell> crazy, still a bit slow
10:46 < gmaxwell> how about usb storage... plug unplug plug. :P
10:46 < gmaxwell> and sign and enter your pin on the device itself while unplugged.
10:46 < jgarzik> caps lock light - ha, creative!
10:47 < brisque> well for me wanting to hack something, that's probably going to let the host flash the device which is undesirable. I'm really just throwing ideas around.
10:47 < jgarzik> jumping airgaps is all the rage, these days. NSA or private community alike.
10:49 < brisque> doing it usefully is the issue though. I don't want to have to listen to my CPU buzz with a parabolic microphone to get Bitcoin TX data to an embedded device.
10:49 < gmaxwell> obviously why having a device with a minimized surface area matters.
10:49 * gmaxwell looks at gox and hurrays
10:50 < brisque> gmaxwell: I wanted a Ben NanoNote just to play with, doesn't look like anybody sells them anymore.
10:51 < brisque> by the looks of things, the easiest and cheapest airgap transmission is audio. if people hated dialup modems they're going to hate me screeching 200kB of previous outputs at them.
10:51 < gmaxwell> brisque: harder to setup bidirectional.
10:52 < gmaxwell> how about a usb device imitating a sound device?
10:52 < brisque> USB sound cards are cheap as chips, you can get one that works on any linux device for a few dollars.
10:52 < gmaxwell> and then you can easily just get 192kbit/sec in each direction using two bits per sample, and it would be completely inaudible if addressed to the wrong device.
10:52 < brisque> bonus, you can do transfer over audio to a phone.
10:54 < brisque> imitating a USB sound device would be doable though. matching a generic driver on the host would mean no attack surface.
10:54 < brisque> could also have audio output, then connecting to a cellphone would work.
10:55 < brisque> bonus mode, make adaptors so that transactions can be signed over phones, 56k style
10:57 < jgarzik> I continue to be stunned that mtgoxUSD receives the trading action that it does
13:33 < justonegy> hello
13:33 < justonegy> anyone here who can help with ubuntu build?
13:33 < justonegy> or rather wants to..
13:39 < michagogo|cloud> justonegy: What about it?
13:39 < michagogo|cloud> (though this is most likely off-topic for this channel...)
13:40 < justonegy> I'm trying to build and it's difficult to find information
13:40 < justonegy> EXCEPTION: N5boost12interprocess22interprocess_exceptionE
13:40 < sipa> #bitcoin or perhaps maybe #bitcoin-dev
13:41 < justonegy> checking for Berkeley DB C++ headers... default
14:06 < justonegy> no one wants to help?
14:07 < justonegy> trying to fix this issue and there is just no information and the debug info is non existent
14:08 < sipa> please, not here
14:08 < jcorgan> #bitcoin-dev is better, and, you need to provide a bit more info
14:25 < midnightmagic> lol, one more reason why having a maid is crazy.
14:25 < midnightmagic> if yer in a house and can't vacuum your own floors, you're in the wrong damn house.
18:37 < petertodd> 1CounterpartyXXXXXXXXXXXXXXXUWLpVr <- crazy, 107BTC sacrificed for some "protocol for the creation and use of decentralised financial instruments such as asset exchanges, contracts for difference and dividend payments"
21:14 < petertodd> gmaxwell: oh, maybe I did miss some older ones
21:15 < gmaxwell> (and 0.0004 should greatly improve the odds)
21:15 < petertodd> ah, yeah I think I did
21:15 < petertodd> well, it'd be a conflict now, so I just resent the old ones
21:16 < gmaxwell> 0bin?
21:16 < petertodd> http://0bin.net/paste/j5LLNLEDS7WFsf3S#XJaGGObQv3VZyuUFWSScsbMHFvyMStuXTGzzhrion7c=
21:16 < gmaxwell> nicely, if the second one fails I can merge these myself. :P
21:16 < petertodd> nice that OP_RETURN is now standard...
21:17 < petertodd> enough git head nodes that it's propagated across all my nodes at least
21:20 < gmaxwell> with them merged Total: 0.00227106
21:21 < gmaxwell> this is the merged one: http://0bin.net/paste/4kgGct5K+guuOdY8#7u9CCxfYaOz//nFCqfII5xS53sYx1V0oQSX7i2RjTuQ=
21:26 < petertodd> that GHash.IO is performing an investigation sets a very bad precedent IMO
21:30 < gmaxwell> phantomcircuit: how so?
21:30 < gmaxwell> er petertodd
21:30 < petertodd> lol
21:30 < petertodd> the idea that miners have any responsibility towards zero-conf users is dangerous
21:30 < petertodd> for instance it means you can't change your mempool acceptance rules
21:31 < petertodd> and raises ugly questions about what to do in the event of DoS attacks
21:31 < gmaxwell> well, changing your rules is a bit different from making a bunch of doublespends yourself and then paying the proceeds to miners.
21:31 < gmaxwell> investigation doesn't mean conclusion either. like... uh .. if they don't _know_ how that was happening, that's .. bad.
21:32 < petertodd> so? it's a slippery slope. For instance is it ok that Eligius blocks some tx's from ever entering its mempool, allowing a 10% double-spend attack?
21:32 < gmaxwell> I mean, if they don't know and can't just answer it suggests that they're not actually in control of their own stuff. 0_o
21:33 < gmaxwell> vs eligius filtering where wizkid or luke can step right up and say "yea, we block txn that look like X"
21:34 < petertodd> well such is renting out hashing power...
21:34 < gmaxwell> sure... which no one who cares about their investment in hardware should ever do...
21:34 < gmaxwell> Which I assume will be their answer, because it's an easy out regardless of the real cause.
21:35 < petertodd> ...except when they've already sold it all on an exchange, and the people on the exchange figure they can sell it to the other sucker before anything happens
21:35 < gmaxwell> well, there is still the value of the hardware itself.
21:36 < petertodd> what value? CEX doesn't own it anymore if I understand their business model correctly
21:36 < petertodd> just maintenance, and that could be negative value if they ever screw up
21:36 < petertodd> (negative to CEX)
21:36 < gmaxwell> moral hazard in any case you can rent out your hashpower fine, so long as few enough other people do it too.
21:37 < gmaxwell> I wasn't sure how much of the hardware cex had sold off as shares it's never been priced attractively.
21:37 < gmaxwell> but fair point...
21:39 < gmaxwell> what a mess.. your hardware fractionalized and sold to people with no control over it.. who then mine at a single enormous pool which is full of these miners that can't vote with their feet.
21:39 < petertodd> well, assume they sold it all off, and then screwed up the contract such that they couldn't get out of supporting it for people at a price that wasn't profitable. Their incentive is to actually destroy Bitcoin.
21:40 < petertodd> More likely, they don't have any strong incentive *not* to...
21:43 < gmaxwell> The maintenance fee is estimated as $0.30 / kW x hour: $0.17/kW electricity cost + $0.09 data centre upkeep + $0.04 hardware repair/maintenance.
21:44 < petertodd> Sure, and screw up that contract in some way... You want an unconditional "out" clause, but eventually someone in the business is going to mess that up.
21:44 < gmaxwell> at the moment their hosting is 3.15% of the mining returns. looks like it's structured so they can't get screwed.
21:46 < petertodd> Eventually someone's going to mess that up. Also remember that their ROI is 3%, so the amount of money sufficient to make it in their interests to do something that damages Bitcoin is significantly less than for their customers.
21:47 < gmaxwell> right. Agreed. some stupid doublespendy thing that doesn't return much could easily double their profit.
21:48 < gmaxwell> lol the users get dinged for another 3% pool fee.
21:51 < petertodd> well, a painless 3% is pretty attractive to a lot of people
21:51 < gmaxwell> there is a calculator on their site that shows 1 GH will net 0.08 BTC over its life.... and currently on their market 1GH/s sells for 0.09. :P
21:52 < petertodd> ha
21:52 < midnightmagic> *-/
21:52 < gmaxwell> their calculator assumes 50% hashrate growth per month. which is probably low for the near term, and in the longer term their operating fees eat the profits regardless of how you set it.
21:53 < gmaxwell> oh great, they are saying they'll have short selling by november 16th.
21:56 < petertodd> yeah we're fucked
21:57 < gmaxwell> Is there anything I can do about the high stale counts on the GHash.IO pool?
21:57 < gmaxwell> The stale and duplicate shares are kept to the minimum, however we do not guarantee low stale and duplicate shares on 3rd party hardware mining at our pool.
21:57 < gmaxwell> 0_o this is in the faq on the cex.io site.
21:58 < gmaxwell> We are conducting business as a legitimate UK based company. We will not be able to disappear, as we are governed by UK laws.
22:00 < gmaxwell> When conducting Bitcoin Transfer Transactions with a Bitcoin user who is not a Member, CEX.io responsibility shall be further limited to ensuring the transfer of the necessary technical data to the Bitcoin peer-to-peer network.
22:01 < petertodd> "* At any point in time we may elect to turn into a Cayman Islands company, and such act will not constitute a disappearance"
22:03 < gmaxwell> CEX.io may by notice to Members discontinue or modify the Platform and/or revise or terminate these Terms at any time.
22:05 < gmaxwell> Additionally, we may, in appropriate circumstances and at our discretion, suspend or terminate Accounts of Members for any reason, including without limitation: ... (6) unexpected operational difficulties,
22:06 < gmaxwell> sounds like: 'although you cannot see us, we are technically visible in that we are opaque to optical radiation and thus have not disappeared.'
22:06 < petertodd> heh
22:08 < gmaxwell> I can't find any terms related to the actual hardware.
22:12 < petertodd> the sad thing is how even with fancy ZI stuff to let hashers steal block rewards and stuff, it still doesn't solve the problem of hosted mining
22:12 < gmaxwell> petertodd: the older one (at least!) went through!
22:12 < petertodd> nifty
22:12 < gmaxwell> petertodd: the miners here can't even tell the hardware exists.
22:12 < petertodd> exactly
22:13 < gmaxwell> much less that they're not being robbed on it.
22:13 < petertodd> and if they keep getting their expected dividend, who's to say they're really being robbed?
22:14 < gmaxwell> you could create a bitminter.io and pay a few weeks of dividends as people pile in to buy cheap "fasthash" gigahashes... and then just walk.
22:14 < petertodd> ha, for sure!
22:14 < petertodd> no hardware required
22:19 < gmaxwell> in any case you saw my initial response on that post "meh". I've never been one to think that just because your door is unlocked that it's okay to rob you, but an unconfirmed gambling site is ... well I don't know what to think about that. but the fact that it looks like the pool or cex was earning a profit from it is interesting.
22:21 < petertodd> double-spend warnings are going to make this really interesting given that gavin's planning on implementing them by broadcasting the whole tx
22:23 < gmaxwell> if you don't broadcast the whole tx it's hard to verify they're correct... and just sending, e.g. pubkey,sig or whatever doesn't let you do things like ignore ones that still pay you.
22:23 < gmaxwell> so yea...
22:23 < gmaxwell> heh 2013-11-12 03:11:42 CWalletTx::GetAmounts: Unknown transaction type found, txid 499e80a173ee095d44b1c3503c5d00015222a2d7c17a2140fa16f28eeeda8b93
22:24 < petertodd> never mind that you can always rebroadcast a sig from an earlier tx if you do it with just hashes
22:24 < petertodd> (due to address re-use)
22:24 < gmaxwell> indeed.
22:24 < gmaxwell> "what a shame!"
22:24 < petertodd> it'll be a good time to push direct replace-by-fee, and incentivise it by making some double-spends with, say, 0.5BTC fees
22:25 < petertodd> won't surprise me if people try to push making miners ignore blocks that contain things they think are double-spends of course... but that has lots of ugly consequences
22:26 < gmaxwell> very bad for convergence.
22:26 < gmaxwell> esp if you flood the network with concurrently broadcasted doublespends.
22:26 < petertodd> yup, and makes any mempool difference practically a forking bug
22:26 < amiller> No one ever seems to bother doing a secure multiparty lottery
22:27 < amiller> in multiparty computation there are auctions and fair exchanges and stuff like that
22:27 < amiller> Adam Smith is quoted as saying "there can never be a fair lottery" but we should be able to do exactly that
22:27 < amiller> you would absolutely need a non-EU model of rationality to even analyze the lottery under terms like that
22:27 < petertodd> why would I want to do that? I'm a trustworthy guy.
22:28 < amiller> what does trustworthy have to do with participating in a lottery?
22:28 < petertodd> I'm running the lottery, you can trust me to do it fairly. Why trust all this crypto shit? It's probably designed by the NSA anyway.
22:29 < gmaxwell> amiller: most of this mpc stuff isn't even secure in a model where an attacker is active.
22:29 < gmaxwell> most of it is against a model where the attacker is curious but won't compromise the protocol.
14:28 < gmaxwell> e.g. coding 5 checksigs and then a truth table over them would likely not be the best way to represent that multisig. The truth table is smaller than the branching stuff, but if we had hash compression of untaken branches the branching stuff would be smaller.
14:29 < gmaxwell> So I was wondering if there might be an efficient representation for truth tables where that _wouldn't_ be the case, e.g. where no 1 bit prefix can factor out at least two of the interior tests.
14:30 < gmaxwell> e.g. there is no such x input wire that makes the table insensitive to more than two or more other wires.
14:31 < nsh> beats me
14:34 < Taek42> Would Pierce's logic help any?
14:45 < amiller> i'm interested if anyone here has looked at ethereum http://ethereum.org/ethereum.html
14:45 < amiller> vitalik's attempt at making a broader script language for contracts
14:46 < amiller> the main interesting thing is you can have a "contract", which is like a persistent utxo, it receives data inputs from transactions, it has a special register-like thing representing a "balance" of conserved currency, and it can contain instructions that "send" from that balance to some other contract
14:49 < pigeons> i don't know what can be done about it, and obviously it's not a technical issue, but when i look at different smart contract proposals, not usually directly bitcoin related, i wonder about how sometimes a party to the contract would need to be an expert in the execution platform and the language to be sure the contract he is agreeing to, maybe written by the other party will do what he expects. i guess that's no different than "real world" "du
14:49 < gmaxwell> pigeons: you got cutoff at than "real world" "du
14:49 < pigeons> real world "dumb" contracts
14:50 < pigeons> not that anyone can protect everyone from potential ripoffs all the time, but some people would try to fool people. contract does X, but it does not
14:50 < gmaxwell> pigeons: but sure, part of the point is that "standard" contracts can be formed which get reviewed by experts. But it's absolutely an issue, and it's part of the reason that the simple forth-like encoding in bitcoin is pretty good simply because it actually isn't TOO terrible for the right kind of expert to evaluate them. Likewise, their non-turing completeness makes it possible to make tools that analyze them and present to you ...
14:51 < gmaxwell> ... all the ways of satisfying them.
14:51 < pigeons> right
14:59 < maaku_> gmaxwell: if you allow non-valid pubkeys and sigs for the ones which are not required, isn't that enough?
14:59 < maaku_> e.g. the pubkey script is OP_TABLE for x,y,a,b,c
15:00 < maaku_> the scriptSig is x-pubkey x-sig y-pubkey y-sig OP_0 OP_0 OP_0 OP_0 OP_0 OP_0
15:00 < maaku_> er-no, you need to check that the pubkeyhashes match, nevermind
15:01 < andytoshi> amiller: i've seen it mentioned a few times here, so i think somebody (not me) has looked into it
15:02 < amiller> ok. it's possible i've pasted it here before too.
15:02 < amiller> having a) contracts that persist through multiple transactions and b) a way of sending value from one to another are both new
15:02 < amiller> and far more relevant to discuss imo than the red herring of turing completeness
15:03 < maaku_> well, open-txns does that
15:03 < maaku_> but new as a bitcoin proposal i suppose
15:03 < maaku_> it fails spectacularly at managing DoS potential with its TC scripts
15:03 < gmaxwell> amiller: well I think the covenants post I made shows the kind of farcical mess you can make with that stuff.
15:04 < gmaxwell> I'd be more interested in someone giving a clear example which can't just be replaced with an interactive protocol.
15:04 < amiller> chess game
15:04 < gmaxwell> I'm sure ones exist, but I mostly drew a blank.
15:05 < amiller> the reason you can't do multiple round protocols with bitcoin including covenant script is that you can't condition future txouts on the current txout
15:05 < gmaxwell> amiller: what, you have the program verify your chess witness? One of the players will just stop moving once he sees that he'll lose but before the transcript is finished, exponential advantage for cheating.
15:06 < amiller> ok so you do the standard trick for adding fairness by having a move timer
15:06 < amiller> if you fail to publish a valid move within k blocks you forfeit
15:08 < gmaxwell> amiller: okay, fair enough.
15:08 < amiller> so. maybe it's still possible to do this with covenant
15:08 < amiller> because you can make the input claimable with evidence that there is a blockchain with sufficient length that includes corresponding transactions etc. whatever
15:09 < amiller> maybe you can always transform any other smart-contract system into one with the current semantics and using chain proofs like that.
15:09 < gmaxwell> amiller: in any case, it's _always_ possible without making the network evaluate turing complete code, because you can just outsource script processing via a snark.
15:10 < amiller> yes turing complete is completely irrelevant here
15:11 < amiller> i think the semantics of the chess game example are pretty clear and that makes it a good example, it's just not an obvious business case financial impact kind of thing, that's the only problem with it
15:11 < gmaxwell> Then what is? you can allow arbitrary data from the chain just by extracting it and presenting it to the program.
15:11 < amiller> including a proof that a suitable transaction doesn't exist?
15:12 < amiller> like if i wanted to time out the player who fails to publish a chess move, i would want to show that the current chain has k blocks and does not contain a valid move
15:12 < gmaxwell> why would you even publish the moves? you'd use a dominating spend like I proposed for anti-cheat in the coinwitness thread.
15:13 < gmaxwell> Basically if someone tries to time out redeem the game, the output is covenant locked so that it can be spent by either a longer witness or after a final timeout.
15:14 < gmaxwell> Was I clear enough there? sorry. I don't actually know how much of what I'm talking about you've read.
15:14 < gmaxwell> I didn't want to repeat it all if you've read it all.
15:14 < amiller> i've at least skimmed both threads but i am pretty sure i don't understand many details correctly
15:15 < gmaxwell> amiller: the idea is that to redeem the prize in our chess game you either present proof you've seen a complete transcript for the game in which you've won OR
15:16 < gmaxwell> if the time is past a timeout, AND you present a transcript where your move is last then you can spend it with a transaction whose TXOUT is constrained, such that:
15:16 < gmaxwell> it can be spent after a final timeout (some time from now) OR it can be spent by a similar constrained transaction with a somewhat advanced final timeout and proof of a witness of a longer transcript.
15:17 < amiller> witness of a longer transcript than what
15:17 < gmaxwell> than the longest seen so far, it accumulates.
15:17 < amiller> here's an edge case though
15:17 < amiller> suppose player 1 has a timeout
15:17 < amiller> but player 2 does *not* have a timeout
15:18 < amiller> player 1 publishes his move in time
15:18 < amiller> player 2 pretends that he didn't see the first move, and shows a long transcript and tries to redeem the timeout
15:18 < gmaxwell> He can't, because player 2 can't produce a longer transcript on his own.
15:19 < amiller> player 1 can't just try to timeout player 2 because player 2 isn't on the clock, but you would want to prevent player 2 from omitting the published move
15:20 < gmaxwell> amiller: e.g. player 1 moves, player 2 tries to redeem an empty transcript. Player 1 says fuck you and publishes a 1 move transcript. Player 2 can either give up, or present a 2 move transcript. If he does the latter player 1 can present a three move transcript and so on.
15:20 < amiller> when is the coin irrevocably spent?
15:20 < amiller> if this can keep going on
15:21 < gmaxwell> when the transcript can grow no more, or when someone finally misses an update timeout.
15:22 < gmaxwell> and sure, it's probably possible in chess (it is possible in go) to setup a case where the game goes periodic-stalemate in which case it could go on forever if no party will yield. But the evaluation model doesn't matter there.
15:23 < gmaxwell> (e.g. you can't solve this by having proof of publication)
15:52 < jtimon> gmaxwell, for your non-disclosure key logic problem
15:54 < jtimon> any boolean equation can be turned into the form (a * c * e) + (b * c * e), wait
15:54 < jtimon> let me look at your example
15:54 < jtimon> well, no
15:55 < gmaxwell> the 2 of 3 can be expanded into (a&&b or b&&c or a&&c)
15:55 < jtimon> the point is to build a tree with N or branches
15:55 < jtimon> n OR branches
15:56 < jtimon> a tree in which width is OR and deep is AND
15:56 < jtimon> argh
15:56 < jtimon> words don't come easy
15:58 < jtimon> and anything can be expanded to that structure
15:59 < jtimon> to get the coins you only need to reveal the relevant branch
15:59 < jtimon> sorry, I'll smoke a cigarette while trying to translate that to english
16:01 < gmaxwell> jtimon: right, but because hiding a branch still costs you a 256 bit hash, it doesn't save you anything to hide a branch that only contains one key, it's better to just test it directly at the current level.
16:02 < gmaxwell> e.g. you would not represent a or b as a else {b}
16:07 < jtimon> ?I don't understand the e.g.
16:08 < jtimon> but about the hidden branch hash cost
16:08 < jtimon> it is on the scriptSig, not the scriptPubKey, does it really matter?
16:08 < jtimon> well, yes, sorry 16:08 < jtimon> not that much, but still matters 16:18 < jtimon> <maaku_> it fails spectacularly at managing DoS potential with its TC scripts 16:18 < jtimon> I'm not so sure about that 16:19 < jtimon> my understanding (and I'm not sure I understand the proposal) 07:54 < adam3us> TD, gmaxwell: i admit some fault with coingen.io also (I was stting opposite mappum when he registered the domain), not a new idea apparently, but I yacked about how cool it would be a bunch with BlueMatt and put him up to it. maybe it'll back fire in interesting ways, but the intent is humorous clearly and genuine: to deflate param tweaks 07:56 < adam3us> TD, gmaxwell: and its actually serious. it seems to me that alts are stifling actual innovation. if u think about it inmany ways bitcoin innovation has virtually stalled since 2009. thats why i want to kill param-tweaks, and think pegged side-chains are the bet new idea since 2009 in bitcoin period. 08:02 < adam3us> about ethereum i talked to vitalik about it, not sure i mentioned this part or not, that while fees is a solution to the halting problem in a Turing Complete complete script language; however the history of java byte code interpreter sandbox escapes could give it a massive, repeating, binary failure, where each sandbox escape results in theft of all coins (and maybe bitcoins) 08:15 < adam3us> aka there is a reason bitcoin script is functional, no iterators/recursion, and most of even the stylized/simplified/cut-down script language is itself disabled. ripple dont seem to appreciate this risk and their draft script language looks turing complete. in open transactions, chris showed me he has pluggable script language interpreter hooks and jscript, lua etc but thats just code because he likes generalized clean code. 08:54 < andytoshi-away> justanotheruser: logs are at http://download.wpsoftware.net/bitcoin/wizards/ ... 
if you msg andytoshi-logbot with 'help' i think it'll tell you
08:55 < andytoshi-away> sipa: re 'someone should write a "what to think about before making an alt" document', i'm planning to write something like that this weekend
08:58 < TD> adam3us: you wouldn't try to steal all coins simultaneously, that'd be dumb
08:59 < TD> adam3us: it'd just be treated as an outage
08:59 < TD> you'd want to steal 1% or something like that ...
09:00 < adam3us> TD: if these coins are pegged bitcoins, you'd want to steal as many as possible. it depends on the reaction mode to stemming the loss. if its like the many exchange/processor thefts like say sheep market place (the largest?) because of the irrevocability maybe you may not even care if u empty the alt chain in one go on the way
09:01 < adam3us> TD: what are people going to do? issue and deploy an emergency bitcoin patch to reject this specific side chains re-conversion? that sounds centralized and fed policy like
09:01 < TD> we were talking about ethereum i thought?
09:01 < adam3us> TD: but you may well be right for detail reasons that the optimal exfiltration
09:02 < adam3us> TD: oh yeah sorry :D
09:03 < adam3us> TD: i guess that depends on the market cap and the liquidity and intent of the saboteur. why are they killing the alt. to make money or because they want to do a 'scorched earth' to borrow a petertodd'ism to prove a point
09:04 < adam3us> TD: lot of people might be quite upset and litigious about it if the market cap was like non-trivial at the time. dangerous thing to do possibly even via Tor.
09:04 < adam3us> (sorry i was still in pegged side-chain mode so misinterpreted your observation)
09:04 < TD> anyway, most of the java sandbox escapes especially these days are not issues with the bytecode verifier but rather with the huge libraries or native code that they call out to
09:04 < TD> presumably ethereum would not have anything in the way of libraries or big surface area APIs
09:07 < adam3us> TD: interesting point, yes i never went looking at the root cause of the repeated sandbox failures, but if that's accurate the risk might be a bit lower. but anyway i guess you can say its a brittle failure mode and more risky than bitcoin as a value store as a result. not only could a big bug collapse value like, but some worse things i think, like taking control simultaneously of all online nodes.
09:07 < TD> sure
09:07 < TD> code execution is always tricky
09:08 < TD> ironically, i suspect the JVM may end up being one of the safest sandboxes around. given how massively and repeatedly it's been attacked by hardened hackers compared to most sandboxes
09:08 < adam3us> (could happen to btc also, but higher risk as their code is basically an abstract interpreted asm with memory and iteration, pointers. very flexible. more like executing x86 interpreter)
09:08 < TD> if they keep plugging away at it for enough time, and if you restrict the API surface area, it could end up being kind of robust
09:10 < adam3us> TD: yes. but it seems in some ways that btc is surfacing whole new levels of code assurance. if there's a $1bil reward sitting on the table for entire system value exfiltration, more resources and resourceful people get in, or lose their ethical behavior $ limit filter, seemingly empirically many otherwise trustworthy people have such limits)
09:11 < adam3us> just to say maybe its more interesting to sandbox escape ethereum (if btc was using that model right now) than sandbox vm escapes. it only takes one.
09:11 < TD> yeah.
it makes me wonder if one day it'll simply become impossible to make any changes to the code at all because the legal/financial risk of making a mistake is so high
09:11 < TD> either that or every bitcoin developer will be anonymous and work from behind Tor
09:11 < adam3us> TD: yes i think so
09:11 < TD> neither outcome seems desirable
09:11 < TD> still i guess banks manage, sorta, somehow
09:12 < adam3us> TD: the Tor thing is interesting. i think people who get into exchanges and btc biz dont realize the risk they are putting themselves, their family etc at. if they get enough value inside a server, they have become like a bank. at the high end what do we need like thebunker.net or fortress with servers in it. seems like banks or physical security need to be part of the picture with multisig eventually
09:14 < adam3us> TD: yes, that seems part of the genuine value of banks, they have structured governance (cross checks) physical security, personnel vetting, alarms, perhaps monitored security at managers houses. they had to think about it all and manage it. that is actual value.
09:14 < TD> probably. one reason why i'd never run an exchange or bitbank. however, exchanges are needed, so .... someone has to take that risk. w.r.t the rest of it, well, it's MIT licensed and disclaims all responsibility for everything
09:14 < TD> though i imagine some people will eventually ignore that and try their luck in courts anyway
09:14 < adam3us> TD: what u mean sue for losses due to code bugs?
09:15 < TD> well, or for any other kind of excuse. or patent lawsuits or whatever.
09:15 < TD> i mean as the amount of value goes up, anything could happen
09:16 < adam3us> TD: was vaguely wondering if one could retain unseizability property while protecting your self or your exchange or your processor (some server or equipment or paper under the service operators and employees control) from physical duress, by multisig the whole thing with a physical security provider of one part of the multisig. the RA aspect of the bank multisig is typically weak also. tho they do a lot of risk management
09:17 < WOODMAN> morning warriors
09:17 < TD> they're also insured
09:18 < adam3us> TD: like cheque sigs are not verified under 30k i hear. but if u wire 20k you can do that with some lame, malware attackable security. exactly insurance and risk management.
09:18 < WOODMAN> anybody been around on this technology since early days, i have a decent question if its ok?
09:18 < WOODMAN> brb
09:19 < andytoshi-away> WOODMAN: usually, try #bitcoin-dev first
09:19 < adam3us> TD: but i think what backs it all up is the revocability, usually when things go wrong they can undo the tx, they have ID, so they can recover even withdrawn funds, and insurance covers the rest
09:20 < adam3us> TD: btc lacks that. and if we introduce it (certainly can do revocable, easy using irrevocable + multisig escrow) then the dispute resolution costs come back in and btc tx costs same as credit card. so we cant win. the remaining new avenue is to some smart contract magic
09:20 < WOODMAN> what is this site?
09:20 < TD> yep. it might turn out in the long run that irreversible transactions are simply something humanity can't handle, when the amounts of value being handled get too high
09:20 < WOODMAN> https://bitcointalk.org/index.php?topic=11606.0
09:20 < TD> (too hard to build secure software systems)
09:20 < adam3us> TD: was ever thus.
ecash (irrevocable fast settlement) and slow cash just dont interface together well
09:21 < WOODMAN> i believe i bought bitcoin in 09
09:21 < adam3us> TD: yes. maybe that is an answer. large payments typically can tolerate being slow, and the parties having recourse enough to tolerate the revocability.
09:21 < WOODMAN> i never set up a client....bought from someone who put it on a USB and sent it to me....me never wanting to store on computer cause of hacking and never planned on selling, as there was no market at that time
09:21 < andytoshi-away> WOODMAN: #bitcoin please
09:21 < WOODMAN> i found this link and it discusses that you can put bitcoins on a USB
09:22 < WOODMAN> ah come on andy
09:22 < andytoshi-away> though i did enjoy the second post saying 'screw that, just use mybitcoin' :)
09:22 < WOODMAN> be a sport
09:22 < sipa> WOODMAN: #bitcoin, now
09:22 < WOODMAN> ahora!
09:22 < WOODMAN> im banned from there
09:22 < sipa> (you're very welcome to follow the discussion here, or contribute, but basic questions are completely off topic)
09:22 < TD> or post to bitcointalk
09:23 < WOODMAN> too many indians, not enough chiefs
09:23 < WOODMAN> this could be problem with open source
09:24 < WOODMAN> got another bitcoin IRC where they respect free speech?
09:24 < WOODMAN> or is this all funded by soros?
16:31 < HM> it's not a bad idea
16:32 < gmaxwell> ... it really has absolutely nothing to do with the json rpc code.
16:33 < HM> it does lol
16:33 < gmaxwell> Why are you saying that?
16:34 < HM> because it reads json right off the 0mq socket
16:34 < HM> passes calls to the existing json code
16:34 < HM> gets replies, and reps it back
16:34 < gmaxwell> Are you being a fool just to irritate me?
16:35 < HM> https://github.com/bitcoin/bitcoin/pull/2415/files
16:35 < HM> https://github.com/bitcoin/bitcoin/pull/2415/files#L5L944
16:35 < HM> notice it makes existing JSON RPC functions non-static
16:35 < HM> https://github.com/bitcoin/bitcoin/pull/2415/files#L3R322 <-- reads and writes json off the 0mq socket here
16:35 < HM> it's just an observation, i'm not being critical
16:36 < HM> it's the smart thing to do when you have an existing rpc implementation
16:37 < gmaxwell> okay, I see the source of the confusion here.
16:37 < gmaxwell> Since I commented on it the guy added a bunch of extra commits that do wrap the json rpc stuff.
16:37 < gmaxwell> You have my apology.
16:38 < gmaxwell> The original code did not do that.
16:38 < HM> tis ok, review a lot of stuff
16:38 < HM> you review*
16:38 < gmaxwell> I don't know that I like that.
16:38 < gmaxwell> will have to contemplate.
16:47 < HM> meh, I'm sure RPC isn't a priority
16:49 < HM> sipa mentioned splitting it up in to components, e.g. wallet stuff and transaction stuff
--- Log closed Sun Apr 07 00:00:15 2013
--- Log opened Sun Apr 07 00:00:15 2013
--- Log closed Mon Apr 08 00:00:16 2013
--- Log opened Mon Apr 08 00:00:16 2013
15:06 < gmaxwell> HM: I was surprised to see you complain about rust's syntax. I guess ocaml and haskell (and C++, in different ways) have distorted a bit of what "bad syntax" is, but a major goal for rust is making advanced language functionality more accessible to programmers by avoiding highly irregular and cryptic syntax.
15:06 < gmaxwell> HM: the rust devs spend a lot of time thinking about discoverability and obviousness of the syntax. .... if you've got some specific syntax nits, and they're not just personal preference but things you've found will actually bite people, you should go bug the rust lists, because they can still fix syntax nits.
15:23 < HM> the pointer types are insane
15:23 < HM> and it contains unnecessary terseness
15:23 < HM> i don't believe the numbers of characters i can type a second is the bottleneck of programmer productivity
15:26 < HM> in C++ you have weak_ptr and shared_ptr and unique_ptr, which are verbose, but at least you can't make one moments brain fart and use the wrong pointer type
15:27 < HM> example
15:27 < HM> for [1, 2, 3].each |item| { ... }
15:28 < HM> ick
15:28 < HM> anyway, I reserve my right to find it horrid
15:31 < HM> I read up on Rust a few months back
15:31 < HM> right now I can't even remember which pointer is which
15:32 < HM> let y = @*x; <-- i have no idea what this does
15:40 < HM> C++ also has that for loop syntax btw
15:40 < HM> for (auto i: {1,2,3,4,5}) {
15:42 < HM> auto can be replaced by int, double, or any type implicitly convertible from an arithmetic type
15:44 < HM> you could probably implement all of Rusts garbage collection semantics by replacing weak, shared and unique ptrs with types that used your garbage collector
15:52 < gmaxwell> You can't generally do GC in C++ because you can't reliably keep pointers from 'escaping' the box. I know it works in theory, but it doesn't work in practice as confirmed by many parties.
15:53 < gmaxwell> HM: Most of the time using the wrong pointer type in rust will result in something that fails to compile and gives you a useful error.
15:53 < gmaxwell> I dunno if thats enough, indeed.
15:53 < HM> because you can always call operator-> on a smart pointer and pull out the raw pointer?
15:54 < gmaxwell> HM: yes, and because actually using them results in you leaving around pointers in local memory, inside other objects, etc.
15:55 < HM> sure, but raw pointers were inherited from C
15:55 < HM> you don't have to use them
15:56 < HM> Rust has the nice luxury that its concurrency and garbage collection can be designed to work well together
15:56 < HM> in C++ you have neither as part of the standard library or language spec
15:56 < gmaxwell> You can try to legislate against it, but even when you control the codebase this observably doesn't work well (there are reasons why it must be violated, or why container objects violate it while you're not looking) - though I'm the wrong person to be debating that.
15:56 < HM> (well except std::thread)
15:57 < gmaxwell> The rust people would argue (with plenty of data to back it up), that in C++ you're basically encouraged to do the 'wrong' thing at all turns due to inertial, legacy, and complications of the right thing.
15:57 < gmaxwell> inertia*
15:57 * HM shrugs
15:57 < HM> i think it's more that you can, and people are lazy
15:57 < gmaxwell> The idea is that rust tries to make it so that when you're lazy you do the right thing.
15:58 < gmaxwell> I dunno if they'll be successful, but thats very much the goal.
15:58 < HM> I like the premise of Rust
15:58 < HM> it's the closest thing out there atm to actually being a new C
15:58 < HM> or C++
15:59 < gmaxwell> And they make the compiler more able to detect the wrong things, facilitating that in the language when they can, and they make you explicitly request the wrong behavior (e.g. it takes more work)
15:59 < HM> yep
16:00 < HM> I spent like 2 days this week gone just staring at C++ errors containing type names longer than this conversation
16:00 < HM> i hate it
16:01 < HM> but it's not such a burden to use words instead of symbols all over the syntax map
16:01 < gmaxwell> yea, and partly that comes from really deeply core features of C++ being implemented not as part of the core language but via templates.
16:01 < gmaxwell> You say this, but java's verbosity is a major reason people oppose it.
For things which are components a programmer should be using daily it's not clear that its a good thing.
16:02 < HM> sure
16:02 < HM> but const, volatile, shared, "local", would have been good short readable alternatives to ~, @, &, *
16:03 < HM> in a new language, you don't have to worry about squeezing things in to reserved names and syntax constructs
16:03 < gmaxwell> e.g. if you can't keep the pointer types in your head clearly mapped to their symbols you're going to be making a lot of other (perhaps non-detectable errors). There is a right thing to make sugar and a wrong thing. Keep in mind that they're also at least trying to have some appeal to people who believe that specifying types is a huge burden programmers shouldn't have to deal with.
16:03 < HM> get back to me when you have a highly parenthesised line of code containing half a dozen @, ~ and &s
16:04 < HM> another example
16:04 < HM> C++11 got hammered for using an ugly lambda syntax
16:05 < HM> ...Rust is using the same syntax for all functions
16:05 < HM> fn recursive_factorial(n: int) -> int { }
16:05 < HM> C++11 lambda:
16:05 < HM> [](int n) -> int {}
16:05 < HM> almost the same
16:06 < HM> I think they've made a tonne of really bad choices
16:07 < HM> at least C++ had the excuse of having to maintain some semblance of backward compatibility with 30 years of C and C++ source code
16:08 < HM> and what about this
16:08 < HM> `fmt!` is a macro that statically verifies a format string.
16:08 < HM> println(fmt!("%d", *item));
16:08 < HM> eesh
16:09 < HM> Boost.Format got formatted strings right
16:09 < HM> don't make the programmer encode type information twice
16:09 < HM> %d = double
16:09 < HM> the compiler already knows the type of item
16:09 < gmaxwell> the C++ lambdas are panned because the syntax is complete moonlanguage especially when its anonymous. Seriously you're complaining that the prototype puts the return type on the right?
16:10 < HM> no, i'm questing why they changed it from C or C++ at all.
16:10 < HM> questioning
16:11 < HM> and kept a lot of other bad garbage around
16:11 < gmaxwell> because the C style leads to severe visual (and in C++ parsing) ambiguity.
16:11 < HM> just because it's familiar
16:12 < HM> what about other weirdness
16:12 < HM> let i: int = 50;
16:13 < HM> let i = 100u;
16:13 < HM> let i = 100i32;
16:13 < HM> one minute the type info is on the left, the next it's on the right
16:13 < HM> ok, so that's copying Cs integer literals
16:13 < gmaxwell> In the latter case the type of i is inferred by the data its being assigned to.
16:13 < midnightmagic> This week, on language wars.. some guys discuss the relative merits of C++ vs. Rust, absent twkm!
16:14 < HM> but in C++ you can do "auto i = 50ul;"
16:14 < HM> or unsigned long i = 50;
16:14 < midnightmagic> HM: May I enquire as to where you were originally complaining about Rust syntax?
16:14 < HM> in -dev
16:14 < gmaxwell> HM: typing literals is something that can't be avoided... but the actual language feature you're complaining about there is the inference. E.g. let i = foo(); works and gets the type from foo's return.
16:14 < midnightmagic> oh
16:15 < HM> let y: uint = x as uint;
16:15 < HM> ^ wtf?
16:15 < gmaxwell> yes, thats a cast.
16:16 < gmaxwell> same as float x = (float)double_returning_function(); so that static analysis tools know you mean to do it and won't whine about the narrowing.
16:17 < HM> auto x = (float) double_ret_func();
16:17 < HM> only typed the type i want once
16:17 < HM> the Rust code has 2 operators/keywords and you type it twice
16:17 < gmaxwell> HM: you might well be completely right, what do I know. Smarter people than I create this stuff... C++ is just an endless _sea_ of total wtfs. I don't assume the C++ designers were morons, though it often seems so I assume language design is subtle and hard.
16:18 < HM> it is
16:18 < HM> and C++ is disgusting
16:18 < HM> but I think Rust should have done better given it's starting fresh
23:00 < petertodd> systems designed for that assumption are far more robust when something goes wrong
23:00 < amiller> eh well i'm intrigued in either case.... in that case the point to make is that this is possible
23:01 < amiller> it's easy to provide a high resolution realtime _lower-bound_ for proof of work
23:01 < amiller> whether it's good or bad to do so... i don't know
23:01 < petertodd> well keep in mind that the fast internet connections we take for granted between nodes may not always be possible
23:02 < petertodd> bitcoin users may be forced to tor, and worse, tor can certainly get more unreliable/need totally different alternatives
23:02 < amiller> yeah no kidding.
23:02 < amiller> to be clear i live in fantasy wizard land where about half the bitcoin mining power is on mars
23:03 < petertodd> I guess part of your fantasy is FTL comms... :P
23:03 < amiller> no i'm hard sci-fi, special relativity is the crucial limitation that makes things weird
23:04 < amiller> and ascii bernanke was put in the blockchain as a warning against relying on mysterious leaders correctly setting global parameters...
23:04 < amiller> anyway yeah the normal block rate determines like the maximum coarseness bound for proof of work samples
23:04 < petertodd> heh, well, so mars has a second chain I hope?
23:04 < amiller> hehehe well since you asked...
23:05 < amiller> mars and earth participate in a largest global coin that is shared between them
23:05 < amiller> but pretty much most of the volumes of their economies are conducted on smaller planet-localized chains
23:05 < petertodd> amiller: https://bitcointalk.org/index.php?topic=158756.msg1786069#msg1786069 (bottom)
23:05 < amiller> that run so much faster that it's hard for people on mars to get much profit from running on the earth local chain
23:06 < amiller> people tend to shift more of their mining power to the earth-mars joint chain when mars's orbit brings it closer to earth
23:06 < petertodd> LOL!
23:06 < amiller> and of course when it's solar eclipsed they might as well be isolated
23:06 < amiller> also sometimes a colony gets knocked out of orbit and no one knows whether we'll ever hear from them again
23:06 < amiller> in that case their chains diverge
23:07 < amiller> if they sometimes come back, either there is a remarkably painful reorg process or they just agree to have separate histories
23:07 < amiller> s/sometimes/somehow
23:07 < petertodd> we're gonna need #bitcoin-scifi at this rate
23:07 < petertodd> and #bitcoin-steampunk
23:09 < amiller> i think blockchains will follow the 4 F's of evolutionary biology
23:09 < petertodd> ?
23:09 < amiller> feed, fight, flee, and mate
23:09 < petertodd> ah 'mate'
23:10 < amiller> i meant fuck
23:10 < petertodd> don't tell me you've been working on making merkle AST's have sex
23:13 < BlueMatt> petertodd: sadly, thats a fairly easy process....
23:13 < BlueMatt> well, mate maybe, sex not so much
23:13 < amiller> i think bitcoiners need simultaneously more imagination and more formal modeling, we've seen absolutely nothing yet as far as 'bitcoins final form' or w/e goes
23:13 < amiller> the value of the fantasies is when it puts theoretical limits / invariants in focus
23:14 < petertodd> changing bitcoin is so difficult Bitcoin may well be in its final form...
23:14 < amiller> or to put it another way, bitcoin is an intergalactically brilliant idea :D
23:14 < amiller> i couldn't possibly disagree more
23:15 < amiller> the whole 21million coins thing is like a teenager getting a tattoo of his first girlfriend on his forehead
23:15 * BlueMatt picks the middle
23:15 < amiller> i guess i meant first girlfriend's name but w/e
23:15 < BlueMatt> actually, limited supply (pick your number, doesnt matter) is quite a brilliant solution
23:16 < BlueMatt> imnsho
23:16 < amiller> the BTC is limited, but the alternate cryptocurrencies with identical design are ridiculously abundant
23:16 < BlueMatt> and do you see them with long-term adoption?
23:17 < amiller> i see them as growing to the point that they threaten and reveal the emperor's nakedness of bitcoin's scarcity
23:17 < petertodd> cryptocurrencies have ridiculous first mover advantage issues
23:18 < amiller> how plausible is it that there will eventually be a consensus among 'newcomers' to dismiss that first mover advantage
23:18 < amiller> class of 2013 rules!@!!
23:18 < BlueMatt> let me rephrase, do you see bitcoin having gotten the kind of adoption it has (and thus providing more for the altcoins) without it?
23:19 < amiller> i think it was a good choice for the time
23:19 < amiller> everything else about bitcoin is so foreign and unexpected that making it like 'gold' which everyone has a shared understanding about helps.
23:19 < amiller> also i don't think this is a bad thing because i think bitcoin will happily gobble up new technology/ideas as they catch on
23:19 < amiller> as long as the first mover advantage is respected
23:20 < amiller> their value can always be grandfathered in
23:21 < amiller> i don't think bitcoins' current financial model comes even close to resembling what will come shortly after though
23:21 < amiller> ripple trust is more scarce than cryptogold
23:24 < amiller> ripple trust is also the only financial model with any sound theoretical footing, e.g. http://www.econ.wisc.edu/workshop/trust_and_social_collateral.pdf
23:27 < amiller> or to put it another way, _where we're going, we don't need gold_
23:29 < amiller> on the other hand we definitely _will_ still need a magic irreversible ledger in the sky
23:33 <@gmaxwell> amiller: nah, I think ripple is unlikely to survive. You'll at a minimum need to get a new name for it.
23:34 < amiller> yeah mb i meant "credit network trust"
23:34 < amiller> or social collateral
23:34 < amiller> social collateral is what i meant
23:34 <@gmaxwell> (as an aside ... forum users are now getting flooded with offers of $20-$30 for their accounts, because people want in on the XRP goldrush.)
23:34 < petertodd> gmaxwell: still?!
23:35 <@gmaxwell> I haven't checked where it is now, but the complaints from users only started about a week ago.
23:35 <@gmaxwell> but they might be about older messages.
23:35 < petertodd> well, regardless that's just silly
23:35 < amiller> i'm so pissed at ripple and ryan fugger selling out the trademark to idiots i can't see straight
23:36 < amiller> and yet i'm also glad they're doing so much work on their api and interface
23:36 < petertodd> yeah, it's a very nice name, hard to come up with good names
23:36 <@gmaxwell> perhaps I'll suggest to theymos that he make 100 old accounts appear out of SQL INSERT magic and go cash in.
:P
23:36 < amiller> petertodd, beyond that it has like 10+ years of heritage
23:36 < petertodd> amiller: yup
23:36 < petertodd> amiller: the sort of heritage where it would have been totally ok to use the ripple name for even a few implementations
23:37 < petertodd> and actually get it right
23:37 < amiller> ripple.com has a shitty new video out that includes the phrase "80% is the threshold for mathematical certainty"
23:37 < amiller> i'm so mad and yet maybe it will be net positive, the work they're doing
23:37 < petertodd> oh dear
23:37 < amiller> i can actually withdraw bitcoins
23:37 < amiller> against my social trust lines.
23:38 < petertodd> honestly, ripple to me smells of engineers not getting how complex social trust relationships are
23:38 < amiller> via bitstamp the first operating "gateway" (where gateway means illegally operating msb)
23:38 < amiller> see the social trust part is the part that works.
23:38 < petertodd> although, I do want to see the fincen guidance on ripple, that could be hilarious
23:38 < amiller> they got all of that right
23:38 < amiller> the part that looks craziest and awfulest about them i think is actually the part that's fine.
23:39 < petertodd> heck no, the social trust bit is where it falls flat on its face because it's too complex and time consuming
23:39 < amiller> i couldn't disagree more
23:39 < petertodd> can it work? sure, but it's a lot of work
23:39 < petertodd> it's why I see ripple as making sense b2b, not p2p
23:39 < amiller> what they fail at is not understanding anything about byzantine/decentralized consensus
23:39 < amiller> not b2b
23:39 <@gmaxwell> amiller: yea, thats the annoying part to me, people are obsessing over the ripple-ish parts and ignoring the sketchy XRP stuff, the decentralized part, etc.
23:39 < amiller> b2b is inherently about government regulation
23:39 < amiller> p2p also maybe is too much work
23:40 < amiller> what else would you call it c2c? community to community?
tiny faction to tiny faction?
23:40 < petertodd> no, business to business just means between entities big enough that accounting is an accepted activity
23:40 <@gmaxwell> unfortunately the regulatory environment will make us P2P some stuff that really ought not to be P2P.
23:40 < petertodd> which if they're smart will be their goal...
23:41 < amiller> petertodd, you should read a little about the theory of self enforcing contracts and credit networks
23:41 < petertodd> man I gotta make some computational oracles happen
23:41 <@gmaxwell> And there is even some indicators that some regulatory bodies are actually willing to go "p2p? oh. Well we give up" note fincen offering guidance which is different for decentralized and non-decentralized cryptocurrency! blew my mind.
23:41 < petertodd> amiller: that's my whole point, the fact that you need to read anything is why it's a bad idea for person to person
23:41 < amiller> gmaxwell, yeah omg!
23:41 < amiller> i shat myself when fincen provided a "definition" for "decentralized currency"
23:42 < petertodd> I'm not going to believe for a second the initial guidance actually means anything
23:42 <@gmaxwell> I think that the decentralization actually takes away some of the distractions that makes regulatory meddling seem more justified.
23:42 < amiller> i think it's justified
22:13 < Ryan52> cfields: Yes, verified the MacOSX10.6.pkg in my downloaded .dmg matches.
22:14 < cfields> ok, great. So if anyone else want to try to build with gitian, i can provide that file to spare you the trouble
22:15 < warren> cfields: it's available to anyone with an apple dev account?
22:15 < Ryan52> cfields: I'm working my way through the rest of the list to verify, but will have to stop halfway through that and leave in a couple minutes. Can come back in ~5 hours to finish it, but I'll submit my work in progress.
22:15 < Ryan52> warren: if you're willing to download the 4GB .dmg it's a part of :)
22:15 < cfields> warren: yea, it's necessary to build. Anyone who's built bitcoin for osx has downloaded it at some point
22:15 < warren> 4GB!?
22:16 < cfields> warren: only one file is needed from it, and it's ~50mb iirc
22:16 < warren> cfields: so the gitian VM must be *much* larger, or you extract something from it?
22:16 < warren> ah
22:16 < cfields> which is why i'm offering to provide that file to anyone who needs it, rather than going through that mess
22:16 < warren> as long as Ryan52 verified it I want the 50MB file
22:16 < warren> I don't have much time
22:17 < Ryan52> Yep, I also recorded the sha256 of the .dmg it came from, in case somebody wants to compare notes on that, at some point.
22:18 < Ryan52> (tho as long as the 50MB file is fine, that doesn't make much difference)
22:18 < cfields> 2ad43957613642f29166dd452662a2adeecb8b69e01ca373f2cb47fbe42764fc xcode_3.2.6_and_ios_sdk_4.3.dmg
22:19 < warren> oh, I have that
22:19 < Ryan52> 2e666a972c616a35fed5790265fb5aa61ef74ea7c36e4e5a11261df00008822c Downloads/xcode_3.2.6_and_ios_sdk_4.3.dmg
22:19 < Ryan52> That is odd. I wonder if Apple embeds our developer ID, or if mounting it causes the checksum to change.
22:20 < warren> hmm, what macports has sha256sum?
22:20 < Ryan52> (mine is of a copy before mounting)
22:20 < warren> Ryan52: oh damn
22:20 < cfields> Ryan52: hmm, maybe. that's good to know
22:20 < cfields> so the dmg checksum is uninteresting, but the pkg counts.
22:21 < Ryan52> Right.
22:21 < warren> how do I get sha256sum on mac?
22:22 < cfields> shasum -a 256
22:23 < cfields> Ryan52: not sure what list you're verifying?
22:23 < warren> I wish macports gnupg worked. it fails to build.
22:27 < Ryan52> cfields: the list of checksums in your download script.
22:28 < cfields> Ryan52: i'm not sure what there is to verify manually?
22:30 < warren> cfields: as noted earlier, check against download sources of various linux distros and ports to be sure it's exactly the same as what everyone else is shipping. If something is very new and not widely distributed yet, then manually examining the diff from the old version.
22:31 < cfields> mm, ok
22:31 < warren> cfields: if we're giving people a download.sh and hard-coded checksums we better be damned sure we didn't accidentally pull in something bad
22:31 < cfields> fwiw, i reused the tarballs i already had laying around mostly
22:31 < warren> that's fine. another paranoid check is worthwhile.
22:31 < cfields> meaning: existing win32/linux dependencies
22:31 < warren> oh? I noticed you upgraded boost.
22:31 < warren> you upgraded nothing else?
22:31 < cfields> so before going to that trouble, might want to see if we're already using em
22:32 < cfields> for the more complicated ones i took the macports version
22:32 < warren> Ryan52: the checksums already in contrib/gitian-descriptors/*.yml have been verified by me and the entire litecoin team redundantly.
22:32 < cfields> so that i could more easily re-use their patches
22:32 < warren> cfields: did you upgrade qt?
22:32 < cfields> yes, x.y.5
22:33 < cfields> 4.8.5 i think?
22:33 < Ryan52> Here is my WIP "notebook": http://pastebin.ca/raw/2478933
22:33 < cfields> same reason. Notice it has about 30 patches in play. I didn't want to waste the macports work on that
22:33 * Ryan52 has to go do other things for some hours, but can continue looking at things in a long while
22:34 < warren> Ryan52: if we're satisfied with this, time to move on to the external ip review.
22:34 < warren> Ryan52: write a good report on what you reviewed, how and maybe debug print patches
22:34 < cfields> also worth noting that regardless of any investigation, these are the versions that have been in-play on osx due to their use in macports anyway
22:34 < warren> I did that myself but I might have missed something.
22:34 < Ryan52> I did try to see if there were gitian-descriptors already, but not many did have them.
22:35 < cfields> you guys are really getting a bit ahead here, anyway. First step is to have someone else verify that it builds and works, then discuss with the other devs whether the approach is reasonable for releases or not
22:36 < Ryan52> Hm, okay. So should I just document my verification of the MacOSX10.6.pkg then, since that's the only one I was really "done" with? Where is best to do that?
22:37 < cfields> Ryan52: how bout commenting on my commit, so it's visible to anyone else looking over it?
22:38 < cfields> at github, that is
22:38 < Ryan52> cfields: Alright, wasn't sure if there would be a more relevant PR or BR, thanks!
22:39 < cfields> Ryan52: i'm still not quite sure how to handle it. need a recommendation from a veteran
22:39 < cfields> gavinandresen: ping
22:40 < warren> BR?
22:41 < Ryan52> warren: bug report, sorry I abbreviate too much sometimes :)
22:42 * Ryan52 isn't sure if that is proper github terminology, since it calls them issues, doesn't it?
22:45 < Ryan52> cfields: Here's your comment: https://github.com/theuni/bitcoin/commit/8a64fb98370ccc299d73111bbf97cdde23f681b1#commitcomment-4688671
22:45 < cfields> Ryan52: thanks
22:54 < warren> 9c5424e26fb10836ebfc602d61d5e4f984a9ce33d327877dd51405b08b977ac5 xcode_3.2.6_and_ios_sdk_4.3.dmg
22:54 < warren> looks like it does change it by mounting =(
22:55 < Ryan52> eh, as long as the pkg matches we have verification. that sure is annoying tho.
--- Log closed Mon Nov 25 00:00:06 2013
--- Log opened Mon Nov 25 00:00:06 2013
00:41 < gavinandresen> cfields: hmm?
00:42 < cfields> gavinandresen: I have a working POC for deterministic dmgs built from linux. I need a bit of group-think on how to proceed. Suggestions?
00:43 < cfields> POC in that the process is ugly. The result seems stable.
00:43 < gavinandresen> what makes the process ugly?
00:44 < cfields> gavinandresen: mainly patching the shit out of qt/boost to get it built cross-arch cross-platform
00:44 < gavinandresen> mmm. That IS ugly.
00:44 < gavinandresen> Hard to review, hard to be sure the patches are correct....
00:45 < cfields> gavinandresen: well, they're 99% taken from macports...
00:45 < cfields> so the argument really isn't valid, it's just been covered up until now
00:45 < cfields> so before going further, i'd like some kind of consensus on the goal. Namely: Should it aim to be useful for everyday building? Or aim for gitian release builds only?
00:46 < gavinandresen> release builds only, in my opinion. And maybe pull-tester builds.
00:46 < gavinandresen> I'm certainly not going to cross-compile in a linux VM to develop
00:46 < warren> I test gitian builds in dev all the time, personally.
00:46 < cfields> sure, pull-tester was the main target i had in mind
00:47 < warren> cfields: are all the static libs built into a deterministic deps tarball to use as an input?
00:47 < cfields> warren: not currently, but it'd be simple to get em to that point
00:48 < warren> cfields: that would help substantially
00:48 < gavinandresen> cfields: if it helps, I think it is time to drop 32-bit and OSX 10.5 support.
00:48 < gavinandresen> Maybe even drop 10.6 support.
00:49 < cfields> I'd be pretty opposed to dropping 10.6, but 10.5 and 32bit i would agree with
00:49 < cfields> but that's tangential to this discussion, neither of those added any complication to this process
00:49 < gavinandresen> ok
00:50 < gmaxwell> cfields: I am advised that 10.9 has been backported to * and was also advised that if we wanted anyone at apple to care we'd need to be on at least 10.7 and building in 64 bit.
00:50 < warren> * ?
00:51 < cfields> gavinandresen: i suppose i'm just looking for a bit of guidance as to how to proceed. It works, but it's ugly. If it's only for gitian, ugly doesn't really matter.
00:51 < cfields> I suppose I should re-define ugly. qt/boost are heavily patched either way. It's either macports or homebrew or us.
00:52 < cfields> so ugly means: a nasty build-script that either completes or fails gloriously
00:52 < gavinandresen> and relies on a very specific version of boost/qt, I assume?
00:52 < cfields> well I used the versions that macports use, so we could borrow their patches
00:53 < gavinandresen> That doesn't sound horribly ugly just document the process of upgrading.
00:54 < cfields> Sure. It's the same as upgrading any other gitian deps. Just on a bigger scale for osx.
00:55 < cfields> gavinandresen: this probably explains better than me rambling about it: https://github.com/theuni/bitcoin/commit/8a64fb98370ccc299d73111bbf97cdde23f681b1
00:55 < jgarzik> is there an OSX that works in VM?
00:55 < jgarzik> that would be useful
00:55 < cfields> jgarzik: none legally, so it tends to be avoided if it's done publicly
00:55 < cfields> (build-slave, pull-tester, etc)
00:56 < gavinandresen> cfields: can we avoid putting all those patches in our tree? Maybe run a script to fetch them from macports ? (with just the macports public key in our tree)
00:58 < cfields> gavinandresen: if that's what you'd prefer, but seems that would only make it more complicated?
00:58 < cfields> I suppose your goal is to differentiate between our changes and theirs?
00:59 < gavinandresen> yes, if we are going to extend trust to MacPorts then better to make it explicit.
00:59 < gavinandresen> (if we are going to CONTINUE to extend trust....)
00:59 < cfields> i wasn't going to say it ;)
21:43 < petertodd> sipa: You expecting payment protocols?
21:43 < sipa> yes, i don't like that
21:43 < sipa> petertodd: yes
21:43 * BlueMatt beats jgarzik with a wet fish
21:43 < petertodd> sipa: Well... that's a long, long, long way off.
21:44 < sipa> petertodd: but what has that to do with anything?
21:44 < petertodd> sipa: After all, a UTXO set copy is a requirement for a validating node, which means the RPC should support it.
21:44 < gmaxwell> petertodd: funny multibit works just fine (cough on the fine part...) without any of that stuff.
21:44 < sipa> petertodd: wallet can perfectly keep track of their own transactions
21:44 < petertodd> gmaxwell: Right, by just downloading blocks.
21:44 < sipa> petertodd: no need to depend on any non-authorized data
21:45 < gmaxwell> petertodd: no, it uses bloom filtered blocks.
21:45 < petertodd> sipa: Remember, I did say UTXO in the *RPC*, not as a network visible thing.
21:45 < petertodd> sipa: Network visible is insane I agree.
21:45 < sipa> petertodd: i don't care, whatever protocol you use to let wallets and bitcoind communicate
21:46 < sipa> petertodd: and an address-indexed UTXO set isn't even enough for all wallet applications - you need the full transactions anyway to produce a ledger
21:47 < jgarzik> sipa: More seriously... I proposed a similar split on #bitcoin-dev a few days ago. Was looking into a fork(2)-based firewall between RPC/wallet/GUI and "everything else" (blockchain engine, really)
21:47 < jgarzik> sipa: would be trivial to split even further, once that happens
21:47 < sipa> agree
21:47 < petertodd> fork(2) is a clever way to do it, and easy to get started on
21:47 < gmaxwell> jgarzik: this has been said _lots_ of times in the past. By too too I think. I don't think anyone disagrees... doing that would let us do nice sandboxing eventually.
21:48 < jgarzik> I even researched Windows compatibility, RE fork+pipe: http://msdn.microsoft.com/en-us/library/edze9h7e%28v=vs.80%29.aspx
21:48 < sipa> no need for pipes; network sockets will work fine?
21:48 < jgarzik> sipa: fork+pipe is a nice existing model, can become sockets later
21:49 < jgarzik> sipa: but no big deal either way
21:49 < sipa> right
21:50 < jgarzik> in current code's context, The Program would fork off (re-run the exe, in Windows' case) the blockchain engine. The Program would be RPC/wallet/GUI etc.
21:51 < jgarzik> gmaxwell: Well, from my perspective it seemed like everybody disagreed, when BlueMatt's big work was held in favor
21:51 < jgarzik> I prefer a more heavyweight messaging boundary (like pipe / network socket)
21:51 < petertodd> jgarzik: That also means you can make a very secure strictly non-wallet RPC interface that lives with the blockchain engine. - blockheaders and what not only
21:52 < petertodd> jgarzik: (or as a third process)
21:52 < gmaxwell> we don't need a zillion processes please. :P
21:53 < BlueMatt> jgarzik: meh, CBlockStore never worked out because it was never mergeable at the time I had free time to maintain it (along with many other issues)
21:53 < sipa> jgarzik: that was just making a hub structure for different components to communicate instead of ad-hoc... the idea was that some parts could move to other processes as well
21:53 * petertodd has shares in micron
21:53 < BlueMatt> realistically, it needs to happen in pieces, not at once
21:53 < sipa> yeah
21:53 < sipa> one of the things i'm "waiting" for, is CodeShark's split of main/core
21:54 < BlueMatt> CodeShark is working on this?
21:54 < gmaxwell> I don't see a reason for more than three processes p2p network / block(+block rpc) / wallet(+wallet rpc / optionally gui) and maybe the p2p and the block part are one process.
21:54 < petertodd> gmaxwell: right, that's exactly what I'm proposing
21:54 * jgarzik bets he can complete a fork()er before CodeShark ;p
21:54 * BlueMatt ponders writing CBlockStore part 1 version 4...
21:54 < jgarzik> mmmmm, competition
21:54 < BlueMatt> or am I on version 5 now?
21:54 < gmaxwell> then we can get to pick between pulls
21:55 * BlueMatt gives up and goes back to writing a bitcoinj full verification engine no one uses
21:56 < jgarzik> One "blockchain engine" process should manage p2p and block database, IMO. Does not seem a need to split further (but who knows 'til ya get there)
21:56 < gmaxwell> BlueMatt: If I send you a fruit basket will you stop being sore about that? :P
21:56 < jgarzik> and that would be a natural splitting point for a further bitcoind/rest separation.
21:56 < sipa> jgarzik: core/main split has nothing to do with that; it's just that main right now has a) very low-level stuff (definitions of CTransaction/CBlock/...) and b) very high-level stuff (management of block db, verification, ...)
21:56 < petertodd> jgarzik: Keep in mind I'm specifically thinking of an RPC interface that would serve up data locally completely unauthenticated.
21:56 < jgarzik> petertodd: yes
21:56 < sipa> jgarzik: idea is that the low-level stuff moves to core.h/.cpp, so that +- everything loses its dependency on main
21:57 < jgarzik> petertodd: a blockchain engine would use something like that
21:57 < jgarzik> sipa: ah ok. +1
21:57 < BlueMatt> gmaxwell: which one, CBlockStore or bitcoinj?
21:57 < BlueMatt> gmaxwell: and, no, I just like to bitch
21:58 < gmaxwell> BlueMatt: CBlockStore XXIVXI (the revenge) :P
21:58 < sipa> after that, i'd like to have a "block manager" or something, which just maintains CBlock's that are being worked on in memory, refcounts, and has a background thread for syncing them to disk
21:58 < gmaxwell> 2013-03-29 01:57:53 block index 716145ms
21:58 < gmaxwell> :P
21:58 < BlueMatt> valgrind?
21:58 < gmaxwell> yea.
21:59 < BlueMatt> gmaxwell: also, the amount of work that went into CBlockStore...
21:59 < BlueMatt> anyway...
21:59 < jgarzik> essentially all wallets, and other fun petertodd apps, are query clients for the public blockchain dataset
21:59 < BlueMatt> yes
21:59 < jgarzik> some apps might want additional indices we don't care about, to make things like searching for bitcoin address easier
22:00 < petertodd> yup, timestamp verification is your canonical example where a pure blockheader thing would be useful, fidelity bonded banking/ledgers needs searchable UTXO sets at the other extreme
22:00 < sipa> i do like to see a split (not necessary separate processes, but at least functionality-wise independent) between archival block storage (with optionally some indexes) and UTXO maintenance (with optionally some indexes)
22:01 < petertodd> sipa: Good idea - needs to be done long-term conceptually for aggressive SPV with a healthy network after all.
22:02 < sipa> SPV has nothing to do with that :p
22:02 < sipa> as it has neither
22:02 < petertodd> sipa: brainfart - s/SPV/pruning/
22:02 < sipa> ok
22:03 < petertodd> speaking of: blockchainbymail.com
22:04 < BlueMatt> hahahaha
22:04 < petertodd> It was going to be my April Fools joke, but then someone went off and did it so I gave them the domain. :P
22:09 < warren> petertodd: would be great if the only way to order the blockchainbymail is with bitcoin.
22:11 < petertodd> sigh, recursion...
22:12 < petertodd> related: I'm thinking for a merklized AST what makes sense is merklized forth. The forth dictionary concept is perfect for it, and means you have a simple, easy to implement language already used for embedded and other things (and bitcoin scripting) along with all the usual nice things like editor modes and what not
22:12 < sipa> did you mean: recursion?
22:12 < BlueMatt> sipa: no he meant recursion
22:12 < sipa> BlueMatt: the recursive kind?
22:13 * petertodd is an analog electronics designer, just so you know.
22:13 < sipa> petertodd: dude, what are you not?
22:13 < petertodd> sipa: well, I'm not an expert at anything...
22:19 * jgarzik ponders the bandwidth of QR codes
22:19 < jgarzik> Could a 1MB block fit on a single, printed 8.5" x 11" page?
22:20 < jgarzik> easy enough to have multiple QR codes
22:21 < sipa> jgarzik: there's even a standard for that
22:22 < petertodd> 400dpi works out to 1.87MB at 1 bit per dot
22:22 < petertodd> so I'm guessing no, but it's not far from possible
22:23 < petertodd> computer data storage on paper used to be a thing
22:32 < jgarzik> so
22:33 < jgarzik> header + coinbase tx + list of TX hashes is sufficient to recreate a full block byte-for-byte, assuming fully cached TX's
22:33 < jgarzik> correct?
22:33 < sipa> yes
22:42 < petertodd> Merkle Forth: So you've got your parameter stack and return stack, and are thus at the point where you can recreate Bitcoin scripting. Now the interesting thing to do is add TPM functionality, which means a PCR opcode and stack to allow you to select what you want to consider as the start of the current trusted block of code. Then add an encrypted stack, as expected encrypted with H(sec|PCR tip), and some sort of monotonic counter thing. That should give you enough to do trusted computing with an extremely stable API, and that API itself can be just AST heads of useful library function calls that may actually be implemented directly in C or whatever rather than the opcodes themselves.
22:43 < petertodd> Now off-chain tx's with trusted hardware is just a matter of agreeing on a common program that will manipulate the counters representing value attached to the private keys, as well as agreeing on what signatures sign the classes of hardware you can trust.
22:44 < petertodd> With some careful design you can probably even use the programs themselves to prove fraud/compromised trusted hardware, basically by just providing a program that should have run, and some kind of execution trace proving it didn't do that, at least in many cases.
22:45 < petertodd> Equally, that also makes designing redundant hardware easier, as you can reuse the execution traces to determine if two sealed up uC's running the code executed the code in the same way on the same data.
00:10 < andytoshi> midnightmagic: lol, i formally skipped two grades, but my attendance was ~0 so it didn't matter, just let me get out earlier, so i'd recommend it
00:11 < midnightmagic> oh cool
00:11 < petertodd> andytoshi: huh, must be a regional thing that they settle in Toronto
00:11 < midnightmagic> yikes.
00:11 < andytoshi> midnightmagic: agreed re iranians, the one guy i know is so much fun
00:11 < gmaxwell> Its not something that was widely publicized, I think I only knew it was possible as a result of talking to some prof at the local community college who'd done it himself in the 70s... I caused a number of other people to do it.
00:12 < petertodd> andytoshi: also people from Iraq, Palestine, Afghanistan etc.
00:12 < midnightmagic> then again I personally have never met a single US'ian I didn't love so.. dunno if I'm just a people lover or plain lucky
00:13 < andytoshi> petertodd: cool, also know only one iraqi, two afghanis, no palestinians.. vancouver is all east asia and india
00:13 < petertodd> midnightmagic: it's interesting just how much iran has changed for so many of the Iranians I know - practically a different country now compared to the 70's or so
00:13 < midnightmagic> Yunnan province chinese are awesome
00:13 < midnightmagic> lol
00:13 < petertodd> midnightmagic: most of the ones I knew had grown up here - it was their parents who fled
00:14 * midnightmagic tries to think of a people that irritate him and fails.
00:14 < petertodd> midnightmagic: aussies?
00:15 < andytoshi> haha
00:15 < midnightmagic> petertodd: Hrm, yeah maybe. There's some weird misogyny stuff going on there. But NZ make up for it
00:15 < petertodd> ha
00:15 < petertodd> good, cause my mom's an aussie, and my brother lives there :P
00:15 < midnightmagic> :-)
00:16 < midnightmagic> my cousin is marrying an aussie, he's like the ultimate man's man, great guy
00:16 < petertodd> lol
00:16 < midnightmagic> (in the awesome way, not the chauvinist way)
00:16 < petertodd> sounds about right
00:17 < midnightmagic> :-)
00:18 < petertodd> actually the one group I didn't like at ocad was about half of the Jews from Israel - see, one half left Israel because they couldn't stand the violence, and the other half left Israel because they couldn't stand the violence... and you'd, roughly speaking, have one half of that group be "peaceniks", and the other half be downright frightening if you ever got them talking about the security of Israel. Very bizarre in the context of an art ...
00:18 < petertodd> ... school to say the least.
00:19 < petertodd> Really good example of how utterly polarizing that issue can be with people unfortunately. :(
00:30 < gmaxwell> At the IETF many of the Israel folks are super duper heavy pro-surveillance-state (enough that its conspicuous). I've observed this create some pretty awesome dissonance in hallway conversation with americans of jewish descent. "Government tracking and logging everyone's activity, surely there is no historical precedent for the abuse of this kind of infrastructure!"
00:34 < petertodd> gmaxwell: ha, sounds about right. Really bothered me the one time I heard one of the more militant of them talk about the "Palestine problem" as something that needed a final solution.
00:35 < gmaxwell> Final Solution. Get the case right.
00:35 < petertodd> gmaxwell: good example of how perceived safety works too... the people I knew from Palestine, heck, even Gaza, never seemed to have that kind of hostility.
00:36 < petertodd> gmaxwell: I'll assume they were quoting Ariel Sharon, who gets quoted as saying that in lowercase. :/
00:37 < gmaxwell> I can't even pretend to understand the geopolitics there, but it is interesting to see how different social/cultural backgrounds color positions and perspectives.
00:38 < gmaxwell> I've also seen some people from places with severe organized crime and corruption problems see antisurveillance technology as problematic. In particular because the badguys there have unequal access to it, and because surveillance is _sometimes!_ successfully used against them.
00:39 < petertodd> Yeah. Really unusual that too given there were just as many Israelis I ran into who were truly passionate about the peace process and ending violence; kept running into one of my teachers at protests related to it.
00:39 < gmaxwell> I wonder how different the US perspective on the NSA might be if it were also used to root out a bit of serious corruption in government here and there.
00:40 < petertodd> I think that's a very good point: the middle-east people I knew from OCAD were the first to pick up on the NSA stuff other than tech people I knew.
00:40 < petertodd> While I've yet to hear any Russians bothered by it.
00:43 < petertodd> Of course, Toronto also had the G20, which I think *really* turned public opinion against the police locally with how badly it was handled. First time in my life that all the major papers quite directly accused the police of lying.
00:43 < petertodd> I think that's rubbed off to surveillance stuff in general, at least based on the way people seem to talk about the NSA.
00:44 < andytoshi> petertodd: where i live, there is a general distrust of the "american police state", especially since many vancouverites drive to and from seattle routinely
00:44 < petertodd> andytoshi: interesting! due to border guards?
00:44 < andytoshi> petertodd: yes
00:45 < andytoshi> the american border guards are idiots and aggressive, and we all know people who've been barred from the country for trying to bring dope over
00:45 < andytoshi> about 25% of the time you are 'randomly selected' to go stand in line for several hours while they take your car apart
00:45 < petertodd> andytoshi: heh, might have something to do with my co-workers dislike too: we've had hundreds of thousands of dollars worth of really sensitive equipment destroyed by border guards pulling it apart :(
00:46 < petertodd> andytoshi: took the second occasion before they realized they'd just have to ship stuff by hand
00:46 < andytoshi> when i fly to the US, customs entering the US is fascinating to watch because the non-canadians have to do the police-state record-all-ten-fingerprints thing
00:47 < andytoshi> meanwhile canadians get a special treatment because they would never put up with that, and they are still hostile to the guards and vice-versa
00:47 < petertodd> andytoshi: it's canadians too sometimes...
00:47 < andytoshi> ..and the poor europeans are basically being strip-searched, watching canadians glare at guards as they stand 2 inches over the line they were told to stand behind
00:48 < andytoshi> petertodd: canadian guards? driving in i have had them be assholes before, though they have never taken my car apart
00:48 < andytoshi> flying in, the "customs" process involved them asking if i went to school in the US
00:48 < andytoshi> i said yep, the guy said ok, sure
00:48 < petertodd> heck, I had a friend who tried to go into the states in the middle of summer, with her dog in her car, and they forced her to leave said dog in the car while they interrogated her. The whole time they just stonewalled her as to what was happening to her dog, saying they didn't give a damn. Of course, in reality it was just a pressure tactic and they'd let it out and gotten it some water, but...
00:48 < andytoshi> jeez
00:48 < petertodd> andytoshi: oh, I mean they give the fingerprint treatment to canadians sometimes
00:49 < andytoshi> oh, i got that when i first got my F1 status
00:49 < andytoshi> very annoying, i'll have to replace those fingertips when i get out of school <.<
00:49 < petertodd> ha
00:49 < petertodd> take up quartz glass blowing, and be clumsy
00:49 < andytoshi> :P
00:51 < petertodd> I was impressed with the european border control when I went to the dark wallet hackathon, which was held in an abandoned building with known cyber-terrorist Amir Taaki: didn't ask me a single question
00:51 < andytoshi> haha, excellent
00:53 < andytoshi> is amir a "known cyber-terrorist"?
00:53 < andytoshi> haha, i see, i've never read his wiki page before..
00:53 < petertodd> I sure hope so! I've got an image to maintain
00:54 < andytoshi> https://en.wikipedia.org/wiki/Amir_Taaki#Activism would certainly classify him as a terrorist in america
00:55 < petertodd> agreed, and Esperanto?! evil
00:55 < phantomcircuit> only on tuesdays
00:55 < andytoshi> that wiki page also claims he is on forbes' top 30 entrepreneurs of 2014
00:55 < andytoshi> ..which was published tomorrow o.O http://www.independent.co.uk/news/business/analysis-and-features/meet-the-worlds-next-billionaires--from-mashables-pete-cashmore-to-bitcoin-renegade-amir-taaki-9042710.html
00:55 < petertodd> andytoshi: um... yeah... I believe that guy when he says he's penniless
00:56 < andytoshi> oh, no, that's today's date up top, the article is a week old :P
00:57 < phantomcircuit> petertodd, im pretty sure he has at least like
00:57 < phantomcircuit> 100 euros
00:57 < andytoshi> yeah, the article credits him for darkwallet, but that seems pretty hard to monetize
00:57 < petertodd> phantomcircuit: and one pair of unwashed sweatpants
00:57 < andytoshi> i assume jon matonis was involved in that list ..
00:57 < petertodd> andytoshi: lol
00:57 < phantomcircuit> petertodd, im pretty sure he has only one pair of everything
00:58 < phantomcircuit> maybe he has two shirts
00:58 < petertodd> phantomcircuit: probably both scavenged
00:59 < phantomcircuit> eh probably not quite
00:59 < phantomcircuit> maybe his mom bought them
00:59 < phantomcircuit> (that's always a good way to get new clothes)
00:59 < petertodd> phantomcircuit: works best when your parents live in northern canada... and they invite you home for Christmas
00:59 < phantomcircuit> which is why i get a nice laugh at people accusing him of doing things for bad reasons
01:00 < phantomcircuit> it's just not how he operates
01:00 < petertodd> yup, he's very genuine
01:00 < warren> jgarzik: older versions of osx run in a heavily hacked kvm
01:00 < warren> jgarzik: it's quite a pain
01:00 < warren> jgarzik: I found it easier to buy an old macbook with a broken screen, put it into a data center and ssh->vnc in
01:00 < gavinandresen> I asked Apple developer support about building in a VM, and they basically said "No."
01:01 < cfields> gavinandresen: ok. I'm happy to clean up and document the patching process. Atm it's just one hammer after another, just wanted to get the thing built/working
01:01 < jgarzik> heh
01:02 < cfields> gavinandresen: but ofc that hinges on whether or not you think the goal is useful. If it's deemed not worth the hassle, obviously there's no sense in continuing
01:03 < gavinandresen> cfields: we're on the ragged edge of what we can support with the developers we've got right now, in my humble opinion.
01:03 < gavinandresen> Adding another build environment
01:03 < cfields> hehe, my writing makes me sound so dickish. the above translates to: "think it's worth pursuing?"
01:04 < cfields> gavinandresen: well there is no new environment really. It's just existing environments doing cross-builds
01:04 < gavinandresen> In the grand scheme of things, gitian building gives geeks the warm fuzzies, but doesn't matter diddly-squat to end users. Who are using lightweight wallets anyway.
01:07 < cfields> gavinandresen: given that line of reasoning, there's no need to do linux releases if distros are handling them.
01:07 < phantomcircuit> cfields, oh god no
01:08 < gavinandresen> A good test for whether it is worth continuing: I think we should switch to qt5 for the 0.9 release. How much extra work to get the osx gitian build working? Could anybody besides you do it in a reasonable amount of time?
01:08 < cfields> Not arguing one way or another, but that seems at odds with current development
01:08 < phantomcircuit> the distros are NOT handling them
01:08 < warren> cfields: the distros are really messing it up
01:09 < cfields> heh, just evaluating data-points. I'm not suggesting anything at all
01:09 * gavinandresen notices there is no qt5-mac yet in macports
01:10 < cfields> gavinandresen: i have qt5 up and running on my macbook somewhere
01:10 < cfields> taken from the binary release
01:10 < gavinandresen> cfields: me too! Not using it because autotools.....
01:11 < cfields> gavinandresen: heh, 9235th hint received
01:11 < cfields> gavinandresen: i was planning to knock that out after the dmg. seems i got my priorities reversed.
01:11 < warren> cfields: there's a 200 unit bounty!
01:11 < gavinandresen> mmm. It is always a question of priorities: gitian-built OSX is a would-be-nice for me, not a priority.
01:12 < gavinandresen> qt5 is a priority, because there's a nasty bug in the payment protocol on Windows that is fixed by qt5
01:12 < cfields> gavinandresen: well i resigned from my job and there's a sizeable bounty for the dmg. So in this case the priority was food and shelter :)
01:13 < cfields> gavinandresen: what's the timeline for .9 release?
01:13 < gavinandresen> cfields: Release candidate sometime in January
01:13 < jgarzik> 1 day
01:13 < jgarzik> +/- 100% error factor
01:14 < jgarzik> headers-first sync doesn't seem to be moving?
01:14 < jgarzik> or did I miss something
01:14 < gavinandresen> headers-first sync isn't a showstopper feature for 0.9
01:14 < gavinandresen> it is on my 'nice-to-have' priority list, too.
01:14 < gavinandresen> (way up near the top of that list)
01:14 < gmaxwell> this should probably be in #bitcoin-dev
01:15 < cfields> gavinandresen: if qt5 is that much of a necessity, i can switch gears and get it knocked out this weel
01:15 < gavinandresen> yup
01:15 < cfields> *week
01:15 < cfields> i was under the impression it was just a shiny new toy to play with
01:17 < gavinandresen> cfields: yes, please! qt5 is necessary for 0.9....
01:20 < cfields> gavinandresen: ok. I suppose win32 is top priority, then?
01:21 < cfields> gavinandresen: given that it may cause headaches in linux/osx due to it being new and relatively unpackaged, it'd probably be best to attack it in chunks
01:21 < cfields> meaning: push in support for win32 before it's supported across the board
01:34 < gavinandresen> cfields: okey dokey
01:50 < warren> gavinandresen: what in particular about 10.7 and "anyone at apple to care"?
04:09 < michagogo|cloud> 5:14:50 <cfields> ok, great. So if anyone else want to try to build with gitian, i can provide that file to spare you the trouble
04:10 < michagogo|cloud> Erm, is that file legally redistributable?
05:03 < gmaxwell> I noticed something on the latest surprisingly bad Shamir paper.
05:03 < gmaxwell> ... it was also on the other one, but I didn't notice it there.
05:03 < gmaxwell> Acknowledgments. This research was supported by a research grant provided by the Citi Foundation.
05:05 < TD> huh
05:05 < TD> that is indeed what it sounds like
05:38 < gmaxwell> https://news.ycombinator.com/item?id=6793270
05:40 < TD> yes, i've been wondering what happened to shamir ....
05:45 < TD> makes me wonder if the R and A carried more of the weight than the S
06:02 < Ryan52> heh, a friend of mine was bragging to me the other day that he knows "the S in RSA", in response to the shirt I wore having "RSA" mentioned on it. I guess that may not count for quite as much as he had hoped now. :)
07:18 < Emcy> citi foundation you say
07:18 < Emcy> as in the bank
07:18 < gmaxwell> As in the bank.
07:19 < Emcy> guess we're past the laughing at us stage then
07:20 < Emcy> you should see some of the 'papers' on filesharing which various Ass. of America groups have bankrolled
07:21 < gmaxwell> Emcy: did you see me say the same thing on reddit?!
07:21 < Emcy> um no?
07:22 < gmaxwell> Emcy: http://www.reddit.com/r/Bitcoin/comments/1reuwq/vigorous_debate_over_shamirrons_supposedly/
07:22 < Emcy> i stopped going on the bitcoin reddit because it comes across as mainly a huge price pump engine/death to the foundation noticeboard
07:23 < gmaxwell> hah, that about characterizes it, yup.
07:24 < gmaxwell> I'm pretty sure my net karma in that subreddit (and only that one) is negative... because I keep saying edgy things like "Bitcoin is uncertain and has risks too" :P
07:24 < gmaxwell> Emcy: in any case, see my comment there: http://www.reddit.com/r/Bitcoin/comments/1reuwq/vigorous_debate_over_shamirrons_supposedly/cdmjbze
07:33 < Emcy> nulldc?
07:36 < Emcy> " the existence of a surprising link between the two mysterious figures of the Bitcoin community, Satoshi Nakamoto and DPR."
07:36 < Emcy> oh fuck right off with that shit
07:36 < gmaxwell> yea, its crud.
07:37 < Emcy> this is why satoshi stayed anon, and people still question why
07:37 < gmaxwell> News flash: Two bitcoin users used a common exchange!
07:37 < Emcy> i never knew satoshi ever used an exchange
07:39 < sipa> it's not about satoshi :p
08:15 < wumpus> one of the early adopters used an exchange!
08:16 < gmaxwell> wumpus: someone had to go first!
08:16 < petertodd> Emcy: really remarkable that Satoshi and DPR both used an obscure digital store-of-value system
08:18 < wumpus> hehe
08:18 < Emcy> i bet they both use the toilet too
08:18 < Emcy> half life 3 confirmed
08:19 < petertodd> Emcy: it's going to be sooo weird when it turns out that satoshi was a facehugger
08:19 < gmaxwell> What's a facehugger?
08:19 < Emcy> what now
08:19 < petertodd> http://static1.wikia.nocookie.net/__cb20080712194334/avp/images/b/bb/Alien-The_Facehugger.png
08:20 < Emcy> and the human is the banks rite
08:20 < petertodd> hehe, yup
08:20 < Emcy> heh now watch this chatlog get used in congressional testimony as to why bitcoin was designed to be a parasitic force on the great and the good
08:21 < gmaxwell> If the banks were as tough as sigourney weaver they wouldn't need so many bailouts.
08:22 < petertodd> gmaxwell: nah, banks are the alien queen - sigourney weaver is credit unions, and satoshi is the nuke they should have used from orbit...
08:22 < petertodd> ...only way to be sure
08:22 < Emcy> no they're more like the female lead from the new prometheus film....totally useless but got out of an extremely hairy situation when they really shouldn't have
08:23 < petertodd> Emcy: ha
08:23 < petertodd> Oooooh, there's an alt-coin that hasn't been made yet: HR Giger Coin
08:24 < petertodd> "Your funds are well protected by proof-of-sexual-sacrifice"
08:24 < Emcy> yeah, the logo is an alien dick penetrating some chimera ass
08:24 < petertodd> Brings new meaning to the term "fidelity bond"
08:24 < Emcy> ahuehue
08:36 * gmaxwell checks the channel he's in
09:00 < pigeons> petertodd: sounds like a good additional feature for https://bitcointalk.org/index.php?topic=294383.0;all
09:21 < TD> boggle
09:31 < cfields> michagogo|cloud: by itself, no
09:31 < cfields> michagogo|cloud: you can jump through a series of hoops to get it completely legally
09:31 < cfields> michagogo|cloud: in fact, everyone who has ever built on osx has already done so, it's a requirement
09:50 < jgarzik_> Interesting point by BTC guild op, https://bitcointalk.org/index.php?topic=338452.msg3670185#msg3670185
09:50 < jgarzik_> Makes me want to accelerate my mempool expiration plans
09:53 < TD> or just optimise that algorithm
09:53 < sipa> i started working on a quick patch to use BIP37 full-block-match for block relaying
09:53 < sipa> but it's hard to do now, if we need integration with orphan handling
09:53 < TD> how so ?
09:53 < sipa> implementation reasons
09:54 < sipa> doing that after headers-first is probably much simpler
09:54 < sipa> and safer too, as it will allow validating the header ahead of time
09:54 < TD> maybe you could send the headers-first code you've got to gavin?
09:55 < sipa> the former pull request is public
09:55 < sipa> around christmas i'll have time, i guess :)
10:38 < Emcy> is any pool not capping their blocks
10:38 < Emcy> i think only eligius?
18:25 < warren> bored hacker was the risk we're concerned about?
18:25 < gavinandresen> warren: "many of us" ? be specific, please.
18:25 < petertodd> warren: not exactly a strong guarantee, but it takes pressure off and lets all kinds of solutions be worked on.
18:25 < warren> gavinandresen: perhaps you didn't notice that nearly everyone is in favor of it?
18:26 < petertodd> warren: bitcoin-qt development happens by rough consensus, nearly everyone with strongly opposed minority isn't rough consensus
18:26 < gavinandresen> warren: I was under the impression that sipa/jgarzik/gmaxwell did not feel strongly about it. And I'm listening to Mike Hearn very carefully, because bitcoinj is ACTUALLY USING THE FEATURE
18:27 < gavinandresen> It seems extremely likely that match-only bloom filters will be the default way of propagating nodes in the 0.9 release, too.
18:27 < gavinandresen> (to help address the orphan cost / high transaction fee problem)
18:27 < warren> sipa jgarzik gmaxwell were actually in favor.
18:27 < gavinandresen> ^propagating nodes^propagating blocks
18:27 < sipa> i'm in favor of NODE_BLOOM yes, but i don't think it's urgent
18:27 < petertodd> sipa: +1
18:28 < warren> OK, it isn't urgent enough for 0.8, I agree.
18:28 < sipa> also, match-only bloom filtering has no DoS risk, it can always be available
18:28 < petertodd> sipa: yeah, match-only bloom filtering has nothing to do with the real intent of NODE_BLOOM
18:28 < sipa> it's just a side effect of nicely fitting in the same protocol
18:29 < gavinandresen> I'm already hearing the "why am I getting merkleblock messages when I don't have NODE_BLOOM set" complaints
18:29 < warren> gavinandresen: part of the problem with bitcoinj is its scary absolute reliance on using only the DNS seeds, not asking nodes for peer addresses and not remembering any. It also has no facility to query peers for service bits and deciding not to use that peer. We're looking at fixing that.
18:29 < petertodd> sipa: yup, and as match-only becomes more developed my NODE_BLOOM bip should be updated to figure out how to differentiate them
18:29 < warren> gavinandresen: how is that true? there aren't any NODE_BLOOM nodes yet.
18:30 < sipa> warren: he's prognosticating
18:30 < gavinandresen> warren: if we implement NODE_BLOOM but make an exception for match-all, then that is a wart that future developers will wonder/complain/obsess-over ....
18:31 < petertodd> gavinandresen: yes, which means letting the discussion sit for a bit while that's hashed out is perfectly reasonable.
18:31 < warren> gavinandresen: let's have the full policy discussion for 0.9, no rush for now. We have problems with other implementations of full nodes and future pruned nodes that can't service bloom.
18:31 < warren> gavinandresen: sorry for pushing for 0.8, it's not ready, I agree.
18:31 < gavinandresen> good, we all agree
18:32 < sipa> warren: you mean 0.10 and 0.9 i think
18:32 < sipa> 0.8 has been out for half a year or more
18:33 < petertodd> warren: the question isn't "can't service bloom", it's "don't want to/it would be best if they used their resources in a different way"
18:33 < petertodd> warren: sure, some can't, but that's not the interesting part
18:37 < cfields> which ubuntu version did we end up upgrading gitian to for win32 builds?
18:37 < warren> cfields: 12.04
18:38 < cfields> blah
18:38 < warren> cfields: let's have a fourth VM! =)
18:38 < warren> cfields: you found that any distro clang is good enough?
18:39 < cfields> warren: i just had the fun of ripping out my nightlies and confirming that raring's default clang works
18:39 < warren> trouble there is it isn't LTS
18:39 < petertodd> gavinandresen: re: high fees, if you can get 0.1s latency, and 500KB/s bandwidth between hashing power, 0.1mBTC/KB fees are profitable with 1MB blocks - if you care about the issue, tell BTC Guild, GHash.IO, Eligius and BitMinter/Slush to run some nodes doing private peering and do 1MB blocks and you're done.
18:39 < cfields> without a big hassle, i can't test anything lower. so for my POC, i'm going with raring
18:40 < cfields> if it turns out that it works with earlier versions, that's a bonus
18:40 < petertodd> gavinandresen: if they don't listen, well, that says a lot about pool incentives...
18:40 < warren> cfields: want me to create a 12.04 VM for you to login and test?
18:41 < cfields> warren: nah, nothing's automated. so it's not an easy test, i'd have to recreate my entire env.
18:41 < cfields> i'll script something up as agnostic as possible
18:41 < gavinandresen> petertodd: I'm trying to get out of the business of "Everybody Do What Gavin Says"
18:42 < warren> cfields: if we can figure out how to use new-linux to compile old-glibc compatible binaries, we can have the same VM for all gitian.
18:42 < petertodd> gavinandresen: ok, I'll do
18:42 < petertodd> *do it
18:42 < gavinandresen> petertodd: excellent
18:42 * gavinandresen rubs his hands together like Mr. Burns
18:43 * petertodd rubs his hands together like the board that Mr. Burns is accountable to
18:43 < cfields> warren: aiming for a single abi isn't reasonable to me. someone else can attempt if they'd like, but i won't be spending my time on that
18:43 < warren> petertodd: was that ever featured in an episode? I don't recall.
18:43 < petertodd> warren: it got left out for dramatic purposes
18:44 < petertodd> warren: quite serious I'm really interested to see how pools react to this stuff - it can be taken as a solid sign of centralization after all
18:45 < petertodd> warren: what I'm also interested in, is trying to figure out if this latency/bandwidth stuff - the limits of the "jam free broadcast medium" model - is inherent to the design of Bitcoin and by extension other possible consensus systems.
18:47 < petertodd> warren: e.g. suppose you had a system where multiple blocks could have the non-conflicting parts of them re-merged - how does that change the profitability vs. hashing power effect? can you get a system where the dE/dQ isn't positive, maybe zero or even negative? I dunno.
18:47 < sipa> petertodd: you know about amiller's blockdag idea?
18:47 < petertodd> sipa: that's exactly what I'm talking about
18:48 < petertodd> sipa: could be especially important for p2pool for instance - and it's easiest to implement there
18:48 < sipa> not really, if you say "non-conflicting parts"
18:48 < petertodd> ?
18:50 < amiller> i never got very far on it
18:50 < amiller> it's along the lines of stuff you've talked about anyway petertodd
18:50 < petertodd> amiller: ah, I was going to ask if you had published it
18:51 < amiller> i have rambled about it once or twice in forum posts and bitcoin-dev
18:51 < sipa> petertodd: blocks would refer to a single "valid predecessor" node, but also to 0 or more other blocks of which only the PoW is merged, not the transactions
18:51 < petertodd> sipa: right, and in this case, if merging the PoW also rewards those who did that work in some way, then you may be able to make profitability not so heavily dependent on hashing power and latency/bandwidth
19:15 < amiller> no one's going to like it, but i'm vaguely headed towards a notion of incentive-compatibility in a world of context-dependent values of things
19:15 < amiller> basically the path to that is to realize that miner fees may be in the form of color coins
19:15 < amiller> and you can't prevent miners from being motivated by overlay values
19:40 < gavinandresen> amiller: If "nobody" likes it, then it should be easy to prevent. Just have miners "discourage" blocks that they don't like. We haven't done any of that yet, but the more I think about it the more I think that is the way miners will solve collective-action problems
19:41 < amiller> i mean no one's going to like it just because it challenges the notion of "one true currency" that makes things simpler
19:41 < gavinandresen> amiller: ah, ok.
20:13 < Luke-Jr> gavinandresen: that only works if it's something non-debatable with unanimous consensus against it
20:14 < Luke-Jr> to discourage blocks that are mining legitimately, even if everyone dislikes something, is nothing short of a conspiracy to 51% really
20:14 < gavinandresen> Luke-Jr: doesn't have to be unanimous
20:15 < gavinandresen> if miners are using a variety of policies for how to break block-chain-race ties, then that is perfectly OK
20:15 < Luke-Jr> oh, sure
20:15 < Luke-Jr> I thought you meant deliberately forking
20:16 < gavinandresen> if miners don't know exactly how ties are being broken, all the better.
20:16 < gavinandresen> No, when I say "discourage" i mean relay all orphans, and if there is a tie, use some policy to decide which fork to follow
20:17 < Luke-Jr> makes sense then
20:18 < petertodd> There's also the argument that relaying all orphans levels the playing field between those with and without a lot of nodes, although I'm not 100% convinced - relaying orphans done badly uses up bandwidth that could be used for something else.
20:18 < petertodd> Relaying orphans would be damn convenient though to get good stats...
20:19 < warren> petertodd: just peer with all nodes to get good stats...
20:19 < gmaxwell> I don't think that's obvious at all. Relaying orphans is against your self interest in some cases, e.g. if it helps nodes end up on a different chain than the one your node prefers.
20:20 < petertodd> warren: and if knowing about orphans is ever profitable we've just incentivized an attack
20:20 < gmaxwell> For example, non-relaying of orphans means that an inconsistent hardforking glitch is more likely to pick the least common denominator chain instead of leaving some nodes hardforked.
20:21 < Luke-Jr> let the receiver choose whether he wants it ;)
20:21 < petertodd> gmaxwell: IIRC I mentioned something very similar to that in my discussion about the 30% propagation incentives
20:21 < Luke-Jr> btw, I assume "orphans" here is being used to mean stale blocks..
15:14 < petertodd> A chaumian bank could just as easily encrypt its database and give that to the client in the same way.
15:14 < gmaxwell> petertodd: true but you'd have to transfer the whole thing each time.
15:15 < petertodd> But you still have to transfer the list of spent tokens with zerocoin
15:16 < gmaxwell> oh darn, right the accumulator update proof still requires you to have the accumulator.
15:16 < petertodd> Yup
15:16 < petertodd> in zerocoin the accumulator size doesn't grow IIRC, but the spent tokens do
15:17 < petertodd> also if I understand it with zerocoin the witness required to prove a coin is actually related to the accumulator at a given state - if you want to apply the witness to the most recent accumulator you need to apply every transaction to that witness
16:28 < gmaxwell> hey. So. Lamport signature. Say your private key is 16384 256 bit values. The public key is hash tree root over 16384 256 bit hashes of those values.
16:30 < gmaxwell> To sign, you hash the message and the public key. And you use the results to uniformly pick 9 of the 16384 secrets to reveal.
16:30 < gmaxwell> You reveal them along with the fragments that connect them to the root.
16:31 < gmaxwell> so the signature size is 4.3kbytes or so. Why is this not secure?
16:38 < sipa> is there any reason to assume it's not secure?
16:38 < gmaxwell> I mean, I'm suggesting a variation on lamport which is smaller and which should be more secure under multiple signatures with the same key.
16:40 < gmaxwell> Classical lamport with a tree public key has the signature disclose 256 preimages and 256 hash secrets. I propose instead to disclose only a few, controlled by the hash of the key and the message. And prove that they're the right ones by showing that they're part of the key's hashtree.
16:57 < gmaxwell> ah. okay so that proposal has only 64 bits of security against a rebinding attack by a quantum attacker.
--- Log closed Wed Jul 10 00:00:25 2013
--- Log opened Wed Jul 10 00:00:25 2013
--- Log closed Wed Jul 10 10:10:45 2013
--- Log opened Wed Jul 10 10:11:21 2013
--- Log closed Wed Jul 10 16:48:47 2013
--- Log opened Wed Jul 10 16:49:01 2013
--- Log closed Thu Jul 11 00:00:28 2013
--- Log opened Thu Jul 11 00:00:28 2013
--- Log closed Fri Jul 12 00:00:30 2013
--- Log opened Fri Jul 12 00:00:30 2013
--- Log closed Fri Jul 12 09:51:44 2013
--- Log opened Fri Jul 12 09:52:18 2013
--- Log closed Fri Jul 12 12:46:07 2013
--- Log opened Fri Jul 12 12:46:20 2013
--- Log closed Fri Jul 12 12:57:54 2013
--- Log opened Fri Jul 12 12:58:20 2013
--- Log closed Sat Jul 13 00:00:57 2013
--- Log opened Sat Jul 13 00:00:57 2013
21:07 < amiller__> making some progress on the bitcoin for researchers front
21:07 < amiller__> well more to the point, i can report that other people are making progress
21:08 < amiller__> arvin narayan an assistant prof at princeton is interested in working openly on bitcoin things, and pointed out that it's strange there's no tutorial or survey for researchers https://docs.google.com/document/d/1OGLD6YssxABjvcIdGMqXW-EkZnv6g52iLSUdJrxldJg/edit
21:09 < amiller__> matthew green is also an assistant prof in cryptography and applied security and has sort of started a project he views as a "planetlab for bitcoin" but is basically a similar concept as "scamcoin"
21:09 < petertodd> amiller__: I've got someone interested in a tutorial/survey you can try it out on BTW.
21:09 < amiller__> the zerocoin guy
21:10 < petertodd> amiller__: Not a perfect test, because they know me and I've talked to them about Bitcoin before, but the guy admitted the other day that he still didn't understand enough about mining to understand some statistics questions I was asking.
21:10 < amiller__> h
21:10 < amiller__> m
--- Log closed Sun Jul 14 00:00:59 2013
--- Log opened Sun Jul 14 00:00:59 2013
--- Log closed Mon Jul 15 00:00:02 2013
--- Log opened Mon Jul 15 00:00:02 2013
--- Log closed Tue Jul 16 00:00:05 2013
--- Log opened Tue Jul 16 00:00:05 2013
--- Log closed Tue Jul 16 06:14:42 2013
--- Log opened Tue Jul 16 06:15:12 2013
16:28 < gmaxwell> oh, hey, doing non-interactive cut and choose would let you do things like reasonably compact 1024 of 2048 multisig transactions via (sufficiently powerful) script.
16:31 < gmaxwell> e.g. the pubkey commits to a hashtree of M allowed voters (h1), the signature provides a hashtree (h2) over N approving voters, signatures for a sufficient number of voters selected via CSPRNG from (h2), and the connecting hashtrees.
16:33 < gmaxwell> e.g. a 128 bit security 1024 of 2048 could be done in about 9.5kbytes.
17:42 < petertodd> Nice!
22:53 < petertodd> Note though, this only works in scenarios where creating the signature is expensive/one-time, otherwise there's no cost to keep trying until the cut-n-choose gets lucky.
22:54 < petertodd> So you could do a two-stage tx in this method, if committing to a signature provably costs you something. (like fees paid to a miner in the future)
22:55 < gmaxwell> petertodd: you don't have to if the cut and choose picks enough points you will expect to do >2^128 (or other security parameter, your choice) hash operations before you get one that only picks your chosen values.
22:57 < gmaxwell> obviously it creates some slop right around the threshold, I suppose it would be better for things that required a supermajority.
22:58 < petertodd> gmaxwell: yeah, I'm thinking those edge cases where that's much harder, or for sets that aren't all that large
22:58 < gmaxwell> yea, if the set isn't that large acceptable security starts demanding you provide all the signatures.
22:58 < petertodd> what's the equation for hash functions required vs. proof size exactly? I seem to remember it's not all that forgiving in many cases
23:11 < gmaxwell> It actually works out less well than I thought, because the probability that the hidden set does not contain an opposing voter drops off much less rapidly than the probability that it contains only one supporting voter.
23:13 < petertodd> yeah, I worked it out for trying to do NI cut-n-choose on sacrifice proofs and it was ugly
23:17 < petertodd> idea I had: do a partial UTXO set mode where you build the UTXO set based on what txouts you have verified, starting at the most recent block
23:17 < petertodd> it's interesting, because you can then validate transactions that spend from that partial set with good confidence
23:18 < petertodd> hence such nodes can safely relay transactions and be useful to the network, and over time download enough blocks to become full nodes as well
23:18 < petertodd> makes for a nice SPV->partial UTXO->full node progression
23:19 < petertodd> the scary thing though is you could safely mine in this mode as well... safe from your perspective anyway
23:19 < gmaxwell> e.g. for the probability that your revealed values are the only good ones: product(1/(1024-x),x,1,13)<=1/2^128 which is good, but the "are no false ones" can never have a probability better than 1/(n-1).
23:20 * Luke-Jr ponders why petertodd's remote didn't update with --all :/
23:20 < petertodd> Luke-Jr: my remote?
23:20 < Luke-Jr> petertodd: on github. probably their fault
23:20 < petertodd> Luke-Jr: ah, what code are you interested in?
23:21 < Luke-Jr> petertodd: preparing to do another next-test spin
23:21 < Luke-Jr> so.. everything
23:21 < Luke-Jr> well, everything there's an open pullreq for anyhow :x
23:22 < Luke-Jr> hmm
23:22 < petertodd> Luke-Jr: heh, the mempool rewrite is partial, I only did the pull-req because I wanted to run the pull-tester against it... :P
23:22 < Luke-Jr> petertodd: well, at least this way you'll annoy me and get a rant if it breaks gitian? :p
23:23 < petertodd> Luke-Jr: heh
23:23 * Luke-Jr dunno why the pulltester doesn't use gitian yet
23:23 < Luke-Jr> second --all found codeshark's not updated either
23:23 < Luke-Jr> stupid git
23:24 < petertodd> oh, reminds me, so in the mempool code, I created a CMemPoolTx subclass of CTransaction and use that subclass to store the extra mempool-related data - is that considered good C++ practice?
23:25 * petertodd hasn't done serious C++ programming since highschool.
23:25 < Luke-Jr> petertodd/correct-isfinal-isstandard and discourage-fee-sniping need rebase
23:26 < Luke-Jr> petertodd: bad in our case, at least - the transaction should be capable of being in multiple distinct mempools
23:27 < petertodd> I wanted to avoid that additional layer of indirection - leads to some ugly code
23:27 < petertodd> you'd need to do ref counting too in that case
23:28 < Luke-Jr> good thing boost has pointers to handle that for us <.<
23:28 < Luke-Jr> side rant about rebasing: it prevents anyone from maintaining a real fork of the codebase
23:28 < petertodd> I know, but from what I see we've avoided those constructions everywhere else
23:28 < Luke-Jr> effectively forces centralization on the project
23:29 < petertodd> Luke-Jr: IMO not relevant here because we're talking about code that is getting changed drastically as the pull-req evolves
23:30 < Luke-Jr> petertodd: sometimes. most of the time the rebase is just to adapt to the upstream
23:30 < Luke-Jr> and even then, those changes could be additional commits on top
23:30 < petertodd> Luke-Jr: I think more interesting is what litecoin is doing, rebasing all the 0.7->0.8 changes, where they probably could have done a merge
23:31 < petertodd> So what's your usecase for multiple distinct mempools anyway?
23:33 < Luke-Jr> petertodd: I do that every other month. It's possible, but a real pain.
23:33 < Luke-Jr> petertodd: I wouldn't want to actually *maintain* a client based on it.
23:33 < Luke-Jr> no use case. just proper abstraction
23:34 < petertodd> hmm, well when that case comes up changing things would be a fairly mechanical patch
23:35 < petertodd> more generally it shows how a more functional style would make sense here - we keep on recomputing tx hashes because tx's are mutable
19:22 < maaku_> warren: anti-centralization is uncontroversial. some of the side effects of relevant proposals are worrisome on the other hand
19:23 < petertodd> killerstorm: "can implement lamport" is probably a good minimum test for whether or not your scripting system is general enough!
19:23 < maaku_> there's no clear cut path forward which decentralizes the network without tradeoffs
19:23 < warren> petertodd: 1) easy to MITM 2) easy to determine which keys you have 3) no way of doing authenticated peerings 4) expensive to the server
19:24 < petertodd> warren: right 1) committed (U)TXO 2) all the lessons in my blockchain privacy paper 3) add SSL or SSL-alike 4) prefix-filters w/ appropriate indexes
19:25 < warren> maaku_: multiple competing scalable p2pool-like things with trustless accumulators and more GBT pools would be low hanging fruit
19:25 < petertodd> warren: electrum actually is reasonably close to solving all that, modulo committed indexes
19:25 < warren> petertodd: yeah
19:25 < adam3us> petertodd, warren: prefixes have worse privacy properties than bloom.
19:25 < petertodd> warren: problem is we have to make it *more* profitable to mine with p2pool/decentralized, and that's going to require changing economics
19:25 < maaku_> petertodd: well, Thomas is waiting on me for the indices
19:25 * maaku_ gets back to work
19:25 < petertodd> adam3us: depends on your attack model
19:26 < petertodd> adam3us: again, did you read my paper? :P I strongly think in practice with real users prefix has better real-world privacy
19:26 < adam3us> petertodd: broadcast vulnerable info is like worse because it can be analysed later by anyone, vs sent to one random node
19:26 < adam3us> petertodd: i did, i just disagree.
19:26 < petertodd> adam3us: well, least you read it finally, ha
19:26 < warren> petertodd: the lower orphan rate should help. currently the too-many-txo's in coinbase is a problem.
19:26 < adam3us> petertodd: yeah i skimmed it before also. as i recall gmaxwell has the same view as me on that risk.
19:27 < warren> petertodd: the trustless accumulator should help that
19:27 < petertodd> adam3us: problem is bloom naturally leads to a situation where people broadcast the *exact* contents of their wallets over and over again to random peers, and that's just nasty
19:27 < petertodd> adam3us: android wallet has 1 in 16k specificity for a reason - users want fast syncs
19:27 < petertodd> adam3us: that could really kill coinjoin the moment attackers start running SPV nodes to collect wallet data
19:28 < petertodd> warren: no it won't - it still requires all the expense of running a full node
19:29 < adam3us> petertodd: they are both non ideal solutions. it is considered in privacy that you should pick a random node and stick to it. if it's going to analyse you it already did. if you explore random nodes eventually you'll find a hostile one. tor doesn't do this yet either, but they're planning to fix it.
19:29 < petertodd> adam3us: anyway, prefix *queries* are a categorically better model than bloom filters from the point of view of lookup privacy
19:29 < adam3us> petertodd: that might be. also electrum is like central/trusted type of solution right?
19:30 < petertodd> adam3us: now forcing your txouts to match prefixes may or may not be the right approach, but only prefix queries lets you distribute the load, and thus query specificity leak, across multiple nodes
19:30 < petertodd> adam3us: electrum is not different from bloom SPV in principle
19:30 < petertodd> adam3us: in practice maybe more secure in some models because there are fewer electrum servers
19:30 < petertodd> adam3us: and their operators are better known
19:30 < adam3us> petertodd: but in practice, i thought electrum have a few central servers
19:31 < petertodd> adam3us: meh, picking random nodes and sticking to them isn't very feasible without a "small number of nodes run by volunteers" model
19:31 < adam3us> petertodd: yes if u trust electrum. the other model as said above, pick a random node and try to stick to it.
19:31 < petertodd> adam3us: and even in that model you're better off with prefix queries
19:31 < petertodd> adam3us: electrum *is* the pick a random node and stick to it model
19:32 < adam3us> petertodd: well it's electrum advertising themselves as a trustworthy node. sometimes that is a flag to say don't trust them.
19:32 < petertodd> adam3us: anyway, my prefix solution may leave some statistical data in the chain, but it has the enormous advantage that it doesn't fail hard the moment an attacker does a sybil attack. it also doesn't give that attacker a reason to do that sybil attack
19:33 < petertodd> adam3us: note how prefixes give you decent security even *if* you're connected to the nsa
19:33 < warren> We could just forget about SPV, finish ultraprune and stop worrying about this.
19:33 < adam3us> petertodd: if u use prefix with one-use addresses it seems ok no? no need for explicit prefix
19:33 < petertodd> adam3us: (prefixes + addr grinding)
19:34 < petertodd> adam3us: no! unless your addresses in your wallet are clustered around a prefix, for a given amount of bandwidth you have to have very specific prefixes and thus are leaking a heck of a lot of data
19:34 < CodeShark> what's the prefix solution? using the first few bytes of a pubkey or script hash rather than a bloom filter?
19:34 < petertodd> warren: ultraprune doesn't help with bandwidth
19:34 < petertodd> CodeShark: yeah, there's two parts to it, first for queries you can always query by prefix
19:34 < adam3us> petertodd: could be block range constrained + closeness metric to tune like bloom
19:35 < petertodd> CodeShark: secondly you can always force your addresses in your wallet to *all* be clustered around some prefix, which means you only have to do a single query
19:35 < petertodd> CodeShark: the beauty of the latter is even if you're querying the NSA for blockchain data they learn very little about what's in your wallet, the disadvantage is you leak *some* stat information to the blockchain permanently
19:35 < adam3us> petertodd: yeah but then you're back to broadcasting anon-set reducing info to the block chain for the stats analysis guys to party on.
19:36 < petertodd> CodeShark: I argue leaking some all the time is much better than leaking your exact wallet contents the moment you manage to connect to the NSA
19:36 < petertodd> adam3us: the types of people who have the resources to do stats analysis have the resources to just run 50% of the available nodes to connect to
19:36 < adam3us> petertodd: if you query the NSA with a prefix, they learn the anon-set you are in. just info to help triangulate you no?
19:37 < adam3us> petertodd: eh no? academics do it for like 3rd year project
19:37 < petertodd> adam3us: I mean, shit, I was running about 10% of all public nodes for a few hours to test an attack
19:37 < petertodd> adam3us: yeah, all they learn about is the prefix, and then the stats leak stops
19:37 < adam3us> petertodd: oh ok, u mean on the low side, gotcha
19:38 < petertodd> adam3us: vs. without prefixed addresses *in reality* users set very specific prefix/bloom filters, and then you leak very specific contents of your wallet
19:38 < adam3us> petertodd: but a bloom filter with some decent params can do that also no?
19:38 < petertodd> adam3us: yeah, from the point of view of "clustered wallet addresses" bloom and prefix are identical
19:38 < CodeShark> petertodd: right now with BIP0032, you can have at most 2^31 different keys from a particular master seed - so say you use k bit prefix - that reduces the number of keys to 2^(31 - k), no?
19:38 < adam3us> petertodd: so say TD fixed improved the params
19:38 < petertodd> adam3us: if you're not clustering wallet addrs, bloom and prefix are identical, it's just the latter is way more scalable
19:39 < jtimon> petertodd is there any reason why you can't use several prefixes in your wallet? more bandwidth but more privacy
19:39 < jtimon> ?
19:39 < petertodd> CodeShark: well BIP32 has problems there
19:39 < petertodd> adam3us: it's impossible to fit the params, it's a specificity/bandwidth tradeoff
19:39 < petertodd> adam3us: s/fit/fix/
19:39 < jtimon> say, use 3 prefixes, n instead of 1
19:39 < petertodd> adam3us: if you think params has anything to do with it you didn't understand my paper...
19:39 < adam3us> petertodd: bloom/prefix similar with no addr clustering... yes.
19:39 < CodeShark> perhaps we should expand the BIP0032 child index to 64 bits :)
19:40 < petertodd> jtimon: more prefixes *of the same length* just means you're using more bandwidth
19:40 < petertodd> jtimon: remember this is a bandwidth/anonymity set tradeoff
19:40 < adam3us> petertodd: you claimed the default params were too specific, so make them less so, while still tolerable bw.
19:40 < petertodd> adam3us: the reason why they are so specific is because users aren't tolerating more bandwidth
19:40 < jtimon> petertodd yes, my point is you can make the tradeoff configurable
19:40 < petertodd> jtimon: yes, and you can do that with prefix clustering too
19:40 < CodeShark> petertodd: I'm also thinking about how deterministic m-of-n script chains could work with this prefix model
19:41 < adam3us> petertodd: well more importantly u also said as i recall there was no feature to change the params
19:41 < jtimon> yes, yes, with prefixes
19:41 < petertodd> jtimon: the fundamental problem is that if you don't cluster all your addresses in one prefix or bloom index, then naturally you have to have fairly specific filters, which over time become more specific and let you be attacked
19:42 < petertodd> adam3us: in the library and wallets no, but the bloom filter specification does let you change the params easily by making the filter smaller
19:42 < petertodd> adam3us: smaller filter == less specific
19:42 < CodeShark> there is in my library :)
19:42 < petertodd> CodeShark: good
00:24 < amiller> now for each one of these, if some untrusted agglomeration of network nodes gives me a proof, i can validate this proof with one crazy crypto field multiply.
00:25 < amiller> also no secrets are involved, so the big ol' crazy program can be compiled once for everyone and maybe we can agree on them using checkpoints
00:25 < amiller> or validate them piecemeal or something
--- Log closed Sun May 05 00:00:05 2013
--- Log opened Sun May 05 00:00:05 2013
03:24 < amiller> i haven't looked at my anti-coalition puzzle for a while, but i've learned how to use two crypto primitives to do roughly what i want
03:24 < amiller> the first is a zero knowledge proof, the second is an extractable hash function
03:24 < amiller> i'll explain what the point of this is
03:25 < amiller> to encourage decentralization (or discourage pooling resources) we might want to design a proof of work puzzle that is difficult to outsource
03:25 < amiller> the basic scenario is this
03:26 < amiller> suppose Alice and Bob each have a personal budget, and they have two options: either they pool resources and purchase one big Asic, or they each mine independently with their GPUs
03:26 < amiller> also they don't inherently trust each other
03:26 < amiller> it's more efficient for them to pool resources and buy an asic, although this option is also more centralized and therefore worse for the network overall
03:27 < amiller> assume that if they buy the asic then Alice has to operate it at her house
03:28 < amiller> since they don't trust each other, the only way they'd agree to this is if they can work out an arrangement where Alice can prove that she's operating the asic fairly, meaning in a way that benefits them both equally
03:28 < amiller> the current proof of work puzzle mostly accomplishes this
03:28 < amiller> the basic technique is for Alice to show Bob her shares, like the closest she gets to a winning block each day
03:29 < amiller> more specifically, the winning nonces are a set, and the "shares" are a much larger superset of the winning ones
03:29 < amiller> each computed hash in bitcoin contains a hash commitment to a particular block, so by revealing the block alice can prove that she was running at roughly the correct rate, and that she was only working on blocks that would have paid out equally to both of them
03:30 < amiller> okay so this is bad for decentralization, because in the extreme case everyone might want to pay for shares of a huge mining operation that gets cheap power in sweden or something
03:31 < amiller> what we'd basically want as an alternative is a proof of work puzzle that doesn't admit such a safe outsourcing protocol
03:32 < amiller> the idea is that whoever is operating the asic and doing the hashing should be enabled to run away with whatever the winnings are
03:33 < amiller> what makes the safe outsourcing protocol work for the hashcash pow is that the work contains a commitment to a particular payout strategy
03:34 < amiller> to get this desired anti-coalition property, it should be malleable in the sense that the payout destination is undefined until after the work is complete!
03:35 < amiller> the current work can be thought of as this: h( nonce || block-commitment || payout-commitment ) < difficulty
03:35 < amiller> the basic structure of my suggestion is this: h( nonce || block-commitment || privatekey ) < difficulty
03:35 < amiller> so you can still commit to a block, just it's everything except the actual thing it takes to win the coin
03:36 < amiller> like whoever possesses the private key can claim the prize
03:36 < amiller> so far this is all just a recap i've done this same ramble previously in #bitcoin-dev
03:36 < amiller> now for the new material...
03:36 < amiller> there's a certain property of this hash function that we want which is that it should be "extractable"
03:36 < amiller> extractable is like the opposite of obfuscatable
03:37 < amiller> if it's not extractable, then there's the potential for the involved parties to create some wacky obfuscated hash function where the private key is built into the hash and there's no way to recover it just from evaluating it on different nonces
03:37 < amiller> if it's extractable then that's not possible
03:38 < amiller> extractable hash functions are discussed here: http://eprint.iacr.org/2011/443
03:38 < amiller> it's sort of a recently popular concept because it's equivalent to the super-efficient circuit verification i talked about last time
03:39 < amiller> but it's kind of on shaky ground as far as assumptions go, it doesn't seem possible to prove that a construction is extractable, but there are constructions that are thought to be...
03:39 < amiller> okay so the next problem is
03:40 < amiller> normally you have to reveal the nonce and the block commitment etc as plaintext
03:40 < amiller> but in my scheme where that's a private key, it wouldn't be safe to do so
03:40 < amiller> this is where a zero knowledge proof comes in, all you have to do is construct a zero knowledge proof that you know a privatekey such that the condition holds
03:41 < amiller> and you can still open the block-commitment as normal
03:48 < amiller> to actually give a formal definition for this property i'd have to have something more to say
03:48 < amiller> about like the kind of joint work protocols that i'd consider
03:48 < amiller> because like
03:49 < amiller> any hash function at all could be done as a multiparty computation or a homomorphic outsourcing thing
03:49 < amiller> but basically those would be way less efficient (hopefully)
03:50 < amiller> so i think like the best that can be done is to say something to the effect of well if you want to form a coalition among untrusting parties, then you'd have to use a heavy generic technique which would probably obliterate any advantage from economy of scale
20:43 < sipa> warren: btw, i have a branch of my bitcoin repository (secp256k1) that uses my library, and doesn't need OpenSSL/EC
--- Log closed Mon May 06 00:00:08 2013
--- Log opened Mon May 06 00:00:08 2013
03:41 < warren> sipa: hooray!
03:41 < warren> sipa: I was about to install Ubuntu for the first time ever.
03:43 < warren> I'm sorry I haven't been helpful here.
04:00 < jgarzik> warren: heh, just did so myself tonight
04:01 < jgarzik> warren: felt dirty, too
04:03 < gmaxwell> "I heard jgarzik installed ubuntu, the writing's on the wall"
04:05 < jgarzik> gmaxwell: It was either Ubuntu or debug grub :/
04:18 < warren> jgarzik: I installed ubuntu in a VM but didn't login yet. Now I can wipe it. =)
05:08 < warren> sipa: is the intent for this library to eventually be incorporated as /src/secp256k1, ship as a separate library, or both?
05:16 < sipa> at least as a separate library, but for bitcoin it probably makes sense to incorporate it in the source tree
06:59 < warren> sipa: [warren@newcaprica secp256k1]$ ./configure
06:59 < warren> <stdin>:1:24: fatal error: openssl/ec.h: No such file or directory
06:59 < warren> sipa: I guess that wasn't adapted yet. Makefile works.
07:00 < sipa> oh
07:01 < warren> TODO is also old.
07:29 < sipa> warren: fixed
07:51 < warren> sipa: allocators.h:12:53: fatal error: openssl/crypto.h: No such file or directory
07:51 < sipa> warren: you still need openssl, just no EC-enabled one
07:51 < warren> ahhh, ok
07:51 < sipa> this isn't too hard to change, though
07:51 < sipa> it's only used for RIPEMD160, SHA256 and a PRNG
07:52 < sipa> and libsecp256k1 uses either openssl or gmp by itself
07:52 < sipa> (preferably gmp, as it's faster)
07:56 < sipa> oh, and SSL-RPC, which would be pretty hard to change (though i'm in favor of just removing that, and suggesting to use stun if you need it)
08:19 < warren> /bin/ld: cannot find -lboost_thread
08:19 < warren> I'm missing something...
11:30 < gmaxwell> warren: BOOST_LIB_SUFFIX='-mt' make -j4 -f makefile.unix bitcoind USE_UPNP=
--- Log closed Tue May 07 00:00:10 2013
--- Log opened Tue May 07 00:00:10 2013
14:19 < gmaxwell> So. An idea to make proof of stake more workable... what if coins selected to function as consensus stake were temporarily destroyed at heights where they were eligible for stake and then returned via regeneration, if and only if no one presents to the network evidence that the same stake signed more than one distinct consensus? It still wouldn't prevent abuse of stake to create deep reorgs, since you can't make coin invalidation so ...
14:19 < gmaxwell> ... powerful that it invalidates the coins of downstream users.
18:43 < warren> gmaxwell: does that deal with the "rich getting richer" issue?
18:45 < gmaxwell> warren: I don't think there is any real RGR issue in POS inherently, so long as linearity is preserved. (PPCoin doesn't do a good job preserving linearity)
18:49 < gmaxwell> having to have the stake still for a while does create some richness bias, alas.
18:50 < warren> gmaxwell: Is any form of PoS flawed because any form of it incentivizes pooling of stake to ensure receiving stake rewards, which is an anti-incentive to decentralization? Yes, it's hard for stakeholders to *trust* each other, but if they do they become an unstoppable cartel.
18:53 < gmaxwell> warren: they're all linear, having more stake in one place doesn't increase your ability to mine stake than having it in many. Now you might not care to run validation if you don't have a sufficient consolidation to make your income great... but that's no different than any POW scheme: if _validation_ costs are high relative to users' tolerance such that they have to be paid to validate, then it can't be decentralized.
18:58 < warren> haha. one of the litecoin clones bubbled to be 400% more profitable than mining BTC for a week. Attracted a great many miners then popped. Now it is limping along with new blocks > 4x slower than designed.
18:59 < warren> those stupid exchanges have been adding days old alt coins to trading
20:07 < petertodd> justanotheruser: your communication includes that nLockTime'd tx - that's how you pay for it
20:07 < justanotheruser> petertodd: well you would have to pay a fee for that tx, then everyone would have to pay a fee for the coinjoin tx to go through
20:08 < petertodd> justanotheruser: which you have to anyway - tx's aren't free
20:08 < justanotheruser> petertodd: yes, but with PoS you only have to pay one
20:09 < petertodd> justanotheruser: no, it's identical to pos, except that you ensure something of value is actually lost
20:09 < petertodd> justanotheruser: after all, you can't prove pos other than by signing for a txout scriptPubKey, this is the same, except you've signed a valid-in-the-future transaction with some minor fee
20:11 < justanotheruser> petertodd: When you have stake that means you paid a fee to get the coins. That is what you lost.
20:12 < petertodd> justanotheruser: it's the same argument as merge-mining: to the attacker they can re-use something they already have (txouts sitting around) for free
20:12 < justanotheruser> except for cases where millionaires don't pay fees, but there aren't enough of those to worry about
20:13 < justanotheruser> petertodd: they can use it for free, but they can only use a certain amount of it. Then they have to make another tx to spend again. The coinjoin tx takes care of this.
20:14 < justanotheruser> s/use a certain amount of it/use it to a certain extent.
20:15 < petertodd> justanotheruser: yes, but now you have to have a database of UTXO's whose stake has been proved, vs. there's a natural time limit because the fee sacrifice tx's get mined
20:16 < justanotheruser> gmaxwell: does pinocchio take care of petertodd's concern?
20:17 < justanotheruser> petertodd: Wouldn't proof of burn also remove anonymity in the same way?
20:18 < petertodd> justanotheruser: yes, emphasis on the same way, they're both identical re: anonymity, but the burn version has better resistance to DoS attack
20:21 < justanotheruser> petertodd: I don't understand pinocchio fully, but gmaxwell said it would work for proof of burn and I think he said it would work with PoS
20:22 < justanotheruser> It's a pretty big research paper
20:22 < gmaxwell> what concern?
20:22 < justanotheruser> And I have to look stuff up every page
20:22 < gmaxwell> you guys said a bunch of stuff
20:22 < justanotheruser> gmaxwell: (08:15:21 PM) petertodd: justanotheruser: yes, but now you have to have a database of UTXO's whose stake has been proved, vs. there's a natural time limit because the fee sacrifice tx's get mined
20:22 < petertodd> justanotheruser: pinocchio is orthogonal to the choice between proof-of-stake and proof-of-sacrifice
20:23 < justanotheruser> petertodd: then your comment was irrelevant to the discussion of which was the better method
20:23 < gmaxwell> what pinocchio lets you do is make compact blind proofs from something where you have efficiently extractable authenticated data.
20:23 < justanotheruser> because they both have that flaw
20:24 < petertodd> justanotheruser: pinocchio's proof-of-stake for anti-DoS still requires a UTXO database, or you can re-use proofs. (it becomes like some weird zero-coin thing in that case)
20:24 < gmaxwell> right now because we don't have a committed utxo proof-of-sacrifice will be smaller unless you expect all validators to keep a copy of the utxo themselves. Having the verifiers have a utxo database might actually be a bunch better since it could be restructured in a way to make the proofs small.
20:24 < petertodd> justanotheruser: for the proof-of-burn case, then pinocchio is less desirable because you have to do a separate burn that's actually mined
20:25 < gmaxwell> petertodd: my suggestion for rate limiting based on POS is that you do get a once per $time_interval random ID out of your stake.
20:25 < petertodd> gmaxwell: proof-of-stake for anti-dos requires you to at worst end up storing something like a bloom table of spent stakes
20:25 < petertodd> gmaxwell: it's doable, but potentially ugly long-term if people really want to attack it
20:25 < gmaxwell> yea, you'd then use a hashtable that you keep for $time_interval
20:26 < petertodd> gmaxwell: I mean, you've created an incentive to make a lot of utxo's you know... or failing that, you let rich people block coinjoin
20:26 < petertodd> gmaxwell: at least proof of burn ensures they'll spend fees doing so
20:26 < gmaxwell> petertodd: well of course the proof can emerge a bound on its value.
20:26 < justanotheruser> couldn't your "proof of time" be the hash of your proof plus the unix time being below a certain value?
20:26 < gmaxwell> proof of burn can't be done non-interactively in zero knowledge.
20:27 < gmaxwell> PoS and PoS can be.
20:27 < petertodd> gmaxwell: no, but my trick of nLockTime'd tx's isn't a serious disadvantage - note how you can very much use a different txout than the one you actually join
20:28 < gmaxwell> for coinjoin PoB is pretty great, I agree.
20:28 < gmaxwell> since coinjoin inherently must expose a txout.
20:28 < petertodd> yeah, and for everything else, proof-of-prior sacrifice *with* some kind of domain-specific tag is pretty decent
20:28 < gmaxwell> for something like a replacement for BitMessage's pow I prefer PoS or PoS.
20:28 < sipa> gmaxwell: PoS and PoS (i do keep reading that as piece of s**t...)
20:29 < gmaxwell> Proof of Stake or Proof of sacrifice.
20:29 < petertodd> sipa: PoS and PoX I prefer myself
20:29 < justanotheruser> gmaxwell: should their stake expire after a certain number of blocks? Otherwise they can use the network at no cost
20:30 < gmaxwell> justanotheruser: you'd prove that you had stake as of some reference time that moves periodically.
20:30 < gmaxwell> e.g. first block after midnight utc every day.
20:30 < petertodd> justanotheruser: funny how you actually want the inverse of coinage in this case
20:30 < justanotheruser> petertodd: yes, coin/days
20:30 < gmaxwell> every day at the first block after midnight all the message nodes snapshot their utxo and reorg it into a hash tree and save the root.
20:31 < gmaxwell> Then when you want to use a message for this hour you run the ZK proof to get a token good for the hour that proves you had a coin in the last day's utxo snapshot.
20:32 < gmaxwell> likewise for proof of sacrifice, except you just extract sacrifice like transactions.
20:32 < petertodd> gmaxwell: heck, just prove you have a txout that existed in some time period, and spent a txout prior with some amount of coin-days destroyed
20:33 < gmaxwell> yea, whatever, you can get compact proofs of any of this if you don't mind the participants needing to be bitcoin nodes and thus generating the data extracts themselves.
20:33 < petertodd> gmaxwell: well, that case you'll have all that data in your wallet actually
20:33 < gmaxwell> unfortunately using bitcoin's own data for ZK proofs is kinda craptastic because of having to traverse a whole variable length transaction just to extract an output.
20:34 < petertodd> yup
20:34 < gmaxwell> but if you extract the data directly you can reorder how it's stored.
20:34 < justanotheruser> How big is the proof of stake using pinocchio?
20:34 < gmaxwell> e.g. use exactly the ultraprune data structure though bitcoin itself never commits to it... all participants would come up with the same value.
20:36 < gmaxwell> justanotheruser: the proofs are 288 bytes (well, in the pinocchio paper they might be a bit larger, but they can be done in 288 bytes), plus a few more bytes to identify the serial number, epoch, and utxo set that it's relative to.
20:36 < justanotheruser> That's not bad
20:39 < justanotheruser> gmaxwell: Why is a proof of SHA256 so big?
20:41 < maaku> justanotheruser: SHA256 is a non-trivial function?
20:41 < justanotheruser> maaku: So ECDSA isn't?
20:42 < maaku> that's an apples-to-hot-wheels-cars comparison
20:42 < midnightmagic> gmaxwell: I do not appear to have an easily-accessible sidechain that reorgs out 1000-blocks, if -loadblock can be used to replay the blk*.dat files and the dat files have the sidechains stored in them by default.
20:42 < petertodd> justanotheruser: you don't need to prove ECDSA in this case
20:42 < midnightmagic> gmaxwell: I have one more place where I can look. Would you like me to check?
20:43 < gmaxwell> Because ECDSA is special in that it naturally yields compact proofs of knowledge. There are very few things that do this.
20:43 < gmaxwell> midnightmagic: not that urgent I have it at home someplace.
20:43 < petertodd> gmaxwell: how does that work?
20:43 < midnightmagic> ok
20:44 < midnightmagic> gmaxwell: If it's cleanly possible to get a copy of that I would sure love one. :-D
20:44 < gmaxwell> petertodd: an ECDSA signature is a proof you know the discrete log of the public key value.
20:44 < petertodd> gmaxwell: ah, and these schemes can do that directly?
20:45 < gmaxwell> petertodd: no no. Perhaps we're miscommunicating.
20:45 < gmaxwell> I thought justanotheruser was asking why the pinocchio proofs were much bigger than an ECDSA signature.
20:46 < petertodd> gmaxwell: right, I took it as asking why you couldn't feasibly make a pinocchio proof of an ECDSA sig
20:46 < sipa> ECDSA is basically a scheme designed for creating a compact proof... for a very specific operation
20:46 < gmaxwell> petertodd: oh you could, and ... like all other GGPR'12 proofs would be 288 bytes. Though the proving time might be awful.
20:47 < petertodd> gmaxwell: right, and the proving would be some crazy thing that basically implements ECDSA with some circuit
20:47 < gmaxwell> right, with an arithmetic circuit over some finite field.
20:48 < gmaxwell> (or some boolean circuit, though usually arithmetic circuits are more compact, e.g. they make sha256 quite compact)
20:56 < petertodd> so the pinocchio source code is available, but I don't see any license anywhere
20:57 < petertodd> oh wait, I found it, Microsoft non-commercial, not too useful
22:12 < amiller> i think that is a realistic interpretation of what people have believed about bitcoin without stating it as such
22:12 < gmaxwell> yea, that's a stronger claim and there are a bunch of ways that's wrong.
22:13 < gmaxwell> amiller: they may have, they also think things like 1 confirm is safe.
22:13 < gmaxwell> You can find me disputing the claim that you need >50% to cause trouble all over the forum and on
22:13 < gmaxwell> IRC.
22:13 < gmaxwell> (though not on this particular basis)
22:14 < amiller> so they show one compelling way that it's not the case for x>33% and no one would really dispute that
22:14 < amiller> anyone who's bothered to state incentive-compatible as a goal would not have said that
22:14 < amiller> and it's nice of this paper to introduce incentive compatible and make it clear that's the desired goal
22:14 < amiller> so that whole set of ideas is great and is a good result
22:14 < gmaxwell> well, they haven't published their simulation source and are apparently not interested in doing so. so I'm not actually sure about the 33% number, bytecoin got a different figure in his simulation.
22:15 < amiller> maybe they should have shown the positive result that with x<33%, honest mining *is* incentive compatible!
22:15 < gmaxwell> I don't think honest mining is ever incentive compatible, sadly. Not with a wide enough net of possible bad behaviors.
22:15 < amiller> actually kroll davies and felten in their WEIS paper showed precisely that, but for a more restricted set of strategies (they didn't look at block delay, only which block you build on)
22:16 < amiller> yeah and i showed that it's not if there's a sufficiently big enough anomalous tx fee, but that is easy to fix except for coinbase maturity :3
22:16 < amiller> so does their result actually build *more* evidence that honest mining is incentive compatible under a somewhat wider range of bad behavior?
22:16 < amiller> do you really think it's never the case?
22:17 < amiller> what else does it depend on, like your ability to pull off a double against some 1-confirmers?
22:17 < gmaxwell> no. I'm just saying, I don't know how useful it is to show these things under restricted behavior. People's behavior is not restricted.
22:17 < gmaxwell> amiller: yes, that's one example. Or get paid to censor, as another.
22:18 < amiller> well maybe moving in that direction is the right idea
22:18 < amiller> maybe that's the thing to do is start with incentive compatible under restricted behavior and widen the net?
22:18 < gmaxwell> not just 1-confirmers... at anything under infinite confirms a <50% faction has improved ability to reverse than a smaller <50% faction.
22:19 < amiller> yeah but at some point you're just wasting money for a poor chance
22:19 < amiller> yes an adversary who just *has* a portion of the hash power can keep trying to get a streak-of-7 forever
22:19 < gmaxwell> e.g. the success rate at reversing 15 confirms is higher for a 40% faction than a 20% faction. So that just depends on how big a heist you can pull off. And the size of that depends on how many txn you can put in a block, and how many parties will be exploitable at a number of confirms.
22:20 < amiller> i think that's a game we can win
22:20 < amiller> for some kind of reasonable attack model
22:20 < gmaxwell> amiller: practically nothing in bitcoin land waits for more than 6 confirms. https://people.xiph.org/~greg/attack_success.html
22:20 < gmaxwell> 50% success rate for 40% hashpower.
22:21 < amiller> everyone who waits 6 blocks probably should wait longer?
22:21 < amiller> my only question is this
22:21 < gmaxwell> plus you can outsource the actual performing of attacks by just letting other people send their double spends to you directly, and they pay you a high fee and they get included in your attack blocks.
22:21 < amiller> is the overall network harmed by people setting their threshold too low?
22:21 < gmaxwell> yes, I think they are: you saw the ghash.io thread?
22:21 < amiller> it's like living in a neighborhood where no one buys door locks except you, and that attracts lots of criminals, one of those security analogies
22:21 < amiller> yes i saw the ghash.io thread
22:22 < gmaxwell> 25% miner attacking a zero confirm betting service (hurray!)
22:22 < amiller> but afaict that isn't affecting consensus or anyone with larger confirm threshold
22:22 < amiller> then just think of the stupid betting service as part of the 25% attacker
22:22 < amiller> it isn't a money pump exactly
22:23 < gmaxwell> yea but you now have a mining farm created of captive miners who have no control of their mining, which is controlled by people who can perhaps multiplicatively increase their income by playing games.
22:23 < amiller> let them bleed the zeroconfirm gambling thing dry?
22:23 < amiller> then they have to stop?
22:23 < amiller> i mean that's no different than subsidized mining to attract users and then use them for arbitrary double spends
22:23 < gmaxwell> they could profitably exploit the betting service even if they required 6 confirms, in fact.
22:24 < gmaxwell> (because the house rake on that betting service is only like half a percent or something)
22:24 < gmaxwell> though they might not like the variance of that game. :P
23:56 < ebfull> https://bitcointalk.org/index.php?topic=327064.0
23:56 < ebfull> re: this ^
23:56 < ebfull> when blocks are orphaned and their transactions are re-introduced into the mempool
23:56 < ebfull> what are the transactionseconds for those transactions?
--- Log closed Wed Nov 13 00:00:24 2013
--- Log opened Wed Nov 13 00:00:24 2013
00:01 < ebfull> if it's nil because the node never saw the transaction enter the mempool... then new blocks would have zero incentive to include those transactions because they could be orphaned so easily by a competing miner
00:02 < ebfull> if it does exist, we have to retain a transactionseconds map of arbitrary length to anticipate reorgs
01:32 < midnightmagic> lol. of course they're not interested in publishing their simulator. Why would they be? Fuck science.
01:33 < ebfull> who
01:35 < amiller> ebfull, the ES people with the selfish mining
01:35 < midnightmagic> the "bitcoin is dead unless you fix it with our patch specifically, and choose randomly between two possible forks of the blockchain"
01:35 < ebfull> they made a simulator and are not publishing it
01:35 < ebfull> maybe it sucks as bad as mine ^^
01:36 < ebfull> i actually tried their patch
01:36 < midnightmagic> Yeah, Eyal and Sirer.
01:36 < ebfull> it only slightly dampens the selfish mining attack
01:36 < ebfull> and in fact it makes sybil attacks less necessary
01:37 < midnightmagic> (apologies to channel for foul language.)
01:37 < ebfull> so you not only get the small benefit of the selfish mining attack above 30% or so, but you also don't have to sybil attack the network
01:37 < ebfull> i think they admitted in their paper it raises the threshold to 25% or something
01:37 < ebfull> i don't remember
01:38 < gmaxwell> ebfull: yea that was my immediate observation.
01:38 < gmaxwell> makes an immediate incentive for a large pool to delay their blocks. I generally worry about any scheme that isn't "earliest block first" in terms of the convergence behavior in a real network.
01:39 < ebfull> one thing i want to try to simulate
01:39 < ebfull> is the idea ByteCoin had on the forum
01:40 < ebfull> which was to choose the branch with the most transactions from the mempool (proportional to how long they were in the mempool)
01:40 < ebfull> since the selfish miner won't have as many as the honest miner
01:43 < gmaxwell> I thought that was interesting, but it's complicated to consider possible strategies that encourages completely. e.g. will someone announce old transactions that are unattractive to mine but just enough to get into the mempool and mine those to win races?
01:55 < warren> any way to score quality ahead of quantity?
01:56 < gmaxwell> warren: most things like that are bad for convergence.
01:56 < gmaxwell> e.g. letting you continue to mine in competition instead of extending as long as you can produce a block with better quality.
01:57 < warren> Past assumptions about why big pools are not dangerous assumed that miners would realize the damage a bad pool is causing and move to another pool. The recent huge hashes to the highest bidder makes that seem unlikely.
01:59 < gmaxwell> dunno whose past assumptions those are? not mine. you miss me cheering about ghash.io attacking, and no one budging? :P (well, not for the attack but that I have a concrete example of what I believed)
02:00 < warren> does ghash own all the hardware that hashes there?
02:02 < gmaxwell> no.
02:03 < gmaxwell> ghash is a semi-public pool, most of its hashrate is owned by the public via cex.io. (which is probably really the same people as ghash.io through some wink and nod) but it's all captive.
02:08 < midnightmagic> warren: They did leave deepbit when it was approaching the magic majority a while back.
02:08 < gmaxwell> midnightmagic: not ... quite.
02:08 < gmaxwell> more like deepbit left the miners. :P
02:09 < gmaxwell> (and not approaching, after it was a majority for a fair bit of time)
02:09 < midnightmagic> gmaxwell: Did deepbit kick out a botnet then? Why did its hashrate dip back?
02:09 < gmaxwell> midnightmagic: it was under heavy DDOS for over a week and was unreachable a lot of the time.
02:09 < midnightmagic> hrm..
02:09 < midnightmagic> I wonder if that was btcexpress.
02:13 < warren> gee, if only there were a way to do decentralized mining...
02:14 < gmaxwell> warren: decentralized denial of service, that's almost like decentralized mining, right?
02:15 < warren> gmaxwell: given the fragility of these nodes ...
02:20 < gmaxwell> hm? pools are pretty hard to attack from a bitcoin perspective.
02:21 < gmaxwell> the dos attacks mostly try to run them out of bandwidth, sometimes try to break their poolserver stuff...
15:26 < gmaxwell> (I know what they're doing now, but would prefer to comment after the paper is out)
15:26 < Emcy> righto, be interesting to see if it's the real deal
15:26 < TD> ditto
15:26 < gmaxwell> Emcy: they'll probably keep calling it zerocoin, but indeed, it will achieve somewhat different things and it's done using a different mathematical basis.
15:26 < TD> it's SCIP based, i guess we can say that.
15:27 < TD> but for anything more wait for the paper
15:27 < TD> i'm sure it'll be out soon
15:27 < Emcy> who is matthew green?
15:27 < TD> a top class guy
15:27 < TD> (one of the zerocoin researchers)
15:28 < gmaxwell> ;;lmgtfy matthew green
15:28 < Emcy> http://spar.isi.jhu.edu/~mgreen/ this one i assume
15:31 < Emcy> well he got his doctorate in 3 years with a thesis on a privacy thing
15:31 < Emcy> so we will see
16:19 < adam3us> so i guess people eg amiller were thinking that you could do things with scip - eg you could compact a committed coin with a scip (zkp it adds up and relates to a previous payment)
16:20 < adam3us> probably other variants also scip-coin, so they seemingly have put something together
16:20 < adam3us> but another question is if you could (and there are probably multiple configurations, scip is very general and flexible) would you want to
16:21 < adam3us> meaning it's based on weil pairing and lots of cutting edge stuff
16:22 < adam3us> what's to say shamir or someone isn't going to break some of the assumptions or techniques - so we'd need to know the implications from the security unraveling partly - eg can they then attack individual coins which is maybe too expensive or can they attack the whole system. hard to say without further details
17:29 < amiller> i doubt matt green is using anything with generic zk
17:30 < amiller> i have no idea what's actually in the new zerocoin though
17:30 < Emcy> pixie dust
17:31 < adam3us> amiller: "TD: it's SCIP based, i guess we can say that."
17:31 < Emcy> if it works it could be pixie dust for all i care
17:31 < amiller> i think td is just guessing
17:32 < adam3us> amiller: it seems to me if you allowed scip there should be multiple ways to build a scip-coin with privacy
17:32 < gmaxwell> No, td isn't guessing. It's zk-SNARK based.
17:32 < amiller> oh
17:32 < amiller> well... cool then
17:32 < adam3us> do we know a publication timeline?
17:33 < adam3us> fc2014?
17:33 < amiller> oakland
17:33 < gmaxwell> I dunno, I was told their paper was done and just being edited
17:33 < amiller> he'll put it on arxiv within weeks
17:33 < gmaxwell> well "done" and that they'd send it to me soon.
17:33 < gmaxwell> ah there you go.
17:34 < amiller> it can be zk-snark and still not use the generic tools like pinocchio or scip
17:34 < amiller> in other words i would still guess he'd construct it himself out of bilinear groups rather than compiling a circuit
17:35 < adam3us> amiller: yeah ok terms backwards
17:35 < gmaxwell> there is also compiling a circuit but not using something fully generic like tinyram (e.g. more like pinocchio)
17:35 < gmaxwell> or mixing.
17:36 < amiller> pinocchio is identically as generic as tinyram!
17:36 < gmaxwell> you get pretty different circuits out of it though.
17:37 < amiller> yeah that changes
17:37 < amiller> i think the right question is whether it uses GGPR
17:38 < amiller> which all of the three generic snark projects do so far (scip, pinocchio, pantry)
17:38 < amiller> that's the particular way of using bilinear group primitives to do zk over arbitrary circuits
17:39 < gmaxwell> amiller: eli's group also has a backend that is not GGPR based apparently.
17:39 < amiller> well hm, i'm not aware of that
17:40 < gmaxwell> (IIRC their other one is a fiat shamir on some RS locally testable codes for 'more efficient' pcp)
17:41 < gmaxwell> amiller: IIRC it eliminates the trusted randomness that all the GGPR stuff needs for the construction of the proving key (which if violated allows the construction of false proofs)
17:41 < gmaxwell> but I have no @#$@ clue what the performance is really like, because ... theoreticians.
17:42 * amiller isn't sure about the trusted randomness needed for ggpr
17:43 < amiller> it's public coin to build the verification key, you could do it pseudorandomly like fiat-shamir too
17:45 < gmaxwell> amiller: it's annoying because I think most of the papers have really not been clear about this requirement.
17:45 < gmaxwell> It was my understanding that if you knew the original randomness then you could trivially produce false proofs, but I could be incorrect.
17:46 * warren is greatly amused. Feathercoin has been trying and failing for 2 months to copy Litecoin 0.8.x and make it network compatible with their old 0.6 client.
17:50 < Luke-Jr> lol
17:52 < amiller> unrelated to zerocoin, the whole team at best people at microsoft research have published a workshop paper that no one heard about despite being presented at a workshop a week ago....
17:52 < amiller> http://forsyte.at/petshop-2013/
17:52 < amiller> called, unimaginatively, "Pinocchio Coin"
17:54 < gmaxwell> The coin is (telling) a lie.
17:54 < gmaxwell> hm. so it inflates when you lie about it?
17:56 < Luke-Jr> lol
17:58 < amiller> no, it just uses pinocchio's generic zksnark to do what zerocoin does apparently. it's also a 1 page paper and they give very little analysis.
17:59 < gmaxwell> do these people not feel any pain that their work never gets used in anything?
18:01 < TD> well i guess matthew does, hence the focus on building an actual alt coin
18:03 < gmaxwell> yea it was a general complaint about crypto folks. (well not just crypto, same thing exists in dsp / coding tech)
18:03 * amiller wonders what satisfaction can be had having people use your altcoin...
18:04 < gmaxwell> ;;ticker
18:04 < gmaxwell> oh gribble isn't here.
18:04 < gmaxwell> Well. there is at least <what gribble would have said>. Kinda boring though. :P
18:04 < TD> in fairness, if every crypto paper had to create a useful real world app before they could do the next one, there'd be much less crypto research
18:04 < TD> btw does anyone want to connect with me on Pond?
18:05 < TD> (talking of crypto that needs usage)
18:05 < gmaxwell> a lot of stuff has applications, but it does seem that a lot of things get proven possible and then forgotten.
18:05 < Luke-Jr> amiller: you get to pump & dump?
18:06 < Luke-Jr> TD: wtf is Pond?
18:06 < maaku> TD: is pond stable enough to use for real stuff?
18:06 < maaku> Luke-Jr: email done right, from a crypto nerd's perspective
18:06 < maaku> https://pond.imperialviolet.org/
18:07 < Luke-Jr> something wrong with PGP+SMTP?
18:07 < amiller> metadata?
18:07 < maaku> yes, lots
18:07 < maaku> metadata, reliance on relays, etc.
18:08 < TD> maaku: it sort of sucks on MacOS X thanks to GTK and Go being rather 1990's, imo, but yes, it works and I've been using it to communicate a bit. a guy from the foundation forums set it up with me and we used it to have some back and forth discussions
18:08 < TD> Luke-Jr: the big one (other than it being a pain to use) is that PGP+SMTP leaks who you are talking to
18:08 < TD> Luke-Jr: and it turns out that often you can sort of guess what is being said, if you can see who is communicating
18:08 < Luke-Jr> this doesn't?
18:09 < TD> it's also got no forward secrecy.
private key compromise == all sniffed/obtained comms owned 18:09 < TD> nope, pond runs exclusively over tor and all clients/servers communicate at randomized intervals, sending garbage if there's no real comms to do 18:09 < Luke-Jr> you can see who is communicating with each other over tor 18:09 < maaku> TD: I'll see if I can get it setup and reach out to you 18:10 < TD> maaku: there are binaries these days. if you send me a shared secret then that's all we need 18:10 < TD> Luke-Jr: not really. all you see is a bunch of hidden service connections that send traffic at random intervals. even if you can strip tor, the messages themselves are all encrypted using some very fancy crypto. even the server doesn't know who is sending a message to an account, and of course, accounts are all anonymous anyway 18:11 < TD> basically it's about the most extreme form of secure email imaginable. i'm tempted to call it massive overkill, but ...... maybe these days it's not 18:11 < TD> also the linux version supports using a TPM to implement secure delete, even if you have an SSD that wouldn't normally be able to delete data properly 18:11 * sipa invokes XKCD 538 18:11 < Luke-Jr> I just lost TPM in my upgrade :P 18:11 < Luke-Jr> new mobo just has a header 18:12 < TD> the downside of pond is there's no concept of an email address 18:12 < TD> before someone can send you messages, you have to do a key exchange with them 18:12 < Luke-Jr> and in any case, that's assuming the TPM vendor is trustable 18:12 < TD> well all the TPM is used for is the NVRAM really 18:13 < Luke-Jr> which the TPM *could* be making secret backups of.. 18:13 < TD> nah. they're too limited. 18:13 < Luke-Jr> I wasn't aware of TPMs having open source designs 18:13 < Luke-Jr> or did someone do an X-ray audit or something? 18:14 < TD> their design and features are limited by the spec + cost pressure. there's nowhere for a secret backup to go. 
these things have storage measured in kilobytes 18:14 < TD> but sure if you go full tinfoil hat, then your computer has no way to delete stuff. 18:14 < Luke-Jr> TD: NSA-subsidised additional NVRAM never exposed to the outside 18:14 < TD> the TPM wasn't designed to be used in this way, so that'd require the NSA to be clairvoyant 18:14 < TD> which even I don't believe 18:14 < Luke-Jr> XD 18:15 * Luke-Jr wonders if TPMs from >1 year ago would work on his motherboard's header 18:15 < gmaxwell> Luke-Jr: they should. 18:16 < Luke-Jr> what would they be called? TPM "boards"? 18:16 < Luke-Jr> maybe I could wire my old motherboard's onboard TPM up to it somehow? 18:17 < TD> TPM chips 18:17 < Luke-Jr> chips plug direct into the header? ;) 17:24 < warren> https://bitcointalk.org/index.php?topic=337294.msg3668245#msg3668245 17:25 < warren> sipa: win32 binary works on Linux and Mac, so we could distribute just one build for all platforms. =P 17:25 < warren> bad joke 17:30 < gmaxwell> virtualbox plus the linux binary. 17:30 < gmaxwell> :P 19:44 < michagogo|cloud> Maybe some stripped down, boot-to-Bitcoin Linux distro? 19:45 < michagogo|cloud> I'd guess warren's got experience creating Linux distros... 19:45 < michagogo|cloud> That has the added bonus of allowing people to boot up into it 19:46 < michagogo|cloud> (Non-VM) 21:33 < cfields> heh, i _seriously_ underestimated how much building qt for osx in linux would suck 21:33 < cfields> that was no fun at all 21:37 < phantomcircuit> lol 22:55 * n0g hugs all the wizards <3 <3 <3 22:56 < n0g> I am honored to be in your presence. 23:57 < warren> gmaxwell: EFI bitcoin? --- Log closed Fri Nov 22 00:00:56 2013 --- Log opened Fri Nov 22 00:00:56 2013 04:54 < warren> NMC is now $2.65 ... 04:54 < TD> back from the dead, huh 04:58 < warren> undead 04:58 < warren> TD: somehow BBQCoin is still alive 04:59 < TD> even the name of that coin makes me smirk 04:59 < TD> lol. 
BQC Foundation 04:59 < TD> given how controversial the creation of the foundation was, alt coins sure love the idea 05:11 < petertodd> warren: interesting, namecoin diff is 471M, btc diff 695M, so it is 51% attack secure as a merge-mined coin 05:11 < petertodd> warren: IIRc for a while it was looking a fair bit worse than that 05:34 < michagogo|cloud> Um, BBQCoin?!? 05:34 < michagogo|cloud> ;;google bbqcoin 05:34 < michagogo|cloud> Oh, no gribble 06:02 < sipa> we are gribbless 06:03 < michagogo|cloud> Any specific reason? 06:03 * michagogo|cloud wonders if there's an altcoin called altcoin yet 06:26 < wumpus> not according to this list http://coinchoose.com/ 06:27 < warren> I've come to realize all the scrypt clones are actually useful for something. 06:28 < warren> although I can't tell them what that is. 06:28 < wumpus> there are HoboNickels though, does that come close enough? :p 06:29 < warren> I can't imagine why anyone wouldn't want to use it with that name. 06:30 < wumpus> right, I can't imagine bitcoin would have taken off with that name 06:31 < warren> wumpus: http://coinchoose.com/charts.php this is a more interesting chart 06:31 < warren> Pac Man 06:33 < wumpus> like a pacman eating all the other coins 06:42 < warren> heh 06:57 < Emcy> percentage of chart that looks like pacman: 85.80 07:46 < michagogo|cloud> 13:28:02 <warren> although I can't tell them what that is. 07:46 < michagogo|cloud> Why not? 09:11 < adam3us> michagogo|cloud: suspecting its like evolution in action and he doesnt want to disrupt the process by renting them a clue ;) 09:12 < michagogo|cloud> Now I'm curious :-/ 09:13 < gmaxwell> "Prime directive" 09:14 < michagogo|cloud> okay, I need to go get dressed -- Shabbat Shalom and I'll see you tomorrow night 09:25 < n0g> Good morning, everyone. *hugs* 09:42 < adam3us> y'know i've been musing about subliminal channels and smart-card wallet with observer protocols from Brands and others for eg the trezor. 
some people opined that well why should i trust a trezor wallet. well indeed - trust no one - thats the point of crypto currency 09:43 < adam3us> so with these observer protocol the smart card subliminal channels are 100% plugged its only "communication" is logical level one-bit at a time by failing with an error msg instead of signing, which you're going to notice 09:45 < adam3us> the idea is the observer (your desktop/latop/smartphone computer) sends a zkp that the blind protocoin (not yet signed coin) has the given input txids, vales etc whatever you need the signature on. the trezor displays that info for the user to cross check, signs it, the observer unblinds the signed coin, and then has an extended ECSchnorr sig which is transferably verifiable to anyone 09:46 < adam3us> and yet there is no effective subliminal channel - the only way for the trezor to squeal is to have malware on your observer, or have an unadvertised bluetooth or something in it (maybe want to make it a mini faraday cage:) 09:54 < gmaxwell> adam3us: so, it would be simpler to just use the device in a multisignature manner with the observer as another signer, no? then it could squeal but if the observe was strong, it wouldn't matter. 09:55 < adam3us> yes i think u certainly could stop it squeeling via a multisig 09:56 < adam3us> gmaxwell: however your primary issue is the insecurity of your observer. this is the most corrosive driving force for security attacks ever invented by several orders of magnitude 09:57 < adam3us> gmaxwell: certainly doesnt hurt to multisig it, but 99.9% of your security is in the trezor, so it would be nice if it's subliminal channel is blocked. i think lack of end2end secure, mutually airgapped finance built on to of bitcoin may start to erode its value and potential 09:58 < gmaxwell> right, but if your observer is compromised then the blinding procedure won't stop it either. 
09:59 < adam3us> gmaxwell: address authenticity is the other problem, you cant trust anything your online computer is telling you. eg exchanges should be end2end airgapped at both ends with a chain code shared by the exchange trezor and the user trezor 09:59 < gmaxwell> And sure, if you'll note, I wanted them to switch it to determinstic DSA so it was more easily auditable against side channels. 09:59 < adam3us> gmaxwell: this is true, but if the observer is not compromised you dot 10:00 < gmaxwell> if you use dice to come up with your master key and load it into the tresor, then everything that comes out should be deterministic and reproducable by a simulator. 10:01 < adam3us> gmaxwell: yes the deterministic DSA is verifiable with a paper backup and an offline computer and ec calcultor, which is nice; the observer allows you automatically and safely online prevent the subliminal channel (ie yes if your observer is compromised you have a problme, but the observer doesnt have secrets) 10:01 < adam3us> gmaxwell: agreed. i was wondering if you could make a dsa variant, or another way to compute a dsa that can be publicly verified as subliminal channel free. ie against the public key. 10:03 < gmaxwell> adam3us: you could probably have the signer produce a zkp that the r is (g*H(message||private key)) 10:03 < adam3us> gmaxwell: the deterministic DSA requires the private key to verify, maybe there's another way to do it where you get a dsa sig an something that proves it was generated fairly. eg proof of concept SCIP. provide also a proof that you know k and k was chosen as H(d,m) via scip and auxilliary proof 10:03 < adam3us> gmaxwell: yes exactly 10:04 < gmaxwell> now the problem is that the signer is a 40 mhz cortex-m3 with 256k of ram. :P 10:04 < adam3us> gmaxwell: you know it would be even better if its compact and publicly auditable so the miners check it and reject htem 10:04 < adam3us> gmaxwell: if they are non-deterministically signed... 
then your hw has no power to abuse a subliminal channel 10:05 < gmaxwell> adam3us: meh, that would just make the transaction bigger. if it gets into the network even if it doesn't get mined a badguy can see it. 10:05 < gmaxwell> adam3us: huh? it's easily possible to have a working subliminal channel with non-deterministic signatures. 10:06 < gmaxwell> E.g. keep drawing random numbers until r encodes some bits for you. 10:06 < adam3us> gmaxwell: it was split across to ims. i meant to say if you can prove its deterministic (to the observer) then your hw cant cheat you 10:06 < gmaxwell> oh indeed. 10:08 < adam3us> gmaxwell: see eg you can have an optically isolated observer. mini tablet with no network, point it at screen qr code, it displays msg and green check box that yes this coin has no subliminal channel 10:08 < adam3us> gmaxwell: could be the new era analog of the paper note counterfeit detectors 10:08 < gmaxwell> So a proof would work nicely for this, but making it pratical would be hard. (such a proof could also inhibit people storing other garbage in the blockchain) 10:09 < gmaxwell> "digital iodine pen, now with 100% less snake oil" 10:10 < adam3us> gmaxwell: a nice side effect to be sure (garbage stuff on the block) that seems like it needs nother step tho eg prove the receiving address as a private key known to someone- we could already do that at the cost of some bloat (eg selfsigned public keys as addresses) 10:10 < gmaxwell> adam3us: you could have a optically isolated tresor' with the same private key loaded in it (but you don't need to trust it much because its isolated) and it just checks signatures. 10:11 < gmaxwell> adam3us: you don't even need the bloat in the history because you'd throw the proof out and only check it in for the most recent block. 
10:12 < adam3us> gmaxwell: broadcast but not stored, validated spv style by late joiner full nodes, yes 10:14 < adam3us> gmaxwell: the other mechanism direction was thinking maybe you can do a direct zkp, rather than fiat shamir transform, eg if you replace the hash H(m,d)=SHA-256(m,d) with like H(m,d)=mG+dH for some point H with unknown discrete log 10:15 < gmaxwell> ha ha 10:15 < adam3us> gmaxwell: then make a signature with that. dH would be secret also. that is broken no doubt, but maybe it can be fixed 10:17 < gmaxwell> I'm laughing due to my failed attempt to convince djb that we ought to have curve parameters selected so that strong nothing up my sleeve points exist. Because we don't know how our generator was selected it's possible whomever picks it knows the discrete log of an apparently nothing up my sleeve point. 10:17 < adam3us> gmaxwell: yes that is a no no, thats what went wrong with EC_DRBG 10:18 < adam3us> gmaxwell: the base point needs to be proven.. eg by hash2curve on digits of pi or such things 10:18 < adam3us> gmaxwell: didnt he do that? 17:47 < amiller> or a dsecription 17:47 < amiller> (or just elaborate here?) 17:47 < jrmithdobbs> gmaxwell: even with a pre-sorted map all historical txns in the chain? 17:47 < gmaxwell> amiller: because the colored coin rule says that the color goes into the first colored coins worth of txouts. 17:47 < amiller> so only one txinput can be colored? 17:48 < amiller> only splits no merges? 17:48 < jrmithdobbs> gmaxwell: and by 'the chain' i mean the blockchain, not the usage/history chain of those coins 17:48 < gmaxwell> amiller: TXOUT. I'm specifically saying tracing forward from the genesis, not backwards from the payment. 17:48 < jrmithdobbs> gmaxwell: it's getting more prohibitive but still feasible after all 17:48 < gmaxwell> and if you split then its the first N or whatever, and yea, you have to trace them all in the case of a split, thus why I mentioned meet in the middle. 
17:48 < amiller> you mean i trace *all* the ones forward? 17:49 < amiller> i see 17:49 < gmaxwell> or you have someone just preidentify the paths and you just confirm them, which is fundimentally easier. 17:49 < amiller> yeah i'm just thinking of the ones needed to confirm 17:49 < gmaxwell> and I have no clue about code for this. As I said, most people talking about this crap have not implemented it and are missing how expensive this is. 17:50 < amiller> i wish i had some way to express this bound 17:50 < gmaxwell> some of the stuff that was implemented simply just keeps an enormous database and traces the color (according to their rules) of every coin. 17:50 < jrmithdobbs> it's only one of the most computationally expensive features ever requested 17:50 < amiller> that's what i first wrote down 17:50 < jrmithdobbs> I don't know that I really agree with the necessity of it 17:50 < amiller> it's the same as mastercoin in that case 17:50 < amiller> you get nothing like spv security 17:51 < amiller> you need to build the index for every coin that *might* interact with a coin later that you care about 17:51 < amiller> or else traverse a potentially exponential number of tx 17:51 < gmaxwell> yes, thats been one of the objections to all these stupid parasitic things. The network is blind to them, but the network is blind to them. 17:51 < sipa> i wish we hade pruning and spv in the reference client, so all these fancy-feature implementers would at least realize what they're precluding 17:52 < sipa> gmaxwell: the first member of tautology club... 17:52 < gmaxwell> after all, you could just have a bitcoin where the blocks were nothing but timestamps and miners didn't validate anything. ... of course you could never have any kind of lite node in that world except centeral server trusting ones. 17:53 < gmaxwell> sipa: don't worry we'll just <arms wave> use checkpoints to make our uber indexes scale! 
or we'll like, write those checkpoints into transactions so you can get them in the blockchain too. 17:53 < sipa> Easy. 17:53 < jrmithdobbs> gmaxwell: i just vomitted a little 17:54 < sipa> gmaxwell: if the indexes grt toobig, you use a DHT of course 17:54 < sipa> and rainbow tables 17:54 < sipa> *get too big 17:54 < jrmithdobbs> dht is my favorite of those 17:54 < jrmithdobbs> lol 17:55 < gmaxwell> yea, plus if that doesn't handle it we can use an xml database with ldap to haddoop to achieve webscale in the cloud! 17:55 < jrmithdobbs> there's no problems to solve with a massively distributed untrustworthy dht rite guys? 17:55 < amiller> grrr 17:55 < gavinandresen> rainbow tables are pretty 17:56 < jrmithdobbs> gmaxwell: and you could do elastic scaling pools of resque queues synchronized by a redis entry and just give up on this decentralized nonsense while we're at it 17:56 < amiller> colored coins definitely aren't fungible if some of them are potentially way more expensive to verify than others 17:56 < amiller> i'm annoyed if anyone really thinks that's preferable than the index approach 17:56 < amiller> if everyone has to keep an index then colored coin has no advantage over mastercoin 17:57 < gmaxwell> amiller: the index approach isn't cheap either, no spv nodes, just some gigantic index. 17:57 < amiller> yes 17:57 < gmaxwell> amiller: well mastercoin requires coding in a bunch of extra stupid data into transactions which seems kinda silly, since if you have to have that index why can't that index store it? 17:58 < amiller> not really, if it's published then you have a guaranteed ordering 17:59 < amiller> it is reasonable to use bitcoin as append only log in that sense 17:59 < gmaxwell> In any case, minus that detail they're actually the same thing, index vs trace being an "implementation detail", likewise the system depending on its own currency that the creators minted and manually issued is an implementation detail. 
17:59 < gmaxwell> amiller: you can get guaranteed ordering from the hash of the state rather than coding it explicitly. 17:59 < amiller> no you can't 17:59 < amiller> because it's indeterminate whether the preimage of a hash has been revealed yet 18:01 < gmaxwell> amiller: makes it halariously vulnerable to censorship if they're counting on the blockchain as a jamming free communications channel. 18:01 < amiller> why? 18:02 < jrmithdobbs> amiller: because you can outbid them for space and delay their comms indefinitely under some circumstances 18:02 < amiller> that's no worse than with bitcoin proper 18:02 < gmaxwell> because they're trivially distinguishable. 18:03 < jrmithdobbs> amiller: right but bitcoin isn't trying to differentiate inputs like this so it doesn't matter, delaying the data distribution can effectively delay any affect from the color system decreasing it's value 18:03 < gmaxwell> It would be in the rational self interest of bitcoin users and miners to not allow the currency to be dilluted by the non-fungable mastercoin transactions which are trivially distinguishable. 18:03 < jrmithdobbs> amiller: if i can pull off a heist and delay coloring of my coins for 48 hours i can probably spend them 18:03 < jrmithdobbs> eg 18:04 < amiller> i see 18:04 < amiller> well... if you can delay blocks to full validating nodes... then 18:04 < amiller> i dunno i don't really see a conflict with requiring bitcoin to implement a jam free network sufficient to validate transactions 18:04 < amiller> you have to at least run the tx through the hasher 18:04 < amiller> you can prune it before validating etc 18:05 < jrmithdobbs> don't have to delay blocks just SD style spam with paid fees (what I'm talking about isn't free, I'm sure you could come up with more inventive similar attacks) 19:50 * Luke-Jr stabs Google for signing him up for G+ without permission 19:51 < gmaxwell> Luke-Jr: it's not all bad, ... now you can show up in ads endorsing products! 
and you didn't even have to go to a tryout! 19:51 < Luke-Jr> I don't want to be on G+ 19:51 < MoALTz> accidentally clicked one button that did it all? microsoft did that to me a few years ago 19:51 < Luke-Jr> my only guess is when YouTube asked if they can put a space in my name "Luke Dashjr" instead of "LukeDashjr" when I left a comment 19:52 < gmaxwell> yea, youtube does that. 19:52 < Luke-Jr> didn't say I was joining G+ 19:52 < Luke-Jr> -.- 19:52 < gmaxwell> you have to just not use youtube for 12 hours after it pops up that rename dialog. 19:52 < Luke-Jr> srsly? 19:53 < gmaxwell> yea, works for me. you can delete your google+ but it'll keep doing the thing after the fourth or fifth consecutive video you view. 19:55 < BlueMatt> or not comment on youtube videos? 19:55 < gmaxwell> BlueMatt: nah, it gets triggered even if you don't comment if you view a couple videos in a row 19:55 < BlueMatt> lol, wow... 19:57 < gmaxwell> It also helps to be in an office with a couple other google+ refuseniks... since you can share mechenisms for getting around it. though there seems to be no workaround for some things. E.g. no way to do hangouts. 19:57 < gmaxwell> so we have a sacrifical mac in the office for hangouts access that has its own dummy account. 19:57 < BlueMatt> or you could just have a dummy g+ account on your google account, its not like you have to use it 19:57 < BlueMatt> you just get counted as a g+ "active" user 20:01 < K1773R> there should just be a way to opt out... 20:10 < Luke-Jr> gmaxwell: therefore, discourage people from doing Hangouts 20:11 < Luke-Jr> gmaxwell: Google Apps which upgrade to Hangouts lose XMPP interoperability -.- 20:16 < jgarzik> Hangouts > Skype 20:16 < sipa> hangouts <-> XMPP works fine, as long as you don't do groupchats 20:16 < sipa> unsure about federation though 20:23 < gmaxwell> Luke-Jr: it's hard to discourage google employees from using hangouts. 
:P 20:30 < Luke-Jr> gmaxwell: "you won't be able to talk to me" works for me 20:30 < Luke-Jr> jgarzik: two bad choices don't make the lesser bad a good one 20:31 < Luke-Jr> there are open standards for all this; Google just doesn't care apparently 21:32 < jgarzik> XMPP is exceeding lame 21:33 < jgarzik> and I speak from experience, having coded solutions for it back when it was called Jabber 21:34 < jgarzik> It's hard to fault people for avoiding a lame standard 21:37 < Luke-Jr> jgarzik: it's better than none at all 21:38 < phantomcircuit> xmpp is pretty horrible 21:38 < jgarzik> http://gigaom.com/2011/06/30/google-hangouts-technology/ 21:39 < jgarzik> I cannot find any open protocol docs, but it does use several open techs 21:39 < jgarzik> XMPP is not meant for real time multi stream audio+video 21:47 < BlueMatt> was there a bug in a recent satoshi client that allows it to forward vin empty txn? 21:48 < phantomcircuit> BlueMatt, yeah there is 21:48 < phantomcircuit> or was 21:48 < phantomcircuit> i cant remember if it was fixed 21:49 < Luke-Jr> jgarzik: SIP is 21:50 < jgarzik> phantomcircuit, not sure if it was fixed... I think it was tracked down to $something wound up writing an all-zeroes transaction to the wallet, or somesuch. 21:51 < phantomcircuit> jgarzik, oh i think i found it 05:04 < Luke-Jr> all recorded Church teaching is consistent with current Church teaching 05:05 < petertodd> As in, in my model I'm saying Catholic teaching can change in reality, but of course everyone knows it doesn't, therefore any inconsistencies are obviously imperfect records of the past. (I jest obviously) 05:05 < Luke-Jr> except there are no historical records to support that 05:06 < petertodd> Luke-Jr: it's a joke! 05:06 < Luke-Jr> jokes are supposed to be funny. 05:06 < petertodd> Luke-Jr: funny is subject to consensus problems :p 05:07 < petertodd> proof-of-comedy would be an aweful way to do an alt-coin... 
05:09 < petertodd> anyway, in all seriousness, my other point is you don't want a standard based on "the best interests of the child" because you want diversity in society. For instance, you could make an argument that homeschooling isn't in "the best interests of the child" and stop parents from doing so, when we're much better off having that diversity in society. 05:11 < petertodd> The right approach is "Does this cause sufficient provable harm that we can't accept it?" 05:13 < petertodd> on topic: WTF is with 122.108.150.47, it reports nServices as 00002017 05:14 < petertodd> Five bits set in total. 05:18 < Luke-Jr> petertodd: not quite. the problem is that the question doesn't exist. 05:18 < Luke-Jr> governments do not have *jurisdiction* over child custody/care 05:19 < Luke-Jr> they have no grounds to even set any standard at all 05:20 < Luke-Jr> so even if it can be demonstrated that Joe Parent's way of raising his children is harmful, nobody has the authority to kidnap his children 05:21 < petertodd> ok, so can I murder my own kids? 
05:22 < Luke-Jr> hopefully someone would stop you 05:22 < petertodd> indeed, maybe someone paid by my tax dollars 05:23 < Luke-Jr> maybe 05:23 < Luke-Jr> they still can't kidnap your children, though 05:23 < Luke-Jr> and if you actually succeed in killing one, you're then a criminal who can be locked up 05:23 < petertodd> ah, see, now that could be closer to a reasonable standard: if it's not behavior that would get the parents criminal charges, maybe the state should keep it's hands off 05:25 < Luke-Jr> actually, on that note, that's part of why the US is as bad as it is 05:25 < Luke-Jr> since there's no criminal charges filed, they never have to prove anything 05:25 < petertodd> that's a very good point 05:25 < petertodd> child protection actions should absolutely be held to standards of due process 05:40 < adam3us> luke-jr: btw i wasnt saying move to .ch i was saying put your money there and declare it on your US tax form, in that way your funds are protected from US court decisions, the swiss model is they have jurisdictional authority and do not accept foreign courts and law enforcement unproven claims, they require to see the proof 05:41 < adam3us> luke-jr: and the activity has to be illegal by swiss laws, not by foreign laws - and their laws are generally more sensible, and more fairly interpreted with less risk of political interference 05:41 < adam3us> luke-jr: of course I wouldnt doubt the US law enforcement would present outright forged evidence to try get their way if they were worked up enough 05:43 < adam3us> back on topic: posted some crypto comments on the mintchip like "othercoin.com" guys thread https://bitcointalk.org/index.php?topic=321085.msg3440818#msg3440818 05:44 < adam3us> i think its far more efficient and he doesnt need crypto hw accel that he's giving up openness and signing NDAs to get access to 05:44 < adam3us> and probably 10x the hw cost for also 05:45 < petertodd> interesting 05:46 < petertodd> what's available for open source 
smartcard devel? 05:46 < petertodd> when I looked I couldn't find remote attestation, so you'd be stuck with a trusted distributor 05:46 < adam3us> retep: brands is a genius :) u dont need anything much to do the observer part 05:47 < petertodd> ? 05:47 < adam3us> retep: just cx+w mod n (one 256-bit mod mul, one 256-bit add these are integers not point ops) 05:47 < adam3us> retep: that can be done in software, now crypto accel on an 8-bit card in a timely fashion; about hw tamper resistance i am not sure 05:47 < adam3us> retep: correction now=no 05:49 < petertodd> right, but these cards are stuck implementing ECDSA exactly like bitcoin needs, there's no alternative 05:49 < adam3us> retep: to my way of thinking, relying on the good behavior of a hw manufacturer central or a small pool is the antithesis of user controlled blockchain security, and its not far removed from an AES encrypted balance and MAC msgs flowing between cards with a shared key 05:50 < petertodd> (other than revealing d and locking coins to H(d), but that doesn't have verifiability) 05:50 < adam3us> retep: is there anyway we could get EC schnorr sigs deployed w/out a hrd fork 05:50 < petertodd> yeah, we can add anything we damn well want in a soft-fork 05:50 < adam3us> i'll volunteer to implement EC schnorr and write the BIP 05:50 < petertodd> it's not going to happen for a long time 05:50 < adam3us> there are dozens of wins from schnorr over the wretched DSA 05:51 < adam3us> eg k of n, n o n sigs in teh space of one sig 05:51 < petertodd> all of which don't matter because even I don't know what you're talking about :P 05:51 < adam3us> blding etc 05:51 < petertodd> we can't even get people to support p2sh... 
asking for new sig methods is hopeless in the near future 05:51 < adam3us> retep: schnorr is better and enables many things; dsa is a cheap and inferior knock off of schnorr 05:52 < petertodd> as I say, it's completely irrelevant because the politics of changing anything in bitcoin is a nightmare 05:52 < petertodd> go propose it to litecoin instead 05:52 < adam3us> retep: i started out anti-alt-coin, but the more i see this kind of thing, the more its weakening that reasoning 05:52 < petertodd> yup 05:52 < adam3us> retep: i prefer the bitcoin staging approach to lite-coin 05:52 < petertodd> I'd give it 50:50 that you could get that implemented in litecoin in, say, two years 05:53 < petertodd> bitcoin staging is hopeless because there's no financial incentive, litecoin is your bitcoin staging 05:53 < adam3us> retep: why dilute the digital scarcity with a param tweak if you're not even one of the first week "soft premine" winners 05:55 < adam3us> retep: i just mean its destructive of the meaning of digital scarcity, to lend support to param tweaks like litecoin, if you want to o it, i think do it with the bitcoin-staging mechanism with or without foundation buyin 05:55 < petertodd> meh, we can live with one tweak 05:55 < adam3us> retep: as that retains the 21 mil coin cap and doesnt start a fresh gold-rush 05:56 < adam3us> retep: yes we could but its partly a matter of principle: why should we enrich a bunch of param-tweakers, just because bitcoin itself cant change quickly due to security validation risks of soft forks/hard forks, hence bitcoin staging 05:56 < petertodd> destructive or not, doing stuff in litecoin is viable, and has the advantage that the competition can induce bitcoin to actually change 05:57 < petertodd> anyway, go write the code! we can figure out how exactly to deploy it later 05:57 < adam3us> retep: scrypt(1) is broken for its design objectives... 
its even a bad param tweak - its not even memory hard 05:57 < petertodd> all this stuff is the exact same codebase 05:57 < petertodd> who cares? litecoin exists and has ameniable politics 05:58 < adam3us> retep: true 05:59 < adam3us> retep: maybe the observer proto can be made to work with ECDSA but i am not looking forward to the slog of figuring out if or how, it just seems so stupid to be using DSA given the multple clear advantages of Schnorr were its all trivial 05:59 < petertodd> explain the observer protocol? 06:03 < adam3us> retep: so with schnorr, similarly to dsa, the signature is computed all mod n not group values (except for the initial witness r=kG in DSA and analogus a=kG in schnorr) 06:04 < petertodd> right 06:05 < adam3us> retep: so in ECDSA sig is r,s where r = R.x from R=kG, and s=k^-1(H(m)+rd) mod n where in EC Scnorr: sig is a,s: a=R.x, s=k+H(a,m)d mod n 06:06 * Luke-Jr ponders why adam3us is using retep for petertodd 06:06 < petertodd> Luke-Jr: it's backwards day 06:06 < adam3us> retep: verification is ECDSA sR=?H(m)*G+rQ in ECSchnorr its rG =? A+cQ whre c = H(a,m) 06:06 < petertodd> right 06:06 < Luke-Jr> ?yllaer 06:06 < adam3us> luke-jr: he has a ridiculously long handle & ive been typing too uch and its his bitcointalk handle :) 06:07 < Luke-Jr> adam3us: .. you don't have a real IRC client? :p 06:07 < petertodd> don't you have copy-n-paste? 06:07 < Luke-Jr> pe<tab> is sufficient 06:07 < adam3us> luke-jr: its pidgin and i am a irc client n00b so i am probably missing existing features 06:07 < petertodd> BTW, I prefer to be called by my full name: peterkevin-georgetoddthethird 06:08 < adam3us> petertodd: (hot damn thanks luke-jr TAB works)! 06:08 < petertodd> (or if you're british: thehonorablepeterkevin-georgetoddthethird 06:08 < Luke-Jr> didn't IRC have a 7 character limit to nicks? or was it 11? 
06:08 < Luke-Jr> <.< 06:08 < petertodd> Luke-Jr: it got turned up to 11 06:09 < adam3us> petertodd: ok so the interesting thing about schnorr is there is no dreaded k^-1 factor so its easy to do 2 of 2.. just add the k & c*d contributions together, DONE! 06:09 < warren> <petertodd> destructive or not, doing stuff in litecoin is viable, and has the advantage that the competition can induce bitcoin to actually change 06:09 < warren> <---- has already happened 06:10 < warren> <adam3us> retep: scrypt(1) is broken for its design objectives... its even a bad param tweak - its not even memory hard 06:10 < adam3us> petertodd: now observer, because of the flexibility there is a DL generalization called the representation problem instead of Q=xG you can have Q=xG+yH for two generators G & H whic no one kows the DLof 14:21 < CodeShark> throwing more hardware at making bitcoin scale seems to encourage greater centralization, though 14:22 < adam3us> maaku: anyway the comment was part of some wide-ranging what-ifs i tried to isolate the dependency bitcoin puts on mining, and it turns out there are multiple entangled reasons 14:22 < petertodd> yes, but bitcoin will easily survive having transactions gradually become more expensive 14:23 < nsh> "There are levels of survival we are prepared to accept." -The Architect. 14:23 < petertodd> nsh: transactions already actually cost like $50 each; fees can go up a hell of a lot 14:24 < CodeShark> $50 each?!?!? 14:24 < nsh> hmm 14:24 < CodeShark> are you talking about international wire transfers, petertodd? :) 14:24 < petertodd> CodeShark: yup. 
total new bitcoins created out of thin air * $/BTC / # of transactions = $50 14:24 < adam3us> there are multiple paths to policy neutrality: actual decentralization, moderately central nodes having insufficient info to do policy (committed tx) 14:25 < adam3us> petertodd: yeah but thats a point in time description allocating all of reward to tx fees; as number of tx increases and reward decreases the cost/tx falls 14:25 < CodeShark> petertodd: I don't follow - block rewards don't cost the parties transacting bitcoins 14:26 < CodeShark> it has a small inflationary effect, perhaps 14:26 < CodeShark> but that affects everyone 14:26 < petertodd> adam3us: sure, but the point is the *economics* are such that bitcoin works at a real cost of $50/tx, which implies that the core usage of bitcoin is as a store-of-value/speculation 14:27 < petertodd> adam3us: maybe it'd start to get ugly at $10/tx, but we can certainely survive $1/tx 14:27 < CodeShark> petertodd: so you're saying that each transaction spreads a cost of $50 amongst all holders of bitcoins? 14:28 < adam3us> petertodd: seems like the reward is the reward, its just a distribution mechanism/bootstrap mechanism. i dont see a reason to equate it to tx cost at current tx rates 14:28 < petertodd> CodeShark: no, I'm saying the cost to run the whole bitcoin system is $50/transaction 14:28 < maaku> petertodd: that's saying subsidy is $50/transaction 14:28 < CodeShark> petertodd: who foots the bill? 
14:28 < petertodd> CodeShark: that's not to say the *marginal* cost of a transaction is $50, but it strongly suggests that much higher fees are economically feasible 14:28 < adam3us> petertodd: the supposition is that % of income from mining crosses over as tx # increase so that fees take over as reward tapers 14:29 < petertodd> adam3us: exactly, and given the system functions just fine with a huge fixed cost, making that into a marginal cost is likely fine to a first approximation - my main worry is actually off-chain systems being *too good* and not supporting miners enough 14:30 < petertodd> adam3us: but we probably have ~10 years before that's a big deal... 14:30 < adam3us> so far no one made a remotely plausible off chain anything other than TDs micropaymens channel but thats point to point so its just a way to avoid aborts on a tab 14:31 < petertodd> adam3us: micropayment channels are *not* off-chain, don't call them that 14:31 < maaku> adam3us: freimarkets 14:31 < petertodd> adam3us: and I'd say fidelity bonded banks, especially w/ trusted hardware, are perfectly plausible, they just won't happen unless fees make them happen 14:31 < maaku> but i think you have some confusion over what off-chain is 14:31 < adam3us> maaku: isnt freimarkets on chain (on freicoin or other coin) 14:32 < adam3us> petertodd: there you go that is off-chain 14:32 < petertodd> adam3us: I think you a word 14:32 < maaku> adam3us: private accounting servers (with atomic transfers with the public chain, including bitcoin) are part of the spec 14:32 < adam3us> maaku: off-chain is like not on-chain ;;) 14:33 < maaku> and i'd count open transactions too 14:33 < adam3us> maaku: yeah you could say chris odom open transactions is focussing on off-chain 14:33 < adam3us> maaku: the problem is all the off-chain stuff i've seen loses fundamentaly 1 or 2 important and useful bitcoin functions 14:34 < maaku> well the key part is how value is moved on and off chain 14:34 < maaku> chris only figured 
that out with his "holy grail" voting pools 14:34 < maaku> which still aren't implemented, i think 14:34 < maaku> adam3us: if it didn't lose bitcoin functionality, it'd replace bitcoin entirely 14:35 < adam3us> maaku: or what properties are left once you have the coin in some offchain situation. eg what OT tokens backed in bitcoin? thts not going to be as secure, nor distributed etc 14:35 < petertodd> adam3us: and to that, so what? losing my $100 morning coffee slush funds every once in a while isn't a big deal 14:35 <@gmaxwell> :( https://github.com/spesmilo/electrum/issues/512 14:36 < maaku> let me rephase ... you can't expect an off-chain solution to be better or equal to bitcoin in every way, or else it will be strictly speaking better (off-chain scales better), so what are we doing? 14:36 < petertodd> gmaxwell: huh? every time you make a paymen tto an address it goes into the "used" bin and gets hidden 14:37 < adam3us> maaku: well itd be nice to minimize the feature loss offchain. maybe its possible to not give up anything even. we can at least try with that objective 14:38 < petertodd> adam3us: don't let perfect be the enemy of good enough 14:38 < maaku> adam3us: well i'm on board with that. 
recognizing that the goal is something we weill probably never achieve (and if we did we'd replace bitcoin entirely) 14:38 < adam3us> maaku: eg say btc gets to minimum amount of $10k on chain, perhaps a solution is multiple side-chains and atomic swaps into the main chain for example 14:38 < maaku> but shoot for the moon and you'll at least land among the stars 14:39 < adam3us> maaku: i just like to understand clearly the requirements (rather than think in terms of the artefacts of the current system) not all of the artefacts may be actual fundamental limitations 14:39 < maaku> who knows what the minimal, least impactful features are that we'd have to give up, so might as well try to keep them all 14:41 < CodeShark> atomic swaps would also permit a fully decentralized cryptocoin exchange :) 14:41 < adam3us> maaku: yeah well so far all my design rejigging attempts ended up making something worse, its definitely hard; seems like bitcoin only-just-works, and its multiple features so inter-dependent on mining its hard to modify anything 14:42 < maaku> CodeShark: what's the value of having more than 1-2 decentralized currencies? :P 14:42 < adam3us> CodeShark: this is true; somewhat. you also need script extension to have non-stalling (otherwise people will stuff the order book to manipulate price with cryptocoins they have no actual intention of selling). ie so you can take the ask, by definition by satisfying its price 14:43 < CodeShark> maaku: there are different use cases where different features might be more/less desirable - economic parameters, confirmation times, etc... 
14:43 < adam3us> maaku: i think one digital scarcity definition (bitcoin) is the limit, 14:43 < adam3us> CodeShark: they are mostly excuses for me-too-coins aka pump & dumps with no transactions and so no intrinsic value 14:44 < maaku> CodeShark: I challenge you to come up with one real example that isn't better served by some other off-chain solution 14:44 < petertodd> gmaxwell: oh hang on, just tried that myself... weird, recv addr list not getting repopulated, yeah, that's a WTF 14:44 < petertodd> gmaxwell: recent bug I think 14:44 < adam3us> bitcoin-staging with 1:1 peg (as discussed a few days ago by BlueMatt & gmaxwell) is the answer IMO 14:45 < CodeShark> adam3us: I'm familiar with that argument - and while true that all the alt coins are essentially bitcoin ripoffs, I see it differently - I think the parameters Satoshi chose for bitcoin are completely arbitrary - what's not arbitrary is the block chain concept as a decentralized timestamping mechanism. why should we get stuck on a specific set of arbitrary parameters? 14:45 < adam3us> anyone not doing that needs their pump & dump sabotaging financially of via mining difficulty attacks 14:45 < maaku> adam3us: in my view changing the nature of the decentralized money is the only valid reason to try a different coin (like we've done with freicoin, and I'm sure there are other possible variations) 14:45 < maaku> but changing interblock time, proof of work algorithm, subsidy algorithm, etc. has ~zero real world benefit 14:45 <@gmaxwell> CodeShark: they aren't completely arbritary, as alts have been created which only changed the "arbritary" ones and turned into fireballs as a result. 14:45 < adam3us> maaku: yes freicoin actually and namecoin are not param tweaks 14:46 < adam3us> CodeShark: yeah satoshi clearly but extensive modeling into the params; pretty much all alts are outright worse 14:47 < CodeShark> adam3us: Satoshi is the wright brothers and bitcoin is the first powered airplane. 
14:47 < petertodd> CodeShark: and our job as bitcoin developers is to upgrade that airplane to a modern Boeing 787, without landing 14:48 < andytoshi> gmaxwell: i saw that comment on #bitcoin too, i left 14:48 < andytoshi> idk how you can tolerate so much of that channel at once 14:48 < nsh> my secret is copious consumption of crack cocaine 14:48 < petertodd> andytoshi: my contacts at the vatican say greg's getting canonized when he kicks the bucket 14:49 < maaku> CodeShark: you know the wright brothers spent years in their private wind tunnel perfecting their airplane before it ever flew ;) 14:49 < adam3us> CodeShark: like i said i think param tweak alts that try to start a new race are pump & dumps; and if one did come along that got real transactions, it would rise to instead be dangerous to the confidence in digital scarcity which is too valuable a new concept jeopardize with toy pump & dumps 01:12 < realazthat> I remember the data structure 01:12 < midnightmagic> google also leaves out the wooledge bash wiki when you goog for bash questions. never understood that. 
01:12 < realazthat> from a quick scan of the paper, and remembering his video, he was very into testing random graphs 01:12 < realazthat> and that is suspicious right off the bat 01:13 < realazthat> because random graphs are easy 01:13 < realazthat> its suprisingly hard to get random hard problems 01:13 < Luke-Jr> midnightmagic: http://www.youtube.com/watch?v=kLueWNsYRno 01:13 < realazthat> one common way is to do RSA => SAT => HAM 01:13 < realazthat> and those fail all the solutions to HAM 01:13 < realazthat> and if they don't, well then you can profit :D 01:14 < realazthat> ah yeah 01:14 < realazthat> thats *awesome* vid 01:14 * realazthat is eagerly awaiting codes 01:15 < Luke-Jr> the more I think about it, the more I convince myself it's impossible 01:15 < realazthat> lol 01:15 < realazthat> I haven't gone through the math 01:15 < realazthat> I prolly wouldn't understand it 01:15 < Luke-Jr> is the math actually published yet? 01:15 < gmaxwell> Luke-Jr: there is basically a decade of papers behind this one. 01:15 < realazthat> mmm I think gmaxwell was saying he was gonna publish "tomorrow" a while back 01:15 < gmaxwell> The most important are the PCP from graph coloring problems papers, and the tinyram paper. 01:16 < realazthat> I haven't even begun to think applications yet 01:16 < realazthat> it is exciting :/ 01:16 < Luke-Jr> gmaxwell: do they make sense to you? <.< 01:18 < zooko> I consider this more of a novelty than an important result, but: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1773169 01:18 < gmaxwell> Luke-Jr: I can follow parts of the math, not all of it. 01:18 < Luke-Jr> gmaxwell: enough that you can vouch for it being possible? 01:18 < gmaxwell> http://eprint.iacr.org/2012/071.pdf < in any case, this is the paper to start research from right now. 01:19 < gmaxwell> Luke-Jr: oh yea, sure it's possible. Although the succinct proofs are not sound, they're only secure against a computationally bounded attackers. 
(like cryptographic security) 01:20 < gmaxwell> If you accept proofs which are polynomial in the amount of computations these systems can produce sound proofs, ones which can't be forged even if the attacker is not computationally bounded. 01:21 < gmaxwell> In addition to that paper, there is a earlier paper by Eli about RS codes over finite fields which is important to understand how the proofs are made succinct. 01:22 < realazthat> mmm so this seems to be a somewhat good solution to untrusted hardware perhaps, as well, no? 01:22 < realazthat> was that mentioned somewhere? 01:22 < Luke-Jr> gmaxwell: what stops me from simply redefining a crucial x86 opcode? ;p 01:22 < gmaxwell> realazthat: Yes, eli pointed that out specifically in discussion. 01:22 < realazthat> ok 01:23 < Luke-Jr> then it will run the same code, but produce a different result.. 01:23 < gmaxwell> Luke-Jr: well, you're not executing x86 but instead "tinyram" which is a instruction set that has ~24 opcodes. 01:23 < Luke-Jr> hmm 01:24 < Luke-Jr> so the feature is an integrated part of an emulated CPU basically 01:24 < Luke-Jr> and I presume it has some way to stop me from redefining one of the 24 opcodes? 01:24 < gmaxwell> (add/mul/sub/and/or/xor/shal/shr/not/mov/cmp*/jmp/load/store) 01:25 < realazthat> if you redefine it, the signature will obviously not verify your output to the program 01:26 * Luke-Jr ponders a good way to distract himself from the urge to pester CareBear\ about his copyright issues so he can release BFG 3.1.0 already <.< 01:30 < midnightmagic> Luke-Jr: at a certain point, I'm not going to be able to resist an eve:online reference about carebear tears. :) 01:30 < Luke-Jr> midnightmagic: O.o 01:30 < Luke-Jr> aha, games 01:30 < Luke-Jr> that's how I cna distract myself 01:30 < petertodd> games? you mean like making cryptocurrencies? 01:31 < Luke-Jr> I mean like freeciv 01:31 < petertodd> well, you combined the two... 01:31 < gmaxwell> go try to read that paper. 
:P (of course, you'll need to go read the ones it references...) 01:31 < Luke-Jr> I did! 01:31 < Luke-Jr> my freeciv has a Cryptocurrency technology :P 01:31 < gmaxwell> that was pretty cool. 01:33 < petertodd> gmaxwell: usually I can pretend I have a real degree, reading that paper is not one of those times 01:34 < Luke-Jr> petertodd: you say that as if degrees have value! 01:34 < gmaxwell> One way of thinking about the proofs is that a reed-solomon code lets you efficiently verify the validity of data. Their work lets you use an RS code to verify that arbritary boolean constraints for data are true... then they run the program and create a transcript of the execution, 01:35 < gmaxwell> and reduce the program to a boolean set of constraints that only vaid transcripts would match.... 01:35 < petertodd> Luke-Jr: heh, first and second year calc/analytics were well worth it, even if I failed the latter 01:35 < petertodd> *analysis 01:35 < Luke-Jr> petertodd: I bet you could have learned it faster on your own ;) 01:35 < petertodd> gmaxwell: I now have to recursively evaluate reed-solomon codes... 01:35 < gmaxwell> they apply an RS code to the result, and are able to then send only part of the RS code output, along with a proof that the constraints match the program, and a proof that the RS coded transcript matches the constraints. 01:36 < petertodd> Luke-Jr: No actually, absolutely not. The analysis part of the math I did take was by far the hardest thing I've ever done and there is no way in hell I would have gotten anywhere without uni. I know this because I tried going through the textbook the summer before... 01:37 < gmaxwell> the whole reduction of the programs execution to constraints is pretty tricky thing, it involves passing the execution through a sorting network and then using the sorting computation to create a graph coloring problem. 01:38 < petertodd> gmaxwell: See, I kinda follow that, but not in the sense that I would know if you were bullshitting me. 
01:38 < Luke-Jr> lol 01:39 < gmaxwell> petertodd: I can't say that I understand it _that_ much better. I basically understand what they're doing but not in the kind of complete way needed to see problems with it. 01:39 < petertodd> oh lovely: https://www.btproof.com/ yet another timestamper... I think they're all using the blockchain.info API 01:40 < petertodd> gmaxwell: Yeah, as you say, 10 years of research. 01:42 < gmaxwell> also lots of deeply nested stuff, I wouldn't be surprised if no one person working on it really understands the whole thing. 01:43 < petertodd> Mostly true of Bitcoin too, if you include the inner workings of the crypto primitives in that set. (esp. hashing algorithms) 01:44 < gmaxwell> It's true. ... or ... boost. :P 01:46 < petertodd> ... 01:47 < midnightmagic> gmaxwell: That's a really big beard. How long did it take you to grow that badboy? 01:47 < Luke-Jr> lol 01:47 < gmaxwell> midnightmagic: I trim it every couple weeks. 01:47 < gmaxwell> so no idea. 01:48 < gmaxwell> midnightmagic: what picture of me are you looking at? 01:49 < midnightmagic> http://www.youtube.com/watch?v=qgJtaBE6uT8#t=6m1s 01:49 < midnightmagic> That's you waving right? 01:49 < Luke-Jr> lol, gmaxwell is in it? XD 01:49 < Luke-Jr> apparently I'm right in the center of the altcoin Q&A XD 01:49 < gmaxwell> yes, thats me. 01:50 < midnightmagic> cool 01:51 < Luke-Jr> I should have feigned falling asleep when the ripple guy went on and on 01:51 < midnightmagic> lol 01:52 < realazthat> lol 01:53 < midnightmagic> Luke-Jr: http://www.youtube.com/watch?v=fZ85cssgDmI#t=0m29s ah there you are. 01:53 * midnightmagic is growing sadder and sadder to have missed out 01:53 < gmaxwell> midnightmagic: yea, you suck. People asked about you multiple times. 01:53 < midnightmagic> aww 01:53 < Luke-Jr> midnightmagic: can't say we didn't try! 01:54 < midnightmagic> no sure can't. 01:54 < zooko> It would have been nice to have met you IRL. 01:54 < midnightmagic> zooko: You too! 
01:55 < realazthat> there'll be another one 01:56 < realazthat> prolly 01:56 < realazthat> unless that P=NP paper does pan out after all :P 02:01 < petertodd> jgarzik: was thinking some more on the k-v store idea... 02:01 * zooko 's ears perk up 02:02 < petertodd> jgarzik: So I think the sacrifice specially marked txout needs to be able to back reference *two* prior txouts, and you should store cumulative size in there as well. 02:03 < petertodd> jgarzik: To incentivise small size k-v maps I'm still not sure... If the rule is largest total sacrifice always wins, that doesn't take storage size into account, but if it's value/size, then empty blocks win. 02:04 < petertodd> jgarzik: Probably want something in between, but now you get to pick a constant and... ugh 02:04 * petertodd feels like gavin... 02:04 < petertodd> zooko: did you see the discussion earlier? 02:05 < zooko> petertodd: I did not. 02:06 < petertodd> -wizards needs archives... 02:06 < petertodd> Essentially jgarzik needed a key-value store, and I came up with one based on a proof-of-sacrifice, where the best block is defined by total sacrifice. (roughly speaking) 02:07 * zooko boggles at the concept. 02:07 < petertodd> The trick is, the sacrifices in the Bitcoin blockchain are made to be identifiable, which means that if someone withholds the block associated with a sacrifice, you can be sure your fork wins by just sacrificing more than they did. 02:08 < petertodd> The incentive to build on others blocks, is then simply that you are building on their sacrifices, and in turn that gives an incentive to propagate your blocks. 02:09 < realazthat> I can paste logs 02:09 < petertodd> I've got them too 02:09 < realazthat> ok 02:09 < zooko> Is "proof of sacrifice" explained on the wiki or somewhere? 02:10 < zooko> Welcome, nejucomo. (I invited him.) 
17:53 < realazthat> Finally, if you're up to writing a LLVM (or any other compiler) for our TinyRAM spec (which is a very simple and nice virtual machine) we'll be happy to share the spec. It will also go online soon. 17:53 < realazthat> ^^ 17:53 < petertodd> Nice! 17:57 < petertodd> Hmm... mind, the problem with my scheme is it's non-recursive; the wager has to be a large fraction of all previous sacrifices... hmm... 18:06 < petertodd> ACtually, no this works: so lets say my sacrifices form a linear list, with a total sacrificed sum at position i of S(i). The rules are now that with propability 1/S(i) I can "cut-the-chain" and do not need to provide the previous link in that list to consider my sacrifice valid. 18:07 < petertodd> The problem is my expected proof size is still long... 18:13 < petertodd> With a tree construction I can keep the proof size small though by picking between n previous sacrifices. 18:17 < petertodd> The other trick, for picking the random number based on the block hash, is you can do a weak proof of work to arbitrarily make it harder to pick the hash. IE run SHA256 n times to make an attacker spend n more resources (in terms of thrown away blocks) to pick the number. 18:20 < petertodd> re: tree, construct a merkle-sum-tree of the prior sacrifices, and randomly pick a single sacrifice out of that n for the one you are required to keep. 18:22 < petertodd> What's interesting, is that provided you have a means to do the commitment and a followup random nonce, you can use this same principle for any proof-of-work system. 18:23 < petertodd> Yet another example of how the very existance of Bitcoin makes Crypto-Magic possible... 
--- Log closed Wed Jun 05 00:00:07 2013 --- Log opened Wed Jun 05 00:00:07 2013 --- Log closed Thu Jun 06 00:00:10 2013 --- Log opened Thu Jun 06 00:00:10 2013 --- Log closed Fri Jun 07 00:00:13 2013 --- Log opened Fri Jun 07 00:00:13 2013 --- Log closed Sat Jun 08 00:00:16 2013 --- Log opened Sat Jun 08 00:00:16 2013 --- Log closed Sun Jun 09 00:00:19 2013 --- Log opened Sun Jun 09 00:00:19 2013 --- Log closed Sun Jun 09 03:35:39 2013 --- Log opened Sun Jun 09 03:35:56 2013 --- Log closed Mon Jun 10 00:00:22 2013 --- Log opened Mon Jun 10 00:00:22 2013 --- Log closed Tue Jun 11 00:00:24 2013 --- Log opened Tue Jun 11 00:00:24 2013 --- Log closed Wed Jun 12 00:00:27 2013 --- Log opened Wed Jun 12 00:00:27 2013 11:27 < amiller_> good morning, it's a great day to be a wizard 11:29 < jgarzik> time for more wizzing 11:47 < petertodd> speaking of, I'm trying to figure out how to model flood fill on a random graph, so really the expected number of nodes reached at time t 11:48 < petertodd> everything I see from google talkes about maximum's... not so useful --- Log closed Wed Jun 12 13:32:30 2013 --- Log opened Wed Jun 12 13:32:47 2013 --- Log closed Thu Jun 13 00:00:31 2013 --- Log opened Thu Jun 13 00:00:31 2013 --- Log closed Fri Jun 14 00:00:33 2013 --- Log opened Fri Jun 14 00:00:33 2013 --- Log closed Sat Jun 15 00:00:36 2013 --- Log opened Sat Jun 15 00:00:36 2013 06:48 < HM> the NSA are pretty good at boiling down complex crypto for their presentations 06:48 < HM> and expressing it simply 06:50 < HM> i bet it's a great organisation to work for, just for being exposed to all kinds of interesting work 07:39 < amiller_> my roommate used to work for the NSA but he quit, he says he hated it 07:39 < amiller_> now he is doing a startup company about yoga classes 07:40 < HM> lol 15:58 < midnightmagic> As I understand it, it's pretty universally miserable working at places like the NSA unless you're a particular kind of human, or motivated by some external philosophy. 
--- Log closed Sun Jun 16 00:00:38 2013 --- Log opened Sun Jun 16 00:00:38 2013 --- Log closed Mon Jun 17 00:00:41 2013 --- Log opened Mon Jun 17 00:00:41 2013 --- Log closed Tue Jun 18 00:00:44 2013 --- Log opened Tue Jun 18 00:00:44 2013 --- Log closed Wed Jun 19 00:00:47 2013 --- Log opened Wed Jun 19 00:00:47 2013 --- Log closed Thu Jun 20 00:00:50 2013 --- Log opened Thu Jun 20 00:00:50 2013 13:29 < jgarzik> petertodd, Seen this? "The Economics of Bitcoin Mining 13:29 < jgarzik> or, Bitcoin in the Presence of Adversaries" http://www.weis2013.econinfosec.org/papers/KrollDaveyFeltenWEIS2013.pdf 13:30 < petertodd> interesting! 13:31 < petertodd> IMO we're really going to need some sort of proof-of-stake system in the long run, but it'll inevitably involve a somewhat different security model 13:32 < jgarzik> Edward Felten is pretty well known author 13:32 < jgarzik> never heard of the others 13:33 < petertodd> funny, I'm not sure the authors realize the blockspace is a limited resource 13:35 < petertodd> the authors also don't grasp how difficult it is for SPV nodes to do anything other than put all their faith in PoW, or trust some central authority 13:47 < petertodd> their analysis of transaction fees also doesn't take into account that adding a transaction increases your chance of an orphaned block - IE there is a very real cost, albeit one that varies dramatically and has weird technological and size variables 13:48 < petertodd> re: orphans, given that higher hash rates == lower orphan rates, everything else equal, it implies the right strategy is pool consolidation to allow you to spend less on hardware to lower orphan rates 13:51 < gmaxwell> I'm not convinced that higher hashrate == lower orphans in any meaningful sense until you're at a consolidation level thats already invalidating the security assumptions. (e.g. 
one party with a third of the hash power) 14:11 < jgarzik> petertodd, The authors seem to think there is a fee market right now, missing the fact that most fees are paid due to hardcoded anti-spam limits 14:18 < jgarzik> "The only way to preserve the system?s health will be to change the rules, most likely either by maintaining mining rewards at a level higher than origi- nally envisioned, or making transaction fees mandatory." 14:18 * jgarzik rolls eyes 14:18 < gmaxwell> 0_o 14:18 < gmaxwell> well petertodd said they didn't sound like they knew that blockspace was a limited resource? 14:19 < jgarzik> gmaxwell, indeed, though I haven't reached that point yet 14:25 < gmaxwell> I can't resist giggling at "making transaction fees mandatory", but if you discard blockspace as a limited resource then I don't know that I could draw any better ones. 14:37 < jgarzik> When reading papers like this, I'm torn between the urge to thank academics for looking at bitcoin? or to flame them for inaccuracies 14:43 < amiller_> this paper gets the wrong euqilibrium analysis 14:43 < amiller_> mine is better 14:43 < amiller_> they basically ignore transaction fees altogether 14:46 < amiller_> rather than looking at how the presence of transactions with fees alters the equilibrium 14:46 < petertodd> well, what I did get from the paper was some math notation to use when I write a better one... :P 14:46 < petertodd> amiller_: link to yours? 
14:47 < petertodd> I suspect the overall trust of the idea that security costs money is a good point though - an attacker will spend less than the value they are destroying 14:47 < amiller_> https://gist.github.com/amiller/cf9af3fbc23a629d3084 14:47 < amiller_> this is by far the best paper i've seen on bitcoin analysis imo 14:48 < amiller_> they get more 'right' than anyone else so fa 14:48 < amiller_> r 14:48 < amiller_> for example focusing on a rational rather than honest model 14:48 < amiller_> looking at mining and competition rather than just, e.g., user anonymity 14:48 < petertodd> yeah, it's a 51% majority of rational nodes, not honest ones 14:49 < amiller_> it's still a sort of weak paper 14:49 < jgarzik> amiller_, it's full of hand-waving 14:49 < jgarzik> several statements along the lines of "this must be changed" without supporting evidence 14:49 < amiller_> really nothing they've said is terribly well supported 14:50 < amiller_> it's just a workshop paper 14:50 < amiller_> that's basically the equivalent of a forum post 14:50 < gmaxwell> It's still an example of the peer review model failing. 14:51 < gmaxwell> There are some pretty obvious derpy things that any of us could have said "uh, you at least should talk to Y" 14:52 < amiller_> academia moves really slowly 14:52 < amiller_> it's a good sign if a bunch of goofy grad students start writing papers on related things eventually better ones will come out 14:52 < petertodd> They could have said they are analyzing a cryptocurrency with a given set of properties, rather than talking about Bitcoin specifically... which is what they've done really. 14:52 < petertodd> We need common terminology for different models of cryptocurrencies for instance. 14:53 < petertodd> Their analysis is valid for something almost, but not quite, like Bitcoin. 
14:55 < petertodd> gmaxwell: re orphans, but we're already seeing pools with such a high hash rate that they are kinda invalidating the security model, modulo the fact that their users can in theory switch pools (weak I know) 14:57 < gmaxwell> yea, okay sure, I'll grant that.. but thats busted. I assume it'll change eventually. If nothing else sooner or later one of the pool compromises will do something unkind with the hashpower and it'll get cleaned up after the panic. 14:58 < Luke-Jr> I have my doubts 14:59 < petertodd> lets suppose though that, say, pooled-solo mode and auditing becomes popular or whatever: you'll wind up with the same centralization for higher profitability, without the obvious risks --- Log closed Fri Jun 21 00:00:05 2013 --- Log opened Fri Jun 21 00:00:05 2013 --- Log closed Sat Jun 22 00:00:07 2013 --- Log opened Sat Jun 22 00:00:07 2013 --- Log closed Sun Jun 23 00:00:10 2013 --- Log opened Sun Jun 23 00:00:10 2013 --- Log closed Mon Jun 24 00:00:12 2013 --- Log opened Mon Jun 24 00:00:12 2013 12:16 < HM_> Hmm 12:16 < HM_> seems to be common in ECC to take the x coordinate, mod n, of a point g1 to multiply it by another point g2 19:00 < HM> how do signed values even work 19:00 < sipa> they're stored as 2's complement 19:00 < sipa> so if the highest bit of the first byte is set, it's a negative vale 19:00 < sipa> but OpenSSL just parses everything as unsigned 19:02 < HM> sure, but how did these transactions get accepted ? 
19:02 < sipa> because OpenSSL parses everything as unsigned :)
19:02 < sipa> and every bitcoin full node has used OpenSSL to parse signatures
19:03 < sipa> that's what i mean with bug-by-bug conformance: every full node must mimic all 'errors' that OpenSSL allows, and no others
19:03 < HM> I don't follow, if they're always interpreted as unsigned then the first 1 bit means nothing
19:04 < sipa> imagine you want to store the value 0x9999
19:04 < HM> 0b10011001100110011001
19:04 < sipa> so the positive integer 39321
19:04 < sipa> the correct DER encoding is 0x009999
19:05 < HM> oh, I'm not familiar with DER
19:05 < sipa> as 0x9999 is interpreted as -26215
19:05 < HM> seemed like crufty nonsense to me
19:05 < sipa> well, that's the standard, and it's crufty indeed, but it's sane
19:06 < sipa> the problem is, because OpenSSL knows it expects an unsigned integer, even if you store 0x9999, it will interpret that as 39321 and not as -26215
19:06 < HM> how is it sane to encode a perfectly reasonable 2 byte unsigned value in 3 bytes with 1 useless 0x00 byte?
19:06 < sipa> because it is not an unsigned value
19:06 < sipa> DER doesn't have an unsigned integer type
19:07 < HM> why didn't Bitcoin just use 32 byte unsigned big endian byte types
19:07 < HM> that's pretty straightforward
19:07 < sipa> because Satoshi just used OpenSSL to encode/decode pubkeys/sigs
19:07 < sipa> and probably knew nothing about the encoding itself
19:09 < sipa> anyway: bottom line: every implementation _must_ accept 0x9999 as 39321, even though a standards-compliant DER parser would interpret that as a negative number, which would cause ECDSA to reject the signature as out of range
19:10 < HM> don't you mean it must accept 0x00 0x99 0x99
19:10 < sipa> it must accept both
19:10 < sipa> as OpenSSL accepts both
19:11 < HM> OpenSSL is broken
19:11 < sipa> it is not - it is a tolerant parser
19:11 < sipa> which tries to accept anything that makes sense
19:11 < HM> Why does it use DER if it interprets it as unsigned and DER doesn't have an unsigned type?
19:12 < sipa> well in a way it makes sense: "ok you give me this signature *parse* ok, syntactically correct. wait... this R value is negative? i don't expect a negative number here... let's assume you just missed a 0 byte in front"
19:13 < sipa> the only problem is that bitcoin passes signatures directly to OpenSSL
19:13 < HM> ick
19:13 < sipa> and thus made OpenSSL's implementation an implicit hardforking network rule
19:13 < HM> so basically you have to read the byte string and if it's not already zero padded, add a 0x00 byte
19:14 < sipa> by the way: we did use this 'oversight' to our advantage as well: it allowed a completely backward-compatible implementation of compressed pubkeys
19:14 < sipa> as every old node silently already accepted compressed pubkeys
19:15 < HM> using one oversight to correct another :P
19:15 < jgarzik> speaking of (somewhat)... petertodd already used 0x00 + 32 bytes for information purposes, so I think we should just do OP_DROP-as-standard
19:15 < jgarzik> i.e. purposefully invalid pubkey
19:15 < HM> compressed public keys made sense from the start
19:16 < sipa> jgarzik: i really dislike making something like that standard, but i have no problem with instant-pruning obviously-unspendable outputs
19:17 < jgarzik> interesting
19:17 < sipa> which was what he was asking for, i think
19:17 < jgarzik> a bit more limited than OP_DROP, but should suffice for per-transaction information purposes
19:17 < sipa> (make scriptPubKeys that start with an OP_RETURN insta-pruned)
19:18 < jgarzik> yeah
19:18 < sipa> 195k blocks verified
19:20 < HM> sipa: how is that AST idea for scripting going down?
19:20 < HM> along with P2SH
19:20 < sipa> HM: it exists
19:20 < sipa> in the abstract mathematical sense :p
19:21 < HM> anyone slapped together a grammar?
19:21 < sipa> roconnor and i have worked on something like that for a while about a year ago
19:22 < HM> any public documents?
19:22 < sipa> dunno
19:24 < sipa> we certainly never got to a point of defining a serialization, so i guess that'd count as 'no' to your question
19:26 < sipa> hmm, problem with such fast script verification: i can't get my parallel signature checking to use more than ~3 cores
19:28 < HM> i almost feel a register based script engine would suffice.
19:29 < HM> although long lists of pubkeys and such pose a problem
19:29 < HM> less flexible to expand as well
19:30 < sipa> 206k
20:02 < sipa> done!
21:06 < amiller> i'm learning to do proper semantics now
21:06 < amiller> with things that look like this:
21:07 < amiller> so i'm sure i'll have this sorted in no time
21:49 < gavinandresen> all righty . who has done what? I sent an alert to 0.8 nodes and tweeted, pointing to sipa's post on bitcointalk
21:49 < gavinandresen> gmaxwell: you sent email to the infrastructure list?
21:49 <@gmaxwell> Yes.
21:50 <@gmaxwell> Sorry it wasn't a great email, but I checked and one hadn't been sent; fast seemed better than perfect.
21:50 < gavinandresen> fast is good
21:51 < gavinandresen> I'm going to kiss the kids goodnight, and stop and take a breath. We'll need a web page explaining to people what happened / what is happening; either on bitcoin.org or I could post to the foundation blog
--- Log opened Mon Mar 11 22:50:36 2013
--- Log closed Tue Mar 12 00:00:39 2013
--- Log opened Tue Mar 12 00:00:39 2013
00:17 < HM> so, sipa... you were telling me about bug for bug compatibility ;)
00:30 < midnightmagic> HM: dude, terrible timing, lol
00:37 < amiller> there should be a meta format so miners can voluntarily provide better detail about hash power
00:37 < amiller> it's pretty cool that we can observe pools strength in closer to real time
00:52 <@gmaxwell> HM: I was too. Actually I wanted to take a moment to mock you, but it was too busy! :P
--- Log closed Tue Mar 12 02:59:43 2013
--- Log opened Tue Mar 12 11:11:38 2013
--- Log closed Wed Mar 13 00:00:19 2013
--- Log opened Wed Mar 13 00:00:19 2013
03:46 < jgarzik> <blueadept> Decentralized networks for instant, off-chain payments - https://bitcointalk.org/index.php?topic=152334.0
04:01 < petertodd> oh, is that guy for real?
04:01 < petertodd> I didn't bother reading that huge page - assumed he was a crank.
04:03 < jgarzik> petertodd: I skimmed a bit, but admittedly had RL kid craziness going at same time
04:03 < petertodd> Huh, well at least it's probably not obviously crazy.
04:03 < jgarzik> petertodd: mainly wanted to add it to the collective link collection
--- Log closed Thu Mar 14 00:00:21 2013
--- Log opened Thu Mar 14 00:00:21 2013
17:25 < jgarzik> Block #225430 chain fork dataset available - https://bitcointalk.org/index.php?topic=153170.0
--- Log closed Fri Mar 15 00:00:22 2013
--- Log opened Fri Mar 15 00:00:22 2013
00:17 < amiller> jgarzik do you know how i'd go about getting a dataset of all the work done at that time
00:17 < amiller> like shares from pools
02:02 < warren> didn't know this existed
02:02 < amiller> yeah
02:02 < amiller> it's the rocket science research central
02:02 < amiller> we're going to the moon
02:02 < jgarzik> not until amiller blabbed about it anyway ;p
02:03 < warren> and not logged, apparently
02:03 < amiller> this is more of a shunt away from #bitcoin-dev than an exclusive panel jgarzik :p
02:08 < amiller> it could be logged, no one has seen the need to bother
02:09 < amiller> i have logs if you want a copy
02:09 < amiller> warren,^
02:15 < amiller> good evening
02:15 < cads> 'sir
02:16 < amiller> also see pm
02:16 < amiller> i think you're barking up the wrong tree with the suggestions about AI but it's probably not important
02:22 < amiller> cads ah i'm not sure what question this really answered but i feel like linking to a bunch of papers on the topic of interstellar economics
02:22 < amiller> http://people.csail.mit.edu/rivest/fc97-paper.pdf
02:23 < amiller> first of all ron rivest made a short opinion piece at the first FC conference speculating how future money would be based on computational power and it would have a lot in common with voting
02:24 < amiller> i like a really famous old paper in distributed computing about protocols that scale arbitrarily well http://groups.csail.mit.edu/tds/papers/Lynch/jacm88.pdf
02:24 < warren> shamir?
02:24 < amiller> shamir what?
02:25 < warren> -dev mention
02:25 < amiller> http://eprint.iacr.org/2012/584.pdf
02:25 < amiller> this is a paper by shamir and a colleague dorit ron on an empirical analysis of bitcoin
02:25 < amiller> it was really lame because they didn't really answer any of the questions they posed and those questions weren't worthwhile in the first place >:|
02:26 < amiller> it has no theory or math or anything in it which is strange given that the authors are reputable academic crypto/math people
02:27 < amiller> still hopefully it's seen as 'breaking the ice'?
02:28 < amiller> the basic idea of partially synchronous networks is that there are some algorithms that work even if you don't know what the latency is across the whole network
02:29 < amiller> the basic technique is something like exponential backoff - no matter what the real latency is, you 'find it' eventually/quickly
02:31 < amiller> so you said something about wanting to understand the basic limits of global consensus
02:32 < amiller> also it's useful to think about space and long distances if it puts coping with big latency in scope
02:33 < amiller> otherwise you can fantasize about intercontinental network splits or whatever
02:33 < amiller> but a practical reason is that better dealing with latency also implies better use of more efficient networks in a normal environment
21:37 < jgarzik> <smooth> so i built a tip bot for irc cause jgarzik suggested it, but im discouraged by all these legal issues. i may not deploy it
22:49 < petertodd> interesting
22:49 < petertodd> can he at least release the code?
22:52 < gmaxwell> run it as a testnet thing for development perhaps?
22:53 < jgarzik> He already disappeared off #bitcoin, where that was said, before I had a chance to say hi
22:54 * jgarzik was thinking about writing one, testing on testnet, and open sourcing the code... but not running it
22:54 < jgarzik> with real money
22:54 < petertodd> Ha, we all want to not run it.
22:54 < jgarzik> and even on testnet, zero deposits periodically
22:54 < petertodd> Yup, lest testnet BTC suddenly have a value...
22:55 < gmaxwell> Right. I would expect limits on deposits and total value, and then someone in a favorable jurisdiction running it .. over tor. probably no problems, but I'm sure not going to do it.
22:55 < petertodd> I've been pondering TPM'd coins actually; would a remote attested private key swapping thing fall under FinCEN?
22:55 < gmaxwell> petertodd: god knows, we can probably find all kinds of regulatory corner cases very rapidly.
22:56 < gmaxwell> Testnet even is a funny example. Testnet is _clearly_ not money. not unless you want to call beanie babies money.
22:56 < petertodd> What's interesting there, is you can improve security of it by having central double-spend detection servers, yet those servers aren't "running" the scheme and you can have as many of them as you want.
22:56 < petertodd> gmaxwell: Yet the second testnet difficulty rises...
22:57 < gmaxwell> petertodd: well it can't, we broke it. Testnet difficulty can be warped back to 1 at any time.
22:57 < gmaxwell> It's fundamentally broken. :)
22:57 < petertodd> gmaxwell: Right, so agree on more testnet checkpoints and it's money again...
22:58 < petertodd> Or fix the timewarp bug...
22:58 < gmaxwell> not just that.
22:58 < gmaxwell> if you mine a 20 minute block at a mod 2016-1 point the diff gets reset to 1.
22:58 < gmaxwell> well, 1-4 depending on the timestamps.
22:59 < gmaxwell> (the retarget uses the prior block's actual difficulty)
22:59 < petertodd> Exactly, so if that bug gets fixed testnet can turn into money again on miner whim.
23:00 < gmaxwell> I suppose. But then why isn't my respect for you money? :P At some future whim I could convert it into bonds or something. :P
23:00 < petertodd> Anyway, my general point is it's good to have favorable legal rulings, but the law changes, and furthermore the interpretation of the law changes.
23:01 < petertodd> BTW you said you bought some TPM-capable hardware?
23:03 < petertodd> I was thinking of doing so too, and it'd be neat if we had what we had bought co-ordinated.
23:04 < jgarzik> TPM has an RNG too. Make sure to make use of that.
23:06 < petertodd> I dunno, I think RNG is easier than people make it out to be with yarrow and persistent applications.
23:06 < petertodd> For instance a perfectly reasonable RNG algorithm for something like a smartcard is to use a non-reversible counter with a secret seed.
23:07 < petertodd> *PRNG
23:07 * jgarzik was mainly thinking of its use to fill the kernel's entropy pool
23:08 < jgarzik> rngd will use TPM's RNG automatically, to do that
23:08 < jgarzik> then, /dev/[u]random are happier
23:08 < warren> I vaguely recall reading a paper about a smartcard that detected time-based attacks upon it by checking how much of SRAM had decayed into random bits during poweroff. I thought that was pretty clever.
23:09 < petertodd> warren: Interesting, although that'd make for an interesting testing problem at the factory.
23:09 < warren> I wondered at the time if that would be a good or bad way to get more entropy.
23:10 < petertodd> My point is, with secure storage you keep a pool that you are essentially adding entropy to the whole lifetime of the device, thus you don't actually need all that much, and it's perfectly reasonable for the factory to fill the pool with entropy per-device.
23:14 < warren> you're right, but you'd have to trust the factory
23:14 < petertodd> You already have to!
23:14 < warren> heh
23:15 < warren> Intel's new entirely digital hardware RNG is supposed to be pretty good. But the linux kernel developers don't trust intel, so they are feeding it as an input to the kernel prng instead.
23:16 < petertodd> As they should. Similarly software like Bitcoin shouldn't trust the kernel developers, and should feed their random numbers into our own PRNG
23:17 < warren> You're so screwed if you can't trust the kernel.
23:17 < petertodd> I proposed using the last privkey XOR /dev/urandom to create every privkey
23:18 < petertodd> oh, I forgot H(last privkey XOR /dev/urandom)
23:19 < petertodd> For Bitcoin PRNG mistakes are especially bad because the attacks can be done at leisure, so the usual standards of kernel development may not be enough.
23:21 < gmaxwell> petertodd: I already had a pair of X9SCL-F motherboards (i7 systems) which support the txt stuff but just need a tpm module. Getting actual TPM modules is hard. I found one which _may_ be compatible on ebay. I'll let you know when it shows up and I get a chance to test it.
23:21 < gmaxwell> warren: "trust but verify"
23:21 < gmaxwell> warren: if the kernel developers are malicious you're in trouble, if they make mistakes well no need for bitcoin to be utterly brittle to weaknesses in the kernel rng.
23:22 < petertodd> gmaxwell: Cool. Yeah my mobo is an Acer and supports TPM modules, but good luck finding one. I was thinking I might just get a thinkpad laptop w/ TPM.
23:22 < gmaxwell> I have one of those but I use it. :P
23:23 < gmaxwell> petertodd: if you go that route: lenovo outlet store.
23:23 < gmaxwell> (or ebay)
23:23 < warren> gmaxwell: lenovo outlet doesn't have awesome deals anymore like a year or two ago
23:23 < gmaxwell> aww
23:23 < warren> gmaxwell: 3 of 11 laptops I bought from outlet were lemons
23:24 < warren> I think they gave up on the customer service for that and just dumped all of them with 3rd party outlets.
23:24 < petertodd> Yeah, I've got a few options - every laptop I've ever owned has been an older used thinkpad from a corporate lease.
23:24 < warren> You'll see them on newegg outlet along with random other brands.
23:25 < gmaxwell> petertodd: perhaps buy a thinkpad with a broken screen on ebay. :P one advantage of using laptops for this sort of thing is that if you wanted to come up with a design which would be cryptoanarchist compatible they could strip the laptops down to nothing but the motherboard and embed them in stuff.
23:25 < warren> That and if you can find an IBM employee, their ibmepp code lets you buy Thinkpads often cheaper than outlet.
23:26 < petertodd> gmaxwell: For sure. TPM 1.2 can do remote attestation just fine, it's just the lack of the infrastructure to convince others that your attestation is correct, but with some standardization I suspect that can be worked around.
23:26 < petertodd> gmaxwell: The JavaCard smartcard standard seems to be able to do it too, but documentation is scanty.
23:27 < gmaxwell> separately from the bank stuff, a generic computational oracle would be interesting.
23:28 < petertodd> Yup. Not to mention secure remote servers are totally doable, especially if you add some anti-tamper sensors.
23:31 < gmaxwell> yea, well tampering can be made as hard as you like... make an anti-tamper nest of fine wires all around it and pot the darn thing... plus then it's waterproof too. :P
23:33 < petertodd> Two other good ones are to use light sensors plus *light sources* in the box, and wipe the keys if the amount of light returned ever changes from the expected, along with vibration sensors. For the latter your only limitation is earthquakes.
23:33 < petertodd> I live on top of four billion year old rock so earthquakes aren't such a big deal. :P
23:33 < jgarzik> RE RNG and feeding... it's not about trusting the kernel but the hardware. Easier to put a big lump of FIPS testing and other fun in userspace. Easier to balance between competing consumers of hardware RNG entropy, if its bandwidth is limited versus the application.
23:34 < jgarzik> a direct function call kernel->kernel isn't optimal for all situations
23:34 < jgarzik> including hardware RNG burp situation
23:37 < gmaxwell> petertodd: having something like accelerometer wipe and shutdown would be neat but kinda bad that you can never recover if someone just kicks it.
23:37 < jgarzik> gmaxwell: hah, neat idea
23:37 < gmaxwell> petertodd: I imagine it might be possible to drop a computer at the bottom of an abandoned gas well and fill it in. connected via fiber (both for power and comms) .... would be totally tamperproof.
23:39 < petertodd> gmaxwell: Depends on the threat model. Allegedly nuclear anti-proliferation sensors often are basically sealed computers in concrete filled holes, and seismic is an essential part of testban treaty monitoring anyway.
23:40 * jgarzik would love to see a modern day Johnny WifiNodeSeed
23:40 < jgarzik> toss them on rooftops, powered via solar
23:41 < petertodd> jgarzik: Ha, well my other hobby is cave exploration... maybe a microhydro turbine in a storm sewer? :P
23:42 * jgarzik wonders the size of the block header + largest transaction list seen to date
23:43 < jgarzik> having the full TX list can occasionally be more useful than just merkle root
--- Log closed Sat Mar 23 00:00:02 2013
--- Log opened Sat Mar 23 00:00:02 2013
18:43 < gmaxwell> petertodd: it seems to me that all this TPM everything (including hal's stuff) could all be converged on a single computational oracle model.
18:44 < gmaxwell> E.g. you write a TPM-program that takes an AST-program hashroot. And derives a program specific secret value H(AST-root||oracle_secret) and pushes that on its stack along with the time. .. and runs whatever program the user sends it.
00:20 < zooko> Like with Bitcoin-proper, we relieve some of the burden on the consensus system by asking it only to determine which of multiple conflicting signed statements to honor, instead of
00:20 < zooko> asking it to speak for everyone.
00:20 < zooko> Right?
00:21 < zooko> In the same way that Bitcoin doesn't ask the global consensus to determine everyone's account balance, but only to choose which spend to honor when there are conflicting spends.
00:21 < petertodd> Ok, but let's rephrase that: Bitcoin is a consensus system, and for every unspent txout (the key!) it assigns a value (what transaction spent it!)
00:24 < zooko> Ok.
00:24 < zooko> But those keys are use-once.
00:25 < Luke-Jr> add a version number to the key name, and voila
00:26 < petertodd> Sure, but lots of key-value maps are set once, doesn't make it not a key value map.
00:31 < zooko> Luke-Jr: I don't quite see what you mean.
00:31 < zooko> petertodd: I didn't mean it isn't a key-value map...
00:32 < Luke-Jr> zooko: version 0 of a key is the first time it's set; version 1 overrides that to set it a 2nd time, etc
00:32 < zooko> So, maybe this is what Luke-Jr was getting at, if you have this set-once kind of thing, you can always use it as a set-many kind of thing by every time you set the set-once key, the value has the next key bundled into it.
00:32 < Luke-Jr> that's an option too
00:32 < Luke-Jr> I'd just make it deterministic :P
00:33 < Luke-Jr> "next key bundled into it" is arguably what Bitcoin does :P
00:33 < zooko> Yeah!
00:33 < petertodd> Exactly, and as jdillon pointed out, you can make an updatable key-value store that way: https://bitcointalk.org/index.php?topic=186264.msg2037810#msg2037810
00:33 < petertodd> Of course, he pointed that out because he wants to show that raising the blocksize limit is madness...
00:34 < Luke-Jr> right now*
00:34 < petertodd> Luke-Jr: correct, *removing* the blocksize limit
00:35 < petertodd> zooko: jdillon is the same guy that timestamped 50K PGP fingerprints into the blockchain to prove a point
00:36 < Luke-Jr> petertodd: glare at him for me
00:36 < Luke-Jr> if you want to prove a point, testnet is the place for that -.-
00:37 < petertodd> anyway... his underlying idea there is sound, the key-value system now called zookeyv that I outlined basically takes that simple structure and makes it efficient, and importantly, gives incentives to not hide your actual keys and values
00:37 < zooko> petertodd: heh heh
00:38 < zooko> So is your "zookeyv" design using the technique of bootstrapping set-once keys to get effectively set-many keys?
00:38 < petertodd> well... very roughly speaking kinda
00:39 < zooko> I don't understand why it is important to disincentivize hiding keys and values.
00:39 < zooko> Or... or what "hiding" could mean here.
00:39 < petertodd> It's more that we can attach a value to those set-once keys, to decide *which* set once key is now canonical, and instead of values being keys directly, they're block headers
00:41 < petertodd> Oh, and the key, that's actually the previous block(s) in the dag
00:41 < zooko> Hm.
00:41 < zooko> I didn't follow that last bit.
00:41 < zooko> There is never a question about which set-once key is canonical, if
00:41 < zooko> you already have a global consensus system to resolve conflicting claims about that from the controller of the key.
00:41 < zooko> Right?
00:42 < zooko> And what's a block header?
00:42 < petertodd> Well, let's suppose we have an updatable set-once key, as Luke described.
00:42 < zooko> Actually I didn't understand that.
00:42 < zooko> The version I described, in which you have a key that can really be set at most once
00:43 < zooko> and then whenever you set it, you set it to a tuple of (value, new-key).
00:43 < zooko> That I understand.
00:43 < petertodd> Basically he's just saying that if your keys follow the convention key-1, key-2, key-3 then you basically *do* have a set-more-than-once key-value map.
00:43 < zooko> (By the way, it dovetails with a thing called "Guy Fawkes Protocol".)
00:43 < petertodd> (assuming consensus about the current set of all k-v pairs)
00:43 < zooko> But, that's, but,...
00:43 < petertodd> Bitcoin has consensus about the state of the txout set.
00:43 < zooko> Someone who didn't control key-1 could set a value for key-2.
00:44 < petertodd> Sure, but what if we look at the whole set of those keys, and decide which one is canonical based on a PoW?
00:44 < petertodd> Which is what the blockchain kinda does...
00:45 < zooko> Um.
00:45 < zooko> Okay, "what if". My answer is, it might not work, might be complicated and dangerous, and also why would we want that?
00:46 < zooko> The thing where you set-once key1
00:46 < petertodd> Do you understand how the Bitcoin blockchain itself is basically one such key value system?
00:46 < zooko> would be secure.
00:46 < zooko> I think so.
00:47 < petertodd> Good. Now let's replace the proof-of-work, with proof-of-sacrifice.
00:47 < zooko> So, like I was saying earlier, it seems wise to ask as little as possible from a global consensus system.
00:47 < petertodd> (tied to Bitcoin)
00:47 < petertodd> Sure, but we only have one good global consensus system, and that's Bitcoin, so build on it.
00:47 < zooko> Instead of asking Bitcoin-proper what each person's balance is, we ask it only to reject N-1 double-spends.
00:47 < petertodd> That's irrelevant to zookeyv
00:48 < zooko> Likewise, instead of asking it to decide whether key-1 and key-2 both belong to the same "owner" or authority sphere or whatever, let's just ask it to choose at most one of the "set-once" operations authorized by key1.
00:48 < zooko> Then let's use key1 (value1, key2) to tie key1 to key2.
00:48 < petertodd> Sure, but step back for a minute....
00:49 < petertodd> Let's suppose you had a Bitcoin blockchain, where instead of the hash-based proof of work, you decided on what was the blockchain based on
00:49 < petertodd> Bitcoin sacrifices.
00:49 < zooko> I don't see why it matters how the global consensus system decides.
00:49 < zooko> Although, I'm interested in the Bitcoin sacrifices idea!
00:49 < petertodd> It matters a heck of a lot because we have to build the damn thing...
00:50 < zooko> But I don't see why it matters for this.
00:50 < zooko> Hrm.
00:50 < petertodd> Anyway, point is, so you can make a blockchain where the best chain is picked by proof-of-sacrifice.
00:50 < zooko> Okay.
00:51 < petertodd> Now, the transactions that actually sacrifice funds, you can "mark" them in such a way that by examining the Bitcoin blockchain you can be sure to know about every such sacrifice.
00:51 < zooko> Haha! Security firedrill. Hilarious.
00:51 < zooko> Sorry.
00:51 < petertodd> (essentially there is global consensus on what sacrifices have been made for this PoS blockchain)
00:51 < petertodd> lol
00:51 < zooko> Distracted by that...
00:52 < zooko> Okay, so I think I understand... for example, you could spend to an address which is all 0 bits.
00:52 < petertodd> Now because of that consensus, you can be sure that *if* a sacrifice was made to add a block to the chain, you at least know that happened, if not what the contents of the block actually were.
00:52 < zooko> Ugh, I'm sorry, I missed a step again.
00:52 * zooko thinks.
00:53 < zooko> I still don't understand why it matters whether the consensus system that provides the set-once key-value pairs is PrOW or PrOSa. But I'm still interested in PrOSa.
00:54 < petertodd> Again, strictly speaking, it doesn't, but to actually make one, PoS is a *much* better option.
00:54 < zooko> Okay, so to help me understand, let's move back to more like normal Bitcoin.
00:54 < petertodd> Namecoin is k-v via PoW remember
00:54 < Luke-Jr> PoS = proof of stake
00:54 < zooko> Or something else that I find more familiar.
00:54 < Luke-Jr> petertodd: namecoin's k-v is proof of sacrifice
00:55 < petertodd> Pff, proof-of-stake == PoT, because that's what its proponents are usually smoking
00:55 < Luke-Jr> lol
00:55 < petertodd> Luke-Jr: No, I mean the namecoin blockchain itself, not how you buy a name on it.
00:55 < Luke-Jr> oh
00:56 < petertodd> zooko: Well, I am talking about something like normal Bitcoin...
00:57 < petertodd> I'm describing how in my zookeyv system we determine what is the state of the blockchain.
01:00 < zooko> petertodd: okay, so suppose we have some way to achieve global consensus on a "blockchain",
01:00 < petertodd> see, you're talking on a level different than what I'm talking about
01:00 < zooko> where the relevant thing about a "blockchain" for this purpose is that a blockchain doesn't contain any conflicting set-once's for any key.
01:01 < petertodd> ok
01:01 < zooko> Am I on the right track so far?
01:01 < petertodd> Not really
01:02 < petertodd> You're getting hung up on what you do with the keys and values, not how you decide them.
01:02 < zooko> Ah yes.
01:03 < zooko> So, what do you mean "how you decide them"? But don't tell me (yet) about how you would implement it!
01:03 < zooko> Instead tell me what properties it would have.
01:03 < zooko> Who gets to choose what the set-once value for key1 will be?
01:04 < petertodd> But see, zookeyv's underlying model allows for a whole bunch of ways to implement the deciding bit depending on what your problem is.
01:04 < zooko> By "who gets to choose", I hope to be getting at what you were talking about -- how you decide them.
01:04 < zooko> You mean a whole bunch of ways to determine who gets to choose the value for key1?
01:05 < petertodd> No, a whole bunch of ways to decide what the key-value mappings are.
01:05 < zooko> Isn't that the same thing?
01:05 < petertodd> What's more interesting, is how do you do the mappings on top of Bitcoin.
01:05 < petertodd> Because once you have one key-value mapping, you can build upon that to do all kinds of ones.
01:05 < petertodd> (specifically one set once key-value mapping)
14:49 < CodeShark> maaku: the wright brothers didn't even understand swept wing designs or the fundamental subsonic limitations of propellers
14:50 < CodeShark> point is, Satoshi surely missed many things, too
14:50 < adam3us> CodeShark: thought experiment: if ltc got real transactions, overtook btc in market cap, and then perhaps btc users dump btc to buy ltc causing a btc price crash; then ltc users notice ftc catching up with its market cap - next thing you know people lose confidence in the asset class of digital scarcity and turn the whole thing into a digital tulip
14:51 < adam3us> CodeShark: I don't want that outcome. alts must die. use bitcoin-staging to try useful new params or features.
14:51 < CodeShark> anyhow, I'm not going to get sucked into a religious debate
14:52 < CodeShark> alts are inevitable - we must learn to cope with them. they won't die
14:53 < adam3us> CodeShark: i am just saying alts are stupid and maybe even dangerous.
14:53 < CodeShark> the same decentralized nature of the technology which makes bitcoin so hard to kill makes alts hard to kill
14:53 < adam3us> CodeShark: I think most of the pump & dumps will die soon enough. they have no intrinsic value because there are no transactions. eventually they die
14:54 < adam3us> CodeShark: bitcoin has first mover advantage - big intrinsic value, infrastructure and stored-value; the alts are abuses trying to make-money-fast with param-tweaks, 99% of them.
14:54 < CodeShark> the core technology is agnostic to these parameters - the core technology consists of a decentralized timestamping mechanism using proof-of-work
14:55 < CodeShark> you can think of alts as simply param tweaks on bitcoin - I see it a different way - I would like to see the decentralized timestamping mechanism Satoshi invented applied to many problems
14:55 < adam3us> CodeShark: if you like analogies its like the wrong brothers came along and cloned the wright brothers plane and painted it blue and then tried to claim they invented or profit from the wright brothers work
14:56 < CodeShark> I think the original bitcoin client isn't sufficiently modular and flexible
14:56 < adam3us> CodeShark: "look at my blue plane".... its "BLUE" so its like cool and stuff, please mine it and make me money fast :)
14:56 < adam3us> CodeShark: so work on making it modular and flexible
14:56 < CodeShark> I have been :)
15:01 < CodeShark> adam3us: my motivation here is not making money fast - my motivation is seeing this technology evolve
15:02 < adam3us> CodeShark: ok, me too. i think the best for that to happen is bitcoin-staging with 1:1 peg. BlueMatt & gmaxwell had a plausible argument that a 1:1 peg maybe possible
15:02 < adam3us> CodeShark: the one change to rule them all as greg put it
15:03 < adam3us> CodeShark: it allows btc denominated (21 million coin cap preserving) alts or beta-coins
15:03 < jtimon> adam3us 1:1 is possible but very inconvenient
15:04 < adam3us> how so?
15:04 < jtimon> why would you make bitcoin's security depend on another chain?
15:04 < adam3us> jtimon: i think its fantastic; thats the clever part - only the coins moved are at risk
15:05 < jtimon> well, the whole altchain is at risk if the validity of its transactions depend on bitcoin's chain
15:05 < jtimon> a reorg in one can cause a reorg in the other
15:05 < nsh> depends on the nature of the dependency :)
15:06 < jtimon> sure
15:06 < adam3us> jtimon: yes. but it seems unlikely for the mid-term that an alt will be more secure than bitcoin; and most alts are also uninteresting - no tx, and no intrinsic value
15:06 < adam3us> jtimon: i think a reorg in the alt is designed not to do anything to btc; eg like mining a long conf time
15:06 < jtimon> that doesn't say anything in favor of a bitcoin-pegged currency
15:07 < adam3us> jtimon: most of the thinly veiled excuses for alts are "oh the innovation" (like param tweak or hash function swap)
15:07 < adam3us> jtimon: so if they can peg to btc, then they have no excuse, they can do the innovation or go away
15:07 < CodeShark> alts are just tinkering with parameters that a sufficiently modularized technology would allow you to freely tweak anyhow
15:08 < jtimon> I don't see how a bitcoin-pegged currency will prevent stupid people from doing and saying stupid things
15:08 < adam3us> jtimon: yes but they wont be starting a digital scarcity race and no one will risk btc in them, so its less wasteful and less dangerous
15:09 < jtimon> I disagree with your "digital scarcity" argumentation
15:09 < jtimon> you can innovate in your own testnet, you don't need a btc-pegged currency nor an altcoin for that
15:11 < CodeShark> the genie is out of the bottle
15:11 < nsh> hell, these days you can simulate an entire operating economy with some EC2 instances and historical transaction data
15:11 < CodeShark> regardless of whether or not alts are dangerous to bitcoin, they are inevitable
15:12 < jtimon> agreed
15:12 < nsh> network protocols are inevitable too, yet here we are on tcp/ip(v6) :)
15:12 < nsh> (unfortunately)
15:13 < jtimon> and a btc-pegged altcoin changes nothing with respect to the rest of altcoins
15:14 < jtimon> I think we just need more time and people losing ridiculous amounts of money by speculating in altcoins for the fever to pass
15:14 < adam3us> jtimon: it shows them for what they are - pump & dumps or they would use btc-peg (unless they are actually experimenting with the distribution model itself, like freicoin)
15:15 < jtimon> I think the btc-pegged altcoin is a bad idea and I'm still missing how it is supposed to change in any way the perception on altcoins
15:15 < jtimon> why would they use btc-peg?
15:16 < jtimon> that's not better, is worse
15:16 < jtimon> technically
15:16 < jtimon> an unnecessary burden
15:16 < adam3us> jtimon: ok say someone wanted to implement freimarket extensions to make them available to bitcoin scripting.
15:17 < jtimon> cool
15:17 < adam3us> jtimon: they could do that using dogecoin or btc... you choose
15:17 < adam3us> jtimon: (and i like freimarket script extensions a lot... a couple of them i thought about before i saw it, very elegant and minimal!)
15:17 < jtimon> the hardfork on btc is much more difficult
15:18 < jtimon> so I think altcoins will have it first
15:18 < adam3us> jtimon: thats the point of bitcoin-staging and btc-peg. make that hard fork, then other hard-forks can happen in pegged-alts
15:18 < jtimon> probably freicoin first, then a freicoin-without-demurrage fork or several of them...
15:19 < adam3us> jtimon: thats why i said gmaxwell called it the one change to rule them all - its literal, other forks dont need forks after that
15:19 < jtimon> just like can happen in non-pegged alts much more easily I still don't see the point
15:20 < jtimon> the whole pegging stuff is a burden in your design I don't see what it adds other than calm some of your "digital scarcity" fears
15:20 < adam3us> jtimon: the point is where would you rather have freimarket extensions available in bbqcoin or to btc users
15:21 < jtimon> to all users
15:21 < jtimon> but are bbq devs going to rebase their code?
15:21 < jtimon> maintain it?
15:21 < adam3us> jtimon: no really the original motivation is the unfortunate conflict between the need to be careful with btc changes, to preserve value, and the desire to implement known useful improvements
15:22 < adam3us> jtimon: bbq are a joke, thats my point; it'll probably flame out at some point when the dev gets bored and it breaks
15:22 < jtimon> I understand the motivation, I just disagree that your proposed solution helps in any way or that altcoins are really a problem
15:23 < jtimon> many people involved in altcoins haven't seen altcoins die yet
15:23 < adam3us> jtimon: give it time. quite a few have died already in flame outs and peter outs
15:24 < jtimon> after a couple of them die in their hands they will think twice before speculating on the next proprietary altcoin
15:24 < adam3us> jtimon: btw i mean param-tweak alts... should distinguish - i am using alt as short hand for things like bbq coin and doge coin
15:24 < jtimon> they're all alts
15:24 < pigeons> probably the first ones WEEDS, 100% premined only tx fee currency, and beertokens, backed by 1 bottle of beer, have died
15:25 < jtimon> I think "backing" is a bad idea in general
15:25 < jtimon> for money
15:26 < pigeons> yes, but fun thing is you can prove something is a good or bad idea eventually
15:26 < jtimon> a year from now, there will be articles with a long list of dead altcoins
15:26 < warren> it's hard for them to die
15:27 < jtimon> well, most of them are zombies as currencies anyway
15:27 < pigeons> anyway the client multicoin that sacarlson used by forking bitcoin and pulling out the parameters into config files was used by later altcoins like tenebrix and fairbrix which eventually brought litecoin even though at that point litecoin decided to fork from bitcoin again
15:28 < jtimon> yeah, multicoin was an interesting project
15:28 < pigeons> he was starting to work on plugin modules for things like difficulty adjustment filters as that started to get more complex than just changing static numbers, but then he got a real job
15:29 < pigeons> and bitcoin is kind of less interesting now that its big bucks for some
15:29 < pigeons> but for some people that makes it more interesting
15:32 < pigeons> i think a focus on decentralizing mining would be a good niche for an altcoin. i guess the tools are all there with GBT, and there are example models such as p2pool with real data to look at
15:53 < jtimon> kind of off-topic but...does anyone know if the rumors that say coinbase uses mongoDB as their primary store for financial transactions are true or not?
16:07 < nsh> jtimon, i am relatively confident they are true or not, yes
16:08 < jtimon> yeah true or not, that's what I thought
16:08 < nsh> it's always the way...
16:08 < nsh> damn you aristotle. damn you to hell...
21:49 < cfields> warren: the thing about that change, is that it affects lots of leveldb in tiny tiny ways
21:49 < gmaxwell> cfields: we should probably do some testing of level db where we fill the source code with if(atoi(getenv("diehere"))==linenumber)exit(1); and then run in a loop syncing the testnet chain and picking random numbers to die on then restarting and making sure it continues.
21:51 < cfields> heh
21:52 < cfields> gmaxwell: are you after a test for this one in particular? or general leveldb badness?
21:52 < gmaxwell> well, I always suspect more badness once some is found. :)
22:24 < cfields> heh
22:25 < cfields> gmaxwell: leveldb has a pretty extensive test-suite. I'm really not sure we could catch anything that they miss
22:26 < cfields> in your example above, looping their corruption test as long as syncing testnet would probably give the same result
22:26 < gmaxwell> cfields: well, you found bugs by inserting sleeps and killing it .. :)
22:27 < cfields> heh
22:27 < cfields> gmaxwell: actually, that does raise an interesting point
22:28 < cfields> a bash script to continuously send STOP/CONT to bitcoind could be interesting
22:30 < cfields> i don't know enough about the underlyings of those to know how much (if at all) that could simulate outside-world interference. loss of net connections, closed files, etc
22:33 < gmaxwell> mostly I want to detect cases where a sudden power off would leave the system in an unrecoverable state.
22:41 < cfields> i'm unfamiliar with what is allowed to finish after a SIGKILL. How close does that come?
22:41 < gmaxwell> a real test would be to create a special log structured block device that allows you to mount the log at any write along its history and continue from there.
22:42 < gmaxwell> sigkill is probably close enough to be interesting but just randomly sending sigkills is not because it doesn't get good coverage.
22:42 < gmaxwell> (and thats a test I've already done)
22:42 < cfields> gmaxwell: in any case, if it's important enough to you, i have dozens of small arm dev boards here that i'd be happy to setup for automation
22:42 < gmaxwell> e.g. 99% of the time you kill it doing nothing.
22:43 < cfields> though iirc you mentioned you have them at your disposal as well recently
22:43 < gmaxwell> yea, I have a couple pandaboards. that I mostly use for continuous integration testing for code stuff, (e.g. arm simd)
22:44 < cfields> oh, right, i forgot to wtf you on that
22:44 < cfields> you build natively on those things?!
22:46 < gmaxwell> cfields: sure, on codec stuff the compile time is insubstantial compared to the actual tests.
22:46 < gmaxwell> and if something breaks self hosting is much easier to work with than using a remote debugger.
22:46 < cfields> interesting
22:47 < gmaxwell> I wouldn't want to work with bitcoin on them in that way... just because bitcoin takes a long time to compile (though, as you noted I did indeed compile bitcoin on one of them the other day)
22:47 < cfields> i guess i've gotten so used to remote debugging that the idea of debugging on embedded would never enter my mind
22:48 < cfields> though i suppose that really doesn't make much sense, considering their speeds these days
22:48 < cfields> "back in my day..." and all that :)
22:52 < gmaxwell> yea indeed, well I was there too at one point.. but when I started dealing with dual core 1ghz embedded devices...
22:53 < cfields> one of my first embedded projects was porting xbmc (and its ~50 dependencies) to a 400mhz mips SOC
22:54 < cfields> unfortunately, i think that mentality has stuck with me
23:07 < warren> cfields: did you submit the memory barrier thing anywhere?
23:07 < warren> cfields: given that it isn't wrong and it seems to have done something, perhaps more eyes ...
23:10 < cfields> warren: heh, it must be torture inside your head :)
23:12 < cfields> doing now
23:27 < cfields> warren: https://code.google.com/p/leveldb/issues/detail?id=218
23:34 < warren> cfields: thank you
--- Log closed Thu Nov 28 00:00:00 2013
--- Log opened Thu Nov 28 00:00:00 2013
--- Day changed Thu Nov 28 2013
05:52 < gmaxwell> nice numbers on my display here: high: 1100.00 low: 1001.00
06:01 < TD> amazing
06:01 < TD> heh. someone sent me a fee-less transaction yesterday. it took about 22 hours to confirm. seems like that's the normal waiting period at the moment.
06:02 < TD> for low-pri transactions (it was a return to sender kind of thing)
06:15 < Luke-Jr> sounds reasonable
06:16 < gwillen> I've been telling people "typically not more than a day", although I imagine that won't stay true forever
06:21 * TD remembers when all transactions were free and confirmed immediately
06:22 < warren> and unicorns were $2.99/lb
06:23 < TD> more evidence bitcoin is taking off in china - the number of emails i'm getting in broken english from chinese people with questions or who are trying to use bitcoinj, up infinity%
06:23 < gmaxwell> ::shrugs:: I did a zero fee transaction last week that confirmed in under two minutes.
06:23 < TD> yeah. priority is a good thing.
07:44 < warren> http://www.coinchoose.com/charts.php
07:44 < warren> what the heck is QRK
07:45 < _ingsoc> That's "Quark Coin", whatever the heck that is.
07:45 < gmaxwell> I would guess something called "quark"
07:46 < _ingsoc> "Quark Coins are based on the original idea of Bitcoin but improved, more secure, with improvements to design and security."
07:46 < _ingsoc> Where have I heard that before? :/
07:47 < gmaxwell> apparently "more secure" means some @#$@ed up homebrew pow function
07:48 < gmaxwell> ... with 30 second blocks.
07:48 < gmaxwell> so they have a really slow custom pow, and really fast blocks.
07:48 < gmaxwell> and they call this more secure.
07:48 < _ingsoc> And bad grammar, don't forget the grammar!
07:49 < gmaxwell> and ... seem to have no source code?
07:49 < _ingsoc> That's too complicated for the users!
07:49 < gmaxwell> oh there it is.
07:49 < Emcy> legit question, how many 3 letter contractions can there be
07:49 < gmaxwell> almost as hard as finding the bitcoin source. :P
07:49 < Emcy> and can we hope that the tide of altcoins will recede after theyre all taken
07:49 < gmaxwell> lots once you use greek
07:50 < _ingsoc> Soon we will move to a new suffix, like how Zerocoin will be Zerocash.
07:50 < _ingsoc> Wait, that won't change anything.
07:50 < Emcy> gmaxwell fratcoin?
07:50 < Emcy> by bros for bros
07:51 < _ingsoc> Max Keiser said someone should make Keisercoin.
07:51 < _ingsoc> Watch it happen.
07:51 < Emcy> cosbycoin happened
07:51 < gmaxwell> _ingsoc: oh, have they actually made public the zerocash name?
07:51 < _ingsoc> He only said they're thinking about calling it that.
07:51 < _ingsoc> Does he have beef with you guys somehow?
07:52 < gmaxwell> Who?
07:52 < _ingsoc> Matt Green.
07:53 < Emcy> no one exactly shitted on zerocoin v1 did they
07:53 < gmaxwell> Not as far as I know, I had a pleasant conversation with him. He asked me if I'd be willing to work on his thing, I told him I would, after chatting a bit. He said he'd send the paper, hasn't done so.
07:54 < _ingsoc> How do I talk you into something like that?
07:54 < gmaxwell> then he started posting tweeting bragging about it, which I found a little .. unfortunate, because I don't think he's being completely frank about the tradeoffs involved, but I feel a little hand tied because I don't want to go blabbing the details of their system.
07:54 < _ingsoc> Do I need to go get a professorship and a Twitter account? :(
07:56 < gmaxwell> _ingsoc: well, as I said before, I don't think most of the alt ideas are actually interesting. The zero cash stuff is, well, except for some of the limitations. But ignoring them it's a material improvement over what we have in bitcoin.
07:57 < _ingsoc> That's fair enough. In any case, your efforts are very much needed on Bitcoin specifically.
07:57 < gmaxwell> well because of some of the limitations I don't expect the zerocash alt to actually be a long term success, but it would be a useful science project.
07:58 < _ingsoc> There are so many interesting ideas to explore, and it's a pity we can't find more people to do it. The money is there, even though you guys demand a pretty penny nowadays. You just need the right model and you'll attract lots of new people.
07:59 < Emcy> perhaps he thinks the best way to get it implemented in bitcoin is via external market pressure
07:59 < Emcy> rather than try and wade thru the internal politics
08:01 < Emcy> assuming he thinks ZCv2 is good to go too, they were pretty triumphant about v1 and it was actually completely impractical right now
08:01 < gmaxwell> not only was ZCv1 impractical, but you see how quickly its being replaced by something much better.
08:05 < Emcy> yeah. If such efficiency gains as 98% as claimed were possible, i wonder why they announced the first time.
08:05 < Emcy> assuming its incremental and not some sort of huge re-innovation
13:10 < n0g> I told all my friends that I hang around the BTC devs.. *so proud*
13:10 < n0g> I love you guys.
13:10 < n0g> :D
13:10 < n0g> You make me a celebrity overnight..
13:10 < Einz> lol
13:10 < n0g> LOL
13:21 < jrmithdobbs> cfields: I used a one liner and run it. Stuffed service names in an array and used $RANDOM to decide which instance and which signal (stop, cont, term, kill, int) .. It's two lookup tables and sv ${sigtbl[$(($RANDOM % 5)) ]} ${svtable[$(($RANDOM % 6))]} in a sleep $(($RANDOM % 90)) loop
13:22 < jrmithdobbs> cfields: It's zero work using the right tools. ;p
13:23 < jrmithdobbs> If you don't like the lcw/mcw (I forget which bash uses) provided by random you can $(myfunc_that_printfs_dev_random)
13:28 < jrmithdobbs> cfields: Like gmaxwell said though, such tests don't give good coverage/repeatability even when there's a known issue that test will eventually trigger ...
--- Log closed Fri Nov 29 00:00:17 2013
--- Log opened Fri Nov 29 00:00:17 2013
16:34 < TD> one of the guys who worked on it said that people associated with the NSA kept making suggestions during the spec process that sounded reasonable to non-experts, but actually broke the security
16:36 < petertodd> TD: it's a good thing we've never run into that problem with Bitcoin
16:37 < jrmithdobbs> gmaxwell: we don't know for sure but we know they're actively targeting specs now why wouldn't they have been 15-30 years ago while the others were written? Who's to say we haven't ignored some of their infiltration as simple mistakes/advancements on the state of the art
16:38 < gmaxwell> TD: hard to know for sure, since even honest experts make suggestions with bad security here and there.
16:38 < maaku> petertodd: that we know of
16:38 < jgarzik> anybody gonna be in DC next week?
16:38 < TD> yeah i dunno what to make of the ipsec allegation
16:38 * jgarzik decided to attend, on short notice
16:39 < TD> you'll watch live?
16:39 < petertodd> jrmithdobbs: the NSA aren't omniscient, even they probably don't know how to write useful backdoors into a lot of the core algorithms due to constraints on the math; I understand that no-one has ever come up with a plausibly backdoored hash function with the same type of construction as SHA256 for instance.
16:39 < jrmithdobbs> TD: the ipsec allegations are plausible but don't matter, we know it's broken by design ("we" being anyone familiar with the crypto who has actually tried to implement it) for a while now
16:39 < TD> i don't know much about ipsec so i'll take your word for it
16:39 < jgarzik> TD, dunno :) If it's not open to the public, that's the only alternative.
16:40 < petertodd> maaku: those merkle mountain ranges even sound dangerous
16:40 < jrmithdobbs> TD: the interesting question is was its design broken by infiltration of the process or by the fact that its process was design by committee in the first place? ;p
16:40 < gmaxwell> jrmithdobbs: there are a lot of IETF protocols that are uselessly complex. Some of them get implemented none the less (e.g. SIP)
16:40 < TD> i'm not a big fan of designing specifications by committee
16:40 < jrmithdobbs> me either
16:40 < TD> but then again designed by individual doesn't always work either
16:41 < jrmithdobbs> and tls and ipsec are the best examples of it failing
16:41 < TD> e.g. jabber "xml is fashionable let's use that"
16:41 < TD> tls wasn't designed by committee, right. it's basically SSL which was designed by a few guys at netscape
16:41 < jrmithdobbs> which is why i said tls not ssl
16:41 < jrmithdobbs> the extensions were all by committee
16:41 < TD> ah ok
16:42 < TD> gavinandresen has some fun stories about when he worked on standardising VRML
16:42 < gmaxwell> TD: most IETF documents are the work of one or two authors. E.g. in the case of jabber the thing was dropped half way fully formed (including the trendy XML) right on the IETFs doorstep. IETF generally works more like peer-review than a design committee.
16:42 * TD remembers the 3D shark vrml demo
16:42 < Luke-Jr> gavinandresen is to blame for VRML?
16:42 < TD> yeah sure, jabber started as jeremie millers pet project and went from there
16:43 < maaku> I'd much rather someone here take a few months to design IPSec-done-right, we implement it, use it, and standardize after the fact
16:43 < jrmithdobbs> and now it's jeremie millers' pet project as deployed by google
16:43 < jrmithdobbs> basically
16:43 < jrmithdobbs> ;p
16:43 < TD> it did pretty well yeah
16:43 < jrmithdobbs> (bleh xmpp)
16:43 < TD> maaku: what does done right mean?
16:43 < Luke-Jr> XMPP is better than the alternatives, at least.
16:44 < maaku> TD: secure by default, easy to understand and use, hard to get wrong
16:44 < petertodd> maaku: secure against what type of attacker?
16:44 < gmaxwell> maaku: there have been a bunch of proposals, but really done right is not the right objective. The right way of doing it doesn't work because it doesn't get past the enormous installed base of nats and firewalls.
16:44 < jrmithdobbs> maaku: the problem with ipsec is it tries to solve 10 different problems and ends up doing so very poorly because of it
16:45 < gmaxwell> maaku: personally I'm a fan of TCPcrypt: http://tcpcrypt.org/ (though I wish it were using curve25519)
16:45 < jrmithdobbs> we have replacements for each individual component of ipsec ... just not at the transport layer
16:45 < jrmithdobbs> where it would be, you know, useful
16:45 < maaku> cool i didn't know about tcpcrypt
16:46 < jrmithdobbs> gmaxwell: what is that *curve one someone released recently that's similar to sctp (iirc)
16:46 < jrmithdobbs> based loosely on the dnscurve work iirc
16:47 < jrmithdobbs> curvecp!
16:48 < Luke-Jr> gmaxwell: isn't it builtin to IPv6 already?
16:48 < jrmithdobbs> there was a revision or alteration of it by someone else more recently (maybe @tarcieri) but I can't find the name/project i'm thinking of specifically
16:48 < gmaxwell> Luke-Jr: "lol"
16:48 < petertodd> Luke-Jr: nope
16:50 < phantomcircuit> iirc ipsec is required of ipv6 but nobody is actually implementing it that way
16:50 < TD> yeah stuff like tcpcrypt is great
16:50 < TD> i think that's the right approach
16:50 < phantomcircuit> also ipsec is crazy complicated
16:50 < jrmithdobbs> ipsec is worthless
16:50 < TD> the shared secret thing is interesting
16:50 < jrmithdobbs> (says probably the only person in the country that had a working transport mesh network setup in his house for the longest time)
16:51 < phantomcircuit> jrmithdobbs, i tried to setup ipsec between two boxes on my lan once and it just refused to work
16:51 < jrmithdobbs> phantomcircuit: see above, i got it working
16:51 < TD> it seems to be a dead project though? last change was 2 years ago
16:51 < jrmithdobbs> phantomcircuit: i even got it working WELL and CORRECTLY but it wasn't worth the effort.
16:52 < jrmithdobbs> phantomcircuit: it's convoluted and you actually have to understand both the spec and the underlying primitives, in some cases, to have a shot in hell of even figuring out why it's not working, let alone fixing it =/
16:52 < phantomcircuit> which of course 99.99% of sysadmins wont do
16:53 < phantomcircuit> and 99.999999% of people wont
16:53 < jrmithdobbs> phantomcircuit: right, and that's without even going into the fun subtle differences between different spec versions of the major components (eg, isakmp vs ikev2)
16:54 < jrmithdobbs> phantomcircuit: and then on top of that you can have problems between different implementations that implement the same spec versions and primitives just because of how the spec is so convoluted and unspecific
16:54 < jrmithdobbs> fuck ipsec.
17:02 < phantomcircuit> jrmithdobbs, that was my distinct impression
17:02 < phantomcircuit> jrmithdobbs, so NSA subversion or just normal design by committee
18:11 < adam3us> https://twitter.com/DataTranslator/status/401410639354019840
18:11 < adam3us> yifu responds "@adam3us see http://www.coindesk.com/bitcoin-tracking-proposal-divides-bitcoin-community/ Coin Validation is not trying to police Bitcoin or bitcoins."
18:12 < adam3us> ho hum... no but they are hoping their customers will and that it will be viral, and as a side effect will kill fungibility
18:14 < gmaxwell> adam3us: yea, I don't get the people fixating on government imposition in general, as if badness can only be emitted by governments.
18:14 < gmaxwell> People seem to not think that businesses enforcing it out of paranoia and cargoculting good practices would be somehow better.
18:15 < adam3us> the verified-by-visa of the bitcoin world
18:17 < MC1984> gmaxwell that stems from fear of govt action
18:18 < MC1984> people think maybe if they make a good show of it perhaps the govt wont steamroll in with regulation
18:18 < MC1984> maybe thats right
18:19 < gmaxwell> MC1984: in some cases e.g. even with no fear of government action you can happily throw away a couple percent of 'likely troublemakers' for pure business reasons, but regardless not directly.
18:19 < adam3us> MC1984: well like i said, they just need to issue AML/KYC certs for cases where its needed <eom> why would they want to kill fungibility
18:19 < MC1984> but its like locking your keys in the house so that you dont lose them
18:19 < phantomcircuit> gmaxwell, or like 20%
18:19 < phantomcircuit> (or 90+% like i currently do)
18:19 < MC1984> you cant troublemake with bitcoin though, from the view of a merchant
18:20 < MC1984> why would most of them care where coins come from
18:20 < phantomcircuit> MC1984, oh boy is that not true
18:20 < MC1984> phantomcircuit assuming merchant has sane policies
18:20 < phantomcircuit> did you see the crazy lady saying im killing her dog?
18:20 < MC1984> nope
18:20 < phantomcircuit> just google patrick strateman
18:20 < adam3us> MC1984: they only would feel they need to care because of the existence of taint; if taint were fixed they would have no reason to even give it a second thought
18:21 < MC1984> "just google me"
18:21 < phantomcircuit> MC1984, it's literally the first result
18:22 < phantomcircuit> if i cared more i'd start giving reporters sensational comments to change that
18:22 < phantomcircuit> lol
18:22 < MC1984> yeah im just saying "just google me and all will be clear"
18:22 < MC1984> more like patrick bateman amirite
18:23 < gmaxwell> phantomcircuit: when that person was posting on the forum I thought they were threatening to kill your dog
18:23 < gmaxwell> because they were all "I know where you live and now the dog will die because you didn't give me money!!"
18:23 < phantomcircuit> gmaxwell, she has threatened to kill both me my mother and my dog
18:23 < phantomcircuit> ironically blaming me for killing her dog
18:24 < MC1984> which one of those links is the moneyshot
18:27 < MC1984> yeah thats weird, its like a whole narrative
18:28 < phantomcircuit> yeah
18:28 < phantomcircuit> the thing is
18:28 < phantomcircuit> i have literally no record of her ever
14:40 < gmaxwell> And this is important if we can't prevent the data from containing nasty stuff, okay well by the time anyone complains the data can be deleted from all computers _forever_. Thats protective of the system.
14:40 < petertodd> The problem is that there is absolutely nothing stopping a miner from changing their software to ignore that rule, for instance because some large pools got hacked and the attacker deleted the data and no-one feels like screwing up everything for that minor feature.
14:40 < petertodd> Whereas actual proof-of-possession proves that the miner really did have that data.
14:40 < petertodd> And proof-of-possession still lets you define a deletion period.
14:41 < gmaxwell> huh? It's the same as any other network rule (once deployed). Nodes will reject blocks that they didn't get the attached data for, until the block is well and buried.
14:42 < gmaxwell> petertodd: if you stuff the data into the output then the data can never be deleted. :(
14:42 < petertodd> No, unlike other network rules you *can't* verify that it was actually followed after the fact because the data doesn't exist anymore.
14:43 < gmaxwell> petertodd: you can verify it was followed _during the window_. So unless you hypothesize a >window reorg, you can't.
14:43 < petertodd> gmaxwell: I'm not saying stuff data into an output, I'm saying put a hash of the data in your specially marked output, provide it with relaying, *and* incorporate a proof-of-possession into the proof-of-work scheme.
14:43 < gmaxwell> okay okay whatever.
14:43 < gmaxwell> Look, good luck changing the proof of work. :P
14:43 < petertodd> gmaxwell: No you can't. Miners can agree to not follow it and you have no way of knowing. Whereas with any other network rule the data is still there and you can verify it yourself.
14:44 < gmaxwell> petertodd: you won't accept their blocks for some huge gap indeed, this data has only SPV security past that gap. Thats the point.
14:44 < petertodd> gmaxwell: But you *are* talking about a soft-fork, and it's not a hard proof of work, just a "well my PoW spat out this nonce, and I'll quickly provide a merkle path picked randomly to prove I had the data"
14:45 < petertodd> gmaxwell: Yeah, that's kinda my point... you've created a system that can't have better than SPV security, while with the slight change of just adding a proof-of-possession it has full security.
14:45 < gmaxwell> These things aren't mutually exclusive either, if you want your proof of possession just strengthens what I'm suggesting, but I don't think its needed.
14:45 < petertodd> Yes, it strengthens it from very weak SPV to something much stronger; why not take that trivial extra step if you are going to all that trouble?
14:45 < gmaxwell> adding proof of possession gums up deleted forever,
14:46 < petertodd> No it doesn't, those are just merkle paths and anyone interested can retain sufficient data so that they can verify the merkle paths.
14:46 < gmaxwell> because you need to forever store the possession proof which is smaller than the data (E.g. if its a cut and choose that only shows one item)
14:47 < gmaxwell> petertodd: no because then people didn't possess the data, they might have possessed H(data)
14:47 < petertodd> But that's it: you *don't* need to even store the item, or even the merkle path at all unless you want to prove your data was visible!
14:47 < gmaxwell> otherwise you could call the txn itself with the hash a proof of possession: you can't prove that they had more than the hash. :P
14:47 < petertodd> No, the algorithm is calculate H(nonce | data), and everyone other than those interested in the data stores nothing more than the tip of the merkle path.
14:48 < gmaxwell> for your PoP the proof that gets committed will have to include at least one of the data elements under proof or its not actually a PoP.
14:48 < gmaxwell> otherwise it's just SPV security. :P
14:48 < petertodd> But the thing is the only people who care that the data was actually visible, and need to prove that, are the people with the data! Everyone else *can* throw away the PoP's.
14:49 < gmaxwell> Okay, H(nonce|data) is interesting.
14:49 < petertodd> Remember, we're calculating H(nonce | data) for each bit of data (or a subset), making a merkle tree of that, and putting the digest in our block somewhere. We temporarily relay the PoP's, and then throw them out after n blocks.
14:49 < petertodd> People who need to prove visibility save those PoP's when they are being created, everyone else throws them away.
14:50 < gmaxwell> But I don't follow "Everyone else can throw away" if you make it part of block validation then everyone who wants to validate a block needs the data, otherwise they might accept an invalid one.
14:50 < petertodd> Right, but they only need to store it temporarily.
14:50 < petertodd> For the average miner of course they're just getting SPV security for the PoP validation... but they don't care!
14:51 < petertodd> (I mean, they're getting SPV security that PoP validation was done correctly *in the past* if they are synching up fresh and weren't mining in the past)
14:51 < gmaxwell> petertodd: so, lets say 99% of miners just have SPV security for the pop validation. And oops. some minority cheats them. What happens?
14:52 < gmaxwell> I'm still trying to grasp what PoP really provides over my rippable data with SPV security. Both cases reduce to SPV security at some point or you're stuck keeping around data, right?
14:52 < petertodd> Nothing without fraud proofs, and because PoP's are relayed in full temporarily, you can be sure that the last, say, 144 blocks were done honestly.
14:53 < petertodd> The thing is my case reduces to SPV security for the people who don't care if the data was visible, your case reduces to SPV security for the people who need the security!
14:53 < gmaxwell> but you could also be sure that last 144 blocks were honest just by not accepting them without getting a copy of the rippable data.
14:53 < petertodd> Yes, but you have no way of proving that in the future.
14:54 < gmaxwell> Got it.
14:54 < gmaxwell> Cool.
14:54 < petertodd> Heh
14:55 < petertodd> ....we gotta start writing papers for this shit...
14:56 < gmaxwell> Fuck that, make it real. :P
14:56 < gmaxwell> In any case, now I'm trying to figure out how simply it could be implemented.
14:56 < petertodd> Yeah... actually I had a nice idea for a timestamping alt-chain that I should implement.
14:57 < petertodd> Though rippable data might be easier to implement...
14:57 < petertodd> I wish the scripting system was more sophisticated; you could write scripts that evaluate the proofs and pay miners for having made them directly.
14:57 < gmaxwell> I think that prior to today it hadn't been clear to me that a strong short term visibility proof was completely compatible with not-perpetual-storage.
14:58 < gmaxwell> But now we have a problem that some crap scheme that results in perpetual storage is realistically what is going to get deployed.
14:59 < petertodd> I've also been fleshing out an alt-coin with decentralized mining that depends a lot on proof-of-visibility so it's been on my mind.
14:59 < gmaxwell> because it's 100x easier than anything we discussed.
14:59 < petertodd> Yup, you can't win there.
15:00 < gmaxwell> so the question I have: is there a limited form of the trivial dumb way that won't preclude implementing something smarter later?
15:02 < petertodd> I'd say OP_RETURN is exactly that - you can always just use the UTXO proofs + sha256 midstates as your way of tossing the data when safe with a limited impact on long-term validation. 15:02 < gmaxwell> IIRC the order of the transaction isn't so helpful for midstate compression. 15:03 < petertodd> Yeah, because the txin's come first. 15:04 < petertodd> But other than one outpoint you can verify everything, and UTXO proofs themselves will eventually offer an alterative to the standard transaction merkle tree anyway. 15:05 < petertodd> Once it's a hard rule I'd say that's just as good proof as anything else. 15:06 < gmaxwell> this sounds like a reason to restrict the OP_RETURN to be the last txout though. 15:06 < petertodd> No, restrict it to the first txout. 15:07 < petertodd> Although a sane UTXO proof system will make a merkle tree within the transaction itself, IE hashing txins and txouts. 15:07 < gmaxwell> right yea, I'd proposed making the transactions a merkel tree like a year ago to make it easier to subset the 2#$#@ data. 15:08 < petertodd> PoW is always energy anyway, so you just need to store the parts of blocks you need to prove + UTXO proof stuff + block header and verify that. After a year or two that's a year's worth of PoW - pretty damn good confidence. 15:08 < gmaxwell> petertodd: hm. putting it first doesn't help because you can't even check the signatures anymore. :( 15:08 < petertodd> From an energy point of view the last 3 months of PoW mean as much as the other 4 years. 15:09 < gmaxwell> petertodd: sure though at some point we'll reach an equlibrium 15:10 < petertodd> Right, but you can even stuff your data in the scriptSig if you hash it so that it's authenticated. Though the signatures of the first txout are still meaningless. 15:10 < petertodd> An equilibrium sure, but the point is you can have very good security by just waiting for the PoW to build up. 
15:46 < adam3us> maybe i missed the very beginning of this topic but what's the motivation for proof of possession?
15:47 < adam3us> (I am inferring a proof of possession of a preimage of the hash stuffed into the block chain - but why, what do you use it for, what could you build on it?)
15:51 < Luke-Jr> adam3us: you prove it's a hash
15:51 < Luke-Jr> adam3us: ie, you're not spamming data
15:51 < adam3us> ok so to stop people stuffing up the blockchain with stupid stuff that doesn't belong is the motivation? that sounds like a good idea
13:53 < petertodd> nsh: anyway, the dark wallet guys are interested in doing it, but no specific timeline - cj is much higher priority, as is openpgp stuff for payment protocol/payment protocol-like stuff
13:53 < maaku> ok wizards, I'm trying to decide if the forward-diff, reverse-diff or both should be checkpointed in the utxo validation index proposal
13:54 < maaku> in addition to the committed root hash
13:54 < TD> grrrr. this time the irc app crashed
13:54 < TD> sigh
13:54 < petertodd> maaku: explain?
13:55 <@gmaxwell> nsh: I don't think anyone is using characteristic 2 for pairing, at least not in the open world... everything is using the 254 bit BN curve, which is on a prime field.
13:56 < maaku> my diff I mean what I called an "operational proof" in the previous BIP - a list of key,value pairs to insert/update, a list to delete, and paths through the merkle structures to accomplish that
13:56 < maaku> a forward-diff would take you from prevBlock to currentBlock (e.g. summarize the effect the block has on the index structure)
13:57 < maaku> a reverse diff is an undo block : take you from the current block to the previous block
13:57 < maaku> it should be possible to turn a forward diff into a reverse diff and vice versa
13:57 < nsh> gmaxwell, right. i think it's much closer to a curiosity than a catastrophe for the foreseeable future. but i don't know the math at all, so can't guess at the likelihood of eventual generalization of the technique
13:57 < maaku> since you have both the information being added (explicitly) and the information being removed (from the path)
13:58 < petertodd> maaku: so what's the use-case for those deltas?
13:58 < maaku> petertodd: well, a reverse delta could be used to recover from a reorg during pruned operation
13:59 < maaku> but beyond that, that's why I'm asking :)
13:59 <@gmaxwell> nsh: it's only like the Nth attack on characteristic 2 things, so I don't think any engineering-cryptographers (as opposed to theoretical-cryptographers) are the least bit excited by it.
13:59 < petertodd> maaku: but why does that need to be committed?
13:59 < petertodd> maaku: having explicit committed deltas would also make proving fraud even more complex, because now the deltas themselves may be fraudulent
14:01 < nsh> gmaxwell, the paper mentions "medium" characteristic too so perhaps there's some ground being made. dunno
14:01 < maaku> petertodd: a delta would give you a listing of the inputs spent just in that block though
14:01 < maaku> i know that's something you've advocated - is it still relevant if there is a committed validation index?
14:01 < nsh> medium appears to mean "3" though
14:02 < nsh> in which case practical applications should properly be described as employing fields of "unfathomable" characteristic :)
14:02 < petertodd> maaku: ah, good point. :) of course, I advocated *just* having the deltas
14:03 < petertodd> maaku: see, for a wallet syncing txs, they want to know two things: a new txout exists relevant to them, and a txout was spent that they owned
14:03 < maaku> another point is storageless mining / validation - the delta (forward in this case) provides the information you need to update mempool proofs
14:03 < petertodd> maaku: so if you only have deltas, you want both. if you have utxo + deltas, then you only need the "was spent" delta, the "is new utxo" is provided by the utxo set commitment
14:04 < petertodd> maaku: for memoryless operation you don't need to commit the forward delta: you provide it to update the UTXO set, and the fact that the forward delta applied to the existing UTXO set results in the new set is the proof
14:06 < maaku> which is what the forward delta is - it contains the relevant portions of the utxo set
14:07 < petertodd> maaku: yes, but my point is there is no reason to commit it
14:07 <@gmaxwell> nsh: I mean, ec with highly composite fields is subject to index calculus and is known insecure forever. People use "unfathomable" characteristic now in practice (this isn't to say that there aren't commercial characteristic 2 systems, there probably are
14:07 < petertodd> maaku: committing it just fixes the way it's designed in stone
14:08 < petertodd> maaku: and come to think of it, the same argument applies to the reverse delta: you're better off just proving to SPV clients that the UTXO still exists in the set for every block when it comes to showing them their utxo wasn't spent
14:08 * nsh nods
14:08 < petertodd> maaku: there's some size trade-offs here, but the difference isn't much and I'm very hesitant to make things more complex for a minor decrease in bandwidth
14:10 < maaku> petertodd: what about truly storageless nodes (which just keep the current merkle root + mempool + some temporary space for proof processing)?
14:10 < maaku> my thought was that by committing the reverse delta they can work backwards
14:10 < petertodd> maaku: again, there's no need to commit the deltas
14:11 < petertodd> maaku: they know the deltas are valid by the fact that the UTXO root matches after the deltas are applied
14:12 < maaku> ah, so I can just query the network "what's the delta from A to B?" and verify what I get back
14:12 < maaku> ok
14:13 < petertodd> yup
14:13 < petertodd> which means if we figure out a better way to describe the deltas, we can change that without a fork
14:13 < maaku> ok i had some fuzzy thinking - i was thinking they would query for proofs by hash (of the delta itself)
14:13 < maaku> but that's silly
14:15 < maaku> on another note, I had a complex mechanism for structuring the final txout of the coinbase transaction, but I don't think that's necessary
14:15 < nsh> mathematically, is there likely to be a "canonical" way of describing the difference in the utxo set structure? (modulo some symmetries that are orthogonal to security/accounting)
14:15 < maaku> here's an easy rule: if last txout starts with OP_RETURN, concat the remainder of the script with the coinbase string
14:17 < maaku> nsh: it's a weird question. there are arbitrary choices and tradeoffs made in choosing/designing a Merkle structure
14:17 < maaku> but it's definitely a requirement that there exist a canonical form of that structure
14:17 < nsh> well, many of those choices will be fork-constrained, i'd imagine
14:18 < maaku> fork constrained?
14:18 < petertodd> maaku: what's the op-ret rule for?
14:19 < maaku> petertodd: you start stuffing Merkle roots in the coinbase string and you quickly run out of room and/or crowd out other uses
14:19 < petertodd> maaku: right, but, how does that rule help?
14:19 < maaku> and changing the size of the coinbase string is a hard-fork ... so overflow to the last txout
14:19 < maaku> also, allows midstate compression
14:19 < nsh> nm, i gtg sociability :) merriment to ye all
14:20 < maaku> nsh: happy holidays
14:20 < petertodd> maaku: the only thing in the coinbase that's consensus right now is the height, so I'd be inclined to leave that situation the way it is rather than add even more complexity
14:20 < petertodd> nsh: later
14:21 < maaku> nsh: when you come back, there's a long debate in the UBC thread about what structure to use for the index
14:21 < maaku> prefix trees were chosen because anyone could reconstruct the canonical structure without knowing the entire spend history
14:22 < petertodd> right, but with needing to know the entire UTXO set, and with the disadvantage that adding anything to the set requires having to have the entire set
14:22 < petertodd> (though you can outsource the storage to others)
14:23 < maaku> petertodd: in a series of bips I will be proposing committing three 256-bit hashes (validation index, wallet index, arbitrary data commitment)
14:23 < petertodd> maaku: what's the validation and wallet indexes exactly?
14:23 < maaku> validation is txid -> CCoins
14:24 < maaku> wallet index is what I've been calling the address index: txid:n -> unspent txout
14:25 < maaku> sorry, scriptPubKey:txid:n -> unspent output
14:26 < maaku> i find it easier to explain to muggles if I call them based on what they are used for: txid keyed index for blockchain validation, scriptPubKey:txid:n index for lightweight wallet apps
14:26 < petertodd> maaku: suggestion: explain in detail how some examples of compact proofs could be made for various frauds
14:26 < maaku> petertodd: will do
14:26 < petertodd> maaku: being able to prove fraud compactly is a huge use-case for all this stuff
14:27 < petertodd> maaku: for instance you do need a merkle-sum-tree in there for txin/txout values
14:28 < maaku> petertodd: yes, both indices have nValue summation in the "extra" field
14:28 < petertodd> maaku: and while a bit less efficient, I'd be very inclined to ensure that tree must be distributed as part of some other use-case so we don't get into a situation where nodes stop passing it around
14:28 < petertodd> maaku: good
14:29 < petertodd> maaku: also, it should be easy to prove part of a transaction exists, IE, I shouldn't need the whole tx to just prove a single txout existed in it
14:30 < petertodd> maaku: now I guess scriptPubKey:txid:n -> unspent output works for that, but there needs to be something similar for the scriptSig case too - txid -> CCoins would probably better be txid -> merkle tree of txins + merkle tree of txouts
14:30 < maaku> petertodd: can you elaborate? I'm using a modified version of sipa's CCoins data structure which is basically metadata + compressed unspent outputs
14:31 < maaku> i see
14:31 < petertodd> maaku: suppose I have a 100KB transaction, can I prove it had a txout with a specific form without providing the whole transaction?
14:32 < petertodd> maaku: that txid tree is the perfect place to sum fees too: sum all transaction inputs and outputs, sum that, then sum all tx fees
14:32 < maaku> yes you'd only be providing the compressed outputs (33 bytes * number of unspent outputs, if they are standard form, plus a few bytes metadata)
10:39 < gigavps> my pool caps at 600k with 150k minimum
10:39 < Emcy> why 600
10:40 < gigavps> completely arbitrary
10:41 < gigavps> it was at 350k before, and we rarely create blocks that large
10:41 < gigavps> because of the recent ramp up of the network hashrate and tailing difficulty
10:42 < Emcy> see i'd have thought most miners are actually pools where the node is in hosting of at least 100mbit
10:43 < Emcy> so surely just pumping out 1mb blocks won't make relatively jack shit difference to orphan rate
10:43 < Emcy> specifically orphan rate due to fat blocks, instead of normal orphan rate due to sod's law
10:43 < Emcy> if such a thing can even be measured
10:47 < jgarzik_> You don't just push out the block once, if you are a miner creating one
10:48 < Emcy> well really how many uploads does it take to seed into the network
10:49 < gigavps> Emcy jgarzik is saying that you push the block to every node you are connected to. so if you are connected to 125 nodes, then it is 125 * blocksize
10:49 < Emcy> maybe 3 or 4 to diverse subnets until it floods nicely?
10:49 < Emcy> how many sockets does a pool node usually have
10:51 < gigavps> Emcy we have many pool nodes
10:52 < Emcy> ok say top ten pools you're pushing to
10:52 < Emcy> that's just over a second even at the minimum of 100mbit right
10:58 < Emcy> oh there's something on the list about someone got some actual metrics about it. and im here on irc pulling numbers out of my ass
10:58 < Luke-Jr> gigavps: coming to the meetup?
10:58 < gigavps> what meetup?
10:58 < Luke-Jr> gigavps: same as last year, but in Brooksville!
10:59 < gigavps> probably won't make it, have a lot going on
11:00 < Luke-Jr> aww
11:00 < Luke-Jr> if you leave now you might make it in time!
11:00 < Luke-Jr> <.<
11:01 < gigavps> ahhh
11:01 < gigavps> thanks for letting me know
11:01 < Luke-Jr> XD
11:01 < Luke-Jr> next year we'll have to plan more in advance
11:06 < Luke-Jr> looks like forrestv is MIA anyway
11:53 < cfields> Ryan52: ping
12:30 < Ryan52> cfields: pong
18:22 < gmaxwell> Did I kill the thread here, or what? https://bitcointalk.org/index.php?topic=346008.0
18:25 < gmaxwell> maaku: when you get a chance, please help me understand how you think we can MMR a spent token database. I'm not getting it.
18:25 < gmaxwell> mmring an unspent token database is easy, because it's naturally append only.
18:26 < maaku> it isn't append-only like peter's MMR
18:26 < maaku> it's an ordered tree of spent tokens
18:27 < gmaxwell> oh and you know your token ID in advance, so you know what part of the tree you need to maintain a proof for, even before you spend?
18:27 < maaku> to insert, you provide the path to where the spent token would go (demonstrating that the token has not been used)
18:27 < maaku> -- yes
18:28 < maaku> so you watch spends as they go by and update accordingly
18:28 < gmaxwell> Sorry, I don't know why that wasn't obvious to me 10 minutes ago. I've got it now.
18:28 < gmaxwell> Yea, that would work. Okay we really can outsource all these costs.
18:29 < gmaxwell> though we can't shrink the tree, any such system is going to have to be able to cope with a potentially very tall tree. (to some extent that's okay, the ZKP stuff really wants you to set the circuit execution time in advance)
18:31 < gmaxwell> The unspent token side has the nice property that it's truly append only and write once, so tracking the proofs is really cheap. Alas we can't get that for the other side.
18:34 < maaku> yeah
18:35 < maaku> There is some small messiness, namely that proofs have to be updated for *every* spend in the series (although, 50% of the time it only requires modifying the top level, 25% the top two levels, etc.)
18:35 < gmaxwell> Is there a way to privately start tracking the required proof up front that doesn't require having the whole spent tree?
18:36 < maaku> Miners would have to do that themselves if there is more than one spend in a block.
18:36 < gmaxwell> maaku: I don't think so: I think you could accept a ... right I was about to say that.
18:37 < maaku> Still thinking about your question.
18:37 < maaku> In general, no, I think you would need to replay history
18:38 < maaku> Or otherwise have access to a whole tree
18:38 < maaku> This successfully moves work out of the validator, but is less than ideal in other respects :\
18:39 < gmaxwell> yea, okay, well that's alright, we basically get back to the MMR argument: there is now an economic incentive for people to keep the whole tree: people can show up and say "here is a transaction, and oh it pays you, but its proof is incomplete. Can you help?"
18:39 < maaku> Yeah.
18:39 < gmaxwell> and if you're worried about getting extorted in the future: keep your own copy of the data.
18:39 < gmaxwell> and it means we can pay people to run archive nodes.
18:40 < gmaxwell> and if you only recover the proof right at spend time there is no loss of anonymity.
18:40 < maaku> I can think of some very dumb ways to avoid that which people will undoubtedly do and get themselves in trouble
18:40 < maaku> E.g, choose a secret within a range exposed by a recently seen proof, and start updating from there
18:41 < gmaxwell> well, if your token id is required to be the output of a hash function that's a bit hard.
18:41 < maaku> Ah that's true
18:42 < gmaxwell> I'm imagining a system where your "token" is actually sha256(scriptPubkey),coinvalue
18:42 < gmaxwell> e.g. basically a bare p2sh utxo.
18:44 < maaku> Might as well even do that directly: ripemd160(sha256(scriptPubkey)), coinvalue, (4 bytes for something else?)
18:46 < gmaxwell> well maybe, in thinking about improved systems, I think at some point we should probably go to 256 bit security. Also the size of the unblinded coin isn't important for communicating to someone who wants to pay you, the only time it's seen is on spend.
18:47 < maaku> 256-bit security as in 512 bit key/hash sizes?
18:47 < gmaxwell> maaku: well 256 bit security against second preimages. (which only requires a 256 bit output, so long as the hash's state space is large enough)
18:49 < maaku> Not against that in general, but the rest of the system is only 128-bit security, right? Are you in favor of increasing the security bits of the rest of bitcoin too (if possible)?
18:52 < gmaxwell> maaku: well you can more easily change the other things. E.g. adding another checksig operator is easy.
18:52 < gmaxwell> and non-hardforking.
18:59 < petertodd> maaku, gmaxwell: sounds very much like my TXIN commitment thought experiment - I simply incentivized miners to hold the relevant data by defining mining as some PoW on that data
18:59 < petertodd> maaku, gmaxwell: http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03307.html
19:00 < gmaxwell> I don't even see a reason to incentivize miners to hold it.
19:00 < petertodd> gmaxwell: me neither, just incentivize someone to in such a way that there can never be incentives to withhold
19:01 < petertodd> gmaxwell: though you need to be very careful to ensure that the system can recover if some of the data gets lost
19:02 < petertodd> Note how bitcoin recovers from blockchain data getting lost: this causes a fork which is overtaken sooner or later.
19:03 < maaku> petertodd: you mean permanently, 100% globally lost?
19:04 < maaku> how does bitcoin recover from that?
19:04 < maaku> -- oh wait, i get it
19:04 < petertodd> maaku: lost from the public sphere yes
19:04 < maaku> the new "fork" starts from where the history was lost
19:04 < maaku> not from the current block
19:04 < gmaxwell> petertodd: well if you can get paid helping people complete their proofs, that's a pretty awesome incentive.
19:04 < gmaxwell> way better than mining, IMO
19:05 < petertodd> maaku: mainly I'm more worried that you can easily create systems that give people incentives to withhold data and just broadcast the PoW - bitcoin is way too close to being such a system itself
19:05 < petertodd> gmaxwell: yeah, although be careful it's not the main way to earn income in the scheme - that's a business that naturally centralizes so it must be independent from the PoW security of the system
20:11 < cfields> Ryan52: sorry, missed your pong earlier today
20:11 < cfields> Ryan52: was just curious if you got any further in reproducing the build
22:05 < gmaxwell> I laughed too much at this: http://www.smbc-comics.com/?id=3186#comic
22:15 < petertodd> gmaxwell: Meanwhile the mathematician: "Let I, the Iliad, be a spherical novel of unit radius..."
22:17 < petertodd> wait, no, a mathematician would generize to non-euclidian novels as well...
22:17 < petertodd> *generalize
22:17 < gmaxwell> I suppose an epic poem is isomorphic to a novel up to projection.
22:18 < petertodd> Right! and a "...enter a bar" joke is isomorphic to an epic poem! ah, good, we've reduced this one pretty quickly to something we already know.
22:44 < warren> "mcxNOW is shutting down for a period of time - "Withdraw all your coins before December 20th"
22:44 < warren> anyone surprised?
22:44 < warren> realsolid is very solid
23:10 < gmaxwell> very surprised.
23:10 < gmaxwell> that it wasn't "omg hax, oh look no coins"
23:14 < phantomcircuit> gmaxwell, that's a far more economically effective ploy
23:17 < pigeons> seems weird
23:20 < phantomcircuit> pigeons, what about it seems weird?
23:21 < pigeons> "i'm making money off you, i'm gonna stop now"
23:21 < phantomcircuit> pigeons, accounts that will be unclaimed before december 20th are almost certainly worth more than running it for decades
23:21 < pigeons> ah
23:22 < phantomcircuit> if i pulled that shit with intersango right now i'd be laughing all the way to the bank
23:22 < phantomcircuit> well actually i'd probably be laughing all the way to jail
23:22 < phantomcircuit> but nobody knows who he is
23:24 < gmaxwell> well, as I've lamented before, a friend of mine lost 20 BTC in the tradehill shutdown and hasn't yet been able to recover it
23:24 < gmaxwell> At some point it'll be worth the lawsuit.
19:31 < petertodd> gmaxwell: right, although you could do a checksig that did bip32 with some kind of crazy 1-of-m multisig essentially, although at the cost of privacy
19:31 < gmaxwell> And they're planning on doing this with the ed25519 curve.
19:31 < gmaxwell> And I don't think they've yet realized that they won't be able to use the standard implementation
19:31 < jtimon> separate issue, does what I said here make any sense? Is Flavien right? https://groups.google.com/d/msg/bitcoinx/Nq_8dkC3zqU/h_aqRA5A7TkJ
19:31 < gmaxwell> (I only realized this because I went and tried to implement ed25519 for bitcoin)
19:32 < gmaxwell> petertodd: BIP32 perhaps, but not the privacy purposes of it.
19:32 < gmaxwell> Or stealth addresses.
19:32 < gmaxwell> Which is basically the same usecase tor has.
19:32 < petertodd> gmaxwell: yup, although OTOH a merkle tree would do it, at the cost of size
19:32 < gmaxwell> (and incidentally, tor is working on a rigorous security proof for their derivation scheme, though last I checked they hadn't made much progress)
19:33 < gmaxwell> petertodd: not for privacy, I could see your hashroot was the same. :P
19:33 < petertodd> jtimon: it makes sense
19:34 < petertodd> gmaxwell: no, the hash root would be of n pubkeys, and if you could spend any one of them you can spend the txout. each pubkey is still bip32-style secure, although there is a 1 in 2^256 chance of not being able to spend the txout (or whatever the math is)
19:34 < jtimon> petertodd: thanks, so Flavien is wrong saying you can reuse an address to sign securely 100 times a day even if you don't care about privacy
19:35 < petertodd> jtimon: well, the bigger thing is that you should just have the definition of a valid ccoin txout be "whatever the issuer signs", with a separate merkle sum tree for auditing purposes
19:36 < petertodd> jtimon: your proof that your ccoin is valid just needs to be that the signature on the genesis txout was valid
19:36 < maaku> jtimon: the chance of choosing the same K value is exceedingly low ... unless you have a bad RNG, in which case it is exceedingly high
19:36 < gmaxwell> petertodd: oh god, you mean using lots of bip32 keys just to make sure you get one where the MSB is 1?
19:37 < petertodd> gmaxwell: yes! not that I ever said it was a good idea :P
19:37 < gmaxwell> petertodd: dear god, that idea ... so bad. ... must stab
19:37 < jtimon> petertodd, flavien is talking about "inflatable colored coins" in which the same address can be used to just issue more
19:37 < maaku> If you assume your RNG is good or use deterministic signatures, key reuse is not a problem (from that perspective only)
19:37 < petertodd> gmaxwell: pity you can't stab someone over the internet
19:37 < jtimon> so maaku says flavien is right...
19:37 < gmaxwell> I'm pretty sure there is an onion site for that.
19:37 < petertodd> jtimon: yes, which is a dumb idea, just use the signature to sign a message saying some arbitrary txout is colored
19:38 < maaku> but you still wouldn't want to tie it to an unchanging address anyway, for a multitude of other reasons
19:38 < maaku> jtimon: he is not factually incorrect when he says "Signing a billion transactions per second, it would still take you hundreds billion times the age of the universe before you have 1% chance of collision."
19:38 < maaku> (assuming perfect RNG or deterministic signatures)
19:39 < gmaxwell> petertodd: you ever hear about how the signature systems which are based on one-time-hash based signatures but allow ~infinite signatures work?
19:39 < maaku> but those are invalid assumptions for real-world cryptography
19:39 < petertodd> gmaxwell: of course, which is why I expected the idea to raise your blood pressure :P
19:40 * petertodd has been paid off by the NSA to kill gmaxwell via heart disease
19:40 < maaku> where with a bad RNG (or a reused seed value on a VM) it only takes two signatures to give up the key
19:44 < jtimon> maaku I was going to answer something like "thank you for the clarification, then addresses are still the right approach for inflatable basic CC, but since we have tokens in freimarkets for other reasons, they're still more convenient for re-issuance as well"
19:46 < maaku> jtimon: it's not just a matter of convenience. it lets you have more control over operational security, for example by having one key per signing server and local protections against K reuse
19:47 < maaku> which would protect you against spinning up two separate servers, who each sign separate messages with the same K value
19:47 < warren> petertodd: I knew it!
19:47 < maaku> (due to saved random state in the VM image and a lack of entropy)
19:47 < justanotheruser> Is bitmessage off topic here?
19:48 < maaku> justanotheruser: so long as it involves arcane spell
19:48 < maaku> s
19:48 < justanotheruser> ?
19:48 < jtimon> well the "one address" in colored coins could be a p2sh multisig or whatever, by convenience I also mean that more control
19:49 < maaku> jtimon: yes, but in the example I gave you need tokens because you need a new key every time you spin up a server, and eventually you run out
19:50 < jtimon> tokens allow you to change the p2sh one address doesn't
19:50 < maaku> although if you had bip-32 in script...
19:50 < maaku> yes
19:50 < maaku> if you could do bip-32 derivation in script though, you could get by with a single address
19:51 < justanotheruser> Anyways, how well does bitmessage scale? Would it work with 10 million users?
19:51 < jtimon> not if you want to radically change the config
19:51 < maaku> yeah
19:52 < gmaxwell> justanotheruser: scaling is largely in terms of the anonymity set size.
19:53 < gmaxwell> justanotheruser: they kinda waved their hands at the streams stuff in their initial writeup though so the mechanisms needed to get people onto different streams is unde(rde)fined.
19:53 < justanotheruser> Nice use of parenthesis there. How is scaling in terms of the anonymity set size? Will the network break into sections or something?
19:54 < gmaxwell> justanotheruser: the idea is that the POW would increase to keep the datarate in a stream sane. And thus that would push people off onto other streams where the pow was lower (but the anonymity set smaller).
19:55 < petertodd> ...which is basically what sane people propose for consensus blockchains in general.
19:55 < justanotheruser> I see. And there is no in depth explanation for their streams?
19:55 < petertodd> it's just that how that'll actually work in bitmessage is a lot more obvious - no "oops I let a tx spend a bit of dust that didn't actually exist" problem
19:55 < petertodd> justanotheruser: not that I've seen
19:56 < gmaxwell> there is a stream setting on addresses, so the stream stuff is implemented but no 'fee intelligence' if you will.
19:56 < petertodd> justanotheruser: you can also do streams based on sharding H(addr) space (roughly speaking)
19:56 < gmaxwell> I think they don't quite have the incentives well aligned. the guy sending to you pays the pow for your choice of stream.
19:57 < gmaxwell> so, duh, yea, of course I'm going to pick stream 0.
19:57 < gmaxwell> let you suckers pay the cost of messaging me.
19:57 < petertodd> gmaxwell: yup, although another way to look at it, is the person messaging you is picking the size of the anonymity set they want *their* message to be in
19:57 < justanotheruser> Well there is an incentive to have someone message you right?
19:57 < justanotheruser> I mean to send a message
19:58 < justanotheruser> So if you don't agree on the stream then it wouldn't be sent
19:58 < petertodd> justanotheruser: yup, and stream would be part of addr
19:58 < gmaxwell> petertodd: well no the recipient picks the stream. Not the sender, and that's generally good because it's the recipient's privacy that is trickier.
19:58 < gmaxwell> I think the incentive issue is probably not fatal, as justanotheruser says people want to receive messages.
19:58 < gmaxwell> But it is interesting.
19:59 < petertodd> gmaxwell: right, but you can easily imagine a system where you have receivers listening to some fraction of the addr space by prefix, and senders get to pick how much of the prefix they match based on how much pow they spend
19:59 < petertodd> gmaxwell: limit bandwidth based competition for a given prefix specificity
20:00 < petertodd> gmaxwell: hilariously, that matches really well to what PoW algorithms actually do... but in the exact wrong way
20:01 < justanotheruser> How does the reduced anonymity affect the anonymity of coinjoins? Does it even matter?
20:01 < petertodd> justanotheruser: depends on how anonymous you want to be...
20:01 < gmaxwell> I don't know that it even matters. ... though I assume anyone would use bitmessage over tor.
20:03 < petertodd> justanotheruser: oh, you mean coinjoin over bitmessage? meh, bitmessage isn't a great message layer for cj anyway from a usability perspective
20:04 < gmaxwell> petertodd: there are no more suitable traffic analysis resistant privacy networks.
20:04 < justanotheruser> petertodd: Why not? I would think it is great, it just needs a layer on top of it to handle it
20:04 < petertodd> justanotheruser: needing a PoW to send a message is ugly vs. using fees for it
20:04 < petertodd> justanotheruser: and you can use fees to pay for it with the nLockTime trick
20:05 < justanotheruser> petertodd: I think gmaxwell's idea of using PoS is better.
20:05 < justanotheruser> People don't really want to pay double fees, one for the message and one for the coinjoin.
20:06 < petertodd> justanotheruser: you don't have to though, you make a nLockTime'd tx spending one input, and then respend it in the coinjoin
20:06 < petertodd> justanotheruser: either way you spend some tx fee, and you can arrange all of this such that the attacker doesn't learn much
20:06 < justanotheruser> petertodd: how would you determine the coinjoin tx without being able to communicate with the network first?
03:57 < warren> hence you charge more
03:58 < warren> it can spit out VM's for block explorers, *cointalk.org SMF, bribe form letter to <exchange>
03:58 < warren> make it very easy
03:58 < warren> programmatically create a shill army too
03:58 < warren> mechanical turk?
04:00 < sipa> [ ] Use less than 2 year old Butcoin source code {+.3 BTC}
04:00 < sipa> ehm... that actually is a typo, i meant Bitcoin
04:01 < BlueMatt> well if you dont pay it forks buttcoin instead
04:01 < gmaxwell> well buying and selling accounts on bitcointalk is permitted.
04:01 < gmaxwell> so you can even one-stop buy your shill army.
04:02 < warren> would you sell after-sale support?
04:02 < warren> 1 BTC/hour
04:02 < warren> NO WARRANTY
04:03 < sipa> [ ] Use doge-styled shill army posts
04:04 < sipa> actually, the opposite perhaps should cost money
04:04 < sipa> so we'll get easily recognizable dummy posts by default
04:06 < warren> http://aurawallet.com/ somehow this site causes chrome to use 100% of 4 cores. maybe I'm mining for them. =P
04:08 < midnightmagic> lol
04:12 < midnightmagic> it would be an excellent example of why scamcoins are pointless. what a statement.
04:14 < warren> what's up with this Nxtcoin thing? written in java. entirely premined.
04:14 < _ingsoc> 100% PoS apparently. 71 people own all of it. Yup. :/
04:15 < _ingsoc> No mining! It's a winner.
04:15 < _ingsoc> They figured out how to do what Bitcoin does and more with no mining necessary. I bet you're all feeling pretty dumb right now.
04:15 < gmaxwell> 100% PoS? does it suffer from the nothing-at-stake attack that PPC originally did then?
04:16 < gmaxwell> or is it a consensus that requires quadratic communication, requires all nodes with stake to be online, and is trivially jammed by any participant?
04:17 < warren> the PoA design sounded great in that regard, except after we realized it encourages banking cartels.
04:18 < gmaxwell> well, glad to hear that its something different.
04:18 < gmaxwell> "Nxt doesn aka predicates. This simplifies and accelerates transaction processing. Advanced features like multisig will be created on top of the core as 3rd party services."
04:18 < gmaxwell> hopefully '3rd party services' means something domain specific.
04:19 < warren> sounds like they will have centralized issuers like ripple
04:19 < warren> sounds very much like ripple
04:19 < warren> including the not open source part
04:19 < gmaxwell> yea, indeed not open source 0_o crazy
04:21 < _ingsoc> warren: That was my first thought too.
04:22 < gmaxwell> apparently it's currently being dossed and they are trying to train a "Neural net" to remove spam.
04:23 < _ingsoc> gmaxwell: Nxt?
04:23 < gmaxwell> yea, I can't find anything about how it works though.
04:23 < gmaxwell> apparently it's a blockchain, so that probably rules out it being a standard quadratic consensus.
04:23 < gmaxwell> which probably means its vulnerable to the nothing at stake attacks.
04:27 < warren> I was thinking, would there be a way to cancel out the extra orphan risk of larger blocks
04:27 < gmaxwell> oh wow, this is partially the work of that Come-from-Beyond guy...
04:28 < warren> if the difficulty was fudged by some factor of the transactions (quantity, days destroyed, fees, or something)
04:28 < _ingsoc> gmaxwell: Has he done anything else?
04:28 < _ingsoc> That we know of.
04:29 < gmaxwell> beyond being a confused jerk on the forums?
04:29 < gmaxwell> what a bummer.
04:29 < gmaxwell> after seeing that I'd estimate less than 1% chance that it works.
04:30 < _ingsoc> xD
04:30 < gmaxwell> I guess thats part of why I didn't see it, I have him on ignore on the forum.
04:30 < gmaxwell> https://bitcointalk.org/index.php?topic=352286.msg3794431#msg3794431
04:31 < _ingsoc> Hahaha.
04:31 < _ingsoc> Do you know why he's on ignore?
04:31 < _ingsoc> Not to detract.
04:35 < gmaxwell> no idea, but it would be the same as anyone else nasty*ignorant > threshold.
04:35 < midnightmagic> but.. it's in java. who cares if he releases the code?
04:35 < _ingsoc> ^^
04:37 < gmaxwell> I don't agree. I don't personally like java, but its currently the language I'd prefer any mediocre programmer use if I'm ever to run their software at all.
04:38 < midnightmagic> oh I just meant that unless he's running weird obfuscators it can be decompiled to fairly readable
04:38 < _ingsoc> I couldn't care less about all these coins. They should have the right to present their ideas and get the support if people want to. I just wish it wasn't so damn sketchy. How many people now have just taken money or made absurd promises?
Countless people have been suckered into that type of belief system, and that sucks.
04:38 < _ingsoc> gmaxwell: Mediocre programmers should be roping people in. :/
04:38 < gmaxwell> uh.. nxtcoin addresses appear to be 20 base 10 digits... 66 bits? 0_o
04:39 < _ingsoc> shouldn't*
04:42 < gmaxwell> this thing is amazing.
04:42 < gmaxwell> it's like every bad idea multiplied into a swimming orgy of bad ideas.
04:43 < gmaxwell> it _forces_ you to use brainwallets.
04:43 < gmaxwell> and the addresses are ~20 base 10 digits, based on a kind of first bits system where the system remembers the first pubkey it's seen spend for any prefix and then always uses that pubkey.
04:44 < sipa> wait, parts are closed source?
04:45 < gmaxwell> sipa: it's all closed source except for some small parts they released.
04:45 < _ingsoc> Reasoning?
04:47 < gmaxwell> well it's an entirely premined coin.
04:47 < midnightmagic> so.. much.. development effort that could have been put to constructive use. :( gaw how disappointing.
04:47 < gmaxwell> it doesn't appear to actually be that much.
04:48 < sipa> "a single source file", "no comments"... these guys are satoshi reborn!
04:48 < _ingsoc> Hahaha.
04:49 < maaku> _ingsoc: the problem is that ignorant people with money to invest actually find these things more credible than real projects :\
04:50 < gmaxwell> here is their PoS mining code in their early source release:
04:50 < gmaxwell> int elapsedTime = getEpochTime(System.currentTimeMillis()) - lastBlock.timestamp;
04:50 < gmaxwell> if (elapsedTime > 0) {
04:50 < gmaxwell>
04:50 < gmaxwell> BigInteger target = BigInteger.valueOf(Block.getBaseTarget()).multiply(BigInteger.valueOf(account.getEffectiveBalance())).multiply(BigInteger.valueOf(elapsedTime));
04:50 < gmaxwell> if (hits.get(account).compareTo(target) < 0) {
04:50 < gmaxwell>
04:50 < gmaxwell> account.generateBlock(user.secretPhrase);
04:50 < _ingsoc> maaku: I think you'd be surprised.
There are so many people who are new to this field looking to be part of something that they can grow with. That's the appeal. So they justify "investing" money they might not have because their urge to be part of it outweighs rational thought about the project itself.
04:52 < gmaxwell> no, having talked to VCs, maaku's characterization appears to be spot on. Wild, unsupported, even impossible claims add credibility. I think people seem to believe that you'll actually accomplish some fixed percentage of what you claim to, so the guy who claims infinite things is obviously the best.
04:53 < _ingsoc> True, I'm not denying there wouldn't be bigger money involved, but you bet there are smaller guys getting burned by these things.
04:54 < _ingsoc> But I guess you do your research and go with what you believe in.
04:54 < gmaxwell> yea, this is totally vulnerable to a nothing at stake attack.
04:55 < gmaxwell> they create ECDSA signatures of a candidate block and hash them, then compare them to a target that depends on time and the value of that account.
04:56 < gmaxwell> so of course, the same attack PPC got nailed with applies trivially.
04:56 < maaku> yeah Jorge and I have talked to quite a few VCs trying to get funding for Freimarkets. it always seems like we're at a perpetual disadvantage by only claiming what we think can be reasonably achieved
04:57 < sipa> gmaxwell: yes, but if the mining code is not open sourced, that is no problem, right? :p
04:57 < maaku> and in VC eyes, a project that got funding is treated as credible (assuming that someone somewhere did due diligence, I suppose)
04:59 < gmaxwell> pretty sure I can just hack the java bytecode directly here to make it mine all the blocks.
04:59 < gmaxwell> it just needs one extra wrapping loop, with a break when its actually successful.
:P
05:05 * midnightmagic grits teeth and discovers more reasons why macports feels broken
05:06 < midnightmagic> https://trac.macports.org/ticket/35358#comment:28
05:40 < gmaxwell> wow: ... this thread has gone a bit pear shaped since I last looked at it!!! https://trac.torproject.org/projects/tor/ticket/8106
06:22 < jtimon> gmaxwell what java bytecode can you hack?
06:28 < _ingsoc> jtimon: Nxt.
06:40 < jtimon> oh, Nest, thank you
06:41 < jtimon> wasn't that source closed? I assumed it was a ripple fork
06:52 < _ingsoc> They've released some snippets apparently.
07:15 < gmaxwell> So random not very bitcoin idea.
07:16 < gmaxwell> Tor HSs have had some amount of problems with attackers exploiting the now-popular vanity addresses.
07:16 < gmaxwell> onion addresses are only 80 bits long, 5 bits per character, and there are super fast gpu vanity generators, so some not nice people have been generating lookalike names and then leaving links around.
07:18 < gmaxwell> Some future HS system could make lookalike attacks much harder by requiring any HS address generation to also generate a lookalike address. You prove you have your required lookalike by just disclosing the second address inside your HS directory entry, so the urls are no longer.
07:19 < gmaxwell> And the advantage of this is that since it's a collision a 64 bit lookalike takes only ~2^32 operations. But someone trying to pick a specific value instead of pick only any two similar ones, has a much harder time.
14:19 < nsh> petertodd, i'd enjoy reading such a description
14:19 < maaku> oh maybe we mean different things
14:20 < nsh> or such a write-up, even
14:20 < petertodd> well, I was thinking "this is how you use UTXO commitments to make namecoin work, and/or make namecoin on the bitcoin blockchain because I'm evil"
14:20 < maaku> oh ok yes, I would like that to understand better your worry
14:21 < petertodd> yup, and it's actually rather relevant to my new dayjob too...
utxo commitments could be quite handy for things like mastercoin data feeds
14:21 < maaku> so this is totally offtopic then, but my namecoin 2.0 in a nutshell:
14:21 < nsh> not enough essay titles end with the phrase "...because i'm evil"
14:22 < petertodd> nsh: lol
14:22 < maaku> add another coinbase committed prefix tree that persists from block to block
14:23 < maaku> and add soft-fork opcodes to insert/update into this tree, using pushdata proofs
14:24 < maaku> and signatures for updates (the first bytes of the value field being a length-prefix encoded scriptPubKey)
14:24 < petertodd> right, basically you're adding state to the scripting language
14:24 < nsh> (what could go wrong...)
14:25 < petertodd> what vitalik's ethereum thing should have focused on rather than getting into the nitty-gritty of the language IMO
14:26 < maaku> nsh: so you can have another way to double-spend a transaction, in a way that is observable to anyone who understands this soft-fork. what's the issue?
14:26 < petertodd> nsh: well, the key thing is to charge fees for every time the scripts run rather than allow them to run unhindered, on every block, multiplying and multiplying, consuming, EVERYTHING
14:26 * nsh nods
14:27 < petertodd> (though petri-coin is suddenly sounding *really* attractive...)
14:27 * nsh registers graygoocoin
14:27 < maaku> hehe, jtimon and I said basically the same thing to vitalik...
14:31 < petertodd> yeah, although that still assumes a model where you are outsourcing validation to miners - pure proof-of-publication schemes are IMO superior
14:31 < maaku> but anyway, that's part of why I find it a little hard to follow the UTXO namecoin objection ... there's a very easy pathway to namecoin-over-bitcoin which is stateless, scales better, and requires very little validation effort
14:31 < maaku> petertodd: you need consensus, no?
14:31 < petertodd> maaku: the only consensus you need is what data has been published and in what order
14:32 < petertodd> maaku: the objection is that things never expire out of the UTXO set, and to insert new items into it you need the whole damn thing
14:32 < maaku> ok, so you can do the same thing with the document-timestamper solution and not even need the soft-fork
14:32 < petertodd> maaku: maybe not you personally, but someone has to have it
14:33 < petertodd> maaku: actually no you can't - timestamping is only part of proof-of-publication
14:33 < maaku> and have people's view of the DNS database be eventually consistent
14:33 < maaku> petertodd: what's the other part?
14:33 < nsh> bunga bunga parties on the moon
14:33 < petertodd> well, the proof that your data actually got to people
14:34 < petertodd> IE, I can timestamp data that I have kept hidden all to myself
14:34 < nsh> well, proof-of-existence should be differentiates from proof-of-dissemination
14:34 < petertodd> only proof-of-publication can be used to solve the double-spend problem
14:34 < nsh> *differentiated
14:34 < maaku> yes, which is why I suggested soft-fork miner verification (although they throw away the data as soon as it is published)
14:34 < jrmithdobbs> ya, you need timestamps from observers and then the rabbit hole starts getting deeper and deeper
14:34 < petertodd> jrmithdobbs: no, not timestamps, proof-of-work/sacrifice
14:35 < maaku> really? why?
14:35 < maaku> if you have the data, you can broadcast it anytime at your convenience
14:35 < petertodd> right, which is the *problem*
14:36 < jrmithdobbs> petertodd: well, signed timestamps from observers is a (bad) form of proof-of-work
14:36 < jrmithdobbs> petertodd: ;p
14:36 < petertodd> for instance, you timestamp your transaction, but don't publish, you then make a subsequent transaction spending the same coins, and do publish, I only see the later timestamp, and then you can take the money from me later by publishing the earlier one
14:36 < maaku> you can't have your cake and eat it too ... you need a distributed consensus mechanism
14:36 < petertodd> jrmithdobbs: assume frictionless spherical cow timestamps
14:36 < maaku> do you have a solution to this?
14:36 < jrmithdobbs> petertodd: come again
14:37 < jrmithdobbs> maaku: no one has to my knowledge
14:37 < petertodd> jrmithdobbs: assume timestamps are free, infinity timestamps is still zero work
14:37 < petertodd> maaku: yes and no
14:37 < petertodd> the yes is that bitcoin is a proof-of-publication system, so obviously the problem can be solved.
14:38 < petertodd> the no is that if you want a scalable system, you still need some notion of "audience size" so to speak, and your security is better if you can prove the data was published to a larger audience
14:38 < jrmithdobbs> petertodd: the signatures on the timestamps aren't free though
14:40 < petertodd> jrmithdobbs: this is -wizards, we're mathematicians here :P
14:41 * nsh smiles
14:41 < maaku> Merkle-tree validation is pretty cheap though right?
and the added size is paid for in fees
14:41 < jrmithdobbs> petertodd: my point was the timestamp isn't the proof, the multiple signatures from separate observers on "close" timestamps can serve as the proof of publication time
14:42 < petertodd> jrmithdobbs: only if I have some notion of observer - without proof-of-work every observer claimed has zero weight (sybil problem)
14:42 < jrmithdobbs> petertodd: you need a mechanism for defining what are enough and that's where it starts falling apart imho
14:42 < petertodd> jrmithdobbs: exactly, and proof-of-work is what fixes that mechanism
14:43 < petertodd> (I *really* need to write a book on this as fast as possible so I can cement as much terminology as possible from the fine art world into this field...)
14:43 < nsh> please do
14:44 < nsh> i am happy to contribute by poking you daily with an imaginary irc stick if that helps
14:44 < nsh> (was actually wondering what "weight" means here...)
14:45 < maaku> petertodd: that doesn't seem to address the issue very well
14:46 < petertodd> oh man, the crazy thing is semiotics terminology actually makes sense here too, sign, signified, signifier...
14:46 < maaku> so i burn some coins or electricity to get enough sybil identities to double-spend
14:46 < nsh> oh good, let's invite umberto eco to keynote the next bitcoin conference
14:46 < maaku> it puts an economic cost on it, but not one that can be too big
14:47 < petertodd> maaku: they're not sybil identities, the notion of identity is really kinda irrelevant at the theory level, what matters is a certain amount of electricity was destroyed in support of a particular history
14:47 < petertodd> nsh: lol
14:47 < maaku> maybe if I'm "selling" superpreciousname.bit it's worth while
14:48 < maaku> petertodd: you mean like mining proof-of-work?
14:48 < maaku> sorry to come back, but this is sounding like "let's reinvent bitcoin!"
14:51 < petertodd> maaku: not reinventing, explaining what it's really doing
14:52 < petertodd> maaku: first of all, do you see how if miners did no validation at all, bitcoin can still work just fine?
14:53 < maaku> no
14:53 < jrmithdobbs> can you clarify that? what do you mean by that
14:53 < maaku> not for my definition of fine at least
14:54 < jrmithdobbs> petertodd: you mean that even if they didn't verify the actual contents as part of the pow the verification would happen by being rejected by peers on the network? or are you after something else?
14:55 < andytoshi> i think he means, the order of transactions would be set in stone by the POW
14:55 < petertodd> andytoshi: exactly
14:55 < andytoshi> and the ordering is the only thing that nodes can't agree on by themselves
14:56 < petertodd> andytoshi: and nothing else, dups, invalid, whatever would all be allowed
14:57 < andytoshi> it occurs to me that growing up is in some sense a POW, you can't sybil irl because humans take so long to spam
14:58 < petertodd> andytoshi: indeed
14:58 < petertodd> jrmithdobbs: well, wallet software would ignore the invalid transactions basically
14:59 < jrmithdobbs> petertodd: but it wouldn't "work just fine" in that case as the clients would have to do a lot more filtering and processing wouldn't they? you get the ordering from the pow but you don't know how much of it is valid, doesn't that open up real spam issues?
14:59 < petertodd> jrmithdobbs: after parsing through the entire blockchain
14:59 < petertodd> jrmithdobbs: oh sure, but other than bandwidth and storage the system *would* work just fine
14:59 < petertodd> jrmithdobbs: IE, miner validation is an *optimization*, it's not fundamental
15:00 < maaku> ok yes, i get that (i wouldn't say "just fine" either, but let's not argue semantics)
15:00 < petertodd> maaku: "just fine" to a mathematician :)
15:00 < jrmithdobbs> petertodd: i see your point but would like to point out that the basic mechanisms for all this have been around for several decades and the optimizations are what made it feasible ;p
15:01 < jrmithdobbs> damn you beat me to the academic joke ;p
15:01 < petertodd> jrmithdobbs: well no, proof-of-work consensus in any form *has not* been around for long
15:02 < jrmithdobbs> petertodd: but its building blocks have been
15:03 < maaku> petertodd: requiring nodes to validate by processing the entire block chain themselves is not scalable. so how do you determine with certainty whether the inputs to a transaction are valid without processing the whole block chain?
15:03 < amiller> jrmithdobbs, no one thought of doing proof of work consensus, it's an out-of-the-blue idea
19:21 < gmaxwell> "Uh.
maybe there is a NTP reflection DDOS attack" "oh look, one was recently found and is being exploited"
19:21 < petertodd> lol
19:23 < andytoshi> petertodd: suppose that you've got like a 1btc bond, and it's only considered valid by fast food restaurants and groceries (who want the bond value to be some large multiple of the product value)
19:23 < andytoshi> then to get a net win a scammer would have to get to a whole ton of physical stores within a blocktime or two
19:23 < andytoshi> (and any more than a blocktime would require some sort of mining-based attack)
19:24 < petertodd> andytoshi: sure, but that just goes to say you have to take countermeasures against that kind of thing or it's easy to rip off
19:24 < phantomcircuit> andytoshi, or coordinate with lots of other scammers
19:24 < gmaxwell> andytoshi: really these things make more sense in the context of an anti-doublespending signer service rather than personally, as the signer service could afford a bond a huge multiple of the typical transaction prices.
19:24 < phantomcircuit> (organized russian crime groups do this fairly regularly with atm heists)
19:24 < gmaxwell> (and could also be secured by hardware remote attest)
19:24 < petertodd> gmaxwell: esp if the signing service provides some kind of proof of how many uncommitted btc they've signed for
19:25 < andytoshi> phantomcircuit: right, derp
19:25 < andytoshi> gmaxwell: neat, then you've got a traditional debit-card system but with a bit less trust
19:26 < gmaxwell> petertodd: if only someone recently described how to run a cryptographically private accumulator...
19:26 < petertodd> gmaxwell: I know 'eh?
19:26 * andytoshi has one last exam tomorrow, better get off -wizards before somebody posts a link
19:26 < phantomcircuit> lol
19:39 < maaku> petertodd gmaxwell: I had a "duh" moment, but if prefixed proofs become *required* for transaction and block propagation, then it doesn't matter how the (U)TXO index is keyed, right? or the size of the UTXO set?
19:40 < petertodd> maaku: it's impossible to require them effectively
19:40 < maaku> well, setting that aside...
19:40 < maaku> spherical cow analysis, if you could get every node to upgrade, etc.
19:41 < petertodd> then you'd get collusion between miners who greatly reduce their bandwidth to each other by leaving out proofs they don't need because they have parts of the utxo set cached
19:42 < maaku> i'm not sure that's a problem, except as it applies to decentralization
19:43 < petertodd> well if it's not a problem, then why did you want to require them?
19:43 < gmaxwell> perhaps I'm missing some context, as I don't see what maaku is talking about (maybe it was something too obvious?)
19:43 < petertodd> I assume for fairness, otherwise you might as well just only provide proofs when needed
19:44 < maaku> well it's very obvious now that i think about it, but the trigger was that I was assuming you need to store the UTXO twice to support scriptPubKey-indexing
19:44 < gmaxwell> the whole idea of the MMR-structured data was that it let you make a storage/bandwidth tradeoff if you could always demand a peer give you proofs with their transactions.
19:45 < gmaxwell> oh no, you wouldn't though you should note that scriptPubKey-indexing isn't naturally computationally balanced so its a poor index.
19:45 < justanotheruser> petertodd: do you think blockchain sharding will be implemented some time soon?
19:45 < petertodd> justanotheruser: heck no
19:45 < gmaxwell> (also making address reuse cheaper is unfortunate)
19:45 < maaku> but if a proof comes with a transaction, you could just mandate that proofs contain the paths to the inputs in the scriptPubKey index, and a mapping of txid:n -> scriptPubKey
19:46 < justanotheruser> petertodd: what if the number of full nodes drops below 2k?
19:46 < gmaxwell> yea, sure. Doesn't mean that indexing by scriptPubKey is actually desirable, but if you change how transactions look up their inputs, then indeed, you don't need two indexes.
19:46 < maaku> "<gmaxwell> (also making address reuse cheaper is unfortunate)" <-- yes i'm onboard with that. this is more of a -wizards hypothetical
19:47 < gmaxwell> ::nods::
19:47 < maaku> yeah ok i was stupid for not realizing that earlier
19:47 < petertodd> justanotheruser: sharding requires miner co-operation and a soft-fork
19:47 < justanotheruser> petertodd: yes, wouldn't it be necessary because the number of full nodes is dropping?
19:48 < sipa> well, if we can create a currency from scratch, with outputs being (value, merkle-ast-root) and inputs being (merkle-script, script inputs), you can easily (except for potential unbalancing) have your UTXO tree indexed by (merkle-ast-root, txid)
19:48 < maaku> justanotheruser: re "blockchain sharding" sortof, that will come soon
19:49 < maaku> if, that is, you mean pruning where some nodes only store ranges of blocks
19:49 < maaku> not tomorrow though, but soon
19:49 < justanotheruser> maaku: I mean blockchain sharding as in https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03307.html
19:50 < sipa> so you only need a single UTXO data structure for both validation lookups and lightweight node balance checking
19:50 < gmaxwell> The unbalancing could be avoided by just prohibiting reuse. You end up with a design close to an anonymous coin then. E.g. where outputs do blinded inserts into an existing coin list, and where inputs unblind coins, prove the coins exist, and they are added to a spent coin list.
19:51 < petertodd> justanotheruser: necessary doesn't make stuff actually happen you know, more likely lack of full nodes just pushes people to use web-wallet stuff
19:52 < petertodd> justanotheruser: with so few pools the politics of the situation are unknown and may not be what we want...
19:52 < justanotheruser> gmaxwell: btcguru in #bitcoin is linking to a sketchy website. No results on google
19:53 < justanotheruser> petertodd: why would the number of pools affect that?
19:53 < petertodd> sipa: ugh, I really think we're best off avoiding that kind of single-scriptPubKey balance checking stuff
19:53 < petertodd> justanotheruser: because they're large enough that more centralization and fewer nodes out there may be in their interests
19:54 < maaku> sipa: yeah that was more my line of thinking. indexing by txid or by insertion order isn't really useful, other than that's how bitcoin is structured (scriptPubKey isn't available in the input)
19:54 < maaku> and, i guess, useful in that it doesn't encourage bad, bad things like dumping data on the block chain
19:55 < petertodd> maaku: or address re-use
19:55 < sipa> petertodd: maybe - i don't like the privacy implications of that either
19:56 < maaku> petertodd: yeah, although I don't know how to support looking up bip 32 or keypool addresses without also encouraging address reuse :(
19:57 < petertodd> maaku: use fixed prefixes so all you're reusing is the prefix, which still gets you a decent anonymity set (see my recent post on blockchain data)
19:58 < petertodd> maaku: for change I think we can get away with totally random change addresses as the set of *unspent* change txouts doesn't have to grow
20:03 < gmaxwell> Man, people are going to love anonymous coins where efficient lookups for payments to you is impossible.
20:04 < petertodd> gmaxwell: ?
20:06 < gmaxwell> petertodd: if you have a truly anonymous cryptocurrency, e.g. one that worked by committing to blinded coin values in an insertion ordered tree.. there is no way to tell someone paid you from just inspecting the currency.
20:07 < gmaxwell> They'd have to tell you out of band, or you'd have to have a separate channel e.g. for storing ECDH keyed encrypted messages "hey, I paid you, the blinded coin has value X"
20:07 < petertodd> gmaxwell: oh sure - all this business about stealth addresses is just a way of relaxing that anonymity a bit so you can recover the payment.
even a fully anon cryptocurrency can always bolt on a messaging layer to provide that channel
20:08 < gmaxwell> yea, but interestingly the messaging layer could easily break the privacy.
20:08 < petertodd> gmaxwell: if bitmessage was reliable, you'd just use it, but it's not for non-interactive use
20:08 < gmaxwell> e.g. if the messages have a visible "to" it likely removes it completely.
20:08 < petertodd> gmaxwell: well, if you re-use something like bitmessage, at least your anonymity set also includes random messages unrelated to payments
20:09 < gmaxwell> an interesting point.
20:09 < justanotheruser> Are you referring to zerocoin?
20:09 < petertodd> Anyway, figuring out how to make the user-experience of "must send this packet of data for foo to get their coin at all" to be acceptable might come in handy for other crypto-currency schemes like txin commitments where the network doesn't have the data at all.
20:10 < gmaxwell> petertodd: well in general separating the accumulator operation from notice is interesting. Esp since there are different durability requirements.
20:10 < gmaxwell> e.g. losing old notices, ::meh::
20:11 < petertodd> gmaxwell: yup
20:11 < gmaxwell> justanotheruser: no.
20:20 < phantomcircuit> Morici v Hashfast Technologies
20:20 < phantomcircuit> and so it begins
20:20 < phantomcircuit> Case5:14-cv-00087
20:26 < gmaxwell> phantomcircuit: do you have some data feed of bitcoin relevant docket entries?
20:27 < phantomcircuit> gmaxwell, yes
20:28 < phantomcircuit> fun with lexus nexus
20:28 < gmaxwell> Is anyone aware of any fully homomorphic encryption schemes that can have a plaintext output? e.g. the code inside the FHE decides to write to a plaintext output
20:28 < gmaxwell> phantomcircuit: any details on it?
20:28 < phantomcircuit> gmaxwell, i'll upload the complaint in a minute
20:31 < phantomcircuit> gmaxwell, also it should be on RECAP now
20:34 < phantomcircuit> huh not working
20:36 < gmaxwell> and of course, pacer's password recovery takes like ... days
--- Log opened Tue Jan 07 00:00:00 2014
--- Day changed Tue Jan 07 2014
00:00 < wyager> There is no proof that finding primes is particularly difficult
00:00 < wyager> but I suppose the same is true about the discrete log problem haha
00:00 < wyager> Namecoin is actually useful
00:00 < gmaxwell> primecoin is pretty uninteresting, its not a problem anyone cared about before.
00:01 < gmaxwell> Namecoin might be interesting but it's mostly abandoned and has some serious problems.
00:01 < wyager> Yeah, sadly
00:01 < wyager> I think the tech could seriously replace DNS
00:01 < wyager> Scaling might be a bit of an issue, but maybe not
00:02 < gmaxwell> basically nothing else has done much of anything. peercoin and feather coin have solved their consensus problems (in one case PoS doesn't really work, in the other because their blocks are too fast) with developer controlled selection on the best chain.
00:02 < Luke-Jr> something similar to namecoin could..
00:02 < gmaxwell> wyager: you can't do a secure lite client resolver for namecoin with the current design. it can be done, but namecoin doesn't do it.
00:02 < wyager> SPV?
00:02 < gmaxwell> I'd suggested how back in 2011, but by then namecoin development was mostly dead.
00:02 < wyager> Or SNV, rather
00:02 < gmaxwell> wyager: can't work in the current system.
00:03 < wyager> Really? Why's that?
00:03 < gmaxwell> (vulnerable to replay of old records)
00:03 < wyager> Don't records expire?
00:03 < wyager> Ah
00:03 < wyager> I see
00:03 < wyager> records can be updated before expiration
00:03 < gmaxwell> easily enough fixed: https://bitcointalk.org/index.php?topic=21995.0
00:03 < gmaxwell> and the record expiration is rather long.
00:04 < wyager> clever
00:05 < gmaxwell> state proofs have a lot of other advantages, e.g. like being able to prove to a lite node that a block is invalid.
00:06 < gmaxwell> in any case, I have an old (and long past due for updates) list of alt ideas I think are interesting: https://en.bitcoin.it/wiki/User:Gmaxwell/alt_ideas
00:09 < wyager> hahahaha
00:09 < wyager> I love the timelock chain idea
00:09 < wyager> that would provide a very useful public service
00:10 < wyager> Do you sit around all day and think of clever crypto ideas? It seems like it would be a nice hobby :p
00:11 < gmaxwell> wyager: I mean, it's taken years to produce these.
00:11 < gmaxwell> actually I have a ton more of them that aren't there.
00:11 < wyager> Yeah, but a lot of these are great
00:11 < wyager> People have built entire altcoins on less
00:11 < gmaxwell> correction: no altcoin has ever been built on anything as cool as anything on that list. (except maybe merged mining in namecoin) :P
00:12 < wyager> hehe
00:12 < gmaxwell> well okay, peercoin's PoS was the same scale of an idea, but it doesn't really work but perhaps some of those ideas won't work either (well, almost certainly some won't work)
00:13 < wyager> What is wrong with PoS? I haven't actually researched any criticisms of Peercoin
00:13 < wyager> But PoS seemed OK
00:13 < gmaxwell> yea, I think the timelock is sexy. I came up with it midsentence while I was telling someone that timelock appears impossible. :P
00:13 < gmaxwell> wyager: the nothing at stake problem.
00:13 < justanotheruser> gmaxwell: What do you think of nxt's PoS? nxt doesn't have checkpointing.
00:13 < wyager> Which is? Aren't you giving up scare coin-days?
00:13 < wyager> *scarce
00:13 < gmaxwell> justanotheruser: lollollol
00:14 < justanotheruser> gmaxwell: I realize it is 100% premined which is why I specified their PoS
00:14 < gmaxwell> Basically in POW you're incentivized to mine on the ONE TRUE most likely to ultimately survive chain because they're burning a costly resource forever every attempt they make, and their only compensation is getting a block in that one true chain.
00:15 < gmaxwell> The nothing at stake problem is that since you don't really burn anything there isn't any reason not to mine many forks in fact its the rational optimal strategy to mine all forks you don't hate.
00:15 < wyager> I see
00:15 < wyager> don't they waste compute power as well though?
00:15 < wyager> by mining on every random ass chain
00:15 < justanotheruser> gmaxwell: To fork PoS you wouldn't have to expend additional resources, but you would still need more PoS "mining" power than the main chain.
00:15 < gmaxwell> Including all possible hypothetical forks. There was a neat attack once PPC started pos mining: someone programmed their system to consider all possible forks to find the ones where their stake was selected over and over again as the block winner.
00:16 < gmaxwell> wyager: yes and at the limit it just becomes POW in disguise when that happens.
00:16 < Taek42> that's a pretty cool attack
00:17 < gmaxwell> PPC "fixed" that bug by forever requiring POW blocks, and setting it up so the identity of the stake depended on nothing after the last POW block.. which makes the specific all-blocks-are-mine attack harder (requires some POW power), but kinda breaks the energy argument and still leaves weird incentives to mine forks.
00:17 < gmaxwell> justanotheruser: Oh is nxt's fork out? I'll tell you what lines of code to change so you can mine all the blocks.
00:23 < Taek42> I had an idea, 'Proof-of-Storage'
00:23 < wyager> I also like merkelized AST P2SH
00:23 < gmaxwell> wyager: I really wish I knew a way to make POS work, but the best I can offer is if you have one cryptocurrency you could mine another by moving/destroying/etc coins in the first.
00:23 < wyager> Oh, and gmaxwell, my IRC client crashed so I may have missed a few things you said
00:24 < gmaxwell> Taek42: do you mean something like https://bitcointalk.org/index.php?topic=310323.0
00:24 < Taek42> not quite
00:25 < Taek42> the idea is that nodes contribute storage to the network, that can then be sold over the same network
00:25 < Taek42> like distributed cloud storage
00:25 < Taek42> where being a storage host gives you coin mining
00:26 < gmaxwell> Taek42: yea, I don't know how to do that except via proof of throughput which may not be what you want.
00:26 < wyager> Didn't cryptosphere or something try to do something like this?
00:26 < gmaxwell> And I've thought long and hard about how to actually do that.
00:26 < Taek42> where I'm currently stuck is the blockchain
00:26 < gmaxwell> the problem is that if you prove you have storage via a fiat-shamir of a cut and choose over it, you can just POW grind the proof to hit a fraction of the data you've kept.
00:27 < gmaxwell> ... and worse, its delegatable.
00:27 < Taek42> delegatable?
00:27 < gmaxwell> e.g. a pool can keep the data, and answer queries for other miners.
00:27 < gmaxwell> so you'd only get one copy of the data, which wasn't your goal.
00:28 < Taek42> ah yes, we did think of a solution to that
00:28 < Taek42> a partial solution, that is
00:29 < wyager> gmaxwell: What if you did something like this: You only want to verify that the other guy is keeping a backup (you also have a copy), so you make him XOR the data he's supposed to be keeping with the output of a stream PRNG (you do this as well) and then make him give you the hash of this data. You can't spoof this without actually having a copy of the data. That would work for distributed backup systems, at least.
00:29 < Taek42> the goal would be perfectly distributed data with a tunable redundancy such that nodes go offline over a perfect random distribution.
00:30 < Taek42> anytime nodes go offline in some fashion that doesn't follow a perfect random distribution, you assume they are somehow correlated
00:30 < gmaxwell> wyager: but who are "you".. distributed system, right?
00:31 < wyager> Alice wants Bob to keep a backup of her super important file. To make sure Bob doesn't delete his copy and say he still has it, Alice makes Bob modify the file and hash it. Alice does the same on her end, and if Bob can't produce the correct hash, he no longer has the file
00:31 < wyager> So it's not the same thing as distributed storage
00:31 < wyager> it's just distributed backup
00:31 < gmaxwell> wyager: thats really inefficient too.
00:31 < Taek42> (maybe they were all sharing a file - so they were pretending to be redundant but they weren't, or maybe they were all in Afghanistan and then Afghanistan decided to remove itself from the internet the way (Iran?) did - either way they were correlated in some way, which is against the goals of the network)
00:32 < wyager> Meh
00:32 < gmaxwell> wyager: e.g. forget the stream cipher whatever. Just challenge bob to provide a couple blocks at random from the file.
00:32 < wyager> Yeah, true
00:32 < gmaxwell> (or, if you want, the hash of a couple blocks at random)
00:33 < gmaxwell> wyager: a point there is that no matter which of those you do, bob can turn around to proxy the requests to mallory. Mallory has the data and answers.
00:33 < gmaxwell> wyager: if you had ten bobs you wanted to store the data, perhaps they're all just proxying through to mallory.
00:34 < Taek42> so when multiple nodes go offline in a correlated way, you punish them for 'false redundancy'.
00:34 < wyager> Unless Alice sends copies encrypted with a different key to all people
00:34 < wyager> Then at least she knows that Mallory must be using space to store the file
00:34 < gmaxwell> Taek42: how can you make a consistent observation of "offline" in a decentralized system?
00:34 < Luke-Jr> ^
00:35 < gmaxwell> Or is your system merely distributed and not anonymous?
00:35 < wyager> And Bob has to pay Mallory anyway, so he's probably keeping it on his own unless the cost savings Mallory offers are worth more than his reputation if he gets discovered
00:35 < Taek42> they don't participate in N consecutive blocks
00:35 < gmaxwell> wyager: yea sure, though that gives alice n-fold communications cost.
00:35 < Taek42> wyager you can do better:
00:36 < Taek42> use something like LT-Codes or Reed-Solomon codes to produce the file
20:05 < phantomcircuit> even after adding a bunch of debugging stuff to cpuminer it's still not matching
20:56 < gmaxwell> amiller: it would also be very simple to implement.
--- Log closed Wed Sep 18 00:00:51 2013
--- Log opened Wed Sep 18 00:00:51 2013
11:48 < gmaxwell> oh here is an interesting idea for an evil altcoin: some portion of the coin's supply comes from converting bitcoins... but instead of making you burn bitcoins, thus increasing their scarcity... it makes you turn them into far futured nlocked anyone can spends... so that bitcoin value isn't increased by the removing coins from circulation, since everyone knows that they'll flood back in later.
11:53 < sipa> what's evil about it?
11:57 < gmaxwell> well, not that evil. I don't have _that_ much capacity to think evilly. :P But it's something of an economic attack, in that it attacks confidence about the level of coin scarcity in the future. Basically it removes use of bitcoin by removing coins from circulation, but not far enough so that bitcoin is more scarce.
11:57 < gmaxwell> not that different from something like the mastercoin exodus address, but there is no conversion to a private value.
16:08 < warren> did mastercoin actually destroy BTC?
16:11 < jgarzik> I don't know if that's happened.. their protocol described creating unspendable outputs
16:11 < warren> He raised a lot of money for doing nothing.
16:11 < warren> it took us two months to raise 10% that much
16:12 < jgarzik> a fixed asset within a fixed asset.
16:12 < warren> an asset entirely in cash with poor management can be worth less than the value of cash.
16:13 < jgarzik> it can be worth more. it can be worth less. yes :)
16:13 < jgarzik> it's basically pybond-like scheme
16:13 < jgarzik> everyone must conform to the additional protocol
16:14 < sipa> he seems to be just using bitcoin as a very expensive replicated append-only log
16:15 < sipa> by encoding data into fake addresses
16:15 < warren> jgarzik: I also wonder if Mastercard will try to crack down with a "confusingly similar" trademark infringement claim
16:19 < gmaxwell> warren: he's destroying very tiny amounts of btc, but his fundraising was just to a vanity address.
16:19 < gmaxwell> (though this was a bit confusingly marketed, at least some people thought the "exodus address" was some kind of special gateway address and not just going into his pocket.)
16:19 < warren> at least prunable?
16:19 < jgarzik> warren, not v1, no
16:20 < warren> fun
16:20 < jgarzik> warren, v2 is multisig, where 1-of-3 is valid, 2-of-3 are data
16:20 < jgarzik> so still bloating UTXO
16:20 < Luke-Jr> jgarzik: but nothing is actually implemented, AFAIK?
16:20 < jgarzik> yah. people are "working on things"
16:20 < gmaxwell> nothing is implemented but they're still making "v1" transactions by hand using blockchain.info!
16:22 < sipa> jgarzik: but are those outputs actually spent?
16:22 < sipa> the muktisig onea
16:22 < sipa> multisig ones
16:22 < jgarzik> sipa, eventually creating other 1-of-3 multisig data carrying outputs
16:23 < sipa> ic
16:23 < sipa> that's better than unspendable in any case
16:23 < sipa> but i think it's wrong to talk about spendable or not
16:23 < warren> sounds like a parasite
16:23 < sipa> it's about whether they're getting spent
16:23 < Luke-Jr> is it doing *anything* that can't be accomplished with merged mining?
16:24 < sipa> i doubt that
16:24 < Luke-Jr> how much did he raise again? <.<
16:24 < sipa> no idea
16:24 < jgarzik> dunno
16:24 < jgarzik> presumably bc.i or be will tell you
16:24 < gmaxwell> ~4000 btc?
16:24 < gmaxwell> 4740 BTC.
16:25 < Luke-Jr> pfft
16:25 < Luke-Jr> give it all to sipa to do the coding for a year
16:25 < Luke-Jr> :P
16:25 < sipa> daaaamn
16:25 < gmaxwell> giving money to sipa would only save the world, not create some toy asset that you can pump and dump.
16:26 < warren> only
16:26 < Luke-Jr> hehe
16:26 < gmaxwell> warren: what, are you some kinda socialist??
16:26 < Luke-Jr> O.o
16:26 < jgarzik> Luke-Jr, well if it follows the pybond pattern, mastercoins are tradeable, normal transactions, with a little bit of protocol-specified data attached. merged mining would be far less efficient than a simple purchase via atomic coin swap.
16:26 < gmaxwell> It's a joke.
16:27 < Luke-Jr> gmaxwell: I think the lossy IRC lost the humour XD
16:28 < gmaxwell> jgarzik: yea, the zero trusted party atomic coin swap is easier to accomplish with their blockchain fattening approach.
16:29 < gmaxwell> Of course, if you have a trusted party (or even a smart property agent) that is giving value/meaning to the colored coin, then you could instead just instruct it to watch the bitcoin chain for a payment (or show it proof of one) in order to make an atomic transaction.
16:30 < gmaxwell> but if the thing you are trading for is just "mastercoins" then there is no such party.
16:31 < jgarzik> sure, that's a design choice, not having a centralized party ;p
16:31 < jgarzik> you pick a shared protocol rather than a common party
16:33 < gmaxwell> jgarzik: well, not quite in some cases, e.g. trading shares of some business there actually is a centralized party. Not making use of them doesn't make them stop existing. Most of the colored coins usecases are like that.
18:17 < amiller> "<sipa> he seems to be just using bitcoin as a very expensive replicated append-only log"
18:17 < amiller> yeah.
18:18 < amiller> i think things like that will happen more until bitcoin prices them out somehow, you can't prevent someone from putting the junk data in there if they want to otherwise
18:18 < sipa> well... technically, so is bitcoin
18:18 < amiller> all the colored coin schemes are defective for the reason that they don't put any data in the utxo
18:18 < sipa> it's also using the blockchain as an expensive replicated log
18:18 < amiller> so no one really has any incentive to actually maintain the indexes that will be needed to prove things
18:19 < sipa> hmm, how do you mean?
18:19 < sipa> they need an annotated utxo set
18:19 < amiller> suppose i want to do a complicated mastercoin query
18:19 < amiller> yeah
18:19 < amiller> they have so much functionality that they will need a whole giant sql database
18:20 < amiller> a lot of work (well, you in particular do all of it :p) goes into keeping the utxo manageable sized
18:20 < amiller> which is good because everyone replicates it
18:20 < amiller> but only "mastercoin" nodes will replicate the special mastercoin indexes, which will probably be enormous
18:21 < sipa> well, right now everyone with the UTXO set also has the blockchain
18:21 < sipa> so people are not pointed to the fact that they have very different replication needs
18:21 < amiller> yeah but if i want to answer a mastercoin query i might have to go take a very long walk through it
18:21 < gmaxwell> yea, the functionality they have described requires doing O(N^2) accesses to the set of all existing mastercoins. There isn't even an O(mastercoins) way to get just a list of currently existing mastercoins.
18:22 < sipa> oh my
18:22 < gmaxwell> And can't be. Even if the mastercoin is in the UTXO and you have a UTXO proof, you still need to do the history tracing unless nodes enforce the mastercoin rules on the UTXO.
18:22 < amiller> they're bolting on functionality left and right, it's a whole spreadsheet application
18:22 < sipa> i'm suddenly not worried about it anymore
18:23 < gmaxwell> basically all the colored coins proposals have these problems.
18:24 < gmaxwell> bitcoin at least gets you a computationally cheap verification because you can forward produce your own utxo. Mastercoin could do that too but you'd need special mastercoin nodes that examined the whole blockchain and built mastercoin indexes.
18:24 < sipa> i always imagined colored coins schemes as just augmenting the utxo set, with a "colors" tag for each coin
18:24 < gmaxwell> sipa: yea but mastercoin's "feature" list has things like automated trading with an orderbook in the blockchain.
18:25 < gmaxwell> so you'd have to do order matching against all the eligible coins...
18:25 < sipa> uhhhh
18:25 < amiller> no one is going to realize/notice/viscerally feel the problem until it's filled with junk and no one can afford to run a full mastercoin node and so everyone's security relies on checking mastercoinexplorer.info
18:25 < gmaxwell> and supporting multi-leg trades, like my 1 btc for your 1 mcUSD for amiller's 1 mcLTC.
18:26 < sipa> amiller: and i'm sure mastercoinexplorer.info will just scrape blockchain.info :)
18:26 < amiller> well that's not sufficient
18:26 < amiller> i mean
18:26 < amiller> it will have to maintain its own ridiculous index
18:26 < amiller> in addition to scraping
18:26 < amiller> good thing they've raised enough money to afford one instance of that for a couple years!
18:26 < gmaxwell> amiller: the funny thing is that they'll probably be fine with that. Annoyingly they'll shit all over the distributed system instead of just putting all that centralized stuff in a central place to begin with.. just because the pretext of decentralization raises money.
18:26 < sipa> they may come up with some checkpointing scheme, that includes the "index"
18:28 < amiller> opencoin/ripple also has this problem
18:28 < amiller> it just sucks that everything will seem like it's working as long as not too many people use it and no one minds that only a few people run nodes
18:30 < amiller> it won't crumble until it has a SatoshiDice moment
18:30 < gmaxwell> Centralized systems (even ones pretending not to be) are just fundamentally easier. It won't even crumble in that case, just throw more resources at it.
18:30 < amiller> bitcoin hit that hurdle and just leveled up, so to speak
18:31 < amiller> so suppose they're centralized (but no one notices because of confusing greypapers) and reasonably efficient as long as you don't run a full node, will they just gain users until there's an actual security breach or something?
02:10 < petertodd> zooko: kinda: https://en.bitcoin.it/wiki/Fidelity_bonds
02:10 < nejucomo> Hello.
02:10 < zooko> Thanks.
02:11 < petertodd> zooko: logs: http://pastebin.com/Rj4bshY3
02:11 < zooko> Thanks.
02:13 < realazthat> mmm
02:13 < midnightmagic> hey nejucomo
02:16 < zooko> Hey, you folks were talking about the danger of miners discriminating among txns. (In http://pastebin.com/Rj4bshY3 .)
02:16 < Luke-Jr> zooko: O.o?
02:16 < Luke-Jr> miners are supposed to do that
02:17 < petertodd> Yeah, that's part of Adam Back's thing with his commit coins stuff.
02:17 < petertodd> Luke-Jr: we mean mike-style blacklists
02:17 < Luke-Jr> mike-style blacklists?
02:18 < petertodd> Luke-Jr: Yes, as in centrally/semi-centrally issued lists of coins that must not be allowed to move.
02:18 < zooko> Luke-Jr: the minimal service that we need from miners is just to not include conflicting double-spends in their block.
02:18 < Luke-Jr> petertodd: I don't see a problem, as long as it's not enforced on blocks miners make
02:18 < petertodd> zooko: assuming a limited blocksize...
02:18 < zooko> Other than that, if they could be blinded to the contents of transactions that would be good.
02:18 < Luke-Jr> zooko: also spam filtering
02:18 < zooko> petertodd: why?
02:19 < petertodd> zooko: With unlimited, then you *do* want spam filtering to keep UTXO set size sane.
02:19 < zooko> Luke-Jr: well, inasmuch as something is imposing an externality that it doesn't pay for, then yes.
02:19 * zooko nods.
02:19 < petertodd> Anyway, Luke and zooko are really talking about different things here...
02:20 < petertodd> zooko: I guess the key-value store stuff is about halfway down that paste.
02:21 < zooko> petertodd: still reading that paste...
02:29 < zooko> rs
02:29 < zooko> oops
02:32 < gmaxwell> petertodd: a position I've taken before is that we'd much rather have the miners not able to pick and choose, but if we can't eliminate that choke point and its costs and risks, then we darn well better also exploit the public benefits of having it there.
02:34 < petertodd> well, I'm not that concerned about UTXO growth with small blocks, so I figure if mining is decentralized enough, miners will greedily choose tx's by fees, and I consider fees apolitical
02:38 < petertodd> adam back's tx hiding stuff is nice, among other similar solutions, but if you are thinking about scenarios where it's needed for more than just plausible deniability, users will be forced to prove what's in the opaque containers anyway
02:38 < petertodd> meanwhile, being able to implement IsStandard() and similar has strong practical benefits
02:40 < gmaxwell> I'd give up all that in exchange for a non-problematic blinding... esp if blocksize is not infinite fees should also stop spam. But not that I think we have non-problematic blinding.
02:40 * zooko too.
02:41 < Luke-Jr> SCIP could solve so many problems, that if I could be convinced it worked I'd be happy to depend on it :P
02:42 < Luke-Jr> maybe even could solve double spending. maybe.
02:42 < gmaxwell> Luke-Jr: well, that will just take time. It also will need to improve in performance before it solves many of them.
02:42 < gmaxwell> Nah, it doesn't prevent replay. I can't prove that I didn't separately spin up another computing instance and do some computation twice.
02:42 < Luke-Jr> gmaxwell: will it? verifying one SCIP signature for the entire blockchain sounds nice XD
02:42 < Luke-Jr> gmaxwell: well, you could prove you delete the private key then the question is can you prove you never copied it?
02:42 < petertodd> Luke-Jr: that's what the sales guys at amazon ec2 said as well
02:43 < petertodd> Luke-Jr: of course not
02:43 < realazthat> but you could make secure distributed cloud computing perhaps
02:43 < realazthat> I dunno if that is suggested anywhere
02:43 < realazthat> where people offer their computer time in exchange for bitcoins
02:44 < realazthat> all sorts of crazy ideas
02:44 < petertodd> realazthat: that's a long-standing problem with a whole bunch of efforts trying to solve it. Standard hardware and OS's just aren't up to the task
02:44 < realazthat> but SCIP can do it, no?
02:44 < petertodd> realazthat: TPM hardware is just too brittle
02:44 < zooko> Well, I'm not going to finish reading this chat log tonight...
02:44 < realazthat> I don't mean secret computing, just authenticated
02:44 < zooko> I'll leave it open in a browser tab...
02:45 < realazthat> ie. you can ask someone to do a job
02:45 < realazthat> they give you answer + signature
02:45 < petertodd> zooko: heh, it's deep, but hey, I did say "zooko's triangle" at one point in it :P
02:45 < realazthat> so you can make any problem verifiable
02:45 < petertodd> realazthat: yes, SCIP allows for that
02:45 < petertodd> realazthat: but you have to be very careful about what exactly you are saying the security is
02:46 < realazthat> so you can have people doing cloud computing
02:46 < realazthat> for things like protein folding etc.
02:46 < zooko> petertodd: cool!
02:46 < zooko> petertodd: we didn't speak at the conference.
02:46 < realazthat> in exchange for bitcoins
02:46 < gmaxwell> realazthat: they can monitor the computing though, it's not private when someone else is running it.
02:46 < realazthat> right
02:46 < realazthat> but public good projects don't care about that
02:46 < petertodd> zooko: oh, you were there? too bad
02:46 < gmaxwell> realazthat: they can go conduct an election.
02:47 < zooko> I saw you arguing heatedly with PVessenes at the core developers huddle. I said to him that the obligations for accounting are not expressed at the level of the Bitcoin protocol, they are merely that you have to "be able to identify+match" customers and their transactions.
02:47 < realazthat> gmaxwell: I don't understand
02:48 < petertodd> I remember that... he really should have kept his mouth shut. Lots of people have taken that as the foundation being actively anti-privacy.
02:50 < gmaxwell> realazthat: conducting an election is obvious public good thing, and the integrity and confidentiality of the election is important.
02:51 < realazthat> ah ofc
02:51 < realazthat> I meant the famous public projects like SETI@home
02:51 < realazthat> and Folding@home
02:51 < realazthat> and other scientific projects like that
02:52 < realazthat> ofc there wouldn't be confidentiality
02:52 < realazthat> but integrity, yes
02:52 < realazthat> homomorphic stuff could do confidentiality perhaps, but AFAIK that is totally impractical ATM
02:53 < petertodd> realazthat: unlikely. SCIP has a pretty big speed penalty, big enough that the usual method of just running work units on more than one computer would be far faster in practice.
02:53 < realazthat> mmm
02:54 < realazthat> interestingly, if SCIP is somehow used for proof-of-work for mining or somesuch, there would be huge incentives to improve it :D
02:54 < petertodd> and/or break it
02:54 < realazthat> yes lol
02:54 < realazthat> but imagine dedicated SCIP hardware
02:55 < petertodd> dedicated hardware typically only makes sense for simple algorithms - I'd be surprised if SCIP qualified
02:55 < realazthat> well, it needs to run a specialized assembly, essentially a VM
02:55 < petertodd> it's a lot more complex than that...
02:55 < petertodd> but I could be wrong
02:55 < realazthat> I think it makes sense to implement the virtual architecture, and take the signing to another CPU or w/e
02:56 < realazthat> maybe
02:56 < realazthat> I look forward to the source codes :D
02:56 < petertodd> I think you need to accept that neither of us know enough to have any idea if that's possible. :)
02:56 < realazthat> end of august for phase 1
02:56 < petertodd> which august? :P
02:56 < realazthat> this august if things go as planned, I guess
02:56 * petertodd works at a 12 year old startup
02:56 < realazthat> lol
02:57 < realazthat> software engineering
02:57 < realazthat> fun
02:57 < realazthat> always on time :D
02:57 < petertodd> some problems are hard, and just become harder when you try to solve them
02:57 < realazthat> yes
02:57 < realazthat> I am being optimistic
02:57 < realazthat> because I wanna experiment with the so many practical ideas
02:58 < realazthat> that would come to be if it were usable
02:58 < realazthat> mmm
02:58 < realazthat> how about this,
02:58 < petertodd> well, look at how the existence of the blockchain has spawned all sorts of clever ways to use that magical data structure
02:58 < petertodd> er... almost none of which are implemented
02:59 < realazthat> mmm
02:59 < realazthat> yeah
02:59 < realazthat> if you have something very interesting that is easy, tell me
02:59 < realazthat> I'll implement it :D
03:00 < realazthat> most of the things I heard were nice ideas, but not very practically applicable
03:00 < petertodd> I'm probably the world leading expert on how to sacrifice your Bitcoins (a rather dubious honor...) and I've done exactly one such sacrifice, and I did it by hand
03:00 < realazthat> unlike SCIP
03:00 < realazthat> haha
03:00 < petertodd> implementing stuff is a lot of work...
03:01 < realazthat> mmm
03:01 < realazthat> I have yet to find something really worth implementing though
03:01 < realazthat> ie. I've seen things that sound nice
03:01 < realazthat> but have no practical purpose in the near future
03:04 < realazthat> (if you do have some ideas that are practical, lay them on me)
03:05 < Luke-Jr> realazthat: any ideas? :P
03:05 < realazthat> well I still get to choose to do them or not lol
03:05 < realazthat> bite sized ideas preferable :D
03:06 < Luke-Jr> realazthat: https://gist.github.com/luke-jr/5409899
03:11 < realazthat> mmm
03:11 < realazthat> both interesting ideas hehe
03:11 < realazthat> so what does ctx accomplish though
03:11 < realazthat> saving space?
03:11 < Luke-Jr> saving blockchain space, lower fees, more privacy
03:12 < realazthat> ah yes
03:12 < realazthat> makes sense
03:12 < realazthat> I don't understand how it works exactly, but thats ok
13:00 < adam3us> petertodd: i think h(d,m,ctr) is enough. the main point of the determinism is to avoid relying on the rng. so its a kind of deterministic rng seeded with d built in sw so you dont have to trust the OS nor support libraries + the idempotency fix
13:00 < adam3us> petertodd: but idempotency anyway still works if the prefix target is deterministic
13:01 < petertodd> adam3us: but remember my point about coinjoin: you don't know m at the point when you want to specify the address
13:01 < adam3us> petertodd: i see. didnt get you before
13:04 < petertodd> adam3us: the frustrating thing is that it'd be possible to wind up with everyone using stealth addresses, and all this effort being wasted when a simple marker would suffice :P
13:06 < adam3us> petertodd: yeah (i didnt think about stealth, just about changing). but i wonder if stealth has a problem: how does the sender know what prefix to put? i suppose the prefix is like leading bits from H(d*P) where P is the sender address? that would be safe as it requires d to identify
13:06 < petertodd> adam3us: it's encoded in the address of course
13:07 < adam3us> petertodd: which address? sender, recipient base, or recipient randomized?
13:07 < petertodd> adam3us: the stealth address
13:07 < petertodd> adam3us: or more accurately, the scriptPubKey creation instructions making use of stealth
13:08 < adam3us> petertodd: well the stealth address becomes public after its spent, and so if the prefix of R is matching some bits from the S = dQ = zP if we call S the stealth address, then it becomes distinguishable after spend
13:09 < adam3us> petertodd: (which are hidden before spend because Saddr = H(S))
13:09 < petertodd> adam3us: huh? spent or not the derived one-time-only address is indistinguishable from any other random address modulo the prefix
13:10 < adam3us> petertodd: what i mean is spending reveals the pubkey hidden inside the address.
13:11 < petertodd> adam3us: prefixes would be on H(pubkey) or more likely H(scriptPubKey)
13:11 < petertodd> adam3us: only that is likely to be indexed for other purposes
13:11 < adam3us> petertodd: P is the senders pub key, Q is the recipients pub key, S is the stealth pub key. S=dP=d'Q where Q=dG and P=d'G, and Saddr=H(S) etc
13:13 < petertodd> adam3us: I don't see how that makes it distinguishable to an observer who only knows P and Q
13:14 < nsh> what's the topic?
13:15 < petertodd> nsh: stealth addresses, address is public, but only the recipient knows what payments are made to them
13:15 < adam3us> petertodd: ok maybe i am confusing it; point is recipient scanning looks for sender pub key P, multiplies by d to get S=dP=d'Q.
13:15 < nsh> oh, interesting
13:16 < adam3us> petertodd: then he can ask for prefix of H(S)
13:16 < adam3us> petertodd: but how does he know d*d' he needs that otherwise he has an unspendable addr
13:17 < petertodd> adam3us: no, you've got it backwards, recipient asks for all txs matching a specific prefix, and then for the matching transactions he scans
13:17 < adam3us> petertodd: how does the recipient know the prefix
13:17 < petertodd> adam3us: the recipient *specifies* the prefix
13:17 < adam3us> petertodd: how.. there is no comms channel
13:18 < adam3us> petertodd: the sender has only a compressed public key Q in QR form on a bizcard
13:18 < petertodd> adam3us: there doesn't have to be: the recipient specified it in conjunction with their pubkey
13:18 < petertodd> adam3us: the point is the sender is sending to a derived address, such that the address matches the prefix, and the recipient can calculate the privkey
13:18 < adam3us> petertodd: ok; and now everyone who he gives that bizcard to can also link his payments?
13:18 < adam3us> petertodd: (within the anonymity set of people with the same prefix)
13:19 < petertodd> adam3us: NO! because sender and receivers pubkey/seckey are combined with ECDH so the only parties who can calculate the shared secret are them
13:19 < petertodd> for any given sender/receiver pair there is exactly one shared secret, that only they know
13:21 < adam3us> petertodd: but more fundamentally how does the recipient know the private key for S. the shared secret coming from k=H(dP)=H(d'Q) is not usable to find d'*d
13:21 < adam3us> petertodd: you need some message space to communicate , and further you dont want to give the recipient d' or he double spend race your payment
13:22 < petertodd> adam3us: the recipient knows their secret key, and the pubkey of the sender (it's in the scriptSig). The sender knows the recipients pubkey, and their seckey. Thus they both arrive at shared secret x, and that can be combined similar to BIP32 to form a pubkey that only the receiver has the seckey too.
13:22 < adam3us> petertodd: not trying to be obtuse btw - i want this to work too.
13:22 < petertodd> adam3us: heh
13:23 < adam3us> petertodd: so specifically sender pub key is P, sender private key is e, P=eG; recipient base key is Q, recipient private key is d, Q=dQ;
13:24 < petertodd> adam3us: right, so x=eQ=dP, x is the shared secret
13:24 < adam3us> petertodd: now DH says that P & Q can negotiate a shared secret as dP=eQ=d*eG=e*dG and often it is hashed to remove bias
13:24 < petertodd> adam3us: right
13:24 < adam3us> petertodd: ok now what can they do with this secret... they have to delegate to Q some way to be able to compute a private key
13:25 < petertodd> adam3us: well, this secret could be hashed and used as the private key for the one-time-only address
13:25 < adam3us> petertodd: ok say S=xQ=x*d*G
13:25 < petertodd> adam3us: more sophisticated is to do the BIP32 trick to derive a pubkey using that shared secret as a nonce
13:26 < petertodd> adam3us: now only the recipient can spend the funds and we're all good
13:26 < adam3us> petertodd: and yes actually x=H(eQ)=H(dP)
13:26 < petertodd> adam3us: right
13:27 < adam3us> petertodd: alrighty. i am glossing over BIP 32 HDness but yes. they can treat x as a chain code if they want.
13:27 < petertodd> adam3us: yup
13:27 < petertodd> adam3us: and you can use a nonce to grind until the resulting address has the right prefix
13:28 < adam3us> petertodd: grind address or signature? either could be done
13:28 < petertodd> adam3us: no, it has to be grinding the address because we can only count on address indexes existing
13:28 < adam3us> petertodd: ok its good for existing infra agreed
13:29 < petertodd> adam3us: well, infrastructure that can be reasonably expected to exist in the near future :p
13:30 < adam3us> petertodd: nevermind; call me a spherical cow. so point is now the prefix is linkable modulo overlap if it small enough
13:30 < petertodd> adam3us: yeah, e.g. if it's an 8-bit prefix your anonymity set is 1/256th of all addresses
13:31 < adam3us> petertodd: and i guess its not going to be too big because you're grinding it through EC operations like vanity address levels of cost
13:31 < petertodd> adam3us: yup, and the *sender* needs to do it which kinda sucks
13:31 < adam3us> petertodd: and the generator maybe a smart phone
13:32 < petertodd> adam3us: you can be a bit clever, and abuse multisignature w/ fake pubkeys, but that's the best you can do
13:32 < petertodd> adam3us: (that makes the inner-loop SHA256)
13:33 < adam3us> petertodd: yes or maybe p2sh with random unused value on stack
13:33 < petertodd> adam3us: well, that's no longer a standard transaction format
13:33 < adam3us> petertodd: p2sh restricted that much?
13:33 < petertodd> adam3us: might as well just do a marker explicitly
13:34 < petertodd> adam3us: that too... IsStandard() is applied to P2SH inner scriptPubKeys
13:35 < adam3us> petertodd: i dont think it matters so much actually to hide that it is a sender generated addr. its not like one use addresses are not allowed or that there is any stigma to using them
13:35 < adam3us> petertodd: so i view the encoding as more a way to do it without introducing a new format
13:35 < adam3us> petertodd: and without requiring a new index
13:35 < petertodd> adam3us: with regard to coinjoin you're better if you stick to something standard
13:36 < petertodd> adam3us: a subtle point with that too is you probably want to make your change look like a stealth payment if you are distinguishable
13:37 <@gmaxwell> 07:50 < adam3us> btw the card thing P(52,26) is conveniently > 2^128. course then you have to keep them from getting accidentally shuffled
13:37 <@gmaxwell> ^ the case where you care about the permutation is kinda lame because you'd have to capture the data twice.
13:38 <@gmaxwell> if you only care about assignment, you walk into a drug store, buy a cheap pack of cards, shuffle and split and depart.. then later capture the data from your cards.
13:38 <@gmaxwell> If you exchange via a permutation you have to shuffle and digitize without breaking the permutation.
13:40 < maaku> gmaxwell: slide the deck on a flat surface
13:41 < adam3us> gmaxwell: yes. well also you dont know the other guys permutation, unless you do some card game/trick on a table to co-sort them
13:41 < nsh> hm
13:41 <@gmaxwell> right but the split method (where you only gain bits from the assignment of which person got the card) doesn't care about the permutation.
13:42 < adam3us> petertodd: so full nodes are no problem anyway. 1 byte was my guess for 'bloom bait' also. is that small enough for SPV efficiency?
13:42 <@gmaxwell> You just take the card deck(s) shuffle, and split between the two people. No prep required, and no issues with accidentally reordering them.. though you only get on the order of 50 bits (1 deck) or 100 bits (2 decks).
13:43 < petertodd> gmaxwell: it's interesting how for cards that have a top and a bottom you could shuffle their orientations, draw a line with a marker across one side, and then you have a 52-bit secret in a card deck that's highly subtle
13:44 < petertodd> adam3us: 1/256th is ~4KB/block, not a big deal at all
13:44 < adam3us> petertodd: yeah but say scan a few weeks worth.
19:06 < warren> the mac builds are 32bit
19:06 < sipa> ah
19:06 < gavinandresen> I was running a bitcoind compiled with clang when I got corruption
19:06 < warren> gavinandresen: 32bit or 64bit?
19:06 < phantomcircuit> personally i suspect there is an issue with the ioctl sync function
19:06 < phantomcircuit> but who really knows
19:12 < Luke-Jr> cfields: have you published any of the Mac stuff yet?
19:17 < cfields> Luke-Jr: i'm just now starting to get it packaged up. It looks about like this right now: http://www.digitalmediatree.com/library/image/12/beautiful_mind_2.JPG
19:17 < cfields> should have something presentable in a few days i'd think
19:21 < cfields> it will initially be missing some of the dmg fluff. compression, background images, drag+drop, etc. But i'll publish before tackling those in the hopes of finding some help along the way
19:27 < warren> cfields: is the plist working in your build?
19:27 < cfields> basic, not fancy
19:27 < sipa> plist?
19:28 < cfields> which is why drag+drop and background images aren't hooked up yet
19:28 < cfields> we'll have to port that stuff
19:30 < cfields> sipa: i assume he was alluding to the 'fancy' dmg generation options. customizations for how the dmg should present itself when opened
19:38 < Luke-Jr> wtf, why could callq ever segfault?
19:40 < warren> cfields: no
19:40 < warren> cfields: the context menu on the dock when you right click
19:44 < cfields> warren: hmm, no. tbh i'm not sure where that comes from?
19:46 < gavinandresen> warren: clang 64-bit. All of the speculating "maybe it is this, maybe that, lets try putting a full-sync here" is unlikely to be productive. In my humble opinion, somebody who knows a lot about the OSX filesystem needs to instrument leveldb (maybe stream a log of operations over-the-network to a second logging system???) and either figure out how the corruption could happen theoretically or capture an actual case of corrupti
19:48 < gavinandresen> (I'm hoping somebody who knows a lot more about filesystems than I do will tell me why I'm wrong, and what actually needs to be done is to run the FroBaz Filesystem Widgetizer to capture all low-level disk activity and analyze it with the FileWizPro doo-hickey)
19:49 < gavinandresen> ( after installing some hardware on the EIEIO hardware bus)
19:50 < cfields> gavinandresen: i was discussing with warren a bit yesterday. Seems to me it would be a reasonable first step to throw an assert() and output some useful data (like what the actual/expected read data was) in the case of a crc mismatch
19:50 < cfields> or is the read data completely unhelpful, and only the failed write is interesting you think?
19:51 < gavinandresen> dunno, haven't thought about it.
19:52 < warren> gavinandresen: I'm convinced that the wild guesses earlier (fsync blah) actually did fix things, the errors we have now are more consistent.
19:52 < gavinandresen> warren: okey dokey. Just don't forget that we're pattern-seeking monkeys....
19:53 < cfields> warren: i just compared my linux-built dmg to mainline bitcoin-qt. They seem to have the same options/actions
19:54 < warren> cfields: great
19:54 < cfields> afaik dock handling is done in code. I'm not aware of anything to mess with in packaging
19:54 < warren> there's python scripts that fiddle with the plist stuff
19:55 < cfields> other than maybe ensuring the icon finds its way to the right place
19:55 < cfields> yea, i hacked those up to make em work in linux
19:55 < warren> ooh, I'm interested in that
19:58 < cfields> ok
19:59 < cfields> i'm off for tonight. I've got the rest of the week to spend on this, though. And I'll get the qt updates in somewhere in there as well.
--- Log closed Wed Nov 20 00:00:39 2013
--- Log opened Wed Nov 20 00:00:39 2013
10:06 < adam3us> hmm HD wallets, armory use of the concept, does the chaincode of an offline wallet get copied to the watch only online wallet?
10:07 < adam3us> ie if someone has a copy of the root key, is that enough to recover the wallet and access funds if they also got all the info out of the online wallet?
10:18 < sipa> do you mean BIP32, or armory's deterministic wallets?
10:18 < sipa> or did armory already adopt BIP32?
10:30 < adam3us> hmm i am not sure - i thought because alan had commented on bip 32 and been involved with it that was the same thing
10:33 < sipa> they both use a 'chaincode'
10:46 < adam3us> i am wondering if the online wallet is a sub-wallet or shares the same chain code
13:07 < cfields> anyone happen to be around and running windows?
13:49 < BlueMatt> hah
13:49 < BlueMatt> windows?
13:52 < cfields> heh, exactly. hacking on win32, but i have to trust wine to verify. in this case i really can't
14:01 < BlueMatt> this is what kvm is for
14:18 < phantomcircuit> BlueMatt, yeah but who has a retail license to install with anymore?
14:18 < phantomcircuit> i still use windows xp since its the only thing i have a disk for...
14:19 < BlueMatt> university licenses :)
15:20 < warren> I'm trying to figure out a quick hack (for modeling purposes only) that removes all UTXO that is 1-satoshi in value after reindexing to X height.
16:10 < BlueMatt> warren: try using the new drop-unspendable code and replace the unspendable check with 1-satoshi?
16:10 < BlueMatt> (and then short-circuit the return falses for now-invalid txn?)
16:11 < warren> BlueMatt: tried that, that only works during reindex, it works until I hit a block where someone spent a 1-satoshi (which is extremely rare in litecoin)
16:12 < warren> BlueMatt: I could find the small number of spent 1-satoshi txo and whitelist them to allow reindex to succeed.
16:12 < warren> this isn't meant to be committed, just testing stuff
16:12 < BlueMatt> or just consider all unknown-txin to be 1-satoshi and all spends of them correct
16:13 < warren> hah
16:13 < BlueMatt> if its just for analysis, why not
16:13 < warren> where's the code for that part?
16:13 < BlueMatt> in ConnectInputs?
16:13 < warren> looking
17:07 < warren> BlueMatt: back from lunch. it appears I need to construct a fake CTxOut
17:08 < warren> oh, screw it, just consider everything valid
17:09 < michagogo|cloud> 04:41:28 <warren> I'm not sure why people downvoted the bounty thread.
17:09 < michagogo|cloud> Unless the total score is negative, there may be no downvotes -- reddit adds random equal numbers of upvotes and downvotes to avoid gaming the system
17:18 < michagogo|cloud> 23:41:42 <cfields> Luke-Jr: unfortunately, the cleanest approach to the next step is to begin modding the hfs+ kernel module. And at that point, I don't think it's really worth it
17:18 < michagogo|cloud> Am I wrong, or would that break gitian builds with LXC? (IIRC, some trouble we were having had to do with a kernel module Wine tried to install or something like that?)
17:18 < cfields> michagogo|cloud: nm that, i got it working
17:18 < michagogo|cloud> Oh, awesome
17:19 < michagogo|cloud> (I'm still at Wednesday morning, midnight UTC+2 in the backlog)
17:24 < michagogo|cloud> 00:31:41 <cfields> as an osx user (i hate admitting that), any download that's not a dmg gets on my nerves
17:24 < michagogo|cloud> 00:31:48 <cfields> unless it's a .pkg for good reason
17:24 < michagogo|cloud> I'm not a Mac user, but I've been told (somewhere, don't remember exactly -- I think it was in the context of bitcoin, so maybe #bitcoin-build?) that among Mac users, any non-.dmg software downloads are treated with extreme (or at least much) suspicion
17:24 < cfields> michagogo|cloud: keep reading ;)
17:25 < cfields> deterministic dmg's are working
17:25 < michagogo|cloud> cfields: Yeah, I saw that :-)
17:26 < cfields> but yea, i agree with the above. If it's not a dmg, it's usually a pkg because it requires root (like an sdk). If it's neither, it usually goes in the trash
17:26 < cfields> for me, anyway
17:26 < adam3us> sipa: about bip32 vs armory alan says its not a sub-wallet the same chain code is in the online watching (read only) wallet
17:26 < adam3us> sipa: so its not hierarchical, just using public derivation
17:26 < michagogo|cloud> cfields: Actually, I've seen even pkgs be distributed as dmgs
17:27 < michagogo|cloud> (I have used Macs some, just not a full-time user)
17:30 < cfields> michagogo|cloud: yea, that's reasonable too
17:31 < michagogo|cloud> cfields: So you managed to get bare-bones deterministic DMG working?
17:31 < michagogo|cloud> (bare-bones, meaning without all the fancy dmg features, AIUI?)
17:31 < cfields> yep, passes basic sanity checks anyway
17:32 < michagogo|cloud> That's great :-)
17:32 < michagogo|cloud> Nice work.
17:32 < cfields> thanks. but hold that until there's some proof ;)
17:33 < warren> hmm, what part is signed to distribute in Apple's app store for mac os x?
17:33 < warren> or would it be rejected like they rejected bitcoin apps from the iphone?
17:34 < cfields> the dmg is signed, i believe
17:34 < cfields> any signature would break determinism ofc
17:34 < cfields> rather.. provable determinism
17:34 < warren> gavinandresen: ever considered submitting Bitcoin to the MacOS X app store?
17:36 < warren> cfields: for developers and power users determinism is great, the only way to prove safety
17:36 < michagogo|cloud> cfields: MAS uses dmg?
17:36 < warren> cfields: but for end users who mess up downloads ... MITM ... DNS redirection ... an app store might be safer.
17:39 < cfields> might be possible to add a comment, not sure. if so, the comment could contain the original checksum
17:45 < michagogo|cloud> warren: Looks like the process is running https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/codesign.1.html#//apple_ref/doc/man/1/codesign
17:45 < michagogo|cloud> and then https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/productbuild.1.html#//apple_ref/doc/man/1/productbuild
17:45 < michagogo|cloud> (https://developer.apple.com/library/mac/releasenotes/General/SubmittingToMacAppStore/)
13:09 < gmaxwell> He's currently trying to negotiate with the SMF folks to get SMF 1.0 open sourced so he can opensource the whole forum. Dunno how thats going.
13:09 < sipa> what? the forum code is not open source? :o
13:10 < gmaxwell> no, apparently the later versions of SMF are but the earlier (and more popular) versions are not or something.
13:10 < gmaxwell> And the one bct runs is heavily modified, including a lot of security fixes.
13:11 < gmaxwell> (like, uh, hashed and salted passwords 0_o)
13:13 < TD> from what i know of SMF open sourcing it would probably be a security disaster ...
13:13 < TD> vanilla forum is nice
13:14 * sipa mumbles "security through obscurity"
13:20 < gmaxwell> adam3us: https://bitcointalk.org/index.php?topic=258678.msg3698304#msg3698304 < what are your thoughts on a simple delegation like this?
13:21 < gmaxwell> adam3us: it doesn't have the nifty information-theoretic blinding, so it makes the KDF weak to an attacker who has already performed the KDF for the user.
13:21 < gmaxwell> adam3us: but I think the prospect of getting people to implement the RSA blinding scheme is ~0, plus I think we really do want memory hard KDFs.
13:27 < gmaxwell> sipa: I dunno if you saw, but a while back adam3us pointed out that using a group that permits a trapdoor permutation you could have a delegatable blind KDF. E.g. you pick a random blinding factor and blind your password, then give it to miners who crunch on it then give you the result, and then you unblind the password.
13:27 < gmaxwell> sipa: and the work they did is of no use to them trying to also crack your key, because they don't know the blinding factor.
13:28 < sipa> i'm not following
13:30 < gmaxwell> E.g. You can Encrypt(password,nonce) -> Epwd and give Epwd to 'KDF miners' who do expensive computation on it and return Eresult and then you can Decrypt(Eresult,nonce).
13:30 < sipa> right
13:30 < gmaxwell> But in doing so they learned nothing that would help them shortcut cracking your wallet.
13:30 < gmaxwell> e.g. if later they got a copy of your wallet.
13:30 < gmaxwell> (or even if they already had it, and simply wanted you to pay for the work of cracking it)
13:31 < gmaxwell> I think its neat though I dunno if its useful, simply because its complicated to implement, more complicated to explain, and we'd probably prefer memory hard KDFs.
13:32 < gmaxwell> Though the notion of delegation is probably a good one: any of these wallet encryption schemes should be setup so that you could ask a marginal trusted party to do the expensive KDF for you, without totally giving away your keys.
13:32 < gmaxwell> might make them easier to tolerate for things like hardware wallets.
13:33 < gmaxwell> Sadly the simple way of constructing these things means the party you delegate to at least no longer has to face the difficult kdf anymore.
20:32 < midnightmagic> what?! smf isn't open source?
20:33 < theymos> 1.x uses a non-free license. 2.x is open source.
20:33 < theymos> I asked them for an exception to the 1.x license so I could distribute my modifications, and even offered to pay, but they never got back to me.
20:34 < sipa> that doesn
20:34 < midnightmagic> Ah. It's open source, but it's not licensed openly. You need permission to fork.
20:34 < sipa> wait, what meaning of open sourc... right, that
20:39 < midnightmagic> theymos: That's b-s man. They should've given you an answer.
20:39 * midnightmagic is grumpy now
20:41 < phantomcircuit> theymos, i guess they dont understand how much you could pay
20:41 < phantomcircuit> lol
20:41 < theymos> bitcointalk.org even has some small modifications by Satoshi. I might publish those in isolation for historical interest. I think that this is legal.
20:50 < cfields> https://github.com/theuni/bitcoin/tree/deterministic-dmg
20:51 < cfields> how do you guys recommend i start the discussion? RFC pull-request?
20:51 < cfields> dmg's are deterministic via gitian and verified working fine on 10.6 and 10.8
20:52 < Luke-Jr> Meetup at [or near] my place tomorrow, anyone? (Broooksville, Florida)
20:54 < cfields> in its current form it's not really reviewable. I'll need to break it up into chunks. But it'd be nice if I could convince someone to verify my gitian results
20:55 < Luke-Jr> cfields: throw the gitian files in a temp git repo somewhere?
20:55 < cfields> Luke-Jr: they're in there
20:55 < Luke-Jr> ah missed that
20:56 < cfields> osx-native -> osx-depends -> osx-qt -> osx
20:57 < Luke-Jr> I'd have split each depend out individually
20:57 < cfields> Luke-Jr: you'll need the sdk too. I can spare you the trouble of registering and extracting it if you'd like
20:57 < cfields> Luke-Jr: i did all the work native. Gitian was an afterthought
20:58 < Luke-Jr> what *is* osx-native? O.o
20:58 < cfields> Luke-Jr: https://github.com/theuni/bitcoin/commit/8a64fb98370ccc299d73111bbf97cdde23f681b1#diff-8
20:58 < Luke-Jr> yes, that's what I'm looking at
20:59 < cfields> osx-native builds the build-side tools
21:01 < cfields> er, i suppose osx-native is confusing, since that probably implies that they run on osx
21:01 < cfields> rather, it means the tools for the native arch to build osx binaries
21:03 < Luke-Jr> IMO everything except the final Bitcoin-Qt .yml file should probably live in its own git repo
21:03 < Luke-Jr> independent of any program
21:03 < cfields> Luke-Jr: it's just in one repo for convenience right now
21:03 < Luke-Jr> sure
21:04 < Luke-Jr> I presume you saw my cross-osx repo
21:04 < cfields> translation: don't bother pointing out how ugly it is, i already know :)
21:04 < cfields> i'd just like a little input as to what people want before i sit down to actually organize it
21:05 < Luke-Jr> any reason not to use CXXFLAGS for -target?
21:05 < cfields> for ex, to me, it's important to be able to build without gitian. Imo that's a nasty dependency
21:05 < cfields> but if i'm alone, i'll toss that out
21:05 < Luke-Jr> what if gitian produces archives usable by other OS?
21:06 < cfields> hmm?
21:06 < Luke-Jr> otoh, as long as it's outside the bitcoin repo, I guess it makes just as much sense to have it designed to build outside too
21:06 < Luke-Jr> cfields: I was thinking "let gitian build the cross development stuff, and make it usable without gitian"
21:07 * Ryan52 waves
21:07 < cfields> it can build anywhere, its location is arbitrary
21:07 < cfields> you can just cp -rf the folder wherever you want
21:07 < Luke-Jr> but it might make better sense to just have the new cross-osx git repo work without gitian to do the same, and just a few .yml files to utilise that
21:07 < warren> cfields: I have Ryan52 looking into the integrity of all your gitian mac inputs, comparing downloads from multiple Linux and ports distros, looking at diffs from previous versions to look for compromised source, then generating a list of identical download URL's and sha256sums
21:08 < warren> cfields: https://github.com/bitcoin/bitcoin/pull/3191 that'll allow adding simple integrity checks like this.
21:09 < cfields> warren: yep, i'll add those
21:09 < cfields> warren: as a quick hack though, you saw this: https://github.com/theuni/bitcoin/blob/deterministic-dmg/contrib/macdepends/download.sh ?
21:10 < warren> cfields: ooh, ok, so Ryan52 should just verify that things match your checksums
21:11 < warren> Ryan52: sorry, didn't know he already had checksums. This is just another sanity check.
21:11 < cfields> ./download.sh is all that's necessary, yes
21:11 < cfields> Ryan52: if you're going to verify sanity, the one you really need to target is the MacOSX10.6.pkg
21:12 < cfields> that's a pain in the ass to get. So i assume it will end up being passed around privately rather than being extracted from the source
21:12 < cfields> for ex, i was about to send Luke-Jr a link to it so he could avoid the hassle
21:12 < cfields> so if you could verify that, it'd be a big help
21:13 < warren> cfields: it's a good idea to have https://github.com/bitcoin/bitcoin/pull/3191 style build-time checks too. When Litecoin began gitian I didn't give the team URL's to download inputs at all. told them to find it from random locations.
21:13 < cfields> warren: sure. I just threw that together quickly. I agree with your approach
21:13 < warren> cfields: ok great, Ryan52 knows what to do.
21:14 < warren> Ryan52: please document all paranoid extra checks done, it will be part of the code review for that massive PR.
21:14 < cfields> i really can't stress it enough: It's not worth reviewing that commit. It's still very chaotic. Only worth ack'ing that it works, then discussing wtf to do with it
21:14 < cfields> at that point, i'll organize it into something more reasonable
21:16 < Ryan52> warren, cfields: will do, thanks for the advice.
21:19 < cfields> Ryan52: you have a mac at your disposal?
21:19 < warren> cfields: oh yeah, please ask Ryan52 for help with QA. He's a good coder too.
21:19 < warren> cfields: we'll donate to him for specific goals that we think are important
21:19 < cfields> ok
21:20 < cfields> verifying that .pkg will be much easier in osx
21:21 < Ryan52> cfields: yes, I do, but I'm not too familiar with development on osx yet to be honest (mostly a linux dev historically)
21:22 < cfields> Ryan52: no worries. register for an app dev account at apple, grab the dmg, mount it, cd into it from a shell, and md5 it
21:22 < cfields> https://developer.apple.com/devcenter/download.action?path=/Developer_Tools/xcode_3.2.6_and_ios_sdk_4.3__final/xcode_3.2.6_and_ios_sdk_4.3.dmg
21:23 < Ryan52> cfields: thanks!
21:25 < Ryan52> cfields: sha256, or md5 too?
21:26 < cfields> Ryan52: sorry, i'm used to md5ing for quick verification. sha256.
21:26 < Ryan52> heh, thought so, me too :)
22:08 < warren> https://bitcointalk.org/index.php?topic=337294.0;all MacOS X corruption fix bounty now increased to 10 BTC + 200 LTC thanks to a new pledge from BitcoinTalk.
22:13 < cfields> Ryan52: i had to step away for a bit. having any luck?
19:34 < andytoshi> sorry, i can't join, all my money is in the one i just did with petertodd :P
19:34 < petertodd> andytoshi: ha
19:39 <@gmaxwell> andytoshi: heh one lame thing with the rotation is that if you only get one other player the timer really doesn't have time to go solicit more.
19:40 < andytoshi> yeah, my original plan was to make it be open for 24 or 48 hours
19:41 <@gmaxwell> thats so long people will lose attention though.
19:41 < andytoshi> i joined this one with a small 0.008 input and spent it all to the donation address..
19:42 < andytoshi> gmaxwell: yeah, it's a tough balance
19:42 <@gmaxwell> hah. I guess thats something you have the ability to do! :P
19:42 <@gmaxwell> easier if in the future there is an autosigner.
19:42 < andytoshi> :P i am actually doing the spent-through-coinjoin trick we talk about
19:48 <@gmaxwell> andytoshi: the sound thing works, no color change? :P
19:49 <@gmaxwell> I feel like window 3.1 encountered an error.
19:50 < nsh> ehehe
19:51 < petertodd> andytoshi: looks good this time
19:51 < petertodd> andytoshi: dunno why it says "this transaction has a non-standard input" on bc.i though
19:52 <@gmaxwell> it does?
19:52 < petertodd> gmaxwell: https://blockchain.info/tx/33854f625c90e3287eae951103489a2449f91bfe039aa4d4c810bd66450edbf1
19:54 < CodeShark> someone could run a bot that constantly submits transactions at specific denominations for inputs with random outputs
19:54 < CodeShark> so that there are always enough "participants" :)
19:54 < petertodd> CodeShark: the bot to run is one that matches other peoples outputs and/or input combinations on demand
19:54 < CodeShark> right :)
19:55 <@gmaxwell> petertodd: doesn't say that for me.
19:55 < CodeShark> so you could specify a minimum number of participants and a maximum amount of time to wait - if in that time, the number of participants is below what you asked for, a bot fills in the rest
19:55 < petertodd> gmaxwell: the little triangle thing in "estimated confirmation time"
19:56 <@gmaxwell> what is a "_none_ standard input"
19:56 < petertodd> beats me
19:57 < CodeShark> you'd want the bot to fill each of the remaining slots using a separate wallet
19:57 <@gmaxwell> isn't the fee a bit high?
19:57 < petertodd> no, 1.5x minimum
19:57 <@gmaxwell> got it.
20:15 <@gmaxwell> petertodd: it seems to me that pond could be combined with bitmessage ... where bitmessage was used for small messages and notifications that you had messages waiting ... so that it didn't have to constantly poll.
20:16 <@gmaxwell> the polling probably makes parties substantially more vulnerable to traffic analysis should their pond server be compromised.
20:16 < petertodd> gmaxwell: makes sense, better bandwidth utilization too
20:17 < BlueMatt> gmaxwell: wasnt pond supposed to be constant-bandwidth?
20:17 < nsh> what's this pond thing now?
20:17 < BlueMatt> or am I thinking of a different one?
20:17 < BlueMatt> nsh: https://pond.imperialviolet.org
20:17 < nsh> ty
20:18 <@gmaxwell> BlueMatt: it doesn't appear to be but if it is that still doesn't prevent traffic analysis. E.g. if your pond server is compromised it still knows when you (by your group ID) poll. and the fact that you keep polling over and over and over again (10 minutes appears to be the default) makes tracing the tor a lot easier.
20:19 <@gmaxwell> petertodd: depends on usage patterns. ... you'd have to have a very high number of users who never had any traffic then perhaps a flooding network for you-have-new-messages may well indeed be more efficient. Certainly pond for large objects is way more efficient than bitmessage.
20:19 < BlueMatt> well, yes, if your server is compromised, but at least thats stronger than if the encrypted links to your server are compromised
20:20 <@gmaxwell> pond also doesn't seem to have any real way of handling "your server got taken down" that I can see, it looks like you have to start a totally new identity and rebuild your contacts?
20:24 < BlueMatt> are there any actually good products for having secure group messaging today?
20:24 < andytoshi> gmaxwell: that chime is actually me on the piano
20:24 < petertodd> BlueMatt: oh, interesting bugs in bloom FWIW
20:24 < andytoshi> i was quite sad to discover it was the win3.1 chime :P
20:25 < petertodd> BlueMatt: define "secure" and "group" :P
20:25 < nsh> you should sure microsoft for retroactively stealing your chimetulectual property
20:25 < BlueMatt> petertodd: oh?
20:25 < nsh> *sue
20:25 < petertodd> BlueMatt: I mean, what you were telling me - I need to think about that stuff some more
20:26 < BlueMatt> petertodd: oh, yes
20:26 < BlueMatt> its possible to fix, but not in a clean way afaict
20:26 * BlueMatt fucked it up...suppose thats what I get for running out of time and just trying to get it done...
20:26 < CodeShark> could coinjoin be defeated by someone who inserts the vast majority of requests?
20:27 < CodeShark> you join a transaction, think there are 10 participants, when actually 9 of them are an attacker
20:27 < BlueMatt> petertodd: secure: otr-like security, group: >= 3 technically-minded people
20:27 < petertodd> BlueMatt: yeah, good example of how important analysis is up front :(
20:27 < petertodd> BlueMatt: right, where the group can trust each other not to leak
20:28 < BlueMatt> petertodd: well, I did analyse it, and had a good design....then it needed tweaking to make it more useable, but I was out of time, so I tweaked it until it worked
20:28 < BlueMatt> now I realize I tweaked it until it broke...but it works
20:28 < petertodd> BlueMatt: do you have that original analysis written up somewhere? good starting point for fixing it
20:29 < BlueMatt> writeup? noooo
20:29 < petertodd> BlueMatt: stained napkin?
20:29 < BlueMatt> stained braincells, sure
20:30 < BlueMatt> anyway, my brief thoughts over the past two days dont indicate any clear way of keeping the "efficiency" (ie not making it worse than it already is for serving nodes) while improving the privacy
20:30 <@gmaxwell> andytoshi: where is the actual url to your chime?
20:31 * nsh is starting to think computers should not ever have access to plaintext
20:31 < nsh> that decoding of anything into human-comprehensible form should only be done by an input-only device you wear as glasses or something
20:31 < CodeShark> homomorphic encryption? :)
20:32 < nsh> aye, it's at least a weekend project :)
20:32 < petertodd> BlueMatt: figures
20:32 < petertodd> BlueMatt: I think it's just a fundamental problem where it's a tradeoff between efficiency and anonymity set size
20:33 < petertodd> BlueMatt: I'm actually thinking we might be better off with this stealth address idea/reinvention of mine and just using a fixed % of all addresses as your anonymity set
20:33 < BlueMatt> petertodd: no, I mean its very possible to get that tradeoff decent, you just have to do something like make the server Hash256^2 all elements tested against the filter as well as the element itself
20:33 < BlueMatt> or push the hash160 of the pubkey onto the scriptSig as an extra element
20:34 < BlueMatt> s/Hash256^2/hash160/
20:34 < BlueMatt> you can get very good download speeds with a fp rate of like 0.005% or so, which gives you a pretty big anonymity set
20:34 < BlueMatt> or even 0.01%
20:34 < BlueMatt> hell, a desktop does fine higher than that
20:35 < petertodd> andytoshi: interesting, I did a tx where I was all parties, and sent it on my own node, and it just said "invalidated"
20:35 < BlueMatt> should have you a litecoinj as a christmas present...
20:35 < petertodd> BlueMatt: maybe we're thinking of different things; I'm more talking about a perfect bloom filter with optimal behavior
20:35 < BlueMatt> ehhh, damn missing /msg
20:36 < petertodd> BlueMatt: heh, I could go for that
20:36 < petertodd> BlueMatt: maybe a mastercoinj while we're at it
20:36 * petertodd ducks
20:36 < CodeShark> haha
20:36 * BlueMatt kicks petertodd's ducking head
20:36 < CodeShark> that's not very nice...
20:37 < CodeShark> I mean, to bring up mastercoin :p
20:37 < petertodd> CodeShark: lol
20:37 < BlueMatt> petertodd: well, ok, but as far as I'm concerned, having an anonymity set of a few thousand addresses besides your own is perfectly reasonable for 99% of people
20:38 < BlueMatt> the rest can damn well run full nodes
20:38 <@gmaxwell> it's not quite that simple, because there are usually several other bits of deanonymizing data available.
20:38 <@gmaxwell> and so a set of thousands is quite often a set of 1.
20:39 < petertodd> for instance the nTweak itself can be a deanonymizer...
20:39 <@gmaxwell> at least bloom only reveals it to your servers.
20:39 < BlueMatt> I dont think its nearly /that/ bad, sure you can get rid of lots of fps with some analysis, but getting it down to 1 would require as much (or far less) effort than just breaking in and stealing a computer...
20:39 < BlueMatt> petertodd: how?
20:39 <@gmaxwell> BlueMatt: getting it down to a few is how you figure out which computers to go steal. :)
20:40 <@gmaxwell> (go look at that bomb threat moron. They simply enumerated all the people on campus who had used tor near the time in question and went and intimidated them all and the guilty party confessed)
20:41 < petertodd> BlueMatt: by reusing it multiple times you have a 32-bit unique value that identifies you across multiple connections
20:41 < BlueMatt> petertodd: so...dont use it multiple times?
20:42 <@gmaxwell> I don't know why you'd reuse it?
20:42 < BlueMatt> gmaxwell: I'm not sure we're thinking of the same threat model here...
20:43 < BlueMatt> the main threat model a bloom filter addresses is your upstream nodes finding out who you are
20:43 < petertodd> gmaxwell: if you don't reuse it, and someone matches multiple instances of bloom filters to you, they can AND all the addresses matched by the filters to narrow down the actual ones in your wallet
20:43 < BlueMatt> not the network tracking down where given addresses lie
21:10 < warren> Yes it's not difficult to bypass, just annoying.
21:10 < gmaxwell> I haven't upgraded to fedora >17 because I feel kinda blah about its future... I'd probably be moving to gentoo but it just doesn't have enough active development.
21:10 < gmaxwell> I'll probably end up moving all my stuff to F19 by default, but not really excited about it.
21:18 < warren> jgarzik: can you chain load ubuntu's EFI loader to fedora's boot loader? =)
21:18 < warren> hmm... how do you add a ssh git remote with a non-standard port number...
21:19 < warren> it turns out stackexchange has this answer.
21:23 < warren> sipa: PM. Ignore the Coin Control stuff which isn't part of litecoin. I used that as a lazy way to visualize the available inputs.
21:26 < warren> sipa: shoot, you'll have to let me know your IP address, it doesn't allow incoming connections. =(
21:26 < warren> nevermind, I'll just open the firewall for now
21:27 < warren> ok, opened
23:01 < gmaxwell> fuck: http://blockchan.org/
23:08 < amiller> wat
23:12 < warren> gmaxwell: looks like a highly secure online service
23:13 < gmaxwell> it's 4chan implemented using data storage transactions. You pay for access, and that funds the spam.
23:21 < warren> gmaxwell: coblee and I are considering a radical change to fees where we charge primarily for outputs and make inputs a lot cheaper. This means you are charged for the quantity of outputs, and even higher fees for dust outputs. Inputs would have a cost but much lower.
23:21 < gmaxwell> warren: and change your blocksize rule to be based on that?
23:22 < warren> well, we're only thinking about this. It needs a lot of testing. I haven't thought of a way to exploit this yet.
23:23 < gmaxwell> The obvious metric is to make the transaction size for the blocksize rule the utxo set change plus some constant factor (e.g. 1% of the size of the transactions) so that you can't get an infinitely large block that is just cleaning up the utxo.
23:23 < gmaxwell> and then make fees based on the same metric.
23:23 < gmaxwell> it doesn't solve uneconomic utxo but makes it much harder for them to exist.
23:24 < warren> The general idea is to indeed use fees to discourage the growth of UTXO.
23:28 < warren> gmaxwell: a major flaw in that plan is how would pools pay miners and "stocks" pay dividends. That may scuttle the plan.
23:30 < gmaxwell> warren: why? I mean these things have a cost... failing to charge for it doesn't make the cost go away.
23:31 < warren> Wouldn't that encourage paying the miners through side-channels to include their massive tx's at sub-normal costs?
23:32 < warren> Or perhaps it's cheaper for many-dust-payers to pay using Bitcoin instead, since TXO's would be so much cheaper there. =P
23:33 < gmaxwell> uh. ... like. you guys are going to just produce failure if your ideas include things like trying to rule-specify fees in transactions!
23:33 < warren> "include things like trying to rule-specify fees in transactions!" isn't that what litecoin already does?
23:35 < gmaxwell> no.
23:35 < gmaxwell> or well, you know it better than I do
23:35 < gmaxwell> Is it that stupid?
23:37 < warren> trying to find the URL...
23:38 < gmaxwell> warren: litecoin will reject blocks that don't have some particular fees? thats nuts you can trivially pay outside of the blocks or have rebates outside of the blocks, or mine fake fees to yourself.
23:38 < warren> gmaxwell: no, I think we misunderstood each other.
23:39 < gmaxwell> thats why I asked the clarifying question, okay.
23:40 < gmaxwell> <foamy> so lets say tomorrow i wanted to start a website that needed login credentials.
23:40 < gmaxwell> ^ it's rude of me to snark behind his back, but I don't really mean this personally
23:40 < gmaxwell> this is an example of many other people too ... are we doomed because people want
23:40 < gmaxwell> to use bitcoin inefficiently because it's the only #$@#$@ public key signature system they know how to use?!?
23:42 < zooko> It is a great leap forward over others because it doesn't have a "name" field.
23:42 < zooko> (Tahoe-LAFS has that feature too, but it is relatively obscure.)
23:42 < zooko> Don't worry! Once people learn the new payment protocol and its x.509 names then they'll find bitcoin just as hard to use as the others.
23:42 < gmaxwell> well this guy wants a name field. "addresses are too hard"
23:42 < gmaxwell> :P
23:43 < zooko> Haha!
23:43 < zooko> I think there's a deep truth lurking in here somewhere.
23:43 < zooko> Trying to grab my ankles and drag me to the depths.
23:43 < warren> arm wave and tell him to reuse namecoin in some bad way.
23:44 < gmaxwell> he doesn't have a consensus problem, he doesn't need a blockchain at all.
23:44 < gmaxwell> I told him to use Persona.
23:44 < zooko> Ooh, nice.
23:45 < gmaxwell> he just wants a portable identity service without a central identity provider.
23:45 < zooko> Yeah, I think Persona was the right answer. Nice one.
23:45 < amiller> does anyone understand bitmessage
23:45 < amiller> it's an entirely separate blockchain right it doesn't try to be merge mined like namecoin?
23:45 < gmaxwell> there is no blockchain
23:45 < gmaxwell> it's just hashcash flooding messages.
23:46 < gmaxwell> (which is fine)
23:46 < amiller> er, hm well there's no incentive argument
23:48 < gmaxwell> if it's cheap enough to run because the hashcash ratelimits it, then there doesn't need to be an incentive beyond "have a useful system, and have your own participation be anonymized by the fact that you're running it"
23:48 < gmaxwell> they divide the anonymity set to scale better. ('channels')
23:49 < amiller> i'm still sort of looking for an application where extra consensus storage in the utxo is worthwhile and then maybe that's a good way to prototype utxo storage fees
23:49 < amiller> the only reason not to use Namecoin as that application is because there's this additional complexity about how to handle initial allocation of names and such
23:50 < warren> what ever happened to namecoin? why was it never updated?
23:50 < warren> the lack of a GUI to make names might have limited its appeal?
23:51 < warren> Or it tried to solve a problem that people really didn't care about?
23:52 < gmaxwell> those two, also developers lost interest (somewhat the case in litecoin too), also the developers were pissed about speculation and adjusted the cost of names way down and people then registered every possibly interesting name
23:54 < gmaxwell> also merged mining gave a ton of namecoin to people who didn't care about names... making it more expensive for people who did.
23:54 < gmaxwell> not only didn't care about names, but had never even run the software and couldn't register one!
23:55 < gmaxwell> also their design had no mechanism for a secure lite mode resolver which got lamer as the chain grew...
23:55 < warren> I'm guessing that chain would be really cheap to spam to death.
23:55 < gmaxwell> (though I 'solved' that by inventing committed utxo sets! well kinda, I didn't instantly see how to prevent tree unbalancing attacks)
23:56 < amiller> fuck it just use tries
23:57 < gmaxwell> I didn't think of that at the time, but didn't think too hard ... I did think of "just use a self balancing tree" except I worried about the worst case complexity of an update.
23:57 < gmaxwell> but yes, a prefix-trie is the obvious thing to do.
23:58 * amiller stopped worrying and loves tries, w/ev
23:59 < amiller> namecoin would likely suffer from utxo bloat though
23:59 < gmaxwell> also, the namecoin community provided insufficient on-ramping. E.g. if they'd raised money and bought .bit (the real TLD) and proxied to it... I bet namecoin would be dominating the world of something now.. but back then raising a few hundred K in the bitcoin community wasn't obviously possible.
23:59 < gmaxwell> amiller: it has renewals required every 30k blocks. ... so not name utxo bloat!
--- Log closed Wed May 22 00:00:03 2013
--- Log opened Wed May 22 00:00:03 2013
--- Day changed Wed May 22 2013
00:00 < warren> If someone UTXO spammed that chain, it would be weeks before anyone noticed. "Why is namecoind using 1.5GB of ram?"
00:00 < amiller> ok well not from dead lost txs but like, just having lots of names registered
00:00 < amiller> i don't remember the financial model for namecoin whether there's a fee per name or w/e
00:00 < gmaxwell> amiller: good problem to have. use utxo-spv resolvers and a lot of caching. :P
00:01 < gmaxwell> amiller: mining gives you 'namecoins' and there is a system imposed minimum fee for names. the idea is that its a closed loop ... miners get coins to make the chain go.. people buy them to get names.
00:02 < gmaxwell> merged mining meant the 90% of the hashpower was a couple miners that didn't really give a shit about the whole thing... and so no one manually propped the fees up when the system minimums became obviously too low.
00:02 < amiller> ok so the minimum fee + renewal rate, at least is a bounded kind of per-storage fee
00:02 < amiller> what's the bloatiest thing you can put in a namecoin registration, some weird mappings or sub rules or something?
00:03 < gmaxwell> the minimum fee geometrically declined however ... even faster after the merged mining hardfork because the dev was pissed off at speculation of the coins.
00:03 < gmaxwell> amiller: I think you can mine 10kb of whatever the @#$#@ you want.
00:04 < amiller> why mine as opposed to just make a tx
00:04 < amiller> unless your point is specific to coinbase tx outputs
00:05 < zooko> gmaxwell: exciting idea about launching a namecoin with integration to the legacy name system!
00:05 < zooko> Somebody get a few million from a VC and do that.
00:06 < zooko> I had thought that a really good hack would be to grant the new-name to anyone who proved ownership of the old-name. Grandfather-in as many people as you can.
00:06 < zooko> By "new-name" I mean namecoin-like-thing, and by old-name I mean DNS/PKI.
14:05 < Luke-Jr> adam3us: to fix the param problems with Litecoin's PoW, you'd introduce an algorithmic problem because you'd expose validators to the memory requirements
14:06 < adam3us> Luke-Jr: I love what you are doing with eligius policy. My point was more in the long term/theoretical - the fact that a miner can make decisions about payments might lead to censorship, coin blacklisting if miners get too large and centralized
14:07 < adam3us> Luke-Jr: this risk is what led me to think of committed tx where the miner cant see the coin contents until after it is mined
14:08 < Luke-Jr> adam3us: that was already a risk
14:08 < amiller> gmaxwell, you see the post about bitter to better and hash locking?
14:08 < amiller> i'm familiar with that paper but somehow didn't understand that.
14:10 < adam3us> Luke-Jr: yes i am talking about the 5 year old risk. like I say your new policy i think is awesome :)
14:16 < K1773R> adam3us: how should a miner (were talking about bitcoind in this case) decide which txs are valid and which not if he doesnt know what it is until it finds a PoW?
14:17 < gmaxwell> K1773R: because in such schemes it doesn't matter if its not valid.
14:18 < adam3us> K1773R: the committed tx is a hash of the tx and a cleartext fee, only the recipient gets to see inside it, and technically its only recipients who care.
14:18 < K1773R> gmaxwell: so i could fill someone else's blocks with trash (invalid txs which will be later dropped/ignored) to minimize the amount of valid txs? that seems even more horrible than it is now
14:19 < gmaxwell> K1773R: you'd have to pay fees, same as always. You're replaying my objections now. :P
14:19 < K1773R> adam3us: so i can spend coins from someone else with no signatures attached and the system would mine a block with it? ugh :S
14:20 < K1773R> gmaxwell: ah i c, so you pay the fee even if the tx will be later dropped (after its contents are known)?
14:20 < adam3us> gmaxwell, K1773R: (yes) btw similar objections could probably be made of mastercoin and colored coins and the new message packet - people pay to use the block chain in ways even less useful to bitcoin
14:21 < gmaxwell> K1773R: yea. you can imagine it as a normal fee paying txn plus a blinded txn stuffed inside it. And no, if it's used right someone can't block you with an invalid txn.
14:21 < amiller> damn this bitter to better proposal is actually really cool....
14:21 < adam3us> K1773R: it also cant be double spent, even though its in committed form
14:22 < amiller> i didn't realize it but it successfully provides no way to link the two transactions involved
14:22 < gmaxwell> amiller: it doesn't work in bitcoin today.
14:22 < amiller> why not
14:22 < amiller> looks like it does to me?
14:23 < gmaxwell> IIRC it requires arithmetic in script.
14:24 < maaku> adam3us: fyi i object to "committed tx" because that terminology is misleading. people think committed == confirmed == validated.
14:24 < maaku> you might have an easier time explaining it if you adopt "hidden tx" or some other terminology
14:25 < adam3us> maaku: yes. was thinking of bit-commitments when i came up with the name. it might be better yes. however it is only temporarily hidden typically. so in some way it is rather like a classical bit commitment - you fix a value for the duration of the protocol and then reveal
14:25 < amiller> gmaxwell, i just checked and no it doesn't require any arithmetic in the script
14:25 < amiller> i thought it did too, but it doesn't
14:25 < adam3us> amiller: link?
14:25 < amiller> https://crypto.stanford.edu/~xb/fc12/bitcoin.pdf
14:25 < amiller> scroll to section 7.1 a fair exchange protocol
14:25 < amiller> alice and bob can swap coins in two transactions without linking the two transactions to each other
14:30 < maaku> really? it looks to me like they're linked by the hashes
14:30 < maaku> it'd be easy to build an index of transactions matching this form, matching them together
14:31 < amiller> they're not
14:31 < amiller> i totally misread this paper as i think everyone else did
14:31 < amiller> a1,a2,a3,... are alices secrets
14:31 < amiller> b1,b2,b3 are bobs secrets
14:32 < amiller> what happens is that one transaction contains H(b1),H(b2),...
14:32 < amiller> while the other transaction contains H(a1+b1), H(a2+b2), ... etc
14:32 < amiller> so you can only link the transactions if you know a1,...
14:32 < maaku> a1 + b1 meaning a1 XOR b1?
14:33 < amiller> ye
14:33 < maaku> ok they could have been much clearer
14:33 < amiller> so alice begins with a1,... and bob learns a1+b1 through the protocol
14:33 < amiller> however no one else learns them.
14:34 < amiller> er i mean bob learns a1,... throughout the protocol by observing a1+b1 and already knowing b1,... but no one else learns b1 etc
14:35 < maaku> b is revealed when alice claims her amount, yes?
14:35 < amiller> b is revealed yes
14:36 < amiller> everyone learns b
14:36 < amiller> no one other than bob and alice learn a though
14:39 < adam3us> maaku: btw the other day on here you mentioned about combining chaum certified issue for a external issuer and ZC. maybe with lower overhead for the network you could have chaum certs exchangeable with the issuer, and use the blockchain only for recording spent coins
14:40 < gmaxwell> maaku: basically its a similar protocol to my first coinswap attempt, but they didn't move as much of the protocol out of band as petertodd did.
14:41 < maaku> gmaxwell: where's the latest protocol?
14:41 < gmaxwell> instead, they just moved the script execution out via the cut and choose thing.
14:41 < gmaxwell> whereas PT's approach was to move the entire hashlock out via escrows and refunds.
14:42 < maaku> adam3us: yes, if someone has rights to issue currency, trusting them for double-spend validation is no less secure
14:42 < maaku> issuing more currency or allowing double-spends amounts to the same thing
14:42 < maaku> it requires them to be online, however
14:43 < maaku> i see a use for that with private accounting servers, where the server itself can act as signer
14:43 < maaku> not so sure about the public chain though
14:43 < adam3us> maaku: i was wondering also if you could prevent overissuing. say the issuer key is offline, but there is an online refreshing key. the block chain validates that no more than the issuer number exist
14:45 < adam3us> maaku: i think the main problem is it conflicts with privacy - if the refreshed coin has to be block chain validated, it is obvious to the issuer who the owner is
14:46 < maaku> adam3us: how?
14:46 < adam3us> maaku: timing
14:46 < maaku> i'm not sure I follow
14:47 < maaku> there are 20 coins in existence in this series, say, and when I send a token for redemption, how does the server know which one prior --
14:47 < maaku> oh you mean because the person claims it and uses it
14:47 < adam3us> maaku: so say the block chain provides a way to count how many coins are in circulation, because they are recorded as confirmed
14:48 < maaku> yes everyone knows where coins enter and leave the chaum system. that's assumed
14:48 < adam3us> maaku: yes the recipient swaps it for a fresh one, and then has to confirm it. the old serial number must be recorded, and the new blind coin
14:48 < maaku> but if it's chaum -> chaum, there's no linkage
14:49 < adam3us> maaku: the timing is the issue - the user would like to hold it off chain until he wants to spend it, if he does that the online issuer could overissue wrt to the offline issuer intended share pool size (eg if it was hacked)
14:49 < maaku> why? there's no privacy risk to confirming the redemption
14:50 < maaku> because it's not linked to future or past transactions
14:50 < maaku> it's completely anonymous
14:50 < maaku> input: unblinded token (not linked to past), output: blinded token (not linked to future)
14:51 < adam3us> maaku: i am making assumptions about how to enforce the limit. maybe there is a better way. at time of issue, 100 shares are issued (blind certs).
14:51 < adam3us> maaku: whenever they are traded the old serial number is given to the block chain by the recipient for validation, and used as proof to the online issuer to get a fresh coin
14:54 < adam3us> maaku: you want the network to be able to help the bearer share holders know there are only 100 in circulation still. seems tricky
14:55 < maaku> adam3us: that could be kept in an index
14:58 < adam3us> maaku: seems like the online issuer could issue 101, 102 etc because the recipients hold them offline until use
15:12 < adam3us> gmaxwell: you mentioned yday or so that the idea of sending keys from committed/hidden coins via the p2p network without mining validation would conflict with confirmed utxo. is the utxo set view of the miner included in the coinbase to facilitate spv?
15:18 < gmaxwell> adam3us: it isn't included today, we've talked about including it.. not just spv but "spv that can validate", for use in rapid full node bootstrapping and other things.
15:20 < gmaxwell> adam3us: on a separate subject, I was thinking: It's actually really sad that our native signature scheme can't do efficient 2-of-2 multisigning ("split key"), because if it could the anonymity set of 2-of-2 escrows (like coinswaps) would include all the regular transactions too.
15:23 < adam3us> gmaxwell: yes this is why i keep on about EC schnorr it supports n of n without prior arrangement, just add up Q1 and Q2 and sign with d1 and d2
15:24 < adam3us> gmaxwell: schnorr also supports simple k of n (again with public key of size one key) and the observer never knows if a signature is one public key, 2 of 2 or k of n. its all invisible to the verifier
15:25 < adam3us> gmaxwell: ec schnorr also supports very simple efficient blinding (unlike ec dsa), and extends into brands credentials which open a whole realm of compact, similarly efficient to ECDSA per term ZKPs of selective disclosure and formulae on attributes, which probably something interesting can be done with
00:03 < realazthat> so I was asking the other day, if it is a good PoW
00:04 < realazthat> even if it is an easy problem, just a bad algorithm
00:04 < realazthat> answer is yes
00:04 < realazthat> Q: "Is there a guarantee that there is no way to generate a signature if a correct answer is otherwise found in a quicker manner than running `P`, the original program, via running `Q` instead?"
00:04 < realazthat> A: "Yes, the only way (assuming you cannot break crypto) is to run P, not Q."
00:04 < realazthat> Q: "I heard a rumor that you are using LLVM; if so, is it possible that any/most (possibly restricted?) LLVM programs can be used to generate such a proof (obviously can be done via the defunct "C back end" as well)? If not, disregard this question."
00:04 < realazthat> A: Wrong rumor. The top level uses a gcc backend. But really our pixie-dust is sprinkled after we have assembly code for a specific virtual machine and we would like to get a decent LLVM compiler for it as well.
00:05 < realazthat> mmm I would be interested in doing that
00:05 < gmaxwell> their machine code is really simple.
00:05 < realazthat> yeah
00:05 < realazthat> mmm can you link their stuff on that if there is any?
00:05 < realazthat> I want to see the vm
00:05 < realazthat> tinyram?
00:06 < gmaxwell> shifts, mul, add, sub, cmov, add, xor, not, load, store, and ~5? iirc compare operators. 32 32-bit registers.
00:06 < realazthat> mmm
00:06 < realazthat> dunno why they didn't just do LLVM in the first place
00:06 < gmaxwell> (er replace second add with _and_)
00:07 < gmaxwell> because they need to know how to convert each of the operators to a set of constraints on how it updates the program state.
00:07 < realazthat> oh no I know that
00:07 < realazthat> thats fine
00:07 < realazthat> I mean LLVM => tinyram
00:07 < gmaxwell> Ah. Yea, no clue.
00:08 < gmaxwell> probably the compiler person on their team knew gcc internals already?
00:08 < realazthat> this would be a really sweet LLVM backend hehe
00:08 < realazthat> yeah
00:08 < realazthat> as soon as its out, I'll see if I can do something with LLVM
00:08 < realazthat> LLVM has a defunct C backend as well
00:08 < realazthat> but I'd rather see something more direct
00:08 < realazthat> seems simple enough
00:09 < gmaxwell> I imagine a lot of the most interesting stuff will just end up as handcoded tinyram eventually... C gives you rapid bootstrapping.
00:09 < realazthat> mmm maybe
00:09 < realazthat> because of performance?
00:10 < gmaxwell> Yea, at least their first generation stuff requires a lot of fast memory to compile to their constraint program. It's polynomial, but the constants are big enough that hand optimizing will be worth it for many things.
00:11 < realazthat> yeah the 1st gen is .. not optimal
00:11 < realazthat> I saw that slide
00:11 < realazthat> er
00:11 < gmaxwell> also, dunno if you've spent much time looking at compiler output ... well, there are a lot of sins which are more forgivable on modern hardware with things like branch prediction and reordering nearly free register to register motion, etc. compared to this environment.
00:11 < realazthat> or do you mean in general, 2nd stage included
00:12 < gmaxwell> No, I meant first. I don't quite fully grasp the performance implications of the second generation stuff.
00:13 < realazthat> mmm, I'll write up a second email with some followup questions
00:13 < realazthat> including my recursion idea
00:14 < gmaxwell> The recursion idea sounds like the ram binding stuff itself, to some extent.
00:14 < realazthat> ah I am not familiar with that; probably over my head :/
00:15 < gmaxwell> (the idea that if you prove the state transitions and you prove the ram state you can arrange these operations in graphs and prove the compositions then the compositions of the compositions)
00:15 < gmaxwell> it's in that paper I linked to the other day.
00:15 < realazthat> ah
00:16 < gmaxwell> It's a little frustrating to me, because I have enough background to undersand basically all of the parts... but the whole of it is a bit too specialized for me to follow in detail.
00:16 < realazthat> yeah I was thinking about how SCIP would work internally (without ever having read anything on it)
00:16 < gmaxwell> er understand.
00:16 < realazthat> heh, for me it is hard to imagine
00:16 < realazthat> but I imagine it is a bunch of cool tricks in this vein
00:16 < gmaxwell> the RS code and proximity proofs for the PCP stuff was pretty mind blowing to me.
00:18 < amiller> does this even need any PCP
00:19 < amiller> i can't figure out how to reconcile all the different terms, many verifiable computing things explicitly say they don't need any PCP which is desirable because PCP usually implies exponentially additional work for Prover
00:19 < gmaxwell> go read Eli's paper on how they solve that.
00:19 < gmaxwell> lemme find link
00:21 < gmaxwell> http://people.csail.mit.edu/madhu/papers/2005/rspcpp-full.pdf and then http://eccc.hpi-web.de/report/2012/045/
00:23 < amiller> i see "Although we also construct simpler PCPs, our approach by contrast relies on adding algebraic structure instead of combinatorics."
00:23 < amiller> they also mention something by Dinur that presumably also gets quasilinear blowup (which is probably tolerable)
00:28 < amiller> ok so fuck it we'll be able to code a single utxo branch checker and then validate the whole block chain in constant time, that's totally exciting
00:29 < amiller> then the splitting hairs thing is to try to get these proofs constructed collaboratively
00:30 < amiller> they're already set up to be built incrementally which is good
00:30 < gmaxwell> (the second cite I just gave even mentions "recursively compose non-interactive proofs")
00:39 < realazthat> mmm
00:39 < realazthat> that sounds something like what I suggested
00:40 < realazthat> at least by the name lol
--- Log closed Sun Jun 02 02:09:08 2013
--- Log opened Sun Jun 02 02:09:22 2013
02:50 < amiller> every advanced crypto concept is just a) complicated thing b) complicated thing c) merkle tree on top of complicated things d) complicated thing
02:50 < warren> Don't forget the hand waving.
12:09 < realazthat> I invited eli to #bitcoin-dev and #bitcoin-wizards
12:09 < realazthat> dunno if he has the time lol
12:09 < realazthat> but would be cool
22:04 < realazthat> mmk
22:04 < realazthat> got eli's response
22:04 < realazthat> Q: How does SCIP cost O(T(P)) time to generate P' for Alice, if there is no way of knowing how long P will run (halting problem)? I assume there is some bound that must be chosen then? If Bob runs longer than this bound, I assume it will fail?
22:04 < realazthat> eli: Part of the problem definition is a time bound. And we assume wlog that if the execution shoots over it then it fails. Thus, the halting problem is not an issue.
22:05 < realazthat> Q: Why can't a simple 1-level recursion reduce Alice's required generation time? That is, Alice verifies a verification function was run on chained runs of a smaller task, which sum up to P? I think this can get the generation time to sqrt(T(P)). And possibly lower, if it is done with more levels of recursion.
22:05 < realazthat> eli: Good idea, this is known as "bootstrapping" but getting it right is far from trivial. There are a few works on the topic, such as by Paul Valiant (titled "incrementally verifiable computation"), and by Chiesa and Tromer (called "Proof carrying data and hearsay arguments") and more recently by them+Bitansky, Canetti, titled Recursive composition and bootstrapping for SNARKS and proof-carrying data.
22:05 < realazthat> PS. if you have time to answer more questions, I would love to chat with you and/or other people knowledgeable/interested about the project on IRC. Several interested people hang out on the freenode network in #bitcoin-dev and #bitcoin-wizards.
22:05 < amiller> righteous
22:06 < realazthat> eli: I would be happy to hang out some time with some of my collaborators, how does this work?
22:06 < realazthat> PPS. I would also love to attempt/start an LLVM backend to tinyram for my personal gratification of playing with LLVM and tinyram.
22:06 < realazthat> Will forward this to my co-PI and let's see how to get it to work, will get back to you on this.
22:06 < realazthat> mmk, now I have to give him instructs on getting on here :D
22:09 < realazthat> I wonder if we should setup some sort of official Q&A
22:10 < realazthat> in #bitcoin-dev
22:10 < realazthat> because his wording indicates a one-time deal
22:42 < amiller> mailing list threads are usually pretty good too
22:55 < realazthat> oh shall I invite him to the bitcoin ML?
22:55 < realazthat> I am not subscribed myself
22:55 < realazthat> subscribed to too many MLs lol
22:59 < amiller> maybe it would be nice to make a forum thread about his talk and how to actually begin a project on it?
22:59 < amiller> if you want to solicit more open ideas / support / help from the community
22:59 < amiller> or if you want to do it mostly yourself you could just pick anyone you can find (maybe people in here i guess) and include them on an email
23:00 < realazthat> mmm
23:01 < realazthat> I assumed there were people talking about this elsewhere on the forums
23:01 < realazthat> I don't really follow them
23:01 < realazthat> but I have his attention, I am just wondering where it is best to direct it
23:01 < realazthat> as for working on applications of it, that's a separate story I think, no
23:02 < amiller> link to the forum threads?
23:03 < amiller> (why not look for them)
23:03 < realazthat> mmmyeah
23:03 < amiller> i'm also not sure where best to direct it
23:03 < realazthat> it seems a bit silent about SCIP hehe
23:03 < realazthat> on the forums that is
23:04 < realazthat> google doesn't turn up much
23:04 < amiller> but i definitely have the sense that it's really exciting to have high powered cryptographers taking nontrivial (grr, adi shamir) looks at bitcoin and offering to help
16:39 < gmaxwell> yea, okay, but if it fails you could just ban the host... doesn't seem like a very useful attack. "I can make you do one pointless sha256 operation per IP!"
16:41 < gmaxwell> Luke-Jr: what? if someone submits something that isn't valid work (either a share or a block solution), why not short term blacklist them? could even just be for 10 seconds.
16:41 < phantomcircuit> gmaxwell, you cant do that, a significant enough % of shares submitted are invalid that you'd block legitimate clients
16:42 < gmaxwell> phantomcircuit: invalid as in the hashes aren't good?!
16:42 < Luke-Jr> gmaxwell: because it happens normally
16:42 < Luke-Jr> not often, but it does
16:42 < Luke-Jr> especially with stupid miners
16:42 < gmaxwell> Luke-Jr: uh why aren't miners checking work before they submit it?
16:42 < Luke-Jr> dunno
16:42 < Luke-Jr> I guess that's harder to screw up with GBT..
16:43 < warren> gmaxwell: certainly we've seen that all miners and mining pool ops know what they're doing.
16:43 < phantomcircuit> gmaxwell, yeah i dont get it either but some % of shares submitted by cgminer end up missing the target
16:43 < warren> and understand the code they copied from a random github
16:44 < phantomcircuit> lol
16:45 < Luke-Jr> gmaxwell: heh, denying the authority we basically have seems futile - I'm just going to blame the community that empowers us by not make decisions
16:45 < Luke-Jr> making their own*
16:45 < Luke-Jr> phantomcircuit: well, that's cgminer
16:46 < phantomcircuit> Luke-Jr, i think i've seen it with bfgminer also over stratum but only at trivial amounts
16:46 < phantomcircuit> but certainly banning for a single failed hash wouldn't be a good idea
16:46 < gmaxwell> Luke-Jr: I think his comment is just psycho. he's railing about the bitcoin foundation as if that has anything to do with it.
16:46 < gmaxwell> (especially as if it had anything to do with bfgminer!)
16:46 < warren> bitcon foundation g*something miner
16:47 < Luke-Jr> lol
16:47 < warren> I couldn't think of an amusing g word.
16:47 < Luke-Jr> gmaxwell: well, it doesn't help that someone got a cert to sign B-Qt as "Bitcoin Foundation" :/
16:47 < Luke-Jr> warren: Bitcoin Foundation/Google Miner
16:47 < Luke-Jr> obviously
16:59 < BlueMatt> amiller: http://i.imgur.com/wGNyKLX.jpg (yes, the position of the title is rather arbitrary, but it works well as my desktop background)
17:00 < amiller> :)
17:00 < amiller> i'll let you know if we make a more accurate one :)
17:01 < BlueMatt> meh, I figure it's probably pretty far off, but I don't care all that much
17:01 < BlueMatt> still looks cool
17:03 < amiller> :)
17:03 < gmaxwell> https://bitcointalk.org/index.php?topic=325737.msg3492937#msg3492937
17:12 < phantomcircuit> Luke-Jr, does #allblocks work if the stratum server supports get_transactions?
17:13 < Luke-Jr> no
17:13 < phantomcircuit> gmaxwell, sometime later this week i'll work on preventing amiller's mapping method
17:14 < amiller> pls dont
17:14 < phantomcircuit> gmaxwell, any suggestions beyond just improving the trickle out stuff?
17:14 < phantomcircuit> amiller, the problem is you could be mapping nodes to wallets
17:14 < phantomcircuit> which is a general privacy problem
17:15 < phantomcircuit> im sure you're not but
17:15 < gmaxwell> phantomcircuit: well mapping the network increases dos risks. e.g. map the connectivity in the region of a node of interest and DOS its peers.
17:15 < gmaxwell> Now you've isolated it.
17:15 < phantomcircuit> right
17:15 < phantomcircuit> im sure he isn't doing that
17:16 < phantomcircuit> but there are all kinds of problems with being able to map the network
17:16 < gmaxwell> he's not, but his technique could be used to do so, if it were accurate enough.
17:16 < amiller> well, figure out how to fix it and just let me collect results before deploying it :o
17:18 < gmaxwell> sure sure
17:18 < phantomcircuit> amiller, i would assume that such a fix won't be part of a release for several weeks minimum
17:18 < phantomcircuit> you've got plenty of time
17:18 < amiller> k
17:18 < phantomcircuit> also fun fact i tried to record every message from the entire network but gave up after i filled a 2TB hdd in 15 days
17:18 < amiller> the grad student who's working on this has basically been working on it for 2 years now, he codes slowly
17:19 < phantomcircuit> (yes with extensive deduplication)
17:19 < phantomcircuit> amiller, you maybe want to put a fire under his butt then :/
17:19 < amiller> yep.
17:41 < MC1984_> amiller how are nodes grouped on that graph
17:52 < amiller> MC1984_, arbitrarily
17:52 < amiller> something about mutual connectedness
17:52 < MC1984_> i wondered if the orange cluster on the right was bci
17:53 < MC1984_> and the big yellow one top middle is probably the nsa amirite
17:54 < amiller> petertodd, did you make a javascript bitcoin network simulator and tell me about it some time
17:59 < petertodd> amiller: nope, never written a line of javascript in my life
17:59 < amiller> good, keep it that way
17:59 < amiller> petertodd, are you reeep
18:00 < amiller> not retep, but reeep
18:00 < petertodd> lol, nope
23:12 < midnightmagic> it's 25% iterative, capped when the queue for that peer fills up with enough waiting messages (in which case it floods it out), with a 100 millisecond granularity.
--- Log closed Wed Nov 06 00:00:26 2013
--- Log opened Wed Nov 06 00:00:26 2013
08:25 < adam3us> can you put a locktime inside a script address? or is the locktime an attribute of the transaction only
08:26 < sipa> it's a transaction attribute
08:26 < adam3us> sipa: eg can i pay you, in such a way that I can't later (after confirmation) spend the inputs; and you can only onwards spend after locktime
08:27 < sipa> yes, that's what locktime does
08:28 < sipa> it prevents putting the transaction in a block until a certain timestamp or block height has passed
08:28 < adam3us> sipa: well the first transaction must be confirmed, but i suppose eg the script requires two signatures, and i give the recipient one signature that is on a transaction serialization with a locktime
08:28 < adam3us> sipa: i guess that is how you would do it
09:58 < amiller> i'm starting to feel more concerned about the selfish mining attack
09:58 < amiller> first of all i think the thing to focus on is the 1/3 limit
09:58 < amiller> since everything else really gives the attacker too much control over latency
09:59 < amiller> as an impossibility result you'd want to say that we're screwed even with a weak adversary
09:59 < amiller> so here's the thing, previously we thought there was no direct way to profit disproportionately even with a 51% attack
10:00 < amiller> the thing is, this closes the gap between 1/3 and 1/2 because once you hit 1/3, you can gain disproportionate profit
10:00 < amiller> you don't even have to commit fully to the selfish mining!
10:00 < amiller> if you are above 1/3, you can withhold blocks for a little bit, some of the time, and still get the benefit
11:00 < petertodd> amiller: announce/commit sacrifices to fees are an excellent example where withholding blocks for just a little bit can be worth it
11:01 < petertodd> amiller: basically, the sacrifice unlocks at some block height, so anything you do to keep the rest of the network at least a block behind can be very profitable
12:54 < amiller> it's hard for me to understand how trickle could actually slow tx propagation much
12:54 < amiller> every inv has a 1/4 chance of getting sent, every 100 ms or so
12:55 < amiller> since that's how often each peer is processed
12:55 < amiller> the chance of a tx not getting sent after a couple seconds is really low
--- Log closed Thu Nov 07 00:00:33 2013
--- Log opened Thu Nov 07 00:00:33 2013
06:25 < midnightmagic> hrm.
06:26 < midnightmagic> petertodd: Did you see the FAQ entry in Sirer's blog? "Our attack does not rely on network position or well-connectedness. It does not require Sybils. It does not require a fast connection to other miners. Anyone who claims otherwise does not understand the attack."
06:47 < petertodd> midnightmagic: yes I did, and the way they describe their attack is it's one where it's made better by all those things
06:50 < midnightmagic> Sneaky wording then. Doesn't *rely* on it, and works without it. I wonder if "minimal advantage" is thus how they consider the attack as a currency-destroying revelation.
06:51 < petertodd> They're assuming that miners will shift to the pool with the higher profit margin
06:52 < midnightmagic> i wonder if the math were done right now it would compare against just making a bunch of blank blocks
06:52 < midnightmagic> s/now/how/
06:53 * midnightmagic solicits headache cures
06:53 < petertodd> Look at it this way: their attack, without any low-latency insight into the network, devolves into my attack!
06:56 < petertodd> Or less charitably: I had a great bit of intuition months ago, was lazy and didn't develop it properly, and someone else re-invented it with the twist that if you also have low-latency you can exploit it at less than 30% hashing power.
06:57 < petertodd> or heck, maybe that's where they got the idea... they tell me that they don't understand how my attack works, but I don't exactly trust those guys :/
07:13 < midnightmagic> petertodd: I read -wizards as much as possible but I missed your attack. What's your attack?
07:14 < petertodd> It's something I posted ages ago to bitcoin-development - like last january - showing how contrary to popular belief miners had an incentive to publish their blocks to only a majority of hashing power rather than all hashing power if their goal was to get more blocks than other miners.
07:15 < petertodd> My original analysis was overly simplistic, and when I applied a bit of math to it I realized I was wrong and the threshold was actually only 30%
07:20 < midnightmagic> petertodd: ah cool thanks for the pointer
14:25 < maaku> I haven't studied SIN / identity protocol much at all
20:50 < fagmuffinz> justanotheruser: you could have people agree to some protocol that would operate the same way some central authority would, and if compliance with that protocol can be algorithmically guaranteed, then you could decentralize it
20:50 < fagmuffinz> Thinking on that algorithm
20:55 < fagmuffinz> I mean, you don't need a proof of work for it at all
20:55 < fagmuffinz> If you actually count the vote right...
20:55 < fagmuffinz> There's no incentive to keep recounting it
20:55 < fagmuffinz> All you care about is verification
20:55 < fagmuffinz> Which is easily agreeable in a shared protocol
20:56 < justanotheruser> fagmuffinz: how do you do this anonymously?
20:56 < justanotheruser> while verifying that everyone who started with a vote, and only those that started with a vote are counted
20:56 < fagmuffinz> That's harder
20:56 < fagmuffinz> First part is easy, just random key generation every time
20:57 < fagmuffinz> Now you're asking about assigning people keys
20:57 < fagmuffinz> Let's say...
20:57 < fagmuffinz> Everyone agreed to do a shamir's secret sharing algo
20:57 < fagmuffinz> And you could generate M keys...
20:57 < justanotheruser> fagmuffinz: If the central authority can make 10000000 votes for themselves, then it is no better than the current situation
20:58 < fagmuffinz> The M keys could be applicable to use, then, for signing given enough length
20:59 < fagmuffinz> Thinking about retooling shamir's
21:00 < fagmuffinz> I think this would work...
21:00 < justanotheruser> When assigned keys, you either need to say who you gave them to, which would remove anonymity, or not say, which would allow them to make as many votes as they wanted
21:00 < fagmuffinz> Is it important to outside parties to verify the result of an election?
21:00 < fagmuffinz> No
21:00 < fagmuffinz> I've already gotten past that
21:01 < justanotheruser> What, using shamir?
21:01 < fagmuffinz> Yea
21:01 < fagmuffinz> I've got it actually
21:01 < fagmuffinz> As long as outside parties don't need to vote
21:01 < fagmuffinz> Or verify
21:01 < fagmuffinz> Whatever
21:01 < justanotheruser> How would you use shamirs for voting?
21:01 < fagmuffinz> lmfao
21:02 < fagmuffinz> God, that's gorgeous
21:02 < fagmuffinz> Ok
21:02 < fagmuffinz> Let's say there's a blockchain that starts with some initial seed
21:02 < fagmuffinz> Everyone shamir's secrets that seed
21:02 < fagmuffinz> And generates M keys to vote with
21:02 < fagmuffinz> Encrypt this initial seed with the key Shamir's secret sharing generates
21:03 < fagmuffinz> Save it as the next seed for the next "voting block"
21:03 < fagmuffinz> Everyone who's in knows it
21:03 < fagmuffinz> Those people then use their M keys to cast a vote
21:03 < fagmuffinz> Moot after that point
21:04 < fagmuffinz> You could add people potentially
21:04 < fagmuffinz> Everyone agrees that each key also gets to elect one new person to join
21:05 < fagmuffinz> Eh...
21:05 < fagmuffinz> Fuck
21:05 < fagmuffinz> Sec
21:06 < justanotheruser> fagmuffinz: Wouldn't everyone know everyone elses votes if there was a shared seed that was the other half of everyones secret?
21:06 < fagmuffinz> Yea
21:06 < fagmuffinz> But you can make that pseudononymous
21:07 < justanotheruser> So there are pseudonyms associated with the votes? Meaning the votes aren't guaranteed to be associated with a person?
21:07 < fagmuffinz> Correct
21:07 < fagmuffinz> The issue I'm running into right now mentally...
21:08 < fagmuffinz> Is ensuring the keys generated that suffice shamir's secret sharing...
21:08 < fagmuffinz> Can be isomorphic to a private/public key pair...
21:08 < fagmuffinz> Or guarantee some private/public key pair
21:12 < fagmuffinz> If p and q were your public/private key pair
21:12 < fagmuffinz> You could do something like...
21:12 < fagmuffinz> G = p^q
21:12 < fagmuffinz> Then sign G with p
21:13 < fagmuffinz> Or...
21:13 < fagmuffinz> One of the M keys
21:13 < fagmuffinz> Sign (G,p)
21:13 < fagmuffinz> All of this modulo some N
21:21 < fagmuffinz> K, scratch part of that. All that's necessary to ensure that whoever had the key actually cast the vote is signing off a (p,N) message with one of the shamir's keys, for a p/q mod N public/private key pair. I currently have no way of guaranteeing good behavior to those included in the vote, aside from the protocol penalizing them during the next voting round(s)
21:27 < fagmuffinz> Is that sufficient?
21:40 < justanotheruser> sorry, I was away, you still there fagmuffinz
21:40 < fagmuffinz> yea
21:41 < justanotheruser> I don't really understand what you mean by penalizing them
21:42 < justanotheruser> brb
23:40 < fagmuffinz> I'm not exactly sure what I mean either thinking about it
23:40 < fagmuffinz> Or any good way of enforcing it
23:40 < fagmuffinz> The issue is in verifying everyone else's key in the SSS (Shamir Secret Sharing), you could easily use any of their keys to vote
23:41 < fagmuffinz> So you're assuming good behavior amongst the voting population
23:41 < fagmuffinz> That's probably a no-no
--- Log closed Wed Jan 01 00:00:44 2014
--- Log opened Wed Jan 01 00:00:44 2014
01:15 < midnightmagic> fagmuffinz: man you have a terrible nickname
01:18 < gmaxwell> fagmuffinz: I'm not sure what you're trying to accomplish, I missed the history.
01:19 < justanotheruser> gmaxwell: It was the voting thing again.
01:35 < phantomcircuit> midnightmagic, maybe he likes his muffinz with fags
01:35 < phantomcircuit> although that sounds a bit gritty
14:38 < maaku> can Grover's algorithm be used for quantum mining?
14:39 < gmaxwell> sure, in theory, if there existed hardware that could run it.
14:40 < gmaxwell> it's only a sqrt speedup. It would unhinge the difficulty update somewhat. (though if it got far out of whack it would still have quadratic convergence)
14:44 < maaku> Some FUD on lesswrong about quantum computing leading to centralization
14:45 < warren> No tech breakthroughs are needed for human behavior to cause centralization.
14:46 < maaku> heh, yeah
14:49 < gmaxwell> I don't see where that conclusion comes from, unless it's just some assumption that only one party will have access to the faster miner.
14:50 < maaku> gmaxwell: yes, that's the (ridiculous) assumption
14:50 < gmaxwell> Not only that. It's quite likely that should someone successfully use Grover it'll be _slower_ for some time. Simply because the quantum machine runs at 100khz or whatever.
14:50 < maaku> that someone will invent a quantum computer capable of doing more work than the entire bitcoin network
14:51 < Alanius> isn't the "quadratic speedup" irrelevant when considering sha 256?
14:52 < Alanius> it's quadratic only for large enough problems
14:52 < Alanius> but the problem size is fixed in this case
14:54 < andytoshi> maaku: lesswrong link? istm that any non-infinite speedup would be covered by the difficulty algo
14:54 < maaku> Sybil successfully Sybil-attacked psychiatrics: http://www.npr.org/2011/10/20/141514464/real-sybil-admits-multiple-personalities-were-fake
14:54 < sipa> Alanius: the quadratic speedup is about finding a preimage
14:55 < Alanius> ... isn't that what Grover's algorithm does?
14:55 < sipa> yes
14:57 < maaku> andytoshi: http://lesswrong.com/r/lesswrong/lw/je7/a_proposed_inefficiency_in_the_bitcoin_markets/a8xl
14:57 < sipa> Alanius: right, it's only quadratic if you see the size of the hash output as variable
14:58 < andytoshi> sipa: is it correct to think of mining that way,
14:59 < andytoshi> "find a SHA16 preimage of 00", then a SHA32 preimage of 0000, and so on
15:00 < Alanius> I guess you could devise a variant of Grover's algorithm that finds a partial collision instead of a full one, and you'd probably see that quadratic speedup with regards to the inverse of the target :)
15:02 < andytoshi> Alanius: yeah, that's what i'm trying to say
15:03 < sipa> right, it's grover on truncated double sha256, with variable truncation length
15:07 < gmaxwell> Alanius: If you're saying that you're going to find complete preimages (size at maximum) then the work factor is still 2^128, which is infeasible.
19:19 < phantomcircuit> ffs
19:19 < phantomcircuit> bought a cable modem
19:19 < phantomcircuit> no coax cable
21:59 < maaku> merged mining attack I hadn't considered : https://bitcointalk.org/index.php?topic=394388.0
22:01 < maaku> someone solo mining altcoin could double-count proof-of-work by merge mining the fraud chain against their solo blocks
22:06 < gmaxwell> maaku: namecoin ended up deploying a specific defense against this
22:06 < gmaxwell> that requires the namecoin chain to be at a particular position
22:09 < maaku> gmaxwell: i'm aware of that one - it protects against having multiple auxblock commitments in the same coinbase
22:10 < maaku> but the twist here is namecoin merged mined against namecoin
22:10 < maaku> so the attacker has the choice of using the outer block or the inner block
22:11 < warren> maaku: wouldn't that only be an issue in practice if the value of NMC were much higher?
22:12 < maaku> warren: eh? it depends on the size of the double-spend you are trying to make
22:13 < Niko_B> Get some easy bitcoins all you need is a web browser http://t.co/RFLekya7Hc
22:13 < maaku> the fact that you can build up the public chain, while double-counting work towards a secret attack violates some security assumptions
22:14 * maaku needs to learn how to use +o
22:14 < gmaxwell> maaku: oh I don't think you can mergemine namecoin against namecoin.
22:15 < maaku> gmaxwell: yeah i'm not certain if it'd actually work.. but this wasn't something I'd previously thought about
22:15 < gmaxwell> maaku: if you can that's dumb and should be fixed, but it's a purely academic attack right now since you'd have to forgo substantial bitcoin income.
22:15 < maaku> and it would have worked in the system I was designing
22:15 < maaku> it's easily fixed though
22:15 < gmaxwell> should be trivial to fix if so just don't accept non-mergedmined blocks.
22:16 < maaku> yeah
01:33 < gmaxwell> andytoshi: example https://bitcointalk.org/index.php?topic=393593.msg4274997#msg4274997 (that's just one post in a six page thread of people who were ripped off)
01:35 < gmaxwell> suggestions that people publish their loan amounts in OTC in the ratings list have generally been met with unwelcome sounds wrt privacy... though people do it sometimes, esp for smaller amounts with newer traders.
01:35 < andytoshi> ok, i see now, this is really cool .. i think it has the highest usefulness/computational hardness ratio of anything you've posted involving zk proofs
01:35 < gmaxwell> yes, also ... implementable outside of bitcoin.
01:36 < gmaxwell> (Any idea where step 1 is change bitcoin ... is just a lot harder to do, regardless of the details)
01:36 < andytoshi> i'm going to go post this in #coindev and see if anybody wants to implement it..
01:37 < gmaxwell> also, since it involves loss of currency, the CRS-assumption ZKP systems (where you trust that some key creator has thrown away a master key) aren't so bad.
01:38 < gmaxwell> e.g. you're trusting someone to not have kept data that would allow them to make fake loan accumulators. whoptiedo.
01:38 < andytoshi> i wonder if there's a stronger/simpler zk proof system for updating merkle trees like this
01:38 < andytoshi> which maybe doesn't work for general computations
01:38 < gmaxwell> maybe, though as soon as you need proofs for bitcoin that's right out.
01:40 < warren> I suppose this is why the credit agencies ding you for hard pulls.
01:40 < gmaxwell> in any case, proving a very simple function like this should actually be quite realistic, e.g. cpu time of tens of seconds.
01:41 < gmaxwell> warren: hah you could actually make number of proofs a metric that it tracks and extracts.
01:41 < gmaxwell> (e.g. to do a proof for someone they give you nonce, which you must insert into a pulls counter tree.)
01:42 < gmaxwell> it's not quite so cheap that my trivial NIZK would be useful, I expect.
01:42 < gmaxwell> but I guess I should go count how many AND-gates sha256 has.
06:49 < nsh> happy new year, wizards :)
09:57 < jtimon> https://bitcointalk.org/index.php?topic=396991.0
10:08 < tholenst> 24 coins built there already...
10:08 < tholenst> and that's not even counting the ones which prefer to remain private
10:10 * nsh considers a "proof of quality" based blockchain
10:10 < nsh> difficult, all involve voting i suppose
10:11 < nsh> e.g. new block whenever someone comes up with a joke that is considered funnier by >75% of people
10:16 < tholenst> The new scip paper http://eprint.iacr.org/2013/879 seems promising, but they still don't give a download link
10:30 < nsh> hmm, ty
10:32 < tholenst> How long does verification of an ECDSA signature take?
10:34 < nsh> depends on the library, etc.
10:34 < nsh> (and scheme)
10:35 < nsh> --
10:35 < nsh> Wow, it's great.
10:35 < nsh> 187us versus OpenSSL's 1008us, on my test laptop.
10:36 < nsh> -- sipa's implementation of secp256k1, last July
10:36 < nsh> https://bitcointalk.org/index.php?topic=236477.0
10:38 < tholenst> So they talk of 5ms verification time for a program, but that's not on a laptop, so one would probably have to verify a few hundred signatures -- but they only run their program for 32'000 instructions, so it doesn't seem quite useful for signature verification yet
10:39 < tholenst> also they talk of a 16 bit machine...
12:06 < andytoshi> oh my god, the comments on BlueMatt's altgen thread..
12:09 < nsh> always wear appropriate protective eyewear. do not stare directly at derp
12:10 < adam3us> andytoshi: on bct?
12:10 < andytoshi> adam3us: yeah, https://bitcointalk.org/index.php?topic=396991.0 -- jtimon posted it a few hours ago
12:13 < adam3us> andytoshi: lol 'bulk discounts' etc
12:13 < jtimon> yeah, this was hilariously absurd: https://bitcointalk.org/index.php?topic=398272.0
12:14 < nsh> "We will hard fork you out, then we will have to continue with GPU without you." (imagines set to all your base graphics...)
12:17 < nsh> or
12:17 < tholenst> It's awesome. It essentially says: "If you give me money, that'll help me to fraud people!"
12:17 < nsh> there's reductio ad absurdum and then there's straight out building a highway to absurdity.
12:30 < jtimon> hehe highway to absurdity...
12:40 < Luke-Jr> "Yes, it works fine and you do not end up on the wrong chain as long as you have a different network packet magic - as your node will never peer with another node with a different magic."
12:40 < Luke-Jr> hahaha
13:59 < jtimon> does anyone know if any of the results have been launched on the alts subforum already?
14:26 < Luke-Jr> nsh: can I quote you? [17:17:31] <nsh> there's reductio ad absurdum and then there's straight out building a highway to absurdity.
14:26 < Luke-Jr> (I already did, but I forgot to ask first..)
14:27 < nsh> sure
14:27 < nsh> :)
14:27 < Luke-Jr> thx
14:31 < Luke-Jr> "hello, is there a way to set a permanent change address?"
14:31 < Luke-Jr> why do I get these PMs now?
14:32 * Luke-Jr replies "No, because that would be broken and stupid."
15:44 < _ingsoc> Does anyone mess around with Go?
15:45 < gmaxwell> tholenst: their scaling is nearly linear, so you can scale up the cycle count. Also, 32000 instructions is enough to do hash based signing. In any case, the tinyram stuff is always going to be less efficient (by ... 10 to 1000 fold) than direct circuits specialized for the task at hand.
15:58 < nsh> tinyram is just a didactic model though. there's no reason you couldn't adapt it to specialized problems
15:58 < nsh> (that i can think of, at least)
16:00 < gmaxwell> nsh: well kinda, there are ways of using this stuff where you want the circuit under evaluation to be a constant thing.
16:01 < nsh> mmm
16:01 < gmaxwell> and with tinyram you could make it constant (or at least constant up to some execution length) and the hash of the program being run is just a public input.
16:01 < gmaxwell> so it really can be useful to have a fully generic circuit.
16:01 * nsh nods
16:03 < gmaxwell> you could, of course, add extra instructions. e.g. for our applications a SHA256 operator would be super useful.
16:03 < nsh> hmm, good point
16:05 < tholenst> gmaxwell: yes, i know... i was trying to get a grasp of whether it would be useful for example just to batch all signature verifications... but I found it difficult to assess. Would be nice if there was an implementation available
16:06 < gmaxwell> tholenst: yea, I don't know why they haven't made it available. They're using the same backend math as pinocchio, so you could look that up.
16:06 < tholenst> I could just ask them :)
16:07 < gmaxwell> tholenst: IIRC only a few of the pairing operators are input specific, as I recall.
16:07 < gmaxwell> So I think that if your circuit is constant you can precompute a fair bit.
16:08 < gmaxwell> (A few, being like two pairing operations I think)
16:08 < tholenst> i don't actually have a specific application in mind...
16:11 < tholenst> I was thinking more about extending the scripting language recently anyhow :)
16:12 < tholenst> It should be like this: if you have a reserved opcode in the pubkey script, the script should automatically accept no matter what happened before.
16:14 < gmaxwell> tholenst: well it's not. Its easy to build extensions that work like that anyways.
16:14 < gmaxwell> e.g. just different OP_EVALs for new P2SHes that make transactions look hashlocked to the old nodes.
16:16 < tholenst> do you mean exactly the same as P2SH, but a different op-code instead of OP_HASH?
16:16 < tholenst> i don't see right now how you mean that
16:18 < Luke-Jr> tempting to revise Script in a P2SH^2
16:21 < gmaxwell> tholenst: effectively.
16:22 < tholenst> oh i see -- you can just take one which is effectively a NOP now
16:47 < tholenst> btw i was thinking more about what it would need in scripting to implement the idea that you can have deposits for your transactions; i.e., if you double spend you lose money
16:47 < tholenst> i think it's reasonable
16:51 < sipa> that implies scriots can access state outside of the chain they operate on
16:51 < sipa> which is extremely jard to get right, i think
16:51 < sipa> scripts, hard
16:51 < tholenst> no
16:52 < tholenst> i don't need that
16:52 < sipa> double spends don't exist within one chain
16:52 < sipa> if you're even using that word, it implies you're observing other state
16:53 < Luke-Jr> tholenst: double spending is not detectable technically really
16:53 < Luke-Jr> two signed transactions spending the same coin, is not necessarily "double spending"
16:53 < Luke-Jr> it can occur in legitimate circumstances too
16:53 < tholenst> well, the idea is different: I give you a transaction which essentially says: "If you find messages m_1 != m_2, signed with SecretKeyA, then you can have this money here"
16:53 < sipa> ah!
16:54 < sipa> you'd need some higher order construct in transactions
16:54 < sipa> but indeed, that doesn't require access to other data
16:54 < tholenst> yes, you need improved scripting, but it suffices to look at the chain
16:54 < nsh> hrmmm
16:54 < sipa> just means you need to embed the two different spending transactions inside your script
16:54 < nsh> interesting idea
16:55 < sipa> no it does not suffice to look at the chain
16:55 < sipa> within the chain double spends are impossible already
16:55 < tholenst> Luke; I know that; a bit more work is necessary for that
16:55 < tholenst> no you just need to embed the two signatures in the script; I can do that
16:55 < sipa> right, indeed
16:56 < tholenst> the chain will get two signatures, from the same secret key, which I assemble from the double spend; thus, the scripting doesn't look outside the chain
16:56 < sipa> yup
16:56 < sipa> but you need some meta construct
16:57 < sipa> where you embed the two previous conflicting signatures as proof that a double spend existed
16:57 < sipa> which is possible and sane
16:57 < sipa> but doesn't exist currently
07:27 < jtimon> bitcoin solves seigniorage by trying to destroy that value
07:28 < deantrade> For example, the Fed not being able to steal my bitcoins unlike they'd be able to steal my gold or my gold in a bank is really really awesome.
07:28 < jtimon> that's true for freicoin too
07:29 < jtimon> there's no need to give 100% of the initial supply to miners to have that
07:29 < jtimon> not too long ago gmaxwell was saying that 5% of the total supply annually for miners is wasteful
07:30 < jtimon> then the initial subsidies have to be much more wasteful
07:30 < jtimon> we need proof of work for security, totally agreed
07:30 < deantrade> "waste"? wasting what?
07:31 < jtimon> but I don't think we need it for issuance too
07:31 < deantrade> How else do issuance? Have the group of developers that made it each get some number of coins?
07:31 < jtimon> electricity, conductors to build more asics than we need instead of general purpose computers
07:32 < jtimon> deantrade, it's not an easy issue
07:32 < jtimon> we've looked for ways in the freicoin forum and many have appeared
07:32 < jtimon> we hope to find a purely p2p one
07:33 < jtimon> for example, subsidizing scientific computations demonstrable with spark/scip
07:34 < deantrade> "electricity, conductors to build more asics than we need instead of general purpose computers" -> just like all of the effort used to mine and refine and make jewelry out of gold.
07:34 < jtimon> instead of getting money for random hashes, get it for submitting folding@home work units or something else
07:35 < deantrade> It takes effort to make bitcoins, they don't just come into existence willy nilly.
07:35 < jtimon> that's purely a design decision as demonstrated by freicoin
07:36 < jtimon> only 20% of the initial freicoins come to existence through mining
07:36 < jtimon> yet the freicoin network is secure and their miners get profits
07:37 < jtimon> miners don't create the value, users and merchants do
07:37 < deantrade> folding@home = centralized acceptor no? I agree it would be cool if the work could be towards something like organic chemistry simulation, but I'm not really an expert in that field in order to really know if there is anything practical that we could do that would be hard to find a solution for but easy to verify work on.
07:39 < deantrade> Miners do create some value: we use the ledger made by the person who proves to do the most work, rather than just going with ledgers that are made by valueless lazy losers who just would want to double spend or spam
07:40 < jtimon> hard to find a solution for but easy to verify work -> that's what spark/scip is about
07:40 < jtimon> yes, miners provide security
07:41 < jtimon> I agree it's a complex problem
07:41 < jtimon> for now mining is the only 100% p2p distribution mechanism I know
07:42 < jtimon> all I'm saying is that if we had another one, issuance could be completely decoupled from mining
07:43 < jtimon> miners will live only on fees, and if that's not enough security then the system is not sustainable in the long run and the current subsidies are blinding us
07:44 < deantrade> Yea it's a system that hasn't been tested yet.
07:45 < deantrade> Thinking about it while sleep deprived now...
07:51 < jtimon> think of ripple's xrp for example
07:51 < jtimon> their security mechanism is not pow
07:51 < jtimon> they could have distributed it through proof of work
07:52 < jtimon> but that wouldn't have made any economic sense
07:52 < jtimon> that doesn't mean the distribution mechanism they've chosen is cool
07:52 < deantrade> ripple is crap, not pow, its mob vote rule
07:53 < deantrade> good night!
07:53 < jtimon> Ryan Fugger's Ripple is a great concept
07:53 < jtimon> ripplelab's implementation is not good enough, I agree
07:53 < jtimon> ok, good night, I have to code
16:09 < warren> jgarzik: you had people at the office who could reproduce the mac corruption?
16:10 < warren> Please ask them to test the new builds?
16:10 < Ryan52> cfields: submitted my verification of sources in deterministic dmg builds, as a comment to your commit.
16:10 < cfields> Ryan52: great, thanks
16:11 < warren> Ryan52: URL?
16:11 < warren> cfields: zero reports of testing your memory barrier patch so far
16:11 < warren> from people who were able to make it fail
16:11 < cfields> warren: the more i read, the less convinced i am that it will do anything significant
16:11 < warren> cfields: oh?
16:11 < Ryan52> warren: https://github.com/theuni/bitcoin/commit/8a64fb98370ccc299d73111bbf97cdde23f681b1#commitcomment-4708754
16:12 < cfields> asm dumps seem to show that the asm memory hack is enough to get the compiler to avoid reordering
16:12 < warren> Ryan52: btw, for gitian you need to have an established GPG key and identify
16:12 < warren> identity*
16:14 < Ryan52> warren: Sadly, my 1024 bit key is not well connected and my 4096 key is not really connected at all. :(
16:14 * Ryan52 needs to get out more, or something.
16:15 < warren> Ryan52: I started a 8192 bit key only a few months ago
16:15 < warren> Ryan52: what state are you in now?
16:16 < TD> cfields: hmm i thought you said you checked that and saw reorderings across the barrier
16:16 < Ryan52> Gah, guess I didn't even get my 4096 key usable before it was obsolete, that is sad. I actually do have one more signature sitting in my INBOX from recently, though, when I get the chance to pull out the disk with the private key storage from my safe.
16:16 < cfields> TD: i do with some compilers, with some flags
16:16 < Ryan52> warren: Oregon
16:17 * Ryan52 travels to Washington frequently, too
16:17 < cfields> TD: i think the change is necessary, but i'm not sure that it will affect the way we currently build
16:17 < TD> ok
16:17 < TD> hmm too bad. i thought that might have been it, for a moment
16:18 < cfields> the asm diffs are pretty hard to read since it changes a bunch of stuff around. it's still possible they're necessary, but i'm not as confident as i was yesterday
16:44 < maaku> Ryan52: 4096 bits is obsolete?
16:45 < cfields> warren: have you heard of the corruption happening to anyone running a 64bit osx binary?
16:46 < sipa> yes, gavin is running a 64-bit build and has seen corruption
16:46 < maaku> cfields: yes, it's happened to me
16:46 < cfields> the current corruption? not the ones that have been fixed already?
16:46 < sipa> i have no idea what has been fixed
16:47 < sipa> i don't have any iThings
16:47 < maaku> it was either v0.8.3 or v0.8.5, but not trunk
16:47 < cfields> the fdatasync commits a while ago, i meant
16:47 < maaku> i don't know about gavin
16:47 < cfields> ok
16:47 < sipa> gavin has seen corruption on master a month ago or so
16:47 < maaku> gavinandresen: ^^
16:48 < phantomcircuit> Ryan52, 4096 bit keys are probably safe for a decade assuming no major quantum computing improvements
17:20 < amiller> hey does anyone here understand iddo's protocol er adam back's version of it
17:21 < amiller> adam3us, does this post work and not rely on currently disabled opcodes? https://bitcointalk.org/index.php?topic=277048.msg3210328#msg3210328
17:22 < amiller> i don't see how you can guarantee that you can add a + b, does addition in the script just do overflow with mod?
17:27 < amiller> so each number must be 4 bytes or else it fails
17:27 < amiller> and it's signed
17:28 < amiller> what you'd want to do is typecheck the b preimage of h(b)
17:28 < amiller> in other words you don't want to allow b to be a 5 byte number, because then b could claim his side but a wouldn't be able to take it anyway
17:28 < amiller> so it would time out
17:28 < gavinandresen> hmm? I've had three instances of corruption over the last six months, all running at-the-time-git-HEAD, compiled 64-bit with clang3.3 (my development environment builds)
17:29 < amiller> but you can typecheck b by making b have to do an OP_ADD 0 to it, which guarantees that if B can spend it, A can spend it
17:33 < warren> cfields: the distributed bitcoin binaries are built with xcode 3.2.x on MacOS 10.6.x
17:34 < warren> cfields: gcc-4.2 based
17:34 < cfields> gavinandresen: ok, thanks
17:43 < warren> cfields: so would test results of my builds with your patch built by gcc-4.2 32bit be useful?
17:44 < cfields> warren: erm, what else would they be built with?
17:44 < warren> cfields: you're asking about 32bit vs 64bit and different compilers
17:45 < warren> cfields: these are built in the "standard" release way
17:45 < warren> gavinandresen: quick question
17:45 < cfields> warren: i saw an oddity in leveldb that would only be a problem for 32bit builds. If the error manifests in 64bit as well, there's no need to investigate it
17:47 < warren> gavinandresen: https://github.com/bitcoin/bitcoin/blob/master/doc/release-process.md my Bitcoin builds using this documented process ending with "contrib/macdeploy/macdeployqtplus" works in creating .dmg's, but their plist is missing menu options. Are you following exactly this documented process?
17:48 < gavinandresen> warren: yes, I copy and paste from that document when I do the builds
17:49 < gavinandresen> warren: and that's really not a bitcoin-wizards type of question.
18:11 < adam3us> amiller: iddo wrote it up later in the same bct thread as https://bitcointalk.org/index.php?topic=277048.msg3220019#msg3220019 and there he used (A xor B) mod 2 == 1 as the test. however xor is disabled. similarly add is enabled but aborts if the input is > 4 bytes. i guess thats a problem too because a hash of a 32 bit number is trivial to brute force. cat is also disabled, and hash takes one input only
18:13 < amiller> adam3us, so what about what i suggested
18:13 < amiller> you can hash a 4 byte number
18:13 < amiller> ah but that's not very high entropy.
18:13 < adam3us> amiller: yes but then its brute forceable and cat is disabled etc yep
18:13 < amiller> you can basically enumerate the hashes of the 4 bytes
18:13 < amiller> so without cat you're screwed
18:13 < amiller> okay right.
08:31 < adam3us> jgarzik_: apparently it originally stood for ex-google btc list, but is some kind of invite only ? bitcoin list that some bitcoin bigwigs are lurking on , or so i was told and found via a fwded mail from that list, from someone who got themselves onto it
08:31 < adam3us> jgarzik_: i am not so much a fan of closed/moderated/non-open lists myself - i was kind of irritated at the concept
08:31 < HM2> jgarzik_, you're obviously not a bigwig :P
08:31 < jgarzik_> obviously :)
08:31 < adam3us> jgarzik_: so my buddy charles said let me find the mail (his words)
08:33 < adam3us> jgarzik_: (and its ridiculous to me that something relatively closed could be formed to talk about bitcoin with any coverage without having folks like this irc chat as first invitees) though i even dislike elitist closed lists on principle
08:36 < adam3us> charles said "it is the who's who of btc so need to get you on it" i am guessing maybe a bunch of mostly ex-googlers plus some bitcoin startup bizdev/ceo types... i'll find out soon (what was fwded to me was some discussion about some kaminsky intel-cpu-only mining function idea)
08:38 < adam3us> the list gatekeeper is bendavenport@gmail.com if you're not someone who refuses to participate in closed lists on principle (i'm largely of that mentality...)
08:40 < sipa> is any of the core devs on that list?
08:40 < sipa> i had never heard about it
08:42 < adam3us> sipa: i dont know whos on it, i have the list invite, but i didnt click on it yet because it sends email to your gmail acct if you fwd your email to gmail which is a nuisance because i dont read my gmail
08:42 < adam3us> sipa: i saw peter vessenes name in the thread
08:43 < adam3us> sipa: there is a way to avoid supposedly that but its complicated involves editing gmail urls and stuff
08:43 < sipa> meh :)
08:44 < adam3us> sipa: yeah maybe its more a bitcoin angel/mba/bizdev club
08:44 < sipa> sounds like it
08:44 < adam3us> sipa: so they think they're the who's who but we think they're n00bs in suits
08:46 < sipa> lol
08:48 < adam3us> jgarzik_: have an email for this Patrick Murck guy? i found his linkedin profile only
08:49 < jgarzik_> adam3us, https://twitter.com/virtuallylaw on twitter, gotta search for other. bug me in 12 hours, after coding session ;p
08:52 < adam3us> jgarzik: google name, @domain -> patrick@engagelegal.com
08:53 < adam3us> jgarzik_: brain dump about strong need for bitcoin MAD/defensive pool heading patricks way :)
08:56 < adam3us> jgarzik_: i get the brunt of patent shit as my day job is crypto consultant to multiple companies... every time I open my mouth i have to watch what i say or i nor anyone else will be able to use that idea again, have to minimize damage by pointing them at open, prior art ideas only - though that can be partially successful as patents "innovation" doesnt mean what it means in english
09:02 < jgarzik_> adam3us, patrick@bitcoinfoundation.org
09:18 < adam3us> btw about patents, i dont mean to imply any reason to doubt sincerity of the defensive motivation for bitcoin startups to apply for patents; just that history has shown it is not uncommon for such patents within 5-10 year in the normal chance of small companies going bankrupt and their investors selling the assets
09:40 < adam3us> is it matonis@btcf also?
12:03 < adam3us> amiller: about second ZKP there is a technique called limited-show which can prevent showing more than n times (eg more than 1 time) on pain of disclosing your private key via simultaneous equation if you do
12:06 < adam3us> amiller: the way to do that is restrict the owner to using only one initial witness, if he uses two different ones his private key can be calculated for analogous reasons to reusing k in DSA
12:06 < adam3us> amiller: its described in the extended schnorr context in http://cypherspace.org/credlib/brands-technical.pdf p23
12:33 < adam3us> amiller: for example in relation to dsa, that means r=g^k becomes part of the public key, and you're only allowed to use r by definition (not r'=g^k' for any other k'), eg say bitcoin address was H(r=kG,Q)
12:34 < adam3us> amiller: then, as bitcoin anyway always spends the entire input, bitcoin addresses could be strictly one-use, and if you double-spend you reveal your private key, to all miners, who take your coin for themselves instead of mining it - a crypto way to deter double-spending :)
12:35 < gmaxwell> adam3us: unless you're a miner, win win.
12:35 < adam3us> amiller: (of course you cant use that address to control multiple transactions, or you have a problem
12:36 < adam3us> gmaxwell: yes - i suppose the point is it may make certain kinds of bribe other miners to block competing transactions untenable
12:36 < adam3us> gmaxwell: its always going to be more profitable for them to take your coin rather than your bribe
12:38 < adam3us> gmaxwell: i mean then instead of it being plausible to send spend one to victim, and spend2 to some miners, or try to segment the network via network hacking or bribe to not-mine, double-spending becomes risky: anyone and everyone is on the hunt for double-spent transactions, because to a miner they are 100% fee :)
12:43 < petertodd> adam3us: meh, we've already got a way to deter double-spending: replace-by-fee scorched-earth. And it turns out double-spending is actually very useful for a lot of stuff.
12:47 < adam3us> petertodd, gmaxwell: could probably extend that to one spend per txout without having single use keys. eg put r=kG in the txout but reuse Q
12:49 < adam3us> petertodd, gmaxwell: then a double spend of any of them allows all balance by any txouts controlled by that key to be cashed by miners
12:50 < petertodd> yeah, you could do lots of things, but double-spends aren't such a bad thing! there's no good way to resubmit a transaction if you don't allow them.
12:51 < adam3us> petertodd: well the reason i like looking at the double-spend mechanism is it is the core of the mining entanglement in the overall design - if there were a way to do it without mining validation that could be a component of a scalability improvement
12:52 < petertodd> adam3us: why do you say it's the core of the mining entanglement?
12:53 < amiller> it would matter for a different network
12:53 < adam3us> petertodd: well to guarantee order is defined is why there is a single chain partly
12:53 < amiller> if we had like subchains that we wanted to merge
12:53 < amiller> in order to support higher transaction volume without making everyone have to hear them all
12:53 < amiller> then it would be useful to have ways of discouraging noncommutativity
12:53 < amiller> i.e. doublespends
12:53 < amiller> hardly matters for now though
12:54 < petertodd> right, but I think I solved that pretty decently the other day :)
12:54 < petertodd> (FWIW I'm halfway through writing up all that in a semi-proper paper)
13:02 < adam3us> amiller: so constitutional enforcement attached to sigs: single-show (as above), signature of knowledge (and the transaction) that either you know the discrete log of Q or currentReward() != blockreward
13:03 < adam3us> amiller: however i dont think it quite works, probably someone can make a 2 stage soft-fork to remove such checks from majority of clients, if they want to revise the constitution, and most of the users agree
13:04 < adam3us> petertodd: didnt the discussion get to sharding and trie representations within the shard, but still have to somehow avoid hashrate dilution weakening mining vote
13:05 < adam3us> petertodd: you did say something about that but i didnt understand it at the time and channel history gone
13:06 < petertodd> adam3us: I'll send you my logs
13:07 < petertodd> adam3us: but yeah, so basically *if* the blockchain data gets published by miners, it all works out and the hashrate dilution isn't a big deal: the resistance to changing historic data is still there, and because there's no validation required in the scheme that's much less of an issue
13:08 < petertodd> The problem is sharding inherently makes it easy to not publish that data, and essentially have the rest of the hashing power build upon state changes that only you can prove.
13:10 < petertodd> One approach there is to basically say "It's everyone's job to mine"
13:10 < petertodd> (if you withhold your block data, and don't have a local hashing power majority, the non-withholders will overtake you)
13:26 < adam3us> petertodd: maybe it can work, security for individual coins doesnt depend on cross shard mining, because their double-spend information is definitionally in the same trie-shard.
13:26 < adam3us> petertodd: additionally because we dont care which version of history is recorded, just that one is, the other shards can just hash the top of the other shard-chains best effort without looking at or validating the contents of it
13:27 < petertodd> adam3us: yeah, I'm pretty much at the point where I think that in terms of resistance to rewrite, you just need timestamping, and that's what "cross shard hashing" is doing
13:27 < adam3us> petertodd: yes
13:27 < petertodd> It's the incentives to actually distribute the data that's ugly, and the resistance to rewrite can be a bad thing if someone does a 51% attack with the intention of destroying the data later.
13:28 < adam3us> petertodd: because you dont care what they said in their timestamp output, you're just preventing them changing their mind later
13:28 < petertodd> yup
13:29 < adam3us> petertodd: you could even make a k-ary tree of time-stamp servers rather than a broadcast network of them, i think same principle applies
13:29 < petertodd> So one thing that can help, is for mining to be strongly coupled to the blockchain data: make a pow solution involve a non-interactive selection of some of the data, and make it only valid if that data is attached.
13:30 < adam3us> petertodd: well presumably at least the miners can validate the size of the pow on the shard mined blocks they include
16:05 < adam3us> maaku: they are discussing safe curve RFC on CFRG which i am on, which include ed25519, is there a separate place that a EdDSA RFC is being discussed? or is that what you meant
16:05 < kinlo> gmaxwell: I kinda like the happiness and fun the people have in #dogecoin with using the meme. It will die out ofcourse, but they do have a strong community
16:05 < gmaxwell> maaku: if its not mandatory then the amlcoin risk exists. "not our problem your wallet isn't showing our payment, turn off this switch, it's broken"
16:06 < andytoshi> michagogo|cloud: strange, i'll refresh the download, one sec
16:06 < maaku> adam3us: I think that's the discussion I heard about
16:07 < andytoshi> michagogo|cloud: that is a bad hash, thx for letting me know, fixed now
16:07 < maaku> gmaxwell: with sufficient user level protections I don't rate amlcoin as a serious existential risk
16:08 < michagogo|cloud> ;;cjs
16:08 < gribble> Coinjoin Status: There is no currently open session. Visit https://www.wpsoftware.net/coinjoin/ or http://xnpjsvp7crbzlj3w.onion/ to start one.
16:08 < michagogo|cloud> andytoshi: woot
16:09 < michagogo|cloud> (so far, so good... no errors this time, it knows there's no open session)
16:09 < andytoshi> michagogo|cloud: excellent :) sorry, i forgot to stand up the testnet instance of the server, will do that now
16:10 * adam3us is old enough to remember people making analogous claims to reason about systematic MITM, CA malfeasance in the CA security model.
16:11 < michagogo|cloud> andytoshi: What's the format of cjclient.conf?
16:11 < michagogo|cloud> atm I see joinerserver = https://wpsoftware.net/coinjoin/cj-client.php in there
16:11 < michagogo|cloud> and that's it
16:11 < adam3us> maaku: (i was complaining at the time.. 1993ish that a dissident trusting CA infrastructure is crazy)
16:11 < maaku> adam3us: so? that was as sensible a thing to say then as now
16:12 < maaku> that doesn't mean you're right on this issue
16:12 < adam3us> maaku: people had all kinds of reasonable arguments how they'd never do that. it could be detectable. it was unreasonable etc. i am seeing analogies in your assumption that viral ecosystem features would not be abused
16:12 < michagogo|cloud> andytoshi: (I mean, what are the other options)
16:12 < maaku> apples and oranges
16:12 < andytoshi> michagogo|cloud: rpcconnect, rpcuser, rpcpassword and rpcport all work as in bitcoind
16:13 < maaku> if the NSA demands the root cert from the CA, it *is* undetectable
16:13 < michagogo|cloud> So to use testnet I'd set rpcport = 18333?
16:13 < michagogo|cloud> 18332*
16:13 < andytoshi> michagogo|cloud: yeah, that should work
16:13 < michagogo|cloud> And what's the URL?
16:13 < maaku> covenants, on the other hand, by their very nature are prominently part of the script
16:13 < andytoshi> http://testing.wpsoftware.net/coinjoin/
16:13 < adam3us> maaku: alternatively then what makes you confident it would not be abused? good behavior of the incumbent power bases? the possible motivated parties include the combined weight of the banking lobby and governments.
16:14 < maaku> to do... what exactly?
16:14 < michagogo|cloud> andytoshi: bleh...
16:14 < michagogo|cloud> Syncing with joiner, session ID unknown
16:14 < michagogo|cloud> Join server: SSL: no alternative certificate subject name matches target host name 'testing.wpsoftware.net'
16:14 < maaku> force me to convert a coin into something which is unspendable because it fails IsStandard, is not relayed, and not accepted by anybody?
16:14 < adam3us> maaku: anything that is expedient if history teaches us anything. mandate viral amlcoins per example
16:14 < andytoshi> michagogo|cloud: sorry, testing.wpsoftware does not have an SSL cert, just use HTTP
16:15 < michagogo|cloud> Ah, k
16:15 < adam3us> maaku: no thats my point. things which are not supportable by the infrastructure of all users are harder to foist on the users.
16:16 < adam3us> maaku: its not a given, and its a possible risk point, that all bitcoin wallets will remain open source, depending on the parties that get into the wallet & wallet integration/bundling business
16:16 < andytoshi> michagogo|cloud: ok, how about we do a 1.1 testnet join?
16:16 < michagogo|cloud> andytoshi: "Joiner status: session not found."
16:17 < andytoshi> michagogo|cloud: oh :P click "Session->Forget Session"
16:17 < andytoshi> oh, wait..
16:17 < maaku> adam3us: at least where there is rule of law, taking away someone's capability to use their property amounts to theft
16:19 < adam3us> maaku: i agree, and thats a libertarian argument, but even neutral biz people will propose doing something pragmatic that appeases the regulator so they personally can make money fast. its not that they are evil, just that they dont care. if people with this mentality have software deployment power they can cause a lot of damage. eg apple?
16:21 < spenvo> #go-nuts
16:21 < adam3us> maaku: back on interest and contracts. is there another way to achieve that? when i was thinking about extrospection i found it curious that much was achievable via hashlock and dependent transactions
16:21 < spenvo> sorry about that
16:22 < adam3us> maaku: jtimon gave an example of something he claimed was impossible without covenants?
16:22 < maaku> adam3us: but my point is how could their proposal ever fly? people would reject it because their coins would suddenly become unspendable, there'd be lawsuits, etc.
16:22 < maaku> all before it gets far enough along to be entrenched
16:23 < maaku> adam3us: yes, restricted buy-back (of IOUs, to use his example)
16:23 < adam3us> maaku: i dont know. but the adversary is adaptive and intelligent also. coinvalidation would itself be viral
16:24 < maaku> you issue an asset with 1% demurrage with an attached covenant allowing you to buy it back at any time for principle + interest (implemented by sending regular coins to the script stripped of the covenant)
16:24 < maaku> /demurrage/interest/
16:24 < michagogo|cloud> andytoshi: I ticked my inputs and clicked view transaction
16:24 < michagogo|cloud> Now it's frozen
16:25 < adam3us> maaku: so what about a micro-channel. either party can pull-out and claim whats paid to date. interest paid periodically.
16:25 < andytoshi> michagogo|cloud: aw, shit
16:26 < michagogo|cloud> andytoshi: Oh, wait
16:26 < maaku> adam3us: tx replacement? vulnerable to double-spend
16:26 < michagogo|cloud> Just opened up a tailf on bitcoin's debug.log
16:26 < michagogo|cloud> Looks like it's busy drawing addresses
16:27 < andytoshi> how many outputs did you ask for?
16:27 < maaku> not to mention you wouldn't be able to move around ownership (resell debt)
16:27 < andytoshi> it shouldn't do an infinite loop if that's what you're seeing
16:27 < adam3us> maaku: or is there a less powerful language feature that could enable the class of use cases?
16:27 < maaku> adam3us: that would be entirely missing the point
16:28 < maaku> we *want* these crazy covenant use cases
16:29 < maaku> it's just doing so with the decentralized host currency that is problematic
16:29 < michagogo|cloud> andytoshi: My output is in the 5 digits
16:29 < adam3us> maaku: most of the examples on the covenant bct thread looked grey-goo like in their end game.
16:29 < michagogo|cloud> andytoshi: I think it's drawing ~21k keys...
16:29 < maaku> well that was the point of the covenant thread
16:30 < andytoshi> michagogo|cloud: hahahaha, ok, i should definitely do a sanity check there
16:30 < andytoshi> (and you probably want to kill it)
16:30 < adam3us> maaku: what i suggested to vitalik when he asked me something about something ethereum was using is that scripts be certified. then at least users can see who is proposing they do this as a sanity check.
16:30 < michagogo|cloud> It's about half-way done
16:31 < maaku> adam3us: that's something for the payment protocol
16:31 < adam3us> maaku: (he's using some PoW thing i mentioned to him in ethereum it seems)
16:32 < justanotheruser1> maaku: I see. Do you think anything but PoW could work?
16:32 < adam3us> maaku: i mean of the script itself, like maybe you dont want to accept financial covenants unless they are certified as safe and fair by a competent
16:32 < andytoshi> michagogo|cloud: ok, if you're willing to let it go that'll be a good test to see if you can break something
16:32 < maaku> justanotheruser1: what for consensus? no. proof-of-work is absolutely perfect
16:33 < maaku> the deficiencies people often quote are actually what makes it work
16:33 < Luke-Jr> O.o
16:33 < Luke-Jr> far from perfect imo
16:33 < justanotheruser1> maaku: No it isn't. Someone with 20% of the processing power could reverse 6 confirmations within a day
16:33 < adam3us> maaku: missed this bit "just doing so with the decentralized host currency that is problematic" thats interesting. so u think it could be safe for issued assets (peer issued or central issuer issued)
16:34 < maaku> Luke-Jr: idk, the only viable improvement I've seen is gmaxwell's timelock-encryption, although that has more problems than it solves
16:34 < maaku> at the moment
16:34 < michagogo|cloud> 2014-01-15 21:34:29 keypool reserve 17592
16:34 < Luke-Jr> maaku: I didn't say I knew something better, just that PoW isn't perfect :P
16:34 < adam3us> maaku: well i guess eg an issuer like a gold depositary or a mortgage issuer might put some pretty bad terms in the fine print that u are not qualified to evaluate
16:35 < maaku> justanotheruser1: and there's no getting around that. not without compromising what PoW gives you
16:35 < maaku> don't mistake a rule of thumb (6 confirms) with the actual security model of proof of work
16:35 < justanotheruser1> maaku: I never said there is a way to get around that. I just am pointing out that it is an imperfection.
16:35 < maaku> adam3us: sure, who cares if you put a crazy grey-goo covenant on your personally issued asset?
16:36 < maaku> in freimarkets at least, where user assets aren't host currency
03:42 < gmaxwell> and when someone shows up and wants to rewrite some big chunk of the wallet it would be much easier to accept ... or even offer in parallel.
03:42 < gmaxwell> right now its a pain to run more than one or two bitcoin daemons on a host.. but it would be nice to be able to try out a couple different wallet types.
03:43 < wumpus> right, that's the advantage of modularization
03:43 < gmaxwell> "oh, you want the ultra fancy mode with coin control? no problem run wallet-advanced-qt "
03:43 < wumpus> keep the consensus part in a locked-down repository, and allow freer experimentation with the rest
03:45 < wumpus> and 'berkeleydb wallet' and 'fancy new append-only wallet' could exist in parallel for a while
03:45 < gmaxwell> http://www.jocm.us/uploadfile/2013/1125/20131125103803901.pdf < 20 bits per second across 20 meters, using high pitched (e.g. near inaudible) sound from a laptop. So much for your airgapped wallet. :P
03:45 < wumpus> (I forgot "deterministic" somewhere in there)
03:48 < warren> I'm pushing Bitcoin and Litecoin mac builds to the people who complained about corruption.
03:48 < Emcy> noticed the trend against modularity or even customisation in end user software though?
03:48 < warren> we'll see ...
03:48 < wumpus> An Acoustical Multi-hop Keylogger
03:49 < wumpus> warren: hopefully
03:50 < Emcy> gmaxwell what was the mic?
03:50 < warren> gmaxwell: white noise jamming
03:50 < wumpus> wouldn't white noise be easy to filter out?
03:50 < gmaxwell> warren: with a suitable design thats actually very hard.
03:50 < gmaxwell> Emcy: it's between laptops, they built a mesh network
03:51 < Emcy> thats frankly cool and how could we use this power for good instead of evil
03:51 < wumpus> I guess it could also work with webcams and screen patterns, at least if they're in each others line of sight
03:52 < gmaxwell> warren: it's possible to have modulation schemes that are very difficult to jam without knowing the right cryptographic keys. ... and jamming those is basically only effective via overpowering.
03:52 < warren> sounds about as monetizable as the patented qrcodes that contain audio recordings. The MBA program tried to make us do a consulting project on saving that stupid company. I dropped the class because I didn't appreciate the professor using his own crappy portfolio companies.
03:52 < Emcy> i could hear 21khz last time i checked with a signal generator though so im good :)
03:53 < Emcy> wumpus there was a casio watch in the 90s that used flashing bars on your monitor for data downloading
03:53 < gmaxwell> Emcy: yes I can too, _however_ your and my sensitivity to that frequency is very weak even though we can hear it.
03:54 < Emcy> and gmaxwell is right about jamming, im reminded of how GPS gets a signal through from orbit with some sort of notch frequency thing
03:54 < gmaxwell> Emcy: which means the computer can be moderately loud but still seem quiet to us.
03:54 < gmaxwell> Emcy: orbit is easy! it's straight up!
03:54 < gmaxwell> and gps birds have fairly low orbits. :P
03:55 < Emcy> gmaxwell the sound coming from old tube displays frequently caused me physical pain
03:55 < Emcy> i lucked out being born in time for the age of flatscreens
03:56 < gmaxwell> Emcy: there is some crazy person a few blocks from where I live that has some kind of pest repeller or something that produces a ~20KHz tone. I plug my ears when I walk by.. it's super loud.
03:57 < warren> does it work?
03:57 < gmaxwell> it repels me, does that count?
03:58 < warren> that could mean it is successful, it just doesn't discriminate
03:59 < wumpus> so it keeps humans away as well, terrific
04:00 < Emcy> some shops here started putting those things above the door specifically to keep chav kids from hanging around the front drinking
04:01 < Emcy> obviously completely discriminatory and not just against chavs
04:01 < gmaxwell> non chavs can afford earplugs?
04:02 < wumpus> their reasoning is probably that the younger kids hearing is still more sensitive to those frequencies
04:02 < gmaxwell> it's generally true, though also women.
04:02 < gmaxwell> which might not be their goal
04:02 < Emcy> lol im not putting in earplugs just to go into your shitty overpriced spar
04:03 < Emcy> the ironic thing is everything in these shops is overpriced except the cheap gutrot cider
04:03 < wumpus> here they use classical music for that, in some places
04:03 < Emcy> lol really
04:04 < gmaxwell> "Well, we still have bums at the door; but at least they're classy bums now"
04:05 < wumpus> hah
04:09 < warren> http://download1.rpmfusion.org/~warren/bitcoin-0.8.5-OMG4/macosx/
04:09 < warren> http://download1.rpmfusion.org/~warren/litecoin-0.8.5.2-rc6/macosx/
04:11 < Emcy> omg?
04:12 < warren> Emcy: OMG!
04:13 < warren> grr
04:13 < warren> I built the wrong branch
04:17 < deantrade> gmaxwell: thanks. I'm guessing I won't bother you as much posting in here, but I'll still be able to toss my ideas out on more experimental things
04:20 < deantrade> Did you see my comment on trashing DiskBlockIndex.pnext and storing height->mainChainBlockHash key/value table instead?
04:20 < Emcy> just remember the first rule of wizards
04:20 < Emcy> you dont talk about wizards
04:23 < deantrade> I thought it was something more along the lines of "People believe invalid things for all sorts of motivations, such as fear, instead of believing by evidence/reason."
04:24 < Emcy> wheres that from 04:24 < deantrade> Sword of Truth series 04:50 < deantrade> On UTXO aging: I was thinking of having a system like this: The money supply inflates at some constant % increase each year. Say something like 1% per year. Then in 70 years (when the money supply doubles) you do a reverse stock split, and anything that gets rounded to zero coin value is thrown out. 04:52 < deantrade> 2% per year: 35 years to double money supply. 3% per year: 23.5 years. 4% per year: 18 years. 04:54 < gmaxwell> "inflates" so what winner are you going to transfer the results of everyone in the economies labor to? 04:55 < gmaxwell> ... because if you simply scale the value of all existing coins, none will ever fall under your thresholding. 04:56 < deantrade> Lets say you had 1 satoshi. If there was a reverse stock split where 2 satoshis were then stored as 1 satoshi, then 1/2 = 0. 04:57 < deantrade> Winner of the inflation would be the block solvers (via proof of work). 04:58 < gmaxwell> deantrade: right, so depending on how much coin was lost you might be transferring some huge percentage of the economy to miners who sets that and keeps it sane?. this doesn't sound like a grand plan. 04:59 < deantrade> No, when you reverse stock split nothing goes to the miners 04:59 < jtimon> that's escheatment we have thought about it for freicoin (which has demurrage instead of inflation) 05:00 < jtimon> at some point some outputs will approach zero value 05:00 < jtimon> should we still allow to spend them? 05:01 < jtimon> the anti-dust stuff limits that a little bit but you still can't take them out of the utxo set 05:01 < jtimon> with custom assets the problem gets worse I guess 05:02 < go1111111> gmaxwell: the miners would bid up the mining difficulty until they were barely making a profit. 
a 2% per year inflation forever (once the existing rate would otherwise fall below 2%) would just enhance the strength of the network, assuming it didn't cause people to be less enthusiastic about the currency
05:02 < deantrade> I don't think you guys are getting what I'm trying to say
05:02 < jtimon> I don't know, the incentives are complex, but didn't users already pay the transaction fees?
05:03 < jtimon> deantrade I really think I do, just replacing inflation with demurrage
05:04 < jtimon> in freicoin, for example, there will always be 5% (approx) demurrage going to miners
05:04 < jtimon> in this case you don't need to "double the minimum expressable quantity"
05:04 < jtimon> because some outputs' nominal values will go under 1 satoshi through demurrage
05:06 < gmaxwell> go1111111: yea, or cause starvation because 40% of the economy is going to build spheres to capture all the sun's energy to power miners.
05:06 < deantrade> Yes, it is effectively demurrage. I guess the problem with this system is that it's not really a great thing that the miners get paid via inflation rather than via tx fees.
05:08 < jtimon> gmaxwell maybe 5% is "too much security", we've discussed that a lot on the freicoin forums
05:08 < jtimon> that ultimately depends on monetary velocity
05:09 < gmaxwell> jtimon: it depends also on prior lost coins and a bunch of other factors.
05:09 < jtimon> with V=10, 5% of the nominal supply is less than 49% with V=1
05:09 < jtimon> with demurrage lost coins are eventually recycled (even without escheatment)
05:10 < jtimon> in any case, many freicoiners believe that we need another p2p distribution mechanism besides mining
05:10 < deantrade> I guess maybe the best solution would be that unspent transactions would just be thrown out after X number of years. And then coins would just need to be made more divisible if that became a problem.
05:11 < deantrade> So when you throw out coins, it effectively reduces the money supply, causing people to realize they now own a larger fraction of the total money supply.
05:12 < jtimon> I've heard that proposal before "escheatment if funds aren't moved in X blocks"
05:13 < jtimon> that would solve the "utxo size problem" too
05:14 < jtimon> but I'm not sure something like that is even necessary
05:14 < deantrade> But it's not that the coins go to someone in particular who gets richer. It just reduces the money supply, making everyone realize they are now effectively some fraction "richer".
05:15 < jtimon> as explained by go1111111 nobody gets necessarily richer
05:15 < jtimon> if you give coins to miners you subsidize security, that's all
05:16 < jtimon> in perfect competition profits still tend to zero
05:16 < jtimon> but your proposal is polemic
20:43 < petertodd> Luke-Jr: exactly!
20:44 < gmaxwell> at best you can say it's probably inconsequential.
20:44 < petertodd> gmaxwell: yes, but if you are running a node *on behalf of merchants* the incentives are different!
20:45 < gmaxwell> I'm sure if we're thinking at all we're spending 1000x more thought than any bitcoin merchants are likely to put into anything in the near term.
20:45 < gmaxwell> oh well.
20:45 < petertodd> Yeah well, if we're going to eventually design better systems, understanding the incentives of the one we have right now is very valuable.
20:46 * gmaxwell goes off and continues to sulk that he found _yet another_ very high profile bitcoin service provider that was trivially exploitable.
20:46 < petertodd> gmaxwell: that we're all still whitehats says a lot about our incentives :P
20:47 < Luke-Jr> gmaxwell: to be fair, BitPay did hire jgarzik; that counts :P
20:47 < gmaxwell> petertodd: what good are awesome exploits if you can never brag about them?
20:47 < petertodd> Luke-Jr: heh, cavirtex tried to hire me
20:47 < petertodd> gmaxwell: what good is bragging rights if you don't have hired strippers and the hot tub?
20:48 * petertodd brb, snorting coke
20:48 < gmaxwell> hah
20:48 < Luke-Jr> gmaxwell: next time maybe you should say "if I demonstrate how I can steal 50 BTC from Coinbase, can I keep it?" ;)
20:48 < Luke-Jr> s/Coinbase/whatever service/
20:48 < Luke-Jr> s/50 BTC/something reasonable at the time/
20:48 < petertodd> Luke-Jr: heh, that's why I demonstrated that zeroconf attack on bc.i rather than just told piuk it was possible :P
20:49 < petertodd> Luke-Jr: figured I had a 50:50 chance he'd let me keep it
20:49 < Luke-Jr> <.<
20:49 < gmaxwell> I don't even want the 50 BTC, I want the bitcoin economy to not be super fragile.
20:49 < Luke-Jr> petertodd: if you don't ask in advance, there's a question of legality
20:50 < petertodd> Luke-Jr: meh, I didn't know if it could be done, which puts you in a catch-22 between responsible disclosure and actually doing the attacks
20:50 < Luke-Jr> petertodd: that's why you ask :P
20:50 < Luke-Jr> once you have permission to try, then go for it :D
20:50 < sipa> "Hi, I think there's a bug in your systems. If I can exploit it to gain no more than X btc, can I keep it?"
20:50 * Luke-Jr glares at Litecoin for not giving permission
20:50 < petertodd> Luke-Jr: that's my point, by asking I would have been irresponsibly disclosing the attack!
20:51 < Luke-Jr> petertodd: ?
20:51 < petertodd> sipa: yes, which I probably should have done, but I figured $50 wasn't a big deal
20:51 < petertodd> Luke-Jr: the nLockTime zerocoin attack was embarrassingly obvious once you got at all clued in on it
20:51 < gmaxwell> At least with bc.i I've had bad experiences with them ignoring reports, and then claiming that an attack wasn't ever possible after I do finally get their attention.
Mostly I just try to not load their pages, lest I find _yet another_ exploitable vulnerability and have to deal with the stress of convincing them to fix it. Fortunately most other services I've reported to are more responsive.
20:52 < gmaxwell> TD seemed to be saying bc.i is still mostly a one man operation, so I guess that explains part of it.
20:52 < petertodd> Luke-Jr: I basically went through every service I could think of and did the attack - only bc.i was really vulnerable to it.
20:52 < Luke-Jr> "Hi, I offer penetration testing services. You owe me nothing if I don't find anything, but if I do, I keep up to x BTC of what I acquire using the discovered exploit, and deliver to you documentation on how I did it. If this offer interests you, please sign and email this permissions contract."
20:53 < petertodd> Luke-Jr: meh, for now you can be pragmatic - give it another year or two and my advice would be don't
20:53 < Luke-Jr> ?
20:53 < Luke-Jr> with permission, hard to see how it can go sour
20:54 < Luke-Jr> of course, in a year or so hopefully there won't be anything so obvious I could actually get anywhere XD
20:54 < petertodd> Luke-Jr: as bitcoin gets bigger and the companies have more to lose permission is both more important, but also, doing stuff out in the open is legally risky
20:54 < gmaxwell> Luke-Jr: one limitation with that is that some attacks require collateral crime... a real attacker isn't constrained to not defraud other people, but you are.
20:54 < petertodd> Luke-Jr: even really whitehat-acting people have been railroaded in the real world
20:54 < gmaxwell> e.g. those people trying to compromise mining pools by social engineering datacenter operators.
20:54 < Luke-Jr> petertodd: with permission?
20:55 < petertodd> Luke-Jr: yes, define "permission" - companies have later claimed whitehats didn't have permission for instance
20:57 < Luke-Jr> petertodd: signed document
20:58 < petertodd> Luke-Jr: "That employee never had authority to sign that document/you and him were conspiring." (e.g. if an attack somehow goes worse than expected, say takes down a whole site accidentally)
20:58 < Luke-Jr> hrm
21:01 < petertodd> Legality is hard. Speaking of, it's going to be fascinating to see the first time someone threatens to prosecute a miner for mining a zeroconf double-spend...
21:02 < petertodd> ...or assisting in one, as you do with Eligius by not following the same mempool rules re: satoshidice as everyone else. Or as you do every time you upgrade...
21:02 < gmaxwell> how can you even establish which one was the right one?
21:02 < gmaxwell> e.g. the doublespender could have just given you the other one first.
21:02 < petertodd> gmaxwell: Sworn testimony in court obviously.
21:03 < petertodd> This isn't a technical question.
21:03 < gmaxwell> I suppose. The doublespender has no assets and cooperates?
21:04 < petertodd> No, e.g. a *dice site: the site would swear that according to their logs GHash.IO allowed a double-spend to be mined on multiple occasions, or Eligius *through negligence* allowed it to happen.
21:04 < petertodd> "Accepted practice in Bitcoin is to not mine double-spends and to peer well enough that they don't happen."
21:04 < Luke-Jr> petertodd: good thing everyone here is able to be an expert witness against such nonsense
21:05 < Luke-Jr> petertodd: Eligius didn't neglect anything
21:05 < petertodd> Just for the record, for a sufficient amount of money I'll be an expert witness on the opposite side...
21:05 < Luke-Jr> petertodd: you'll lie under oath?
21:05 < petertodd> (might as well say that given that is the reality...)
21:05 < petertodd> It's not a lie, it's... a different interpretation of the facts.
21:05 < Luke-Jr> that statement would be a lie.
21:06 < Luke-Jr> every double spend ever, has been mined
21:06 < petertodd> Luke-Jr: what do you mean by that?
21:06 < Luke-Jr> petertodd: exactly what I said
21:06 < petertodd> Well I've personally used that exact mempool trick to demonstrate that zeroconf isn't safe, so I'm not sure what you mean there.
21:06 < Luke-Jr> for any given conflicting transaction pair, one of them has appeared in a block eventually
21:07 < Emcy> anyone surprised how many people don't appear to like the eligius address reuse patch thing
21:07 < Luke-Jr> Emcy: I'm surprised
21:07 < Luke-Jr> partly my fault though
21:07 < Luke-Jr> the original plan was to make a set of multiple competing patches
21:07 < petertodd> Right, but I'm saying you could convince a court that because "accepted practice" was to not allow double-spends in mempools, failing to do that is negligence, or perhaps conspiracy if an attacker keeps doing that and Eligius doesn't change their policy.
21:07 < Luke-Jr> but it was taking up too much time
21:08 < Emcy> are they just ignorant/misinformed or do they not want anything to rock the price boat
21:08 < Luke-Jr> petertodd: either of the transactions is equally valid
21:08 < Luke-Jr> and accepted practice is that nodes are free to choose which transactions they relay or mine
21:08 < Luke-Jr> and often DO discriminate
21:09 < petertodd> Luke-Jr: no, one was broadcast first. By the *accepted practices* the first was the valid one. Eligius allowed a double-spend to enter its mempool even 5 minutes later!
21:09 < petertodd> Luke-Jr: No it's not. Look at how angry people were at GHash.IO.
21:09 < Luke-Jr> petertodd: miners have a duty to filter spam.
even if Eligius were the only one to be fulfilling this role (we're not), it is the *other* miners who are negligent
21:10 < Luke-Jr> petertodd: they were mad at GHash.IO for actually PERFORMING the double-spend
21:10 < Luke-Jr> not for merely mining it
21:10 < Luke-Jr> also, that thread was surprisingly not-very-angry
21:10 < petertodd> Luke-Jr: "Duty to filter spam? What duty? Accepted practice by all but one rogue pool is to follow the Official Bitcoin-QT Implementation."
21:11 < Luke-Jr> petertodd: that's not true
21:11 < petertodd> Luke-Jr: Truth is established in a court of law in a process that may have results you do not like.
21:11 < Luke-Jr> petertodd: no, truth cares not what any court says
21:12 < petertodd> Luke-Jr: ok, whether or not the government has a judgement for damages and/or an arrest warrant for your name has nothing to do with your definition of truth
21:12 < Luke-Jr> petertodd: whether you have committed perjury does
21:13 < Luke-Jr> "Accepted practice by all but one percent of businesses is to use USD cash"
21:13 < Luke-Jr> ^ about as good as your argument
21:13 < petertodd> Hey, we can sit here all day if you want to be an engineer and ignore the complexity of the legal system.
21:14 < petertodd> Reality is, my line of argument is one that a court may very well accept, resulting in real world and undesirable consequences.
21:15 < Luke-Jr> not after I demonstrate how you're lying :P
21:15 < petertodd> if you truly believe a court would be guaranteed to think I was lying I suggest you spend some more time with your lawyer
21:18 < Luke-Jr> I don't believe a court would hear a case from a criminal enterprise plaintiff
04:40 <@gmaxwell> hah.
04:40 < warren> I personally would want to work on this, to set up a non-profit and a legal structure that states clearly the project's goals (safety, security, anti-spam) but disclaims liability.
04:41 <@gmaxwell> if someone wants to find implied liability ...
the fact that someone took donations or didn't isn't going to matter.
04:41 < warren> TRC dev really fucked up. I doubt anyone will sue there.
04:42 < sipa> trc?
04:42 < warren> sipa: another alt coin, sha256-based. They had ~4-5 mandatory version upgrades over a week because their bad design was destroyed repeatedly by a single avalon
04:42 < sipa> ha
04:42 < warren> sipa: TRC's "innovation" was super fast difficulty changes
04:43 < warren> It broke in a different way with longer 30 block intervals
04:43 <@gmaxwell> it's not even the first time someone has made that innovation with the same consequences!
04:43 <@gmaxwell> solidcoin 1.0 failed that way.
04:43 < warren> Attempt #4 made it far worse!
04:44 <@gmaxwell> yea, well I called that (or was that #3?) with ten seconds of code review
04:44 < warren> They added a testnet-like difficulty reduction if there were no blocks in the last 10 minutes.
04:44 <@gmaxwell> yea, that was the one I called. :P
04:44 < warren> I pointed it out first, and you agreed. =)
04:44 < warren> Shortly thereafter, someone did the time traveling attack.
04:45 < warren> during these attacks, btc-e added TRC to their exchange, and they were wondering why nobody was trading
04:45 < warren> great due diligence folks
04:45 < warren> That was a huge opportunity to rob the exchange
04:45 <@gmaxwell> You knew before I told you there about the resetting difficulty attack?
04:45 < warren> yes
04:45 <@gmaxwell> cool. someone else paying attention.
04:45 <@gmaxwell> oh well, in any case, Lolcust is back around so you can expect more really super awesome altcoins.
04:45 < warren> I remembered seeing it in the testnet code while I was studying litecoin.
04:47 < warren> If I had time, I'd like to release a tool that forks Bitcoin, mass string replace, generates a new genesis, makes deterministic builds and uploads to a new git.
04:47 < warren> Then those fools can make a 100 new coins.
04:47 < warren> Then *maybe* people will realize how stupid it is.
04:48 < warren> gmaxwell: Can you help me approach MtGox on that idea?
04:49 <@gmaxwell> I suggested that idea in #bitcoin-mining with an added twist: you should make the cgi charge a nominal fee (in btc), and partner with a large pool, with merged mining, so that instead of premining them the creator can just receive the pool's worth of mining.
04:49 <@gmaxwell> warren: making 100 new coins?
04:49 < warren> no
04:49 < warren> sponsor dev of their new coin to reduce their financial risk
04:49 < warren> because there's literally no reference client devs
04:50 <@gmaxwell> Well, I can however, magical tux doesn't talk to me too much, and the last time he talked to me it seems like he outright lied to me. So...
04:51 < warren> gmaxwell: oh, you mean make it super easy for the creator to pre-mine?
04:51 <@gmaxwell> nah, not pre-mine but to have a large amount of hashpower on the coin right from the start which the creator is getting paid for.
04:51 <@gmaxwell> a slightly more equitable premine that also provides some security.
04:52 < warren> huh.
04:52 < warren> which would be the aux?
04:52 <@gmaxwell> it would be the aux. It'd be merged mined against bitcoin (or litecoin, I suppose if you wanted)
04:53 < warren> are any of the merge mining methods reliable now?
04:53 < warren> such that it won't slow down the main coin
04:54 < warren> gmaxwell: well, I suppose an introduction might help. This seems like a good idea for both parties.
04:54 <@gmaxwell> luke's code is and I assume doublec's too considering both have basically merged mined everything merge-mineable. Luke stopped mming namecoin recently mostly because the daemon itself was crapping out.
04:54 < warren> doublec? what pool did he write?
04:55 <@gmaxwell> http://mmpool.bitparking.com/pool
04:55 < warren> hmm, no source I guess
04:56 <@gmaxwell> no, but it wouldn't be useful to you, you don't have a big installed base of bitcoin hashpower
04:56 <@gmaxwell> my suggestion was to partner with someone who already did.
04:56 <@gmaxwell> luke was all for the idea: can't stop the altcoin folly directly, so make it more obvious with infinite worthless altcoins.
04:57 <@gmaxwell> I sometimes joke about gmaxwellcoin ... but then everbuddy could have their own altcoin, for the low low price of 0.5 BTC!
04:58 < warren> On a more serious note, how do you feel about a blockchain-based solution to reward full verifying nodes?
04:58 <@gmaxwell> blockchain-based? huh?
04:58 <@gmaxwell> I like puppies and apple pie.
04:59 < warren> OK, I haven't thought this through yet, just wondering if it's possible to have a POW that proves you have all the tx's and you are relaying.
05:00 <@gmaxwell> amiller proposed to use queries against a committed utxo set as a memory hard function as the system POW.
05:01 < warren> who would do the query?
05:01 <@gmaxwell> and it seems like a generally reasonable idea to me, though I have some skepticism that the result will actually be hardware that's good at validation: if there is _any_ way to make it faster by cheating people will.
05:02 <@gmaxwell> warren: you'd query to mine. e.g. H(header||nonce) forms a random sequence which you use to query the UTXO set.. then you hash up the result append that to the header.. and hash that to see if you've met difficulty
05:03 < warren> and if you met difficulty, what do you get?
05:03 <@gmaxwell> a block
05:04 < warren> This is a secondary blockchain to somehow reward full nodes?
05:05 < warren> hmm
05:06 <@gmaxwell> ...
05:06 <@gmaxwell> Amiller's suggestion is to make it _the_ proof of work.
05:06 < warren> oh
05:06 <@gmaxwell> In order to align the interests of the network.
05:07 <@gmaxwell> If you just want a full node lottery get pay2ip reenabled and probe nodes and then randomly pay them if they've been good. reasonably hard to fake if you pay them proportional to their throughput.
05:07 < warren> how about ...
for each BTC block round, the highest difficulty from valid proof of utxo set from all nodes gets <reward> which is set aside in the next BTC block?
05:08 < warren> with some limitations to prevent ballot stuff
05:08 < warren> stuffing
05:09 <@gmaxwell> uh.
05:10 <@gmaxwell> well good luck with that.
05:11 < warren> what? not technically possible?
05:13 < warren> Oh. Not highest. More like a lottery where the winning number is derived from the next block.
05:17 < warren> I don't have this fully thought through. I'll think more about this.
05:18 <@gmaxwell> I don't see how I don't just enter that lottery umpteen billion times per second. Or how you're going to convince the network to take awards away from miners. (amiller's stuff seems obviously enough not-for-bitcoin but if you're going to be all hardforky about it might as well go full amiller time)
05:19 < warren> The hard part is to prevent folks from making many artificial nodes on many IP's they control. yes.
05:21 < warren> I think the lottery could be limited by having random peers check then sign if they pass certain rules.
05:22 < warren> best we can do is limit by public IP, and maybe also only one per subnet randomly chosen.
05:25 < warren> gmaxwell: Divert a really tiny portion of fees to the full node lottery. Since running a node is much cheaper than running a miner, even a tiny lottery reward would be sufficient to encourage many more relays.
--- Log closed Thu Apr 25 07:21:17 2013
--- Log opened Thu Apr 25 07:21:34 2013
10:43 < warren> There are aspects of this I haven't figured out yet, and a major drawback of it being decentralized might be lots of extra tx's per round.
10:47 < warren> gmaxwell: Oh, another aspect of the p2pool dust problem: The litecoin users began taking matters into their own hands by forking p2pool, cutting forrest out entirely. There are at least two other p2pool instances in litecoin now.
10:50 < warren> "<gmaxwell> [23:07:25] If you just want a full node lottery get pay2ip reenabled and probe nodes and then randomly pay them if they've been good. reasonably hard to fake if you pay them proportional to their throughput."
10:51 < warren> I'm afraid this will create perverse incentives to intercept traffic
10:51 < warren> (yes, we talked about this before)
--- Log closed Thu Apr 25 11:29:38 2013
--- Log opened Thu Apr 25 11:28:19 2013
--- Log closed Thu Apr 25 11:28:29 2013
--- Log opened Thu Apr 25 11:29:04 2013
15:09 < HM2> cryptography is a fascinating field
15:09 < HM2> obvious ideas can sneak up on you
15:10 < HM2> i'm reading a paper on permutations over arbitrary domains. e.g. using a key to remap the numbers from 0 to 1 million to a permutation
15:11 < HM2> simplest algorithm: use a symmetric cipher to encrypt all the numbers, sort the ciphertext, replace each number with its ordinal index
15:11 < HM2> such an obvious idea
15:12 < sipa> it will also never be a true random shuffle :p
15:13 < HM2> why so?
15:14 < sipa> your keyspace size would need to be an integral multiple of the number of permutations (=n!, with n the number of elements)
15:15 < HM2> Hmm?
15:16 < HM2> Your domain needs to be smaller than the block cipher's
15:16 < HM2> it doesn't matter if you're encrypting 4 digit pins with a 128bit cipher though, it's still going to result in 10000 unique 128bit ciphertexts?
15:16 < sipa> not just smaller, an integral divisor of it
15:17 < sipa> (and that's a necessary requirement, not a sufficient one)
15:17 < HM2> How?
15:18 < HM2> http://www.cs.ucdavis.edu/~rogaway/papers/subset.pdf
15:18 < HM2> method 1, page 6
15:19 < sipa> i didn't say it would be insecure
15:19 < sipa> just that it can't be a true random shuffle
15:19 < HM2> how do you define true random?
15:19 < HM2> it's obviously pseudorandom
06:19 < warren> gmaxwell: among other problems, they went quiet around August, and a few weeks ago people figured out that BFL was violating paypal's TOS, so paypal began seizing funds from them. whoever figured it out first and used the secret escalation procedure got refunds until the seized funds ran out.
06:21 < gmaxwell> yea, I know. They were literally calling some guy inside paypal who was hand processing it.
06:21 < gmaxwell> I deleted that guy's phone number and name from the forum a bunch of times so people wouldn't mob him.
06:22 < warren> I sold only the 30GH unit that I got with the 6 months no interest paypal loan
06:22 < warren> I tried to get paypal to seize that but I learned about the escalation procedure too late.
06:23 < warren> BFL apparently began generating fake tracking numbers to stop paypal from giving refunds. real shady.
06:24 < gmaxwell> wow, I'd missed that. Interesting. I saw some people getting tracking numbers when they canceled.
06:24 < gmaxwell> But I assumed that was someone lying to try to cause a run on cancelations.
06:24 < gmaxwell> warren: sorry, If I'd realized you were in a position where you might want to refund I would have prodded you personally.
06:26 < warren> I feel bad about the pre-order buyer so might just give him his money back.
06:26 < warren> dunno
06:38 < gmaxwell> warren: http://www.reddit.com/r/Bitcoin/comments/1o2zo0/just_got_email_confirmation_from_bfl_that_my/
06:41 < warren> gmaxwell: I managed to cancel all of my other orders before they stopped giving refunds ... so it's just one 30GH miner remaining from early April 2013
07:26 < gmaxwell> oh got.
07:27 < gmaxwell> that quantum wingnut guy apparently spoke at the Amsterdam bitcoin conf?
07:27 < sipa> what's a wingnut?
07:27 < gmaxwell> american term for crazy or weird.
07:28 < gmaxwell> I have an "investor" person emailing me asking for advice because he wants to invest in this guy's super plan for BQP in polytime on classical computers for mining.
07:28 < sipa> lol
07:28 < sipa> say you want 10%
07:29 < gmaxwell> hah
07:29 < gmaxwell> awful.
07:31 < wumpus> lol
07:36 < warren> "american term for crazy or weird." it's all relative in bitcoinland.
07:55 < warren> are we still switching to testnet4 for 0.9?
07:56 < sipa> what is testnet4?
07:56 < sipa> i don't object to resetting testnet, but i haven't heard about any specific plans or rule changes
07:57 < warren> oh, there was previous discussion about resetting it to discourage storing stuff there
10:01 < jgarzik> sipa, I had suggested resetting it proactively on IRC. gmaxwell seemed to agree, but I don't think it was ever more concrete than that.
10:02 < jgarzik> testnet IMO should not be a permanent side channel database
13:52 < gmaxwell> jgarzik: I agree, but before we do that, we really ought to go figure out where the distributed tests are.... several useful tests were added to that chain later on (including ones that forked bitcoin 0.8-prerelease, bitcoin ruby, electrum, and btcgo) so we can make sure to add them to the front in the replacement.
14:17 < maaku> gmaxwell: if anyone does that, it'd be *really nice* to package that up into a bunch of transaction-generating scripts
14:18 < sipa> how about running pulltester on testnet? :p
14:18 < gmaxwell> sipa: pulltester tests reorgs.
14:18 < sipa> ok ok
14:18 < gmaxwell> maaku: Well the first 500 blocks of testnet are full of test cases.
14:19 < sipa> i mean, taking the transactions in pulltester, and putting them in the chain
14:19 < sipa> though i suppose there aren't that many
14:20 < gmaxwell> yea, reasonable way to go about it.
14:36 < BlueMatt> petertodd: no, if you are an spv node you shall not relay data you cannot fully verify
14:36 < BlueMatt> petertodd: this has been an unspoken network rule for a long time
14:37 < gmaxwell> BlueMatt: oh hai.
14:37 < BlueMatt> hi
14:37 < gmaxwell> BlueMatt: we probably should have CVEed the debian contrib init script stuff that set an rpc password. :(
14:37 < BlueMatt> petertodd: spv nodes shall only relay transactions they created
14:38 < BlueMatt> gmaxwell: probably, but debian should have done that themselves, really
14:38 < gmaxwell> BlueMatt: some guy with a fedora rpm was shipping it. I'd missed it when it was removed, but I caught it when auditing his package.
14:38 < BlueMatt> hmm
14:40 < BlueMatt> (I didn't publicize the removal of it because I wasn't sure when debian was gonna/did ship the fix)
14:42 < gmaxwell> well I've made it public (half on accident because I thought I was in /query with warren and not #bitcoin-dev ... :( though it's not the end of the world, I don't think that _that_ many were using that fedora package)
14:42 < BlueMatt> and hopefully people have been paying attention to the long-standing recommendation that rpc interface not be public, even if password protected...
14:42 < BlueMatt> but I suppose we can never depend on that :(
14:44 < warren> why do we allow one distro's packaging stuff into upstream at all?
14:48 < maaku> holy cow, there's a C++ REPL? http://root.cern.ch/drupal/content/about
14:50 < maaku> warren: there are many debian/ubuntu based distributions. it makes sense to put that stuff in contrib
14:51 < gmaxwell> warren: projects also do that as a way of having some amount of control/influence/visibility into how they are being packaged. ... though it doesn't stop distributions from ignoring it and patching the crap out of their software...
16:49 < amiller> ugh i'm really bothered by a couple more things now
16:49 < amiller> 1) i've been starting to think about how BTC (the currency) can be thought of as 'legal tender' within Bitcoin (the system) because of how it can be used for tx fees
16:50 < amiller> i'm trying to understand the implications of overlay currencies like in freimarkets and colored coins
16:50 < amiller> but actually since there are no mandatory fees
16:50 < amiller> it *doesn't* even enjoy any privileged status in that regard
16:50 < amiller> you could probably pay miners in colored coins, if the 'color kernel' supported that
16:51 < amiller> it's really entirely up to the miners what motivates them to include your tx
16:52 < amiller> i don't know of any colorcoins that do that, but in freimarkets you can explicitly pay miners with portions of the self issued currencies
16:52 < amiller> an individual miner may or may not value these of course
16:52 < amiller> but for the sake of hard fork rules it doesn't matter
16:52 < amiller> 2) so this brings me to the second thing that's bugging me today
16:54 < gmaxwell> amiller: well, so long as the coloring rule inherits across fees.
16:54 < gmaxwell> oh you said that.
16:54 < gmaxwell> and yea, people have previously noticed that you can pay miners in other ways.. and in fact there is a history of that already.
16:55 < amiller> what kind of history?
16:55 < amiller> side deal or just with the tx broadcast?
16:55 < gmaxwell> (E.g. eligius providing free priority processing for mtgox as part of their hosting arrangement)
16:56 < gmaxwell> It's one of the reasons that "figure out what fees you should pay from recent blocks" is somewhat iffy.
16:56 < amiller> the second thing is that even if miners can't easily vote to change rules (because of some kind of constitutional interweaving somehow),
16:56 < amiller> i can't figure out what rationale prevents a couple mining pools from "discouraging" a particular transaction, perhaps temporarily
16:57 < sipa> they can perfectly vote to softfork
16:57 < sipa> censorship is only a softfork
16:57 < gmaxwell> (eligius also lets you pay fees by including outputs to the pools' donations addresses)
16:57 < amiller> i'm thinking of something in between a softfork and a hardfork
16:57 < gmaxwell> amiller: mining pools already discourage particular transactions.
16:57 < amiller> a hardfork is when you absolutely will not mine a block that has predicate x
16:57 < sipa> no
16:57 < amiller> a softfork is when you do not include in your block, transaction with predicate x
16:57 < gmaxwell> For example, many block correct horse stapler battery.
16:58 < amiller> mine on top of*
16:58 < sipa> amiller:
16:58 < sipa> no
16:58 < gmaxwell> amiller: no that's not the common convention.
16:58 < sipa> a hardfork is allowing something that used to be illegal
16:58 < sipa> a softfork is disallowing something that was legal
16:58 < sipa> the rest is just policy
16:58 < amiller> oh.
16:59 < sipa> a softfork requires 51% from miners
16:59 < gmaxwell> What you're describing as a hardfork is a softfork. What you're calling a softfork is just policy.
16:59 < sipa> a hardfork requires 100% from everyone
16:59 < gmaxwell> Everyone that remains at least! :P
17:00 < amiller> i see.
17:00 < amiller> hmmmm
17:00 < sipa> there has exact
17:00 < sipa> ly one hardfork that i know of
17:01 < gmaxwell> and even that one is a little debatable! there are still old nodes running and current!
17:01 < warren> how?
17:01 < gmaxwell> because the bdb large block failure is non-deterministic.
17:03 < amiller> that makes a lot of sense, i don't know how i haven't understood this before, thanks.
17:04 < sipa> a hard fork is called that way because it inevitably forks off old clients
17:04 < amiller> actually i'm not sure where anyone would go to read that description clearly, i can't find it on the wiki
17:04 < sipa> a soft fork only causes an actual fork in case a majority of hash power is on the old code
17:05 < sipa> better explanations on the wiki would be great
17:05 < sipa> many things are just outdated or missing
17:06 < amiller> okay so then what i'm talking about is a softer-fork
17:06 < amiller> i can make my own predicate, or even just a temporary special case, and threaten to try hard to prevent it
17:07 < amiller> it's potentially costly for me in wasted-work if i ignore a block that has a transaction i don't like
17:07 < sipa> you're only threatening yourself
17:07 < sipa> unless you find a 51% hashpower to go along with you
04:03 < jgarzik> petertodd: You are required to file a Suspicious Activity Report (SAR) for a transaction >= $10k, anything that might be a group of transactions >= $10k, or anything that might be an attempt to evade these limits by breaking up transactions
04:04 < petertodd> Per-vendor volume requirements are strange too... what happens with your herd of bots ideas when each one is processing a tiny volume, or collaboratively processing a tiny volume?
04:04 < warren> Why are people trusting a random person on a forum for legal advice?
04:04 < petertodd> warren: It's better than the alternative of having no advice at all.
04:04 < jgarzik> petertodd: I've heard that banks err on the side of caution, and file SARs for just about anything
04:04 < jgarzik> warren: gathering additional data != trust
04:04 < petertodd> jgarzik: DDoS attack against the regulators... although their analytics tools are probably pretty good.
04:04 < warren> petertodd: if this person is pointing at citations so you can learn more yourself, then OK.
04:05 < petertodd> jgarzik: Chaum tokens definitely evade the "group of transactions" principle, and probably anythign automated does. 04:05 < jgarzik> petertodd: I imagine a truly decentralized bot network would fall outside these regulatory params 04:05 < jgarzik> petertodd: a simple one-owner IRC bot OTOH... 04:05 < petertodd> jgarzik: Yeah, at least the act of *writing* one is probably safe... running one, who knows? 04:06 < warren> jgarzik: the encrypted RAM-only bot? 04:06 < petertodd> jgarzik: Let alone your AI organism stuff... 04:07 < jgarzik> warren: thereabouts 04:08 < jgarzik> I wonder if North Carolina has any laws that would nix an escrow bot 04:09 < petertodd> What exaclty do you see an escrow bot doing? 04:11 < warren> Hmm, by those regulations things like localbitcoin are pretty illegal 04:11 < petertodd> warren: Good point. 04:11 < warren> unless each person registers and follows regulations 04:11 < petertodd> Bitcoin-otc too probably 04:12 < warren> petertodd: I see nothing in there that makes virtual/virtual regulated by that agency though. 04:13 < petertodd> warren: That particular ruling no, but what others might there be? Regardless I suspect there is nothing other than inertia protecting virtual/virtual from regulation. 04:13 < warren> petertodd: yeah, especially otc, given you almost never verify someone's identity. in-person has what the legal scholars called "self-authenticating" properties. Like you obviously don't sell cigarettes to someone who looks too young. 04:14 < petertodd> warren: Yes and no. OTC involves either virtual/virtual, or virtual/online-real, or virtual/in-person. The former is allegedly unregulated. (for now) The latter two either give you dientity by the service (PayPal for instance) or by the person-to-person contact. Legally the last of the three is probably not enough. 04:15 < petertodd> warren: Also interesting how OTC has some people doing fiat/fiat conversions via paypal and similar. 04:15 < warren> yeah, wtf? 
04:15 < warren> and why are people trading with non-hard transfers? 04:15 < petertodd> Lack of alternatives. 04:16 < warren> what's the point of fiat/fiat? 04:16 < petertodd> Trust works too with well-known community members - I've had an easy time buying BTC with paypal myself. 04:16 < warren> that seems more fishy 04:17 < petertodd> Presumably the exchange rates on paypal make it make sense; haven't looked. 04:19 < warren> Graet: btw, if I make 0.01 LTC per round on ozcoin and I opt to be paid at say 5 LTC, will the payment be from the rounds I participated in (lots of dust), or is it some more optimal tx? 04:30 < jgarzik> petertodd: an escrow bot[net] would be an open source bot run by a neutral party, that holds funds until some predefined conditions are met 04:31 < petertodd> jgarzik: I guess the key issue is if the bot can spend the funds without consent of either party. (non-multisig) 04:32 < Graet> warren, it isnt split up by round, 04:32 < jgarzik> warren: It's not strictly fiat/fiat. It's fiat-service/fiat-service. Each fiat service has its own barriers to entry and exit. 04:32 < jgarzik> and fees 04:32 < petertodd> jgarzik: After all, there are always scriptPubKeys of the form OP_HASH <digest> OP_EQUALVERIFY {other ops} where the escrow bot is really just providing an oracle service. 04:33 < jgarzik> yep 04:33 < jgarzik> petertodd: in a component sense, I would rather have the escrow bot be a very dump transaction approval machine, that would query oracle bot(s) for the necessary information 04:33 < jgarzik> *dumb 04:34 < jgarzik> anyway, way too late here :) 04:34 < petertodd> ha, same 04:34 < petertodd> Quick q: do you have any code yet? 04:34 < petertodd> Especially for more general off-chain tx stuff... 05:56 < Diablo-D3> can I ask bitcoind to compute a transaction but not send it? 09:10 < warren> Diablo-D3: can coin control? 
09:14 < Diablo-D3> I think I found what I wanted in the rpc 09:14 < Diablo-D3> https://en.bitcoin.it/wiki/Raw_Transactions 10:20 < sipa> Diablo-D3: createrawtransaction can do that 10:20 < Diablo-D3> sipa: see above url =P 10:20 < Diablo-D3> details that whole family of api 10:46 * sipa will attend the conference 18:05 < warren> "lead developer" implies he has a lot of decision making power, which makes me kind of nervous by who pays for his paycheck. should I be concerned? 18:07 < warren> nevermind 18:23 < jgarzik> warren: ? --- Log closed Wed Mar 20 00:00:37 2013 --- Log opened Wed Mar 20 00:00:37 2013 03:43 < warren> sipa: aside from ec and ecdsa, do we rely on anything else in openssl? 03:44 < warren> sipa: whenever you have a full openssl replacement I'll do all of my testing on your lib, but for now I'm going ahead with a stripped down openssl. 04:56 < warren> done! 06:17 < sipa> done what? 15:22 < warren> I decided to just build openssl and boost within the RPM itself, because RHEL5 users can't upgrade their system boost, I'm giving everyone a static build. 15:22 < jgarzik> warren: makes sense 15:23 < warren> It's a little extra slow to build this way. =) 15:23 < jgarzik> warren: RE "rely on openssl"... we use sha1/sha256/ripemd160, ec, and bignum 15:23 < jgarzik> warren: the hash bits are trivial to replace 15:24 < warren> jgarzik: src/util.cpp:#include <openssl/rand.h> ? 15:24 < jgarzik> warren: that too 15:25 < warren> Maybe I should make a compat-boost package and have bitcoin static link it, so I don't have to rebuild boost every time, and users don't need to download compat-boost. 23:50 < warren> https://bitcointalk.org/index.php?topic=18313.msg1650231#msg1650231 Whoa. wtf is going on here? 23:50 < warren> that's some hostility and serious accusation 23:51 < gmaxwell> Kano is not a nice person, this isn't news. 23:51 < warren> ok, I don't know who these people are. 23:52 < gmaxwell> He's one of the cgminer developers, but mostly con's pet troll. 
23:52 < warren> con is known for his niceness too. 23:52 < gmaxwell> Right. Now imagine his less well socialized sidekick. 23:54 < jrmithdobbs> warren: what's going on there is you read butthurttalk for some reason? your own fault really ;p 23:56 < gmaxwell> If you're interested in the nonce range stuff For a long time eligius was unique in using coinbase based payments. One side effect of this, however, was that it was more computationally costly to issue work compared to other pools. 23:57 < gmaxwell> Back when miners were slower it wasn't a crazy idea to split up the range of a nonce scan among multiple users in order to reduce that cost. Thus the nonce range support. 23:57 < gmaxwell> No one other than luke ever cared about it much, a number of larger pools just banned slower miners. --- Log closed Thu Mar 21 00:00:09 2013 --- Log opened Thu Mar 21 00:00:09 2013 --- Day changed Thu Mar 21 2013 00:00 < jrmithdobbs> oh, just someone calling luke a process whore, that's not interesting at all ... can't believe you tricked me into clicking on that 00:00 < warren> oh. I understand it now. He's being accused of enabling botnets. 00:00 < jrmithdobbs> (and i remember that clusterfuck re: nonce range and that kano guy is right, it's not in the bip ;p) 00:01 < jrmithdobbs> (but i don't know what that botnet nonsense is) 00:01 < gmaxwell> ironically, luke's been pretty agressive at going after botnets. 00:01 < jrmithdobbs> ya, that part is out of nowhere 00:02 < warren> It would be easier if there were a decentralized batshitcrazy consensus system. I'd be at 55%. 00:02 < gmaxwell> jrmithdobbs: the noncerange stuff is in the BIP, its in the pooled mining half. 
00:02 < jrmithdobbs> there is 00:02 < jrmithdobbs> gmaxwell: oh that's right, it got split 00:02 < gmaxwell> (arguably it should have been left out of the bitcoind pull, but it must have been missed when that stuff was split out) 00:03 < jrmithdobbs> then ya, i have NO idea what he's talking about then and hate that someone tricked me into reading something on that forum ;p 00:03 < jrmithdobbs> warren: i keel you 00:03 < gmaxwell> I don't know that anyone noticed it was there. 00:03 < gmaxwell> (probably luke included, as jeff notes it doesn't do anything) 00:03 < jrmithdobbs> ya 00:54 < jgarzik> gmaxwell: I noticed, and filed it under "harmless as implemented in bitcoind, must be needed for that crazy BIP 23 stuff" 00:55 < jgarzik> BIP 23 still makes my head spin; 180 degrees from how I would extend getblocktemplate for pools 00:56 < jgarzik> jrmithdobbs: tl;dr: kano accused luke-jr of putting botnet support into bitcoind. I replied, because sometimes newbies believe that shit. 00:56 < jgarzik> jrmithdobbs: just a normal day on trolltalk --- Log opened Thu Mar 21 15:17:14 2013 20:11 < HM2> sipa: how'd you get on with your fast verification work? 20:11 < HM2> did you polish out the bugs? 21:33 < sipa> HM2: added signing, refactoring the code somewhat, ... --- Log closed Fri Mar 22 00:00:01 2013 --- Log opened Fri Mar 22 00:00:01 2013 18:37 < petertodd> https://bitcointalk.org/index.php?topic=395761.0;all 18:38 < petertodd> hilariously the scheme seems to be using OP_RETURN "CNTRPRTY<ProofOfBurn" outputs, yet the actual burn is in a non-prunable output 18:39 < petertodd> though that's not very surprising when you consider the psychology of it: a standard address for the burn lets people easily see how much has been invested, fueling additional investment... 18:41 * nsh blinks 18:42 * nsh reads harder 18:43 < nsh> nope. can you explain in more simple terms, petertodd? 
18:43 * nsh looks at the thread 18:45 < petertodd> nsh: OGG CAVEMAN BURN TASTY MEAT IN FIRE BECAUSE NOG CAVEMAN SAID MUCH MORE MEAT IN FUTURE IF OGG BURN MEAT NOW 18:45 < petertodd> nsh: OGG STUPID CAVEMAN, NOG CAVEMAN HAVE NO PLAN FOR MORE MEAT 18:45 < nsh> right, i'm basically at that stage 18:45 < nsh> but the bit where it actually makes sense to someone (and how) is beyond me 18:46 < petertodd> nsh: well I'm basically saying the intelligence of the people who throw away six figures is similar to that of a caveman 18:46 < nsh> sure 18:46 < sipa> what does 'OGG' refer t? 18:46 < sipa> to? 18:47 < nsh> but pretending this guy is actually some satoshi-level genius. what are people gaining by burning these coins? stake in some future system 18:47 < nsh> but how? 18:47 < petertodd> sipa: ogg is a standard caveman name in western english culture 18:47 < petertodd> nsh: basically, by the definition of the system, much like mastercoin was done, only with (arguably) even less chance of future success 18:47 < sipa> at least it sounds less scammy, as the exodus address is an actual burn here... 18:48 < petertodd> sipa: indeed, OTOH that can also mean less chance of success, as who'se paying for development? 18:48 < sipa> agree 18:48 < nsh> you'd want to be really really confident of everything working out to actually boot-strap the thing with real sacrifice from early-adopters... 
18:49 < petertodd> nsh: yup, in this case actually it doesn't look like the creator of the scheme has any ill-intent, more that the investment community around it are idiots and will jump to throw money at anything 18:50 < nsh> well, i suppose you can take an ecological view: at the worst, something nontrivial will have been tried and lessons can be learnt, and those people who threw money in probably could afford it 18:51 < nsh> (and everyone who has btc gets slightly richer from the deflation) 18:52 < petertodd> nsh: quite likely true, although I'm going to let someone else pay to learn those lessons for me :P 18:52 * nsh smiles 23:15 < phantomcircuit> hmm 23:15 < phantomcircuit> cookies 23:37 < andytoshi> petertodd: can you give us a preview of the OP_RETURN based stealth addresses scheme you hinted at in your latest email? 23:52 < petertodd> andytoshi: writing it up now :) --- Log closed Mon Jan 06 00:00:29 2014 --- Log opened Mon Jan 06 00:00:29 2014 --- Day changed Mon Jan 06 2014 00:26 < brisque> coingen.io has forged 67 new altcoins. I'm impressed. 00:32 < BlueMatt> brisque: those are just the non-hidden ones, too 00:32 < kyrio> oh yeah 00:32 < kyrio> there's an option to pay to keep it private 00:33 < jcorgan> BlueMatt: of all the ways to earn BTC with a website, coingen.io is the most subversive :) 00:33 < brisque> BlueMatt: I'm extremely impressed. you've done a good job with it. 00:33 < BlueMatt> heh, anyway...its ot for here 00:47 < brisque> almost on topic, can anybody come up with a reasonable explanation for the behaviour of blockchain.info in regards to it's "peers connected" number? they seem to manage to get up to around 1500 connections before dropping them all and starting again. 00:47 < brisque> graph - http://i.imgur.com/iiJYOjo.png 00:48 < brisque> time timeframe is around 30 minutes before each big drop, so they're churning through a lot of connections. 
01:19 < phantomcircuit> brisque, they dont understand what the limits of select() are so their client keeps crashing when they go past those limits 01:19 < phantomcircuit> which i personally find hilarious 01:25 < brisque> surely they'd notice the bi-hourly crashes and return the connection limit to something sane. surely. 01:25 < brisque> 72,000 reconnections a day. 01:26 < phantomcircuit> brisque, surely they have no idea what they're doing and haven't noticed 01:27 < phantomcircuit> hint, it's my thing 01:36 < brisque> phantomcircuit: really not sure what the hint means 01:36 < phantomcircuit> <phantomcircuit> brisque, surely they have no idea what they're doing and haven't noticed 01:37 < brisque> ah. 04:22 < gmaxwell> petertodd: P2SH^2 2.0: Take H(script) as a private key in a pairing crypto group. Compute G1*private = pubkey. scriptpubkey contains H(pubkey),sign(H(H(pubkey)||txid)) 04:23 < gmaxwell> er sorry pubkey,sign(H(H(pubkey)||txid)) (because you can't to the pubkey recovery for a pairing short signature) 04:23 < gmaxwell> petertodd: so tada, data storage in txouts completely prevented. Overhead of one group element (e.g. 32 bytes) 04:24 < gmaxwell> Why not ECDSA? because signers choice of K can be used to store data in the blockchain... e.g. pick a well known K, and recievers use it to recover the 'private key' (the data) 04:26 < brisque> I'm interested in what The Pirate Bay is planning to do with Bitcoin. by the sounds of their post it is almost like they intend to be storing identifiers in the blockchain, just as you're trying to prevent. 04:27 < maaku> what would be the point? 04:27 < gmaxwell> because omg bitcoin such VC money WOW 04:27 < gmaxwell> people mistake bitcoin for a jamming free network, constantly. ugh. 04:28 < brisque> have you read the article, gmaxwell? 04:28 < brisque> http://torrentfreak.com/how-the-pirate-bay-plans-to-beat-censorship-for-good-140105/ registrations will be Bitcoin authenticated, on a first come first served basis. 
After a year the name will expire unless it Site owners will be able to register their own names, which will serve as an alias for the curve25519 pub-key that will identify the site, the Pirate Bay insider notes. 04:36 < Emcy> gmaxwell youve been saying jamming network a lot recently. Brief explanation? 05:20 < brisque> just as a thought, the entire sticking point of having a SPV p2pool is that we can't prove to a SPV client that the inputs are unspent, right? we can prove that they exist at some point, but not that the block the p2pool node creates with it will be valid to the wider network (the inputs were spent elsewhere). 05:34 < maaku> Emcy: jamming-free 05:34 < maaku> meaning it is a reliable mechanism for transmitting messages that can't be forceably censored 05:34 < maaku> (which bitcoin is not) 05:37 < gmaxwell> you can have different kinds of jamming freeness, like all or nothing channels.. If you're a >50% hashpower miner bitcoin is arguably an all or nothing jamming resistant network, but it's not to anyone else. :P 05:53 < adam3us> about XCP PhantomPhreak (one of the authors) seems to have changed from spend to fees to proof of sacrifice which they are calling proof of burn but seems to be the same thing, in reaction to someone pointing out that a miner could take their own fees (and maybe worse by the sound of it) 06:08 < nsh> yeah, seems to be a very improvised affair 06:18 < gmaxwell> adam3us: do you have a EC discrete log formulatio nof my above P2SH^2 2.0? 06:18 < gmaxwell> the idea is basically to have a hash function where you can prove that the value in question is a hash and not data stuffed into the same spot. 06:21 < adam3us> gmaxwell: i read it earlier, its a subliminal channel suppression, seems a bit analogous to the wallet with observer protocol that relies on blind schnorr. but i dont think that helps because there is no semi-trusted hw wallet in this picture. 
06:22 < adam3us> gmaxwell: one thing that occurred to me is the one-use signature or limited use sig, where the extended address is H(Q,r) so r is precommitted. then you are only allowed to make signatures with r. maybe you could prove something about r? 06:22 < gmaxwell> I thought perhaps one of those protocols for schnorr where there is one allowable nonce per private key? 06:22 < gmaxwell> ha 06:22 < gmaxwell> But I didn't quite know how those work. 06:23 < gmaxwell> ah there is an extended address. hm. 06:23 < adam3us> gmaxwell: yes same thought... thats it above, its just to say that you choose the nonce(s) at time of address generation 06:23 < gmaxwell> oh darn. 06:23 < gmaxwell> yea, I think that wouldn't work for the namecoin application. 06:26 < adam3us> gmaxwell: i dont get the namecoin connection. (subliminal channel free signatures would be independently nice however to stop stuffing junk in the block chain:) btw if its purely hash based there is a small subliminal channel in grinding the hash if there is any mutability of the serialization or value hashed. 06:27 < gmaxwell> sure, but the grinding subliminal channel isn't huge and you can reduce it further by requring grinding normally. :) 06:27 < gmaxwell> adam3us: it's just the stop stuffing junk application, I'd fleshed that out a little more in particular to namecoin, https://en.bitcoin.it/wiki/User:Gmaxwell/namecoin_that_sucks_less 06:28 < adam3us> gmaxwell: yes. curious thought that the wallet with observer can have 0 subliminal channel due to the blinding and yet still end up with a valid normal (ec)schnorr sig. actually i saw Brands argue that it has 1-bit channel left: fail or not fail :) (simulated hw wallet death) 06:30 < gmaxwell> hahaha 07:02 * nsh exercises blinking muscles 09:30 < andytoshi> gmaxwell: sorry, i'm not following your scheme: how is privkey == H(script) enforced here (or even exists(privkey) enforced)? what is txid and why doesn't it depend on its own hash? 
09:35 < andytoshi> my concern is, pubkey,sign(H(H(pubkey)||txid)) gives you all of 'pubkey' as a subliminal channel 12:36 < gmaxwell> "This is why we are very glad that the SSL used on government census reports does not provide non-repudiation) 12:36 < gmaxwell> " 12:38 < petertodd> yup... 18:17 < gmaxwell> petertodd: thanks for the laugh. 18:17 < gmaxwell> I am now imagining transactions that have spinning hubcaps. 19:08 < petertodd> oh, that's a good idea! 19:09 < gmaxwell> petertodd: you do realize that my covenants thread is largely intended to be a cautionary tale, right? :P 19:10 < petertodd> you've said it before that I am excellent at coming up with cringeworthy ideas... 19:12 < gmaxwell> If I knew a way to forbid perpetual covenants I would, but I'm pretty convinced its impossible short of a freicoin route of forcably recycling coins. 19:13 < gmaxwell> (ones of finite duration, esp one level deep, are insanely useful though, I agree) 19:16 < petertodd> yeah, even the existing scripting system is really close to allowing covenants - it just needs data access to scriptPubKeys, which a modular checksig probably would have given 19:18 < gmaxwell> Some of the script limitations were clearly intentional, though I don't know how much of the covenant like behavior was excluded. 19:20 < gmaxwell> though another point you can take from my message, I think, is that denying covenants is probably moot in the very long term. ... because SCIP is just too compelling, and I'm reasonably sure you can't escape covenants as a side effect. 19:21 < petertodd> yeah, and most of the really nice fidelity bond stuff w/ blockchain support, even without SCIP, was really covenants in disguise, albeit ones that could be special-cased 19:23 < gmaxwell> petertodd: also, wtf, I started working through code for SCIP blinding of fidelity bonds... 19:24 < gmaxwell> Bitcoin makes it FAR more computationally expensive to verify the damn things than it could. 19:24 < petertodd> how so? 
19:24 < gmaxwell> The fact that you have to @#$@#$@# fetch the @#$@#$ inputs to fetch the @#$#@$@# values to compute the @#$@# fee. 19:25 < gmaxwell> especially when there could be multiple ones in multiple blocks. 19:25 < gmaxwell> (I realize you can constrain the bond shape to improve this) 19:26 < petertodd> oh, yeah that's why I told jeff to use a anyone-can-spend output 19:27 < jgarzik> I still like miner fees 19:27 < jgarzik> at bootstrap, anyone-can-spend equates to self-payment 19:27 < jgarzik> until miners automate detection and spending 19:27 < petertodd> i say we solve that problem with some bounties :) 19:28 < gmaxwell> I do too, but holy crap. It's a multiplicative increase in sha256 operations. This is probably actually irrelevant for most applications, but for running it under SCIP (to turn your bond into a service specific blinded bond) its perhaps problematic. 19:29 < petertodd> it's a good argument for doing OP_BLOCK_HEIGHT or something 19:29 < gmaxwell> meh. 19:30 < petertodd> gets you down to one tx... 19:34 < gmaxwell> *pop* (the sound of Carlton Banks's head exploding) 19:35 < petertodd> ? 19:35 < gmaxwell> SCIP-covenants thread. 19:36 < petertodd> ah 19:36 < petertodd> "Nakamotish" <- you mean "gmaxwellish"? 19:39 < gmaxwell> I do need to try to extract from Eli's group a simpler explanation for the whole thing, when I talk to people about this stuff the reaction I instantly get is that it can't be possible (they also equally reject PSPACE in IP, just as much and thats a pretty old result now). I can only explain parts of it. And a bunch of this stuff I can kinda explain as interactive proofs but can't bridge the gap to verifyier-oracle secure ... 19:39 < gmaxwell> ... non-interactive. 
19:41 < petertodd> for sure, I mean, hell I only claim to kinda understand it because I believe in magic 19:41 < petertodd> I'd love to see a decent visualization of it --- Log closed Wed Aug 21 00:00:27 2013 --- Log opened Wed Aug 21 00:00:27 2013 --- Log closed Thu Aug 22 00:00:30 2013 --- Log opened Thu Aug 22 00:00:30 2013 --- Log closed Fri Aug 23 00:00:33 2013 --- Log opened Fri Aug 23 00:00:33 2013 00:01 < gmaxwell> petertodd: has anyone written about using 'micro'payment channels to enable interservice instant confirmation? I was arguing with phantomcircuit earlier and came up with a protocol. 00:02 < gmaxwell> E.g. say inputs.io and mtgox are mutually distrusting but would like to enable off-chain instant payments between their services. Also assume they've solve the problem of figuring out whos addresses are whos. 00:03 < gmaxwell> Each of them puts up a escrow of bitcoin. Multisigned by both of them with a precomputed nlocktimed refund transaction. 00:03 < gmaxwell> Then they do micropayment-channels against the escrowed funds as transactions happen. 00:04 < gmaxwell> when the escrow(s) are used up they just make a joint transaction resetting them to their current balance and commit it to the blockchain. 00:05 < gmaxwell> by doing this the most their risk is just that the other party vanishes and they have to wait till the timeout to get their escrow back. 00:06 < gmaxwell> it also means they need to lockup their daily transfer amount between the parties, but, meh. I imagine that the vast majority of transactions are small.. and you just don't allow large transactions that would use up to much of the escrow to be instant. 00:08 < gmaxwell> perhaps some protocol modification like where the payments just move money from one escrow to another could make it so the escrows had to only cover the imbalance, but I'm not sure. 01:38 < petertodd> gmaxwell: surely someone has? 
seems so obvious, but maybe not 01:39 < gmaxwell> thats why I'm asking here rather than just posting on it. 01:39 < gmaxwell> I'll try asking mike, I guess. 01:39 < petertodd> yeah, give it a go 07:15 < Luke-Jr> gmaxwell: I *thought* the payment protocol did that :/ --- Log closed Sat Aug 24 00:00:36 2013 --- Log opened Sat Aug 24 00:00:36 2013 19:48 < gmaxwell> oh.. forum, you amuse me so. 19:49 < gmaxwell> "These are computer scientists with the desire, knowledge and expertise to create bitcoin. [...] They have access and knowledge of LaTeX [...] LaTeX was used to publish the bitcoin white paper" 19:49 < gmaxwell> Access and knoweldge of LaTeX! 19:49 < Luke-Jr> lololol 19:49 * gmaxwell imagines that in court. ... "BUT! you had knoweldge of LaTeX! didn't you!?!" 19:50 < gmaxwell> of course, you'd have to be absent of knoweldge of LaTeX to think the bitcoin whitepaper was typeset in it. 19:51 < Luke-Jr> I am absent knowledge of LaTeX! 19:54 < gmaxwell> it's just a full just openoffice document. There are a bunch of indicators. Including the fact that not every third line is hyphenated. (TeX is way to jumpy with the hyphens, unless you go and modify the weights in the justification search) 21:32 < gmaxwell> Anyone see a merkle signature scheme where a CSPRNG with a matching tree structure was used to generate the private keys instead of a straight random access CSPRNG? 21:32 < midnightmagic> gmaxwell: do you get the feeling it's "over" for the bitcoin devs? There's a half-mil in funding, that's like.. ten guys for a year man! 21:32 < gmaxwell> midnightmagic: hah. 21:33 < midnightmagic> TEN GUYS IS MORE THAN .. uh.. SEVEN! 21:34 < gmaxwell> The reason I ask about tree strcutured CSPRNG, consider how you can compress a lamport signature when there is a dyadic partitioning with all 0's or all 1s... you can avoid revealing the indivigual 1s or 0s preimage and just reveal a hash branch up. But you still have to reveal the indivigual private keys. 
21:34 < gmaxwell> But if the private keys are tree structured, you could instead reveal a private key root to reveal all the child private keys. 21:35 < gmaxwell> this doubles the compression that prior compression scheme gives. 21:36 < gmaxwell> midnightmagic: did you see the thread, "oh that was just a placeholder" ... sheesh. 21:36 < gmaxwell> So much for opensourcing their code... who's going to bother auditing it if their respond is to claim that every flaw is a placeholder. 21:38 < gmaxwell> midnightmagic: They say that the effectiveness of competent software developers has a range over more than 10:1. (e.g. you have some guys who are 10x more valuable than some others). 21:38 < gmaxwell> I can only imagine that the range of people working on this stuff is greater. 21:39 < gmaxwell> I am not the smartest, or most productive man. ... But I turned their POW into quivering jelly with little more than a glance. I'd hate to see what someone really good at this stuff would do to their codebase (er, or bitcoinds... !) 22:11 < amiller> gmaxwell, yeah that kind of hash signature is worked on 22:11 < amiller> there's this confusing paper http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.45.6964&rep=rep1&type=pdf Optimal Tree-based One-time Digital Signatures Schemes 22:43 < gmaxwell> hahah. see, this is why I don't publish anything in this space. It's a simple idea, and not hard to work out the expected sizes, I couldn't bring myself to obfuscate it so much. 22:55 < gmaxwell> amiller: know of anyone writing on tree signature schemes where the prior distribution of number of items signed is not uniform? E.g. few-time use is more likely, so you construct an unbalanced tree so that the public keys are shorter if you only sign a few times? 
:) 22:57 < amiller> hm, actually no i've not heard of that 22:57 < amiller> cool idea 22:58 < amiller> i know someone trying to work on a stateless multi-signature one 22:59 < gmaxwell> yea, for bitcoin we'd want a tree with probablities like 0.5 {0.5 {{}{}}} or something. super cheap for one time use, still cheap for two time use, and then uniform probablity (log n()) after that. But whatever, the shape of the tree is the huffman coding problem, so any dyadic probabilities you can express can get a tree. --- Log closed Sun Aug 25 00:00:38 2013 --- Log opened Sun Aug 25 00:00:38 2013 --- Log closed Mon Aug 26 00:00:41 2013 --- Log opened Mon Aug 26 00:00:41 2013 15:00 < maaku> the history of bitcoin is that making sane, conservative, paternalistic choices in the the operation of the reference wallet(s) sufficiently influences the community to keep all but the most determined people from shooting themselves in the foot 15:01 < maaku> but on the whole there are some definite advantages, such as the p2p lending case which was an outstanding unsolved problem 15:01 < maaku> and it has the advantage of the covenant rules being unchangeable / unbreakable. our existing KYC system for example gave the authorizer the ability to vet transactions involving their assets using whatever metric they want at the moment whereas covenants require them to commit to rules upfront. 15:01 < maaku> that's a definate improvement from the user's perspective. 15:02 < maaku> jtimon: you can save significant block chain space, as well as avoid many difficulties with demurrage / interest if you have explicit assets at the protocol level, in which case it also makes pragmatic sense to have token-based issuers 15:02 < maaku> you could do away with token-based authorizers, although adding them would only be a couple of lines of code at this point. 
they have somewhat different properties
15:02 < maaku> adam3us gmaxwell: please correct me if i'm wrong, but I think greg's opinion is that permanent covenants attached to a non-demurrage host currency is a Bad Idea. I concur. But make the covenants temporary, the coins themselves perishable, or applied to user issued assets (not colored coins but separately issued assets a la freimarkets), and it is a different story IMHO.
15:02 < maaku> justanotheruser1: yes, PoS is an extremely valuable tool. Just not for consensus. People see "proof of X" and assume they substitute for each other. In fact they are entirely different tools with entirely different uses.
15:02 < justanotheruser1> maaku: what?
15:03 < justanotheruser1> Where was I talking about PoS
15:04 < maaku> [08:16:06] <justanotheruser> Do you think PoS could ever work in a currency?
15:08 < andytoshi> michagogo|cloud: i think it's working, now i ship a certfile (which i got from mozilla) along with libcurl DLLs that i built myself
15:08 < andytoshi> http://download.wpsoftware.net/bitcoin/cj-windows.zip
15:08 < jtimon> yes, maaku, we wouldn't remove the tagged assets with defined interest/demurrage
15:09 < jtimon> I'm thinking we might be able to replace validation scripts, though I would like to check that case by case
15:11 < maaku> what for offers and stuff? I don't know, maybe
15:11 < maaku> it'd be a little convoluted
15:11 < maaku> /offers/options/
15:11 < maaku> the delegation opcode is pretty elegant
15:12 < jtimon> well, we use them in most of our examples
15:12 < maaku> you could move the relevant coins into an output with a covenant attached governing their next use in the option or whatever
15:12 < maaku> obviously that would work
15:12 < jtimon> I was thinking about using the same opcodes somewhere else, but I haven't thought about it deeply enough
15:12 < maaku> but I don't think it's a very natural, succinct, or satisfying situation
15:14 < maaku> i think there are many use cases where the conditions are most naturally applied to the transaction itself
15:14 < maaku> e.g. you are saying "I commit these coins to this particular transaction, but only so long as these additional constraints are met"
15:14 < adam3us> maaku: covenants do allow some things that are currently painful, think for example things involving hashlock could be made trivial. but i think the more dangerous things are viral covenants that can apply to all further respends indefinitely
15:15 < jtimon> yeah, as said I haven't tried yet, I was just thinking about what could be replaced and what not
15:15 < jtimon> "viral covenants that can apply to all further respends indefinitely" I thought that was the definition of a covenant
15:15 < adam3us> gmaxwell: btw i asked djb and cfrg some questions about ed25519, will see if we get some clarity.
15:16 < maaku> jtimon: we can probably shuffle stuff around, if we start over assuming a more powerful scripting language
15:16 < andytoshi> adam3us: thx much
15:16 < maaku> but i wouldn't get rid of tx-level validation scripts
15:17 < maaku> adam3us: isn't there an rfc process going on? you might want to forward comments to those relevant mailing lists as well
15:17 < gmaxwell> for something like a colored coin, it would be a viral covenant but one that would let you remove it if you ask nicely. It wouldn't allow you to _add_ it except under the right conditions.
15:18 < adam3us> jtimon: i am not sure. i thought of something related, then found it described in freimarket, and finally read gmaxwell covenant thread. maybe i am describing quine vs covenant, in any case terminology aside a small group of transactions that restrict the next transaction is useful, but recursive ongoing or language constructs that allow that by implication are I think existentially dangerous
15:18 < maaku> adam3us: covenants also allow you to do things which you can't currently do, at all (like restricted buy back)
15:19 < gmaxwell> and yeah my covenants thread was intended to point out the existential danger, and also show how easy any sufficiently powerful script can achieve that danger.
15:19 < maaku> that's a very serious pro against a very hypothetical con
15:19 < jtimon> adam3us: not english but I thought: quine = reproduction of code, covenant = viral perpetual quine
15:19 < adam3us> gmaxwell, maaku: yes some kind of language restricted limitation on the power of covenants would be a min-bar for safety i think
15:19 < gmaxwell> adam3us: it seems really hard to achieve that.
15:19 < adam3us> gmaxwell: precisely.
i think ethereum is creating unlimited danger as there are no restrictions and it is intentionally as general as possible
15:20 < gmaxwell> (achieve that while also permitting the good use)
15:20 < adam3us> gmaxwell: right, hence dont do that please :) aka i think satoshi as a guess figured out this risk hence the non-extrospection and so non-virality
15:20 < maaku> i think (for reasons obvious in gmaxwell's thread) that the default position should be that if a script cannot be *proven* to come with no strings attached, then it should destroy fungibility and not be treated as bitcoins by the clients
15:20 < maaku> relegated to the equivalent of a spam wallet
15:21 < gmaxwell> adam3us: one thing they may have done right by accident in ethereum is that they seem to have confined the fancy behavior to agents,... which can own coins. It's just a conceptual difference but perhaps a useful one.
15:21 < maaku> we can then experiment and slowly add functionality to allow users to enable certain covenants, pattern matched or detected by theorem proving
15:21 < adam3us> gmaxwell: see i too, once i finally caught up a bit with the aggregate bitcoin brainstormings, thought hmm extrospection/limits on outputs, ooh you could do lots of things with that. and then realized similarly to your covenants thread that this would be a singularly dangerous thing to do, and hence script probably looks the way it does for a reason
15:22 < jtimon> adam3us what do you think about maaku's suggestion of killing fungibility in the clients?
15:22 < gmaxwell> well if you admit theorem proving then you can test for non-virality. But not if the script is turing complete, I suspect.
15:23 < jtimon> gmaxwell: I think the validators maaku has in mind would answer a) It is not a covenant b) I don't know
15:24 < adam3us> jtimon: but that is just a client restriction, not a language, nor protocol restriction. its better than nothing as defaults carry weight i guess. but only to that extent. seems like playing with fire and surely there must be other ways to make conveniently composable sub transactions
15:25 < gmaxwell> lol, post on liberation-tech:
15:25 < gmaxwell> As one anecdote, when I TAed the MIT Network and Computer security
15:25 < gmaxwell> course, we assigned "Why Johnny Can't Encrypt" as the first reading.
15:25 < gmaxwell> We asked the students to send us a PGP encrypted & signed message and
15:25 < gmaxwell> tell us how long it took.
15:25 < gmaxwell> If I recall correctly, it took an average of 30 minutes for
15:25 < adam3us> maaku: ie isnt there something one could do to make hashlock convenient, or part of an explicit transaction group, or something that doesnt involve increasing the language power
15:25 < jtimon> adam3us isn't your "all exchanges will port to kycCoin" concern eliminated?
15:25 < gmaxwell> non-existing users to figure out how to use PGP. Think about that.
15:25 < gmaxwell> These were graduate & upperclass undergraduate computer science
15:25 < gmaxwell> students enrolled in a network security course. Everyone had accounts
15:25 < gmaxwell> on the same university system and were mostly using standalone email
15:25 < gmaxwell> clients.
15:25 < gmaxwell> Best of all, someone decided it would be funny to generate a fake key
15:25 < gmaxwell> for me and post it to pgp.mit.edu. Several students fell for the
15:25 < gmaxwell> trick, didn't verify the key, and encrypted their homework with the
15:25 < gmaxwell> wrong key.
15:25 < maaku> gmaxwell: sure you can, an inconclusive result is assumed to be worst-case
15:26 < jtimon> adam3us: the point of all this is precisely to increase the language power
15:26 < adam3us> jtimon: amlcoin via virality risk reduced not eliminated
15:26 < gmaxwell> maaku: ugh, okay I suppose. But you're going to be inconclusive an awful lot of the time.
15:26 < adam3us> jtimon: well the point should be to allow contracts to be conveniently expressible language power = danger also.
15:27 < maaku> over all of program space? sure. but that just means you restrict actual scripts used in the wild to those which are provable
15:29 < jtimon> gmaxwell do you share adam3us concerns on all btc becoming amlcoins without the dumb users noticing?
23:28 < amiller> okay so i think i figured out the implication of all my prospect theory crap.
23:28 < amiller> it relates to allowing people to choose their own difficulty
23:29 < amiller> ah this is going to be too complicated to finish
23:31 < amiller> nevermind
23:37 * Luke-Jr wonders if sharing a private key between secp256k1 and Ed25519 would expose it
--- Log closed Wed Oct 30 00:00:21 2013
--- Log opened Wed Oct 30 00:00:21 2013
01:56 < gmaxwell> I went to the Silicon Valley Bitcoin Users meetup today. It was interesting.
01:57 < gmaxwell> amiller: I wouldn't say that it's strictly superior to coinjoin, as it requires four transactions in total, so it's not as good for casual usage. And it cannot be completely blind like coinjoin.
01:58 < gmaxwell> However if 2 of 2 wallets became popular the transactions would be highly inconspicuous.
01:58 < gmaxwell> the anonymity set could be much larger than coinjoin.
01:59 < gmaxwell> Also petertodd deserves some credit too, my initial protocol was bugged, and he fixed it and the fix made it vastly better (e.g. made the transactions indistinguishable).
02:00 < gmaxwell> amiller: I think you're a little overly pessimistic with coinjoin and DOS, but yea, tolerating dos is a major potential source of complexity.
02:01 < gmaxwell> And sure, I love all manner of ZKP. But well, fuck coding. Real cypherpunks transact. All the pretty protocols in the world are nothing but angels dancing on the head of a pin if no one uses them.
02:02 < Luke-Jr> gmaxwell: interesting how? :p
02:03 < gmaxwell> lots of people. uh.. maybe 30? All nice and excited about bitcoin, and basically all of them would make the least sophisticated users that show up in IRC seem like technical geniuses.
02:03 < Luke-Jr> lol
02:04 < Luke-Jr> did any of them recognise you or your name? :p
02:04 < gmaxwell> there was some debate about what a hash tree was between some of the more technical people there, and one thought to ask me to explain it, and I spent 10 minutes on the subject and blew their mind.
02:05 < Luke-Jr> rofl
02:05 < gmaxwell> No. Well, I was kinda keeping a low profile. So more might have if I'd talked to more.
02:06 < gmaxwell> There was someone presenting on their site where people can play board games against each other for btc, looks pretty neat. during his presentation someone asked how he was processing payments, coinbase API and he made some offhand comment about how he keeps his coins in a dozen online wallets because you never know which one is going to get hacked or shut down next, and the room is nodding.
02:07 < gmaxwell> He demoed the site by logging into his coinbase account to transfer some coins into it ... everyone in the room is seeing their username and the length of their password... and the $40k in bitcoin in their account.
02:08 < Luke-Jr> >_<
02:08 < Luke-Jr> sounds like a.. profitable.. group
02:08 < pigeons> what's his mother's maiden name?
02:08 < gmaxwell> in any case, they all seemed nice, even intelligent folks, but really clueless from my perspective. A lot of them inhabit a very different bitcoin world than I do.
02:09 < Luke-Jr> wait, he knew how to run a site?
02:09 < Luke-Jr> omg, what if these kind of people run some of the exchanges?
02:09 < gmaxwell> I was thinking it would be fun to give some presentations, they have a fantastic meeting space, but after meeting the people there, I'm unsure where to find the greatest overlap between my interests and their interests.
02:10 < gmaxwell> Luke-Jr: primarily a business person, hired coders in like serbia apparently. He extolled the virtues of offshore coders. :)
02:10 < pigeons> Luke-Jr: http://coinjar.io/about "Ryan is a veteran entrepreneur and Bitcoin guru. Technically and commercially adept, he's founded several successful startups and remains a prominent figure in the Bitcoin community."
02:11 < Luke-Jr> gmaxwell: somehow that didn't make me feel any better
02:11 < Luke-Jr> pigeons: "He [Asher] also brings lunch for the CoinJar team." <-- at least he does something
02:12 < pigeons> heh
02:12 < Luke-Jr> is that the exchange Gavin said he uses? <.<
02:12 < pigeons> yes
02:13 < gmaxwell> before going I thought if they asked me to talk about something I might talk about the transaction teleportation (Which jcorgan suggests calling CoinSwap) stuff, since its fresh on my mind, but like.. I think I'd have to spend an hour on bitcoin 101 before I could explain anything more than "coin starts here, ends up there, you can't explain that." :)
02:13 < gmaxwell> (I think they'd be interested in more technical things, but for many of them there appeared to be a big knowledge gap)
02:14 < gmaxwell> And well, I guess thats victory that you don't have to be a cryptographic protocol guru to build a bitcoin business.
02:15 < Luke-Jr> that'd be victory if he had a security expert on his staff who didn't let him touch the wallets..
02:17 < Luke-Jr> (suddenly I understand what bankers' real job is..)
02:32 < petertodd> gmaxwell: we've created a monster
02:33 < petertodd> gmaxwell: yeah, I'm fairly active in the toronto bitcoin community, and I always get the impression I've got at least an order of magnitude more clue than anyone else :(
02:33 * Luke-Jr blames petertodd
02:33 < maaku> gmaxwell: was this the hacker dojo group?
02:34 < petertodd> Luke-Jr: heh, if you want to give me all the credit go ahead :P
02:34 < Luke-Jr> petertodd: so you admit to being Satoshi?
02:35 < petertodd> Luke-Jr: yup, and jdillon, and gavin. (the latter because a good actor has versatility)
02:44 < gmaxwell> petertodd: I'm still editing but: https://bitcointalk.org/index.php?topic=321228.new#new
02:51 < petertodd> make sure you mention how in an actual implementation Alice can also play the role of Carol; specifically how a p2p network doing this would have people play either role depending on what is convenient
02:57 < gmaxwell> jcorgan had initially suggested eliminating bob and making it just alice and carol and alice prime.
02:57 < gmaxwell> But I think it's still easier to follow imagining it as three parties.
02:58 < petertodd> I explained it to two of my coworkers yesterday, and they got hung up on Bob as well
02:58 < gmaxwell> Another way to represent it as four. e.g. Alice, Carol, Carol', and Alice'
02:58 < petertodd> Alice, Carol, Carmen and Amy
02:59 < petertodd> ...shit, I've dated all those girls
02:59 < petertodd> Heck, I'd leave Bob in the protocol, but have Bob be a passive recipient only.
03:00 < gmaxwell> Yea, well a version could be drawn with Alice Carol, Carol', Alice', Bob
03:00 < petertodd> right, well, Bob and Dave
03:00 < gmaxwell> so a month or so ago someone was on IRC I think proposing a protocol like this, but without the hashlock so it was totally holdup vulnerable.. e.g. just 2 of 2 escrows.
03:00 < gmaxwell> I ought to credit that person but I can't remember who it was.
03:01 < petertodd> yeah, I think that's come up a few times. Heck, I probably mentioned it at some point in relation to fidelity bonds.
03:11 < petertodd> gmaxwell: CoinSwap is more efficient than four transactions per swap: if the software lets you either play the role of Alice or Carol two simultaneous payments from Alice and Amy to Bob and Bryan take four transactions.
03:12 < gmaxwell> petertodd: well not if alice has to play the role of Bob in order to make your implementation easy and avoid having to coordinate three people.
03:12 < petertodd> gmaxwell: no, even in that case it's fine, because the transactions moving coins from the escrow simply move them to Bob and Bryan
03:13 < petertodd> (for instance five transactions is never required)
03:15 < gmaxwell> K, fair point.
03:22 < petertodd> oh nice: with replace-by-fee we can make CoinSwap be as efficient as a regular transaction: Alice and Amy want to pay Bob and Bryan respectively, so they first jointly author tx0 which sends their coins partially to fees, partially to an unspendable address. Both parties don't want tx0 to be broadcast. Then they author tx1 and tx2, paying Bryan with Alice's coins, and Bob with Amy's. If either party cheats, broadcast tx0.
03:22 < gmaxwell> there is still a chance that the cheat is successful
03:23 < gmaxwell> CoinSwapOfFaith.
03:23 < petertodd> Yes, a chance, for instance if tx1 and tx2 don't get mined at the same time, but you can probably reduce that chance to the point where a fidelity bond can cover it.
03:24 < gmaxwell> petertodd: speaking of bonds, someone is talking about doing something mintchip like with bitcoin private keys.
03:24 < petertodd> I think I'm going to call this new protocol DangerSwap
03:24 < gmaxwell> ohhh. :P
03:24 < petertodd> oh yeah?
03:24 < gmaxwell> ChickenSwap.
03:25 < petertodd> haha, ChickenSwap is good. Or NashSwap
03:25 < gmaxwell> petertodd: it's like a Casascius coin but implemented via something like mintchip.
03:26 < gmaxwell> https://bitcointalk.org/index.php?topic=321085.0
03:26 < gmaxwell> petertodd: NashSquareDance.
03:27 < petertodd> gmaxwell: the latter is wonderfully misleading with its politeness
03:27 < petertodd> gmaxwell: The Great Canadian Coin Swap
03:28 < petertodd> "Armed with cryptographic proof of any fraud, we can force the participants to apologise."
03:31 < gmaxwell> hahahaha
03:34 < Luke-Jr> lol
03:37 < petertodd> Announce/commit sacrifices: The better way to say "Sorry!"
03:39 < Luke-Jr> someone in #bitcoin-otc claims Coinabul is being investigated by the FTC? :o
03:39 < petertodd> ?!
03:41 < Luke-Jr> [07:33:57] <diakin564> FYI - BBB and FTC reports now launched on scam site Coinabul
03:41 < Luke-Jr> [07:34:05] <diakin564> and started FBI investigation
03:41 < petertodd> what scams are they accused of?
03:43 < Luke-Jr> a bit ago, I read bitcointroll threads claiming the (p.m.) coins were "lost" in the mail and coingenuity saying his insurance refused to cover it or something
03:43 < Luke-Jr> dunno much about it
03:51 < gmaxwell> that thread is boring and bogus.
23:46 < jorash> Latest outside analysis of our approach, from lead of the Quantum Information Science Group, MITRE CORP, Princeton: "I follow the logic of your claim but am not familiar enough with the papers you reference to properly say whether or not I agree. However, I do understand your interest in applying QEC only once and I think that my work has something to contribute in that respect."
23:47 < jorash> QEC = Quantum error correction
--- Log closed Sun Sep 01 00:00:57 2013
--- Log opened Sun Sep 01 00:00:58 2013
00:52 < amiller> gmaxwell, why ban him?
00:54 < gmaxwell> because he's been going on and on forever in all the other bitcoin channels begging for money.
00:55 < gmaxwell> amiller: if you want to debate him, I'll invite him back. :P that would be fun.
00:55 < amiller> i missed the part where he's begging for money
00:57 < amiller> anyway i think of this channel as less regulated than -dev
00:57 < gmaxwell> yea, I just didn't want me (or anyone else) to lose another two hours debating with him.
01:01 < amiller> meh, don't ban him for that, just tell him he sucks
01:05 < gmaxwell> (weird, didn't work the first time)
01:11 < Luke-Jr> gmaxwell: too late XD
01:12 < Luke-Jr> gmaxwell: ever hear of Gross-Pitaevskii?
01:12 < Luke-Jr> that's what he's claiming breaks SHA-2 entirely
01:14 < gmaxwell> as I said, dude's a net kook. He's not only arguing that he can do quantum computation on a classical computer, but something more powerful than quantum computation. (If only you'll pay him 5 million dollars to hire the researchers to make it work)
01:15 < amiller> he must have adapted to just probe the room with buzzwords before making it clear he's asking for money
01:15 < amiller> i can't find the panhandling in my scrollbacks
01:16 < gmaxwell> I wasted about two hours on him in #bitcoin and, before I realized that he didn't think _he_ could do that but was just a "business guy", I even offered to pay someone a subsistence living (but not zillions of dollars) to work on BQP in P if he thought he could make concrete progress on it. But he doesn't want ramen, he wants rolex. :P
01:17 < Luke-Jr> he "only" wants 2000 BTC :P
01:18 < Luke-Jr> tempted to email these people on his R&D team and get their perspective
01:19 < gmaxwell> oh, he told me 50k btc.
01:19 < Luke-Jr> cute
01:19 < Luke-Jr> did he send you a budget plan too?
01:20 < gmaxwell> Luke-Jr: no!
01:20 < amiller> ah i found it, here's the grep jorash scrollback from #bitcoin https://gist.github.com/amiller/e6ecfd166a19c6fcecf2
01:20 < amiller> <jorash> the only thing we disprove is the *hubris* of scientific *assumption*
01:21 < amiller> that's a good business plan tagline :o
01:21 < amiller> <jorash> *excuse me, human assumption!
01:26 < amiller> so i've been working on this problem that's a really stylized version of bitcoin consensus
01:26 < amiller> it's meant not to resemble bitcoin closely but to resemble the standard distributed systems models as closely as possible, with the only difference being the lack of PKI assumption
01:27 < amiller> where in every standard setup there's n parties and they all know each other's names and can set up secure channels trivially
01:28 < amiller> rather than consensus, i'm basically saying that the problem is to build a PKI from scratch by agreeing on a set of public keys to be included
01:29 < amiller> to make it as simple as possible just for the first go at this, i'm using pretty strong/unrealistic assumptions, like that there are exactly n players and everyone knows that
01:29 < amiller> also each player has exactly the same hashpower
01:29 < amiller> and no communication latency
01:30 < amiller> and that a puzzle of difficulty d takes *exactly* d units of time to solve for one party and costs nothing at all to verify
01:32 < amiller> i *think* that given all this, there should be a simple deterministic algorithm that does this, but i haven't been able to work it out
01:33 < amiller> then like the realistic versions that are randomized and more efficient would resemble bitcoin more
01:35 < amiller> so this is just a curiosity but it would help me make my argument that the real reason bitcoin is novel / caught everyone by surprise is that almost everything else assumes a PKI, not assuming a PKI is important but really difficult, and adding computational power assumptions is a suitable substitute
01:35 < amiller> i'm frustrated because i've tried to work this out for over a week and haven't gotten it :(
02:07 < gmaxwell> so.. N players, each has a marble factory that produces marbles at exactly 1 marble per second. The marbles can have things written on them, so they write their public key on them.
02:08 < gmaxwell> After X units of time, where X is some number which is large with respect to both n and the respective jitters of your clock, you expect to have ~X/n marbles from each player. For those you do, you've learned their pubkeys.
02:09 < gmaxwell> I don't think you can ever learn a cheating player's pubkey, but he can't fake it under your assumptions, I think.
02:42 < amiller> the problem is you might see ~X/n from the attacker, but someone else might see fewer
02:43 < amiller> basically the attacker gets to selectively pass his messages to some nodes but not others
02:44 < gmaxwell> oh, I see, his marbles might not be uniformly distributed to other players.
02:44 < amiller> i have a procedure that i think works but i haven't been able to explain why clearly
02:45 < amiller> basically you want to make sure that the attacker hasn't just produced enough signatures, but that he's gotten his signatures included in everyone else's signatures too
02:47 < gmaxwell> I can sort of wave my arms and start making an argument that if the honest clique is larger and they recursively include the marbles they've seen in their marbles (analogy fail) then the honest clique will be able to correctly assign keys.
02:47 < amiller> yeah that's about where i'm at
23:04 < gmaxwell> Anyone see anything stupid in this simple idea for oracle enabled instant transactions: http://0bin.net/paste/JCtxYmKrRXfGE6jw#M2b+70sG971rHdEmDKIDgz2PT/zlgSDa8zCTLHE1xbM=
23:07 < jgarzik> gmaxwell, identity key? sounds like it would work great with https://en.bitcoin.it/wiki/Identity_protocol_v1 ;p
23:07 < gmaxwell> jgarzik: yup. I'd expect the oracle itself to be bonded.. and anyone could show that an oracle screwed up just by showing people a bogus extra signature.
23:08 < jgarzik> gmaxwell, BTW the SIN record was recently specified, and looks suspiciously like the merkle pattern employed by CBlock
23:08 < gmaxwell> Main ideas there are (1) precomputed refunds so you're never stuck if the oracle dies, and (2) oracle doesn't need to understand or parse bitcoin transactions.. just a few lines of calls to ecc functions.
23:09 * jgarzik always thought about being N semi-trusted oracles
23:09 < jgarzik> then if one dies, no problem
23:10 < gmaxwell> Yea, you could do that too but in this case, you don't even need it: before you pay into your escrow you've already computed your refund. The cost is the oracle will need about 512 bits of storage per user for the life of each short term key.
23:11 < jgarzik> gmaxwell, this scheme seems sane at first glance
23:11 < gmaxwell> Alternatively instead of the oracle remembering the first signing, you could reduce the oracle's storage to more like 256 bits (for anti-replay) if you made it parse transactions and be willing to sign unlimited transactions with nlocktimes past the expiration date.
23:11 * jgarzik finished reading
23:11 < gmaxwell> But I thought making the oracle see and parse transactions was kinda lame.
23:12 < jgarzik> nah, great anti-velocity measure
23:15 < amiller> is there anything this oracle is supposed to do that couldn't be built into the blockchain?
23:16 < amiller> i guess it's just like a green address
23:17 < gmaxwell> amiller: it's a "green address" anyone can have. Also: unlike a stupid green address it doesn't deanonymize your usage. (the key it signs with looks random to people who aren't party to the transaction)
23:17 < gmaxwell> (the oracle could tell it signed though, but presumably you contact the oracle anonymously)
23:18 < gmaxwell> you can do this same protocol using the counterparty of your transaction as your "oracle", but that only works if you know who you might be paying in advance.
23:19 < gmaxwell> this lets you lock up some spending money to be controlled with the help of some signer who is trusted to not replay, and thus pay instantly... but never transferring the funds to someone who could lose or steal them.
23:19 < amiller> i don't see why we don't just call the oracle a trusted or semitrusted third party
23:19 < amiller> since that's what it is
23:19 < amiller> but yeah that makes sense
23:20 < amiller> this is basically similar to an escrow transaction but for the purpose of immediate confirmation if the third party is trusted
23:21 < gmaxwell> amiller: sure, thats what they are. There are engineering considerations that are being incorporated in this, e.g. I think that oracle can be <1kloc in straight C (except for the ecc signing code)
23:21 < gmaxwell> amiller: the precomputed refunds are somewhat special to the "immediate confirmation" case.
23:21 < gmaxwell> As they remove escrow risk, but don't break 'immediate confirmation' so long as they're far enough out in the future.
23:22 < amiller> i like that actually
23:23 < gmaxwell> that the oracle could only tell who he was signing for at most after it was all over also may reduce the motivation to try to censor the third party.
23:24 < gmaxwell> (and the small code size makes it easier to be confident that it's secure, and easier to run it in special remote-attest hardware)
23:25 < gmaxwell> (the remote attest hardware also protecting privacy, you could make it so the remote-attest has to be violated for the oracle operator to learn which transactions were the oracle's)
11:16 < brisque> oh yes, intentionally destroyed
11:19 < michagogo|cloud> Just for fun, I'm trying to create a pool for it
11:19 < brisque> not much point though, any share for a given client will also be a block
11:20 < brisque> I suppose you're close to a difficulty adjustment now anyway, which solves that issue
12:08 < pigeons> andytoshi: are you still doing daily coinjoins? about what time?
maybe the web page could note that?
12:36 < adam3us> want to think more about incentives & 51% security of secure 1:1 peg mechanism
12:37 < adam3us> seems like it would be a very interesting and useful feature, but can it be incentive and 51% secure, and can it go beyond SPV security?
12:48 < andytoshi> pigeons: not regularly (yet)
12:48 < andytoshi> i'll set up an IRC bot to show up on #bitcoin and remind people a few times a day
12:53 < andytoshi> also, for those wondering about the "poetry" gmaxwell said exists in solidcoin 2, you can download the source from solidcoin.info on the wayback machine, the commentary starts at util.cpp:1618
12:54 < gmaxwell> Did I describe it accurately?
13:13 < andytoshi> you undersold it, i think
13:14 < andytoshi> one moment, i'll post it here, i guess it's public in some sense anyway
13:14 < andytoshi> static unsigned char SomeArrogantText1[]="Back when I was born the world was different. As a kid I could run around the streets, build things in the forest, go to the beach and generally live a care free life. Sure I had video games and played them a fair amount but they didn't get in the way of living an adventurous life. The games back then were different too. They didn't require 40 hours of
13:14 < andytoshi> your life to finish. Oh the good old days, will you ever come back?";
13:14 < andytoshi> static unsigned char SomeArrogantText2[]="Why do most humans not understand their shortcomings? The funny thing with the human brain is it makes everyone arrogant at their core. Sure some may fight it more than others but in every brain there is something telling them, HEY YOU ARE THE MOST IMPORTANT PERSON IN THE WORLD. THE CENTER OF THE UNIVERSE. But we can't all be that, can we? Well perhaps we
13:14 < andytoshi> can, introducing GODria, take 2 pills of this daily and you can be like RealSolid, lord of the universe.";
13:14 < andytoshi> static unsigned char SomeArrogantText3[]="What's up with kids like artforz that think it's good to attack other's work? He spent a year in the bitcoin scene riding on the fact he took some other guys SHA256 opencl code and made a miner out of it. Bravo artforz, meanwhile all the false praise goes to his head and he thinks he actually is a programmer. Real programmers innovate and create new work,
13:14 < andytoshi> they win through being better coders with better ideas. You're not real artforz, and I hear you like furries? What's up with that? You shouldn't go on IRC when you're drunk, people remember the weird stuff.";
14:24 < gmaxwell> petertodd: https://eprint.iacr.org/2013/155.pdf I thought you might like the unusually clear explanation of how LEGO garbled circuits achieves high security with modest amounts of cut and choose.
14:41 < sipa> ;;later tell BlueMatt you have a typo on coingen: eactly
14:41 < gribble> The operation succeeded.
16:18 < gmaxwell> petertodd: that paper also suggests to me a simple protocol for non-interactive zero-knowledge proofs of execution which is based entirely on symmetric cryptography and which I could explain to a layman. Though it's not succinct, the proofs would scale with n^2 in the number of gates in the circuit.
16:20 < tholenst> may I ask: what paper is that?
16:20 < tholenst> (i was late ^^)
16:20 < gmaxwell> 11:24 < gmaxwell> petertodd: https://eprint.iacr.org/2013/155.pdf I thought you might like the unusually clear explanation of how LEGO garbled circuits achieves high security with modest amounts of cut and choose.
16:21 < tholenst> ty
21:27 < BlueMatt> lololol...first payment for coingen...jesuscoin
21:27 < BlueMatt> well, ok, second to nexuscoin...how much you wanna bet thats copyright infringement?
21:28 < kyrio> lol
21:28 < kyrio> bluematt, give me some free coin generation
21:28 < kyrio> i want to make Meinkoin
21:28 < kyrio> neonazis need love too
21:28 < sipa> haha
21:28 < kyrio> someone stole my shekels coin idea =/
21:29 < kyrio> i was going to release them both at the same time
21:30 < sipa> can you take this to #bitcoin or something? :p
21:30 < BlueMatt> sorry, /me was trying to keep coingen here while it was still in early alpha, but considering its already out there, oh well
21:31 < justanotheruser> BlueMatt is nexus copyrighted? Blade Runner used "nexus" in '82 way before the Nexus came out
21:32 < justanotheruser> BlueMatt: anyways you have 2 people already making coins?
21:32 < justanotheruser> *made
21:32 < sipa> well, i don't care about coingen itself, it's sort of fun to trivialize altcoins
21:32 < sipa> but when someone is actually serious about using it...
21:33 < BlueMatt> well it has to be used before altcoins are actually trivial...
21:33 < sipa> a "make random bitflips in the source code until it compiles" option would be fun
21:33 < BlueMatt> heh
21:34 < justanotheruser> a coingen could make a lot of money
--- Log closed Fri Jan 03 00:00:49 2014
--- Log opened Fri Jan 03 00:00:49 2014
01:12 < gmaxwell> jgarzik: second thoughts yet? http://www.reddit.com/r/Bitcoin/comments/1uagqx/if_you_dont_know_bitcoin_has_just_included_an/
01:13 < gmaxwell> Luke-Jr: ^
01:17 < Luke-Jr> gmaxwell: it doesn't help that Gavin pretty much said exactly this in his blog -.-
01:26 < gmaxwell> BlueMatt: I've got a feature for your coin generator.
01:27 < gmaxwell> BlueMatt: there should be something that lets you punch in a formula for a future exchange rate to be displayed in the client.
01:27 < gmaxwell> (some altcoins have an exchange ticker in their clients, screw that.
Just have them provide a formula as a function of time/height/txn volume)
05:17 * michagogo|cloud wonders why Magiccoin's difficulty didn't go up upon passing the 2016 block maek
05:17 < michagogo|cloud> mark*
05:19 < brisque> michagogo|cloud: maybe BlueMatt was messing with the parameters?
05:19 < michagogo|cloud> brisque: Hmm? You can't mess with the parameters
05:19 < michagogo|cloud> Just name it, pick a port, upload an image
05:20 < BlueMatt> michagogo|cloud: I didnt change the genesis, so...it took years for the first block set...
05:20 < michagogo|cloud> Ahhhhhhhh
05:20 < brisque> michagogo|cloud: you can now, but maybe magiccoin was one of bluematts creations.
05:20 < michagogo|cloud> That'll do it
05:20 < michagogo|cloud> brisque: You can? :O
05:20 < michagogo|cloud> Ooh
05:20 < brisque> you can now, it's got a tonne more features.
05:20 < brisque> by the looks of it you'll need a petahash machine to manage to get above diff 1 though
05:22 < michagogo|cloud> brisque: Nah, should rise at the next 2016, I think
05:22 < michagogo|cloud> "Port must be divisible by 2 if the PoW is SHA256"?
05:22 < michagogo|cloud> Why?
05:24 < BlueMatt> michagogo|cloud: thats an artifact of me creating a little node that lets you auto-bootstrap your network
05:24 < BlueMatt> (it manages peers and such)
05:24 < BlueMatt> but needs to know what genesis block you're gonna be using
05:25 < BlueMatt> michagogo|cloud: anyway, this is ot for -wizards
07:16 < brisque> did anybody have a look at the "descendant of Bitcoin" ala NXT?
07:16 < brisque> they released the source of an older client, a single monolithic file
07:20 < brisque> releasing a broken version that can't connect to their network was a stroke of genius.
07:21 < sipa> it's pure proof-of-stake, which suffers from the "nothing at stake" problem (you can mine on all forks independently without spending more resources than on one, leading to problems in convergence if a significant portion of hashpower does this)
07:21 < sipa> but i'm sure that's not the only problem
07:28 < brisque> if nothing else, I'm very glad Bitcoin doesn't use raw integers for its addresses, the NXT ones are almost indecipherable when you look at them in the source.
08:25 < maaku> BlueMatt: people are actually using it. crazy
08:25 < maaku> you should have made the fees higher
09:12 < adam3us> maaku: its the beauty of it ... say it relatively dead pan and different people think its the best thing since sliced bread for very different and conflicting reasons, and yet all end up achieving the desired outcome :)
14:50 < jtimon> that one bothers me because it is proprietary software, but it was sad to hear Bill Still "I'm a non-technical newbie but I've chosen Quark because it has the more secure algorithm"
14:51 < jtimon> some part of me was happy for seeing this "greenbacker" interested in p2p currencies, the other part of me was a facepalm
22:50 < gmaxwell> Been talking about people getting scammed in another channel (geesh, some scammer on the forum just got 200 btc from a single person!) Posted this: https://bitcointalk.org/index.php?topic=398041.0 "
22:50 < gmaxwell> Cryptographically private loan risk management "
--- Log closed Sat Jan 04 00:00:52 2014
--- Log opened Sat Jan 04 00:00:52 2014
01:25 < andytoshi> gmaxwell: why can't alice just sybil that?
01:25 < andytoshi> if she wants to borrow more than her lenders want, just restart with a new tree
01:28 < andytoshi> or better, have a new tree for each lender -- then they all see a proof that their entry was added, and each sees only their own total
01:32 < gmaxwell> andytoshi: note the first line assumption is that the reputation system is already preventing that.
01:32 < andytoshi> oh, derp, i read right through that
01:32 < gmaxwell> andytoshi: a common pattern we see on otc and bitcoin talk is that someone starts an account and makes boring breakeven trades for a year, gradually increasing the amounts, and then does tons of large loans all at once.
01:32 < andytoshi> the line "she publishes the root hash and the proofs in the rep system"
00:50 < petertodd> Heck, I sold someone a Bitcoin back when they were over $200 in person - I didn't have a bitcoin on my phone, so they gave me the $200, I gave them my business card, and I sent them the Bitcoin a few hours later.
00:50 < amiller> petertodd, so a -10 confirmation transaction :p
00:51 < petertodd> Absolutely
00:51 < petertodd> Heck, about a -50 confirmation transaction.
00:51 < amiller> so even if you know them
00:51 < amiller> like you said
00:51 < amiller> you should make it so that they can't blame it on someone else
00:51 < amiller> like if they send you a transaction that they only received 1 block agin
00:51 < amiller> ago
00:51 < petertodd> They didn't know me at all or anyone else in the group, but they did know it appeared a bunch of people recognized me.
00:52 < amiller> petertodd, maybe think of it this way
00:52 < amiller> suppose you're a bitcoin business
00:52 < amiller> you might want bitcoin business insurance!
00:52 < petertodd> Point is, people tend to overestimate SPV security, because they think in terms of "an attacker is trying to attack *me*" which is dead wrong.
00:52 < amiller> how would an insurance company decide what to quote you for insurance against fork-attack double-spends?
00:52 < amiller> a risk manager for a bitcoin business would want to develop a policy for how many confirmations to wait before doing something irrevocable
00:52 < petertodd> First they'd call up myself and jdillon and ask us how replace-by-fee is going...
00:53 < petertodd> (0.25% hashing power jdillon figured, at least a month ago) 00:53 < amiller> if you don't have any transactions in flight and a bunch of noobs get double spent after 2-confirmation transactions, then it doesn't really effect you 00:53 < amiller> affect* 00:54 < petertodd> Frankly I think the best way is to arrange things such that you can't lose an unacceptable amount in one go, and continuously, and automatically, watch for fraud, triggering behavioral changes when you see it. 00:54 < petertodd> This isn't like the weather where the underlying mechanisms are well understood, 00:55 < amiller> yeah, and we still fall for the old "natural disaster" attack often enoguh 00:55 < petertodd> When jdillon and I were initially promoting replace-by-fee, we contacted a number of zero-conf accepting merchants, and nearly everyone followed that exact line of thinking and almost without exception the merchants said they weren't worried about replace-by-fee at all. 00:55 < petertodd> (that's before jdillon realized the scorched earth strategy can even make it fairly safe) 00:56 < gmaxwell> amiller would like the scorched earth strategy point if he hasn't heard it. 00:57 < amiller> i don't think i've heard it 00:57 < amiller> in any case this still supports my point 00:57 < petertodd> https://bitcointalk.org/index.php?topic=251233.msg2669189#msg2669189 00:57 < amiller> SPV is bad for *everyone else* to use 00:57 < amiller> but it isn't unsafe for an individual to use 00:57 < petertodd> fourth paragraph 00:58 < amiller> it's a social cost / public good problem 00:58 < amiller> not an individual security problem 00:58 < petertodd> agreed on that point 00:58 < amiller> like voting 00:58 < petertodd> especially when we're talking about tiny sums 00:58 < petertodd> applies to general network scalability too, which itself is a security issue 00:59 < amiller> yeah, i'm all for that. 
01:00 < petertodd> Note that scorched earth is subject to most of the technical risks that the current defacto zero-conf is - differing ideas of what is a valid tx - although those risks are lessoned because we only need to be pretty sure a really high fee tx propagates well, and that's obviously not a DoS attack. 01:00 < amiller> it's what i assume is part of the "rational bitcoin client" 01:00 < petertodd> Yeah, bit of hand-waving there because you don't get paid to relay transations of course, but so long as wel keep full/partial nodes cheap we're ok there. 01:01 < amiller> yeah and fees dont' make terribly much sense overall anyway yet, but it's a step in the right direction 01:01 < jgarzik> That's the $10,000 prize: figure out how to compensate people for being full nodes 01:02 < jgarzik> Something that cannot be *for the most part* gamed, a la click bots 01:02 < amiller> jgarzik, yes, move to a Proof-of-Retrievability based puzzle rather than empty hashes 01:03 < petertodd> Well, the logical extension of scorched earth is to make fees part of the *consensus* algorithm: IE burn money instead of burning electricity. This gets your "infinite mining capacity" in real life, almost, which means a 51% attacker needs to spend more than the entire value of the currency. (roughly speaking) 01:03 < petertodd> Problem is, systems like that aren't SPV compatible unless you're clever about it... 01:04 < amiller> petertodd, do you have an idea how you can make it so you have to expend the cost *just to try*? 01:04 < petertodd> They're also disturbingly close to proof-of-stake... 01:04 < petertodd> amiller: Fraud proofs. 01:04 < petertodd> But that only works with the jam-proof-network assumption, and depends on that assumption very heavily. 01:04 < amiller> so you're money is deleted if anyone provides evidence that you used the same money twice? 
01:04 < amiller> yeah 01:04 < amiller> your 01:04 < amiller> * 01:05 < petertodd> jgarzik: Very easy to do if we're willing to add extra data to transactions and do probabalistic payments. 01:05 < petertodd> amiller: Yeah, and your fee sacrifice is still sacrificed if someone proves your block was invalid. 01:06 < amiller> petertodd, do you imagine that could ever be money-sacrifice all the way down? 01:06 < amiller> that cpu burning isn't even necessary as a bootstrap step? 01:06 < petertodd> amiller: You get into the nothing at stake problem... at some point *something* has to be costly in terms of energy. 01:06 < amiller> my intuition is that it's not but i haven't made any progress in clarifying what that means 01:08 < petertodd> Non-interactive proofs can work, but they tend to depend on computational limits... 01:08 < petertodd> It may be that the issue boils down to how do you do initial coin distribution fairly. 01:11 < amiller> so i meant to lead into this new topic i want to ramble about.... SPV security is a key point in composition for bitcoin (i.e., multiple chains, and smart coins) 01:11 < amiller> the idea is you can have a heterogeneous network where some people do full validation, and other people just do SPV validation 01:12 < amiller> i am working right now on a "Bitcoin extension" project that lets you pay for outsourced storage 01:13 < amiller> by Bitcoin extension i mean that i am just pretending i can tweak the transaction scripts however i like to define smart contracts and assign value to them 01:14 < petertodd> remember we *can* soft-fork to add all the opcodes we want 01:14 < amiller> so the idea is i write a script that defines a proof-of-retrievability "verification" routine, and i attach some money to it to be paid out every so often 01:14 < amiller> now there is a public bounty on answering proofs-of-retrievability, which means storing my data! 01:14 < petertodd> ha, lovely 01:14 < petertodd> problem is, how many copies? 
01:15 < amiller> right! so that's where it gets interesting 01:15 < petertodd> so nLockTime these txs 01:15 < petertodd> or better yet OP_BLOCKHEIGHT them 01:15 < amiller> i have to do some weird sorts of economic modeling here, but it is likely that because of economies of scale 01:15 < petertodd> (so you can't double-spend the txout) 01:15 < amiller> the most cost effective way to participate in my challenge is just to pay some server farm to do the storing for you 01:16 < petertodd> yeah 01:16 < amiller> bitcoin makes it pretty easy to enter into a mining-for-payment contract 01:16 < petertodd> one issue: how do you incentivize retrieval? 01:16 < amiller> basically you just do something like reencode the puzzle 01:16 < amiller> and you pay them when they prove they're working at least on valid 'shares' that would benefit your public key 01:16 < amiller> so my solution to that is to change the proof of work so it's not just a hash, but a signature 01:16 < amiller> in other words, each time you scratch of a ticket, you have to use your private key 01:17 < amiller> this would make it much more difficult just to outsource mining 01:17 < petertodd> ah I see 01:17 < petertodd> yeah, I noticed that issue too with proof-of-stake stuff - allowing for separate stake proof and spend proof keys is a bad thing 01:18 < amiller> i'm having a really hard time defining that intuition any more clearly though 01:18 < amiller> it seems to relte to program obfuscation 01:18 < petertodd> unfortunate, but it has to be done 01:18 < amiller> there are results for general outsourcing of private programs 01:18 < amiller> but they are definitely more expensive 01:19 < petertodd> hmm... 
go back to your concrete use-cases though, I'm not sure you have to do anything fancy for them 01:19 < amiller> so i'm at this point moving on and just saying, assume i can make a proof-of-work based on signatures such that it's infeasible to outsource, then i can assume somehow that individuals who participate won't just hire the central amortized server 01:19 < amiller> so the next question is what you asked 01:19 < amiller> how to incentivze the actual retreival 01:19 < petertodd> right 01:19 < amiller> and i have no idea 01:19 < petertodd> how big is the data? 01:19 < amiller> just because someone collects the reward by proving they *have* my data doesn't mean they're going to transfer it to me on demand 01:20 < amiller> petertodd, well so far we're considering like storing the library of congress 01:20 < petertodd> it's easy to just make a tx that requires providing the data itself to spend it 01:20 < amiller> it doesn't need to be public data 01:20 < amiller> but it's fun to think of it that way as a start 23:44 < andytoshi> (if NSA excluding these from analysis, then you can get all your ordinary transactions excluded just by spending to several outputs -- then you win) 23:44 < gmaxwell> nsh: because even without participating in an actual CJ you can form a txn all by yourself that looks like one (a bunch of equal sized outputs) and then various automatic deanonymization methods would hit it and fire of their CJ huresitic and give up. 23:45 < gmaxwell> yea, as andytoshi says. 23:45 < nsh> right 23:45 < nsh> though in practice it might rather go as "okay all of these guys are definite terrorists. *dronestrike*" 23:45 < gmaxwell> well different threat model. 23:45 * nsh nods 23:46 < gmaxwell> Either dumb web tools that automatically trace coins frequently gives BS results from CJs in which case they're easily debunked and few trust them... or they ignore CJs and you just make some fake ones and basically opt out of their tracing. win win. 
23:46 < gmaxwell> NSA .. I can't help you with. You're probably screwed. :P 23:46 < andytoshi> if SR were still up i'd be sending all the donations there :P 23:46 < gmaxwell> andytoshi: you could send them to the FBI. :P 23:46 < andytoshi> hahaha 23:46 < nsh> people are still "sending" money to that addresss... 23:46 < nsh> but that's another subject 23:47 < gmaxwell> whatever jackass hacked john dillon sent a bunch of btc there that he'd sent me in a private key for the CJ fund. :( 23:47 < nsh> sucks :( 23:54 < andytoshi> ok, i tried doing the max(unsigned tx count, mpo count) thing 23:54 < andytoshi> we'll know in a minute or so if it worked.. 23:54 < gmaxwell> andytoshi: perhaps the count should actually be min(distinct_in_addresses,max(ntransactions,n_most_pop_outputs)) .. otherwise on this one it would have displayed 10 which was clearly impossible vs 9 which is at least more credible. 23:55 < gmaxwell> I suppose there really should be some maximum_credible_amount which does some value analysis. 23:57 < andytoshi> hmm 23:57 < andytoshi> the point of this display is to give people a swag of their anonymity 23:58 < gmaxwell> right, but e.g. if I submit to you a txn that itself looks like a coinjoin, e.g. two addresses each with enough to form a uniform output, the display shouldn't leak that. 23:58 < andytoshi> ah, i see 23:59 < gmaxwell> maybe it should work from a pure analysis of the transaction submitted so far, just some metric some attacker might use to guess the participants. 23:59 < andytoshi> i think i'll modify coinjoin to calculate how many participants it thinks its merging --- Log closed Sat Dec 28 00:00:01 2013 --- Log opened Sat Dec 28 00:00:01 2013 --- Day changed Sat Dec 28 2013 00:00 < andytoshi> "maximum plausible participants" 00:00 < gmaxwell> I wonder if this is some crazy maximal matching problem. 
00:01 < andytoshi> yeah, i'll get some paper and see what happens :P 00:01 < andytoshi> i haven't thought about this in any detail up to now 00:08 < andytoshi> ok, i've translated this into a graph theory problem, i'll type it up and post it 00:08 < andytoshi> it's actually pretty neat, maybe it's something well-known 00:15 * gmaxwell waits for the max-flow problem 00:16 < andytoshi> i don't think it's that, i'm looking for a graph on a given vertex set with the maximum number of disconnected components 00:16 < andytoshi> with the edgeset satisfying a bunch of conditions 00:21 < andytoshi> does this look right?: http://download.wpsoftware.net/bitcoin/coinjoin.pdf 00:22 < andytoshi> sorry, it took me forever to find a latex template.. 00:24 < gmaxwell> andytoshi: 2.1 is incorrect. You could have a fee only input. 00:24 < gmaxwell> oh nevermind misread 00:24 < gmaxwell> 2.1 is just that the graph is biparte. 00:25 < andytoshi> that's right, i knew there was a word for that.. 00:25 < andytoshi> but i do fix the input and output sets, and i want to ensure these are the same across every plausible join 00:25 < andytoshi> so i'm not sure how best to say that 00:29 < andytoshi> so, my hunch at this point is that "sort the inputs and outputs somehow then match greedily" will provably give the best plausible join 00:29 < andytoshi> based on, that is how literally every school graph theory problem goes 00:29 < gmaxwell> hahahah 00:30 < gmaxwell> I'm trying to figure out how to refactor this into finding a maximal cut. 00:36 < gmaxwell> I don't think the greedy solution works. 00:37 < gmaxwell> say you have an input of 1.55 which was split into 1.4 and .15 and you greedily assign it a 1.5 output. then you'll be left with a straggler. 
00:38 < nsh> greedy doesn't work so well when you have inequalities, i'd guess 00:42 < gmaxwell> andytoshi: hitting set problem 00:56 < andytoshi> oh thx, i'll look that up 01:00 < andytoshi> this is not quite the set hitting problem, that would be if we are trying to cover all the outputs with the least number of inputs 01:00 < andytoshi> here a want a cover by the greatest number of disjoint subsets of inputs 01:01 < gmaxwell> yea.. :-/ 01:01 < BlueMatt> who would be interested in getting a -wizards meetup together at some point in the late march/early april timeframe? 01:02 < andytoshi> BlueMatt: i will know in a week or two what my midterm schedule looks like, but i'd be down 01:03 < andytoshi> i also don't think a greedy algorithm works, this problem does not quite have the right structure 01:03 < gmaxwell> andytoshi: amusingly even that little transaction from tonight is intractable if evaluated via a maximally dumb algorithim that selects all solutions. 01:03 < gmaxwell> s/selects/tests/ 01:04 < andytoshi> cool, do you know how many tests would need to be done? 01:04 < gmaxwell> e.g. there are 9*13=117 edges in the graph, so 2^117. (9 because I merged the dupe address inputs) 01:04 < warren> BlueMatt: will there be a minimum bar of entry? 01:05 < BlueMatt> warren: well, I'll be there, so the bar is set pretty low 01:05 < BlueMatt> in other words...lurkers welcome 01:05 < andytoshi> i think "no floating outputs" is a reasonable assumption, so 117 is a bit high 01:05 < andytoshi> but not by much 01:05 < warren> BlueMatt: what would goals be there? 
01:05 < andytoshi> woah 01:06 < BlueMatt> warren: get together, discuss -wizards concepts in person (with whiteboards...), and personally, I'd like to see discussion of moving more things towards implementation 01:06 < andytoshi> i've noticed how hard this is, for example when i was testing the "display max(unsigned txs, mpo outputs)" code (which didn't work, i forgot to update the copy of coinjoin that the site uses :}), some stranger joined with me 01:06 < andytoshi> i was distracted and i trust my joiner, so i just signed what came out without looking at whose outputs are whose 01:07 < gmaxwell> andytoshi: yea, I was just thinking about the dumb algorithim, because sometimes it obviously yields some kind of recursive structure that turns straight into a dynamic programming solution, but I'm not seeing one here. 01:07 < andytoshi> yeah, i'd like to be able to say "if there is a better solution, we can move toward it somehow", but it's not clear at all how different solutions are related 01:07 < gmaxwell> andytoshi: lol, I was thinking it would be good to have a simple tool where you feed it two raw transaction your merged one and the orignal one, and it just checks that one is a proper subset of the other. 01:08 < gmaxwell> andytoshi: I suspect in most cases there are bunch of "forced edges", and then there are bunch of "equivilent edges" which can be assigned in a greedy way. 01:09 < andytoshi> yeah, for example, can we assume every component is a complete bipartite graph? 01:09 < andytoshi> yes: that doesn't affect any of the three plausible join conditions 01:09 < gmaxwell> Yes. 01:10 < andytoshi> awesome, that feels like a big simplification 01:15 < gmaxwell> so, does that reduce the search it's obvious to me thats enough to make this sufficient: consider all permutations of inputs, all permutations of outputs, all partitionings of inputs, all partitions of outputs. = 9! * 13! * 2^(9-1) * 2^(13-1) 01:16 < gmaxwell> there, I made is 7e13 times faster. 
01:17 < andytoshi> yeah, that's about where i am 01:17 < andytoshi> but maybe there is a smarter way to match up partitions of inputs and partitions of outputs (?) 01:19 < andytoshi> is that the right number for 'partitionings of inputs' tho? don't you want http://oeis.org/search?q=partition ? 01:21 < gmaxwell> they're ordered. So it's just like sticking a edge between each vertex whic is either cut or not. 01:21 < andytoshi> oh, yeah, i see 01:21 < andytoshi> right, i definitely don't want integer partitions, those compensate for overcountings which are completly unrelated to this 01:22 < gmaxwell> well the permute/partition is wasteful, since we don't care about orders within the partitions. 01:23 < gmaxwell> which might just be the partition numbers /me thinks 01:23 < andytoshi> yeah, sounds like it, i think that's what set me looking at partition numbers in the first place 01:24 < andytoshi> but i wasn't explicitly thinking about permutations, so when you brought them up i confused myself 01:26 < andytoshi> OK, for each n from 1 up to the number of outputs, consider the partitions of outputs into n subsets, and also the partitions of inputs into n subsets 01:26 < andytoshi> call the number of output partitions O_n, the number of input partitions I_n 01:26 < andytoshi> then the number of plausible joins with n participants is at most O_n*I_n 01:27 < andytoshi> so we can reduce the space to sum_n O_nI_n 01:27 < andytoshi> which is ugly to write, but probably easy to compute, and might even be tractable 01:28 < gmaxwell> numbpart(13)*numbpart(9) = 3030 01:28 < andytoshi> that gives us an upper bound on the sum, right? 01:29 < andytoshi> yeah, it does, write each numbpart() as a sum of O_n's or I_n's, then their product will be the dot-product sum_n I_nO_n plus a bunch of nonnegative cross terms 00:36 < wyager> Bitmessage ping? 00:36 < wyager> Or something? 
00:36 < Taek42> each person gets a piece, redundancy is N 00:36 < Taek42> then select a random piece of the file to test 00:36 < Taek42> everybody produces that piece 00:37 < Taek42> and if you can use the LT-Codes to resolve it, you know they have the actual file 00:37 < Taek42> if you are worried about somebody waiting, you have them produce a hash first 00:37 < Taek42> but this solution is still delagatable 00:38 < gmaxwell> yea, (you'll note the thing I linked to isn't... but at a cost of not actually being able to store anything. :P ) 00:39 < gmaxwell> hm. I guess encrypting can solve that. 00:39 < Taek42> I'm pretty sure that if you want to store actual data AND have a redundancy, hosts will be able to delegate. 00:39 < Taek42> encryption could solve that? 00:39 < gmaxwell> Taek42: you really want to code it using a locally decidable code. 00:40 * andytoshi-logbot is logging 00:40 < gmaxwell> Taek42: you code your data with a locally decidable code, and then encrypt the codewords. then you issue the codewords to peers. 00:40 < gmaxwell> the peers cannot recover your data because its encrypted. 00:40 < gmaxwell> you can test small fractions of the data by requesting and decrypting and then using the local codeword test. 00:41 < gmaxwell> (I guess the term is actually "locally testable code") 00:42 < Taek42> so the sacrifice would be that you are the only one who is able to repair the file if nodes go offline 00:42 < Taek42> as opposed to the network self-repairing 00:43 < gmaxwell> Yes. though you could have two levels of redundancy which enabled that. 00:43 < gmaxwell> e.g. for the network self-repair you don't need as much correction because the network will respond fast. 
00:45 < Taek42> I think though any time you have a self-repairing network, a large set of collaborating nodes could cheat on the redundancy 00:45 < Taek42> which you would block through penalties for correlated downtime 00:46 < gmaxwell> I still don't see how you hope to achieve that, but I'm not that curious. :) 00:46 < Taek42> hmm 00:48 < Taek42> would you consider it mandatory to a cryptocurrency that when you receive a transaction, you don't need to vest trust in some subset of the network? 00:48 < Taek42> because I've been thinking about building a distributed block chain 00:48 < gmaxwell> you mean trust in Igor and hist 999,999 botnet nodes? 00:48 < wyager> lol 00:48 < Taek42> no 00:49 < Taek42> it would be a randomly sampled subset based on how much work they are contributing 00:49 < gmaxwell> 1,111,111 nodes? 00:50 < wyager> If they don't make more money contributing hashing power to the network than they would contributing hashing power against the network, they can't be trusted 00:50 < Taek42> so Igor would need to control a large % of the work on the network (51% is reasonable) as opposed to merely needing a sufficient quantity of nodes 00:50 < wyager> Which is why we pay people who make the blockchain 00:50 < Taek42> wyager I'm pretty sure you could build it such that you always make the most money contributing towards the network as opposed to against it 00:52 < gmaxwell> it's actually pretty easy to break that. 00:53 < gmaxwell> in any case, as I said in bitcoin we trust to trust the absolute minimum possible, and even then we are not sure the system will survive. 00:53 < gmaxwell> many altcoins have been destroyed by attacks by miners. 00:59 < Taek42> hmm 00:59 < Taek42> also, is bytecoin still actively developed? 00:59 < Luke-Jr> scamcoins are almost never actively developed at any point.. 01:01 < Taek42> would it be bad form to steal their name? 01:02 < Luke-Jr> it would be bad form to steal ByteCoin-the-person's name again. 
01:03 < Luke-Jr> imo 01:03 < Taek42> oh is he a person too? 01:04 < gmaxwell> yea, bytecoin is a cryptographer who was very active in bitcoin's early days. 01:05 < Luke-Jr> note: no relation to the scamcoin 14:51 < fagmuffinz_> justanother 14:52 < fagmuffinz_> What's up 14:52 < justanotheruser> fagmuffinz_: hi 14:53 < justanotheruser> You should change you're name. I think it's borderline banning territory 14:54 < fagmuffinz_> I would hope the nature of movements like this would line up with free speech well enough to overlook something trivial enough like a name 14:54 < fagmuffinz_> A name is a handle - nothing more. You can identify me, and you can identify that I prefer to remain pseudonymous 14:55 < justanotheruser> I wouldn't ban you for it, but free speech doesn't prevent you from getting kicked for having an inflammatory name, it just prevents you from being arrested for having one. 14:55 < fagmuffinz_> Also, who doesn't like muffins? 14:56 < fagmuffinz_> On a more serious note - I meant to get back to you on your decentralized voting scheme, but I've been traveling 14:57 < gmaxwell> (FWIW, a different name would probably be preferable, I had the same initial response... but you were saying thoughtful things, so I didn't bring it up. :) ) 14:58 < fagmuffinz_> Have you made any progress on it, or are you still where you were ~2 weeks ago? 14:59 < justanotheruser> fagmuffinz_: I was just asking if the system would work. I think jamming may be able to be prevented by requiring a certain number of transactions per block. 
15:00 < justanotheruser> And a "vote/coin" can only go through a certain number of transactions from its creation 15:01 < justanotheruser> enough to do coinswaps and joins to anonymize them 15:02 < justanotheruser> along with that you wouldn't be able to have unequal inputs and outputs meaning you couldn't turn 1 vote/coin into 1000 divisible units to fill up the block transaction requirement 15:03 < gmaxwell> I don't know why y'all are wasting cycles on blockchain things for voting. (1) minors can trivially censor votes, (2) none of the anonymity procedures for transactions work without an underlying anonymity network, and if you've got one of those, you don't really need more than that for the anonymity part. 15:06 < justanotheruser> gmaxwell: (1) eventually once [vote recipient A] has all their votes, the miners would have to start accepting votes for B because blocks have to have a certain number of transactions. (2) You need to associate votes with real people in the first place so you know everyone is getting a vote. What you don't know is who they are voting. The anonymity network wouldn't do anything unless you mixed the votes before voting. 15:08 < gmaxwell> justanotheruser: if you must have X votes in total, then you don't need the miners at all. Just have some designated party collect the votes.. pick them at random, hell pick 10 of them to each get a copy. 15:08 < nsh> also voting is basically broken by mathematics 15:09 < nsh> there's no right way to do it, and all the wrong ways suck 15:09 < gmaxwell> electronic voting has a ton of research behind it, solving tricky problems you're not even thinking about (e.g. coercision / vote-buying). You're everything-is-a-nailing it with the blockchain as far as I can tell. 15:09 < gmaxwell> There is basically nothing useful bitcoin adds to to this particular problem. 
15:10 < justanotheruser> gmaxwell: how do you verify that all in the voting set had their votes counted and that they are real people with "some designated party"
15:10 < justanotheruser> gmaxwell: I don't think coercion or vote buying can be solved in any voting system
15:11 < gmaxwell> justanotheruser: except they do solve these things. (largely)
15:11 < justanotheruser> the only person who can determine if there is coercion is an all knowing state
15:11 < gmaxwell> justanotheruser: Usually voting systems use verifiable reencryption mixes.
15:11 < gmaxwell> justanotheruser: you cannot be reliably coerced if you cannot prove to a third party how you voted.
15:12 < justanotheruser> gmaxwell: yes, but people can bring cellphones to voting booths pretty easily
15:12 < justanotheruser> "Take a picture of you voting for Putin or I will kill you"
15:12 < gmaxwell> justanotheruser: they're prohibited, including by observers. (and even if you had one, it's not hard to take a picture then vote another way)
15:13 < gmaxwell> Seriously, there are hundreds of people working on this domain, and they have good systems proposed. And their solutions do not need and would not benefit from a blockchain. They can make concrete statements about the security.
15:14 < justanotheruser> gmaxwell: I see. What happened in Florida? The government hacking together their own voting system?
15:30 < adam3us> justanotheruser: just another example of real-life-stupidity. dunning-kruger in action etc
15:33 < gmaxwell> certainly had little to do with cryptographic voting systems (none was in use)
15:41 < adam3us> justanotheruser: not directly bitcoin related but if you're interested in voting there are some papers on it, one is damgard-jurik's threshold extension of paillier's crypto system which gives split trust vote validation, user verifiable counting of votes, and summing via homomorphic encryption. phun stuff if u like crypto-math. there's a whole load of other papers, thats just one i happened to have read.
15:41 < fagmuffinz_> (Back)
15:45 < fagmuffinz_> Oh, cool, nsh is in here also. Was wondering if anyone here was working on 3301
15:45 < nsh> s/on/for/
15:53 < maaku> :)
15:55 < justanotheruser> adam3us: link?
15:57 < adam3us> justanotheruser: hmm one sec http://en.wikipedia.org/wiki/Damg%C3%A5rd%E2%80%93Jurik_cryptosystem there's an author home page paper link from there, if that doesnt work try citeseer.
15:57 < justanotheruser> thanks
16:00 < adam3us> justanotheruser: i only read it because i knew what paillier was and it is necessary to use DG extended paillier tricks to get a blind signature out of DSA (it sucks that badly compared to Schnorr, its horrendous the complexity of blind DSA, blind ECDSA i am not sure is known to be possible). paillier itself is a nice little RSA related crypto system that
20:34 < phantomcircuit> (i think i should double check)
20:34 < nanotube> does addnode?
20:34 < jrmithdobbs> phantomcircuit: but on the other side the slots might have been taking is what he's saying
20:35 < nanotube> connect iirc says 'connect only to this node and nothing else'
20:35 < nanotube> addnode says 'add this to whatever else is going on'
20:35 < phantomcircuit> nanotube, connect does prevent connecting to anything else
20:35 < nanotube> so obviously connect would reserve.
20:35 < phantomcircuit> nanotube, i dont think what you're trying to do will work
20:35 < jrmithdobbs> sorry i meant addnode and it doesn reserve if i remember the code correctly
20:35 < jrmithdobbs> *does
20:35 < nanotube> ah so if addnode reserves, guess that's fine
20:35 < jrmithdobbs> but only on connecting-from (client) side
20:35 < gmaxwell> Addnode reserves.
20:36 < gmaxwell> yes only on the from side.
20:36 < jrmithdobbs> but if you have a pool of say 20 bridges that all -connect to each other's onions ... problem solved
20:36 < nanotube> ah, so the scenario of 'tor dies, slots fill up' is still a threat to tor bridging?
20:36 < jrmithdobbs> s/-connect/-addnode
20:36 < nanotube> at any rate, in the meantime, throw me your tor node addresses and i'll addnode them. :)
20:37 < jrmithdobbs> took mine down due to lack of interest/connections
20:37 < jrmithdobbs> months ago
20:37 < nanotube> hum.
20:37 < phantomcircuit> i wonder how much effort it would take to add a gui for adding reserved slot peers
20:37 < gmaxwell> jrmithdobbs: huh? mine usually has >30 HS inbounds...
20:37 < phantomcircuit> so normal people could connect to their friends (or at least try to)
20:38 < nanotube> forget gui, a config option would be nice. :)
20:38 < nanotube> iow, if addnode reserved a slot.
20:38 < jrmithdobbs> gmaxwell: mine didn't and "months" is actually almost a year now
20:38 < phantomcircuit> nanotube, if gmaxwell says it does it probably does
20:38 < gmaxwell> well you can't reserve HS inbound for specific HS peers sadly.
20:38 < phantomcircuit> :)
20:38 < phantomcircuit> oh i didn't mean inbound
20:38 < nanotube> he says it doesn't
20:38 < phantomcircuit> reserved inbound slots isn't important
20:39 < gmaxwell> nanotube: addnode outbound always works.
20:39 < nanotube> anyway just a suggestion. it's a bit of an edge case.
20:39 < phantomcircuit> unless you're super popular you're not going to hit the 128 limit
20:39 < gmaxwell> or dos attacked.
20:39 < nanotube> i don't have the ram for 128, i'm running with 16 :)
20:39 < jrmithdobbs> phantomcircuit: the node i turned tor off on had 512 max cons with ~300-380 constant non-tor and 5-10 unconnectable tor nodes
20:39 < nanotube> will see how it behaves and maybe up it a bit
20:39 < phantomcircuit> gmaxwell, shrug
20:39 < jrmithdobbs> (plus sipa and gmaxwell's tor nodes)
20:39 < gmaxwell> nanotube: since 0.8.1+ you shouldn't need a lot of ram for a lot of inbounds.
20:40 < nanotube> so going from 16 to 128, what's the impact?
20:40 < phantomcircuit> gmaxwell, possibly select should be replaced with epoll()
20:40 < gmaxwell> nanotube: dunno, haven't measured lately. if this is a non-wallet node running the disable wallet patches will also save you 50 mb.
20:40 < phantomcircuit> nanotube, select() is slower but only marginally so and you're using up file descriptors
20:40 < nanotube> currently i have 268/585 res/virt ram use with 16
20:41 < phantomcircuit> nanotube, running what version
20:41 < nanotube> latest release .8.4
20:41 < phantomcircuit> also have you synced
20:41 < nanotube> yes
20:41 < phantomcircuit> this have an active wallet attached to it?
20:41 < nanotube> well, not active, it's the empty default wallet
20:41 < gmaxwell> I'm 262mb res, but at the moment I only have 11 peers.
20:41 < phantomcircuit> weird
20:42 < nanotube> well, i'll run at 16 for a day or two and see how it is, then up it to 128 and see what it does.
20:44 < phantomcircuit> blargh debian ftp mirror rate limiting me
20:45 < nanotube> hm, guess the network has plenty of open slots - i'm running at 15 connections heh
20:46 < phantomcircuit> nanotube, it's exceptionally random how many inbound connections you'll get
20:46 < nanotube> or maybe my fresh node hasn't yet been discovered by much of the network.
20:46 < nanotube> mm
20:47 < phantomcircuit> nanotube, "connections" : 81,
20:47 < phantomcircuit> very long lived node
20:47 < nanotube> nice
20:48 < nanotube> 2013-09-11 00:47:14 Warning: Local node 127.0.0.1:36029 misbehaving (delta: 0)! heh well and there's some indication that i have tor peers. :)
20:50 < gmaxwell> nanotube: what I want to do for inbound is something like this: Once every few minutes: If your inbounds aren't full, do nothing. If your inbound is full select a peer to evict with an algorithm like this:
20:50 < gmaxwell> Remove addnoded peers that we're not also outbound to from consideration.
20:50 < gmaxwell> Protect up to 8 longest connected localhost / local subnet connections.
20:50 < gmaxwell> Protect 10% of the remaining peers, ordered by most useful to us (e.g. most times the first inv for a new good block)
20:50 < gmaxwell> Protect 10% of the remaining peers, ordered by the lowest ever minimum ping latency, iff they have the useful flag, limited to one peer per netgroup.
20:50 < gmaxwell> Protect 10% of the remaining peers, ordered by H(secret IP), iff they have the useful flag, limited to one peer per IP.
20:50 < gmaxwell> Protect 10% of the remaining peers, ordered by longest connected
20:50 < gmaxwell> sort the rest by connection time divided by the number of peers on the same ip, select one to kick randomly weighted to pick short connections.
20:51 < nanotube> well according to netstat, i have 4 tor peers. \o/
20:52 < nanotube> ah so the idea is to prevent a node from being too static in the network, ic
20:53 < nanotube> i guess tor nodes would fall under localhost connections
20:53 < phantomcircuit> nanotube, getpeerinfo rpc call
20:54 < phantomcircuit> gmaxwell, instead of doing it when the slots are full, accept 129 connections and then select a peer to evict
20:54 < gmaxwell> nanotube: actually what I'd like to do is split this all by netgroup first, and handle tor peers totally separately. e.g. move tor inbound to another port to distinguish it.
20:54 < phantomcircuit> i actually have a patch that does this which makes the simplest slot filling problems disappear
20:54 < gmaxwell> phantomcircuit: I think thats not right, in fact! because then someone connecting really fast can quickly use up all your probabilistic slots.
20:54 < phantomcircuit> (magic)
20:55 < phantomcircuit> gmaxwell, well of course the disconnected slot could be the newly connected peer
20:55 < gmaxwell> and N in my example should actually be an exponential random variable.
20:55 < phantomcircuit> ie you could give a lot of weight to connections to your probabilistic slots which are new
20:55 < gmaxwell> phantomcircuit: I suppose that would be fine, or adjust the weigh-for-lowest duration to strongly prefer them. Fair enough.
20:56 < gmaxwell> In any case each of my "protect" groups is based on something which is hard for an attacker to fake.
20:56 < phantomcircuit> otoh i was actually considering randomly evicting peers even when you're not full
20:56 < phantomcircuit> just to churn the network and make it harder to do latency based analysis
20:57 < gmaxwell> Being on your local subnet, being net-geographically close is unfakable, giving useful data (blocks) is not really fakable, having an IP that meets our secret criteria is only fakable with great expense, being connected for a long time is harder to 'fake'.
20:57 < gmaxwell> phantomcircuit: for outbound I think we should churn, for inbound I think not.
20:58 < gmaxwell> for outbound sipa has a proposal that randomly changes peers with a weight that prefers to evict the shortest connection. I suggested augmenting it by always keeping the two most useful peers, so you don't rotate yourself into a useless partition of the network.
21:15 < nanotube> phantomcircuit: getpeerinfo - thanks. :)
21:16 < nanotube> if the shortest connections always get churned, they never get a chance to become long connections.
21:16 < nanotube> so some clients may forever be relegated to the churn pile?
21:19 < nanotube> i don't suppose it is possible to change maxconnections without restarting the client?
21:20 < gmaxwell> nanotube: unless they end up in one of those several protected classes I gave.
21:21 < nanotube> which as you yourself said, is not easy to do intentionally.
21:22 < nanotube> i guess eventually it'll end up somewhere which is relatively close with a low ping...
21:23 < nanotube> but wouldn't that make the bitcoin network more closely mirror physical geography
21:23 < gmaxwell> nanotube: thats also why it would only be a limited number of connections in that class. All those other connections are getting used by someone.
21:24 < nanotube> yea just wanted to make sure that a new node doesn't have trouble getting stable peers.
21:24 < gmaxwell> wrt becoming the longest, thats the idea of it being random though it wouldn't punt the shortest life, it would say have a x% of the shortest a x/1.5% of the next... etc.
21:25 < nanotube> ah so weighted, not absolute, ok
21:26 < gmaxwell> yea, absolute would be broken. Sipa did some simulations for the weights for outbound and got some nice properties.
21:27 < nanotube> cool
21:27 < gmaxwell> but absolutely, the latency bias is dangerous if carried too far: you can get networks that self-partition.
21:27 < nanotube> right
21:27 < gmaxwell> Thats one reason I enumerated a class the H(secret+ip) one which is purely random, and not at all uptime or latency sensitive.
21:28 < nanotube> \o/ for randomness. :)
21:32 < nanotube> if nodes are going to be penalized for low uptime, could be a good idea to allow changing conf parameters without restarting the node via rpc. like bitcoind maxconnections X
05:46 < maaku> well the historical analysis, repeated many times is that once you subtract out the risk, the costs, and any other identifiable factor, there's 4-6% left over
05:47 < maaku> it fluctuates a little bit based on global and local economic conditions, but has remained remarkably steady since they started tracking this
05:47 < petertodd> how was the cost of determining credit risk factored out? and for that matter, the way credit risk can often be amortized and so on
05:48 < maaku> unsatisfyingly, i'm going to have to go to bed soon (almost 3am here)
05:48 < maaku> but i believe in these studies they just use the banks own numbers
05:48 < maaku> credit risk is what the bank thought it was
05:48 < petertodd> right, but even the banks might be fooling themselves
05:49 < petertodd> heck, with the last crash, I'll say that's guaranteed in some sense
05:49 < maaku> right, but every banker in the world fooling themselves the same amount?
05:49 < petertodd> they're all human... I hope
05:49 < petertodd> or heck, it's all the same amount because of good competition :P
05:50 < maaku> well that is quite the point
05:50 < maaku> the banks compete and they end up at the same amount
05:50 < maaku> that is, charging extra by the same amount, the most they can get away with
05:51 < petertodd> yup, and they all think they're making out like bandits, and like most people they're discounting all kinds of risks, like black swan events, which leaves them at break-even
05:51 < maaku> competition doesn't drive it to zero, as you might think, because the bank would rather have money under the mattress than a loan with expected 0% return
05:51 < petertodd> well... it drives it to zero in *some* sense
05:51 < maaku> opportunity cost and all that
05:52 < petertodd> hence why rather than "zero" you could wind up at that 5% and wonder why it's not zero - when a broader picture is that rate is 0%
05:53 < petertodd> an interesting analysis comes from civil aviation, where a lot of people have come to the conclusion that in the entire history of it, the industry has lost money
05:54 < petertodd> but equally, aviation is full of dreamers...
14:21 < jtimon> maaku petertodd I thought the demurrage rate would be fixed and PoS only votes on the % to the miners % to something else
14:22 < jtimon> "in the zerocoin application, the entire tree is recoverable from the spend history in the block chain, but nodes don't have to keep it resident in the UTXO set"
14:22 < jtimon> how do you do that?
14:46 < gmaxwell> what are you quoting?
14:46 < gmaxwell> In any case, look at the little MMR writeup I did:
14:47 < gmaxwell> https://bitcointalk.org/index.php?topic=314467.msg3371194#msg3371194
15:34 < maaku> he's quoting me
15:35 < maaku> updating the chaum double-spend database using proofs provided with the transaction
15:35 < maaku> like we talked about a week or so ago
15:36 < maaku> jtimon: this is just to keep a list of which chaum tokens have already been spent
15:36 < maaku> you put them in an ordered tree structure, and to perform a spend you have to provide an insertion-proof showing that the token is not already in the db
15:37 < maaku> the validating nodes only have to keep the root hash around
15:37 < maaku> since each spend references the previous hash, and they update the hash afterwards
15:37 < maaku> update the root hash
15:38 < maaku> you still have to use some sort of ZKP or centralized signing to create the chaum tokens and validate that the token provided is from the original issuance set
16:07 < maaku> i wonder if there is a subset of the SHA-3 and AES contenders which are particularly amenable to small circuits in ZK proofs
16:17 < gmaxwell> 22:36 < gmaxwell> It would be interesting to evaluate all the well studied cryptographic hashes and see which would result in the most efficient quadratic span program proofs.
16:18 < gmaxwell> but I suspect sha2 is not so bad. likewise with aes.
16:22 < maaku> yeah i was thinking rijndael is probably better than all the others
16:23 < maaku> but keccak is probably worse than sha2
16:41 < jtimon> maaku in the context of freimarkets, would there be a "chaumian tree" per asset?
16:44 < maaku> well there'd be a tree per mint series
16:44 < maaku> and a mint series would be presumably limited to a single asset
16:45 < jtimon> I see
16:46 < jtimon> did you read petertodd's proposal for indexing the inputs set instead of the output set?
16:46 < jtimon> I'm not sure I understand it but it looks very interesting
18:30 < jtimon> petertodd I'm re-reading this http://sourceforge.net/mailarchive/forum.php?thread_name=20131119110023.GA24068%40savin&forum_name=bitcoin-development
18:30 < jtimon> I have several questions
18:31 < jtimon> the first is how are tx fees paid?
18:31 < jtimon> maybe you have PoW per transaction to prevent spam DoS?
18:39 < jgarzik> jtimon, TX fees are paid by providing input bitcoins > output bitcoins
18:39 < jgarzik> jtimon, the difference is the fee
18:39 < jgarzik> jtimon, e.g. 2 BTC inputs, 1 BTC outputs == 1 BTC fee
18:40 < jtimon> that's how bitcoin works, but I'm not so sure that is how petertodd's proposal works
18:40 < jtimon> miners see no outputs if I understand correctly
18:47 < jgarzik> ah, apologies
18:47 < jtimon> jgarzik no problem
19:24 < maaku> petertodd: what are the advantages of keeping a spent-txin set instead of an unspent-txo set?
--- Log closed Sat Nov 30 00:00:20 2013
--- Log opened Sat Nov 30 00:00:20 2013
05:12 < gmaxwell> erp. So either someone has a secret ltc asic farm, or LTC mining is consuming .5x - 2.5x the electrical energy of Bitcoin mining.
05:13 < gmaxwell> (range due to the huge spread of bitcoin asic efficiencies and me not knowing what the bulk of the hashrate is)
06:09 < Ryan52> gmaxwell: interesting! I heard from somebody, who is way less technical, that all attempts at ASICs for that, were at laughable hashrates currently.
08:00 < Luke-Jr> gmaxwell: I'd suspect the former
08:51 < Emcy> i still dont know what ltc actual utility is
08:51 < Emcy> it might have had a reasonable one, if it had managed to stay an x86 coin given the momentum of that architecture
08:53 < _ingsoc> People don't want to be locked into a monoculture.
08:54 < Emcy> what does that actually mean
08:54 < _ingsoc> We could argue about the technical justification for something all day. Fact of the matter is, if it can be forked, it will be forked.
08:55 < _ingsoc> If Bitcoin is the only crypto-currency with any swing, we're screwed.
08:55 < wumpus> it's useful for experimentation
08:56 < _ingsoc> If Bitcoin is supposed to be our God, then you might as well just worship the dollar. Push out as many crypto-currencies as technically possible and let the market decide - that's one form of reasoning.
08:56 < _ingsoc> But then markets aren't always "right".
08:56 < Emcy> i dont think ltc does much experimentation, it just seems to be a place to go for people who are asspained about not buying btc when it was $10, and who have gpu farms that are now useless for btc
08:57 < Emcy> do you know how many ltc pump threads are on /g/ these days
08:57 < _ingsoc> Rectal pain is the most powerful force in capitalism.
08:57 < _ingsoc> It literally fuels innovation.
08:57 < wumpus> I mean, if people want to find out for themselves why a block per 10 seconds is a bad idea, let them
08:58 < _ingsoc> Sure.
08:59 < _ingsoc> Dare to experiment!
08:59 < _ingsoc> With real-world data.
08:59 < Emcy> so is 2.5m
08:59 < Emcy> it doesnt really add anything apart from giving people fuzzies when they dont understand how confirmations work
09:00 < _ingsoc> How do you know you know?
09:00 < Emcy> eh?
09:00 < _ingsoc> How do you know you know how it works?
09:01 < Emcy> um
09:01 < Emcy> osmosis from my intellectual superiors?
09:01 < _ingsoc> Well that's a tyranny!
09:02 < Emcy> ive been meaning to ask if a block that took 20 minutes is statistically more secure than one that took 2, actually
09:02 < Emcy> btc block that is, or in the same chain at least
09:04 < Emcy> _ingsoc i dont believe everything i read, but theres only so much critical thought one is qualified of doing on a subject. There will always be knowledge brokers in this world.
09:05 < Emcy> we all have people we generally trust to be talking sense, the trick is to watch out for the ones trying to feed you bilge for one reason or another
09:07 < _ingsoc> I agree. I just don't want to crap on things all day.
09:07 < _ingsoc> The LTC devs aren't stupid.
09:08 < Emcy> whos crapping on anything?
09:08 < Emcy> i dont begrudge litecoins existence or anything
09:08 < Luke-Jr> _ingsoc: LTC provides nothing beyond Bitcoin
09:08 < Luke-Jr> at all
09:09 < _ingsoc> I completely understand why you feel that way.
09:09 < _ingsoc> Someone obviously thought it was interesting enough to explore to do it.
09:09 < _ingsoc> And I respect that decision.
09:10 < Emcy> Luke-Jr do you think a super secret ltc asic farm is really likely at this point?
09:10 < Luke-Jr> or FPGA at least
09:11 < Emcy> yeah i never understood why it would be so hard to join a couple of gb of dram to an fpga on a board
09:11 < Luke-Jr> LTC scrypt doesn't really even need RAM
09:11 < Emcy> gfx cards are up to like 12gb now
09:12 < Emcy> just for me, it spoke volumes when the first ltc gpu miner came out and the scrypt WASNT tweaked via community consensus to stop it
09:13 < Emcy> i mean if it was billed as something to do with your bitcoin gpus then fine
09:13 < Emcy> makes me wonder if bitcoin could ever break one of its core and fundamental promises and get away with it
09:14 < Luke-Jr> probably by that time people had accepted the fact that CPU-only is a bad thing
09:14 < Emcy> i think the answer would be yes as long as everyone was still getting paper rich
09:14 < Luke-Jr> Emcy: not likely
09:14 < Luke-Jr> Bitcoin isn't Litecoin
09:14 < Luke-Jr> Litecoin is just a get-rich-quick scheme
09:15 < Luke-Jr> while there's no doubt GRQers using Bitcoin, there's a lot more non-GRQ too
15:19 < sipa> TD: i haven't benchmarked, but i doubt it's more than 2* as fast as libsecp256k1
15:20 < TD> right, i haven't benchmarked either
15:20 < sipa> (it's fully constant time though, and has other nice properties)
15:20 < TD> and 2x is not to be sneezed at
15:21 < sipa> the question is: do computers get 2x faster in the time you need to deploy a hardfork + wallet upgrade :p
15:21 < TD> hah
15:22 < sipa> (it may be just 1.5x as well)
15:22 < TD> well, i dunno. every time i think intel can't push things any further, they find a way to squeeze a bit more out
15:22 < petertodd> sipa: depends if you do it now or in fifteen years after moores law's good and dead
15:22 < TD> but 2x is a big improvement
15:22 < sipa> anyway, meaningless discussion without numbers
15:22 < TD> yeah
15:22 < TD> true
15:22 < TD> it might be 11x. then we could take it to 11
15:23 < petertodd> TD: or 1.1x, and we'd need our glasses off to take it to 11
15:23 < sipa> according to the website, it needs (iirc) 260k cycles for a verification
15:23 < TD> for which impl? there is a C one and an asm one, right
15:23 < sipa> asm
15:23 < sipa> the c one is ridiculously slow
15:24 < sipa> as in 10x slower than openssl ecdsa
15:24 < TD> ah
15:24 < TD> ok
15:24 < sipa> i think libsecp256k1 does a verification in 300k cycles on modern hardware
15:25 < sipa> but i'm sure my benchmark is on much more recent hardware than theirs
15:35 < adam3us> sipa: i think your code is probably so close based on what you said & before that for speed alone EdDSA is not worth it
15:36 < TD> petertodd: btw i didn't really grok your comment about double spends - i'm missing something, not sure what it is
15:36 < TD> petertodd: w.r.t. coinjoin
15:36 * TD didn't think about it much though, this is a tv and beer weekend
16:00 < adam3us> TD: for your beer: comparing ECDSA and ECSchnorr:
16:00 < adam3us> ECDSA: R=kG, r=R.x, s=(H(m)+rd)/k, Q=dG verify: sR=?H(m)G+rQ
16:00 < adam3us> ECS: R=kG, r=R.x, s=k+H(r,m)d, Q=dG verify: sG=?R+H(r,m)Q
16:00 < TD> petertodd: you mean this don't you: https://bitcointalk.org/index.php?topic=300809.msg3227294#msg3227294
16:00 < TD> petertodd: i guess i had not envisioned people making payments directly from a coinjoin. i am not sure that's a great idea
16:00 < adam3us> TD: very similar, except no /k part which is unknown so bollocks everything up in any kind of 2 of 2 or k of n
16:01 < TD> ok
16:01 < TD> thanks
17:03 < adam3us> btw more schnorr fun if you call c=H(r,m) from above, then send sig as c,s instead of r,s the verify is c=?H([sG-cQ].x,m) which is the same, as R=sG-cQ, but then you can use a 128-bit (truncated hash) so the sig is 48byte vs 64byte HOWEVER its actually a spurious claim by Schnorr (and most people since) because they assume the attacker cant choose R. Well what if the attacker IS the signer. doh. academics...
17:10 < maaku> anyone have technical details for this : https://twitter.com/matthew_d_green/status/401798811070107648
17:12 < adam3us> maaku: no seems nothing on the zerocoin.org site
17:13 < gmaxwell> maaku: I know things about it, but I don't know if it would be polite to comment.
17:15 < adam3us> unless i'm missing something ZC is still stupidly expensive even if they got the proof down to 10kB per coin, because for anonymity all the coins are the same denomination imagine paying $1000 in .01c increments
17:19 < gmaxwell> In any case, when the paper is public I'll make sure to update everyone here on it.
17:19 < gmaxwell> for now I refer to my initial ZC comments: "On the plus side approaches can only get better."
17:19 < maaku> adam3us: have multiple mint series, with different denominations
17:20 < adam3us> maaku: indeed, but then the anonymity set drops, and you can trace amounts
17:20 < adam3us> maaku: so then it ends up being maybe no better than bitcoin as is practically
17:21 < maaku> adam3us: with a handful of standard denominations, there's no reason you can't still have a sufficiently large anonymity set
17:22 < maaku> the killer limitation of ZC is the super-long verification times
17:22 < adam3us> maaku: yes it can help, something reasonably pragmatic could be done
17:22 < maaku> i've found pragmatic solutions for everything else
17:22 < maaku> but requiring 1-2s per coin redemption is orders-of-magnitude unacceptable
17:23 < adam3us> maaku: their problem is the cut & choose in their ZKP, if they could find a way to get a direct ZKP it might be different story
17:24 < adam3us> maaku: you know even to create a coin takes 1sec because it must look like c=g^x*h^s mod p and c must also be prime
17:24 < adam3us> maaku: at least when i tried it myself using openssl (before they had the code out)
17:24 < maaku> adam3us: i don't care if it takes 1hr to create a coin
17:24 < maaku> so long as it takes milliseconds for nodes on the network to validate
17:24 < adam3us> maaku: you might if you had to use it much, but yes that is the least worrying part
17:25 < maaku> well yeah, i do care (ideally it should all be fast)
17:25 < adam3us> maaku: if only there was a way to have the validation work be part of the PoW :)
17:25 < maaku> but if you had to choose..
17:25 < adam3us> maaku: agreed
17:26 < adam3us> maaku: also the trap door in the accumulator is kind of scary
17:26 < adam3us> maaku: if someone keeps that they can print coins at will
17:26 < maaku> adam3us: that is trouble
17:27 < gmaxwell> well you can engineer around that a little bit: e.g. you can make sure that no more comes out than went in.
17:27 < gmaxwell> so at worst an accumulator break is you steal all its coins, not inflation.
17:33 < adam3us> gmaxwell: well if there are a lot of hoarded coins might not be much consolation
17:49 < adam3us> gmaxwell, maaku: the accumulator is fixed size, you cant tell how many coins are left in it, all you see is the spent ones serial numbers and a zkp that they are in the accumulator, so i think the limit is if you saw more coins come out of it than went in
18:55 < warren> gmaxwell: why aren't mastercoin threads moved to the alt forum like other alt coins?
19:14 < sipa> if only it was an altcoin :)
19:16 < warren> wow. jdillon seems to have been completely pwned.
19:16 < warren> bitcointalk and GPG key cracked.
19:20 < Luke-Jr> sipa: it isn't?
19:48 < adam3us> nasty business eh - hacking people's emails
19:54 < warren> adam3us: seems he was totally pwned, far more than e-mail
19:54 < adam3us> warren: hope he didnt lose bitcoins
19:55 < warren> adam3us: given his GPG key was compromised, only way he wouldn't totally lose bitcoins would be offline wallets.
19:55 < adam3us> yes
19:56 < Luke-Jr> brain hacking?
19:56 < adam3us> warren: if he was a windows user (or even linux) he'd be nuts to keep btc on an online puter
19:56 < Luke-Jr> adam3us: why?
19:57 < Luke-Jr> you don't have a hot wallet?
19:59 < adam3us> Luke-Jr: armory offline i think is the way to go, it even worries me about the usb bad bios!
20:17 < warren> https://bitcointalk.org/index.php?topic=319465.msg3607494#msg3607494
20:17 < warren> this is a bit concerning
20:19 < Emcy> wuts btc-ethz
20:29 < maaku> Swiss Federal Institute of Technology
20:29 < maaku> http://whois.domaintools.com/129.132.230.0
20:30 < warren> https://bitcointalk.org/index.php?topic=319465.msg3607734#msg3607734 This isn't without problems, but I think this would help to protect the entire network.
20:30 < maaku> maybe sipa can kindly go tell them to stop?
20:30 < petertodd> adam3us: he lost some: https://blockchain.info/address/1BDSZMaUvrbTjWsSgLA4XqYUK4dDzxREEV
20:31 < petertodd> People have tried to use webbugs on bitcointalk and on the foundation forums lately in discussion related to coin taint; obviously some people are taking ugly actions.
20:33 < petertodd> that 5.11BTC was a private key that it looks like he sent to gmaxwell for the CoinJoin bounty :(
20:34 < warren> why did he give a private key instead of sending it the normal way?
20:35 < petertodd> warren: guess he wanted to make sure coin tracking wouldn't help?
20:36 < warren> coin tracking indeed didn't help in this case.
20:37 < maaku> warren: any link to details on how this happened?
20:37 < warren> maaku: no idea. just everything he has seems to be pwned.
20:37 < petertodd> maaku: we're not going to know unless he tells us, and with his PGP key compromised we're not going to know it's actually him :/
20:38 < warren> petertodd: I at least don't suspect you are jdillon anymore.
20:39 < petertodd> warren: gee, makes me feel so much better...
20:39 < warren> (sorry, bad joke)
20:39 < petertodd> heh, I know
20:40 < petertodd> seriously maybe one good thing to come out of this would be for people to take security more seriously, but, damn...
20:41 < maaku> until there is a trivial to use, secure by default setup that prevents these sorts of things, our work is not done
20:42 < petertodd> maaku: agreed
20:42 < warren> maaku: setup of what? his entire OS was owned
20:42 < petertodd> though I always got the impression that john was a very careful and clueful guy, which just shows how hard this all is
20:42 < maaku> warren: well, his keys could have been on a TPM or hardware wallet
20:43 < petertodd> maaku: if he was smart, he took gmaxwell's advice and was doing his browsing in an isolated VM
20:46 < warren> petertodd: webbugs, where?
20:50 < petertodd> warren: http://i.imgur.com/EnHNE4k.png
20:52 < warren> petertodd: hmm, I've received localbitcoins phishing e-mail recently
20:52 < warren> they went to (do not click) llocalbitcoins.com/accounts/login
20:53 < petertodd> sheesh
21:00 < Emcy> shame about jdillon
21:01 < Emcy> how do you bootstrap a new identity when you get pwnt that hard
21:02 < petertodd> yeah, I dunno, timestamp a key in advance is the only option. downside of pseudonyms
21:03 < Emcy> no one knows him irl
21:04 < petertodd> yup, early on he offered to meet me at the conference, and my advice to him was don't if he does want to keep his IRL identity separate
15:21 < jgarzik> (the identity version of "scale up Bitcoin to Visa/MC levels RIGHT NOW NOW NOW")
15:21 < jgarzik> "how dare you limit our identity block size"
15:21 < petertodd> absolutely, although at least the scaling limits are about bulk bandwidth, rather than the blockchain's race issue
15:21 < petertodd> and consensus can take longer
15:23 < jgarzik> For most identity users, I imagine the _personal_ volume of changes would be rather low. You create an identity, maybe have IC Inc. verify your real world id and provide an attestation, then the record sits unchanged for months or years.
15:24 < petertodd> Yeah, the PGP strong set is only 50k, and all the keys on the key servers are just a few GB worth.
15:24 < petertodd> 240 million domain names in total
15:28 < petertodd> re: creating blocks, but not revealing them until later, an interesting trap is that the naive way of doing that means that the worst case PoS is the sum of all unrevealed blocks
15:28 < petertodd> so part of the PoS should include what previous PoS it builds upon
15:29 < petertodd> though that can actually replace the namespace hash, so the in-btc-blockchain data doesn't increase
15:31 < jgarzik> interesting metric, total-PoS
15:31 < jgarzik> I still wish there was an efficient "burn money" standard bitcoin transaction, e.g. zero outputs.
15:32 < petertodd> yeah, because you want to be sure no unrevealed chain could supersede your k-v's
15:33 < petertodd> jgarzik: well, we need to do OP_RETURN <prev-pos-tx:n> <block hash> anyway, so zero outputs doesn't help directly
15:33 < jgarzik> true
15:33 < jgarzik> alas, either are non-standard (if not invalid, like zero output)
15:34 < petertodd> however an output that is guaranteed to be spendable only after n blocks would be perfect, right now all we have is the coinbase
15:34 * jgarzik ponders PoW + PoS
15:34 < petertodd> I'm really inclined to support OP_RETURN {anything you want} to be honest
15:34 < jgarzik> small PoW, mainly PoS
15:34 < petertodd> once pruning is implemented
15:35 < petertodd> I dunno, given that the PoS is denominated in Bitcoins, I'm unconvinced there really is much value, the Bitcoins can just as easily buy mining time
15:35 < jgarzik> petertodd, That's the current IRC rough-consensus proposal for shipping small bits of data, OP_RETURN output, one per transaction.
15:35 * jgarzik should make the requisite patch, just to have it ready
15:35 < petertodd> I know, but notice how we already came up with an example that absolutely needs two hashes to work?
15:35 < jgarzik> :)
15:36 < petertodd> and actually, in this case, what we really need is scriptPubKey <prev-pos-tx:n> <block hash> OP_TRUE, because that saves one useless output - it's a sacrifice anyway
15:36 < petertodd> (optionally, drop the OP_TRUE, but I like making the standard mandate it so it's less likely to be generated by mistake)
15:38 < petertodd> also, in general two hashes basically let you do an alternate UTXO set for your application, subject to different pruning rules, not unlike what we're doing now
15:39 < jgarzik> Choosing the amount of sacrifice is another annoyance. Starting out, might just pick an arbitrary value like 0.000075 ($0.01)
15:39 < jgarzik> Need to figure out a self-balancing metric
15:40 < jgarzik> Not too big to scare away users, not too small to enable spam
15:41 < petertodd> But, see this is the thing, unlike in Bitcoin provided you are willing to monitor the chain, you *can* do an adaptive sacrifice based on actual attacks.
15:41 < petertodd> Especially if you set a probationary period of n blocks before a given k-v setting (via the consensus) comes into effect
15:42 < petertodd> Basically pick how much time you think your counter-attack will take to implement.
15:43 < jgarzik> indeed
15:47 < petertodd> Oh, and come to think of it the k-v history proof isn't a problem after all: since every block hash is a merkle tree of the k-v set, that hash can simply include the hash of the mmrange accumulator tip, if the k-v isn't changed, just re-use the old value, if it is changed, provide the delta to prove why.
15:47 < petertodd> For the SPV node, provide the full history from the genesis of the key, and one step back to prove the key *didn't* exist prior, along with the appropriate history.
15:48 < petertodd> Now the rules for making a block are always that the delta must make sense, regardless of how small a change you make.
15:49 < petertodd> So finally, how does a SPV client make a change? They ask a full node for the correct merkle paths, and check that their k-v makes sense and leads to a long sacrifice chain.
15:49 < petertodd> *sacrifice dag
15:50 < petertodd> The sacrifice dag will be more bulky than a blockchain, but making that the minimum resource size is acceptable, especially with some manual checkpoints.
15:50 < petertodd> *than blockchain headers
15:50 < jgarzik> just don't want to depend on checkpoints ad infinitum
15:51 < petertodd> Indeed, a full node doesn't have to, and a SPV node that is willing to bootstrap from genesis doesn't have to either: they just need to ask for proof that the keys they are interested in *didn't* exist in the blocks going back to genesis.
15:52 < jgarzik> about to disappear for several hours saving this chat to a log ;p
15:53 < petertodd> So basically, I know that zero-trust full nodes are possible, and I think zero-trust SPV nodes are also possible, although I have to think some more about motivations.
15:53 < petertodd> Ha, same
15:53 * petertodd archives irclogs forever on amazon glacier...
15:53 < petertodd> lol, I'll timestamp this one for patent priority :P
15:53 < petertodd> dammit, why do I have to have a day job...
15:54 < jgarzik> bah :)
15:54 < jgarzik> evil patents
15:54 < petertodd> right, but see, this is a public forum, so all the priority can do is defend against a patent
15:55 * jgarzik should check out Glacier
15:55 < petertodd> $0.01/GB*month is amazing
15:55 < petertodd> I use it with git annex
15:55 < petertodd> a few hundred GB stored, and git annex can do encryption too
18:14 < gmaxwell> I guess we can all go home now: http://arxiv.org/pdf/1305.5976v1.pdf
18:16 < realazthat> oh I think I saw a video by that guy a while back
18:17 < realazthat> I remember the data structure
18:17 < realazthat> mmm get that onto the pvsnp page
18:20 < realazthat> mmm
18:20 < realazthat> gmaxwell: I actually have a hobby to try and run the algorithms from the pvsnp page
18:20 < realazthat> so wrt hamiltonian cycles, random testing doesn't cut it
18:21 < realazthat> but I have the infrastructure setup to go FACT=>SAT=>HAMCYCLE
18:21 < gmaxwell> somewhere on his blog he says that someone has a reduction from SAT to his MSP thing directly
18:21 < gmaxwell> and there is lots of stuff to reduce $randomthings to SAT.
18:21 < realazthat> yes
18:21 < realazthat> but plain random SAT isn't good either
18:21 < realazthat> it can be solved in polytime by well known algos with very high probability
18:22 < realazthat> FACT=>SAT makes for very useful benchmark
18:22 < realazthat> because if you can solve that ...
18:22 < realazthat> then you break RSA
18:22 < realazthat> mmm I'll look into it
18:22 < realazthat> maybe I'll implement it, and email the guy with a counter example :D
18:23 < realazthat> he seemed very sincere in the vid I watched a long time ago
18:23 < realazthat> so I sorta feel bad
18:24 < gmaxwell> realazthat: if you do happen to find that it solves RSA, I recommend factoring the RSA challenge 4kbit number, then making a gpg key out of it, and then posting to sci-crypt a signed message: "You should stop using RSA" and see if anyone notices. :P
18:25 < realazthat> haha
18:25 < realazthat> that would be the day
18:26 < realazthat> even if it would solve it, it would take forever
18:26 < realazthat> I think I saw O(n^5)s being thrown around
18:26 < realazthat> in that pdf
18:26 < realazthat> from experience, it's hard(er) to find counter examples to algorithms that run so long :D
23:50 < realazthat> omg I want that SCIP
23:50 < realazthat> so many possibilities
--- Log closed Thu May 30 00:00:47 2013
--- Log opened Thu May 30 00:00:47 2013
00:20 < Luke-Jr> if it works
01:05 < midnightmagic> so glorious, thank you for telling me about this place gmaxwell
01:06 * zooko revels in the glory
01:06 < Luke-Jr> lol
01:06 < zooko> Nice meeting you in person at Bitcoin2013, Luke-Jr.
01:06 < midnightmagic> zooko: they linked to http://arxiv.org/pdf/1305.5976v1.pdf in here, which is the first I saw of it.
01:06 < Luke-Jr> zooko: you too, though I have no idea who you were! :P
01:06 < midnightmagic> I'm busy scaring all my friends right now.
01:06 < Luke-Jr> midnightmagic: told you, you should have gone!
01:06 < midnightmagic> heh heh
01:07 < realazthat> midnightmagic: there is a whole list of proofs on the PvsNP page
01:07 < realazthat> (if you weren't aware)
01:07 < zooko> Luke-Jr: we spoke for about 10 seconds. I said I wanted to meet you because my friend amiller said he liked you.
01:07 < midnightmagic> realazthat: I was just about to look that up actually. I wasn't aware.
01:07 < zooko> Luke-Jr: you didn't really make eye contact with me.
01:07 * Luke-Jr wonders if he made eye contact with anyone O.o
01:08 < realazthat> midnightmagic: http://www.win.tue.nl/~gwoegi/P-versus-NP.htm
01:08 < realazthat> they tend not to ... pan out
01:10 < midnightmagic> realazthat: Indeed. My non-keeping-up first sanity check is that magic isn't happening yet.
01:11 < realazthat> mmm
01:11 < realazthat> I didn't read the paper
01:11 < midnightmagic> realazthat: Thanks for a link. I was combing through pvsnp on google.
01:11 < realazthat> but I did watch one of his vids from a long time ago
01:11 < realazthat> midnightmagic: it does leave some out actually
01:11 < realazthat> you can find more if you comb google
01:12 < realazthat> like this one
01:12 < realazthat> anyway I watched the vid from this guy a long time ago
23:36 <@gmaxwell> maaku: because the size of your hashed nodes is always >512 bits, you'll be invoking the compression function twice. There may be some advantage in ordering the data so that the extra data is in the second compression function invocation, in order to use midstate compression.. but I'm not sure, mostly I'm bringing it up to ask if you've already considered this.
--- Log closed Fri Dec 20 00:00:12 2013
--- Log opened Fri Dec 20 00:00:12 2013
00:29 < Emcy> merge avoidance needs a nifty name
00:31 < Emcy> offramp? something that lets you demerge from a general serial stream of traffic......
00:35 < Emcy> lol mergepurge.
00:36 <@gmaxwell> SPUI
00:37 < Emcy> wut
00:37 <@gmaxwell> google it
00:38 < Emcy> oh a spaghetti junction
00:38 < Emcy> i thought of that but didn't know what it was called
00:39 < Emcy> coinspui
00:39 < Emcy> coinspew? lol
00:42 < Emcy> i didn't know peter todd was involved with the darkwallet stuff
00:43 < Emcy> that best practices list seems reasonable so far
00:44 < BlueMatt> petertodd: btw, though bloom filters can be expensive if you're looking at the whole chain, they certainly aren't n^2...
00:46 < BlueMatt> (and though I agree other things are probably better than them, saying that wallets shouldn't rely on bloom filters now just introduces development overhead for something that's largely unnecessary currently)
01:06 < maaku> gmaxwell: whoops, correct extra should go after value
01:06 < maaku> that's why the branches come last - they are most likely to update
01:07 < maaku> so you could cache midstate, at least for the first few levels where it makes sense
01:09 < maaku> gmaxwell: varchar is length-prefixed, i should have defined that
03:08 < petertodd> BlueMatt: they're n^2 work summed over all users and all nodes is my point
03:08 < BlueMatt> no, they're not
03:08 < BlueMatt> as an SPV client downloading blocks, you only download blocks from some subset of your peers
03:09 < petertodd> BlueMatt: ok, you have n users, they make 1 transaction each, that results in blocks with n transactions, for each user to scan a block via bloom filters is thus n work per block, or n^2 work total
03:09 < petertodd> BlueMatt: doesn't matter how you divide it up among your peers
03:10 < petertodd> BlueMatt: it's not so bad if they're scanning a new block, because that's just memory IO bandwidth, but what's particularly bad about the design is that we use it for archival history too, and thus get n^2 IO bandwidth load too
03:11 < petertodd> BlueMatt: compare to prefix-filters which is roughly n*log(n) total work
03:11 < petertodd> BlueMatt: (for n users)
03:11 < BlueMatt> your definition of n is...varying. Realistically you have n users, they each download each block from 1 peer, each peer spends O(|tx|) per client, so O(|txn|*|peers|) sure, but calling that n^2 isn't quite right...
03:11 < petertodd> Again, I'm talking about work done by the system as a whole.
03:12 < petertodd> Consider the most efficient case where there's exactly one Bitcoin supernode out there...
03:12 < BlueMatt> yea, I'm not saying they're ideal
03:12 < BlueMatt> just that saying "nodes SHOULD NOT depend on bloom filters" seems very premature
03:13 < BlueMatt> (for non-archival nodes)
03:13 < petertodd> It's not really a "best practices that you should adopt right now", it's a "best practices that you *will* be adopting in the future as all the underlying tech gets developed"
03:13 < petertodd> e.g. practically everything it recommends doesn't exist yet
03:14 < petertodd> The whole point of the document is to guide development efforts so we make exist the most important stuff first; prefix-filters is in there because electrum already implements half of what's needed for them.
03:14 < BlueMatt> well if you're talking 10 years down the road a) don't think we can plan that far ahead, b) probably should say don't use bloom filters at all, not optional
03:15 < BlueMatt> really? nice
03:15 < BlueMatt> if you're talking entirely "down the road" you should probably say you cannot sync from the chain at all
03:15 < petertodd> I'm probably talking about 1 year down the road for everything in there depending on how much man-power proves to be available - note how nothing in there depends on soft-forks although takes the possibilities of them into account.
03:16 < petertodd> Right, which is why I also say that wallets shouldn't depend on the existence of UTXO-set prefix filters because TXO commitments looks to be the front-runner in that space right now.
10:52 < adam3us> petertodd: so how is TXO commitment better than UTXO-set prefix now? by TXO commitment you mean what? that the TXO is included in a merkle tree the root of which is mined; but a recipient needs to know the unspent state of that, which is what tries are being proposed for (which i expect you mean with UTXO-set prefix)
13:37 < maaku> adam3us: TXO commitment, minus the U, is petertodd's scheme for building an append/modify-only list of transaction outputs and spend status from genesis block to present
13:38 < maaku> which has the not insignificant disadvantage that you can't lookup spend status by txid
13:39 < maaku> the onus is on the holder of the coins to keep and maintain an unspentness proof which they *must* prefix to the transaction broadcast to spend
13:40 < maaku> petertodd: elaboration on the evil things that either txid-indexed validation trie, or scriptPubKey-indexed wallet trie makes possible would be appreciated
13:41 <@gmaxwell> maaku: the onus isn't on the holder of the coin exactly.
13:42 <@gmaxwell> Rather it's not necessarily on any _more_ than the holder of the coin.
13:42 <@gmaxwell> maaku: or perhaps I should say "holder of the coin is sufficient"
13:43 <@gmaxwell> I don't think anyone (except maybe pt?) think that all holders would do that themselves, I think they'd go get the utxo from archive nodes that kept the data.
13:54 < phantomcircuit> hmm
13:54 < phantomcircuit> theoretically you should be able to merge the bloomfilters for multiple peers
13:58 < maaku> gmaxwell: yes, which is why I don't really understand the objection. in either case you will be using an archival node (the use and maintenance of which can be paid for with explicit fees)
13:59 <@gmaxwell> maaku: because you're not forced to use an archival node, and every full verifying node isn't forced to be one (in order to verify the utxo updates)
14:01 <@gmaxwell> in any case, I wouldn't have posted PT's no stop message. Though I do think that some of the more recent thinking has made straight utxo commitments less shiny.
14:01 <@gmaxwell> As far as I'm concerned the verdict is out until someone sits down and really figures out exactly what the overheads would be for the proofs in the model.. or. um.. maybe actually writes some code for it.
14:02 < maaku> "and every full verifying node isn't forced to be one (in order to verify the utxo updates)" <-- this isn't required
14:02 < maaku> with updatable proofs
14:02 < petertodd> gmaxwell: remember that the archival nodes require much less data in my model - older data that's rarely needed can be dropped by everyone but a few specialized services
14:04 <@gmaxwell> maaku: What's the prefix compression part of the spec for then?
14:04 < petertodd> gmaxwell: whereas for utxo indexes that a new utxo can be inserted anywhere requires anyone who wants to keep up with the set and serve requests to store some fraction k of the whole set at best
14:06 < maaku> gmaxwell: to keep the serialization small, and level-compressed hashing variant is for other applications like document timestamping in the coinbase
14:06 < maaku> which don't require "rebasing" proofs
14:07 < petertodd> maaku: again, why does timestamping require anything more than a dumb tree? I mean, I've actually implemented this...
14:07 < maaku> petertodd: what type of tree?
14:07 < maaku> some applications require key uniqueness, which your tree structure has to provide compact proofs of
14:08 < petertodd> maaku: yes, timestamping is definitely not one of those. and strictly speaking, I only say tree for efficiency, opentimestamps handles arbitrary dags for a reason
14:08 < maaku> and the level-compression is a bonus for merged mining, where you don't want 128+ hashes to validate a pow
14:09 < petertodd> maaku: right, but direction-based proofs with randomized keys get you the exact same thing with far less complexity
14:10 < maaku> yuck. so what, every altchain picks a random value? or some central authority assigns them?
14:10 < maaku> that's the kind of thing the current merged mining code does that I want to avoid
14:11 < maaku> re: complexity, we're talking about a few dozen lines of code
14:11 < petertodd> heck, with per-block randomization like I suggested, every altchain could literally use their name and it'd work out fine
14:13 < maaku> to be clear, your path-based tree is the same underlying data structure as this
14:13 < maaku> i just have a fancier serialization
14:13 < maaku> (assuming you don't level compress, which I would suggest doing in this case)
14:15 < petertodd> yup, and with randomized keys there's no need to level compress
14:16 < petertodd> anyway, it'd help if I write up txo commitments properly for once :)
14:16 < petertodd> your BIP is a good model there
14:16 < maaku> yes, i was going to recommend that
14:17 < petertodd> I should raid unicode and draw up some nice looking mountain ranges with all the special characters!
14:17 < maaku> i'd like to reference TXO commitments in the followup BIP that discusses UTXO commitments
14:17 < petertodd> likewise
14:18 < petertodd> and I should also write up a description of how you'd do something like namecoin with utxo commitment indexes
14:19 < maaku> yeah i've got a whole solution for that worked out
14:19 < maaku> on the backburner though
14:19 < maaku> it's also stateless
14:19 < petertodd> you mean, solution to make namecoin work on the btc blockchain or block it? :P
00:43 < petertodd> It could be a week and people would still have an incentive to set nTime + 1 week - 1 second
00:44 < Luke-Jr> if nTime is future, wait until that time before relaying it? <.<
00:44 < gmaxwell> and once people did that, you'd want to start accepting blocks that were nTime + 1 week because god knows you don't want to reject a block if your clock was 2 seconds slow and most hashpower accepted it.
00:44 < petertodd> About the only thing that might change that is if the rule was nLockTime > nTime of last block, and then after that being allowed to include a tx was based on H(txhash, last hash) or similar
00:45 < petertodd> gmaxwell: exactly, the fundamental issue is there is no good incentive to set nTime accurately other than miners rejecting your blocks, and nLockTime sabotages that
00:45 < petertodd> gmaxwell: (timestamping could do, but the cause->effect is less obvious)
00:45 < Luke-Jr> I guess I just incentivized always setting nTime to the minimum then
00:45 < Luke-Jr> [04:32:26] <Luke-Jr> petertodd: will you be rebasing it despite its closed status? (block-uneconomic-utxo-creation)
00:46 < petertodd> Luke-Jr: again, relaying does nothing - consider the case of nLockTime'd fidelity bonds where it's guaranteed 100% of the hashing power know (why I wrote the spec as by-block-height in the first place)
00:46 < petertodd> Luke-Jr: sure
00:46 < Luke-Jr> petertodd: I mean delaying relaying the BLOCK
00:46 < Luke-Jr> ie, increasing the risk of it being stale
00:47 < petertodd> Luke-Jr: then you have your mining pool connect directly to other mining pools playing the same game
00:47 < petertodd> you have to assume perfect information knowledge in this stuff, at least if you're writing worst-case academic papers
00:48 < gmaxwell> petertodd: so ... prior block vs minimum time.
00:48 < petertodd> see, that's why I was talking about timestamping, because it provides a way for all users to set their clocks to what the majority of hashing power thinks nTime is, sidestepping the problem
00:48 < gmaxwell> petertodd: what are your arguments there?
00:48 < petertodd> gmaxwell: minimum time is definitely stronger because it involves more hashing power
00:49 < petertodd> gmaxwell: users would prefer minimum time - easier to understand why the tx isn't getting mined
00:49 < gmaxwell> sidestepping the problem < that doesn't sidestep the problem, it would allow the majority of hashpower to mine difficulty down to 1; also moots nlocktime as _time_ being more reliable than a height.
00:49 < gmaxwell> petertodd: plus, you can just add a constant offset to your nlocktime to adjust for the expected minimum lag.
00:51 < petertodd> gmaxwell: yes, it creates a new problem, but it did sidestep the existing one :P
00:51 < gmaxwell> petertodd: yea, lol, creates an inflation attack. Keep it up and you'll be qualified to create an altcoin. :P
00:52 < gmaxwell> (sorry, hah, I'm not poking fun at you, I'm poking fun at all the altcoins that "solved the Foo problem" where foo is something no one else thinks is a problem and they totally broke security as a side effect)
00:52 < petertodd> gmaxwell: yup, now you see how it only sidesteps the problem truly when there is enough hashing power setting their clocks back, IE 50% honest, which is better
00:53 < petertodd> gmaxwell: without the timestamping, nodes have the consensus failures, which can be attacked, likely it trades off one risk for a more existential risk
00:53 < petertodd> gmaxwell: and it's a good excuse for timestamping, lol
00:54 < gmaxwell> I think the min solves the consensus failure so long as hashpower is well distributed.
00:54 < petertodd> yeah, I'm thinking min is probably the best we can do
00:55 < petertodd> other than disabling nLockTime of course
00:55 < gmaxwell> only time based, height is still safe.
00:55 < petertodd> it'd be good if miners had a "fuzzy" window too, so if they get a block really close to the 2hr window, they'll deliberately try to orphan it, but such stuff can't be more than "it's in the codebase so hopefully people will be slightly economically irrational"
00:56 < petertodd> gmaxwell: of course
00:56 < petertodd> nLockHeight is ok :P
00:56 < gmaxwell> doesn't even have to be in the codebase, natural clock skew accomplishes that.
00:57 * Luke-Jr decides it makes sense to increase the accepted timespan on blocks for Eligius
00:57 < Luke-Jr> :p jk
00:57 < petertodd> hopefully... I suspect pools, and miners in general, are much more likely to be running Linux and thus will have ntp enabled
00:57 < gmaxwell> their time still gets randomized due to the goofy medianing stuff.
00:57 < petertodd> measured skew on my nodes, IE ntp vs GetAdjustedTime() is almost always under a second or two
00:57 < Luke-Jr> doesn't Windows enable NTP by default now?
00:57 < gmaxwell> which, btw we've _still_ never closed that vulnerability.
00:58 < petertodd> gmaxwell: Yeah, all this stuff gets even more interesting if you sybil even part of the network...
00:58 < gmaxwell> petertodd: GetAdjustedTime has been bad in the past but seems to be okay since I reset it like.. two years ago now.
00:59 < gmaxwell> I wonder how it got goofy in the first place... but stays pretty good since it was initially fixed.
00:59 < petertodd> In fact, adding pow-timestamping to the GetAdjustedTime measurement could have value.
00:59 < petertodd> gmaxwell: oh, so previously you were seeing much bigger skews?
01:00 < gmaxwell> petertodd: the vulnerability I was speaking of was that the maximum GetAdjustedTime skew could get a node and a miner producing blocks that the other will reject.
01:00 < gmaxwell> petertodd: yea, IIRC > 30 seconds.
01:00 < gmaxwell> Then I sybilled the network and reset it.
01:00 < gmaxwell> and it seems to have stayed reset.
01:00 < petertodd> wtf
01:01 < gmaxwell> may have just been some initial symmetry breaking when the network formed that made it get stuck offset.
01:01 < petertodd> Maybe we should randomize the GetAdjustedTime() calculation a bit to try to make sure symmetry is broken again naturally?
01:01 < petertodd> ...though I'd rather thoroughly understand how that happened first...
01:02 < gmaxwell> I mean, it's just applying a median operation to the peers' median operations. So if there ever was a wrong majority it would take over the network and then stick.
01:02 < petertodd> Makes sense
01:03 < gmaxwell> e.g. if you had a network of three nodes, then you add 4 more who all had times +30 seconds off.. the three would also jump to +30 and then so long as you never introduced a majority all at once again it would stick that way.
01:03 < petertodd> Then don't give our peers our adjustedtime, give them our localtime.
01:03 < gmaxwell> giving adjtime is good for consensus.
01:03 < gmaxwell> but not accuracy. :)
01:04 < gmaxwell> I suppose it could give adjtime + *error for some small
01:04 < petertodd> Yeah, and calculate what's needed to break the consensus.
01:04 < petertodd> semi-break it
01:04 < petertodd> Heh, my patch to add adjustedtime to getinfo was probably more useful than I thought...
01:05 < gmaxwell> e.g. if adjtime is higher than local, give adjtime-1. if the whole network gets ahead then everyone will be -1... and it will slide to that.
01:05 < petertodd> Ah, that'll work
01:07 < gmaxwell> I think 1 is actually sufficient. it doesn't matter if it adjusts slowly... 1 is both necessary and sufficient.
01:08 < petertodd> We should also make bitcoind use local time for block creation, not adjusted time.
01:08 < gmaxwell> I dunno about that.
01:09 < petertodd> It's a more true vote about what miners' clocks are set to.
01:09 < petertodd> And you can take the min of both in cases where clocks are ahead.
01:09 < petertodd> IE, if my local clock is ahead, don't create a block that the local adjustedtime consensus would reject.
01:10 < gmaxwell> alternatively, I'd offer that it should just stop mining if it's too far off.
01:10 < petertodd> That too, but people will be pissed at losing revenue...
01:10 < gmaxwell> yea, well, fix your clock. :P
01:10 < gmaxwell> too far could be
01:11 < petertodd> Using local, but sanity checking it against adjusted, has pretty much all the benefit minus the risk. (modulo adjusted < getmintime, but that can be the "stop mining" condition)
01:11 < gmaxwell> the key point is just making it so that a network attacker can't max-skew two nodes in opposite directions.
01:11 * Luke-Jr ponders if miners would be agreeable to randomizing their nTime within 90 minutes just to discourage timestamping abuse <.<
01:12 < gmaxwell> petertodd: I would be willing to bet a minority of hashing power is run on systems with NTP setup and working.
01:12 < petertodd> Sure, but having an accurate vote for time could be useful by letting you see if such max-skew is being attempted. (for non-miners)
01:12 < gmaxwell> I would also be willing to bet that a majority of that which is using ntp can have their time reset by compromising two hosts.
01:13 < petertodd> Luke-Jr: timestamping doesn't give a damn about +-hours - bitcoin is too inaccurate for that
01:13 < gmaxwell> petertodd: a 'vote for time' is worthless unless there is a strong incentive to be honest about it.
01:13 < petertodd> Yeah, ntp compromise is scary...
01:13 < Luke-Jr> :P
01:14 < petertodd> I'm not suggesting this to make timestamping applications more accurate, I'm simply suggesting this as a way for nodes to better know if the miner consensus is different than their local adjusted time.
01:14 < gmaxwell> petertodd: and more recent ntp software no longer does the 128 second stuff anymore, you could move chrony 10 years into the future with a majority of peers, IIRC (unless they've fixed that)
01:15 < petertodd> It's too bad the atmosphere is so thick: we could figure out local time by running memtest and analyzing the rises and falls as the earth blocks the radiation coming from the sun.
01:15 < petertodd> (then set the window to 1 week)
20:29 < gmaxwell> (and checks that it matches the chain)
20:30 < petertodd> Yeah, the checkpoint operator might make more sense, although it is a bit tricky as that means someone else could make the fees of your whole tx not apply unless you're careful. Maybe a non-issue though.
20:30 < gmaxwell> (which may really be the best way to go)
20:30 < petertodd> Though remember we want to encourage people to use checkpoints, so make them mandatory.
20:30 < gmaxwell> I mean, if they added it to your txn without you being able to know, a miner could take it out again.
20:31 < gmaxwell> petertodd: right putting them in the header makes that easier.. it's just part of the structure. Though pushing things onto the signature stack is useful.
20:31 < petertodd> Heh, which actually is ok in the case of someone taking your tx, and adding some inputs to it.
20:32 < petertodd> Heh, one crazy thing about all this, is it suggests maybe the entire block should be nothing more than a single transaction, with signatures signing that they want part of the block to exist basically.
20:32 < gmaxwell> also, I think it's moderately important that checkpoints be not prunable or at least separately prunable from the scriptsigs.
20:32 < gmaxwell> because I am imagining a future where the scriptsigs are eventually completely pruned and forgotten by everyone.
20:33 < petertodd> Hmm... though what's special then about the checkpoints vs other parts of the tx?
20:33 < gmaxwell> actually no never mind, the checkpoint isn't actually useful anymore without the scriptsig. it really could go into it.
20:33 < petertodd> Cool
20:34 < gmaxwell> just as a special operator which checks the checkpoint and if it's valid pushes it onto the sigstack (otherwise pushes 0 or something)
20:34 < petertodd> In this world, the checkpoint should be just <block id>, and at the same time we should add a merkle-mountain-range'd version of the block hash index to make proofs small.
20:34 < gmaxwell> if you want to make it mandatory, do so with an isstandard sort of rule.
20:35 < petertodd> Well, but why not just make a CTxIn include it as a hashed field?
20:35 < gmaxwell> petertodd: I actually think there should be a real (partial) block hash there so that you can validate the transaction statelessly.
20:35 < gmaxwell> E.g. "assuming the checkpoint is good, is this txn valid?"
20:35 < petertodd> Oh, sorry, by <block id> I mean <block hash>
20:35 < gmaxwell> ah okay.
20:36 < petertodd> And yeah, I'd say just put the whole hash in there and be done with it.
20:36 < gmaxwell> well if it's useless if you've pruned the signatures, then it should always be pruned with the signature.
20:37 < gmaxwell> likewise, that's how nlocktime should work.
20:37 < petertodd> Yup, hence put it in CTxIn(2)
20:37 < petertodd> Oh, that's an interesting point
20:37 < gmaxwell> 12345 PUSH_CHECKTIME. also some care needs to be required to prevent emulation.
20:37 < petertodd> emulation?
20:38 < gmaxwell> e.g. say I sign a list of only outputs 0xDEADBEEF,0xBEEFBEEF ... and then some wiseass removes the deadbeef output and replaces my signature with 0xDEADBEEF VERIFYPUSH CHECKSIG
20:38 < gmaxwell> e.g. every kind of insertion into the verify list needs a unique prefix that can't be emulated.
20:39 < gmaxwell> TXOUT|0xDEADBEEF,TXOUT|0xBEEFBEEF vs PUSH|0xDEADBEEF,TXOUT|0xBEEFBEEF
20:39 < petertodd> Ah right, yeah, I was gonna say you need to do HMAC(subtree-digest, magic) at various points in this tree.
20:40 < gmaxwell> I don't actually think there is any tree on the signature parts.
20:40 < petertodd> IE the scriptSig is still just a bunch of bytes?
20:40 < petertodd> Makes sense
20:40 < gmaxwell> Well I mean that the data it's signing is just a list of leaf hashes, not trees. If you make it a tree it makes the neighboring parts of the tree (outside of the masking) non-malleable.
20:41 < petertodd> Oh, right, I see what you mean.
20:41 < petertodd> The magics I was referring to were more to make sure proofs of merkle paths in the tree can't be faked.
20:41 < gmaxwell> so the scriptsig should be nlocktime PUSH_LOCKTIME blockcheckpoint PUSH_BLOCKCHECKPOINT txoutrlecode PUSH_TXOUT CHECKSIG
20:42 < petertodd> Ah ok, so we're pushing a bunch of validation values to a stack, and then a tree is made of that stack, and the signature is on the digest.
20:42 < gmaxwell> and the data signed is NLOCKTIME|nlocktime,CHECKPOINT|blockcheckpoint,TXOUT|0xDEADBEEF,TXOUT|0xBEEFBEEF
20:42 < petertodd> Right
20:43 < gmaxwell> yea, I don't even think you need to make a tree. I don't think it has any particular value to do anything but hash the stack. But maybe there is a reason.
20:43 < gmaxwell> and in particular if you don't want to hash say, the value of a txout you could choose to separate that stuff out.
20:44 < petertodd> Hmm... could come in handy to make fraud proofs smaller.
20:44 < petertodd> IE find the one part of the tx that was wrong, and prove just that.
20:44 < petertodd> Although I guess that doesn't actually work...
20:45 < gmaxwell> E.g. <1 btc> <tx_index> PUSH_CAPACITED_TXOUT which pushes <TXOUT_MAXBTC|H(scriptpubkey),1,max(1,value)>
20:46 < petertodd> makes sense
20:46 < gmaxwell> (or really, instead of txindex, it would be an RLE code that could match multiple ones)
20:46 < petertodd> Yup
20:46 < gmaxwell> (RLE meaning run-length encoding)
20:46 < gmaxwell> though I don't know how useful value masking is.. not sure what your goal was there.
20:47 < petertodd> One issue is it might be nicer from the point of view of merging tx's if what selects what part of the tx is "visible" to the scriptSig was not actually in the script, and not actually specific to a particular form of script.
20:47 < gmaxwell> well that's why I'm talking about making the entirety of the scriptsig largely separate.
20:48 < gmaxwell> I'd even suggest using as txid the transaction without the scriptsigs. The only problem I have there is that people could reorder the damn outputs still and then fixup the scripts to still validate. Which is something I want but not if it's used maliciously. :)
20:49 < petertodd> I guess my point is if I'm spending "weird ass txout", that means the scriptSig that satisfies that txout is also strange, and anyone who wants to merge their tx with my tx now has to understand what my tx is doing.
20:49 < gmaxwell> do they care so long as it passes validation?
20:50 < petertodd> Point is though all these indexes need to be changed in the merge process.
20:50 < petertodd> But what is index, and what is some other data, is specific to the scriptPubKey.
20:54 < petertodd> Oh, and a thought on backwards compatibility, re soft-fork: for every txin:txout, take the hash of the relevant part of the v2 transaction, and put it into the corresponding scriptSig or scriptPubKey. That'll always be spendable from the viewpoint of non-upgraded nodes.
20:55 < petertodd> You should be able to define a 1:1 transformation from new-style blocks to old-style blocks that way.
20:55 < petertodd> (obviously if it's spending a v1 tx, put an actual scriptSig in the right place)
20:56 < petertodd> Though from the point of view of not changing too much code in one go, it may be better to try to keep everything such that it fits in the existing transaction serialization.
21:05 < amiller> so, fuck it, we're going to have arbitrary recursive snarks
21:06 < amiller> the crypto theory for this stuff is so weird but it's plausible enough that no one might care
21:06 < amiller> the approach to theory seems to be like, we wanted a unicorn but unicorns don't exist, so instead we'll ask for a time machine
21:07 < petertodd> amiller: Why not a movie set?
21:07 < petertodd> amiller: Or CGI...
21:08 < amiller> i'm going to add snarks/pinocchio/tinyram to my ads language so that you can compress functions with snarks, in addition to compressing data with hashes
21:08 < amiller> everyone will like it and 'maybe' it's secure who knows/cares
21:10 < amiller> probably even will be practicalish, just would require implementing all the elliptic curve operations from scratch in c
21:32 < gmaxwell> amiller: well and the pairing operations too.
21:32 < gmaxwell> this is using tate pairing right?
21:32 < amiller> yeah
--- Log closed Fri Aug 30 00:00:28 2013
--- Log opened Fri Aug 30 00:00:28 2013
--- Day changed Fri Aug 30 2013
00:00 < gmaxwell> amiller: so what you're doing will break the signature of knowledge proof, right, because you won't know how to build an extractor?
00:02 < amiller> if i only use "standard" knowledge assumptions, then i can build an extractor but it might be exponential sized, which is vacuous
00:03 < gmaxwell> right if the extractor is exponential sized then it just tries all inputs. :P
00:04 < gmaxwell> amiller: having a weak proof of knowledge would kinda suck. well, there are lots of cases where weak security is okay...
00:05 < gmaxwell> I'm still annoyed about 3/4 of MPC papers using this "semi-honest" model, and not even all that obviously from their text.
00:05 < amiller> the thing is, these knowledge assumptions are on really shaky ground anyway
00:05 < amiller> they're "non falsifiable" assumptions
00:05 < amiller> they require "non black box" access to the adversary
00:06 < amiller> they are basically non-constructive reductions about obfuscation being hard
00:06 < gmaxwell> I know, right, if you have a prover who produces a valid proof, and you have full open access to his state, you can extract a witness with realistic work.
00:09 < amiller> so basically i think i should just use the recursive extractor and leave worrying about it to future work
00:09 < amiller> it's sound in any 'oracle' model
00:09 < amiller> it's more plausible that this is a problem with the knowledge definition than a problem with using snarks this way
00:10 < amiller> it's a weird situation
00:10 < amiller> it's not even clear what an "attack" on this knowledge assumption would be
00:10 < amiller> to do something without knowing it
22:02 < nsh> i think you could set up an adaptive cracking challenge via a set of clues running on daemons spread about the place such that the Nth clue is published encrypted with a puzzle of difficulty chosen on the basis of how quickly the N-1th puzzle was cracked
22:02 < gmaxwell> e.g. you could do this very simply, with all of us here.. but a year from now many of us may have moved on, gotten hit by buses, become pissed off at the group. And a bunch of new people would have arrived. Maybe N/2 is unfindable a year or two from now. or you just barely have N/2 still standing, and a few people decide to hold the group ransom.
22:03 < nsh> the general principle of "topping up" the multiparty pool seems a pretty useful one
22:04 < gmaxwell> and this isn't just wank, you could use something like this to enable p2pool to hold a balance. e.g. have a private key escrowed to the p2pool hashrate, and keep "topping up".
22:04 < nsh> but perhaps open to sneaky people who (being coerced to) fake absence until a threshold is reached
22:05 < nsh> it might be possible to modulate each share when topping up such that people who have dropped out are no longer able to partake in revealing
22:05 < gmaxwell> sure, well one thing about the SMPC approach to it is that you could totally redo everyone's shares. The original interpolation way I was thinking about this was vulnerable to people "leaving" in order to come back and get someone else's share.
22:05 < nsh> right
22:06 < gmaxwell> yea, you could achieve that at least under the SMPC case... where you have no risk of an incremental break as the shares are just unrelated. (e.g. you have an encrypted secret which is shared, and inside the smpc you reencrypt, so the shares are unrelated)
22:06 < nsh> right
22:07 < gmaxwell> I guess one problem is being at all confident that "there is anything in the box".
22:08 < gmaxwell> e.g. a bunch of jokers begin such a system with an encryption of nothing, but promising it is the key to great riches. And they all gradually leave, selling their share in the pot to other people.
22:08 < nsh> heh, sounds like religion
22:08 < nsh> :)
22:09 < gmaxwell> but I guess that too isn't bad in the SMPC model, since the SMPC could just produce a proof of knowledge (E.g. signature) as a side effect at every remix.
22:09 < gmaxwell> ohhh I found a problem.
22:09 < gmaxwell> An old majority could fork a past state.
22:09 < nsh> (there was a schoolboy prank where you'd get a bunch of people to stand at the corner of a tall problem and all point up and look excited. then wait for more people to arrive until it was sustained enough for the original pranksters to wander off)
22:09 < nsh> fork?
22:10 < nsh> s/problem/building/ # heh..
22:10 < gmaxwell> e.g. people leave the system until none of the original players are left. Then one day the original players meet up and go, "oh I wish we still controlled that key" ... "But wait! I saved my old share, if we all did!"
22:11 < nsh> ah, right
22:11 < gmaxwell> so that would bugger the timelock case where you can't usefully rotate the keys as topups happen.
22:11 < nsh> well, there's no way around that i can think of that doesn't require a T3rdP
22:12 < gmaxwell> but it wouldn't hurt the p2pool "keeps a balance" case, since the pool could just keep moving the funds. (e.g. the bitcoin network is the trusted third party)
22:12 < nsh> right
22:12 < nsh> i think ways of using the bitcoin network as a trusted third party will be a pretty big area of research in future
22:12 < gmaxwell> and tada, if we had scalable threshold signatures in bitcoin we wouldn't need anything else for the p2pool case.
22:13 < gmaxwell> you take your N p2pool hashers (selected by their shares in the p2pool sharechain), and you assign funds to them... then later a largely overlapping new N are selected, and they generate a new threshold key, and the old N move the funds to the new threshold key.
22:13 < nsh> (are there any threads/mailposts/notes on scalable threshold signatures?)
22:14 < gmaxwell> nsh: they're straightforward if you use schnorr instead of DSA, or so says adam3us, I've not personally implemented. At least the N of N case is obvious enough.
22:14 < gmaxwell> basically for the N of N you can just directly compose the public keys.. and to sign directly compose the signatures.
22:15 < nsh> mmm, right
22:15 < gmaxwell> The N of M works based on schnorr basically testing a linear relation, but I've not actually worked through how it works.
22:16 < gmaxwell> lack of scalable threshold signatures I think is a major shortcoming in bitcoin, probably the script limitation with the greatest impact on other protocols.
22:16 < nsh> hmmm
22:16 < gmaxwell> esp because other limitations you can generally work around by invoking multisig.
22:17 < gmaxwell> e.g. how coinswap makes any complicated protocol look like a multisig. :P
22:17 < nsh> assuming schnorr sigs allow for M-of-N, could you add the functionality via a new OP without changing out ECDSA completely?
22:17 < gmaxwell> correct.
22:17 < nsh> right
22:17 < nsh> we definitely need to have a script-extension playground
22:17 < gmaxwell> it's a little tricky to make it backwards compatible. you just can't add an OP_NEWCHECKSIG
22:17 < nsh> that would be very useful
22:18 < gmaxwell> e.g. it would need to be something like a P2SH style change.
22:18 < nsh> what does P2SH style mean?
22:19 < nsh> a generalization of payability?
22:19 < gmaxwell> the reason you can't just take one of the existing NO_OP opcodes and make it into an OP_NEWCHECKSIG is that I could write a transaction that did OP_NEWCHECKSIG OP_NOT OP_VERIFY.
22:19 < gmaxwell> e.g. this transaction is only valid if the new signature fails.
22:20 < nsh> hmm, and this shoots other places than your (transaction sender's) own foot?
22:20 < gmaxwell> what I mean by p2sh style is that the whole _new syntax_ script is completely hidden from old nodes, they just see a boring hashlocked transaction.
22:21 < nsh> oh, i see
22:21 < gmaxwell> nsh: yea, if OP_NEWCHECKSIG looks like OP_TRUE to old nodes, then I could author a transaction which new nodes would accept but old nodes would reject, and that forks the network.
22:21 < gmaxwell> but no biggie, just hide the whole new script from old nodes completely.
22:21 * nsh nods
22:22 < nsh> so it's as solved as backwards compatible P2SH, at least
22:22 < gmaxwell> though I don't know if any future script extensions are realistic at all. There are now several actually functional full node implementations, who's going to make those people implement any particular change?
22:24 < nsh> hmm
22:25 < nsh> there should be families of end-to-end functionality for which it doesn't matter if there exist nodes that are blind to the internals maybe
22:26 < nsh> it's not a problem for using P2SH if older nodes don't recognize them?
22:26 * nsh needs to read more about the proposals
22:32 < andytoshi> P2SH uses the same set of opcodes that have always been around
22:32 < andytoshi> older nodes might think they're nonstandard, but they'll just not relay them
22:34 < nsh> hmm
22:35 < gmaxwell> andytoshi: older nodes don't even _see_ the interior script opcodes.
22:35 < gmaxwell> They just see some binary data on the stack.
22:36 < nsh> what i meant was, if we can implement p2sh without unduly worrying about old nodes, shouldn't the same logic hold for implementing threshold sigs?
22:37 < gmaxwell> only if it were implemented in the same way.
22:37 < nsh> right, so only people who want the new functionality are required to run nodes implementing it
22:37 * nsh nods
22:37 < gmaxwell> no. ugh
22:37 < nsh> oh
22:37 < gmaxwell> none of these changes are secure unless at least a majority of hashpower enforces them.
22:37 < nsh> ah
22:38 < nsh> right, sorry.
22:38 < nsh> so the concern is that at some point changes to the reference client might not necessarily lead to 50(+whatever)% hashpower realization
22:39 < gmaxwell> the trickiness in deployment is that if it's not done carefully you can end up where the new feature creates a fatal forking bug even if 90% of the hashpower deploys. P2SH shows one way to do it safely.
22:39 < nsh> although there was some talk about disentangling validation from mining the other day...
22:39 < gmaxwell> nsh: I don't even know what you mean there, it's already quite disentangled.
22:39 < nsh> neither do i, never mind... :)
22:39 < gmaxwell> Most "miners" have never participated in validation. :(
22:40 < nsh> i can't remember exactly what was said such that i took that away from it. was probably not paying much attention
22:40 < gmaxwell> in any case, it's not just hashpower. let's say 80% of hashpower were to have deployed p2sh, but most full nodes don't.
22:41 < gmaxwell> that means that later some super majority of the miners might go "hey, lol, we could make a lot more if we rob all those suckers using p2sh and assign all their coins to us"
22:41 < gmaxwell> e.g. if ~everyone doesn't eventually deploy the new rule it leaves the mining incentives potentially out of whack.
22:42 < gmaxwell> a majority of hashpower is necessary for the new thing to be safe, but it's not really sufficient.
22:42 < nsh> hmmm
22:42 < nsh> i'd love it if some student made pretty diagrams illustrating all these things graphically for a thesis or something
--- Log closed Sun Dec 29 00:00:36 2013
--- Log opened Sun Dec 29 00:00:36 2013
00:45 < BlueMatt> is anyone working on the altcoin builder?
00:46 < BlueMatt> otherwise I'm gonna hack one together and at least provide bitcoind/bitcoin-qt (for a neat price)
00:46 < justanotheruser> BlueMatt: I think I read that some russian guy is
00:48 < andytoshi> hahaha go for it BlueMatt, it'd be awesome if someone on this channel was behind it
00:48 < andytoshi> we could just quietly slip experiments into other peoples' alts ;)
00:49 < BlueMatt> yea, plus I plan on charging for use of a fork based on anything past 0.8
00:08 < gmaxwell> basically, their fix makes a sufficiently large pool (e.g. btcguild) _always_ have an incentive to delay, even if they're not doing any fancy stunts with announcements of their delayed blocks.
00:08 < midnightmagic> gmaxwell: The fact that randomly switching to a second-heard block means half the hashrate switches to the new block and potentially erases the strength of growth of the longest chain?
00:08 < gmaxwell> (because you can announce late and half the honest miners (and yourself) will still mine on your blocks.
00:08 < gmaxwell> )
00:09 < midnightmagic> okay.
00:09 < petertodd> gmaxwell: yeah, interesting that they put that fix in their paper, and then on the list pointed out the other idea they had was a deterministic scheme
00:09 < petertodd> gmaxwell: I'll bet you the former was easier to analyze....
00:13 < midnightmagic> :-( may I trouble you to tell me which list? I'm on the bitcoin-development mailing list but I don't see any references to either Sirer or Eyal.
00:13 < midnightmagic> i guess that's either-or
00:13 < petertodd> midnightmagic: oh, I'll bet you they're stuck in a mod queue :(
00:13 < midnightmagic> doh
00:14 < midnightmagic> k, thanks.
00:14 < petertodd> midnightmagic: I can forward them to you, email?
00:14 < midnightmagic> sure. thetanix@gmail.com
00:16 < petertodd> sent
00:16 < midnightmagic> cool
00:22 < midnightmagic> wouldn't random-switch decrease overall blockchain growth rate the moment anyone began late-broadcasting?
00:23 < midnightmagic> and so.. yeah everyone would instantly switch to late-broadcasting, which kills it further
00:25 < midnightmagic> what happens when 4 or 7 blocks are late-broadcast?
00:25 < gmaxwell> you start getting big reorgs.
00:38 < petertodd> midnightmagic: you don't need to broadcast more than a single block at a time late
00:38 < petertodd> midnightmagic: in fact, you're better off only revealing your lead the minimum amount possible at a time, which will almost always be a single block
00:41 < petertodd> midnightmagic: oh nvm, I missed the "everyone" part of what you're saying...
00:42 < gmaxwell> most departures from earliest best win are hard to analyze for convergence properties when you have multiple parties. :(
01:37 < pigeons> invite artforz, i mean jdillon
04:46 < pigeons> jeesh reporter, did the paper even claim things like "Bitcoin Protocol Vulnerability Could Lead To a Collapse"
04:50 < gmaxwell> pigeons: go look at the authors' blog post thing, it made a bunch of over the top claims.
04:59 < pigeons> wow yeah they make good blog authors
05:01 < pigeons> well most people seem to agree mining needs to decentralize more, and yet the trend hasn't reversed yet. maybe scary headlines will work
05:02 < gmaxwell> no, because it's just being understood as "wrong"
05:02 < gmaxwell> It's hard to sell a nuanced message like "not wrong, but also not very urgent or um. doomful, and with limitations"
05:03 < pigeons> yeah
05:03 < sipa> "Some unknown combination of circumstances may be less safe than previously assumed, which may or may not apply to reality."
05:52 < TD> well
05:52 < TD> the good news is that some journalists do use the press center.
05:53 < TD> i was explaining all this to a guy from new scientist last night
10:56 < phantomcircuit> warren, man why are the centos people so annoying
10:56 < phantomcircuit> "hey guys i need python with hashlib and MySQLdb"
10:56 < phantomcircuit> "HAHAH UR GAY NOOB"
12:59 < K1773R> phantomcircuit: because they use centos ;)
13:40 < BlueMatt> amiller: thanks again for the network map/desktop background ( :) ), any luck figuring out what the patterns were?
13:41 < amiller> hah! no, not yet, the kid working on it disappeared
13:41 < amiller> he must have learned too much
14:16 < BlueMatt> amiller: heh, damn grad students
15:31 < gmaxwell> amiller: that connectivity graph looks concerning to me, but perhaps it's an artifact of the visualization process.
15:31 < amiller> what about it?
15:32 < gmaxwell> amiller: can you generate some stats like the distribution of path lengths between nodes?
15:32 < amiller> uh... diameter 8
15:32 < amiller> i have a degree distribution chart somewhere
15:32 < amiller> there are any number of ways in which our analysis can have errors/omissions and the clustering is just some default toy that came with our graph program gephiz
15:32 < gmaxwell> Yea, degree distribution and you have connectivity so you should be able to make a chart of shortest path distances.
15:33 < gmaxwell> Yea, I know your analysis has limits.
15:33 < amiller> what trends are concerning?
15:33 < amiller> (those would help us figure out what to ask, which we don't really have the best ideas for)
15:33 < gmaxwell> If there are discrepancies in the degree/pathlength distribution compared to what we'd expect for how we think it should be wired I'd like to figure out if that's just your measurement method or if something is wrong.
15:34 < amiller> mainly we'd like to try to identify by name/purpose the handful of extra high degree nodes, and understand the group of orange slightly-higher-than-average nodes that also seem mostly connected to each other
15:34 < amiller> here's degree distribution, we don't have shortest path length though but we should http://apps01.mywebapps.net/ajp/bc/degree.pdf
15:34 < gmaxwell> amiller: I think the graph seems to be showing a higher amount of sparsely connected clustering than I expected.
15:35 < gmaxwell> also min-cut stats might be interesting.
15:36 < amiller> we have a lot of 1-connected nodes which i think is most likely a problem of us omitting things
15:37 < amiller> it kind of relies on us just connecting to everyone we can, and we can only connect to like half the public nodes because other nodes are saturated already
15:37 < amiller> and we don't particularly try very hard/long
15:46 < adam3us1> so with this selfish-pool attack - did anyone figure out if they are taking into account that with the selfish-pool reactively racing the honest miners, the miner or mining pool they are reacting to will not be convinced
15:49 < phantomcircuit> gmaxwell, the graph is certainly incomplete, indeed i believe it's impossible to come up with a complete network graph without all the remotely connectable peers cooperating
15:51 < gmaxwell> phantomcircuit: sure, since you can't even connect to a lot of nodes.
15:51 < phantomcircuit> gmaxwell, right and you can't know who is connected to peers you can connect to
15:51 < gmaxwell> adam3us1: yea, would be interesting to see their simulation code.. "you can never beat a block in a race to reach the announcer."
15:52 < phantomcircuit> so basically the graph ends up being a graph of connections to your listening nodes
15:52 < gmaxwell> phantomcircuit: you can, that's amiller's magic.
15:52 < phantomcircuit> how?
15:53 < gmaxwell> phantomcircuit: by taking advantage of double spend mutual exclusion. :)
15:53 < phantomcircuit> oh
15:53 < adam3us1> by which I mean say btc guild (30%) http://blockchain.info/pools used the selfish-pool algorithm, it is likely it will compete against ghash.io (20%) eligius (15%) etc as 82% of the network is pooled (possibly more) and so 52% is not controlled by btc guild
15:53 < phantomcircuit> interesting
15:53 < gmaxwell> phantomcircuit: it's a cute idea, one which we should eventually build some countermeasures for. We kinda have some already.
15:54 < gmaxwell> amiller: you know that nodes don't immediately relay to all their peers, right?
15:54 < phantomcircuit> adam3us1, the orphan rate they calculated is lower than it would actually be due to there being large pools
15:54 < gmaxwell> we could probably make that more aggressive.
15:54 < amiller> how don't they gmaxwell ?
15:54 < phantomcircuit> ironically large pools make the economics of their attack worse
15:55 < phantomcircuit> amiller, trickle
15:55 < amiller> trickly in terms of letting the thread wake up
15:55 < amiller> but no substantial delay
15:55 < adam3us1> phantomcircuit: right, that's my point
15:55 < phantomcircuit> adam3us1, they did not even try to take that into account
15:55 < gmaxwell> amiller: the trickle sends some right away, some when the queue fills up.
15:56 < phantomcircuit> amiller, see SendMessages
15:56 < gmaxwell> amiller: I assume to close your probing we'll eventually make that more powerful, I've wanted to do that anyways.
15:57 < amiller> more powerful meaning more trickly or transmit faster?
15:57 < gmaxwell> amiller: more trickly
16:00 < amiller> our technique really doesn't rely on precise timing so i don't think that would help
16:02 < gmaxwell> amiller: it's not about timing, it's that you can't tell a link exists if the transaction never traverses it.
16:02 < amiller> ok i thought i understood how trickle worked but i might be getting it wrong
16:03 < amiller> i thought trickle just sends them all out over a short period of time, with 25% probability each time it passes over the queue
16:05 < gmaxwell> amiller: no, it's basically 25% upfront, and then otherwise it only gets sent when a queue fills up, and only if it hasn't learned the transaction from the peer already. But the effect is that e.g. if node C is connected to both A and B you might not be able to observe the B<>C link because B->C trickles and so C shows up via the A exclusion. I think right now it won't stop you, but if made more powerful it might.
16:06 < amiller> interesting.
16:06 < gmaxwell> (the trickle is partially a bandwidth optimization today, it reduces the amount of INVs crossing in flight)
16:07 < gmaxwell> e.g. no point in A->B _and_ B->A
16:07 < amiller> the main observation we have made is that any obvious attempt at keeping node connections hidden leads to some kind of dos compromise
16:08 < gmaxwell> I think that's generally true but may not be meaningful. E.g. I could connect my node only to committers to bitcoin-qt. There is a "dos compromise" (they could all conspire to isolate me) but it's not a meaningful one.
20:21 < petertodd> gmaxwell: and yeah, an inconsistent hardforking glitch is a consideration
20:22 < petertodd> Luke-Jr: correct, and you'd only sanely do that if its place in the chain was very recent
20:23 < gavinandresen> right, I mean relay-all-blocks-at-current-best-block-height-that-I-think-are-valid
20:23 < gavinandresen> Having nodes only relay blocks that they are mining on top if might, indeed, be the best policy
20:24 < gavinandresen> ^on top of^
20:24 < petertodd> gavinandresen: which is the current policy...
20:25 < Luke-Jr> petertodd: if so, only recently?
20:25 < Luke-Jr> IIRC there was a fingerprinting bug that allowed you to fetch old stale blocks
20:25 < gavinandresen> Right, but we could change the "what should I do if I get another block at current best height" policy different-- could be switch to it, and relay it....
20:25 < petertodd> Luke-Jr: if you relay non-recent, at some point it makes some types of DoS attacks possible
20:25 < Luke-Jr> petertodd: no, I mean until recently, we *did* relay old stale blocks
20:26 < gavinandresen> we wouldn't relay them, but we would serve them up
20:26 < petertodd> Luke-Jr: not relay, we'd give the data for them if asked
20:27 < petertodd> gavinandresen: note that from a technical point of view checking that the second one is actually valid kinda sucks - easier to ignore the txin validity and just relay
20:27 < Luke-Jr> hmm, I need to rebuild #bitcoin-watch's bitcoind branch
20:27 < Luke-Jr> it keeps crashing
20:28 < Luke-Jr> I wonder if it would make sense as a block-preference policy, to use "has all the same outputs as the current bestblock, but fewer transactions"------ selfanswer: no, since coinjoin changes txid
20:28 < Luke-Jr> too bad txids/outputs aren't referred to by hash of scriptPubKey
20:28 < petertodd> Luke-Jr: rational miner policy in some cases is to prefer blocks with the fewest transactions
20:29 < petertodd> Luke-Jr: or, to be exact, smallest fees
20:29 < gavinandresen> petertodd: meta-rational policy is to prefer larger blocks
20:29 < Luke-Jr> rational policy IMO is to prefer the first one you saw :p
20:29 < petertodd> gavinandresen: meta-rational policy to hold hands and sing songs about world peace
20:29 < Luke-Jr> because it means whoever broadcast it might have better peering than the later-seen one
20:30 < gavinandresen> and if you discourage blocks that are "too small" then you can FORCE minority assholes to do the right thing
20:30 < Luke-Jr> and you don't want to get in a stale-block-war with him
20:30 < gavinandresen> (well, incentivize....)
20:30 < Luke-Jr> gavinandresen: the smaller blocks are probably better than the bigger ones!
20:30 < petertodd> gavinandresen: there's already that incentive because you don't want 100% propagation
20:30 < gavinandresen> Luke-Jr: better how?
20:30 < petertodd> Luke-Jr: heh, the small blocks are less spam of course :P
20:30 < Luke-Jr> gavinandresen: likely to have better spam filters, and not full of spam
20:31 < petertodd> Luke-Jr: given we somehow are meta-rational about resource use...
20:31 < petertodd> *don't want 100% propagation in the cases where wanting small blocks applies
20:31 < gavinandresen> Luke-Jr: okey dokey. That's why I say "too small" -- that can be a miner policy preference, too small versus too big. "this one is Just Right."
20:31 < Luke-Jr> gavinandresen: also, if you ever prefer larger blocks, you incentivize the miner to make spam if there isn't any left
20:31 < petertodd> Luke-Jr: indeed
20:31 < gavinandresen> sigh. okay, fine, "includes the right number of transactions that are/were in the mempool"
20:32 < Luke-Jr> gavinandresen: then you punish miners with superior spam filters than whatever-the-relay-nodes-run
20:32 < Luke-Jr> and/or incentivise spam-filling miners to broadcast the spam
20:32 < gavinandresen> who is "you" ? This would be general-consensus-of-the-network
20:32 < petertodd> There's also the strategy that if you know another block has been created, only mine much smaller blocks until you verify it - but that's only really applicable if mining has forced verification...
20:33 < Luke-Jr> gavinandresen: if it's hardcoded in mainline code, there is no consensus-of-the-network, just core developer fiat
20:33 < gavinandresen> I would give miners the knobs to decide whatever policy they liked, and have them figure it out based on their best judgement.
20:33 < petertodd> gavinandresen: why does the network matter? pools can and should connect to each other directly in most models
20:33 < Luke-Jr> I like knobs.
20:34 < petertodd> In which case, if we're going to talk about rational strategy for non-mining nodes, we're back to "do good for our clients", and they'd like to know if an orphan exists that might suddenly unconfirm a transaction they thought was confirmed...
20:34 < Luke-Jr> ^ best reason yet to relay stale blocks imo
20:35 < Luke-Jr> in fact, I think it outweighs all the costs
20:35 < gavinandresen> petertodd: sure, pools will directly connect to each other. I assume pools will listen to their users about what their block creation policy should be, and if the policy is way out of whack for what the users want (e.g. their users cannot transfer their payouts to Mt.Gox because transaction fees are too high) then they will lose hash power.....
20:35 < petertodd> Luke-Jr: there's strong incentives to do it too once merchants get sophisticated software
20:35 < Luke-Jr> *maybe* it even makes sense to relay *invalid* blocks that meet the POW requirement, for that reason
20:35 < petertodd> gavinandresen: users of pools != users of bitcoin
20:36 < petertodd> Luke-Jr: yeah, and technically relaying regardless of validity is way easier to implement
20:36 < gmaxwell> who the heck knows anything anymore, see ghash.io/cex.io 0_o
20:36 < Luke-Jr> petertodd: point is, users of pools have the influence here
20:36 < gavinandresen> petertodd: really? There are still pools that pay out using PayPal instead of bitcoin?
20:36 < Luke-Jr> gavinandresen: yes
20:36 < petertodd> Luke-Jr: yes, but how? that's a hard question
20:36 < Luke-Jr> I think Eclipse does still
20:36 < petertodd> gavinandresen: huh? that's what I said
20:38 < gmaxwell> relaying invalid blocks is just irrational though, not only does it use your resources, it helps the network achieve a different consensus from you. At best it's probably not usually harmful. If it were limited to valid that would be less concerning to me, but it's still helping the network achieve a different state than your current node, but at least one your node would find acceptable.
20:38 < petertodd> gmaxwell: look at it from a merchant's perspective: relaying invalid blocks tells them something useful: an invalid block was created.
20:39 < petertodd> gmaxwell: That could mean "I should trigger safeguards because something went wrong."
20:39 < Luke-Jr> gmaxwell: but it might help you spend your money easier
20:39 < Luke-Jr> since merchants will know if someone is trying to build a different consensus of almost any sort
20:39 < gmaxwell> petertodd: Other people doing it helps them in that case, but it's not personally rational.
20:40 < Luke-Jr> they can then afford to accept 1 block deep confirmation
20:40 < gavinandresen> Relaying invalid blocks seems like angels-dancing-on-the-head-of-a-pin, there should be approximately zero invalid blocks created
20:40 < gmaxwell> (except in the good for everyone sense, perhaps, but relaying invalid blocks is also not good for everyone, I dunno if on the balance it's helpful, just relaying competing headers is just as good for knowing bad things are happening, I think)
20:40 < Luke-Jr> gmaxwell: if you're the only one selfishly relaying blocks, it won't matter
20:40 < petertodd> gmaxwell: In the spherical cow model you would relay anything at all and have infinite bandwidth - relaying the fact that someone threw away $12,500 due to a bug is worth knowing.
20:41 < Luke-Jr> gavinandresen: but if there are, we want people to know about it
20:41 < gavinandresen> meh. Throwing away $12K will be a self-correcting problem
20:41 < gavinandresen> (and QUICKLY self-correcting)
20:41 < petertodd> gavinandresen: eventually, in the meantime it means you probably don't want to accept zeroconf at the very least
20:41 < Luke-Jr> gavinandresen: it might not be thrown away in some case
20:41 < gmaxwell> gavinandresen: except when they are. E.g. if not for the fact that two directly connected pools with >>50% hashpower were running 0.8 the <0.8/0.8 fork would have self-cured due to nodes not relaying it.
20:42 < gavinandresen> hmm? relaying double-spent transactions is a good idea.
20:42 < petertodd> Besides, implementing relaying based on valid PoW and nothing else is way easier to implement and still DoS resistant.
20:42 < gavinandresen> that's completely separate from invalid blocks
20:42 < gmaxwell> and instead we got a rather large reorg out of that.
20:42 < Luke-Jr> gavinandresen: so pull the transactions out of the blocks?
20:42 < Luke-Jr> at least the blocks have a proof-of-work - hard to DoS with that
20:43 < Luke-Jr> mere transaction double-spend notification is riskier IMO
20:43 < petertodd> gmaxwell: pools connecting directly to each other is just going to become more, not less, of a thing in the future
20:43 < Luke-Jr> (although possibly still necessary)
20:43 < petertodd> Luke-Jr: yeah, relaying headers is even easier to defend
20:43 < gavinandresen> Luke-Jr: sure, if they're valid and haven't already been relayed, you could pull them out of the block. There's going to be a very strong incentive not to put non-relayed transactions in your block, though
20:43 < Luke-Jr> petertodd: if both blocks have your transaction, you care a bit less ;)
20:43 < gavinandresen> (because it'll increase your orphan cost by quite a bit)
20:43 < gmaxwell> petertodd: none of this changes the fact that relaying a block you don't personally like is not something that helps you.
14:45 < amiller> bitcoin mining competes directly for the same market as satoshi dice imo, and bitcoin's reward system is suboptimally designed by not having smaller scratchoff contests (but pooled mining makes up for that a bit) or larger prizes for that matter
14:46 < gmaxwell> amiller: with pooling you can get whatever variance tradeoff you want though, up to the pool size.. and it's easy to have smaller variance when someone wants to buy pure variance.
14:46 < gmaxwell> No one wants to buy my eligius shelved shares.
14:46 < jgarzik> heh
14:46 < jgarzik> that would be a neat market
14:46 < gmaxwell> amiller: and yes, I've told people to mine instead of play a gambling game.
14:46 < gmaxwell> amiller: but they don't seem to believe it, I cannot explain why.
14:46 < jgarzik> gmaxwell, I guarantee you would sell them, if there was an automated interface for trading them 14:46 < amiller> that's interesting, it's straightforward to use pooling to make a smaller variance lotto out of a larger variance one 14:47 < amiller> it's less obvious that you can make a higher variance pool 14:47 < jgarzik> gmaxwell, it's like bad debt resale. just need to proper mechanism for price discovery -- and I think bitcoin makes that pretty easy. 14:47 < gmaxwell> jgarzik: yea, thats probably the missing piece. Luke and wiz aren't eager to do that because they don't want share reassignment to be a hacking target. 14:47 < jgarzik> selling digital property is, like, ya know, a forte. :) 14:48 < gmaxwell> amiller: it's really eager to make any sort of tradeoff you want, though some tradeoffs require counterparties willing to take the opposite side of the bet. 14:48 < jgarzik> $idea: offload it. transfer all shelved shares to an agent, who holds shelved shares or transfers them depending on signed message. the agent enables trading further, or handles shelved share payouts. 14:49 < gmaxwell> amiller: e.g. you can get ~zero variance mining from me, right now. Send me your hashpower, I'll extract a cut and just pay you for diff 1 shares exactly what their ev is. :P 14:50 < gmaxwell> jgarzik: yep, I think wizkid himself suggested a one time transfer to a market when we discussed this (uh, in the eligius development channel about two months ago) 14:50 < amiller> gmaxwell, it's easy to make an unenforceable contract like that 14:51 < amiller> gmaxwell, essentially you can't absorb all that risk unless you have deep enough pockets 14:51 < amiller> if you go bankrupt i get nothing 14:51 < gmaxwell> amiller: yes, but I pay you frequently. 14:51 < amiller> well again it's easier in the lowering-variance directoin 14:51 < gmaxwell> There are _tons_ of PPS pools, and some have fees low enough that they are mathmatically sure to go bankrupt eventually. 
Yet people mine one them in large numbers. 14:51 < amiller> but you could make the same contract with higher variance 14:51 < amiller> that's what satoshidice does basically right 14:52 < amiller> you could have a dozen people win the 64k prize 14:52 < amiller> and obviously they cannot pay out 14:52 < gmaxwell> who knows about SD, after it was "sold" its traffic dropped off ~99%. I don't know that its too useful to generalize anything from it 14:52 < jgarzik> Just-Dice is freakin' awesome. Not because they killed spam by off-blockchain betting, but because of an interesting innovation: insta-investing 14:53 < jgarzik> You can become an investor, or withdraw your investment, at any time. I predict that becomes a trend. 14:53 < amiller> i'm just saying abstractly, unless it has a big amount of money in escrow, you could get 'lucky' but it wouldn't be able to pay out 14:54 < jgarzik> also RE SD: blockchain.info's TX stream sure does show a lot of BetCoin transactions, sometimes more in a time period than SD 15:03 < gmaxwell> amiller: yes, for a higher variance you'd want the party providing it to be able to show they have the funds to back it. 15:11 < Luke-Jr> jgarzik: nice, but any idea what the US laws about investing in it are? 15:12 < jgarzik> Luke-Jr, if eligius just sells it, responsibility is transferred, I would think 15:12 < Luke-Jr> jgarzik: huh? 15:12 < Luke-Jr> I was talking about the investing in Just-Dice thing 15:12 < jgarzik> Luke-Jr, oh 15:12 < gmaxwell> luke was asking about the gambling site, jeff was answering about selling shelved shares. 15:13 < jgarzik> indeed 15:13 < Luke-Jr> oh 15:13 < jgarzik> Luke-Jr, most securities laws do not seem to punish investors for investing in [possibly illegal or fraudulent] securities, IIUC 15:14 < jgarzik> they mostly aim to punish issuers 15:14 < jgarzik> I would think being an investor is OK 15:14 < jgarzik> but dooglus should have his T's crossed, and I's dotted. 
15:14 < maaku> jgarzik: well, ok until your investment goes south 15:14 < jgarzik> maaku, so? 15:14 < jgarzik> maaku, SEC will not prosecute you for that. 15:14 < Luke-Jr> maaku: meh, bad investment is distinct from going to jail for investing 15:16 < jgarzik> Luke-Jr, if you scroll up, some of the earlier discussion was about creating a market for shelved shares. Enable people to sell them -- which automatically creates a market 15:16 < jgarzik> there is -some- value in there, just like selling bad debt 15:16 < Luke-Jr> jgarzik: possibly - but there's a lot of complexity to it as well :/ 15:17 < jgarzik> and people might appreciate an opportunity to get paid $now 15:18 < gmaxwell> it would make eligius a true pps pool (at some price determined by the market) 15:19 < gmaxwell> it would also enable people to "gamble" in a way that is less objectively unfair basically just making bets on eligius' future luck but at market rates instead of against the house. 15:19 < gmaxwell> it would also encourage people to help improve eligius, since the bigger and better eligius is, the greater the odds of big luck in the future. 15:20 < gmaxwell> but shelved shares are a weird asset. I dunno how you run a market for them. 15:20 < jgarzik> IMO the main complexity is what to do with existing shelved shares, RE property ownership 15:21 < gmaxwell> jgarzik: I think some signmessage thing to assign all your addresses current and future shelved shares to address X (which would be controlled by the exchange in an exchange case) solves that. 15:22 < jgarzik> an interesting case is that each share is more valuable, the closer to the top it is 15:22 < jgarzik> maybe run a Dutch auction weekly, for shelved shares 15:22 < gmaxwell> right, valuing them is tricky, but this means that you need to actually know the index of each of them. 15:23 < jgarzik> need to package them in blocks of X shares, for sanity's sake 15:25 < gmaxwell> I don't know how bad debt is normalized and sold. 
I assume it would be similar. 15:37 < jgarzik> It's ranked according to various generally agreed factors, which hopefully sum up to a value that predicts how likely the debt will be repaid: debt lifetime, time since last payment, credit score of holder, ... 15:37 < jgarzik> after rank, debts are grouped together and sold in packages 15:38 < jgarzik> occasionally you will have a company just want to dump everything, and bad debt investors must pick through the garbage themselves, but usually things are a bit sorted 15:38 < jgarzik> for shelved shares, probably sell in blocks of 50,000 shares or whatnot, each indicating an index or timestamp or some other ordering position in eligius payment queue 15:39 < jgarzik> on the eligius side, I guess the main thing would be reassigning shares to new owners 15:42 < gmaxwell> amiller: did you see the link I gave peter todd above for the aggregate signature stuff. It would have some interesting implications for relay incentives. 15:42 < gmaxwell> amiller: as it would allow relayers to take transaction fees. 16:18 < K1773R> Luke-Jr: did was your pull request "child pays for parent" rejected? 16:18 < K1773R> s/did // 16:22 < gmaxwell> K1773R: you should probably be asking about this in #bitcoin-dev ... sounds like bitcoin development discussion! 16:28 < K1773R> gmaxwell: uh yea, clicked a bit below #bitcoin-dev :P 16:35 < amiller> i like this paper. 16:35 < amiller> hm 16:35 < amiller> it's the first one that treats the ledger/utxo properly imo but that's not a big point 16:36 < amiller> still don't grok the actual idea yet though 16:36 < gmaxwell> the OWAS signatures? 16:37 < gmaxwell> It's really pretty simple. the signing scheme has a Genkey() Sign() Verify() Aggregate() Aggregate takes two signatures (or prior aggregates) and does a one way composition. So at the end you have a set of {public keys} {messages} and one signature and you don't know which key signed for which message. 
16:38 < gmaxwell> they propose adding it to bitcoin by having a new output type that pays to an OWAS public key. When you spend from it you reference it by blockhash : public key the reason it has to be this way is if a public key gets reused in different blocks you need to know which one you're spending. 16:40 < amiller> i think it's like incremental coinjoin 16:40 < amiller> coinjoin works but all the outputs have to be constructed before anyone signs the tx 16:40 < amiller> here you can make your signature 16:40 < amiller> then give it to someone else in a coinjoin channel and they can add their signature and now it's unlinkable as long as they forget about it 16:41 < gmaxwell> It has a number of conseqneuces.. e.g. you can make the outputs sum to less than the inputs.. and then someone on the relay path can add an output with more value than the inputs to claim that value. 16:42 < gmaxwell> amiller: yea, it's a one-way incremental coinjoin. 16:43 < gmaxwell> It also has an anti-censorship property. If a miner recieves an aggregate signature and there are some blacklisted coins, his option is to ignore the whole aggregate (and hope that he gets resent the partials before some else mines it) or take it anyways. 16:45 < amiller> i don't know, i am not sure this makes any sense 14:15 < petertodd> jtimon: obviously they're not actually doing full validation here, but you can set things up so that all the blockchain data is "covered" by multiple partial validators 14:15 < jtimon> the smaller the prefix, the bigger part of the uxto you have 14:15 < petertodd> jtimon: with fraud proofs if anyone finds a problem, everyone can be informed that the block needs to be rejected 14:15 < petertodd> jtimon: exactly 14:17 < adam3us> petertodd: ok read. i think i skimmed it a bit before (remember the bloom issues you identified.. 
i asked TD about it early on and he said yes there are a few bugs) 14:17 < jtimon> ok, I'm trying to compare it with maaku_'s stateless validation proposal... 14:17 < jtimon> in that one, miners only have the root of the utxo 14:18 < petertodd> jtimon: this *is* his proposal 14:18 < petertodd> jtimon: it's something you can do with it basically 14:19 < jtimon> ey, wait 14:19 < petertodd> adam3us: good, now see my point how this stealth structure fits in very well with where blockchian indexes are going? this is something we can actually get implemented, and solve a lot of real problems very quickly 14:20 < adam3us> petertodd: block chain indexes? you mean the above koorde like sharding of data? (nodes store things near to them in some artificial space)? 14:20 < petertodd> adam3us: yeah exactly 14:21 < petertodd> adam3us: remember, the big issue with bloom is it's not indexable 14:21 < petertodd> adam3us: to query against a bloom filter requires matching against all transactions for every query, which sucks 14:21 < adam3us> petertodd: i dont quite accept that as a valid design rationale though. 'could shard this way' for a speculative what-if => lets do prefixes even though they have self-admitted linkability problems 14:22 < adam3us> petertodd: yeah bloom has its issues. 14:22 < petertodd> adam3us: there's nothing speculative about it, electrum does just that, and will add prefix queries soon 14:22 < adam3us> petertodd: maybe there's a third way 14:22 < adam3us> petertodd: speculative in there being full-nodes that focus on some prefixes only. 14:23 < jtimon> petertodd: with your proposal, how miners validate foreign blocks that contain tx that refer to a part of the utxo they don't have? 14:23 < jtimon> Are miners also supposed to send the full update proofs to each other like with maaku_'s? 14:23 < jtimon> If so, what do miners hold any of the utxo at all (apart from the root)? 
14:23 < petertodd> adam3us: electrum servers *are* an example of a full node serving SPV clients 14:23 < petertodd> adam3us: SPV != bloom you know 14:23 < petertodd> jtimon: in the current design of bitcoin that's not really possible 14:23 < adam3us> petertodd: yes i know, and i agree 14:25 < jtimon> petertodd: which of the two things are not possible? 14:25 < petertodd> adam3us: yes, so, the question really is how do you index data such that you can match approximately, with the in-chain data being less approximate then the indexes the SPV-serving nodes have, gmaxwell has a proposal, but again, how would you ever end up with a miner committed index of it? 14:26 < petertodd> jtimon: the validate txins referring to utxo they don't have 14:26 < adam3us> petertodd: well bloom results are not committed 14:27 < petertodd> adam3us: I know, and like I said, stealth addrs could be implemented as "match this bloom filter index with this nTweak" 14:27 < adam3us> petertodd: or are they. hmm. i mean can you verify the entire result set from the fuzy bloom query tie into the containing block hash? 14:27 < petertodd> adam3us: but that's not scalable on the index side becuse of all the possible nTweak's 14:27 < jtimon> petertodd: I think maaku's proposal with updatable trees require clients to send the complete proofs miners need to check validity having only the root of the utxo 14:28 < petertodd> adam3us: obviously miners could commit to boom filters, but then you'd run into the problem that to use gmaxwell's solution you have to have them commit to n different versions of the filter 14:28 < petertodd> jtimon: ah, sorry, yeah, if you adopt that then miners can do that 14:29 < jtimon> that's stateless validation 14:29 < jtimon> it seems better than sharding for miners 14:30 < adam3us> petertodd: getting sleepy but it seems more like a public key watermarking problem. ie there are people who thought about and may be even have solutions to this problem. 
i am not sure if they are going to be indexable or not. but we could explore it. if its expensive also maybe there could be fees. 14:30 < petertodd> jtimon: think about how much bandwidht they're using in that example... 14:30 < jtimon> maybe all the proofs should go hashed in the block 14:30 < petertodd> adam3us: it has to be a solution that isn't expensive or this isn't gonna happen and we'll still have address reuse 14:30 < jtimon> petertodd yes, bandwith is the bottleneck in this case 14:30 < petertodd> adam3us: hell, this has to be a solution with pretyt damn low programmer complexity to have any hope of being adopted 14:31 < jtimon> petertodd but your approach is not secure for miners 14:31 < petertodd> jtimon: wait, the sharding? 14:31 < petertodd> jtimon: forget miners 14:31 < jtimon> yes 14:31 < adam3us> petertodd: yea yeah. i know the life of a privacy tech crypto guy, people emand the impossible and then turn their noe up when you pull some minor miracle that its not as easy or as cheap as doing something privacy invasive. been there. done that. got the t-shirt 14:31 < petertodd> jtimon: sharding for miners is a much harder problem then sharding for full-nods that want to serve SPV 14:32 < maaku_> jtimon: i got stateless validation from petertodd 14:32 < petertodd> adam3us: exactly, OTOH we've got this stealth addresses proposal that's gotten like three reimplementations in a few days, and we can actually get adopted. Let that process happen and we can *upgrade* it later to be even better. 14:32 < jtimon> petertodd, full nodes too, but miners are spending money hashing....oh, ok, you're not talking sharded miners 14:32 < petertodd> adam3us: I'm specifically trying to design stealth addresses themselves to be backwards compat upgradable you know. 
14:32 < maaku_> or it came out of a discussion between petertodd and gmaxwell, iirc 14:33 < maaku_> here on -wizards 14:33 < jtimon> petertodd I thought you needed prefixes in stealth addresses for sharded mining 14:33 < petertodd> adam3us: when we figure out a more clever way of doing prefixes, we can add a field to the stealth addr data that says "Hey! if you know how to handle this, you can also pay me with this fancy index scheme, but otherwise do the old thing." 14:34 < petertodd> jtimon: sharded mining eventually, sharded full nodes soon 14:34 < adam3us> petertodd: so maybe could it reasonably said that stealth addresses are used only here in the vanity/bizcard kind of use case. or is this going to turn into another 'yeah address reuse, sorry cant persuade user or wallet maker to stop' scenario 14:35 < adam3us> petertodd: ie they just jam them into their wallet, and reuse them ad nauseum for plenty of non-bizcard scenarios 14:36 < jtimon> petertodd sharded mining is what's hard for me to believe you're near to solve, but sharded full nodes seems a good enough use case to justify prefixes on stealth addresses 14:36 < petertodd> adam3us: hey, at least with an upgrade path we only have to convince the wallets incrementally 14:36 < adam3us> petertodd: btw i have another solution to address reuse. one-show signatures. (reuse it at your peril, do that and it leaks your private key via simultaneous equation) the tech is very simple to do it too. 
how about i propose that on bitcoin-dev and draw some diagrams about the advantages of a final solution :) 14:36 < petertodd> adam3us: meh, users reuse addrs if you let them 14:36 < petertodd> adam3us: pff, good luck, that's user obnoxious 14:37 < adam3us> petertodd: well the client sw would say "error cant reuse" 14:37 < petertodd> adam3us: that's the kind of thing you build into a new system, not something you do as a *downgrade* to an existing one (form the users perspective) 14:37 < petertodd> adam3us: we can hardly convince wallet authors to not reuse change addrs, give it up 14:37 < petertodd> adam3us: never mind you're risking user funds 14:38 < Luke-Jr> lolwut, someone emailed me a complaint - they don't like me using proper nettiquite on bitcoin-dev 14:38 < adam3us> petertodd: well i guess i was just going with the flow you know... proposing things that are risky, and using first to implement arguments for my being right :P 14:39 < adam3us> petertodd: it has uses too. double-spending becomes much harder! 14:39 < petertodd> adam3us: no, you're doing almost the exact opposite to what I'm doing: "I got this idea and lets impose it because it's good, fuck users." 14:39 < Luke-Jr> you all coming to Miami? :p 14:39 < petertodd> adam3us: I'm saying "How can I offer something to users that they'll actually accept and make things easier?" 14:39 < petertodd> Luke-Jr: nah 14:40 < adam3us> Luke-Jr: someone paying flights? kind of far for a weekend... 14:40 < Luke-Jr> far from where :P 14:40 < adam3us> Luke-Jr: malta (europe) 14:41 < Luke-Jr> ah, yeah that's a bit far 14:41 < jtimon> yeah spain's far too 14:41 < maaku_> jtimon (and anyone else) : I'm reaching out to the concatenative language community to see if they have any input for a joyscript. 
let me knkow if anyting is missing : http://0bin.net/paste/kMkgAK+zO2+mTK0E#Lua4/1g5fGVyv44fpRkftnd37RetgnrDrItXAp9FyvA= 14:43 < petertodd> bbl 14:43 < adam3us> petertodd: i get that they might accept it and find it easier (they already like reusing addresses because its conceptually simpler) but it cant replace one-use adresses, because other than for full node (0-length prefix) its strictly worse on privacy. i mean the whole thing is about privacy, so you cant say its easy to use or they accept, if it makes 22:38 < Emcy> petertodd snowden walked out with a ton of shit - if they have compartmentalisation theyre not using it properly 22:38 < Emcy> same as the reams of stuff manning got off the sipernet 22:38 < petertodd> Emcy: yes, but he was a sysadmin, and he had to use social engineering to get a lot of that data too 22:38 < warren> the media reported that he used authentication of other people to get more data 22:39 < petertodd> Emcy: if you're an average employee playing by the rules you're still compartmentalized 22:39 < Emcy> social engineering definitely counts on your overall security makeup 22:39 < Emcy> so 22:39 < Emcy> id give them a D- 22:39 < phantomcircuit> Emcy, nothing is truly compartmentalized 22:39 < phantomcircuit> anybody can lookup anything 22:39 < phantomcircuit> but everything is audited 22:39 < phantomcircuit> you look up something you shouldn't have 22:39 < phantomcircuit> go to jail 22:39 < phantomcircuit> right? 22:39 < Emcy> well nothing can be, or you dont have a functioning organisation 22:40 < phantomcircuit> except no because he's in russia 22:40 < Emcy> assange was supposed to be a total freak about compartmentalisation 22:40 < phantomcircuit> Emcy, if all the intelligence was actually compartmentalized it would be worthless 22:40 < Emcy> to the point where lots of people left wikileaks... 
22:40 < petertodd> phantomcircuit: yeah, and if you don't already know about something, it's hard to know what you are supposed to be searching for... making it even more likely that the auditing will catch you 22:40 < phantomcircuit> petertodd, yup 22:41 < phantomcircuit> im guessing he was basically looking at stuff using other peoples credentials 22:41 < phantomcircuit> and they couldn't figure out what was going on until it was too late 22:41 < phantomcircuit> or maybe he really did just pull it all in at once and left for hong kong 22:41 < petertodd> yup 22:41 < petertodd> he was pretty lucky to pull that off 22:41 < Emcy> he said in that interview he just came accross these examples of casual disregard for the constitution in the course of his job 22:41 < Emcy> and that piqued his interest 22:42 < Emcy> thats how it starts, people dont go into these orgs looking to rock the boat 22:42 < phantomcircuit> Emcy, sounds about right 22:42 < Emcy> the ones with ethics change gradually, the ones without keep pulling the levers 22:43 < Emcy> similar story with manning 22:43 < petertodd> yeah, I get the sense that it's easy for people to rationalize their actions. and heck, if you don't see evidence of abuse, it's easy to figure that "well, my organization is behaving responsibly, and we really do have enemies" 22:43 < Emcy> petertodd you dont know how strong diffusion of responsibility is 22:43 < Emcy> it lefs people step literally over people dying in the street 22:44 < petertodd> Emcy: indeed 22:44 < Emcy> i have become interested again recently in the inherent cognitive defects of humans 22:45 < Emcy> to which of course i am subject as much as anyone else, if not more of course. 
22:46 < phantomcircuit> Emcy, that's less of a cognitive defect and more of an evolutionary advantage 22:46 < phantomcircuit> but yeah still 22:46 < Emcy> the study about how people mental arithmetic *on an unrelated maths problem* actually gets measurably worse after being shown statistical evidence which contradicts one of thier political beliefs 22:46 < Emcy> that fascinated the shit out of me 22:47 < petertodd> phantomcircuit: an advantage in the small-group societies that we evolved in 22:47 < Emcy> phantomcircuit depends whether you think we should be bound to baser behaviours gained from our old evolutionary road, or try and be better 22:48 < phantomcircuit> Emcy, sure but it's not really a defect 22:48 < Emcy> were supposed to be sentient and sapient, we could choose not to be such slaves to instincts. But its harder work. 22:49 < phantomcircuit> it's merely a cold fact of survival that is probably not necessary anymore in relatively wealthy countries 22:49 < phantomcircuit> (im not so sure about developing countries) 22:49 < Emcy> evolutionary advantage becomes disadvantage and vice versa 22:49 < Emcy> we just havent caught up yet 22:50 < Emcy> saying that i dont think "tribes" of tens of millions is doing up much good either 22:56 < Emcy> oh wow i guess they took that 5.1btc too if they got all his pgp keys 22:56 < Emcy> nice political statement asshats, if that was the intention --- Log closed Sun Nov 17 00:00:01 2013 --- Log opened Sun Nov 17 00:00:01 2013 02:35 < skinnkavaj> are we still going to have centralized security exchanges or do you think coloured coins will help with that? everyone is working on coloured coin decentralized exchanges right now but i don't understand how it will not be centralized in some parts. 02:39 < warren> skinnkavaj: they are all centralized in some way. 02:52 < Guest12085> warren: not true there are fully decentralized colored coin proposals (e.g. 
freimarkets) 02:52 < Guest12085> skinnkavaj: concensus by block chain will always be expensive, period. 02:53 < maaku> but decentralized exchanges will exist for the rare cases in which they are needed 02:53 < maaku> such as ripple-like settlement 02:54 < maaku> but high volume exchange will always be centralized in some way 03:01 < Luke-Jr> there's already a decentralised bitcoin exchange, for like a year + now.. 03:02 < Luke-Jr> coloured coins don't really have a viable use case 03:04 < skinnkavaj> (09:01:35) (Luke-Jr) there's already a decentralised bitcoin exchange, for like a year + now.. 03:04 < skinnkavaj> are you talking about Localbitcoins? 03:05 < maaku> Luke-Jr: you see no use for user-issued assets? 03:11 < Luke-Jr> skinnkavaj: #bitcoin-otc 03:11 < Luke-Jr> maaku: I see no need for a decentralised blockchain for centralised assets. 03:13 < Luke-Jr> nor any benefit from it 03:13 < gmaxwell> Any of you feel like buying $800k in coins? that all it'll take to get mtgox usd to $500/btc. 03:14 < Luke-Jr> I don't have that much in MtGox 03:14 < maaku> Luke-Jr: freimarkets allows issuance from a multi-sig address, for example. useful perhaps for settlement at the highest level of a cartel 03:14 < maaku> which wouldn't trust any of its members individually to run the accounting server 03:15 < Luke-Jr> maaku: someone is going to be giving the shares value. 03:15 < gmaxwell> but why does it need a global decenteralized blockchain instead of some closed distributed system? 03:15 < gmaxwell> (closed as in predefined members) 03:16 < maaku> gmaxwell: i never said "global" ;) 03:17 < gmaxwell> okay I could but that, but such a system probably wouldn't be ideally constructed a a POW blockchain. 03:19 < maaku> true, this is probably a good application for (a modified version of) OpenCoin's concensus mechanism 03:20 < maaku> which i shouldn't be giving them credit for since it's basically two-phase-commit 04:58 < warren> anyone know adam3us's bitcointalk name? 
05:40 < warren> adam3us: ping 05:40 < adam3us> warren: 'hello 07:35 < adam3us> btw it seems to me the limitation with CoinJoin is that it takes active participation of the participants; hence if CoinValidation virality takes hold people will have an economic incentive to stop using CoinJoin because it is not part of the protocol 07:35 < adam3us> CoinJoin as is, is a fantastic idea and the best we have deployable now. 07:37 < adam3us> my stab towards doing one more is RingCoin. a ZKP that allows you to mix your coins with other people's coins without their participation, its like CoinJoin but whre you can chose other peoples coins to mix with, but without their participation... very cool IMO, the limitation is the mix is like 3kB per mixed value 07:39 < adam3us> if that was part of the protocol, it would be game over; taint tracing ramps up, someone takes it upon themselves to taint the lot, evenly for a modest fee; and repeat - that is in their economic interest because it protects their bitcoin holdings (and everyone else's) from a viral run on bitcoin fungibility increasing transacton costs and maybe crashing bitcoins price as everyone has a race to buy clean coin insurance - no one wants to be l 07:40 < adam3us> i believe there is hope of finding a much better than 3kB per mixed value.. gotta figure out another unpublished Schoenmakers footnote (what is it with the guy- has genius ideas and doesnt bother to publish them!) 07:44 < adam3us> i guess we know a number of other people like that here - its "done" once they've convinced themselves that it works, and finding energy to write in a digestable, never mind peer-reviewable form is like work its hard to find energy for, but schoenmakers is an associate prof at tue.nl and publishes lots a fair bit of other stuff. 
07:45 < adam3us> btw i saw in jdillon's hacked email dump of various private IMs that gmaxwell also thought of the same direction - ring signatures are an interesting direction 12:47 < maaku> adam3us: you don't need complex crypto. just let people create composable components of transactions 12:47 < TD> warren: where's that? 12:56 < TD> i see 15:15 < warren> TD: where's what? 15:15 < TD> the jdillon thing, but i saw the thread 15:15 < warren> what about it? 15:16 < warren> https://twitter.com/matthew_d_green/status/401797786347114496 Zerocoin claims to have reduced the proof size by "98%", is this the "it is still 10KB" thing people were talking about earlier? 15:17 < warren> oh, they claim transactions are down to 240 bytes now, while the first version was 25KB 15:25 < Emcy> didnt say anything about how long it takes to verify the proofs though 15:25 < Emcy> i think gregory mention it was like 2 per second on current hardware 15:25 < gmaxwell> Emcy: no point in speculating about it without their paper out. 15:25 < Emcy> or mayby that was the lamport stuff 15:25 < gmaxwell> Emcy: the new stuff works in an entirely different way. 15:26 < Emcy> so its not zerocoin its something new 18:45 < gmaxwell> From that single TPM enviroment you could do anything you'd want to have a tpm do. 18:45 < gmaxwell> Seems better than inventing a new TPM program for every usecase. 18:46 < gmaxwell> For reasons of efficiency you'd want varrious cryptographic operators available as instructions, but they could be generic ones. 18:49 < gmaxwell> Arguably TPM is dumb and should have just invented that in the first place. :P 20:34 < petertodd> gmaxwell: That approach makes a lot of sense to me, and not just technically. If you're creating abstract oracles, you can also safely sell hardware implementing these oracles publicly as they are general purpose and can be used for anything. 20:37 < gmaxwell> ah, so even if some oracle usages are prosecuted .. interesting. 
20:38 < gmaxwell> I think the AST stuff adds a lot to the oracle, as it even prevents the oracle from knowing the complete program that it participates in, and also compresses large oracle programs. 20:39 < petertodd> Ah, the preventing full AST knowledge is a godo point there too. 20:39 < petertodd> Which in turn means there can be 1 to n oracles actually doing this stuff. 20:40 < petertodd> The crazy thing about this model, is n could actually be really small, and it'd still work, or really large, and it'd still work. --- Log closed Sun Mar 24 00:00:04 2013 --- Log opened Sun Mar 24 00:00:04 2013 05:20 < warren> sipa: spring break now. I'd like to help complete your secp256k1 so I can build bitcoind entirely without openssl. Do you have a list of tasks that need doing? 05:22 < warren> sipa: I suppose I'm supposed to not look at openssl in order to ensure secp256k1 has a clean, independent copyright? 05:23 < sipa> warren: cool! 05:23 < sipa> what i'm doing now is convert everything to C 05:24 < warren> ah, what's the goal there? 05:24 < sipa> easier to build, mostly 05:24 < sipa> i'm not using much of C++ anyway 05:24 < warren> me too, I've done mainly C and java 05:25 < sipa> apart from that, the largest blocker is import/export of secret keys 05:25 < sipa> which is only done in the wallet 05:25 < sipa> but you probably want to stay compatible with openssl-based builds 05:26 < warren> you mean implmeent the same interface 05:26 < sipa> no. serialization/deserialization of secret key data structures 05:27 < warren> have you been clean rooming this? 05:27 < sipa> the data structures are quite standard 05:27 < sipa> they are ASN.1 encoded 05:27 < sipa> i don't care about source API compatibility 05:27 < sipa> we can change bitcoin's code to match 05:28 < warren> Our API can be much simpler because it goals are limited? 
05:28 < sipa> indeed 05:28 < sipa> right now, i have one public function: 05:28 < sipa> int VerifyECDSA(const unsigned char *msg, int msglen, const unsigned char *sig, int siglen, const unsigned char *pubkey, int pubkeylen); 05:29 < warren> sipa: can you list the current status and future TODO list somewhere? 05:29 < warren> sipa: what do you want the final library name to called? 05:30 < sipa> as long as we don't support anything beyond secp256k1, i think secp256k1 is fine as a name? 05:31 * warren checks to see what bitmessage uses. 05:31 < warren> My primary goal is here of course. 05:31 < sipa> i have personally no interest in bitmessage, but if it happens to be able to use it, no problem of course 05:31 < warren> checking 05:33 < warren> They have "secp256k1" in several parts of their code. 05:33 < warren> anyway, I'll worry about them later 05:33 < warren> so yeah, stick to this name. 05:34 < warren> sipa: you want me to autoconf/automake it? 05:34 < warren> autotoolize 05:34 < sipa> warren: if you have experience with that, sure! 05:34 < warren> haven't done it in 4 years, would need to relearn 05:34 < warren> sipa: what license you want it to be? 05:35 < warren> brb shower 05:35 < sipa> good question 05:43 < sipa> added a TODO file 05:48 < warren> sipa: I assume MIT-style to be compatible with bitcoin? 05:49 < warren> sipa: do you have your existing patches to bitcoind so I can use that as an example of the other interfaces that need replacement? 05:49 < warren> *pushed anywhere 06:03 < sipa> warren: yes, but not a complete one 06:03 < sipa> only for replacing verification 06:03 < sipa> which was probably the easiest change in bitcoin 06:04 < sipa> but the changes in bitcoind are easy, i think i know what has to be done for those 06:05 < warren> sipa: which randomness source do we want to rely upon for key generatoin? 
06:05 < sipa> regarding the secp256k1 library: just take the nonce as an argument for signing
06:06 < sipa> so the caller can still use OPENSSL_rand if necessary, but i'm beginning to like the idea of deterministic nonces
06:06 < warren> I haven't learned what is the typical meaning of "nonce" in bitcoin.
06:06 < warren> I know the general meaning.
06:06 < sipa> oh, sorry
06:07 < sipa> you're talking about key generation, not nonce generation
06:07 < sipa> anyway, same thing
06:07 < sipa> ECDSA signatures need a secret nonce
06:07 < sipa> that is: a value that is not reused and not known to an attacker
06:07 < sipa> typically (and in OpenSSL), it is just randomly generated
06:08 < sipa> but it is in fact possible to just calculate it as Hash(message + pubkey + privkey)
06:08 < warren> and that's just as secure?
06:09 < sipa> well, i'm in an e-mail discussion with Dan Boneh (prof. cryptography at stanford) about BIP32
06:09 < sipa> and he actually suggested that himself, as ECDSA is otherwise very vulnerable to bad PRNGs
06:10 < warren> hm
06:10 < sipa> anyway, i want secp256k1 to just be a fast math library basically
06:11 < sipa> so anything that requires dependencies will likely be pushed to the caller
06:11 < sipa> so any key "generation" function will just take random bytes chosen by the caller
06:13 < warren> ok, so it isn't secp256k1's job to decide where the randomness comes from
06:13 < warren> that's a bitcoin implementation detail
06:13 < sipa> indeed
06:14 < sipa> i'll try to get the C version + some rough ideas for the secp256k1 API done today
06:14 < sipa> that'll make it easier to contribute, i guess
06:15 < warren> cool
06:15 < warren> sipa: does bitcoind internally have more entropy sources?
06:15 < sipa> no, it relies on OpenSSL
06:17 < sipa> ask for an hour
06:17 < sipa> *afk
11:17 < jgarzik> sipa: C version? w00t
11:28 < gmaxwell> warren: the deterministic nonce is used by Ed25519 and seems fairly obviously secure so long as the hash function meets the other properties we require from it.
11:28 < gmaxwell> though, ed25519's usage does have distinct state for the nonce key, which is nice.
11:31 < gmaxwell> sipa: You could do a hybrid solution where if the provided nonce pointer is null you do H(message||key) if it is non-null you do H(nonce||message||key). The idea being that even if their RNG is bad doing that bounds the badness. And then you can still get deterministic tests.
17:38 < sipa> warren: sorry, been busy working on bitcoind network stuff today
17:38 < sipa> and next week i'll have little time i fear
17:39 < warren> sipa: OK, I have mostly family stuff this week during spring break. if I don't make progress this week I'll have plenty of time from May to work on this.
--- Log closed Mon Mar 25 00:00:05 2013
--- Log opened Mon Mar 25 00:00:05 2013
17:38 < gmaxwell> 14:36 < randy-waterhouse> http://www.h-online.com/open/news/item/Weak-keys-in-NetBSD-1829336.html
17:38 < gmaxwell> 20:21 < gmaxwell> warren: "trust but verify"
17:38 < gmaxwell> 20:21 < gmaxwell> warren: if the kernel developers are malicious you're in trouble, if they make mistakes well no need for bitcoin to be utterly brittle to weaknesses in the kernel rng.
17:38 < gmaxwell> :P
17:39 < warren> gmaxwell: fun
17:39 < gmaxwell> Seems the author of that article doesn't know about weak nonces.
18:13 < petertodd> Bitcoin really shouldn't be using the system PRNG directly IMO.
18:14 < petertodd> I figure we already have a good RNG pool with the keypool - hash in the last key generated with whatever the OS RNG gives us.
18:54 * gmaxwell sends email to the netbsd security list to point out that it's probably somewhat worse than they thought.
--- Log closed Tue Mar 26 00:00:07 2013
--- Log opened Tue Mar 26 00:00:07 2013
00:22 < jrmithdobbs> gmaxwell: ugh
00:47 < warren> I don't know anyone that uses NetBSD.
00:49 < gmaxwell> I have, but only on VAX. :P
00:51 < warren> heh.... "Thanks To ========= Thor Lancelot Simon for causing, finding and fixing the bug and helping with this advisory."
01:07 < gmaxwell> Has anyone given thought to what the Ultimate sighash types would look like?
01:15 < jgarzik> Ultimate?
01:35 < gmaxwell> Is there some simple(?) set of sighash features that actually captures all the sighash types we might wish for?
01:35 < gmaxwell> what we have now is clearly not ultimate since it's easy to come up with cases they miss in practice.
01:45 < jrmithdobbs> warren: lots of random embedded shit you'll never think of do
01:46 < jrmithdobbs> gmaxwell: i think it really needs to be revisited as to whether specifying the hash/curve as part of the address might not be desirable
01:46 < jrmithdobbs> gmaxwell: as it relates to sighash, i'm not sure, i know it does but i'm rusty on the script ops
01:47 < jrmithdobbs> there's been too much random "we know this is good" shit being broken, at least academically, recently =/
01:47 < gmaxwell> jrmithdobbs: you just use different address types for that.
01:48 < gmaxwell> Or really, P2SH and done.
01:48 < gmaxwell> I'm really not expecting much in the way of curve specific ECDSA attacks that don't undermine the whole thing.
01:48 < jrmithdobbs> gmaxwell: ya but might it be worth extending the base ops to include some things besides ripemd and sha2 in the base ops?
01:49 < gmaxwell> yes, well, when SHA3 is really finally specced we'll add that at least, I imagine.
01:49 < jrmithdobbs> that's the only related thing i've spent much time thinking about really
18:42 < petertodd> now systems where miners can mine pairs of blocks, one valid and one invalid, as gmaxwell has suggested, help here
18:42 < petertodd> jtimon: yes, which means we can trust them not to!
18:43 < jtimon> if you don't send me the proofs, I don't hash on top of your chain
18:43 < petertodd> why not? if I'm not hashing, I'm not making money 99% of the time where the block *was* valid
18:43 < jtimon> and because I want everybody to hash on top of my block, I send the proofs to every miner
18:43 < petertodd> I might as well take that risk
18:43 < petertodd> as I say, the incentive isn't as strong as you think
18:43 < jtimon> I prefer to mine block n-1
18:44 < petertodd> why? you'll make more money if you mine block n 99% of the time
18:44 < jtimon> ok, I don't trust your 99 but I get your point
18:45 < petertodd> remember, what the bitcoin sourcecode implements doesn't necessarily match what a rational miner will actually do
18:45 < jtimon> so miners would have the incentive to send fake invalid blocks to distract competition
18:46 < petertodd> right now that costs too much because you can only mine either a valid, or an invalid, block
18:46 < sipa> they have an incentive to send fake invalid blocks to 49% of their competition...
18:46 < petertodd> now, if the system allows you to mine both simultaneously, perfect!
18:46 < jtimon> so that 99 turns into a 1 and everybody is happy again
18:46 < petertodd> yes
18:47 < petertodd> and/or tie your PoW scheme to some subset of blockchain data, and the other miners simply can't mine on your block unless you give them the data, therefore they'll mine on block n-1 and eventually overtake you (unless you have 51%, but we're screwed there...)
18:47 < jtimon> what's the problem then? we only need miners to spam each other so that they don't trust new blocks without the corresponding proofs
18:48 < jtimon> oh, I see, I guess your solution is better
18:49 < petertodd> well, actually I think both solutions are good, and for different reasons: the "firedrill" one helps test fraud proof code and ensure it actually works, which is valuable in and of itself
18:49 < jtimon> sorry, I forgot you were trying to explain to me the problem that justified the solution but I forgot you had a solution
18:49 < petertodd> heh
18:50 < petertodd> now here's the next problem: suppose we decide to shard the blockchain, we'll say UTXOs starting with MSB=0 go on one side, MSB=1 go on the other
18:51 < petertodd> so that's basically two parallel chains, and they timestamp each other (really forming a *timestamp* chain over both)
18:51 < jtimon> sorry, what was sharding again?
18:51 < petertodd> jtimon: shard as in how databases are split up
18:52 < jtimon> like partitioning the blockchain?
18:52 < petertodd> now miners only mine one or the other chain's contents, but 100% of the hashing power goes to the timestamp
18:52 < petertodd> jtimon: yes
18:53 < jtimon> sorry again, what's MSB=0 ?
18:53 < petertodd> MSB=most significant bit
18:53 < jtimon> ok
18:54 < petertodd> now, suppose somehow one entity controls 95% of the hashing power on chain 0, and they just don't publish block contents, but *do* contribute to the overall timestamping hashing power
18:54 < petertodd> they can't attack the timestamp - they only have 40% of the total hashing power - but they can make it impossible for any transactions to happen on chain 0
18:55 < jtimon> sorry, I got lost here "now miners only mine one or the other chain's contents, but 100% of the hashing power goes to the timestamp"
18:55 < petertodd> suppose then they stop their attack - you're left with a bunch of blocks that have been timestamped, but the actual contents of them have vanished, which means you can't modify the state of the chain unless you "roll-back" to whatever data is publicly available, but what's the right rule to handle that?
18:56 < jtimon> the purpose of sharding is to have lighter miners, I guess
18:56 < petertodd> jtimon: suppose a block header for the timestamp contains hashes of the most recent header in the subchains
18:56 < petertodd> jtimon: exactly, specifically spread the bandwidth out so that you don't need to keep up with all tx's to mine
18:56 < jtimon> and who pows the timestamp?
18:57 < jtimon> nobody?
18:57 < petertodd> well, one easy way is to say that the two chains are merge-mined with the timestamp
18:57 < petertodd> and then set the pow difficulty to be exactly half of the timestamp difficulty
18:57 < jtimon> isn't merged mining like the opposite of sharding?
18:58 < petertodd> jtimon: no! in this case it's just a way of having a very strong pow for what orders transactions - the timestamp chain - while allowing for two separate chains
18:59 < petertodd> e.g. a block header in this scheme consists of PrevTimestampHash, MergeMineRoot, Time, etc.
18:59 < petertodd> and the subblock headers are just PrevSubChainHash, MerkleRoot
19:00 < jtimon> mhmm I don't know how something that is not powed can be very strong
19:01 < petertodd> jtimon: how is it not PoW'd?
19:01 < jtimon> oh, I see, each chain mines on top of the previous timestamp, not the previous block of the subchain, no?
19:01 < jtimon> what if one chain goes faster?
19:02 < petertodd> heh, well, interesting question!
19:02 < petertodd> you can probably come up with a scheme where the actual headers, just not the block contents, are known to both miners, and you adjust difficulties appropriately
19:03 < petertodd> but that's far from the most interesting part of this stuff
19:03 < jtimon> the most interesting part is having lighter miners, no?
19:04 < petertodd> jtimon: well, that's why you'd do it, but in the process you've made it susceptible to new attacks that didn't exist before
19:05 < petertodd> like I say, if the data for one chain isn't available for whatever reason, things get ugly, and less than 50% of total hashing power can attack the chain that way
19:08 < petertodd> one thing you can do is have "challenges": pick a nonce in the top timestamp chain, and make the rule be unless the data from that subchain turns up - along with an appropriate proof - the way you decide what is the best block changes such that you *can* reorganize that subchain with <50% hashing power
19:08 < petertodd> (normally you can't due to the timestamp property)
19:09 < petertodd> at least then if subchain data gets accidentally lost, somehow, the state of the system can recover.
19:10 < petertodd> that also somewhat protects you against malicious attackers, essentially because you can temporarily pay higher fees to get the rest of the miners to force some <50% attacker to spit up the data you actually need to make your transaction
19:10 < petertodd> and once you make a robust scheme with two subchains... it trivially extends to a full on tree
19:10 < jtimon> mhmm, I don't know...it seems very complex, maybe we just need to think about another way of sharding
19:10 < petertodd> it is very complex, but my suspicion is that sharding inherently is complex
19:10 < petertodd> just handwaving and assuming global consensus is *way* easier
19:10 < petertodd> pity it doesn't scale though
19:13 < jtimon> yeah, I've been thinking about other sharding-like schemes but for now they were broken (well, the first one actually just needs every node to trust each other, that is, is centralized)
19:13 < petertodd> heh, well doing it with trust is easy :)
19:13 < sipa> jtimon: nah, that's just called ripple
19:14 < jtimon> sipa: no, I don't mean ripple, I mean something scalable
19:14 < petertodd> jtimon: heck, just arbitrarily saying "OK! it's 8 block chains now!" will probably work in practice, even if really the security isn't as good as it could be
19:14 < petertodd> jtimon: ripple is scalable technologically, socially OTOH...
19:14 < jtimon> well, I haven't seen any centralized markets infinitely scalable
19:15 < petertodd> jtimon: ripple the idea isn't centralized
19:15 < sipa> i've mentioned it before, but i'd like to stop confusing the word 'centralized' with 'trust-free'
19:15 < jtimon> can the ripple.com network process 1 billion tx/s ? definitely no
19:16 < sipa> sorry, 'decentralized' with 'trust-free'
19:16 < jtimon> petertodd: 2PC ripple is completely scalable
19:16 < petertodd> jtimon: exactly, ripple.com is an abomination and we shall not mention it again
19:16 < sipa> i shall resist.
19:17 < sipa> anyway, you could have a bitcoin-like system, where instead of script verification, there was just one huge datacenter computing zero-knowledge proofs of the validity of the chains
19:17 < sipa> it would be totally centralized (as in central point of failure), but to an extent trust-free
19:17 < jtimon> well, I think my centralized system is completely scalable, but maaku and I have to actually test that
19:18 < maaku> jtimon: another Joy-derived language that might be useful http://www.cat-language.com
19:18 < petertodd> sipa: which is roughly what my fidelity-bonded foo ideas were about, especially the fidelity-bonded ledgers version
19:18 < sipa> also, a bunch of N nodes all talking to each other that all trust each other is perfectly decentralized, but not trust-free at all
19:18 < jtimon> maaku I read that one has strong typing instead of dynamic
19:18 < maaku> yes, which would be a good thing i think
19:19 < petertodd> sipa: yes, and with some changes to the way blocks are structured you certainly could have groups of miners who trust each other co-operatively create and mine blocks with individually low-bandwidth nodes
19:19 < petertodd> sipa: I think you can even pull that off as a soft-fork
19:20 < sipa> anyway, i'm not making any particular suggestion here
19:20 < sipa> just trying to point out that 'decentralized' is ambiguously used in bitcoin context
19:20 < jtimon> well, I try not to use ZKP or snark/scip when designing, haven't learned black magic yet...
19:20 < petertodd> jtimon: if it can't be done with hashes, it's not really bitcoin
23:14 < sipa> gmaxwell: i don't
23:14 < sipa> mike worked on anti-abuse
23:19 < HM> I'm fairly bitter about Goog giving personal domains with Gmail the brush
23:20 < HM> I don't really see how the loss of "@gmail.com" mindshare is harmful to their brand at this point.
23:21 < HM> Let's hope people hosting their own bitcoin wallet isn't as bizarre as running their own email server, or at least using their own domain for email, in future
23:23 < gmaxwell> we have some say in that future... if the only way to get good wallet software is through a website ... welllllll.
23:27 < HM> I don't use the desktop client anymore. I just use Andreas' droid app
23:27 < HM> there's no real reason either
23:28 < gmaxwell> yea, so what you're telling me is that bitcoin is doomed. :(
23:28 < gmaxwell> oh well.
23:28 < HM> ikr
23:29 * gmaxwell wishes they taught kant's categorical imperative in school.
23:32 < HM> gmaxwell, Wikipedia can't teach it to me now, so I think school kids would struggle.
23:33 < HM> something like only do something according to some rule, if you would like to see that rule become the social norm
23:34 < amiller> do what you want everyone else to do too
23:38 < HM> that's kind of vague
23:40 < sipa> heh, i knew that summary
23:40 < sipa> though not the name or whom it came from
23:45 < gmaxwell> the WP article is confusing.
23:45 < gmaxwell> It's basically suggested as a basis for morality, though you can use it more pragmatically than that.
23:46 < gmaxwell> The idea is that you shouldn't do something that would produce bad outcomes if everyone did it. Even if you don't buy into it as a basis for morality (I dunno if I do), it has a lot of practical usefulness.
23:47 < gmaxwell> For the case of a SPV wallet: "I'll run both a SPV wallet (on my phone) and a regular one elsewhere" and "I'll run a SPV wallet only, if and only if I honestly don't have the resources to run a full node" both pass the categorical imperative .. in that if everyone follows the same rules things should be okay.
23:48 < gmaxwell> vs, I think "SPV is easier for me, I'll just run that" I think does not, because it suggests a world where basically google (sorry googlers, you get to be the deathstar this week) runs the only full node. :P Once too many people run SPV nodes you're actually at more risk if you run a full node, since you want to be part of the majority of users consensus.
23:48 < gmaxwell> and the whole set of economic incentives around bitcoin start to break down. :(
23:49 < gmaxwell> unless their breakdown triggers people to run full nodes. But I'm not sure that works.. being the one full node against the world isn't a position anyone wants to be in.
23:49 < amiller> depends also on how specific you're willing to make your rule, like "i'll behave altruistically, unless i'm amiller, in which case i'll behave selfishly"
23:50 < gmaxwell> amiller: hahah indeed. well I don't personally really buy CI as a basis for all morality. It only works for that in contrived models, but as you note only ones with finite levels of being contrived. :P But I think it's a useful way to think about things that have externalized costs/risks.
23:51 < HM> I won't steal this lady's hambag because if everyone stole everyone's hambag life would suck
23:51 < HM> oh wait...i don't have a hambag...
23:51 < gmaxwell> HM: even if you don't... a world where handbags were stolen very frequently would suck in a bunch of ways that would harm you.
23:52 < HM> i really did type 'hambags'
23:52 < gmaxwell> twice!
23:52 < gmaxwell> I corrected it in my reading!
23:53 < HM> it's almost 5am
23:54 < sipa> 6am!
23:54 < gmaxwell> for example, people might not carry handbags anymore, and then they couldn't shop at your local businesses. Or they might carry exploding handbags which sometimes exploded accidentally. :P CI is not the golden rule, it's a generalization of it in some sense. It basically proposes a rule that if everyone follows it then as a whole society playing a gigantic prisoners dilemma game, we all choose to not-defect without any coordination ...
23:54 < HM> if everyone went to sleep at 5am....
23:54 < gmaxwell> ... beyond the CI rule.
23:55 < HM> what if I advocate CI publically, but ignore it in private?
23:55 < gmaxwell> HM: it's fine so long as your rule is something like "I'll stay up to 5 am, but only if doing so doesn't make a mess for other people"
23:56 < HM> publicly* sigh
23:56 < gmaxwell> HM: that fails CI. It's not intended to be some maxim you hold people to (well, maybe Kant thought otherwise). But it at least gives you a way to think about a consistent moral system, "if you were god", that helps separate some of the subjectivity out of morality.
23:56 < HM> right
23:57 < HM> but it's not clear if everyone using SPVs would be bad. I mean it might force you guys to come up with a better solution that has many of the same advantages :P
23:57 < HM> and that would be good for everyone
23:58 < HM> likewise, handbag theft could spur on great innovation in other fashionable accessories
23:59 < sipa> hard to quantify those evolutions though
23:59 < HM> i don't see how you can apply CI without making a decision about what's better globally
23:59 < sipa> and certainly hard to ascribe them causally to handbag theft
--- Log closed Mon Sep 09 00:00:20 2013
--- Log opened Mon Sep 09 00:00:20 2013
00:01 < gmaxwell> HM: depends on what you mean by SPV.. also you.
00:01 < gmaxwell> keep in mind that I have an easy out here: I can just forget about bitcoin.
00:01 < gmaxwell> (which I will likely do at some point, in fact if I am to make a prediction)
00:02 < HM> Bummer
00:02 < gmaxwell> HM: if you (being the generalized representative of all mankind) are unwilling to take any cost at all to increase the collective security, then I don't think an improvement is possible.
00:03 < gmaxwell> If you're willing to take some small cost, which happens to currently be less than running a full node, then perhaps there are some things that can be done... but it's not clear to me that anyone will do them: too easy to just walk away from bitcoin.
00:03 < gmaxwell> Worse: if someone were to do such a thing they'd be personally better off (failing the CI) to go do it in an altcoin where they could go own a bunch of it upfront.
00:04 < HM> That's the thing though. Individual disregard for security affects the network in Bitcoin.
00:04 < gmaxwell> (plus have a much easier time doing it: to improve anything in bitcoin involves convincing a lot of people: some who are actually opposed to decentralization, many who are just clueless, etc.. vs an altcoin you can just put it in.. Fiat Lux.)
00:05 < sipa> ok, let's start egocoin
00:05 < HM> Really you should be objecting to me using a thin client because it puts *your* security at risk
00:05 < HM> in theory
00:05 < sipa> depends what you're comparing it to
00:06 < gmaxwell> it's complicated, if your alternative is no bitcoin at all I'd rather you use the spv client.
00:06 < sipa> you running a thin client vs you not using bitcoin at all isn't a decrease in security
00:06 < sipa> !hi5
00:06 < HM> lol
00:07 < gmaxwell> That's why I gave those CI passing examples above "I'll run a SPV wallet only, if and only if I honestly don't have the resources to run a full node" and "I'll run both a SPV wallet (on my phone) and a regular one elsewhere"
00:08 < gmaxwell> (the latter means that full nodes need to be cheap enough to run for many people, but at least that's a pure technical challenge)
00:09 < HM> the problem is, more and more people will likely be introduced to Bitcoin through thin clients or hosted wallets
00:10 < HM> you're then trying to argue for additional work that sees no personal or immediate benefit
00:11 < HM> that's a tougher position to start in than having people run full nodes and then saying "this is why you can have nice things"
00:12 < gmaxwell> maybe, we ultimately don't need _everyone_ to run one. But the problem is that what you're describing to me is basically where ~no one runs one. Who would have more incentive to than you esp in a world where most people already weren't?
00:12 < gmaxwell> And I dunno about trying to argue: I'm just stating what I think is the logical conclusion. The things I am observing are telling me that bitcoin is doomed.
00:13 < HM> Some people can walk away from Bitcoin, some can't or won't for other reasons.
00:13 < HM> those that can't will run full nodes if it came to a crunch
00:13 < HM> those that can, know this
00:13 < gmaxwell> sure, and something called "bitcoin" might exist forever, but it wouldn't be the thing that I would call bitcoin.
00:13 < gmaxwell> This isn't clear to me.
00:13 < amiller> gmaxwell, thanks for listening to my idea and describing it as hiding the income, i hadn't thought of it that way but that totally helps
00:13 < gmaxwell> "if it came to a crunch" is too late.
00:14 < amiller> i'm going to use it immediately and remember to give you credit :o
00:14 < gmaxwell> amiller: thanks! I hope you're able to come up with something interesting!
00:14 < amiller> mooncoin
00:14 * amiller drifts off into space
00:14 < HM> fyi, i don't think bitcoin is doomed
00:15 < amiller> it's hard not to worry that the whole internet is doomed these days :/
00:15 < gmaxwell> HM: You could say that the users of the USD would reject inflation. Except that they don't. Incrementally everyone happily agrees a little inflation is A OK and good for expedient interests.
00:16 < gmaxwell> HM: I don't know that it's doomed, but patterns are suggestive to me that its initial argument for existence is not likely to be upheld. I'd probably just give it 50/50. I would give it less, but I've seen some remarkable arguments from people I normally wouldn't have expected to "get it" that show they really do get the motivations for such a system... and I get a bit of hope from that.
00:17 < HM> I don't think people worry about central banks
00:17 < HM> they see them as benign
15:17 < gmaxwell> I've spent more time looking at the GGPR pairing based zk-SNARK though it's only smoke-and-mirrors publicly verifiable, the linear PCP that eli et. al. have written more about is probably a better match to what we need but I haven't seen as much concrete performance numbers for it.
15:18 * nsh nods
15:18 < gmaxwell> nsh: well, sha256 has all those circular rotations, which don't express compactly in tinyram. and every tinyram cycle is ~1000 gates.
15:18 < nsh> hmmm
15:19 < gmaxwell> the tinyram stuff makes a lot of sense when you have control flow though. In any case, a first prototype should absolutely be done via tinyram.
15:19 < nsh> right
15:20 < nsh> there was also mention of "non-standard assumptions" that were slightly glossed in this talk: http://www.youtube.com/watch?v=nS3smRAfUd8
15:20 < nsh> want to look into those a bit more
15:21 < gmaxwell> the non-standard assumptions is the non-falsifiability problem that all succinct NP argument systems have.
15:22 < nsh> hmm
15:22 < gmaxwell> The problem is that you can't prove it black-box reducible to any simple cryptographic assumption because you can imagine a black box system breaker that only lies in cases where no polytime bounded user could distinguish the lie. It's a kind of wanky argument.
15:23 * nsh muses
15:23 < gmaxwell> nsh: the key thing to watch out for is that the people working on this stuff frequently use a security model we'd consider generally stupid.
15:23 < nsh> which is?
15:24 < gmaxwell> Basically first you can have systems which are only designated verifier; any interactive system is like this. A single verifier gets convinced of the proof but the proof is not transferable to other parties. Obviously that's not useful to us. The alternative to designated verifier is publicly verifiable
15:24 < nsh> right
15:24 < nsh> but you still require a trusted generator of prover and verifier keys
15:25 < gmaxwell> well there is a bunch of "publicly verifiable" work where it's assumed that all the verifiers have a common reference string. Some magical data which was securely generated which they trust.
15:25 * nsh nods
15:25 < gmaxwell> right. which is crap for us, generally.
15:25 < nsh> mmmm
15:26 < gmaxwell> There are systems which are publicly verifiable without that assumption, but they are not as popular with the theoretical cryptographers mostly because they depend on fiat shamir, so they are secure only in the random-oracle model.
15:26 * nsh notes to google
15:27 < andytoshi> is there a good paper which explains the random-oracle model and how it relates to real life?
15:27 < gmaxwell> Eli has been working with two different backends one based on the GGPR work which is CRS-publicly-verifiable and perfect zero knowledge. And apparently one which is based on fiat-shamir transforms of some linear pcp. which should be verifiable without a CRS, though it's not quite perfect zero knowledge.
15:27 < gmaxwell> though the proofs would be larger (tens of kilobytes), though I expect more rapidly verifiable.
15:28 < nsh> hmm
15:28 < nsh> (CRS being common reference string, i presume)
15:28 < gmaxwell> right.
15:29 < gmaxwell> I think for us, especially for blockchain proofs, we'd prefer the latter assumption. We're already slathered with random oracle assumptions. Also, we can do some novel things to boost the security of fiat-shamir-transform proofs that basically no other system can do.
15:29 < nsh> i guess generating and distributing the CRS isn't much different, security-wise than what's being done now with the blockchain torrents?
15:29 < nsh> but it's not ideal
15:29 < gmaxwell> nsh: eek. no. The blockchain torrents are completely untrusted and might as well be maliciously generated. We verify them.
15:29 < nsh> hmm, right
15:30 < gmaxwell> CRS = if you have the secret you can trivially (at least in the case of GGPR) generate fake proofs.
15:30 < nsh> oh, that's an issue
15:31 < nsh> what novel things can we do to boost the fiat-shamir-transform security?
15:31 < gmaxwell> plus, you need a new CRS if you change the circuit. Which is a bit lame.
15:31 < Luke-Jr> someone mailed me ants o.o
15:31 * nsh nods
15:31 < Luke-Jr> http://flickr.com/gp/52549449@N05/54iQ5S
15:31 < gmaxwell> Luke-Jr: antminer?
15:31 < Luke-Jr> gmaxwell: no, real ants
15:31 < nsh> lol
15:31 < Luke-Jr> they crawl around
15:32 < nsh> heh
15:33 < gmaxwell> Fiat-shamir-transform basically amounts to "construct a hashtree over your data, use the hashroot to select which parts of the data to disclose" .. if the data in question is a probabilistically checkable proof, you get a compact proof out of it. You have to expand the number of points you disclose because an attacker could keep retrying junk proof until he got one that happened to pick points that pass.
15:33 < nsh> hmm
15:34 < gmaxwell> nsh: what we can do in bitcoin is commit to a fiat-shamir hashroot in a block, then use the successful block hash to pick the disclosed points. Because mining a block takes a whole lot of computation, it's now _much_ harder to grind on your proof.. so you can disclose fewer points for equal security.
15:34 < nsh> ah, i think i see
15:34 < nsh> that's neat
15:34 < gmaxwell> though the reduction is probably not that great in practice, maybe you can halve the proof size that way.
15:34 * nsh nods
15:35 < gmaxwell> (also, it makes the proofs weaker against people with extreme hashpower ... but then again bitcoin kinda fails if those parties exist)
15:35 < nsh> right
15:38 < nsh> andytoshi: http://crypto.stackexchange.com/questions/879/what-is-the-random-oracle-model-and-why-is-it-controversial // http://en.wikipedia.org/wiki/Random_oracle // http://cseweb.ucsd.edu/~mihir/papers/ro.pdf
15:39 < nsh> http://blog.cryptographyengineering.com/2011/09/what-is-random-oracle-model-and-why.html // http://blog.cryptographyengineering.com/2011/10/what-is-random-oracle-model-and-why.html
15:42 < gmaxwell> Did andytoshi ask something here? /me doesn't see
15:44 < nsh> <andytoshi> is there a good paper which explains the random-oracle model and how it relates to real life?
15:47 < andytoshi> thx nsh
15:47 < nsh> np
15:47 < andytoshi> gmaxwell: i had just arrived, maybe my arrival did not reach your part of the network?
15:48 < gmaxwell> oh, it was here, I just missed it completely.
17:38 < amiller> Secure Multiparty Computations on BitCoin http://eprint.iacr.org/2013/784
17:38 < amiller> this is a pretty great paper
17:39 < amiller> this is the first time someone's given a pretty clear way that bitcoin solves a problem that people in crypto theory would like to have solved
17:39 < amiller> fairness in multiparty computations, basically
17:39 < amiller> we've basically talked about all of these things before
17:39 < gmaxwell> amiller: yea, so it's generalizing the iddo stuff on the forum?
17:39 < amiller> yeah exactly
17:40 < gmaxwell> is it a pure theory paper or did they implement something?
17:40 < amiller> they say they implemented it all and used eligius to get the transactions in
17:40 < amiller> we should be able to track those down!
17:40 < gmaxwell> What MPC system are they using?
17:41 < nsh> "Abstract: itCoin is a decentralized digital currency, introduced in 2008...." bloody scamcoin pushers....
17:41 < amiller> Blum's coin flipping is all
17:41 < amiller> ah they actually give the transactions they use
17:41 < amiller> as blockchain.info indices
17:41 < amiller> https://blockchain.info/tx-index/97079150
17:42 < gmaxwell> ugh.
17:42 < gmaxwell> why would they do that... derp
17:42 < amiller> saves space :p
17:42 < amiller> (i see nothing wrong with that, tbh)
17:42 < gmaxwell> amiller: it'll be lost forever if bc.i reindexes again.
17:43 < amiller> well we should tag the paper with whatever relevant transactions they actually have
17:43 < gmaxwell> those indexes are not deterministic.
17:44 < amiller> ok well besides that
17:45 < amiller> they didn't need to use any generic mpc compilers like garbled circuits or whatever, their example is just the coin flip game like iddo's protocol, so they used a preexisting coin flip mpc protocol
17:45 < amiller> but their general statement is about any MPC
18:19 < hno> nsh, itCoin is only a copy-paste typo in the online abstract and meant to say BitCoin.
18:19 * nsh nods, smiles
18:20 < gmaxwell> amiller: I expect iddo will be unhappy with that paper.
18:20 < gmaxwell> amiller: it doesn't really go too much further than the coinflip stuff other than to note that it could be applied more generally. And I assume iddo was working on a similar paper.
18:21 < nsh> link/ref for iddo's work?
18:25 < nsh> also a discussion on mitmtalk now: https://bitcointalk.org/index.php?topic=355174.0
18:25 < nsh> oh, that was you amiller
18:29 < gmaxwell> amiller: I edited your post to add some hyperlinks. I hope you don't mind.
18:55 < amiller> np gmaxwell
18:55 < amiller> i think i'll email them and suggest they review iddo's forum post
18:55 < amiller> btc community is basically doing a terrific job of publishing and archiving all these ideas where they're trivial to cite and in fact people build on each other's work quite well
18:56 < Luke-Jr> terrific? more like terrible :P
18:56 < nsh> amiller, where's iddo's forum post pls?
18:57 < Luke-Jr> at least on my part
18:57 < gmaxwell> nsh: I added links to amiller's post. Reload.
18:57 < nsh> oh, thanks
18:57 < gmaxwell> Luke-Jr: people post ideas, they're clearly explained or if not, people ask questions and explanations are forthcoming.
18:57 < gmaxwell> Luke-Jr: people are building off each other's work and cooperating.
18:58 < gmaxwell> The work isn't super rigorous or deep, but it's making a lot of progress.. and it even sometimes has implementations which is something you can't say for many academic works.
19:01 < Luke-Jr> gmaxwell: a lot of the time it's just IRC chatter; even for forum stuff, it's hard to remember where what was said
04:04 < midnightmagic> nsh: We can't be friends anymore. I'm sorry.
04:04 < nsh> because gaiman? noes...
04:05 < nsh> if it helps, i was working in a call centre at the time and anything that wasn't market research questionnaires got a pretty big attentivity power-up
05:27 < justanotheruser> What are your thoughts on this? Can you route your bank website traffic through a third party safely? https://bitcointalk.org/index.php?topic=173220.0
05:34 * nsh frowns
05:35 < justanotheruser> In post 10 it looks like he proposes just giving the escrow the SSL key
05:36 < nsh> why not just get a receipt from the bank like everyone else does?
05:38 < justanotheruser> nsh: because that could be forged easily
05:44 < nsh> in any system where the bank has a private key, signing a receipt is going to be much simpler and more effective than keeping a log of http traffic
05:44 < nsh> i am probably missing something but this seems pretty absurd
05:44 < gmaxwell> nsh: that requires the bank cooperate.
05:45 < gmaxwell> this can work if the bank doesn't do jack shit beyond having an ssl website.
05:45 < justanotheruser> nsh: Banks don't sign receipts
05:46 < justanotheruser> they just encrypt it and send it to you
05:47 < justanotheruser> gmaxwell: have you seen the post I linked?
05:47 < justanotheruser> You're usually able to tell me some fundamental flaw in a system.
05:48 < gmaxwell> a while back, if it's the thread I think it is.
05:48 < gmaxwell> the proxy on aws that can extract a transcript of your bank session minus login credentials
05:48 < gmaxwell> which has enough remote attest to be relatively confident that it's legit
05:49 < gmaxwell> it's ugly, but what better can you do? It would be vulnerable to misconduct on the proxy host hardware, or vulnerabilities in the software stack.
05:49 < justanotheruser> gmaxwell: can the transcript be forged?
05:49 < gmaxwell> avoiding leaking things like session cookies might be hard.
05:49 < gmaxwell> by someone with control of the proxy hardware or who has compromised its software stack.
05:50 < gmaxwell> I'd have to review again, I didn't look at it too deeply before.
05:50 < nsh> all seems very messy. i bet there are lots of ways to interact with online banking software that look right but cause a failure, or instantly cancelling it through another channel, etc.
05:50 < gmaxwell> my 30 second conclusion was 'yuck, well I suppose you probably can't do better right now'
05:51 < justanotheruser> gmaxwell: P2P exchanging with fiat is a pretty messy concept when you have banks that don't sign receipts and dollars that don't have proof they were transacted.
05:52 < gmaxwell> plus tons of corner cases.
05:52 < nsh> i wonder what a bank would say if you asked them to cryptographically sign receipts of purchase
05:52 < nsh> doesn't seem hugely onerous
05:52 < justanotheruser> gmaxwell: example of a corner case?
05:52 < gmaxwell> I'm sure there are all sorts of ways to make a ledger entry show up in the bank which means nothing.
05:52 < gmaxwell> I mean the transactions are inherently reversible.
05:52 < justanotheruser> nsh: they wouldn't go through that much work to keep a customer
05:53 < nsh> never ask for yourself.
ask for you and your seventeen thousand friends :)
05:53 < gmaxwell> I pay you.. shows up in my bank. I get a transcript and call the bank. "sorry, I was drunk and some fraudster tricked me into it. please reverse."
05:53 < justanotheruser> gmaxwell: how do exchanges deal with that?
05:53 < gmaxwell> nsh: the problem is that we want to use this for applications the bank actually wants to block.
05:53 < nsh> oh, right
05:54 < gmaxwell> justanotheruser: long delays, invasive personal information collection... and profit margins big enough to absorb non-trivial losses.
05:54 < justanotheruser> gmaxwell: but if I wire money to btc-e in russia, it can't be reversed right?
05:55 < gmaxwell> it can be, sometimes.
05:55 < justanotheruser> wouldn't that involve russian banks cooperating?
05:56 < justanotheruser> Perhaps P2P exchanging can be achieved if we only trade with members of countries that aren't super good buddies with us.
06:31 < CodeShar_> gmaxwell: I got rid of that boost_log dependency :)
06:32 < CodeShark> gmaxwell: I got rid of that boost_log dependency :)
09:39 < Emcy> 30c3: To Protect And Infect, Part 2
09:39 < Emcy> is there actually a part one anywhere or is it called part 2 for another reason
10:57 < Emcy> i think appelbaum genuinely thinks he might wind up dead
11:27 < pigeons> it is scary to be messed with and have your family messed with by the people who are apparently messing with him
11:31 < Emcy> just how he joked about it at the end
11:31 < Emcy> just the way it came across
11:31 < Emcy> like he knows he is far past the point of no return so may as well press on
16:59 < andytoshi> a new snark paper from ben-sasson: http://eprint.iacr.org/2013/879
17:03 < andytoshi> 35 pages, has a bunch of tinyram benchmarks, looks really cool
17:53 < nanotube> fwiw, i enjoy both stephenson and doctorow >_> i wonder what that says about me.
:)
17:56 < Emcy> doctorow i find a bit hard because the stuff he writes is preaching to the choir for me
18:01 < andytoshi> hey guys, who makes laptops like lenovo?
18:01 < andytoshi> who is not lenovo
18:08 < nanotube> haha good thing you qualified. or i might have said lenovo. >_>
18:09 < Emcy> what's wrong with lenovo
18:09 < nanotube> what particular qualities of 'like lenovo' do you have in mind?
18:09 < nanotube> i've been pretty happy with dells
18:09 < nanotube> they take well to linux
18:13 < andytoshi> well, the 440p no longer has the intel chipset, and rumor has it that the default one does not support linux
18:13 < andytoshi> also they don't have the eraser mouse
18:19 < andytoshi> by 'like lenovo' i mean i want a decent keyboard, and an eraser mouse, and ruggedization
18:55 < gmaxwell> maaku: in your blind signing investigation did you find an implementation for JS ready to go someplace.
18:57 < gmaxwell> ?
18:58 < gmaxwell> I'd like to ask wikimedia to just setup the donation form so that when you donate, for every $10 donated you get a blindsigned token which can be used to make an IP BLOCK exempt account in order to solve this problem: http://lists.wikimedia.org/pipermail/wikitech-l/2013-December/073764.html
19:45 < robert222> Bitmessage 2.0
19:45 < robert222> http://twister.net.co/
19:45 < robert222> "Introducing Twister: a fully decentralized P2P microblogging platform leveraging both the Bitcoin and BitTorrent protocols. "
19:50 < sipa> kthxbye
19:51 < CodeShark> https://github.com/CodeShark/bips/blob/master/bip-n2.mediawiki
19:51 < CodeShark> gmaxwell, sipa: please, tell me why this is a bad idea :)
19:52 < sipa> if a transaction gets included right at the edge, a reorganization could push it over the limit
19:52 < sipa> making it invalid
19:52 < sipa> and making any transaction depending on it invalid
19:52 < CodeShark> same could be said for double-spends, though, no?
19:53 < sipa> those don't happen without malice
19:53 < CodeShark> I gave some examples where they in fact happen without any malice at all
19:53 < sipa> malice or bugginess :)
19:54 < CodeShark> in practice you'd set the expiration sufficiently in the future and set the fee high enough so that this reorg risk is reduced
19:54 < gmaxwell> CodeShark: sipa was faster than me. This creates fungibility problems because now you have transactions dependent on spending recently mined expiring coins, where a perfectly ordinary chance reorg will invalidate enormous amounts of transactions potentially.
19:55 < gmaxwell> CodeShark: the risk is not just to the transaction user, the risk is to all downstream coins... and so you'd have to do blockchain analysis to figure out which coins have what exposure.
19:55 < gmaxwell> (preventing this is part of why the coinbases aren't spendable for 100 blocks)
19:55 < CodeShark> hmm - ok, this is a valid point, trying to think of a way around it
19:56 < sipa> in a world where nobody trusts 0-conf transactions, and everyone waits N (with N>2 or so) confirmations before spending anything, that is likely much less of a problem
19:56 < gmaxwell> There are other script features people have wanted that had similar risks.
19:56 < CodeShark> yeah, what sipa just said: accepting transactions with low confirmation count is already somewhat risky - if some of those coins also happen to be near expiration, it's even more risky
19:56 < gmaxwell> sipa: except if you accept N>2 and someone has a transaction which would get killed by an N=3 reorg, you would really want a N>2+3 wait on that coin.
19:57 < CodeShark> the biggest problem, I think, is not so much the risk - this could be managed - but the potential complications in dependency analysis
19:58 < CodeShark> but nothing that couldn't be solved with some well-written code :p
19:58 < sipa> too tired to reason now, but i'm very wary about changing the (apparently very deliberately chosen) rule that a transaction, once valid, is always valid (modulo its inputs becoming unavailable)
19:58 < CodeShark> doesn't seem to be intractable
19:58 < gmaxwell> as far as expirations go, we already have a way to expire: spend one of the contributing inputs. :P
19:58 < sipa> CodeShark: it's completely impossible for SPV wallets to do such analysis
19:58 < sipa> without a local mempool
19:58 < CodeShark> sipa: true
19:59 < CodeShark> well, there could be other partial validation mechanisms
19:59 < CodeShark> but that's perhaps a topic for another time :p
19:59 < sipa> that's perhaps more on topic here in the first place :D
19:59 < CodeShark> I'm running into this problem right now as we speak, though - here's the use scenario:
20:00 < CodeShark> (it's not hypothetical - I'm actually doing it for real)
20:00 < CodeShark> you create a joint account with two other people, 2-of-3 signature policy
20:00 < CodeShark> you want to initiate a payment, need approval from at least one other person
14:11 < petertodd> jgarzik: Well, half the cost is probably a decent number to make it clear that doing the right thing is the way to go.
14:11 < gmaxwell> jgarzik: I do think we should have some way of binding a hash to a transaction under signature, setup so the data is prunable and so the space usage is strictly limited. Esp if such a tool makes it easier for people to use _hashes_ instead of raw data that just has a lot of additional problems for us.
14:12 < jgarzik> currently patch definitely provides that
14:12 < jgarzik> timestamping an entire transaction is another use case, which obviously requires more data transited
14:13 < jgarzik> cannot have proof of visibility otherwise
14:14 < gmaxwell> proof of txn visibility is an interesting special case, because the list of interested parties is 1:1 with miners, I think it would be really unfortunate to enable random data storage just to enable txn timestamping.
14:14 < petertodd> We already have random data storage and can't do *anything* about it.
14:15 < gmaxwell> petertodd: That isn't the case for the utxo set.
14:15 < gmaxwell> oh but this is op_return.
14:15 < gmaxwell> Hm.
14:15 < petertodd> Let's suppose P2SH^2 was implemented and we even forced P2SH^2 spends to have signatures for every pubkey, you could *still* make special pubkeys by modular addition from a known point and just subtract that known point to recover the data.
14:15 < jgarzik> gmaxwell, "interested parties ?1:1" not really. Or at least not right now. The link just given is anyone-can-spend.
14:16 < petertodd> gmaxwell: Sheesh, took you a while to notice that...
14:16 < gmaxwell> part of the problem is I can't prove an output was @#$@# OP_RETURN to you without actually giving you it. :(
14:16 < petertodd> But you can't prove an output was spent correctly without giving you it either.
14:16 < gmaxwell> jgarzik: well, at least interested in _theory_; not my fault that miners aren't economically rational in any simple sense. :P
14:17 < jgarzik> heh. Well maintenance costs of carrying a patched bitcoind forever also factor into rational economic decisions
14:17 < petertodd> OP_RETURN isn't special in that regard, and future UTXO proof stuff will allow for pretty good certainty that a given txout was prunable because it never made it to the UTXO set.
14:17 < gmaxwell> this 'simple sense' :P
14:18 < jgarzik> ;p
14:18 < jgarzik> petertodd, sipa's pullreq already does similar
14:18 < gmaxwell> petertodd: ideally it should be possible to sync a chain minus instaprunable data.
14:19 < petertodd> Remember that provided the inner tx of an announce-commit is standard, interested *users* can always ensure sacrifices are actual sacrifices to keep whatever service they are using maximally honest.
14:19 < petertodd> gmaxwell: Yup, but that's going to require a soft-fork.
14:19 < petertodd> jgarzik: His prune OP_RETURN one? Yeah, it's not exactly rocket science...
14:20 < jgarzik> petertodd, nod. proving an inner tx is already a known quantity
14:21 < gmaxwell> So? For example, I'd rather require the OP_RETURN to only have 32 bytes, and then have a soft forking rule that there is additional out of transaction data required for you to accept the transaction near the tip. The fact that the soft fork would take a while to deploy is moot.. it will take years to deploy the sacrifices, so the fact that their security is weak initially is no big deal.
14:21 < jgarzik> obviously you can only prove unspent at that point in time, but it's still a lot of validation
14:21 < petertodd> gmaxwell: Look, like it or not, all you can do is make data in the blockchain more or less expensive relative to standard transactions. That's *it*
14:22 < gmaxwell> lol. Are you pounding a table? Careful. You might break it!
14:22 < petertodd> gmaxwell: If you want to do something, submit a pull-req to make CHECKMULTISIG's not in a P2SH !IsStandard() for instance - it'll up the cost.
14:22 < jgarzik> gmaxwell, I'm working on the identity stuff now, and certainly won't wait years :)
14:23 < gmaxwell> petertodd: but it simply isn't so, I can many any of it get hidden behind hash preimages... from where it becomes much easier to cut-along-the-dotted-line
14:23 < petertodd> All limiting OP_RETURN does is send a *social* message.
14:23 < jgarzik> gmaxwell, the alternative is simply yucky but still doable (1-of-X pubkeys is actually valid)
14:23 < gmaxwell> jgarzik: you don't have to wait years for it to be used.
14:23 < adam3us> could there be another store and forward channel for tx data that doesn't need to be in the block chain, so the data doesn't need to be in the block chain, can still be sent if the users are not both online at the same time, can do so without resorting to email; and then try to minimize the bytes on the block chain via commitments etc
14:23 < gmaxwell> petertodd: no, that really isn't true.
14:23 < petertodd> gmaxwell: "I can many any" <- ?
14:24 < petertodd> adam3us: We're talking about proof-of-visibility here.
14:25 < adam3us> yeah i know, was lurking, but also about bloating the blockchain
14:25 < adam3us> there's a diff between everyone must see (validation) and must be available/pruneable or not
14:26 < petertodd> gmaxwell: Right now I can put 360 bytes of data in a given OP_CHECKMULTISIG txout. Making OP_RETURN limited to 32 bytes when CHECKMULTISIG abuse exists is sending a social message. So if you want to do that, ban OP_CHECKMULTISIG's not in P2SH at the same time.
14:27 < gmaxwell> jgarzik: basically an identity transaction whose visibility proof depends on a soft forking change to not mine it unless you've seen the hash elided data is usable to you today. But less secure until the soft forking change happens.
14:28 < gmaxwell> petertodd: There is no reason that you have to do (B) before (A) when your concern is just that it remains possible to do (B) in the future.
14:28 < petertodd> gmaxwell: Yes, but until you do (B) all you are doing is sending a social message because anyone who actually has a use-case for the 360 bytes will just do (A)
14:28 < gmaxwell> And I do think it's important to not enable more random data storage in a manner which is incompatible with hiding it behind a hash.
14:29 < petertodd> gmaxwell: Be clear: are you talking about UTXO data or blockchain data?
14:29 < jgarzik> gmaxwell, in general I agree, hence the proposal of "80 bytes || standard tx"
14:29 < jgarzik> gmaxwell, because the latter is a special case (PoV)
14:30 < jgarzik> the vast amount of timestamping works just fine with a hash
14:30 < petertodd> jgarzik: and the "standard tx" option for data is just the Bitcoin developers saying "we think *that* use of data is cool, so we'll make it cheaper"
14:30 < jgarzik> petertodd, yes
14:30 < jgarzik> petertodd, which is what all the IsStandard rules are :)
14:31 < gmaxwell> jgarzik: Why quite so much as 80 bytes? What I'm pointing out is that even the special visibility stuff can work with a hash too: so long as we add a soft-forking rule that says you don't accept a block unless it comes with the preimage of the hash, when the block is near the tip of the chain. After that the data can be forgotten.
14:31 < petertodd> jgarzik: Emphasis on cheaper. It is *not* us saying blockchain data is banned, because we have no way to make that happen.
14:31 < gmaxwell> (if it's not clear my last line was two totally distinct things)
14:32 < petertodd> gmaxwell: Forgotten in what context? UTXO or long-term blockchain data?
14:32 < midnightmagic> ;seen gavinandresen
14:32 < midnightmagic> ;;seen gavinandresen
14:32 < gmaxwell> Kinda crappy that we just needed to cut down on the additional message data, as that would have been a ducky channel to relay the preimages. :P
14:32 < gmaxwell> petertodd: forgotten in long term blockchain data.
14:33 < petertodd> gmaxwell: That's only possible by adding a proof-of-possession PoW mechanism and having a separate set of data storage.
14:33 < gmaxwell> Derp what?
14:34 < gmaxwell> You have a transaction with a hash in it. For the txn to be valid you must have the preimage of that hash. But this rule only applies when the block is sufficiently new.
14:34 < gmaxwell> You now have proven visibility once the rule is widely deployed.
14:34 < jgarzik> gmaxwell, Definitely lost me there. I'll have to ponder/parse :) I don't see how it solves the proof of visibility, but maybe "hash" is vague
14:34 < gmaxwell> Without adding more than 32 bytes of hash to the long term visible block chain.
14:34 < jgarzik> hrm
14:35 < jgarzik> gmaxwell, in particular for identity, the full tx must be available for anyone to spend
14:35 < petertodd> Right, you've proven visibility in the sense that 1/2 * hashes/second * 10 minutes of hashing power saw it - that's not very good.
14:35 < gmaxwell> jgarzik: Think of it as making the visible data attached to the transaction with a perforation: Rip along the dotted line. But you're not allowed to rip it until the block is sufficiently old. You can define how sufficiently (maybe even encode that in the txn).
14:35 < petertodd> All I have to do to make invalid sacrifices is temporarily hack into a few big pools for an hour.
14:36 < petertodd> s/sacrifices/proof-of-visibility/
14:36 < gmaxwell> petertodd: No, that's not the case.
14:36 < petertodd> gmaxwell: Why not?
14:37 < gmaxwell> petertodd: You can choose the security parameter to where that isn't an issue. If the rippable sections must be provided for 144 blocks are you speculating that someone will perform a 144 block reorg in order to make bogus sacrifices? Might as well give up. You've already accepted some maximum depth by virtue of the nlocktime offset.
14:38 < gmaxwell> I don't know what parameter makes sense. I'd have to think more. But the important thing is that you can make the data possible to rip out, so that _no one_ has to remember it once an adequate announcement window has passed.
17:22 < amiller> i'm pretty opposed to any change in behavior that addresses some particular deviant strategy without any way of showing that it doesn't introduce poor performance against various other possible strategies
17:23 < amiller> i guess the idea is with simulation you can take all conceivable strategies and let them battle it out...
17:24 < adam3us> gmaxwell: yes ntp security is bad, adding dependence on time accuracy also bad; hard to eval anything without simulation - game theory permutations too complex
17:24 < adam3us> gmaxwell: it might not be inherently bad in the sense that if you tried to replace an old block, chances are someone else would extend it in the mean time then you wasted time
17:26 < adam3us> amiller: if nothing else this selfish-miner paper proves this is very complex and hard to exhaustively reason about, so +1 i think it's a given, can't make changes eg until litecoin has canaried a well simulated and argued proposal for a year+
17:26 < amiller> lol.
17:27 < adam3us> amiller: (i mean by fact that seemingly other than bytecoin and maybe petertodd, this >33% strategy existed for years without it registering to everyone there could be a problem)
17:28 < gmaxwell> the problem there is that all coins (other alts, litecoin, even bitcoin) have gone huge spans of time with _known_ exploitable vulnerabilities (e.g. to get an edge at mining) and without people exploiting them. live testing is very useful but doesn't really tell us an attack won't start.
17:28 < adam3us> gmaxwell: but i also was suspicious about the concept of relying on coordinated time, it doesn't really exist in a distributed system, and pretending it does is bad
17:28 < amiller> (i'm pissed i didn't think of it too, while thinking about related anomalously-large-txfee and feather-fork incentive-compatibility problems)
17:30 < adam3us> does bitcoin have some built in sanity check protocol for time
17:31 < gavinandresen> adam3us: yes, although there is a longstanding bug-- see discussions of "timejacking"
17:35 < adam3us> i liked the idea of discouraging blind pooled mining, maybe you could do it with a reward address being a chameleon hash, then the pool can be convinced reward is due, but the miners can selfishly withhold the key winning block and assign it to themselves
17:37 < amiller> adam3us, sounds like my non-outsourceable puzzle?
17:37 < amiller> i don't understand the difference if there's one
17:37 < adam3us> amiller: yes that was what elicited the above
17:39 < adam3us> amiller: just suggesting the underlying problem is blind pools, and agreeing with your non-outsource motivation, and suggesting chameleon hash reward address could be a mechanism (i didn't see a simple one in the thread)... in that way you can change the reward addr after the fact
17:41 < adam3us> amiller: (btw i was going to ref the thread which i have open in a tab on other machine, but i couldn't remember if it was you or socrates ah.. you are socrates! that explains)
17:50 < maaku> adam3us: I haven't followed your latest discussions, but I understand it has something to do with alternatives to blind signatures, right?
17:50 < maaku> I'm using 1024+ bit RSA blind signatures for CoinJoin
17:50 < maaku> is there a better primitive I could be using?
17:51 < adam3us> maaku: yes there is a schnorr blind sig which can be EC so that's more similar, in fact it can use the same keys and params as ECDSA
17:52 < adam3us> maaku: and if you need to encode a value to the blind sig, brands has an extended version of it, i have code (non EC, but DL with openssl): google credlib brands
17:53 < maaku> adam3us: is there sufficient peer review of these schemes?
17:53 < adam3us> maaku: 1024 is weak, you need really 3072 rsa to match 256 ec
17:53 < maaku> well, it's not long-term keys
17:53 < maaku> just need to be secure for the duration of the protocol
17:53 < maaku> hours to days max
17:53 < maaku> typically minutes
17:54 < amiller> adam3us, lol, yeah, i'm socrates1024. sock, for short
17:54 < adam3us> maaku: yeah brands phd supervisor was chaum (inventor of blind sigs & ecash) then when brands fell out with him, rivest & shamir or something
17:55 < amiller> adam3us, anyway the construction for that approach has the advantage of using exactly SHA2 as the underlying hash, no need for chameleon hash, so that's a benefit to miners, although the zero-knowledge puzzle-stealing option relies on generic zk snark
17:56 < adam3us> amiller: yes i saw zk snark and thought... hmm complex, unproven, impractical as a starting point (though i know they compile based on existing zk constructs)
17:56 < amiller> it's not unproven...
17:56 < amiller> "GGPR" is the underlying scheme and proof https://usukita.org/sites/default/files/P3_rgennaro_quatradic_span_programs.pdf
17:56 < adam3us> amiller: i mean as in hasn't survived 20 years of academic prodding, not in sense of not coming with security proofs, many things with proofs got broken
17:56 < amiller> ok well yeah
17:57 < amiller> fair enough
17:57 < adam3us> amiller: whereas a chameleon hash can be very simple, posted one in gmaxwell's thread which is basically like a schnorr sig, ultra simple
17:57 < adam3us> amiller: conventional simple ECDL & hash assumptions
17:58 < amiller> i'm not sure it's suitable for proof of work
17:58 < amiller> i mean, proof of work relies on much more than collision resistance
17:58 < adam3us> maaku: doesn't privacy rely on the blind sig?
17:58 < amiller> you need like n^th unbounded partial preimage resistance
17:59 < adam3us> amiller: i don't mean as the work hash, just the reward address
17:59 < amiller> i don't think that's sufficient to get the strong work-hiding property
17:59 < adam3us> amiller: put in the coinbase, rewardaddr=CH(addr,x)
17:59 < amiller> in other words you could still embed watermarks in the work and therefore the mining pool could enforce it by requiring a bond to participate
18:01 < adam3us> amiller: yes you do need the mechanism to be ZK basically, so in the chameleon case you need there to be no coercion way for the miner to prove he has disabled the hash malleability
18:02 < maaku> adam3us: no, at least with RSA blind sigs, breaking the key means someone else can impersonate the facilitator
18:02 < maaku> ...
i think, i would suggest double-checking that
18:02 < maaku> but the blinding factor should make sure that privacy is preserved
18:03 < adam3us> maaku: yes you are right, it's info theoretic privacy
18:03 < adam3us> maaku: but if they factor your key, and it's long lived, they can take your money
18:03 < maaku> well, the key doesn't outputs in this case
18:04 < adam3us> maaku: but are you wanting a single denomination only? chaum blind sig ecash has no denomination
18:04 < maaku> for a mixing coinjoin transaction, there's a pool of same-denomination outputs, and the facilitator generates a key specific to that pool
18:05 < maaku> the participants then blind their outputs, the facilitator signs them, then the participants disconnect, unblind, and reconnect anonymously to broadcast
18:05 < maaku> then the key is thrown away
18:07 < adam3us> maaku: ok; yes just to say if you want multi denomination brands can do it, though i suppose that won't be useful as diff denominations tend to correlate the inputs
18:07 < adam3us> maaku: ok; yeah rsa blind is very simple
18:09 < adam3us> maaku: i suppose rsa keygen is a bit entropy hungry and cpu expensive vs ec schnorr long term keys but otherwise it seems not much point switching
18:13 < adam3us> amiller: have to think about the zk coercion free possibility of chameleon hash for nonoutsourceable puzzle, seems like an interestingly simple mechanism if it could be shown secure
18:14 < maaku> adam3us: I'll probably continue to prototype with RSA (other advantage: implementation is dead simple)
18:14 < maaku> but it's nice to keep tabs on more efficient (space and time) solutions
18:14 < adam3us> maaku: yes exactly, simplicity tends to win
18:14 < amiller> adam3us, it seems like a premature optimization to me but i don't disagree really, i guess i'm personally more interested in seeing if i can get any better economic statement just by assuming we have a coalition-free puzzle
18:15 < maaku> i just wasn't aware there was much consensus
on an EC blind signature scheme
18:15 < maaku> it's a primitive we need to have anyway for other uses...
18:17 < adam3us> maaku: yep it's there i guess despite its brilliance no one really used brands stuff nor even chaum
18:22 < adam3us> maaku: btw p5 & 6 of this: http://www.di.ens.fr/~pointche/Documents/Slides/1996_asiacrypt.pdf talking about blind sigs mentions chaum and schnorr for background
18:22 < adam3us> maaku: (gives the math on one slide)
18:33 < adam3us> amiller: btw in non-outsourceable puzzle thread you described motivation to prevent a hosted miner (by making it so the hosted miner could steal from the user) however i mean something related but different, discouraging pooled miners from not validating their own blocks (blind mining i mentioned it as)
18:35 < adam3us> amiller: you mention miner proving to the paying client that it is working for them, but i guess that's not how people are doing it, presumably they just audit loosely based on knowledge of power and expected return, and that could remain the case with a non-outsourceable puzzle
18:36 < amiller> well it guarantees you'll have no lucky streaks or something like that :/
18:37 < adam3us> amiller: however users blindly using miners is bad, without validating their own blocks so i was interested in ways to make that (not creating your own coinbase from tx you got yourself) unsafe for the pool
18:37 < amiller> i see
18:37 < adam3us> amiller: yes but that's not a big disincentive
18:38 < amiller> you're right it's unfortunately sort of tricky there
18:38 < adam3us> amiller: it's kind of the same thing but in the opposite direction
--- Log closed Mon Nov 11 00:00:04 2013
--- Log opened Mon Nov 11 00:00:04 2013
04:20 < gmaxwell> if you mean some function of recent transaction fees the problem is miners padding up transaction fees with payments to themselves to manipulate prices (might as well just let miners set them)
04:20 < justanotheruser> gmaxwell: you could look at how much was paid in tx fee
since the last difficulty adjustment (or some other arbitrary period of time) 04:21 < justanotheruser> gmaxwell: yeah, that is a problem 04:22 < justanotheruser> There's not really a way to evaluate how many namecoin users there are... 04:22 < gmaxwell> you can look at the registrations however. 04:23 < gmaxwell> (and also, it's easy to see it not being used anywhere, and even easy to see the lack of people asking how to use it) 04:23 < justanotheruser> gmaxwell: but you can't set the registration rate based on the number of registrations 04:23 < gmaxwell> yea oh sorry I thought you were back to suggesting that namecoin isn't currently a failure. :P 04:23 < justanotheruser> If there were only 500 domains offered per day, people would have to compete in price for registering. 04:24 < justanotheruser> Unfortunately namecoin isn't going to ever be stable, so you can't say "$10 for a registration" 04:24 < gmaxwell> yea, I've got no freeking idea. yes, one possible way would be to make the database fixed in size or something like that. 04:25 < justanotheruser> if people compete in price it would have to be in mining fees, so the miners would be able to register however many domains they wanted... 04:25 < gmaxwell> well with 2 way-peg you could transfer bitcoins into the namecoin chain to pay for names, thus giving them to miners, who can remove them from the namecoin chain. (I mean, if we're talking about things which decidely aren't namecoin as it is today) so then the instability of namecoin as a tradable asset can be removed. 04:25 < justanotheruser> but I guess for every domain they buy, they lose one domain sale that day 04:25 < gmaxwell> justanotheruser: unless the system just limits it via a protocol rule. 04:26 < justanotheruser> gmaxwell: is there a way to have a decentralized 2 way peg? 04:26 < gmaxwell> I guess you missed those discussions. I believe it's possible, there are some security limitations. 
04:27 < justanotheruser> also I don't think pegging something to bitcoin makes it stable. It makes it more stable relative to all other cryptocurrencies, but relative to almost every other asset/commodity bitcoin is incredibly unstable
04:28 < gmaxwell> basically I suggested a relatively minor softforking addition that would allow you to assign coins to another chain, and then carry a proof back from the other chain to bitcoin to allow you to very slowly teleport coins back and forth.
04:28 < gmaxwell> (slowly meaning like 100 blocks)
04:28 < justanotheruser> gmaxwell: would this allow for offchain transactions if the bitcoin chain was too big making transaction fees high?
04:29 < justanotheruser> well not "if", but for that reason would it be useful
04:29 < gmaxwell> it would. or more interesting it would allow altcoins to experiment with new ideas without also creating new currencies. (at least when the idea is just new payment network ideas)
04:30 < gmaxwell> e.g. you could have namecoin but without having a separate namecoin currency. or you could have some 10 second blockchain thing (0_o) or something with more powerful script.
04:30 < gmaxwell> (turing complete script, whoppie!)
04:30 < justanotheruser> gmaxwell: is the peg discussion in #bitcoin-dev logs?
04:30 < gmaxwell> it's in the logs here.
04:30 < justanotheruser> any public logs for this channel?
04:31 < gmaxwell> andytoshi-away: makes logs, dunno where they are.
04:31 < michagogo|cloud> (The logs should really be mentioned in the topic...)
04:32 < justanotheruser> I'll make a note to ask him for the logs
04:32 < gmaxwell> it's not a serious proposal at this time... but perhaps it will become one. The belief that it could work two ways is relatively new. (it's not that complicated an idea though, I'm sure I would have said it was obvious in 2011 if it had been suggested to me then)
04:32 < justanotheruser> gmaxwell: so would this pretty much remove the need for Open Transactions?
04:33 < gmaxwell> but in any case the idea is that you make a payment to a special scriptpubkey which basically says "these coins are now controlled by foocoin" and then it's possible to spend from txouts to that scriptpubkey by showing up with an SPV proof "foocoin says you should give me X of those coins to scriptpubkeys Y and Z", plus some extra details.
04:34 < gmaxwell> justanotheruser: well it would allow the same kind of "binding" that open transactions could do already using multisig ... but allow it for other blockchain cryptocurrencies.
04:34 < justanotheruser> gmaxwell: isn't the only way for that SPV proof to exist by embedding all those block headers in the bitcoin blockchain?
04:35 < justanotheruser> Or is there some way that the miner can be proved that their blockchain says something without actually looking at anything other than the transaction
04:35 < gmaxwell> justanotheruser: sure, but 100 blocks is 8kb. whopptie do. These transfers would generally be infrequent because they'd be used for bulk liquidity, normally if you want coins on the other chain you find someone who wants bitcoin and you do an atomic coinswap.
04:35 < gmaxwell> But the coinswaps alone cant get you a 2-way peg because they can't provide long term liquidity.
04:37 < gmaxwell> justanotheruser: the proofs could also be structured so that they can be pruned. e.g. perhaps the only thing that gets stored in the blockchain directly is a summary of the proof. After all the proof only has SPV security, once it's thousands of blocks deep in bitcoin why keep it? (and if that were done the proof wouldn't need to count against the block size limit, or wouldn't need to count against it fully)
04:38 < gmaxwell> (also a single proof could actually be batching dozens of transfers, e.g. foocoin tells bitcoin a whole list of scriptpubkeys to pay, at least you can get batching in the foo->bitcoin direction)
04:39 < justanotheruser> gmaxwell: Seems expensive still. The blockchain could end up storing a dozen other blockchain headers in it
04:39 < gmaxwell> e.g. the foo->bitcoin instructions are generated by foocoin miners, summarizing actions commanded by transactions and validated according to the foocoin rules.
04:40 < gmaxwell> justanotheruser: well snarks can compress that kind of thing down to 384 bytes for 128 bit security, but I'd prefer to show it viable without any cutting edge cryptography.
04:40 < justanotheruser> I wonder if there's some crypto that could be used to do that proof in a size significantly smaller than the actual altchain
04:40 < gmaxwell> justanotheruser: and each of those dozens of other chains could have an infinity of transactions, seems like a good tradeoff to me.
04:41 < justanotheruser> gmaxwell: do you think that's more viable than sharding the blockchain?
04:41 < gmaxwell> justanotheruser: zk-SNARKs can have size only proportional to the security level. The size of the rule being proven or the data it accesses is irrelevant to them.
04:43 < gmaxwell> but the really small ones have some uncomfortable security tradeoffs (CRS assumption) the ROM ones are somewhat larger (eg 20kb, though I did invent a novel compression scheme which may help, so they may not be good for compressing header proofs, but then again they'd allow full security not just spv, potentially.. but this is all really cutting edge and not yet totally practical stuff.)
04:44 < justanotheruser> hmm
04:44 < justanotheruser> gmaxwell: do you have some cryptography PhD or something?
04:45 < gmaxwell> in any case, I don't think an 8kb signature intermittently per bound chain is a bad tradeoff. Especially knowing that application of sufficient magic could make it smaller in the future.
04:45 < gmaxwell> justanotheruser: No. I'm just some guy who enjoys math.
04:45 < justanotheruser> I see
04:45 < justanotheruser> This idea seems to have a lot of potential
04:46 < justanotheruser> Would this not require disabled opcodes to determine whether the transactions belonged to someone else on this other chain?
04:47 < justanotheruser> I guess you said it was a softfork, so my real question is why wouldn't it
04:47 < gmaxwell> I think it does too. well, and it also may solve a problem thats been bothering me which is that its hard to do novel cryptocoin experimentation. We can't mess around with it in bitcoin because its too important. Alt systems generally get little love because they're worthless, unless you make a big thing about pumping their value and then that speculation becomes all encompassing.
04:48 < gmaxwell> justanotheruser: we'd add a new opcode in place of a no-op today "the thing on the stack is a chain binding proof, this transaction is only valid if the proof is valid"
04:48 < gmaxwell> old nodes would just see a no-op transaction and permit it.
04:49 < gmaxwell> It would be safe to use once a super majority of hashpower agreed to enforce it as a rule in the chain same way p2sh was deployed.
04:49 < Taek42> gmaxwell, what's your opinion of XRP?
04:50 < gmaxwell> Taek42: https://bitcointalk.org/index.php?topic=144471.0 the whole thread is informative, I answer my own question and then get into a discussion with one of the ripple developers.
04:50 < Taek42> thanks
04:53 < justanotheruser> Any known weaknesses to the pegging system?
04:53 < gmaxwell> ohh "Crony Consensus" I'll have to remember that.
04:54 < gmaxwell> justanotheruser: at least as I was describing above it only has SPV-like security. meaning that if you can outpace the second chain you can steal all the bitcoins assigned to it and leave it fractional reserve.
04:55 < gmaxwell> (which would be part of the reason it would need to be fairly slow)
04:55 < gmaxwell> (I mean the teleport operation would need to be slow)
11:19 < adam3us> jgarzik_: sure they do, but what i mean is i want a compact representation for the entirety of a snapshot of an OS (like a merkleroot for the OS at that point in time) so that it is safe to download modules
11:20 < petertodd> adam3us: right, but don't teach your offline wallet about base addrs, because then users will do dumb things like verify the base addr via PGP on a compromised computer - stick to matching the identity of the person they are transacting with and how they established that identity
11:20 < adam3us> jgarzik_: even if the signer does a poor job of managing his rpm signing key
11:20 < adam3us> jgarzik_: like you get an ISO checksum, but then most of these isos wont even install without a network connection!! (nutters if you ask me)
11:20 < jgarzik_> adam3us, interestingly, with some filesystems, that automatically happens at the filesystem level
11:21 < adam3us> petertodd: i am saying lets at least make it work conveniently for the people who are trying to do things securely. eg an exchange has an airgapped backoffice for enrollment. users get a trezor in the snail as part of their exchange setup. that prevents misdirecting deposit addresses
11:22 < petertodd> adam3us: right, which is a totally different tech than anything I was thinking about
11:23 < adam3us> jgarzik_: yeah. you know zach brown? btrfs, zfs have what you said but thats about file system integrity. you want that on the base iso and the merkle tree of all point in time snapshots of packages available for it. then i can write the checksum down and I know for sure even if someone holds a gun to the head of the package signer he cant tamper with code post-hoc or in a targeted way against me
11:23 < K1773R> why does bitcoin use /dev/urandom and not /dev/random?
11:24 < jgarzik_> K1773R, /dev/random takes forever for questionable additional security gain
11:24 < adam3us> K1773R: probably because /dev/random can block and /dev/urandom is good enough. but there could be an argument for /dev/random for keygen only
11:24 < K1773R> jgarzik_: what about ppls with HWRNG?
11:25 * jgarzik_ isn't familiar with the PPLS method of mining pool payouts
11:25 < adam3us> petertodd: point is even the tech users have no bitcoin internal tools short of calling the sender, per transaction, or scripting some pgp sigs on the offline machine (trezor wont do that as its not part of the protocol at present)
11:26 < K1773R> adam3us: well, i just had to debug something (ie, with strace) and saw it used /dev/urandom . which operations depend on /dev/urandom and how much bits/bytes are needed?
11:28 < petertodd> adam3us: indeed they don't, but lets not encourage tools that turn into extremely specific things...
11:28 < petertodd> adam3us: the fundamental issue is you have to verify against the identity that the other party communicated to you with in the first place - the example of a physically loaded key is an exception
11:29 < adam3us> petertodd: thing is airgap doesnt really fix the problem for people who actually do transactions (biz, customers) it just moves it on to the insecure computer and hoping there's no malware on it - we know thats a lose even for revocable credit card payments
11:30 < adam3us> petertodd: what use is a payment request x509 sig against a malware loaded machine with installed malware fake CA, address replacing code, and at the high end stolen CA private keys (not like that didnt happen before)
11:36 < petertodd> adam3us: yes, but if the CA system is secure, then the only thing that really helps is to verify the destination *on the offline wallet* against a payment protocol request
11:36 < petertodd> adam3us: equally, if PGP WoT is secure
11:36 < petertodd> adam3us: anything else means you can do attacks where you trick the user into accepting an identity for the key that had nothing to do with the identity of the person they thought they were transacting with
11:36 < petertodd> adam3us: (modulo entire CA systems meant to track other CA systems... ugh)
11:37 < adam3us> petertodd: right. but people know how to do fact checking, due diligence and biz people do it all the time for high stakes decisions
11:38 < petertodd> adam3us: so what? there's no better alternative
11:38 < adam3us> petertodd: they'll research the company, call them up, go visit them, look at their paper work. expect courier documents. etc this can work for crypto currency exchanges also
11:38 < adam3us> petertodd: yes my assertion is you need the trust to be rooted in the financial identity because its the most critical and most secured part
11:38 < petertodd> adam3us: and yeah, I'm not saying that's a bad thing to do, I'm just saying if you *aren't* doing some fancy physical protocol, we have no other alternative
11:39 < adam3us> petertodd: ok, yes so then i'm saying so we need these signed addresses generated & validated by hw airgapped 'puters and trezor devices as a min bar as part of any bitcoin related transaction
11:39 < petertodd> adam3us: besides, mail has its own set of security risks too... a SSL cert/PGP key + being told to verify a fingerprint isn't crazy (or make it that getting the fingerprint is the only way they can get the key)
11:40 < petertodd> adam3us: indeed, and the payment protocol is meant to solve exactly that!
11:41 < adam3us> petertodd: well except it is probably not the right flow as it needs the recipient key also, plus its so far (right?) tied to X.509 which is a sideways step
11:42 < petertodd> adam3us: no it's not tied to X.509 at all, look at the spec
11:42 < petertodd> adam3us: and what do you mean by flow anyway? you want to just select a recipient in your offline wallet as step one?
11:45 < adam3us> petertodd: i mean you are proving to the world (or giving a transferable proof) that this address belongs to this recipient maybe ok for a merchant, but the user doesnt have an SSL cert to issue a payment request with. i was meaning you could have a payment request request, where you said this is my public key, i want to buy one of those, and then the payment request sends you an encrypted non-transferable signature (or encrypted signature i
--- Log closed Fri Nov 22 11:59:44 2013
--- Log opened Fri Nov 22 12:00:02 2013
12:07 < petertodd> adam3us: sorry, server crapped out, repeat that?
12:10 < adam3us> petertodd: seems like payment request does 90% of it, except you need the signature on the payment request to come from an airgapped key, or the key to carry its own proof it was originally generated with the airgapped key before upload to the server. the thing is if the server is handing out keys from a pool, you dont know if someone broke into the server and re-served you with an address associated with their exchange account
12:11 < adam3us> petertodd: i mean having the server hand out signed requests but composed of an unsigned address from a pool in server ram or server disk is just inviting trouble mid-term though a short term improvement
12:12 < petertodd> adam3us: right, but if your website is insecure they can already redirect where the money goes anyway
12:12 < adam3us> petertodd: its not like people cant break into servers, just that its not that interesting with credit cards because you the consumer pays the 3-5% fraud cost and the merchant lives with the chargeback
12:12 < petertodd> adam3us: the only way to improve upon that is to create a whole new CA system of bitcoin addresses + identities
12:13 < petertodd> adam3us: yeah, well, get better security for your keys: e.g. put the SSL keys on a HSM
12:13 < petertodd> adam3us: or, if it's with PGP, same idea
12:15 < adam3us> petertodd: yes thats what i'm saying. i think bitcoin should form its own payment security based identification system
12:16 < adam3us> petertodd: preferably without trusted third parties (CAs) being trusted too much, or prominently displaying the static merchant identity fingerprint (with airgapped private key) so you can check it manually
12:18 < petertodd> adam3us: check it manually how?
12:19 < petertodd> adam3us: I don't think we know what we should be doing in this space yet actually; get the payment protocol out there and start learning about how it works in practice
12:19 < petertodd> adam3us: what you're talking about, especially re: manual checking, really sounds like a job for PGP...
12:19 < adam3us> petertodd: yes. but its quite predictable where the next weak point is
12:20 < petertodd> adam3us: and again, what good is that vs. adding *manually checkable* OpenPGP to the payment protocol?
12:20 < adam3us> petertodd: i think it ideally should be something simple, concise and built in. the authenticity of addresses is a core bitcoin internal critical requirement
12:21 < petertodd> adam3us: and simple and concise just isn't. The closest thing to simple and concise is a friggin address book with manually entered addresses (+HD wallet seeds if you want to get fancy)
12:21 < petertodd> adam3us: we've already got that
12:21 < adam3us> petertodd: and if we promote one-use addresses, which we do for fungibility/privacy, then we have to somehow fix up the user experience and user comprehension and out of the box security of doing it (even if it means all users need to use hw wallets for non toy amounts of spare change)
12:22 < petertodd> adam3us: yeah, and as I say, we've already got the single address thing covered, and adding derivation isn't rocket surgery
12:22 < petertodd> adam3us: anything beyond that and you're talking about identities, which are not simple or concise, (and frankly I doubt the trade-off is worth it - more people will lose coins due to malware than bad CA's)
12:22 < adam3us> petertodd: right. i proposed another way to get fungibility by using a static address, that can be randomly derived from by senders without your chain code for this kind of reason.
12:23 < adam3us> petertodd: "single address thing covered" you mean one use address as transaction number (but not really address in name)!
18:54 < gmaxwell> right, and you can also have 100 gb of memory which you run 100 instances in parallel, and then you do this over and over again problem after problem amortizing the hardware costs and shifting the costs towards operating costs.
18:55 < tromp__> this imposes a large cost if you want to run 1000s of attempts in 10min, because you need to have many GB now
18:55 < tromp__> ok, now consider the installed base of commodity hardware
18:56 < gmaxwell> sure but its linearish (actually better since manufacturing scales) up to the point at which you start exhausting the earth's resources. :P In any case, I'm not saying this tradeoff loses, but that you cannot compare it soundly without a model for the total cost, not just the upfront costs.
18:56 < tromp__> there may be 100M PC's that can run cuckoo
18:56 < gmaxwell> tromp__: right and that installed base gives the defenders an advantage, but that advantage may in fact be completely overcome by the operating costs.
18:57 < tromp__> so for someone to match that they'd have to invest in 100M *1GB
18:57 < gmaxwell> You can convert everything in this comparison into dollars (or dollar equivalent joules) if you like.
18:57 < gmaxwell> And hardware costs are one time, so they amortize.
18:57 < tromp__> that's WAY harder than in the bitcoin world, where a modest investment can match the combined gpu hashing power in the world
18:58 < gmaxwell> Thats the analysis which I have pointed out several times is flawed.
18:58 < gmaxwell> The operating costs are the supermajority of the costs, not the hardware costs.
18:59 * nsh wonders . o O {is progress-freeness definitely essential for consensus-POW?}
18:59 < tromp__> in any case, what you propose is that an "attacker" can basically buy a shitload of PCs to do cuckoo hashing and amortize their cost
18:59 < gmaxwell> The advantage you can get in bitcoin comes from the fact that dedicated hardware is enormously more power efficient. (it's also worth noting that the speed of all the current bitcoin parts is predominantly power limited, they could run much faster, but they'd require more expensive packages and/or exotic cooling)
19:00 < gmaxwell> nsh: if you're not progress free (at least on a large scale) you're unfair and you give superlinear rewards to larger participants, which would incentivize centralization.
19:00 < tromp__> the operating cost of latency constrained RAM is pretty low
19:00 < nsh> hmm
19:00 < gmaxwell> yes, ::cries:: and thats bad!
19:00 < gmaxwell> I agree that its low.
19:00 < tromp__> no, that means an attacker is constrained by investment cost
19:00 < tromp__> by cost of buying tons of RAM
19:01 < tromp__> he'll never spend as much on operating cost as the investment in RAM
19:01 < gmaxwell> Sorry, I think we're wasting time now. I suggest we both take a break and consider this again later with fresh eyes. By then I'll also read your paper, as I'm sure its independently interesting regardless of this meta argument.
19:01 < tromp__> good idea.
19:02 < tromp__> thanks for your interest in my proposal
19:05 < tromp__> to summarize my arguments: cuckoo is sequential latency constrained -> not parallelizable -> miner cost dominated by initial RAM investment rather than operating cost -> cannot match worldwide commodity PCs
19:07 < gmaxwell> Yes, this is also the argument advanced in the scrypt paper (just without the mention of operating costs). I am concerned, but not yet convinced that at least in the scrypt paper the argument is wrong, and I am nearly convinced that at least for some scrypt parameters that its wrong. This may not apply elsewhere, however.
19:08 < tromp__> also note that scrypt cannot increase RAM use much, because verification is already nontrivial
19:08 < tromp__> while cuckoo verification is always trivial
19:10 < gmaxwell> yes, I'm aware of this. It's inapplicable to the KDF case, as I said before I think the PT was giving the wrong initial argument to you. Collision like things usually fail to progress-freeness problems or TMTO, but they do achieve asymmetric verification costs.
19:11 < tromp__> right, you cannot make a good KDF out of cuckoo
19:12 < gmaxwell> Why not? take your first solution from a deterministic start and hash it. The result is your key.
19:13 < tromp__> let me check my email correspondence on this
19:16 < tromp__> that does make a KDF, but it doesn't exploit the neat feature that cycles are trivially checkable. and memory hardness has to be taken more on faith than with ROMix based functions
19:17 < tromp__> so it's not an obvious improvement over other schemes
19:17 < tromp__> whereas for PoW it has ideal properties that no other PoW has
19:27 < tromp__> afk to dinner
22:35 < gmaxwell> man, the internet is so screwed up: http://thenextweb.com/socialmedia/2014/01/29/lost-50000-twitter-username/#!tV5FI < this guy got his short twitter account name extorted out of him, and part of his advice is not to use your own domain names for registration because the domain names are so easily hijacked.
22:45 < c0rw1n> that's screwed up yes
22:49 < tromp__> with paypal you need to actively opt-out of being screwable. of course they have plenty of other ways to screw you...
22:50 < tromp__> generally, the last 4 digits of cc should be considered public knowledge
22:50 < tromp__> so godaddy was the bigger offender
22:54 < andytoshi> tromp__: agreed, i'd register a domain with realsolid before godaddy..
23:00 < tacotime_> andytoshi: I hear he's offering decent prices for fee shares on his exchange these days too
23:03 < tacotime_> It's a shame for SC2, I feel like if RS/CH hadn't gone so outrageously crazy on trying to manipulate the price it would still hold some value today as a litecoin competitor
23:06 < tacotime_> And I was surprised how long the trust node system stood up for.
23:06 < gmaxwell> it got abused by RS pretty quickly.
23:07 < gmaxwell> I think it was only two months or so before the first time he used it to force a subsidy change on the network.
23:07 < tacotime_> Yeah, that was the problem. I mean, SK more or less does the same thing with checkpointing PPC, but SK doesn't mess with the chain.
23:08 < gmaxwell> yea the ppc mechanism is functionally quite similar though at least RS had an argument about how his thing would eventually be distributed. (though after he decreased the subsidy you could be pretty sure no one would ever have 1M SC)
23:08 < tacotime_> There's nothing super wrong with a temporarily forced centralization of the chain while it takes off and you mess with new features that could break it I think, but when you decide, "Hey, the price isn't high enough! Let's decrease subsidy 100 fold!"...
23:09 < tacotime_> Yeah
23:10 < gmaxwell> tacotime_: well PPC's thing is not temporary, it was originally that way to bootstrap until POS took off, but most mining is POS now... and the new white paper points out that the checkpoints are needed to create a consistent baseline state for POS. but yea yea.
23:10 < tacotime_> There's a new version? I didn't know he'd changed that... that's unfortunate.
23:11 < gmaxwell> if I did an altcoin I'd have multisignature broadcasted checkpoints (e.g. distributed instead of fully centralized) and I'd have the nodes disable them automatically at some high enough difficulty.
23:11 < tacotime_> That makes sense.
23:12 < gmaxwell> yea, the updated one he did after the initial attack on PPC POS where someone was mining all the blocks. (by grinding at block hashes to search for a history where his stake was selected in every block)
23:13 < tacotime_> Right. I don't think that totally justifies complete centralization though... that's kind of an admission that you're not really confident in what you're doing functioning correctly on an independent basis
23:14 < c0rw1n> (or that you're a wannabe rent-seeking exploiter / future scammer / Ripple)
23:15 < tromp__> could you have checkpoints triggered by the blockhash being particularly far below the difficulty?
23:16 < gmaxwell> tacotime_: yea, well the bigger change that was made at that time was making it so that only pow blocks select POS miners, meaning that a POW majority can pick which stake can mine, and which makes high pow difficulty more or less essential to the security.
23:16 < gmaxwell> tromp__: I can't decode what you're suggesting.
23:16 < tacotime_> Oh, that's what that stake modifier thing was all about? He refused to explain that to me
23:17 < gmaxwell> fortunately(!) his code is pretty readable.
23:17 < tacotime_> That's also kind of scary though, as it makes the network more open to attack if someone decides to DDoS all pools
23:17 < tacotime_> Also the reward algorithm itself makes that lucrative
23:18 < tacotime_> I wish he would have just said that sentence to me 12 months ago, because that makes total sense.
23:18 < tromp__> if the blockheaderhash has maybe 16+ more zeroes than required by the target difficulty, that could be considered a checkpoint trigger
23:18 < gmaxwell> I just assume he's one of us, I think its generally well executed, it suffers because the overall idea is kinda lame. I like bitching about him because he's probably here twitching that he can't reply without blowing his anonymity. :P
23:18 < tacotime_> Haha
23:19 < tromp__> so checkpoints would happen about every 2^16 blocks
23:19 < gmaxwell> tromp__: you can get some awesome attacks out of that. e.g. mine such a thing and then delay announcing it.
23:19 < gmaxwell> totally pointless, you should probably erase the word checkpoint from your mind, only horrible things result from it.
23:19 < c0rw1n> ooh scary
23:19 < tacotime_> Yeah it's the reason you have to be cautious about using the total work of a chain as the selecting factor too.
23:20 < tacotime_> Because if you hide the block from the network and it represents a huge amount of work, doublespending becomes very easy.
19:07 < Luke-Jr> which tbh is more interesting to me than Freimarkets..
19:11 < maaku> ok so the story there is I've already gotten permission from the two major pools (>90% of the hash power) to add merged mining with the Freimarkets hard-fork
19:30 < Luke-Jr> maaku: hopefully an improved/fixed algo? :D
19:46 < maaku> Luke-Jr: yeah, basically a generic mechanism for committing arbitrary key/value data to the coinbase using Merklized indices
19:47 < maaku> also works for document timestamping, or other applications
20:21 < andytoshi> i'm going to delay the coinjoin another day because i'm close to having a tool which will merge the signed transactions for me
20:21 < andytoshi> so again i'm open to people joining in :)
21:36 * andytoshi-logbot is logging
22:25 < gmaxwell> andytoshi: if you've got a merging tool then you can probably go nag more people to join.
22:26 < gmaxwell> e.g. go post in the cj thread.
22:36 < andytoshi> gmaxwell: not yet
22:36 < andytoshi> i'm almost done the merger, but rust has no json-rpc support, so there'll be some more work
22:36 < andytoshi> it's no problem to just wrap a C lib, but those are hard to come by too :P
22:51 < gmaxwell> json rpc so that it yells if you try to add already spent coins? are you going to make it constrain outputs<inputs per user too?
22:52 < andytoshi> the latter
22:52 < gmaxwell> cool. make sure you shuffle the order.
22:52 < andytoshi> good call
22:53 < andytoshi> in about an hour i'll have something that can merge transactions and checks that they at least are all the same transaction
22:53 < andytoshi> i'd like to figure out RPC so i can check spending and value constraints
22:53 < andytoshi> and i'd also like to figure out CHECKSIG
22:54 < andytoshi> but those can wait for another day
22:54 < gmaxwell> I guess if you're fetching the inputs you can validate the sigs... but thats not super critical...
22:55 < gmaxwell> validating is a pita if you're not constraining the kinds of coins you spend.
22:57 < andytoshi> yeah, i read through the wiki pages and etotheipi's graphic..
23:18 < andytoshi> i think it's working (rust is incredible, first time it compiles it does the right thing)
23:18 < andytoshi> how can i verify that the signed transaction is valid?
23:35 < gmaxwell> andytoshi: there is no 'validatetransaction' rpc call, the best you can do is try it on testnet ... or an isolated node. (e.g. if the txn isn't relevant to your wallet, and you are -noconnect -nolisten ... it'll only ever be in memory on your node)
23:50 < andytoshi> done, will be on github in 5 minutes..
23:51 < gmaxwell> you may have the odd honor of having first publicly posted rust bitcoin code.
23:56 < andytoshi> https://github.com/apoelstra/coinjoin
23:56 * andytoshi blushes
23:56 < jgarzik> gmaxwell, I'm pretty sure signtransaction will validate for you
23:56 < jgarzik> gmaxwell, it's not explicit, but there is a way
23:56 < jgarzik> one of the RPC calls will perform that function
23:59 < gmaxwell> maybe the complete flag there ... but I'm not sure, as I've run into it saying complete:false on a totally valid completed transaction in some case or another.
23:59 < gmaxwell> it won't tell you where it fails if it does, which I think is what andytoshi would want.
--- Log closed Wed Dec 11 00:00:11 2013
--- Log opened Wed Dec 11 00:00:11 2013
--- Day changed Wed Dec 11 2013
00:00 < andytoshi> hmm, running signtransaction on my supposedly-signed transaction changes the signature
00:00 < andytoshi> which is a bad sign i think
00:01 < andytoshi> but otoh running decoderawtransaction, i can see that my code is doing exactly what i would have done, had i merged them by hand
00:02 < andytoshi> it seems like signrawtransaction's signatures depend in a noticeable way on what the other inputs are
00:04 < gmaxwell> andytoshi: first, the signatures have a nonce and every time you sign will be different.
00:04 < andytoshi> oh, that's right
00:04 < gmaxwell> secondly, a normal sighash all signature covers all the input ids and outputs (but not the signatures themselves)
00:05 < andytoshi> yes, i'm aware of that
00:05 < andytoshi> but it zeros out the scriptSigs
00:05 < gmaxwell> right.
00:05 < andytoshi> my feeling is, i should just post this on the cj thread, and if it's creating invalid transactions, that's a safe failure mode
00:06 < BlueMatt> anyone want a google glass invite to work on bitcoin on glass? (or in general, but it'd be cool to pay with bitcoin on glass)
00:07 < BlueMatt> (because that's not insecure or anything)
00:07 < andytoshi> yeah, there'd be bullies putting QR codes on peoples' feet then saying "your shoes are untied!"
00:07 < andytoshi> you look down and bam, lunch money stolen
00:08 < BlueMatt> well, someone who has time should think about how to make it secure, but first they need glass :)
00:08 < gmaxwell> the glass interface seems really twitchy
00:08 < BlueMatt> how so?
00:08 < gmaxwell> but there are buttons so you can use those.
00:09 < gmaxwell> BlueMatt: just easy to trigger the wrong thing.
00:09 < BlueMatt> yea, it can be
00:14 < gmaxwell> andytoshi: I don't see any huge risk from it, it's not an automated signer, user-beware that they check the decode before signing what it gives them.
00:14 < BlueMatt> it also doesn't even support passcode locks, so you'd have to do that yourself if you wanted anything like bitcoin
00:14 < BlueMatt> still, someone should do it...I'll throw in an invite if someone wants to
00:16 < andytoshi> grr, i typed up a nice message and bitcointalk deleted it..
00:17 < BlueMatt> why would you type a nice message for bitcointalk anyway?
00:20 < andytoshi> if you guys trust me, i can make linux 64 binaries as well, if you wanna play with this..
00:22 < andytoshi> http://download.wpsoftware.net/bitcoin/coinjoin/
00:56 < BlueMatt> andytoshi: I haven't been paying attention, how is the matching process on there?
00:57 < andytoshi> hmm?
00:57 < BlueMatt> some magic p2p network that matches people who want to join, or what?
00:59 < andytoshi> BlueMatt: oh, i didn't solve that problem
00:59 < andytoshi> kjj was talking about it
00:59 < andytoshi> my thing requires you get together and exchange rawtransactions, it just simplifies the merge steps..
01:00 < BlueMatt> ahh, I was hoping for something that could get merged into wallets
01:00 < BlueMatt> :(
01:00 < andytoshi> not yet
06:14 < michagogo|cloud> 06:35:30 <gmaxwell> andytoshi: there is no 'validatetransaction' rpc call, the best you can do is try it on testnet ... or an isolated node. (e.g. if the txn isn't relevant to your wallet, and you are -noconnect -nolisten ... it'll only ever be in memory on your node)
06:14 < michagogo|cloud> Wait, is -noconnect a thing?
06:14 < michagogo|cloud> I knew of -connect=0.0.0.0
06:16 < sipa> -noX is interpreted as -X=0
06:16 < michagogo|cloud> Oh, cool
06:16 < michagogo|cloud> (and can you -connect=0?)
07:03 < wumpus> I don't think -noconnect is a supported option
07:04 < michagogo|cloud> BlueMatt: around?
07:05 < michagogo|cloud> er, wrong channel
12:25 < nsh> http://www.sparecoins.io/ <--- good / bad / ugly / dunno?
12:26 < gmaxwell> nsh: save us from clicking with a one line summary.
12:26 < nsh> browser-extension wallet, storing keys inside browser
12:26 < nsh> --
12:26 < nsh> Every week, another online Bitcoin Wallet gets hacked. SpareCoins, however, does not have a central point for attackers to target. Your private keys are encrypted and stored inside your browser, rather than an unsafe remote server. Your private keys can be backed up at anytime, and clearing your cache won
12:26 < nsh> --
12:27 < nsh> depends on the code quality i guess..
12:27 < nsh> --
12:27 < wumpus> don't bitaddress etc work the same?
12:27 < nsh> Sam Stewart 5 hours ago
12:27 < nsh> It sends bitcoins. It's easy. It works. What more do you need?
12:27 < nsh> -- review. (this is the attitude that worries me...)
12:27 < nsh> unsure
12:29 < sipa> I consider every argument of the form "It is secure because ... only inside your browser" to be invalid
12:29 < sipa> which e-wallet did that, hack their JS to steal some coins back?
12:30 < nsh> aye. though this model is without a server, but just as susceptible to untrusted updates
12:33 < wumpus> well the advantage to this is that you can just host the .html files locally
12:34 < wumpus> and maintain them in (for example) a git repository so that changes are trackable
12:35 * nsh nods
12:35 < wumpus> but I'm also a bit wary of trusting my browser with a wallet, I prefer native applications for that
12:37 < wumpus> browsers have a reputation of having all kinds of subtle security bugs which suddenly become fatal if you store high-valued private keys in them
12:38 < nsh> wumpus, this echoes my sentiments
12:39 < nsh> also browsers are an established target for malware/spyware/adware already
12:39 < wumpus> then again, they do accomplish the goal of being more secure than online hosted wallets
12:39 < phantomcircuit> sipa, i actually prefer my implementation, his is using the stdio functions for apparently no reason
12:54 < sipa> phantomcircuit: there was discussion about it on the mailing list
12:54 < sipa> i can't remember why, though
12:54 < phantomcircuit> their google groups is impossible to read online
12:55 < phantomcircuit> every reply ends up with at least 100 citations at the bottom
13:09 < nsh> it works for science...
13:10 < nsh> (fsvo 'works')
13:11 < maaku> nsh: meh, sometimes I wish paper writers would boil it down to the 4-5 actually useful citations
13:11 < nsh> indeed, or at least be able to click through to the relevant findings in the referenced papers highlighted
13:13 < nsh> a lot of it is formality though. you have to prove you're not replicating anyone else's work by laboriously referencing triflingly similar papers
13:13 < andytoshi> it is also considered polite, to improve others' citation rankings
13:13 < andytoshi> <.<
13:13 * nsh nods
16:16 < pigeons> but some say it not requiring capital expense just allowing renting by the hour provides similar weird incentives like cex.io
16:17 < pigeons> some say it allows participation by only people with funds to access such a platform
16:17 < pigeons> there are valid responses though to those concerns sure
16:18 < iddo> maybe AWS is bad for decentralization because amazon itself can redirect their idle CPUs to mine cryptocoins?
16:18 < pigeons> but protoshares original marketing was "cpu so anybody with a home pc can do it" which large server farms ran those people out
16:19 < maaku> iddo: because the premise of a GPU-hard, FPGA-hard, ASIC-hard, CPU-easy proof of work is that the network will be secured by actual users (1 CPU = 1 user)
16:19 < gmaxwell> maaku: except that's a false one too.
16:19 < maaku> when in reality, whoever owns the largest datacenter with idle CPUs (AWS), or largest botnet controls the network
16:20 < gmaxwell> also you can never be "ASIC-hard" you can only reduce the specialization advantage. ... and mining is perfect competition, even if the specialized thing is merely 2:1 it will eventually dominate. .. more realistically you're not getting the specialization gain under 10:1
16:20 < maaku> gmaxwell: yeah I'm definitely not defending memory-hard proof-of-work. SHA-256 is perfect
16:21 < gmaxwell> and most efforts to be asic hard are really just NRE hard, which may lead to monopolies.
16:21 < maaku> unless you figure out a practical way to do your time-lock PoW
16:21 < nsh> you can beat individual (and successive) generations of asics by cycling through PoW schemes like a meany
16:22 < maaku> I was just explaining the (flawed) reasoning behind it...
16:22 < jtimon> maaku I don't think sha256 is perfect but I would only replace it if there's practical use for pow
16:22 < gmaxwell> maaku: I think to really do it beyond a bunch of basic practical considerations, it really needs an asymmetric crypto scheme which doesn't have any attacks better than exponential.
16:22 < jtimon> although I think some people here have problems with that
16:23 < jtimon> I admit I don't understand the problems with a theoretical curecoin
16:23 < gmaxwell> (because attacks better than exponential seem to all result in it not being progress free)
16:24 < jtimon> gmaxwell, what could be the problem with say, SETI@coin?
16:24 < jtimon> assuming it is feasible in practice
16:25 < zooko> I love this channel.
16:27 < gmaxwell> jtimon: the standard litany, most of those are not sufficiently cheap to verify (e.g. hurts spv nodes, zero knowledge proofs of tx data, and initial syncup), they tend to be inadequately proven to be trapdoor free, high hardware implementation complexity (so may lead to asic monopolies)... if the work is not work you could get paid for, then at least it should be free of some of the incentive concerns.
16:27 < gmaxwell> (though because of merged mining even bitcoin isn't free of POW incentive concerns)
16:28 < gmaxwell> jtimon: those sorts of issues aren't fatal, if there really were some task that was obviously a good enough fit .. it might make sense.
16:28 < jtimon> ok, so if implemented properly and for a task that enables the right incentives, would be ok
16:29 < jtimon> what's wrong with merged mining?
16:30 < jtimon> I'm assuming some ZKP efficient mechanism not to hurt SPV
16:30 < iddo> is there SETI@coin proposal that can work? needs readjustable difficulty, and seeded data so that each block depends on the previous block (so you cannot copy PoW) ?
16:30 < gmaxwell> It's not wrong, but it facilitates a possible bad outcome. Right now 99% of the incentive in mining comes from getting your work in the best chain. A rational miner doesn't do work which is doomed to not end up in the best chain, like go mine an earlier fork in order to fool an isolated node.
16:30 < gmaxwell> iddo: you don't need adjustable difficulty.
16:31 < iddo> no adjustable difficulty? how come?
16:31 < gmaxwell> iddo: computes H(seti(H(header)))<TARGET. :P
16:31 < gmaxwell> the seti itself doesn't need adjustable difficulty.
16:31 < iddo> hmm
16:31 < jtimon> gmaxwell I don't see how that changes with merged mining
16:31 < iddo> but then it's the usual hash-based PoW, no?
16:32 < iddo> ahh the hash doesn't have nonce
16:32 < gmaxwell> so w/ merged mining, let's imagine that someday 99% of the incentive instead is coming from a really valuable thing that you're merged mining.. the cost of the attack is only the marginal difference.
16:32 < gmaxwell> iddo: yea you have to grind the seti function.
16:33 < gmaxwell> but the problem is that if seti has a trapdoor, or some instances of seti are fast and you can detect them up front, ... uh oh.
16:33 < gmaxwell> or if seti costs $100 million to put into an asic but once you do it's 1000x faster/more power efficient... then perhaps you get a maker monopoly.
16:34 < jtimon> so let's say we have coins A (50%) B (30%) C (15%) and D (5%) being merged mined together
16:35 < jtimon> the percentages mean how much of the total reward for the merged miner comes from each one in real terms (ie selling all rewards for bananas)
16:35 < maaku> jtimon: this is the same as the attack-a-merged-mine chain scenario
16:35 < gmaxwell> jtimon: the argument generally applies to making pow do something useful, mining is nearly perfect competition, it adapts until it's barely making a profit.. but it adapts on total income. So you can end up with 99% of your income not being from getting into the best chain, but instead being from finding aliens (assuming the aliens pay).
16:35 < gmaxwell> Merged mining potentially presents the same problem.
16:35 < maaku> if you own a big bitcoin mining pool, you can destroy a merged mined alt coin by overpowering it
16:36 < maaku> you can do the same to bitcoin, by offering to pay more (in altcoins) than a miner is receiving (in bitcoins)
16:36 < gmaxwell> it's not a problem so long as getting into the best chain is overwhelmingly your priority in your mining work. This is optimized by the work being totally useless except for that outcome.
16:36 < jtimon> but all rational miners will be mining currency D, it has almost the same security as currency A has
16:37 < gmaxwell> jtimon: no because you only lose some small amount of your income to switch from honestly mining D to maliciously mining it perhaps unsuccessfully.
16:37 < jtimon> no matter that only 5% of the reward comes from D, all miners are putting 100% of their pow in it, just like they put it in A
16:37 < maaku> jtimon: someone with a lot of C doesn't like D, so he offers 6% (in a trustworthy asset) to those miners which participate in an attack on D
16:38 < jtimon> yes, "you only lose some small amount of your income to switch from honestly mining D to maliciously mining it"
16:38 < jtimon> but that doesn't turn you into a D majority
16:38 < gmaxwell> you don't need to be a majority to attack a cryptocurrency.
16:38 < gmaxwell> even a few percent of hashpower is useful for making bogus sidechains for tricking network isolated nodes, for example.
16:38 < maaku> yes it does if you can convince a majority of the miners to go with you (remember, you're paying more than they're earning in D, in hard cash)
16:39 < jtimon> ok, ok
16:39 < gmaxwell> and yea, slippery slope, if miners are rational you can bribe them to attack.
16:39 < jtimon> but if 100% of miners are mining equally all currencies, D is just as secure as A is
16:39 < gmaxwell> In general none of this stuff is safe in a purely rational model, you need at least some altruists to stabilize the system.
16:39 < gmaxwell> jtimon: it's really not. your 100% definition is weird.
16:40 < maaku> gmaxwell: of course, to be honest the argument is a little weak - it's basically "if bitcoin becomes undervalued, it could be attacked"
16:40 < maaku> to which my response is, "why was bitcoin undervalued?"
16:40 < jtimon> you mean undervalued with respect to mining costs?
16:41 < jtimon> ok, I see the point that the attack to D is cheaper if you bribe other pools
16:41 < gmaxwell> maaku: to some extent. But it's not just about undervalued, it's more like regardless of how valuable bitcoin is, it's not a big consideration to the miner's income, and that _could_ be the case at any value level.
16:41 < maaku> and if the situation was so dire that bitcoin was being replaced with an alt, hence leading to its undervaluation compared with the currency used to pay the attackers, then why care?
16:42 < gmaxwell> maaku: I've never presented this as an argument against merged mining except to point out honestly that when I talk about the downsides of "useful work" that we're already not completely free of it.
16:42 < maaku> ok, i wasn't considering the tragedy of the commons scenario, with btc txfees
16:42 < maaku> still had my freicoin-perpetual-reward thinking cap on
16:42 < maaku> yeah ok
16:42 < jtimon> because scarce monies are always over-valued, they're really a consented bubble, an implicit agreement
16:43 < gmaxwell> And I don't even know that w/ cancercoin if it's a big deal. I just like to point out that "useful work" is not all roses, that there are interesting complications.
16:44 < maaku> of course, *not* merged mining makes the situation worse
16:44 < gmaxwell> when MM was introduced I cheered saying hurray even if people lost interest in bitcoin then maybe bitcoin could still be secure in the future.
16:44 < jtimon> yeah, I know it is a very hard problem, but I believe it is the future
16:44 < gmaxwell> Having seen things play out I was slightly too enthusiastic about it, I think.
16:44 < gmaxwell> But I still think it's a good thing.
16:45 < jtimon> and not these "anti-asic" schemes
16:45 < maaku> jtimon: there are desirable properties of a proof-of-work which boinc-like work units don't have
16:46 < jtimon> yeah, I think it's cheaper security for everyone, even if the "bribe attack" makes D less secure than A
14:26 < petertodd> now the non-snark using version of that is easier to understand: fill up some ram with the function D[i] = H(D[i-1]), then do a merkle-tree over the ram and do samples to prove the transitions are honest, but the issue there is basically that the # of samples you pick relates very strongly to how parallelizable you can get away with without a high chance of getting caught out on fraud
14:26 < petertodd> gmaxwell: yeah, faster than scrypt though right?
14:27 < gmaxwell> dunno. scrypt as used in ltc is slow but it might just be comparable.
14:27 < petertodd> gmaxwell: yeah, anyway, the PoW validation slowness isn't a deal-breaker, just annoying
14:27 < petertodd> gmaxwell: bigger issue is that really ASIC-hard PoW's are a lot slower and use a lot more ram than scrypt...
14:28 < adam3us> petertodd: i think the fiat-shamir transform can make the failure from skipping calc steps start to lose fast. this is what coelho merkle hash PoW introduced and dagger uses even more links to reduce like 3% down to < 1%
14:28 < petertodd> gmaxwell: (well, LTC-style scrypt params)
14:29 < petertodd> adam3us: yup, however what's nasty about it is if you start thinking about how fast actual hash primitives really are - a fair bit slower than main memory bandwidth right now
14:30 < adam3us> petertodd: indeed. it would help if people used a faster hash or the custom design u mentioned yesterday (hash rounds spread across the tree)
14:31 < petertodd> adam3us: yeah, also re: my "fraud == parallelism" argument, maybe you want the bottom of the tree to be fairly big chunks of memory being hashed anyway, which makes spreading a strong hash out make more sense
14:31 < petertodd> adam3us: like I was saying above about how ram is banked anyway
14:33 < petertodd> adam3us: oh, and here's a consideration: you probably want to minimize the time and space of the merkle tree over the data being hashed, because if you don't you can optimize by making a better merkle hasher
14:33 < gmaxwell> petertodd: sequentiality to some extent prohibits being progress free, so unless the sequential part is very fast you are creating an advantage for faster miners.
14:33 < petertodd> For instance, notice how the # of nodes in a full binary tree is 2x the bottom layer, so you do need the bottom layer work cost to be >> making the tree
14:34 < petertodd> gmaxwell: well how fast is fast enough? I'd argue keep the PoW creation to < 1s or so and it's in line with latency assumptions anyway
14:35 < gmaxwell> I think it has to be a small fraction of latency in order to not matter.
14:35 < gmaxwell> keep in mind wrt the snark idea: snark _creation_ will always be much slower than execution
14:36 < petertodd> gmaxwell: I would have thought a small fraction of block interval - network latency is a similar impact to PoW latency
14:36 < adam3us> he watching the dexel/alpha indian peoples video on their coming 28nm scrypt asic. did anyone figure out if their demo fpga version was a net win already? this should be fun to watch if they deliver
14:36 < petertodd> gmaxwell: oh, obviously if you do it snark-style you've gotta have the snark proof finish in < 1s - very difficult
14:36 < petertodd> gmaxwell: although maybe ok if the snark is only for the sake of SPV
14:36 < gmaxwell> adam3us: the ltc fpgas were a power usage win.
14:36 < gmaxwell> petertodd: well in particular because you could do proofs of the whole sum rather than a single header.
14:37 < petertodd> gmaxwell: note how with all this stuff I'll bet you having a FPGA attached to some RAM would be a power win
14:37 < petertodd> gmaxwell: good point
14:56 < adam3us> gmaxwell: i believe that is correct. (progress freedom and ratio of minimum work unit on single core to block interval)
15:00 < adam3us> gmaxwell: it places a limit on how memory hard you can hope to be, which also relates to the fastest crypto hash that can drive the memory
15:00 < Luke-Jr> FPGAs were only a power win for Bitcoin as well
15:01 < andytoshi> petertodd: you don't need to have fast snarks if your block time is something like several hours
15:01 < andytoshi> that may be desirable anyway if you want an anonymous high-latency mechanism for getting txes to miners in the first place
15:01 < petertodd> andytoshi: true, although I suspect several hour block intervals have user-acceptance problems
15:02 < andytoshi> yeah, i really doubt such a system would be good for general use. but there are situations where several-day verification is ok (and it still beats visa :P), eg if there are long shipping or manufacturing times anyway
15:05 < gmaxwell> keep in mind that someday bitcoin might be several hour confirmations, if you can't count on the network to converge in one block anymore e.g. due to implementation inconsistencies, high latencies, bursty mining due to mining for fees, gnarly behavior from miners wrt "rational mining" that is willing to reorg if it's positive expectation
15:05 < gmaxwell> even with 10 minute blocks.
15:13 < adam3us> btw i was thinking part of the anti-litecoin fast confirmation argument maybe partly false. it can be claimed that well 12 lite coin confirms (30min) is weaker than 6 bitcoin ones (60mins). but consider your probability as a selfish miner of winning with p^24 << p^6. in fact even p^12 << p^6 etc.
15:14 < Luke-Jr> adam3us: consider the attacker doesn't need to worry about stale blocks also
15:14 < Luke-Jr> adam3us: there are a lot of factors involved
15:14 < Luke-Jr> fast blocks = more hashes wasted by the legit miners
15:14 < Luke-Jr> scrypt = slower block propagation
15:14 < adam3us> Luke-Jr: oh yes (i said partly) the short block time is worse for orphans and gives well connected low latency miners more advantage
15:14 < adam3us> Luke-Jr: that too
15:15 < Luke-Jr> adam3us: right; there's advantages and disadvantages
15:15 < Luke-Jr> IMO they more or less balance out
15:19 < adam3us> i wonder what it does for selfish mining attack though. the ghost (hash in non-conflicting orphans) approach seemingly allows faster blocks because orphans are not wasted. so hypothetically ghost + bitcoin/sha256 mining + eg 2.5min intervals. and still 1hr confirmations. i wonder if the selfish miner loses in that circumstance
16:54 < jtimon> Luke-Jr I don't see the balance, Scrypt is neither "anti-ASIC" nor anti-GPU
16:55 < jtimon> what's the gain Scrypt has over SHA256 ?
16:55 < phantomcircuit> jtimon, nothing
16:56 < sipa> scrypt is certainly anti-gpu, if it'd use more than 128 KiB of RAM...
16:56 < Luke-Jr> jtimon: there is none, that's my point
16:57 < sipa> despite that, i'm very unconvinced that it has any advantages for bitcoin or similar systems
16:57 < EasyAt> scrypt ASICs will have a giant die size, no?
16:57 < c0rw1n> 128KB ram doesn't take much die space
16:58 < sipa> well the point would be to make the cost of the ASIC be dominated by fast memory
16:58 < jtimon> "<Luke-Jr> IMO they more or less balance out" ok so this is just sarcasm?
16:58 < Luke-Jr> jtimon: no? we're talking about faster block times there, and how it doesn't make transactions any faster really.
17:00 < jtimon> Luke-Jr ok thanks
17:00 < jtimon> thanks
17:00 < jtimon> sipa what's the point of "make the cost of the ASIC be dominated by fast memory"
17:00 < jtimon> ?
17:01 < sipa> not saying this is a good idea, just reasoning how you'd make an anti-asic pow
17:01 < gmaxwell> It's an attempt to reduce the gap between commodity hardware and specialized hardware.
17:02 < sipa> if the cost of the asic is dominated by memory, it's unlikely to provide much gain over state-of-the-art cpus connected to as much fast ram as you can find on the market
17:02 < sipa> as the cpu will not be the bottleneck
17:02 < gmaxwell> I think it's generally a poor idea for pow-consensus systems though. My reasoning is that at most you can probably do is get the gap down to 2:1 (or really probably more like 10:1), and even at 2:1 the commodity hardware will probably be completely excluded.
17:02 < gmaxwell> Vs in KDF usage getting the custom hardware advantage down to just 10:1 would be great.
17:02 < sipa> i think it's a great recipe if you want botnets
17:03 < gmaxwell> Well botnets too, if you don't pay for power because you're stealing it you don't mind that you're 10x less efficient than custom hardware.
17:03 < jtimon> I assume it also has to be anti-GPGPU, right?
17:04 < sneak> the nice thing about kdfs is that it's ok to use eleventy bazillion iterations too
17:04 < sneak> because most use-cases don't mind a 500msec wait
17:04 < gmaxwell> well KDFs want fast verification too, but a few hundred ms is okay usually.
17:04 < sipa> jtimon: unless GPUs would happen to have better memory bandwidth :)
17:05 < gmaxwell> They don't want generation / verification asymmetry, which we want for hashcash usage.
17:06 < gmaxwell> sipa: generally GPUs have had much better memory bandwidth than j-random-cpu. (though horrible memory latency relative to their clockrate)
17:07 < jtimon> sipa GPUs will have a better memory bandwidth they're not only for graphics anymore, they're the present/near-future of supercomputing
17:07 < jtimon> and some problems have their bottlenecks in memory
17:08 < gmaxwell> jtimon: graphics work is generally memory throughput limited.
17:11 < jtimon> I'm just saying that GPU designers are not only optimizing for graphics, there's more problems being solved with other demands
17:11 < jtimon> GPU architectures can change
17:12 < jtimon> maybe you're right and the GPGPU people won't ask for those constraints to be improved
17:12 < gmaxwell> jtimon: that's probably the same processor / coprocessor cycle that has gone on since the start of computing. Presumably GPUs will eventually go away and just be subsumed into cpus (or vice versa)
17:13 < gwern> the wheel of reincarnation
17:14 < gmaxwell> (e.g. how FPUs and stand alone short vector units became standard cpu features)
16:37 < gmaxwell> _ingsoc: that's really not true at all.
16:38 < amiller> andytoshi, :)
16:38 < _ingsoc> gmaxwell: How?
16:38 < gmaxwell> _ingsoc: if that's the kind of garbage nonsense that people repeat when it's not true, consider what happens when it is true.
16:38 < _ingsoc> gmaxwell: What incorrect about the statement?
16:38 < _ingsoc> What's*
16:39 < Emcy> are you serious
16:39 < gmaxwell> _ingsoc: Bitcoin was public from the very start and considerable effort was made to make that provable. (including, for example, reaching out to likely initial users, as adam back can testify)
16:39 < Emcy> he crafted a block then mined one on it to check
16:39 < gmaxwell> _ingsoc: there were multiple people using it from the first day.
16:39 < _ingsoc> gmaxwell: I'm not saying he did it in secret. I'm saying he mined it when nobody cared about it.
16:40 < _ingsoc> gmaxwell: What I'm trying to say is that what people like to crap on today is not very different from how Bitcoin came to be.
16:40 < _ingsoc> gmaxwell: I'm talking about the underlying economics.
16:40 < gmaxwell> _ingsoc: I don't even think you can establish that satoshi actually mined it in any non-trivial amounts, in fact.
16:40 < gmaxwell> _ingsoc: and you're factually incorrect.
16:40 < _ingsoc> gmaxwell: You don't know that.
16:41 < _ingsoc> gmaxwell: You believe I'm incorrect, and that's fine, but for a lot of this stuff, we simply don't have the answers.
16:41 < gmaxwell> You're factually incorrect in saying that it was premined or similar to the people who created a ton of coin in the first block. That's a matter of fact, not uncertainty.
16:42 < _ingsoc> gmaxwell: Ofc that's factually incorrect, but that's not what I was trying to say.
16:42 < gmaxwell> You can say these things to try to justify whatever scheme you want, I wish you luck. But as you can see people don't tolerate that stuff. They refuse to use premined coins _generally_ though there are some exceptions.
16:43 < _ingsoc> gmaxwell: That's a bit unfair.
16:44 < _ingsoc> gmaxwell: I'm not trying to go on the offensive.
16:45 < gmaxwell> They don't accuse people of behavior that many consider unethical.
16:45 < gwillen> gmaxwell: I don't know that you're right about people refusing to use premined coins; I think most people just don't care that much.
16:46 < gwillen> gmaxwell: I see a lot of loud noise from Luke about how awful they are, and a little bit of loud noise from people who aren't Luke, but I still see plenty of people using them.
16:46 < gmaxwell> gwillen: Which premined coins are people using now, except for ripple?
16:46 < pigeons> why do people use litecoin and not its direct predecessors. why did btc-e destroy a large number of "novacoins"
16:46 < gwillen> gmaxwell: Well, most of them were pointless for other reasons
16:46 < gmaxwell> gwillen: novacoin had to destroy their premine.
16:46 < gwillen> gmaxwell: I mean, you don't see people using ixcoin, but you also don't see people using i0coin
16:46 < gwillen> they're both just as dead
16:46 < gmaxwell> and the litecoin predecessors were heavily premined and are not used though they're functionally identical.
16:46 < gwillen> hmm.
16:47 < _ingsoc> That wasn't my intention at all. I should probably have used a better explanation of what I meant. What I meant to say was that Satoshi sat there mining it whilst nobody really cared, and that's no different than someone mining it for contributors. Satoshi mined it for the ideas he contributed, or whatever drive to support those ideas.
16:47 < gmaxwell> there is a long history of premined coins failing, and/or being forked into non-premine versions.
16:48 < gmaxwell> _ingsoc: even that much is an assumption that may not be true. and the opportunity to do that to mine where no one believed in even the _chance_ is probably gone, and never would have been a viable funding model in terms of net-expectation.
16:48 < gmaxwell> E.g. Satoshi wasn't doing an economically rational thing even though it may have turned out quite well for him.
16:49 < _ingsoc> gmaxwell: True, I can accept that. I'd have to add that we have no clue. God, Satoshi could be the CIA for all we know.
16:49 < gmaxwell> Probably a good assumption in terms of setting up the right defensive expectations.
16:49 < _ingsoc> Hah.
16:49 < Emcy> gwillen but premining a coin is such a blatant scheme that i feel the people who still get involved do so because they like the drama or some other weird psychological reasons?
16:50 < _ingsoc> Depends where the premine goes to, Emcy.
16:50 < gmaxwell> _ingsoc: I mined bitcoin in 2009 and basically forgot about it, whatever coins I mined (which are probably now confused as being satoshi coins) back then got destroyed... bitcoin was so worthless that it wasn't worth keeping the software running.
16:51 < Emcy> shouldn't matter "where they go to", rationally
16:51 < _ingsoc> But it does.
16:51 < _ingsoc> All of this is in-group, out-group psychology.
16:51 < Emcy> yes, all that crap
16:52 < gmaxwell> I don't think it matters, you can just fork the coin remove the premine and tada, it's more "fair" .. and that's what people do.
16:52 < _ingsoc> Whatever succeeds Bitcoin will rise out of that crap.
16:52 < _ingsoc> It might be pretty good crap, but it's still crap.
16:52 < Emcy> i don't think it can be succeeded
16:52 < gmaxwell> maybe ripple solved it, but only through methods which have offended a lot of people.
16:52 < Emcy> not fairly
16:52 < _ingsoc> gmaxwell: That's success though - the tech propagates.
16:52 < _ingsoc> gmaxwell: Not Ripple, the fork.
16:53 < pigeons> well how do you distribute? you mean adding a mining mechanism to a system that doesn't mine or use PoW?
16:54 < gmaxwell> _ingsoc: yea, well it hasn't answered the question that started this discussion. .. except "wait for someone to be stupid enough to think they can fund major public development with a premine; watch as the public forks their solution"
16:55 < _ingsoc> gmaxwell: I forgot the question. It's 6am here. :/
16:55 < Emcy> how do you fund anything with a premine. The coins are worthless.
16:55 < gmaxwell> :)
16:55 < _ingsoc> Emcy: The coins are sold for something of value.
16:55 < Emcy> unless you have exchanges ready to roll day 1 and stupid people pumping money in
16:55 < pigeons> mining may not be fair at all to distribute subsidy, but yea we don't know a better way, but any other ways will have loud objections of unfairness because it is the model for now
16:55 < Emcy> day 1 exchanges is another huge klaxon
16:56 < gmaxwell> Emcy: people have tried, the plan is "create premine coin, pump coin, coins gain value" and yes, it fails.
16:56 < _ingsoc> gmaxwell: That's not the plan at all!
16:56 < _ingsoc> gmaxwell: How would pumping something like that create any real value?
16:56 < gmaxwell> 'value'
16:56 < gmaxwell> _ingsoc: it's certainly the plan of some people, and anyone who has a distinctive plan is indistinguishable.
16:56 < Emcy> cos value is an illusion?
16:57 < _ingsoc> Value is better tech. That's the whole point of funding something like that.
16:57 < pigeons> heh new bitcoin forks list existing features as value-add. "Bitcoin fork with IPv6"
16:57 < _ingsoc> If the tech gets forked the tech is good (good enough for someone to fork it at least).
16:57 < _ingsoc> gmaxwell: People will always be full of shit.
16:58 < gmaxwell> _ingsoc: go explain to me the 12 million dollar feathercoin market cap. It's a copy of ltc with the blocktime set to a provably unsustainable value it was suffering convergence problems, so they paid the PPcoin guy for code to do centralized block signing (like ppcoin uses)
16:58 < Emcy> people have forked coins just for the troll factor
16:58 < gmaxwell> (suffering convergence problems from the blocks being too fast)
16:58 < _ingsoc> gmaxwell: There's no doubt it has technical problems.
16:59 < Emcy> $12m according to whom?
16:59 < pigeons> is that float of mined coins existing?
16:59 < pigeons> assuming no slippage of course
16:59 < _ingsoc> Someone here should just take me up on it, get paid, make better tech, and then we can all go back to arguing.
16:59 < _ingsoc> Seriously.
16:59 < gmaxwell> Emcy: 'market cap', which is a bit airy but you can still go extract a hundred thousand dollars instantly by emptying the orderbooks.
17:00 < Emcy> feathercoin has orderbooks? jesus wept
17:00 < gmaxwell> and in my opinion that coin should have a value of approximately nothing.
17:00 < pigeons> it even has apparent "true believers"
17:01 < Emcy> stuff like that makes me think even bitcoins "cap" of 4bn or whatever is bollox
17:01 < gmaxwell> Emcy: sure, its bollox, but the orderbooks at least are real.
17:02 < Emcy> the scheme i see a lot is people mining altcoins and cashing out to btc
17:02 < Emcy> since btc mining became impossible
17:02 < Emcy> thats kinda weird
17:02 < gmaxwell> Emcy: unless there are secret litecoin fpga/asic farms litecoin is probably using more electrical power now than bitcoin.
17:03 < Emcy> yeah thats bonkers
17:03 < Emcy> i prefer to think theres a secret fpga farm
17:04 < Emcy> yet i see threads the gist of which "check out my new 4 7790s for litecoin lol"
17:06 < gmaxwell> I think I pissed off people in #litecoin-dev suggesting otherwise. I find it hard to believe, if true it means there is a substantial multiple of gpus mining litecoin than ever mined bitcoin surprising to me but not impossible.
17:07 < zooko> Hey gmaxwell are you still working on opus?
17:07 < zooko> I was happy to see the 1.1 release announcement today.
17:08 < gmaxwell> zooko: Yes.
17:08 < Emcy> not impossible. I think word got around of how people funded their new $2000 rigs with GPU mining back in the 2011 excursion.........people seem to think thats happening again with ltc
17:08 < Emcy> at least on /g/
17:08 < zooko> gmaxwell: nice work!
17:09 < Emcy> when is steam gonna pick up opus for voice :(
17:09 < warren> gmaxwell: people are indeed still buying GPU's now.
10:00 < warren> and a flat smushed face
10:01 < gmaxwell> the only unusual thing here is that they warned him a lot of people have just randomly had their accounts closed when their bank notices btc related txn.
10:03 < warren> "they"?
10:13 < gmaxwell> the bank
10:51 < andytoshi> i had wells fargo disable my account because i was connected through tor ... when i called them up the security guy asked "are you using tor?"
10:51 < andytoshi> i said yeah, he said "okay, i'll make a note of it"
10:51 < andytoshi> i was really surprised
10:58 < andytoshi> i stopped using tor anyway, i think the "note" he made was to NSA rather than anything that'd keep my account open..
10:59 < gmaxwell> andytoshi: on your manualcoinjoin you're doing, ... you'd mentioned txindex to me, but you can actually look up any spendable coin with gettxout.
11:00 < andytoshi> even without txindex?
11:00 < gmaxwell> yes.
11:00 < gmaxwell> it uses the utxo set obviously since the same operation is needed to validate!
11:01 < gmaxwell> thats also what any CJ tool should use for checking the availability of txins.
11:01 < andytoshi> oh, thanks
11:01 < andytoshi> i thought so, but gettransaction wasn't working...i guess i txindex'd for nothing
11:02 < andytoshi> and i guess gettransaction does not work with txouts
11:02 < gmaxwell> gettransaction would never return a non-wallet txn. Getrawtransaction would, depending on if its spent or not, but we've talked about changing that (e.g. by providing a new call) since its surprising to people.
11:03 < gmaxwell> (getrawtransaction has a nice verbose argument to get the verbose details)
11:03 < gmaxwell> You're the sort of person who should have a txindex=1 node anyways. :)
11:04 < gmaxwell> sorry, it was late last night or I would have thought to mention it then.
11:05 < andytoshi> no worries, i was off to bed anyway, i probably would have missed it anyway
11:06 < andytoshi> and i was asleep for the entire reindex, so it didn't bother me
11:06 < andytoshi> (linux bogs down horrifically during reindexing...there was a recent LWN article about fiddling some flush-rate parameters, but i didn't get around to doing that)
11:07 < gmaxwell> andytoshi: hm. never noticed it, but maybe I'm on overpowerful hardware relative to you. if you have a lot of ram you can make it a lot faster if you run with -dbcache=<big value>
11:08 < andytoshi> nope, i'm on a 2008 thinkpad which is maxxed out at 4gb :P
11:09 < gmaxwell> its annoying that its hard to get more than 16 gb in a laptop.
11:09 < andytoshi> yeah, i've spent forever on this hardware because i can't upgrade as much as i want
11:10 < andytoshi> i was also promised OLED screens every year since 2010..
11:11 < gmaxwell> yea, display tech stinking kept me on my older thinkpad until it basically fell apart.
12:47 < maaku> gmaxwell: i think the latest workstation lenovos can do 32gb
12:47 < maaku> i would love a thinkpad with 96gb though
12:48 < maaku> petertodd: do you have a link or log of the sacrificial key-value store discussion?
12:48 < maaku> it sounds similar to what we came up with
12:50 < maaku> in our system there are on-chain offers stored in a merklized priority heap
12:50 < maaku> and the owner needs to pay rent equal to a percentage of the largest offer
12:51 < maaku> rent being paid by sacrifice
12:51 < warren> adam3us: blah blah, boring talk
12:52 < maaku> (if rent owed goes negative, the offerer can claim the property from the owner by paying the offer amount, but he doesn't need the owner's permission)
12:53 < maaku> This is basically using georgist land tax to solve the squatting problem
12:53 < maaku> Also, with the system we put together it has the nice advantage of being entirely in merklized structures that the validators don't have to keep
13:20 < helo> is there any writing about the idea of an altcoin that gets its coin only from bitcoin sent to unspendable addresses?
13:22 < maaku> helo: that's what mastercoin is supposed to be, no?
13:22 < maaku> s/unspendable/owned by JR/
13:23 < maaku> helo: in freimarkets we have primitives for issuance and cross-chain transfer
13:23 < maaku> it's meant for gateways, but you could probably use it for unidirectional sacrifice-transfer
13:24 < helo> neat, i'll look into those
16:07 < MoALTz> transaction fees proportional to the block subsidy?
16:14 < MoALTz> *minimum
16:24 < maaku> MoALTz: ?
16:25 < maaku> the block subsidy currently has more to do with initial distribution than an ideal steady state
16:25 < MoALTz> wondering what the effect of setting the minimum transaction fee to be proportional to the block subsidy would be. it would make fees replacing the subsidy take longer, but would it matter?
16:31 < sipa> i doubt any minimum fee policy isn't going to mean much in the future
16:32 < sipa> it exists to protect the network from spammy-looking transactions
16:32 < maaku> 1) what sipa said, and 2) the minimum tx fee and block subsidy are not correlated
16:32 < sipa> but if the actual fee to have your transaction mined in reasonable time exceeds that anti-dos fee policy, it becomes useless
16:32 < helo> it would make the value of bitcoin go down, as future value would be reduced by exorbitant fees
16:33 < helo> but that is very long...
16:39 < MoALTz> the last question i have for now: would new altcoins with new (truly novel, not like all those forks) features be welcomed? or would they only serve as a distraction from bitcoin?
16:40 < sipa> i've been thinking (just thinking... i don't have nearly enough time to do so) to create an altcoin with many of the nice ideas that have been proposed over the years
16:41 < MoALTz> i think many of us have ideas that we'd like to embody into a new coin
16:41 < sipa> i'd consider it an experiment, though - not a currency
16:41 < sipa> like testnet
16:43 < MoALTz> one issue with a truly novel new altcoin being run as an experiment: people WILL try and keep the original experiment running, even if the creator tries to shut it down or change elements of it
16:43 < MoALTz> it's a genie out of the bottle sort of thing
16:43 < MoALTz> at best you'd be able to change its direction gradually
16:59 < gavinandresen> Just build an alt-coin with an expiration date: "There Will Be a New Block One Every January 1."
16:59 < gavinandresen> Call it JubileeCoin maybe
17:00 < sipa> or announce from the start that you've added a vulnerability that allows you to exploit the system in a serious way
17:00 < sipa> remaining vague enough
17:01 < MoALTz> that makes implementing it trickier though
17:01 < MoALTz> unless you mean issuing a fake threat
17:02 < sipa> that's *maybe* what i mean :p
17:02 < MoALTz> :)
17:03 < MoALTz> i overlooked the obvious though: just not releasing the source code
17:03 < sipa> that makes it pretty useless as experiment
17:04 < MoALTz> not at all, since you (the author) can still learn
17:04 < gavinandresen> sipa: the real problem is you don't really know you're secure until you have value. Because people won't spend lots of time attacking (or spend money defending) things unless they're valuable
17:04 < maaku> a lot of the stuff that's talked about here is getting added to freicoin ... eventually
17:04 < sipa> gavinandresen: i know
17:06 < sipa> i don't think you need actual economic value though, before people are interested in studying it
17:06 < sipa> anyway, all hypothetical anyway
18:05 < helo> maaku: so i take it that freicoin is staunchly against increasing the bitcoin block size limit?
18:07 < helo> since presumably freicoin nodes would want to be able to sync the bitcoin blockchain as easily as possible
18:08 < maaku> i'm not sure I follow
18:08 < pigeons> freicoin uses its own blockchain
18:08 < maaku> and no, we're for increasing as quickly and as much as is safely possible to do
18:08 < maaku> without risking decentralization
18:08 < maaku> er, centralization
18:09 < damethos> hey guys. Just thought to share this with u here since u might find some use. Just finished integrating testnet to our blockexplorer. https://www.biteasy.com/testnet/blocks
18:09 < helo> maaku: oh. i haven't had time to read about freicoin yet, but i was thinking it will enable one-way bitcoin-to-otherchaincoin transfers
18:09 < damethos> still fixing bugs etc but we will get there
18:10 < helo> so to know how much coin otherchaincoin has, you'd have to stay current with the bitcoin blockchain
18:10 < helo> and would therefore want bitcoin blockchain to be as small as possible
18:11 < pigeons> ah freimarkets will be yet another chain
18:11 < maaku> freimarkets private accounting servers is what you're thinking of
18:11 < helo> oh -markets
18:11 < maaku> same developers, different project
18:12 < maaku> but freimarkets will be deployed to freicoin
18:12 < maaku> but only the private servers track public chains - bitcoin, or freicoin
18:12 < maaku> freicoin stays independent of bitcoin, except merged mined pow
18:45 < eristisk> maaku: Freicoin does not have a merge minable POW blockchain, or at least they did not create it to be merge minable with Bitcoin's POW chain
18:47 < gmaxwell> eristisk: Freicoin will be changing in the future.
18:47 < gmaxwell> (also maaku is an expert on what Freicoin does and will do. :) )
18:48 < eristisk> Ah, ok, I thought it was commentary on the current state of things.
18:50 < maaku> eristisk: Freicoin will get merged mining with the introduction of Freimarkets, or if that fails to happen then at the end of the initial issuance (2 years from now)
19:00 < Luke-Jr> maaku: why might it fail to happen?
19:03 < maaku> well it's not something we are actively working on at this exact moment, or funded to do, so I wouldn't want to say with 100% certainty that it would happen
19:03 < maaku> but it is a priority in the near term, just not this exact moment (unless someone stepped in to fund us)
19:03 < maaku> i assume you're talking about freimarkets
19:04 < maaku> "if Freimarkets fails to happen"
19:07 < Luke-Jr> I mean merged mining
12:01 * jgarzik helped in the US Senate hearing prep
12:02 < phantomcircuit> jgarzik, sure...
but usually you'd at least try to pretend like you wrote it
12:02 < phantomcircuit> it seems like he hasn't even read the statement before
12:04 < phantomcircuit> lol question is lol
12:10 < TD> jgarzik: bitpay question for you. feel free to take it private if answers are sensitive in any way. how do you guys handle exchange rates for thinly traded currencies? it seems like CHF local trading has kind of broken today, because some wallets are showing the bitcoinaverage global cross-rate and others are showing the rate they calculate from actual trading data
12:11 < TD> and the spreads are enormous, mind-bogglingly huge
12:11 < jgarzik> TD, my answer: dunno :)
12:11 < TD> that answer is pretty sensitive :)
12:15 < phantomcircuit> so what im hearing is
12:15 < phantomcircuit> i should start a company that does exotic transaction types
12:28 < phantomcircuit> these guys are silly
12:37 < michagogo|cloud> phantomcircuit: exotic? Like what?
12:37 < phantomcircuit> ahah
12:37 < phantomcircuit> he cant pronounce nascent
12:59 < gmaxwell> is it over yet?
13:05 < jgarzik> gmaxwell, no
13:05 < jgarzik> gmaxwell, and it's fucking fantastic
13:05 < jgarzik> a must-watch
13:05 < TD> it is ?
13:05 < TD> damn. wish i was watching it now :)
13:05 < TD> what makes it so fantastic?
13:05 < gmaxwell> I've captured it.
13:06 < c0rw1n> jgarzik is this one better than the senate hearing?
13:06 < jgarzik> much better
13:06 < gmaxwell> should probably get someone to transcribe.
13:06 < jgarzik> a very, very in-depth, smart discussion
13:06 < jgarzik> ++
13:08 < gmaxwell> As soon as its done I'll upload it so people can transcribe.
13:08 < TD> thanks guys!
13:08 < jgarzik> well, OK, in depth and part an opportunity for these guys to pump their bitcoin stuffs
13:08 * TD has to run
13:09 < nsh> what's being discussed, where?
13:10 < nsh> Department of Financial Services?
13:10 * nsh tunes in
13:10 < jgarzik> it is a loose, free-wheeling discussion
13:11 < jgarzik> IMO the first True Bitcoin Hearing, with people asking tough questions
13:12 < nsh> good
13:16 < andytoshi> is BPP != P open?
13:19 < nsh> the entire hierarchy is up for grabs
13:20 < nsh> (specifically, everything collapses to P if the universe is really silly)
13:20 < gmaxwell> damnit, my battery went dead, and so I missed a bit most likely. :(
13:20 < nsh> :(
13:22 < nsh> i like this line of argument
13:22 < nsh> (not sure it'll be as well received by others listening though)
13:23 < nsh> andytoshi: these talks look interesting http://terrytao.wordpress.com/2008/01/10/distinguished-lecture-series-i-avi-wigderson-the-power-and-weakness-of-randomness-in-computation/
13:23 < nsh> (regarding BPP=?=P)
13:26 < andytoshi> thx nsh. i'm putting together a talk of my own and trying to figure out how to briefly discuss complexity..
13:27 < nsh> oh, cool. for what purpose?
13:28 < nsh> (i'd like to hear that talk if you get a chance to record it. or see the notes at least)
13:28 < andytoshi> it's just a first-year "everyone gives talks to each other" thing at my school. so i want to explain my public-fhe problem..and snarks, because that's the coolest application i can think of
13:29 < andytoshi> but i only have an hour and these people are pure math folks. so i'm having a tough time compressing material :P
13:30 < andytoshi> if i think it'll work out i'll try to record it
13:33 * nsh nods
13:37 < jtimon> later charlee lee? let's see if he says things like "freicoin is like the usd" and "merged mining would destroy your alt because miners would mine it for free" again
13:41 < jtimon> I guess he won't be asked about that, but I'm always eager to hear new "sentences to remember" from him
13:42 * nsh smiles
13:42 < andytoshi> nsh: current plan is to run through complexity, "hard" problems, security models, several examples of cryptosystems which move information in weird ways with respect to the data flows, turing machines and arithmetic circuits, FHE, PCP and verifiable computing, SNARKs public-FHE
13:42 < jgarzik> Some of the questions and some of the answers were silly or off
13:42 < jgarzik> but overall, pretty good
13:43 < jtimon> I can't see anything, did it finish already?
13:43 < jgarzik> yes. resumes at 2:30pm
13:43 < nsh> andytoshi, sounds good
13:44 < jtimon> jgarzik what time is it for you now?
13:47 < gmaxwell> https://people.xiph.org/~greg/bitcoin_ny_hearing_1.ts https://people.xiph.org/~greg/bitcoin_ny_hearing_2.ts
13:47 < gmaxwell> second file has about :30 left in the upload
13:48 < gmaxwell> maybe it didn't actually miss anything since the streams would start a bit before realtime and I was probably only offline for two minutes, it's possible. I'm not sure.
13:48 < gmaxwell> I missed a bit at the beginning for sure.
13:49 < jgarzik> 1:49pm
13:49 < jgarzik> jtimon, ^
13:49 < jtimon> thank you both
14:01 < andytoshi> nsh: thx much for that terry tao link. it covers a bunch of what i want to talk about, and has a zk proof of graph 3-colorability which (a) is simple and (b) can be fiat-shamir transformed
14:02 < nsh> ah, great
14:03 < nsh> yeah, tao seems to be quite a mathematical legend
14:04 < gmaxwell> andytoshi: is it one where you give the labels or the edges?
14:04 < andytoshi> :P he is indeed.
14:04 < andytoshi> gmaxwell: you give the labels
14:04 < gmaxwell> if you only give the labels how do you know the graph is isomorphic to the query graph?
14:05 < nsh> i watched this talk by tao the other day -- very interesting:
14:05 < nsh> http://www.youtube.com/watch?v=PtsrAw1LR3E
14:05 < andytoshi> gmaxwell: there is no isomorphism involved, the graph and its edges are common knowledge
14:05 < gmaxwell> The classic ZK graph proof is that you commit to a bunch of permuted solutions and then the verifier challenges you to reveal either the labels or the edges.
14:05 < gmaxwell> (but not both, since that would give away the solution)
14:06 < andytoshi> yeah, i'm familiar with that one, that's why i was surprised to see this one
14:06 < andytoshi> i need to think about this, my first impression is that it's OK because the verifier knows the graph under consideration
14:07 < gmaxwell> oh interesting.
14:07 < andytoshi> you don't use an isomorphic graph, you use an 'isomorphic' coloring
14:07 < gmaxwell> you randomly pick an edge and only reveal that the two colors are equal.
14:08 < andytoshi> for proving more structural things, eg the existence of hamilton cycles, you need an isomorphic graph..i'll be glad if i can avoid that because mathematicians never get that "isomorphic" does not mean "obviously the same"
14:10 < gmaxwell> well it's nice because you can just wave your hands and say "3-coloring is NP complete"
14:10 < andytoshi> yep :)
14:11 < justanotheruser> Given a network with topology like bitcoins, is it possible to send a message directly (not broadcasted to everyone else) in a zero-knowledge manner (your message somehow finds a path to him, but no one knows that path).
14:12 < andytoshi> justanotheruser: if you have a view of the network you can do onion routing. though it's a bit hard to do without timing side channels
14:12 < gmaxwell> andytoshi: Why can't you just paint everything blue?
14:12 < andytoshi> by 'a bit' i mean in the limit it's impossible, eg if you're the only one doing it everyone can see that it's you
14:13 < andytoshi> gmaxwell: are you talking about the graph problem?
14:14 < gmaxwell> andytoshi: the 3 coloring zk proof. Why can't I just commit to everything blue (e.g. all the edges at a vertex the same color). As it was described there appears to be no test for this.
14:15 < andytoshi> gmaxwell: you are coloring the vertices
14:16 < andytoshi> ..i'm having trouble in that i don't understand how you can commit to one of three colors that can't be forged with roughly 3 tries
14:16 < gmaxwell> oh derp, right, the test should be that they're not the same not that they are the same.
14:17 < andytoshi> :P. it seems to me that if you are doing SHA256(color + secret) or something, you can easily change your secret so you have no commitment. but if there is no secret then the verifier can see right through the commitment so it is not zk
14:18 < andytoshi> wait, i'm an idiot, never mind
14:20 < andytoshi> somehow i was thinking the colors were the commitment and the hashes were what you were proving you had :P
14:22 < justanotheruser> andytoshi: I had an idea to stop timing side channel attacks. But the real question was how do I get my message to someone without knowing their IP
14:24 < andytoshi> if all messages are broadcast, you can 'identify' people by their public keys. just broadcast a message that only your target can encrypt. but this is probably very easy to sybil.
14:25 < andytoshi> you need to have some information about the nodes you are hopping between to avoid sybils
14:25 < andytoshi> decrypt*
14:27 < justanotheruser> andytoshi: yes, nodes would have to have some PoW or PoS to prevent sybil
14:55 < nsh> gmaxwell, did you and/or andytoshi classify/specify the graph problem you were working out from coinjoin transactions
14:55 < nsh> iirc to give an estimate of the number of participants
14:56 < nsh> there were some brief notes or something, i last remember
15:58 < michagogo|cloud> Hmm, what plays .ts files?
15:59 < michagogo|cloud> (also, Chrome is trying to render those two files as text, rather than downloading them...)
15:59 < nsh> vlc generally plays anything that can be decoded into audio/video
16:00 < michagogo|cloud> Ah, I think I have that installed
16:00 < michagogo|cloud> Thanks
16:00 < nsh> np
16:03 < gmaxwell> michagogo|cloud: VLC, mplayer, ffmpeg
16:05 < andytoshi> nsh: not sure if somebody answered you about the coinjoin graph problem
16:05 < nsh> wb, not yet
16:05 < nsh> was interested because a problem in tahoe-lafs looked quite (superficially) similar
05:34 < adam3us> yeah I was wondering as a trend if FPGAs can get closer to ASIC in density, and reduce the ASIC/FPGA performance gap, and that as seemingly moore's law may top out with current fab around 5nm, then the next stage is more cores, more CISC designs, and reconfigurable - eg if you have some GPU units on the die, why not a slab of FPGA; we already have microcode, why not lower (hw) level reconfigurability as an on die FPGA co-processor
06:03 < wumpus> adam3us: so you're counting on the overhead for (low-level) programmability to go down; any specific reason for that?
06:03 < wumpus> it would be great, agreed though
06:06 < adam3us> adam3us: they're running out of other options, and the intel & amd & arm chips are getting more and more cisc. gpu, mmu, power regulator, level 4 cache, more simd instructions, special crypto instructions, codec instructions. seems like the next step. (I am not a hw person tho). so if there is room, and fpga are maybe not so widely used vs cpu so maybe with more r&d focus that asic/fpga gap could be closed somewhat
06:08 < wumpus> there certainly seems to be a trend toward lower-level many-core parallelism programmability in newer architectures (parallella, xmos), but not entirely at the gate level, it's more GPU-like from what I understood
06:10 < wumpus> one of the (sw) problems with FPGAs in general-purpose computers is sharing them between applications, it's a limited resource users may not easily understand. GPU vendors spend a lot of work on context switching / multitasking, but on an FPGA that may be harder.
06:15 < wumpus> of course, if you have a fast programmable FPGA or one that supports partial reprogramming you could maybe dynamically allocate gates, but from what I've seen up to now reprogramming an FPGA isn't quite as granular/fast
18:23 < gmaxwell> Interesting: I emailed Colin Percival and expressed my concern that the scrypt cost assumptions may be inaccurate due to a failure to account for energy consumption and asked if he'd performed or was aware of anyone else performing an analysis which included energy consumption.
18:24 < gmaxwell> He responded and said "I'm not aware of any analysis which includes energy consumption. I don't
18:24 < gmaxwell> know anyone who has looked at this who has the necessary expertise in
18:24 < gmaxwell> microfabrication technologies to accurately predict how energy-efficient
18:24 < gmaxwell> a *custom* circuit could be."
18:26 < phantomcircuit> gmaxwell, hmm?
18:31 < gmaxwell> phantomcircuit: New theory: Scrypt may be less effective as a KDF than the conclusions in the scrypt paper suggest because the analysis there did not include operating costs, just chip making: For number crunching chips the power cost outpaces the fabrication cost quite rapidly... and given a specific commodity hardware time budget scrypt cracker may actually use less power (than say sha256-pbkdf2).
18:33 < phantomcircuit> gmaxwell, that is certainly correct
19:01 < midnightmagic> wow
19:01 < sipa> such theory
19:03 < gmaxwell> maybe I can extract some data from the gridseed folks to allow for a scrypt asic cost model that includes energy.
19:03 < gmaxwell> (what I can't just extract from their data sheets is how the energy usage scales with the memory hardness parameter, not without knowing how much of their power is used by the dram vs the rest.)
19:09 < Luke-Jr> Anyone have any tips on boarding in Miami Beach? :/
19:09 < sipa> don't tell them you have a bomb
19:10 < Luke-Jr> s/boarding/lodging/
19:12 < jps> sipa: the NSA will never let Luke-Jr board the plane now
19:12 < Luke-Jr> NSA has no authority over that :P
19:13 < sipa> TSA...NSA... just 3 bits difference
19:13 < Luke-Jr> lol
19:15 < jps> I'm sure those guys get a shot at the no-fly list
19:24 < petertodd> gmaxwell: I'm thinking of just hiring someone with ASIC design experience to look at this stuff frankly
19:25 < petertodd> gmaxwell: the EE I was talking to yesterday said he had some contacts
19:25 < gmaxwell> petertodd: actually having built a scrypt asic trumps abstract experience. :P
19:27 < petertodd> adam3us: the FPGA overhead might get closer to ASIC overhead, but only in the sense of power limitations - you'll never get similar space limitations unless ASIC tech changes pretty drastically in ways that are rather unpredictable
19:28 < petertodd> gmaxwell: the ASIC was a single performance point - scrypt is tunable after all
19:29 < gmaxwell> petertodd: yes, but my _suspicion_ now that I've thought about it is that the power usage per user-tolerance-unit will go down as memory usage increases.
19:29 < gmaxwell> esp once memory usage is high enough to not fit in cache on commodity hardware.
19:30 < petertodd> gmaxwell: as is mine, but does that make asics more or less attractive? potentially *less* if commodity dram can be tuned the way we want it to be
19:31 < gmaxwell> I don't follow your argument but I suspect its on an entirely different subject matter than I'm talking about. I'm specifically concerned with scrypt as a KDF here, and I think this thinking invalidates the argument given in the scrypt paper, and that the result might be that scrypt reduces security against a well funded attacker cracking your password.
19:31 < petertodd> gmaxwell: e.g. scrypt with 4GiB might stress random access latency so much that everything but the ram doesn't matter at all
19:32 < petertodd> gmaxwell: no, I'm talking about KDFs - they're an easier problem than ASIC-hard PoW functions
19:34 < gmaxwell> petertodd: right, and if the power costs dominate after N months of operation, and the custom cracker has 10 fold lower power usage than an alternative one that used the same amount of user-tolerance budget but used sha256, then it wouldn't be a win.
19:36 < petertodd> gmaxwell: that's the thing though, your random access related hardware needs to run at full power and high speed, so the rest of the system may not be a big difference in terms of power
19:36 < petertodd> gmaxwell: of course, down the road FRAM tech could blow all these assumptions out of the water too
19:38 < gmaxwell> petertodd: well one way of looking at it once thinking about energy given commodity hardware is actually often made using state of the art technology, the task is to make the most use of the hardware the user has so how can you make commodity hardware use the most energy possible. Grinding against dram is _not_ the way to do that.
19:39 < gmaxwell> on a desktop PC, sitting in a tight inner loop on the SIMD registers in the cpu is.
19:39 < petertodd> gmaxwell: Are you sure about that? Because I'm not.
19:40 < maaku> what gmaxwell just said is definitely, 100% true
19:40 < maaku> waiting on the ram bus idles the CPU
19:40 < petertodd> gmaxwell: that *might* be true if the SIMD registers were power limited, but that's not at all a given
19:40 < petertodd> maaku: ram uses power to access
19:41 < maaku> very, very little power by comparison
19:41 < gmaxwell> it does but the power distribution is just not comparable. you're talking about 20w vs 100 watts.
19:41 < petertodd> gmaxwell: the problem is if your algorithm ever winds up not being power limited, then someone can go build an ASIC for it
19:41 < gmaxwell> petertodd: yea sure, the assumption I started out with is that the commodity hardware is already an efficient implementation of everything it does, which isn't true... indeed.
19:42 < gmaxwell> But to the extent its true the KDF problem is just a matter of using all thats available... use the most gates the most power.. etc. make the most use.
19:42 < petertodd> gmaxwell: yeah, and that's an enormous problem. I'm sure you can make a PoW/KDF algorithm that targets *a* cpu family and uses it 100%, but that's not very interesting - you'd just as easily use a KDF with very tunable params to economically stay ahead of attackers with ASIC-dev costs
19:42 < poggy> is it plausible that energy costs would be a limiting factor or is this just a mental exercise?
19:43 < petertodd> poggy: it's plausible, but not certain
19:43 < gmaxwell> And if power costs dominate, you probably don't want to touch the memory at all... because the computer cannot burn 100watts accessing ram. and even if you imagine that its ALU is 4x less efficient than an optimized one, it probably still can burn more efficiency-weighed-power in the ALU.
19:44 < gmaxwell> poggy: it is the case that for computation tasks operating longer than a few months energy is more expensive than fabrication with modern processes.
19:44 < poggy> ah ok
19:44 < gmaxwell> How that balances out exactly is another question.
19:44 < gmaxwell> You have to run for a long time before fabrication is negligible.
19:45 < petertodd> gmaxwell: but look at the system as a whole: quite possible the lower power density of ram per unit area is irrelevant on a system wide level because you can't necessarily remove head from higher density effectively anyway
19:45 < petertodd> s/head/heat/
19:45 < gmaxwell> that works against the user, not against the attacker.
19:46 < petertodd> no, it works against the attacker for PoW for sure: removing low-grade heat cheaply with fans costs very little. For KDFs, that's less certain.
19:47 < petertodd> remember for PoW one argument for decentralization is that the heat can be useful - of course if someone comes out with a ASIC process that can run at hotter temps...
19:47 < gmaxwell> oh I misunderstood what you were saying, I was not arguing in terms of unit area.
19:47 < gmaxwell> I'm arguing in terms of whats actually in a PC.
19:47 < poggy> are there any hybrid functions?
19:47 < gmaxwell> e.g. how much attacker joules can 1 second of a PC possibly require.
19:48 < poggy> requiring both memory and gpu(or whatever)
19:48 < gmaxwell> And I believe that large memory memory hard requires fewer attacker joules simply because the PC only has
17:11 < Emcy> and why didnt they use something better for the xbox. Im sure their codec was some 64kbs cbr shit right up until last month. Everyone so scared of patents.
17:13 < zooko> patents are scary
17:14 < Emcy> yeah its a shame that a competitive free/libre/nopatents video codec will probably never happen cos of that shit
17:14 < zooko> Hey does anybody have a good list of patents that probably apply to NTRU cryptosystem?
17:15 < zooko> cryptosystems, I meant to type, i.e. PK encrypt and dig sig.
17:15 < gmaxwell> NTRU is such an engineering mess in general.
17:16 < gmaxwell> The history of commercial cryptosystems has been a sad one. No one wants patented crypto, even if its awesome.
17:16 < Emcy> i don't actually understand how you can patent maths
17:16 < zooko> OCB
17:17 < nsh> where's context-aware acronym-explainer-bot when you need her
17:17 < maaku> Emcy: you can certainly patent applications of math
17:18 < Emcy> but everything is applications of maths
17:18 < gmaxwell> if you can't patent applications of math then with enough layers of handwaving you can't patent anything, after all we could all just be running in a simulation.. and what is a cotton gin but a pattern of information? :P
17:19 < Emcy> that's one zinger of a reductio ad absurdum :P
17:20 < Emcy> but you're right, where does it end
17:20 < gmaxwell> well, so is saying that a practical cryptosystem is "just math", in terms of the stuff the patent system was created to do a cryptosystem is something people work hard at to invent... sooo. Of course, it doesn't usually work out, because trust in these systems generally requires them to be public infrastructure... and public infrastructure abhors the toll tax.
17:21 < Emcy> only if you want to make money off your system?
17:22 < Emcy> yes, lots of unfortunate opposing imperatives trying to do Something Good under capitalism......
17:22 < gmaxwell> well, so long as things cost money doing things with no prospect of making money may be somewhat ill-advised. ::shrugs:: no easy answers.
17:22 < Emcy> also true
17:23 < Emcy> we need crypto-patrons.......
17:23 < gmaxwell> amiller: in any case, I think relatively compact snarks of sum-difficulty could be produced.
17:23 < gmaxwell> amiller: as in circuits that only take minutes to make a difficulty proof for some whole blockchain.
17:24 < amiller> i think so too.
17:24 < gmaxwell> though I think you'd want to be committing to blocks included in a fork that way, instead of just hoping they show up.
17:25 < gmaxwell> did you guys resolve the objection about convergence I started?
17:25 < amiller> i dunno
17:27 < gmaxwell> I think it's resolvable by committing all the blocks used in the calculation. ... but I think it must be solved. otherwise you could have two subgraphs of great additional difficulty each decided by an additional diff1 orphan added early to the fork... so you must relay the darn things
17:28 < sipa> any opinions about that israeli paper yet?
17:28 < gmaxwell> we were just talking about that, I think you weren't included on the email thread, you probably should be.
17:28 < gmaxwell> it has a lot of similarity to amiller's early ideas about orphan rate targeting blockchains instead of block time targeting them
17:29 < gmaxwell> Major unambiguous downside is a six hundred fold increase in SPV base cost (bandwidth/cpu). Though perhaps that could be solved by using snarks to prove difficulties.
17:30 < gmaxwell> there is some discussion over if their specific description is actually convergent or not, I don't think it is though it's easily possible I'm missing something, as I have not read the paper yet, but it could be fixed.
17:33 < nsh> i saw earlier that there's [some kind of] simulator. could that be used to test convergence?
17:34 < maaku> gmaxwell: they're suggesting lowering the interblock time, but i'm more interested in an apples-to-apples comparison: direct drop-in replacement for current fork-selection rules
17:38 < maaku> they seem to have focused on lowering the interblock time, but it's just as applicable to raising the block size
17:44 < amiller> nsh there's a nice simulator by ebfull that simulates mining and block propagation, especially to do the selfish mining simulation, and in your browser with a neat little visualization https://bitcointalk.org/index.php?topic=326559.0
17:45 < gmaxwell> maaku: ignoring the cost to lite nodes, why not increase the block size by lowering the time?
17:45 < amiller> it's basically fast enough with the graphics turned off to do simple monte carlo things
17:45 < gmaxwell> assuming you're willing to tolerate the reduction in goodput.
17:45 < nsh> amiller, ty
17:46 < gmaxwell> Probably the biggest thing to chase here is the goodput implications.
17:47 < maaku> gmaxwell: shorter cycles leading to centralization, mainly
17:47 < maaku> goodput?
17:47 < gmaxwell> The impact on litenodes can be fixed by turning the linked list of the blockchain to a MMR or skiplist and by using snarks to prove difficulty.
17:48 < gmaxwell> maaku: goodput is the actual amount of useful block data you can send, after removing the overheads from sending around orphans.
17:49 < maaku> yes those are my objections to lowering the interblock times: lite client poor performance, decreased goodput, and centralization
17:49 < gmaxwell> maaku: yea, okay, low enough latency has centralization issues, but so does large enough blocksizes. Figuring out how to navigate that is important.
17:49 < maaku> vs. the corresponding increase in block size
17:50 < gmaxwell> Yea, I think I already know how to solve liteclients well enough. The latter two are big open questions for me.
17:51 < maaku> i think we can probably get shorter intervals than 10 minutes. 1 second is ludicrous though
17:52 < andytoshi> fwiw, aviv says they looked at goodput in the paper, had calculated a worst case of 4%
17:52 < andytoshi> and he did some calcs which suggested that was tolerable
17:52 < andytoshi> from a bandwidth perspective
17:52 < gmaxwell> andytoshi: tolerable for what?
17:52 < gmaxwell> tolerable on my DSL?
17:52 < gmaxwell> :P
17:52 < andytoshi> yeah, he was talking 320kbps
17:52 < andytoshi> so, tolerable if you are doing nothing else :P
17:53 < gmaxwell> 1 second is ludicrous just compared to the radius of the world. I am on a ssh right now with a 200ms rtt (to NZ)
17:53 < gmaxwell> but I don't think there is any reason to waste time worrying about the specific number.
17:53 < andytoshi> yeah, 1sec seems crazy, but his goal is to have massive scalability
17:53 < maaku> not to mention it cuts off the Moon from the economic sphere of the Earth ... but I'm probably the only one who cares about that ;)
17:54 < gmaxwell> maaku: it's probably better to do that. We've already excluded mars in any case.
17:54 < gmaxwell> maaku: good fences make good neighbors. :P
17:56 < amiller> ahhh thanks gmaxwell i've been trying to think of what that quote was
17:57 < Emcy> are we really precluding economic warfare with the moon here? Wizards pls.
17:58 < amiller> bitcoins in spaaaaaace
17:58 < sipa> spacoins
17:59 * nsh is definitely in the pro-Moon-inclusion bloc
18:00 < nsh> it's the economic divisions that invariably lead to orbital colonies declaring independence
18:00 < maaku> well 10 minutes is inclusive of cislunar + l4/l5, so that's a pretty expansive area that would be able to participate in the bitcoin network
18:00 < Emcy> heh did you watch elysium too
18:02 < maaku> more seriously I'd love for someone to formalize the bang-for-buck advantages of increasing the block size vs. decreasing the interblock time
18:03 < maaku> my understanding is that we'd get higher tps for the same cost tradeoff by increasing the block size vs. faster blocks
18:04 < Emcy> the block interval is not changing ever
18:05 < maaku> Emcy: we'd be hard forking anyway to increase the block size
18:06 < Emcy> i just don't see it happening.
18:06 < maaku> I don't see the reason to lower the block interval either (unless you can get it to be sub-second, but relativity says that's not possible without centralization)
18:06 < Emcy> and i don't think the block size thing is as much of a done deal as people assume either
18:06 < maaku> But that's what people want, and the hypothetical scenario being explored by aviv's paper
18:06 < maaku> So I'd kinda like a formal response
18:07 < Emcy> do it on testnet
18:07 < maaku> Emcy: either bitcoin will increase its transaction throughput, or it will become irrelevant
18:08 < sipa> maaku: how do you see that happening?
18:08 < maaku> The only ways of doing that are decreasing the interblock time, increasing the block size, or moving to off-chain transactions (which eliminate the relevance of bitcoin-as-a-currency)
18:08 < sipa> no, they eliminate the relevance of bitcoin-the-network
18:08 < sipa> not of bitcoin-the-currency
18:08 < sipa> s/eliminate/reduce/
18:08 < nsh> why couldn't a second network be spawned?
18:09 < maaku> bitcoin-the-currency only has value because of bitcoin-the-network
18:09 < nsh> (not that this would be preferential to solving problems; just curious in theory)
18:09 < Emcy> i know which one i'd rather have fade in relevance
18:09 < sipa> maaku: i would like to agree with that, but i think that's completely untrue today
18:09 < nsh> why couldn't you have bitcoin-network-0 at saturation, and start another bitcoin-network-1 for spillover?
18:09 < sipa> what's the point?
18:10 < maaku> sipa: i think it's still true today. bitcoin-the-currency has speculative value because of the speculative future of bitcoin-the-network
18:10 * nsh shrugs
18:10 < sipa> maaku: i'm very unconvinced about that
18:10 < sipa> i think speculation happens because people see the value go up because of speculation because people see the value go up
18:11 < sipa> i think many, many speculators are actually very uncertain about the long term survival
18:11 < sipa> or maybe i'm just projecting my own opinion :)
20:24 < amiller> each party places down a *security deposit*, in addition to their bet, that is used to patch over the lack of computational ability in case one party doesn't cooperate
20:25 < amiller> so the choice in this paper is to make each deposit equal to N(N-1)
20:25 < amiller> in other words, the deposit is one *whole jackpot for every player*
20:26 < amiller> that's a pretty extreme deposit
20:26 < amiller> but it is giving pretty much the best possible guarantee, which is pretty cool
20:40 < amiller> i think i can do better
20:40 < amiller> i think there's a way to improve on the total amount of liquidity needed in their scheme
20:41 < amiller> suppose you're willing to wait for t rounds
20:42 < amiller> the first party puts in N coins, the second party puts in N-1 coins, the third party puts in N-2 and so on
20:42 < amiller> and you release people from their obligations in rounds :o
20:44 < andytoshi> so if parties do not show up, the number of rounds is reduced?
20:50 < typex> tl;dr
--- Log closed Fri Dec 06 00:00:35 2013 ---
--- Log opened Fri Dec 06 00:00:35 2013 ---
07:00 < typex> sorry about that. was drunk as fuck last night :-)
08:46 < Mike_B> cool paper! https://bitcointalk.org/index.php?topic=359582.20
08:46 < Mike_B> would love to hear gmaxwell's opinion when he gets up
08:46 < Mike_B> and has time to read
08:49 < _ingsoc> Mike_B: Would it have to operate as an alt?
08:49 < Mike_B> well, it seems like he's proposing a different way of considering transactions confirmed - orphaned blocks should also count as confirming tx's
08:49 < Mike_B> so you could adopt that rule in btc i guess
08:50 < Mike_B> but the idea is that once you adopt this rule it supposedly lets you shoot for a much shorter block generation time on average (1 sec he claims) without sacrificing security
08:50 < _ingsoc> Unlikely before getting some real-world data.
08:50 < Mike_B> right, i'm also skeptical
08:50 < Mike_B> i'm also curious if there are holes that can be poked in that... not entirely sure it's impossible to game it
10:20 < andytoshi> typex, probably the least regrettable drunk IRC posting I've seen..
10:23 < andytoshi> every bifurcation in a tree represents a halving of computing power, no?
10:23 < andytoshi> i'll have to read the paper..
10:24 < andytoshi> and having one block per second is going to cause massive network split effects
11:35 < andytoshi> ok, the way this tree block thing works is, when determining which block continues the main chain, rather than looking at which extends to a chain with the largest total difficulty, you look at which one extends to a -tree- with largest total difficulty
11:35 < andytoshi> so you are still thinking in terms of chains, but your "which chain is best" algorithm considers all active forks along the way
11:37 < andytoshi> they prove that each block is eventually accepted or rejected (i.e. this does not cause permanent network splits)
11:38 < andytoshi> they point out that in the current system, if there are a lot of forks happening for some reason, this drops the effective hashrate because tons of work is being thrown away, thus making a 50% attack easier
11:38 < andytoshi> they claim that this does not affect their system as badly
11:39 < andytoshi> these are all proven, but the statements and proofs are technical and i don't have the time for a detailed analysis
11:41 < andytoshi> anyway my impression is that this is worth taking seriously
11:43 < t7> andytoshi what if two inputs are spent differently in two different chains ?
11:45 < andytoshi> eventually one side of the fork will "collapse" as there is a greater subtree weight on that
11:45 < andytoshi> and as blocks are piled on the usual more-time-means-more-confirmation heuristic applies
11:45 < t7> ah
11:46 < andytoshi> because everybody looks at the greatest subtree weight to decide what to mine on, there is an avalanche
11:56 < amiller> hm
11:56 < amiller> are there any risks of using this?
11:57 < amiller> i feel like we had a reason not to want to do it this way but maybe it's fine?
11:59 < amiller> i'm trying to read and understand the security definitions...
11:59 < andytoshi> that was my thought too, but on a cursory review the math holds up
12:00 < andytoshi> so i'm trying to think about practical attacks, potential for DoS, storage/bandwidth usage..
12:00 < gmaxwell> amiller had suggested this before.
12:00 < gmaxwell> (or things substantially similar)
12:00 < amiller> so how did you talk me out of it, i don't remember :p
12:01 < gmaxwell> A couple reasons, one is that it's an enormous cost increase to lite codes (e.g. hundreds fold more bandwidth, potentially)
12:01 < gmaxwell> s/codes/nodes/
12:02 < gmaxwell> andytoshi: are they actually having new blocks commit to all branches of their past subtrees? amiller's idea was to do that. If they don't then I don't see how it's convergent.
12:03 < andytoshi> no, blocks commit only to a single parent
12:03 < andytoshi> i'm not clear how the parent is chosen when there are multiple options with no existing subtree
12:04 < gmaxwell> andytoshi: uh, so why do you and someone who joined the system later than you pick the same solution at all?
12:04 < gmaxwell> e.g. you and I get the same longest tree, but different forests, and so now later we choose different longest trees.
12:04 < andytoshi> after some time, new blocks will be mined on top of one or more of the options
12:04 < andytoshi> hmm, everyone starts from the same genesis..
12:04 < iddo> i think they say that each block does point to its
12:05 < iddo> ancestors
12:05 < iddo> maybe just for lite nodes optimization hmm
12:05 < gmaxwell> it has to be all of the ancestors needed to compute the highest difficulty, if they do that, then it's what amiller proposed before.
12:05 < andytoshi> for a given leaf node, there is only one ancestor (and only one chain back to the genesis)
12:05 < gmaxwell> if they don't I don't see how it can be convergent, because nodes will pick chains based on data that has no strong synchronization method.
12:06 < andytoshi> so, algorithm 1 on page 18 says what i'm saying here, it's like 5 lines and a bit more precise
12:07 < andytoshi> there is an assumption that everybody eventually hears about every block, and synchronization happens because long-term forks are unstable
12:07 < andytoshi> one or the other will have a stronger POW on its subtree, and then everyone will mine on that
12:08 < gmaxwell> But what mechanism makes you know there are blocks in your subtree that you need to have? amiller's orphan-targeting stuff handled it by blocks committing to the orphans their miners knew about.
12:08 < andytoshi> no such mechanism
12:08 < andytoshi> well, none that i saw
12:08 < andytoshi> the assumption is that every block propagates eventually
12:09 < andytoshi> so if you are missing blocks, that will give you a bad view of the network, but when the missing blocks come in your view will be corrected
12:10 < andytoshi> and since miners are incentivized to work on the strongest side of the fork, the likelihood that your view is so badly compromised that you think the wrong fork is correct, is very small
12:10 < gmaxwell> how do you prevent denial of service then? e.g. I constantly feed you difficulty 1 orphans for block 1?
12:10 < gmaxwell> you've got to take them, cause, you never know, all those diff 1 guys might eventually sum up to be greater than the current best.
12:10 < andytoshi> right, exactly
12:11 < andytoshi> i'm not sure
12:11 < andytoshi> hmmm
12:12 < gmaxwell> also, what about problems with goodput? lets imagine this with blocktimes of 1ms (e.g. way below the latency between nodes)
12:12 < andytoshi> not sure, i skipped over the propagation-time analysis
12:13 < gmaxwell> you would eventually converge on sufficiently old history, but you're spending all your bandwidth sending orphans.
12:13 < andytoshi> i think that's correct, my impression is that they did not look at bandwidth usage
12:14 < andytoshi> i wish they had published a shorter version that did not spend so much time discussing common knowledge about bitcoin..
12:14 < gmaxwell> liquidcoin (coin with fixed difficulty) basically melted down because it eventually was using all its bandwidth/cpu just switching between a zillion distinct forks and no longer making much progress.
12:14 < andytoshi> the opposite of solidcoin ;)
12:16 < pigeons> same as geistgeld but geistgeld was sha256 liquidcoin scrypt
12:16 < andytoshi> i expect if you were to ask the authors this, they would try to come up with some heuristic for ignoring spam blocks
12:17 < andytoshi> in the limit, you ignore all but the highest-difficulty chain, and you get bitcoin
12:17 < andytoshi> and it seems like anything weaker than that has the potential to cause forks when peoples' definition of "spam" diverges
12:17 < andytoshi> so you'd need to just accept everything, which is what this paper proposes
12:18 < iddo> gmaxwell: about DoS by feeding you diff 1 orphans for block 1, i think that they claim that your node can ignore the orphans until someone does enough PoW to send you many orphans together and prove to you that his subtree should win
12:18 < andytoshi> ...and then gmaxwell's "spam a trillion diff-1 blocks" attack would work
12:18 < gmaxwell> andytoshi: yea you could have any amount of difference between two subtrees.
12:19 < andytoshi> iddo: if a node doesn't know everything, he can't prove or disprove that a certain subtree will win
12:19 < andytoshi> and that'd certainly be the case for every node in a high-block-rate network
12:20 < andytoshi> so if you ignored blocks just because the sender couldn't prove they were worthwhile, you'd end up ignoring everything.
12:20 < andytoshi> and again your ignoring heuristic creates potential for a long-term split
12:21 < amiller> maybe this is an important thing to simulate?
12:21 < amiller> they've gone through the trouble of formalizing what the algorithm should be
21:27 < gmaxwell> What I think their design is doing is taking advantage of the fact that the scrypt engine is area limited while the bitcoin work is thermally limited... so they get a part that basically does both for the costs of one. (well, their prices are high, but that's markup)
21:28 < brisque> gmaxwell: oh I totally misread the email from the seller, I thought it was over 10W/gh for the sha256 side.
21:28 < andytoshi> nice interview adam3us1, i wasn't familiar at all with hashcash
21:28 < andytoshi> ..except there was a discover article which mentioned it in passing in 2004 or so
21:38 < gmaxwell> hm... this actually suggests a flaw in the scrypt paper. The argument for scrypt is based on chip area. But it really should be based on total costs including energy.
21:39 < gmaxwell> since a cracking chip ends up being thermally limited, increasing the area required may not actually increase costs much at all.
21:42 < brisque> rather than being thermally limited, couldn't it be that they just couldn't fit a second scrypt scratch pad in and just put a sha256d core there to fill the space?
21:42 < andytoshi> increasing the die size should increase the cost/unit proportionally, no? the wafers are a fixed size
21:51 < gmaxwell> andytoshi: no, not when you need to waste area just to act as heat spreading, and not when your total costs for your cracking infrastructure are dominated by energy.
21:51 < gmaxwell> In fact, it may even be counterproductive (e.g. reducing the energy ratio between attacker and defender enough that the attacker's advantage increases)
21:53 < gmaxwell> it's currently the case that any piece of high performance computing's energy costs surpass manufacturing if it's operated for more than a few months.
21:54 < brisque> is a piece of bitcoin mining gear worthwhile after a few months?
21:54 < brisque> currently it's not.
21:54 < gmaxwell> brisque: sure. lol. careful with those exponential extrapolations.
21:55 < brisque> gmaxwell: oh I'm not predicting based on them, just observing that it's currently fairly vertical.
21:55 < gmaxwell> my b1 avalons still mine 3x their power cost, ... and keep in mind that decrease in returns is exclusively driven by competition from more power efficient devices.
21:55 < gmaxwell> I'm not talking about mining now in any case, I'm talking about KDFs.
21:56 < brisque> any sensible KDF wouldn't have used the settings Litecoin picked though
21:57 < gmaxwell> yes, but the 'sensible' settings would make this discrepancy worse, not better.
21:57 < gmaxwell> e.g. you can choose between two KDFs that take 500ms (user tolerance threshold). It's possible that the memory hard one is actually cheaper to attack once you've factored in power costs because it performed far fewer operations in that time because it was spending time waiting on memory.
21:58 < gmaxwell> the scrypt paper computed costs purely based on area, not power. This is clearly incorrect thinking because on any fixed computing infrastructure the power costs are greater. Though I don't know if it happens to break their conclusions.
21:58 < gmaxwell> The gridseed parts suggest it's a wash at the parameters ltc used.
21:59 < brisque> if not memory hard, what is the ideal KDF?
21:59 < gmaxwell> But I'd expected that more memory usage would not increase power usage, but would make it slower on desktops (e.g. fewer operations within the user tolerance window). But that would be interesting to crunch through and see how the numbers work out.
22:01 < gmaxwell> brisque: well the correct question is given the commodity hardware the users have, the user delay budget, and the most optimal possible attacker hardware, what parameters minimize the attacker's advantage.
22:03 < brisque> 500ms is probably on the low side of what a user could tolerate. it's amazing what spinning indicators and progress bars can do to alter the perception a user has of a slow operation.
22:03 < gmaxwell> The Scrypt paper argues that very memory hard things minimize the attacker's advantage because it forces the attacker to spend more mm of silicon. I now think this is suspect because mm of silicon is a minority of a large scale attacker's costs... though that doesn't mean that there isn't some particular non-zero memory hardness level that produces the smallest ratio.
22:04 < gmaxwell> It was a random number, it doesn't actually matter.
22:04 < gmaxwell> and fwiw, 500ms w/ bitcoind to authorize a transaction is actually irritating when it's in the foreground.
22:05 < brisque> I know, but I've always found it fascinating how users perceive different delays. in a shell a few millisecond delay is horrible, yet people wait 20 seconds for microsoft word to start.
22:05 < gmaxwell> (our kdf is 100ms by default which is pretty much imperceptible... there seems to be a somewhat sharp wall on delay between imperceptible and annoying somewhere around .5s.)
22:05 < brisque> if the signing happened in the background and took half a minute it wouldn't matter in the slightest.
22:06 < gmaxwell> brisque: well except that it can't even tell you if you typed the key wrong until after the delay.
22:06 < brisque> well it would if the password was typed incorrectly, but it's the fact that the interface shows the latency rather than hiding it.
22:06 < gmaxwell> the fact that you need to be sure you can get the user's attention again and that you can't report success until after it's done makes it harder to hide.
22:07 < gmaxwell> in any case, as I said it's irrelevant. There is some budget, wherever it is. The question is how do you best use it to increase the attacker's total cost.
22:09 < brisque> probably by avoiding both cases. a very complex algorithm would be a hindrance to hardware implementations, wouldn't it? you avoid the energy saved by waiting around for memory, and you avoid making very simple hashing cores like for sha256d.
22:10 < brisque> that is, you have the best of both worlds. high power cost for the attacker and massive die space.
22:15 < gmaxwell> brisque: no. a very complex algorithm just increases the engineering work, but that's probably small compared to other costs for a large scale attacker.
22:15 < gmaxwell> After all, your own computer runs the complicated algorithm.
22:19 < brisque> gmaxwell: right.
--- Log closed Wed Jan 22 00:00:50 2014 ---
--- Log opened Wed Jan 22 00:00:50 2014 ---
00:50 < petertodd> gmaxwell: nifty chips - vitalik claims they're going to do a PoW (+PoS) competition - I predict it's going to be a horrible failure because they don't even have the skills to properly vet candidate judges...
00:52 < petertodd> gmaxwell: incidentally, I was talking about PoW with an EE unfamiliar with the field, and he independently thought of the area-power re-use thing immediately, which I think indicates how utterly out to lunch 95% of the people here are (scrypt authors included)
00:52 < gmaxwell> petertodd: well and everyone participating has an incentive to play up their advantages. It's also predicated on a goal which is not proven to be objectively worthwhile.
00:53 < gmaxwell> yea, this wasn't obvious to me before. Now it really would be interesting to go analyze scrypt power usage and go compute up the total costs.
00:53 < petertodd> gmaxwell: meh, the other thing the EE immediately saw was how important the goal was - he understood damn well how easily niche technology gets regulated out of existence
00:53 < petertodd> gmaxwell: it *is* an existential threat and figuring out how best to solve it is very important, even if only to make sure the threat doesn't actually happen
00:54 < petertodd> I really suspect there's some interesting games you can play with power gating memory and scrypt - for instance you could probably make a low-power dram implementation that doesn't refresh ram and accepts errors in exchange for low power (another thing that EE immediately thought of)
00:55 < gmaxwell> actually the lifetime of the required memory is so low it probably doesn't need refresh.
00:56 < petertodd> that's the *problem*! DRAM controllers already take that into account, but on top of that optimization you can probably push voltages even lower than standard, and maybe even use some simple, and custom, prediction stuff to shave it even further
00:56 < gmaxwell> scrypt access patterns are somewhat unpredictable so it would be hard to just size the capacitors so that it never failed, but you could still get failure rates as low as you want.
00:57 < petertodd> yeah, and economically optimal is going to be very high failure rates by conventional standards
00:57 < petertodd> probably orders of magnitude higher - so much so that the design will be 100% custom
00:58 < gmaxwell> yea, existing mining hardware runs fine at failure rates around 1%. e.g. stuff ships out of the factory with ~1% of returned nonces being wrong.
00:58 < petertodd> existing computers have failure rates probably... I dunno, twelve orders of magnitude less than that?
00:58 < gmaxwell> you can't run commodity silicon at those error rates because something important will glitch out and it'll wedge.
00:59 < petertodd> well... that's changing though, because designers are being forced into that kind of error territory - we're also lucky that GPU's can tolerate higher error rates than other computing stuff, kinda
00:59 < gmaxwell> (this was actually one of the reasons gpu mining headlessly worked better: most cards could be pushed a lot further when they weren't displaying anything)
01:00 < petertodd> in any case, said EE thought my ideas about FPGA "cottage industry" PoW algorithms were feasible, because FPGA hardware these days can have a surprising amount of power gating and similar tech
01:01 < petertodd> similarly things like DRAM often have a lot of control over how the internals work if you're willing to attach it to a custom controller, and those controllers are FPGA-implementable with good performance
14:24 < gmaxwell> one of the limitations in all this verifiable computing stuff compared to MPC is that you can't keep secrets from yourself. ... but MPC doesn't really get you security in an anonymous model. if you had what you want you could have a publicly verifiable version of everything MPC can do.
14:25 < gmaxwell> For example, you could have a captcha POW coin.
14:27 < andytoshi> yeah, and the mere fact that we could get so much magic out of this suggests its implausibility. but idk, maybe we can get all or partway there. i'd like to spend some time researching this.
14:30 < andytoshi> probably 100% of what we've discussed in the last hour, if you asked me 18 months ago if any of it were possible, i'd have said not a chance. so i'm optimistic.
14:31 < gmaxwell> well, perhaps the existence of one way functions sort of suggests the possibility of it.
14:32 < andytoshi> my money is on their existence being ZFC-undecidable :P
14:33 < andytoshi> halting-complete rather
14:45 < andytoshi> another problem i thought of is that the key-derivation scheme could be malleable. that is, you can tweak the circuit and this changes the key in some predictable way, so you can still steal information about the input this way. so i thought, the KDF should basically evaluate the circuit but attach to each gate a one-way function which is somehow specific to that gate. and then i started to think
14:45 < andytoshi> it'd be very hard to preserve enough information through all this that i could decrypt the information in the end.
14:45 < andytoshi> decrypt the actual output*
14:46 < andytoshi> maybe you take the encryption key, run it through some shadow version of the circuit made of OWFs, then the output of that could be the trapdoor information needed to decrypt the output
15:47 < nsh> hmm
15:49 < nsh> occurs to me that the dynamics of difficulty adjustment are much more complex now you have pools supporting multiple coins leading to positive feedback from hopping driving instability
15:51 < nsh> there was a significant first-mover advantage with bitcoin in that slushy liquid hashpower was not even a thing until it was relatively mature
15:51 < nsh> to what extent that is balanced by lessons (theoretically) learned is another question
15:56 < maaku_> nsh: fickle hashpower utterly destroys alts with bitcoin's stock difficulty adjustment algorithm
15:56 * nsh nods
15:57 < maaku_> most adjustment algorithms used by alt devs are broken, on the other hand
15:57 * nsh looking at vertcoin, which seems to be an actual effort, at least
15:58 < nsh> 67 pages of trollcointalk thread is quite depressing though. wish there was a way of getting the 5-10 posts that are actually worth reading out
15:58 < maaku_> amiller: do you have contact details for the type theory language person?
15:58 < maaku_> that's someone I'd want to talk to about scripting extensions 16:07 < maaku_> nsh: there's also this, which we spent considerable time crafting : https://github.com/freicoin/freicoin/commit/d82a66e10f413bc81889b48a498625829353d701 16:07 < nsh> looking 16:08 < maaku_> i think gmaxwell would have preferred using bessel functions, but an FIR filter has worked fairly well so far 16:08 < nsh> i recall gmaxwell demurring somewhat. but i guess it's held out pretty well? 16:08 < nsh> right 16:10 < maaku_> it has made the problem go from catestrophic to merely annoying 16:11 < gmaxwell> I watched it for a while and it seemed fairly poorly controled, but I never looked at it before the change. 16:11 < maaku_> there is still a major hopping pool which regularly hits us when profitability creeps up, but only snags a couple of dozen blocks before the difficulty adjusts back up 16:12 < gmaxwell> I'd worry that if there were two of those it might be unstable. but apparently not in practice. 16:13 < maaku_> I don't think there's anyone else using the same filter, but there are mare than two using fast-acting filters 16:13 < maaku_> and that's what the coin hopping pools are doing, jumping back and forth 16:13 < maaku_> i'd be interesting in hearing ideas about a better filter 16:14 < maaku_> although I think there are some fundamental problems here that won't go away 16:14 < maaku_> e.g. there's only so much you can do to mitigate the damage 16:15 < gmaxwell> creating strategic behavior isn't so hot though. 16:19 < nsh> a bunch of coins could probably dampen the effects of pools hopping with a profitability peg 16:19 < nsh> perhaps 16:19 < maaku_> nsh: vertcoin looks like stock bitcoin difficulty adjustment (+ time traveller patch) 16:20 < maaku_> nsh: well, you'd think profitability-seeking is, well, profitable. but it is not 16:20 < nsh> (could be. 
haven't quite figured out what the NFactor scrypt difference is they're pimping)
16:20 < maaku_> due to coinbase maturity & distribution delays, they get the coins *after* dips in prices due to their activities
16:20 < nsh> right
16:21 < nsh> i doubt the pool operators have analyzed it very deeply
16:21 < maaku_> i've seen people model this, and it's almost always 10% or so worse than mining a single coin
16:21 * nsh nods
16:21 < maaku_> although there could be other strategies - e.g., mine the 2nd most profitable coin, in order to stay in front of the bigger pool hopper
16:21 < nsh> you could probably account for hysteresis to some degree but the uncertainty would eat into the profitability
16:22 < nsh> right, but that's not robust with many players
16:24 < maaku_> it does show that you'd have to do some serious game theoretic analysis to figure out what optimal strategies are
16:24 * nsh nods
16:24 < maaku_> and even then, you're battling human psychology, because we know that even the guiding hand of the market has led people to an inefficient strategy in practice
16:25 < nsh> i'm sure there's some law to the effect that people will always find a way to be more irrational than your models
16:25 < maaku_> so, in our case, we actually relied mostly on historical bitcoin data in the creation of our filter
16:25 * nsh nods
16:25 < maaku_> we figured it's better to design something which works well at that scale
16:25 < maaku_> than over-optimise to solve this particular problem, which by nature goes away if you are the chief coin (or MM against it)
16:26 < nsh> right
16:26 < amiller> maaku_, i don't want to say any more about it until i get his permission
16:26 < amiller> maaku_, but i showed him your utxo engineering page
16:26 < gmaxwell> maaku_: I'm not sure that I would have used that data in design other than a validation test.
The problem you need to engineer for here is a dynamic system problem so just some static data trace from bitcoin doesn't show you data from miners switching on and off in response to the difficulty.
16:27 < maaku_> amiller: well if you want you can show him this too: http://pastebin.com/5ScNX7vy
16:27 < maaku_> it's what I want his opinion on
16:27 < maaku_> and sounds like it might be related
16:27 < maaku_> gmaxwell: we used bitcoin, litecoin, and freicoin data
16:29 < maaku_> and a success metric of how close the chain would have stayed to 10 minute block times
16:31 < maaku_> interestingly the curves (various parameters vs simulated performance) remained the same for all three coins despite the different problems encountered by each. just noisier in the case of litecoin and freicoin
16:31 < maaku_> so we picked the fastest-acting values which were noise free, which by coincidence were also the best for bitcoin
16:36 < nsh> how was noise-free defined?
16:37 < gmaxwell> maaku_: I'd think that what I'd want to do is use the bitcoin/litecoin blockchain and market data to derive parameters for a model of miner behavior. (e.g. how fast do miners add and remove hashpower when it's (un)profitable.) and then calibrate the control system against the miner model.
16:53 < maaku_> nsh: 1000's of simulations run, results plotted, then eyeballed
16:53 < nsh> right
16:53 < maaku_> so, tight grouping of data points
16:53 * nsh nods
16:53 < maaku_> unfortunately all this work is on another hard drive
16:54 < maaku_> or i'd dig up some of the graphs
16:55 < nsh> no worries
19:30 < jtimon> gmaxwell maaku_ nsh I think it's the chain-hopping algos and not the filters that need to improve most, provided that you have a responsive enough filter
19:31 < jtimon> they are really dumb
19:31 * nsh nods
19:32 < jtimon> they believe anything that's on some websites that calculate profitability simply from spot price without any look at market depth, volume or volatility
19:32 < jtimon> http://www.coinwarz.com/cryptocurrency
19:33 < jtimon> It's very easy to put a small coin on top of that list with little money
19:35 < jtimon> and hop-miners jump into shitcoin just to find out later that they broke the price when dumping their mined coins into the market
19:36 < jtimon> a good algorithm just needs to target a time period, the market should make profitability tend to 0%
19:38 < jtimon> just not yet
19:40 < jtimon> I think the non-merged-mined SHA256 are in the worst position for chain-hopping
19:40 < jtimon> so I'm pretty happy with freicoin's filter, things will only get better when MM
19:42 < jtimon> and other coins that don't use the block height for demurrage care less about not being always 10 min
19:43 < jtimon> even terracoin survives with its random-like filter
19:46 < gmaxwell> jtimon: I'm more worried about things like long term behavior with fees being comparable in magnitude to subsidy and miners mining near breakeven in power cost.
19:47 < gmaxwell> and then things like filter overshoot making huge chunks of hashpower go unprofitable and shut off automatically. such a system could very likely be quite unstable.
19:48 < gmaxwell> e.g. a small overshoot oscillation magnifies until all the hashrate is turning off.
19:48 < jtimon> for the filter it's the same, you need to adjust rapidly when big hashing comes and goes
19:49 < gmaxwell> "it's the same"?
19:22 < arbart> So is there anyone you've heard developing an open bitcoin bank API / system, meant so anyone (the world) can run off-chain tx thingies to enable micro-transactions, and enabling a distributed nature of such (to allow people in different countries to implement them however works there), thus using something like probabilistic payments or something to settle bitcoin transfers across the 'banks' in a trustless manner? :) all
19:23 < petertodd> arbart: None that I've heard of - doing all that is a tonne of work and tricky to monetize.
19:23 < petertodd> Small-value payments just aren't worth much... and improvements in blockchain tech, or just the community accepting less decentralization, could easily make all our effort in vain.
19:25 < arbart> Yes, well why i was wondering the state of the art, or I guess opinion on where it is at, in third party ideas, or native bitcoin protocol, or what :)
19:25 < petertodd> arbart: basically state of the art re: what we know can be done is way, way ahead of what people actually do
19:25 < arbart> oh, and they aren't worth much each, but together they are more useful/powerful
19:26 < petertodd> e.g. proving balances are backed by real bitcoins is pretty easy, yet no-one's bothered AFAIK even though there's all kinds of bitcoin funds popping up
19:26 < arbart> Well my mission is to discover all the boundaries right now and then find which one I am best suited to help poke at :)
19:27 < arbart> oh interesting point
19:27 < petertodd> well, try writing one of these prove-a-balance schemes! it's reasonably easy, and would be a nice thing for us to be able to show as an example
19:29 < arbart> I can't argue any of that! That's an awesome idea then, thanks :)
19:31 < petertodd> np
19:32 < arbart> What were you thinking then, a whole system?
As simple as an rpc call in bitcoind that is something like signs some proof message with the public key? (is that a good way to do it) Or what level of 'system' were you thinking?
19:34 < arbart> Oh, and thank you for the summary of the state of the art then :) Your tree-chain idea though is quite interesting and will plague my thoughts for some time to come I'm sure.
19:35 < petertodd> haha, mine too!
19:36 < petertodd> arbart: doesn't have to be fancy, just something that has some python or whatever functions that take a list of balances, commit them to a txout, can spit out short proofs, and finally can verify those proofs is enough
19:36 < petertodd> that'd implement everything a cold-storage bitcoin investment fund would need
19:41 < arbart> I know C (enough ++ boost pain that I grokked the original Satoshi client) and Java.
19:41 < arbart> Should I be learning python?
19:42 < petertodd> arbart: the python bitcoin libraries aren't great, python-bitcoinlib is one I've done some work on, a javascript implementation of this would probably be more useful to a wider audience
19:44 < arbart> In that case, scarily enough I might take a look at the javascript avenue then :)
19:44 < petertodd> arbart: heh!
20:02 < arbart> petertodd: In your list of requirements, I don't understand the 'commits them to a txout'. By that is it suggested the proof is a transaction that is output (just not published to network, but passed by hand / posted on /investors website)?
20:03 < petertodd> arbart: by "commit" I mean the txout is of some form that makes it impossible to make fraudulent proofs for a second merkle tree
20:05 < arbart> Oh I see, to actually transfer the bitcoins as part of the proof process?
20:05 < petertodd> exactly! otherwise it's just a merkle tree
20:10 < arbart> petertodd: Would you vomit, if I used supernode as a library to do this?
20:11 < petertodd> dunno what supernode is
20:12 < arbart> A BSD licensed java implementation, not made by google.
20:12 < petertodd> ah, yeah, I dunno much about java anything
20:12 < BlueMatt> is anyone going to the financial crypto conf in march?
20:12 < petertodd> do what you want :)
20:12 < petertodd> BlueMatt: I am
20:12 * BlueMatt is pondering going...
20:12 < petertodd> BlueMatt: amiller is booked, and adam back said he was thinking of it
20:12 < BlueMatt> shit, now I have to go
20:13 < petertodd> BlueMatt: hehe
20:13 < jtimon> "commits them to a txout" sounds like "hash 'them' including a hash of a txout" I'm glad to hear I'm not the only one who gets confused when I hear that abstract data is "just simply" '" committed!?'" to other abstract data. I'm definitely not one of the math guys here, but I miss definitions quite often...
20:13 * BlueMatt ponders where to get funding from
20:13 < petertodd> BlueMatt: I'd offer to share a room except I already cheaped out on a single :P
20:13 < BlueMatt> damn
20:13 < BlueMatt> maybe adam3us would
20:13 < arbart> petertodd: Just wondering if that would limit the usefulness to the community much, not sure how people feel on that. I certainly don't like it due to oracle at least.
20:14 < petertodd> BlueMatt: what'd airfare be for you? you can get the student rates for the conf itself right?
20:14 < BlueMatt> yea, I could get student rates I'd think
20:14 < petertodd> arbart: like I said, a javascript implementation is probably most useful because it can go on a website to show people
20:15 < petertodd> arbart: beyond that, python is probably best, although python btc libs suck
20:15 < arbart> what js lib would you recommend, when I searched it looked like the only one wanted node. Are there any that will run in a browser and do what I need?
20:16 < petertodd> BlueMatt: well work out the total cost, decent chance someone could make it happen
20:16 < arbart> jtimon: thanks for that btw, helps me understand my lack of understanding :)
20:16 < petertodd> arbart: I assume whatever kyle drake is using for coinpunk would work?
20:17 < petertodd> jtimon: correct, we need a -wizards glossery
20:17 < jtimon> python libs https://github.com/monetizeio/python-bitcoin didn't get my hands into it yet, but it's maaku's fork from jgarzik, maybe too focused on committed utxo's
20:18 < BlueMatt> petertodd: now...where to get $2k
20:18 < jtimon> petertodd a glossary would be definitely a good thing
20:18 < petertodd> jtimon: I prefer my 'pythonize' branch at https://github.com/petertodd/python-bitcoinlib myself, but I am a little biased...
20:18 < petertodd> jtimon: yup, and spellcheck in my irc client...
20:18 < petertodd> BlueMatt: that's what it is for you?
20:19 < arbart> petertodd: Awesome, thanks for the pointer to coinpunk.
20:19 < BlueMatt> petertodd: well, incl the hotel +/- sharing a room...the flight is ~700
20:19 < petertodd> arbart: kyle seems pretty competent, so whatever he uses is probably good :P
20:19 < BlueMatt> oh, sorry, +500 for the conf...dur
20:19 < petertodd> BlueMatt: I managed my hotel for like ~$200, but I really cheaped out
20:20 < Luke-Jr> I wish I could cheap out in miami :/
20:20 < jtimon> well, when I don't understand you it's more often because you use foreign terms like I live in your head than because you misspell
20:20 < petertodd> BlueMatt: of course, if you get desperate, ask, and we can swap bookings :)
20:20 < Luke-Jr> I'll be lucky to get hotel alone for under $1000
20:20 < BlueMatt> petertodd: heh, well I suppose I could look harder at finding a real hotel instead of the conf one.....
20:20 < petertodd> BlueMatt: oh, the conf one is insane, IIRC mine was $40 a night
20:20 < BlueMatt> yea, thought so
20:21 < petertodd> single room, shared kitchen/bath - kinda a hostel
20:21 < petertodd> problem is they seem to be booking out :(
20:21 < BlueMatt> petertodd: yea, I had it on my calendar to figure it out but I forgot until today
20:21 < jgarzik> BlueMatt, RE fin crypto, trying to get core devs there
20:21 < jgarzik> Barbados, March 3-7, IIRC
20:21 < BlueMatt> yep
20:21 < arbart> While I'm a math guy, so I really should learn python, however, one idea I have would actually need javascript in browser able to generate transactions, so I guess coinpunk it is :)
20:22 < petertodd> jgarzik: you're gonna make this conf go from academia to bitcoin-central :P
20:22 < jgarzik> hey, I didn't start it
20:22 < petertodd> arbart: python is the one true language :) but yeah, in-browser is great for demos for people
20:23 < petertodd> jgarzik: of course, the actual bitcoin part is like one day out of seven
20:23 < BlueMatt> the foundation is a big sponsor...
20:23 < jgarzik> indeed
20:23 * jgarzik would probably only come in for the bitcoin part
20:23 < jgarzik> too many confs. if you go to them all, there's no time for real work.
20:24 < petertodd> BlueMatt: dunno I'd say "big" - they're sponsoring a one-day workshop, dunno what that means in terms of the whole thing
20:24 < Luke-Jr> jgarzik: no kidding, it's getting to the point where it's almost once every week it seems
20:24 < BlueMatt> petertodd: well...they have the largest logo, so that means they have no sponsors, really
20:25 < petertodd> BlueMatt: oh yeah? lol, the location is a bit suspect
20:25 < jtimon> another foundation, small sponsor, but funds free software more than PR, get listed can't lose anything http://foundation.freicoin.org/#/donations, sorry for the spam...
20:25 < Luke-Jr> jtimon: huh?
20:27 < jtimon> Luke-Jr I was continuing this "the foundation is a big sponsor..."
but yeah, sorry for the offtopic (if you're developing complementary currency-related free software [I think you are] then you should definitely get listed there to get 10% matched donations)
20:29 < petertodd> BlueMatt: you should prove your worthiness by writing up a quick app to do a SIGHASH_ANYONECANPAY fund for you to go :)
20:30 < Luke-Jr> petertodd: that also requires the donors to be "worthy" :P
20:30 < shesek> arbart, look into bitcoinjs-lib, vbuterin's fork is the most maintained one
20:30 < petertodd> Luke-Jr: the better the app is, the less worthy the donors need to be!
20:30 < shesek> and it works well in the browser with browserify
20:30 < Luke-Jr> petertodd: oh app :D
07:44 < petertodd> adam3us: yeah, something with just hashes is probably best - easier to be sure you have an efficient implementation
07:44 < adam3us> petertodd: so c = E_k(msg), e = E_b(k), publish c, e, bits b[32-255] and bits b[192-255]=0
07:45 < adam3us> petertodd: now you have to brute force decrypt e to find k by finding the missing 32 bits of b, when you find it it's obvious it's the right key
07:45 < adam3us> because it's much harder to find a collision in the 64 bits of b set to 0 (adjust to 80 or 128 even)
07:46 < petertodd> adam3us: yeah, but starting from random data I still can't prove I did that procedure honestly and came up with nothing
07:46 < adam3us> and so that allows fast verification, and then people can decrypt c and see what the msg looks like, even if it's garbage they're pretty sure it's the right key and proves work
07:47 < petertodd> oh I see, you're saying that there's only going to be one solution in the space...
bit risky there
07:47 < petertodd> you don't want it to be possible at all for people to create false proofs or consensus will break down
07:47 < adam3us> petertodd: well it would be almost impossible to find b != b' such that D_b(c) mod 2^192 == 0 and D_b'(c) mod 2^192 == 0
07:48 < adam3us> petertodd: if it's bits 128-255=0 there is no way they're going to be able to collide that.
07:50 < petertodd> adam3us: but that's not very adjustable re: difficulty - I either make it basically impossible to ever find that distinguished key in the space, or I make it possible to find one such key, and therefore possible to find a second
07:51 < adam3us> petertodd: well the bruteforce space is from the deleted bits 0-31 so that can be tuned
07:52 < adam3us> petertodd: and the strength of the assurance that they didn't cheat and make two solutions is separately tunable as the trailing 0 bits (80 or 128 of those)
07:52 < adam3us> petertodd: so you can choose those strengths independently
07:53 < petertodd> adam3us: ok, but this is the issue: from random data you won't be able to find a distinguished solution at all, therefore have no way of proving you did the work
07:54 < adam3us> petertodd: well it is true that it's a known solution proof of work... the person who did the encryption knows the solution so has a work advantage
07:55 < adam3us> petertodd: if someone sends random junk there is very likely no solution yes.
07:55 < petertodd> adam3us: but that's not the point! the point is to prove the case where no-one did any encryption and no solution exists
07:55 < petertodd> adam3us: what you're doing has a zillion easy ways to do it - it's not the hard part
07:55 < adam3us> petertodd: got it you want to prove this actually is random junk
07:55 < petertodd> adam3us: yes!
07:55 < petertodd> adam3us: I need to honestly prove that, so other people don't have to re-do that work!
07:56 < adam3us> petertodd: yeah i was never able to find a symmetric encryption PoW with no trapdoor that was efficiently verifiable... i tried back in 1997 ight, I'm assuming this needs moon-math
07:57 < adam3us> petertodd: and symmetric encryption search space was interesting because it has a maximum work.. ie we know it takes no more than 2^n work so you can not get more unlucky than that
07:57 < petertodd> well it's not about luck in this case: the work required is well-defined
07:58 < adam3us> petertodd: i left it as an open problem for research in the conclusion section in the amortizable hashcash paper
07:58 < adam3us> petertodd: different use case. but if we had that building block i think it could've been a solution
07:59 < petertodd> anyway bbl
08:01 < adam3us> petertodd: maybe u can get closer to it by defining a verifiable problem instance defined by the ciphertext. so like coelho merkle hash using the ciphertext as a deterministic seed. then the fiat shamir gives you possibility to only spot check the work. still fairly expensive though
08:08 < adam3us> petertodd: you can probably do it reasonably efficiently with the asymmetric PoWs like dwork & naor's eg use the ciphertext as a seed to define a big num, compute the square root of it mod p a large fixed prime. now people can verify the root PoW by squaring, and then try to say hash the number and use it as a sym key to decrypt. there is only one solution. it's reasonably efficiently verifiable. p has to be quite big to create much work they
08:11 < adam3us> petertodd: the down side of their approach is the asymmetry of work to verification is less extreme than with hashcash. bigger work tends to require somewhat bigger verification cost.
you are basically using a signature algorithm with weak parameters and breaking them in their other scheme so that maybe is a bit faster verification for reasonable work than square root
08:14 < adam3us> petertodd: unfortunately their non square root scheme has a setup time trapdoor like zerocoin (n=pq with p&q must be deleted and forgotten). it's the fiat shamir signature scheme (that introduced the fiat-shamir transform.)
11:01 < amiller> i was pretty interested to see this RSA UFO paper mentioned in zerocoin http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.28.4015&rep=rep1&type=pdf
11:01 < amiller> you get a sort-of RSA without any setup trapdoor
11:02 < amiller> would be really thrilling to get this for snarks somehow...
12:23 < maaku> 1A9Px42draCmgcYLC3xcsVZVmQV8YuGxuD
12:23 < maaku> sorry wrong channel
13:09 < adam3us> amiller: yeah but it's huge eh 40kbit key or something? i was thinking you may be able to shave some bits on it with a big online factorizing effort to see if you can find any feasible ones like any < 512-bit factors with some effort. it's a composite n=p1*..*pk for variable sized and unknown p, with a statistical argument that at least two of them should be > 512-bit (or whatever the security margin is)
16:21 < petertodd> sigh, I'm going to miss playing the exciting game "Is that dewer full of liquid helium, or liquid oxygen?"
16:21 < petertodd> maybe I can convince mastercoin to fund some QC miner research?
16:22 < petertodd> I technically it'd be ASIC hard...
16:22 < petertodd> *I guess
16:24 < michagogo|cloud> petertodd: Do you mean Dewar?
16:24 < petertodd> michagogo|cloud: lol, yeah
16:25 < sipa> to dewar, that means to make peace?
16:25 < petertodd> sipa: I think you should stick to your day job... :p
16:25 * maaku groans
16:26 < petertodd> Trying to wrap things up at work... First time I've had to do that with non-trivial projects, and it's not proving to be very easy.
16:30 < michagogo|cloud> sipa: ...
16:31 < michagogo|cloud> I'm assuming that was a joke, but if not, http://en.wikipedia.org/wiki/Cryogenic_storage_dewar
16:32 < sipa> yeah, it was a joke :)
16:33 < petertodd> For the peanut gallery full of investors, the dewar I'm talking about is related to the quantum stuff I do for the mining company I was working at.
16:33 < petertodd> I suggest you sell all your Bitcoins right now.
16:54 < phantomcircuit> petertodd, why?
16:55 < phantomcircuit> just have to mine the transactions spending my pubkeyhash bitcoins to my lamport sig bitcoins
16:57 < petertodd> phantomcircuit: well actually in theory a QC computer can do a sqrt(bits) (or was it bits/2?) speedup compared to a conventional computer for even hash functions
16:58 < petertodd> phantomcircuit: though I suspect QC computers will never be developed - they're basically infinite precision analog computers and that doesn't sound very physical to me
17:07 < nsh> petertodd, at least one quantum computer exists.
17:07 < nsh> (unfortunately we're inside it)
17:08 < petertodd> heh
17:10 < maaku> QC works just fine for God, I don't see why you've got a problem with it :P
17:10 < helo> i was happy to read about the revelation that our brains/consciousness relies on quantum tricks
17:10 < maaku> helo: very off topic, but I wouldn't put much credence in that
17:10 < helo> yeah :/
17:11 < maaku> helo: mysterious answer for a mysterious question
17:21 < sipa> petertodd: not sure where i read this quote, but it says that QC is essentially trading NP-hard runtime for NP-hard engineering
17:22 < helo> heh nice
17:23 < petertodd> sipa: that's an excellent description - my coworkers echo that sentiment
20:38 < maaku> is there any reason to change the initialization values when performing truncated hashing, as NIST recommends for its
20:38 < maaku> *for its truncated modes?
23:10 < phantomcircuit> petertodd, it's /2
--- Log closed Tue Jan 21 00:00:48 2014
--- Log opened Tue Jan 21 00:00:48 2014
10:10 < jtimon_> fund Jamaican bobsled, such pump. fund dogemarket, to the moon http://maaku.github.io/dogemarket.org/
10:21 < _ingsoc> Hahaha. Nice.
12:02 < petertodd> jtimon_: the amoral marketer in me thinks maaku's use of dogecoin to pump freimarkets is very shewed
12:03 < jtimon_> can't find shewed...
12:04 < helo> shrewd
12:04 * petertodd hooked on fonics worked for me
12:04 < jtimon_> we have more stuff in mind "Litemarkets: like gold to colored coin's silver"
12:05 < petertodd> jtimon_: I think you need a cheese analogy, because you can find that kind of thing on the moon
12:06 < jtimon_> apparently people didn't understand what free software means and kept complaining about freicoin's demurrage and foundation when talking freimarkets
12:06 < jtimon_> so maybe people get it this way...
12:07 < petertodd> jtimon_: lol, though speaking of, I noticed that doge's issuing scheme is bugged and results in 5% inflation forever (noticed == saw on reddit)
12:07 < petertodd> jtimon_: hilarious that actually matches almost how I think crypto-currencies should work!
12:07 < jtimon_> and if those dogs are funding the jamaican bobsleigh team...
12:07 < petertodd> heh
12:07 < petertodd> I'll have to buy some
12:08 < jtimon_> maybe the perpetual inflation was on purpose, some other alts have it
12:08 < petertodd> well the github discussion seems to indicate it wasn't, but anyway, happy accident
03:40 < gmaxwell> This all sounds a lot like type-2 derivation, but it doesn't have the unzip problem: having the session private key doesn't help you derive any other session private keys.
03:41 < gmaxwell> (In IBE (identity based encryption) this is all used a bit differently: the master keys are held by a CA, and the session ID is your email address, and now anyone can make a public key for you but you need the CA's help to get your private key)
03:44 < gmaxwell> In fact, if we use this only to encrypt bait, then we can make it more deniable by leaving authentication out of the cryptosystem.
03:45 < gmaxwell> E.g. the includes an encryption of a random value with the least significant 8 bits set to zero. Incorrect decryptions will sometimes turn up fake matches.
03:49 < adam3us1> gmaxwell: ah nice. its absolute worst case failure mode is what peter was proposing... bloom bait/prefix
03:49 < gmaxwell> yea, if you break the cryptosystem you just get bloombait.
03:50 < adam3us1> gmaxwell: yes i was thinking also you could send a few dud keys to confuse things, but this is better and could use your like 8 bloom baits, ie one could tune it
03:51 < gmaxwell> downside vs bloombait is that it's not indexable.
03:51 < adam3us1> gmaxwell: i mean you could send the node your block priv key and a few random priv keys. but the extras will never match. by doing bait we get that ability
03:51 < gmaxwell> yea, I was thinking about that when I got to the encrypted bait construction... the never matching makes it obvious which ones are real.
03:58 < gmaxwell> one interesting thing about the encrypted bait construction is that it's attack resistant.
03:59 < gmaxwell> a normal bait can be attacked by some high transaction volume jerks choosing the same bait as you.
04:10 < gmaxwell> downside is that it has moderately high overhead, I don't see how to get the overhead under two group elements.
04:10 < gmaxwell> but perhaps when I think some more I'll see a way to get it down to one.
04:18 < adam3us1> gmaxwell: yes i think there may be scope to go further or to non IBE potentially because the requirements are weaker than what it provides.
let's see - having one stepwise clear improvement often helps unlock thinking about the next optimization
05:37 < jtimon> oh dear, http://bitcoin.stackexchange.com/questions/21036/are-namecoins-obsolete-with-the-upcoming-bitcoin-0-9
05:38 < jtimon> how do we explain this?
05:38 < jtimon> why so many people think "bitcoin 0.9, now with arbitrary data"
05:38 < jtimon> ?
06:00 < wumpus> can doesn't mean will, certainly not on such a short timeframe
06:02 < _ingsoc> That's just what you say to keep people happy.
06:03 < _ingsoc> Innovation can end up hurting value because it's change.
06:04 < _ingsoc> So you naturally tend to avoid what you perceive as dramatic change.
06:05 < _ingsoc> If Ethereum could do what Ethereum wants to do by contributing code here, there wouldn't be Ethereum, would there?
06:05 < _ingsoc> As an example.
11:02 < tt_away_> Oh whoa, Gavin is here. :)
11:02 < tt_away_> Welcome
11:36 < adam3us1> can someone explain to me how the batching of an epoch of blocks works in bloom filtering?
11:37 < adam3us1> TD said it works via query for 500 blocks in a batch to reduce network round trips.
11:41 < gmaxwell> I don't know that it matters, in that since all this would need new network messages you could just also send a list of 500 keys along with the 500 blocks. Though batching makes sense for another reason: since a txn isn't guaranteed to show up in the next block you need to use past keys too, and the matching has O(N*M) complexity.
11:42 < gmaxwell> so using fewer keys, say one for every 72 blocks, may make sense.
11:43 < adam3us1> gmaxwell: i was wondering re the second problem if the sender could identify the block they were thinking of when they derived it.
11:44 < adam3us1> gmaxwell: then they could be indexed by sender block and that bit could be deterministic and O(N) instead
11:46 < adam3us1> gmaxwell: the other thing is (and i started writing a reply to TD on bct) that i am not sure you gain security by using different keys in a batch because it's anyway implicit (*) if all the queries are in the same request that they're yours (or candidates if you smear it a bit with your extended bait idea)
11:46 < adam3us1> gmaxwell: (*) the other possibility being to relay queries via a hop encrypted, then queries could be a mix of yours and other people's
11:47 < gmaxwell> the batching doesn't hurt except in so far as it reduces your minimum connection granularity.
11:49 < adam3us1> gmaxwell: well if i connect from IP-addr#1 and request query of block 1,2,3 with key k1,k2,k3 chances are those tx are all mine, so the node learns those 3 are probably owned by one person across 3 blocks
11:50 < adam3us1> gmaxwell: whereas if i connect from ip-addr#1 and request query of block 1 with k1, then reconnect from ip#2 later, or connect to a diff node and ask for query of block2 with k2, then even if node 1 and 2 collude they don't know if that's one user... (and optional relaying of queries and responses could blur that together)
11:50 < gmaxwell> yes, right but say you make your batch 1000 blocks. Then for blocks 0-100 you're connected to one node ... and 200-300 another node .. and so on. If your batch had been smaller you would have leaked less.
11:52 < adam3us1> gmaxwell: smaller batch = less leakage, a tradeoff, but here the query data is presumably much smaller than a bloom filter, so it would be nice to aggregate multiple users' queries into a block via relaying (maybe).
11:53 < adam3us1> gmaxwell: "batching doesn't hurt except in so far as it reduces your minimum connection granularity" i think you mean you optionally ramp it up, but by having epoch size 1 key derivation then you can go down to individual if you want later
11:58 < adam3us1> oh i guess another security argument weil pairing is probably stronger than connecting to random internet nodes and delegating query to them re node-capture sybil attack. (ie the privacy security relies on avoiding node capture)
12:41 < adam3us1> gmaxwell: you know the weil pairing itself is significantly amenable to multiplicative derivation tricks. you might be able to have each node multiply by its H(IPaddr#) or such querier known guid, or sent over comm channel on other connect time response, and then be able to make different query keys for the same data on different nodes, making it harder to observe redundant checks without needing to use encryption between nodes
12:45 < gmaxwell> adam3us1: related, if the bait scheme were similar to the one I suggested, you could intentionally make your bait searching radius half sized and connect to two servers and give each of them half your radius. so some of your transactions would learn via one, some via another... though they'd have the same query key. Probably not worth the complexity.
12:49 < adam3us1> gmaxwell: yes. overall seems quite exciting :) we could improve privacy & anon-set for SPV vs bloom, save bandwidth vs bloom query. Abandoning one-use addresses seems risky because of the reliance on weil-pairing for privacy otherwise that would be a nice simplifying assumption and mesh with the hard to shake user comprehension problem (or UX issues that don't show that well).
Damn pity there so far no way to do it with ECDL 17:28 < comboy> hey guys, I keep thinking about some p2p web of trust + some pagerank alike algorithm, also I keep wondering if it would be possible to be able to get score for somebody (based on my trust weights), without trust weights being public, maybe you have some random association terms, links or papers to throw at me? 17:29 < c0rw1n> random association term : freenet 17:29 < c0rw1n> they have a web-of-trust, no idea how public it is 17:31 < gmaxwell> comboy: I've thought about this sort of things before, and the best I can come up with is multiparty computation. 17:31 < gmaxwell> one problem is that you have information leak attacks if someone can constantly query the system. 17:32 < comboy> c0rw1n: thx, good hint, but it seems just to fight spam and quite simplified compared to what I'm thinking of 17:32 < gmaxwell> E.g. say I want to know if you trust c0rw1n. Okay, so I make a new sybil account which only trusts you, and then I query the system and find out the sybs trust of c0rw1n. The result is that I know that either you trust him or at least that there is a transitive relationship. 17:34 < Alanius> comboy: there is some work being done on reputation in pseudonymous networks 17:34 < gmaxwell> with multiparty computation you could have N folks combine in order to answer queries on the transitive trust without disclosing the graph, and if you imposed some cost on queries (e.g. have to pay a fee to the bitcoin network per query) then you could prevent an attacker from constantly querying it to drag out the information. Downsides: multiparty computation isn't pratical today, and the participants would need to be online. 17:34 < Alanius> not sure if it's what you're after, but you might want to take a look: http://freehaven.net/doc/cfp02/cfp02.html 17:35 < comboy> gmaxwell: yeah, that is a problem, but maybe you could send queries only to nodes who trust you for example.. I'm not even sure it would help... 
but if you would be not getting full info with some random noise.. 17:35 < gmaxwell> Personally, I think reputation is nearly worthless in anonymous systems. :P 17:36 < nsh> could the graph not exist publicly (or queryably) in some heavily disjoint form that can be recovered using private correspondences (wallet-like identities) 17:36 < nsh> ? 17:36 < comboy> well it is without this kind of system 17:36 < Alanius> pseudonymous != anonymous :) 17:36 < comboy> yeah identities equivalent to addresses in your wallet would also be some idea 17:36 < Alanius> in anonymous systems reputation is indeed worthless 17:37 < comboy> yes 06:00 < gmaxwell> E.g. if your metric is voting with actual people (which we can't use because people aren't provable computationally) an attacker could use their excessive resources to make more people. 06:00 < Mike_B> oh, right 06:00 < gmaxwell> There is no finite resource, including humans, that you could count to decide a consensus which isn't potentially vulnerable to abuse by an overpowering attacker. 06:01 < Mike_B> i guess you could try some kind of reverse turing test of some sort 06:01 < gmaxwell> (though there are some constant factors: not everyone has a cpu, but everyone is already a people. :) so the honest side might have an initial advantage if we really could count people for the consensus) 06:01 < Mike_B> but yeah, if you have a ton of money you can just spend it on technology to beat that and then sybil your way to the top 06:02 < gmaxwell> right. This is why I roll my eyes on most "51% solution" proposals. they mostly either just shift around some constant factors, or replace one weakness with another. 06:03 < gmaxwell> (another .. usually worse one... like some clique of 10 people who can pick whatever state they want; e.g. in the case of solidcoin2.0) 06:03 < UukGoblin> well, they probably just do it to trick people into thinking their scamchain is "better" 06:03 < gmaxwell> or ripple's think which is ... hard to analyize. 
06:04 < gmaxwell> UukGoblin: I'm sure most of the people doing that stuff believe it. Anyone can invent a consensus system which they don't personally think is flawed. And, hey, if I've got one of those signing keys: it's safe for me!
06:04 < Mike_B> maybe i'm more interested in altcoins than the average person just because i find them to be interesting hotbeds for experimentation
06:05 < Mike_B> like something like litecoin i don't find interesting since it doesn't do much
06:05 < Mike_B> but some of these altcoins are pretty creative
06:05 < UukGoblin> I'm only interested in altchains to solve two issues: faster transaction confirmation and solving of the 7-transaction-per-second scalability limit
06:06 < UukGoblin> I have a feeling a solution with OpenTransactions may solve this stuff, but I don't yet know how
06:06 < gmaxwell> well most of them aren't. there are a couple which have done some things, most of it is not so interesting.
06:06 < epscy> i would like to see a mining system that is more decentralized
06:06 < Mike_B> i thought primecoin was really interesting
06:06 < epscy> but so far litecoin and ppcoin have yet to convince
06:06 < UukGoblin> hence I'm looking forward to this thing you mentioned, gmaxwell - about OT people hacking something up
06:06 < Mike_B> i've been consumed with the problem of making POW useful, like coming up with a rePOW like there's a reCAPTCHA or something
06:07 < gmaxwell> Mike_B: yea, I don't think that's a useful thing in fact. If the POW has independent value that may lower the marginal cost of attacking.
06:07 < Mike_B> why?
06:07 < Mike_B> how so?
06:08 < gmaxwell> E.g. if 99% of your mining income comes from people buying cancer cures from you, and 1% from getting your block into the unique best chain... then you'll only lose 1% of your income by participating in attacks that put you on forks and lower your chances of getting in the unique best chain.
06:08 < gmaxwell> (and you can replace income with whatever utility-units power your motivation to mine. :) )
06:09 < Mike_B> that's a good point
06:09 < gmaxwell> Beyond that, cryptographic hashes have pretty good POW properties in general. You want the users to be very confident that the creator doesn't know some trapdoor that lets them mine fast for free.
06:09 < gmaxwell> You can potentially get that from other things but it's surprisingly hard.
06:09 < Mike_B> that doesn't destroy the notion that POW could be useful though, it just argues against one system whereby computational time is purchased from you, and where that purchase works to double as POW for mining
06:09 < gmaxwell> You also want mining to have no progress... e.g. so being 2x faster than everyone else only gets you 2x more blocks, not all the blocks.
06:10 < Mike_B> but that's the exact system i had in mind, so, yeah, that's a good point.
06:10 < gmaxwell> Mike_B: yea, it's not a fatal argument. but it's a consideration.
06:11 < gmaxwell> I got past worrying that pow is "useless": it's quite useful, it makes bitcoin secure, and if you consider the cost of securing other currencies (which have enormous anti counterfeiting expenses, armored cars, guards, etc) perhaps it's not so bad.
06:11 < Mike_B> well, i did think primecoin was fairly interesting in how it solves one piece of that problem. in a very broad philosophical sense, it treats the block it's working on as "found art" in a sense
06:11 < Mike_B> like any cryptocurrency has an enormous amount of data going through it
06:11 < gmaxwell> Though my alt idea list does have one not well fleshed out useful-pow that I'm kinda fond of.
06:11 < Mike_B> so primecoin is like, "check every single block to see if it divides the start of a cunningham chain"
06:11 < Mike_B> (or hash the block first or whatever it does, i don't remember the details but you get the gist)
06:12 < gmaxwell> ... which is the ticking of timelock encryption. ... which I'm fond of mostly because I don't think there is any other socially viable way to actually have functional trustless timelock encryption.
06:12 < gmaxwell> (Timelock encryption is encrypt data so that it can't be decrypted until ~xx years from now)
06:13 < Mike_B> hm, interesting
06:14 < Mike_B> well i don't think pow is "useless" in that sense
06:14 < gmaxwell> https://en.bitcoin.it/wiki/User:Gmaxwell/alt_ideas incidentally, if your head isn't yet full enough. Though I admit it's not very readable, has a lot of in-group lingo, I mostly made it as personal notes so I'd stop forgetting ideas.
06:14 < Mike_B> i know there's a lot of political tumult over whether hashcash is "useful"
06:14 < BlueMatt> ok smart people, if one has a lgn algorithm that only works on chunks of size power-of-two, and has arbitrary input, how does one go about efficiently breaking said input up into power-of-two chunks and running?
06:14 < Mike_B> i'm just talking from an engineering standpoint
06:15 < UukGoblin> can you use bitcoin for timelock encryption? :-O
06:15 < BlueMatt> UukGoblin: no?
06:15 < gmaxwell> UukGoblin: look at the altideas page. not bitcoin as it is today, but I think it's possible with an alternative pow.
06:15 < UukGoblin> ah.
06:15 < Mike_B> gmaxwell: i read that page before but didn't understand some of the terms, i'll have to keep checking it as i get filled in on more of this lingo :)
06:16 < gmaxwell> UukGoblin: the idea is basically that you make the pow into "take chunks of pi as a ecc public key, and try to crack it"
06:16 < gmaxwell> UukGoblin: everyone knows pi in advance and thus can encrypt to it.
06:16 < gmaxwell> UukGoblin: and you encrypt your message with all the pi problems between now and when you want it opened.
06:16 < BlueMatt> gmaxwell: heh, literally turn bitcoin into one giant decryption cluster
06:17 < Mike_B> gmaxwell: thinking more about it, doesn't your objection about "useful pow" mining also apply to bitcoin once the block reward goes to 0?
06:17 < gmaxwell> all kinds of problems making it practical.
06:17 < UukGoblin> gmaxwell, ah... but you still don't really know the speed with which the things will get cracked
06:17 < Mike_B> then 0% of income comes from mining (other than tx fees)
06:17 * BlueMatt puts "make april-fools-altcoin which decrypts arbitrary constant data as its pow" on his calendar for march
06:17 < gmaxwell> Mike_B: no transaction fees. though bitcoin is toast, at least as it is currently designed, if there is no income for miners.
06:18 < gmaxwell> Mike_B: it works for txfees. You only get the txfees if your block successfully makes it into the longest chain.
06:18 < Mike_B> gmaxwell: why, just because miners will run away?
06:18 < gmaxwell> Mike_B: not just run away, but the difficulty will drop, and so it may become viable to buy up a lot of computing and overpower the network for short times to reverse transactions.
06:19 < gmaxwell> (I also propose on the alt coin page a tweak so that fees can only be collected if you are mining a chain the transaction author likes, so some successful reorg attacker can't get all the fees still)
06:19 < gmaxwell> (that's one I think we could perhaps someday do in bitcoin)
06:20 < Mike_B> gmaxwell: you could also have it so total coins asymptotically reaches something but never gets there
06:20 * BlueMatt wonders what would happen if all of #bitcoin-wizards were taken from their current dayjobs and hired to write an altcoin
06:21 < Mike_B> so a) there's always a block reward, and b) still a finite supply
06:21 < gmaxwell> BlueMatt: figuring out how to make an efficient discrete log solver progress free is one of the problems with that idea as I stated it. But the "Learning with errors" cryptosystem being used for fully homomorphic encryption looks like it might be more agreeable... haven't thought about it too deeply though.
06:21 < gmaxwell> Mike_B: that's how bitcoin is already designed! except we eventually run out of precision!
06:22 < Mike_B> oh oh oh, that's why the block reward goes to zero? just because of precision?
06:22 < gmaxwell> Mike_B: it's a geometric series with the limit after infinite time of 21 million, but the values are integers with 1e-8 being the smallest amount.
06:22 < gmaxwell> yea.
06:22 < Mike_B> oh, derp
06:22 * Mike_B pats self on back while saying derp three times
06:22 < gmaxwell> yea, hah, well you're not doing so bad when you're guessing how it already works.
06:23 < BlueMatt> gmaxwell: yes, that problem sounds exactly like something homomorphic encryption would be ideal for
06:23 < Mike_B> you could just have the precision automatically increase as the block reward decreases
15:42 < maaku> mempool gossiping and partial proof-of-work to "pre-validate" transactions of a large block
15:43 < maaku> these can lead to very low propagation times for large, intermittent blocks
15:44 < avivz78> you'll need to explain those :-)
15:45 < avivz78> batch validation for example, how do you get a speedup?
15:47 < maaku> well this is more software engineering, but there's ECDSA batch verification engines that are able to process signatures faster in a large group
15:48 < maaku> i assume batch-validation of entire blocks would be easier to do than multiple blocks at once (given that these are presumably handled by separate threads, etc.)
15:49 < maaku> mempool gossiping and partial proof-of-work is allowing miners to send blocks which almost meet the threshold
15:50 < maaku> other nodes then fetch and pre-validate the transactions in these partial proof of works so as to reduce the amount of work that needs to be done when a block is actually found (presumably by one of the miners that found a partial pow)
15:50 < maaku> validating the actual proof of work then just becomes a matter of fetching the transaction list, filtering out those already validated, and handling the remaining few
15:54 < avivz78> can't you pre validate transactions upon reception even if they're not in blocks?
15:55 < maaku> if you have them
15:56 < maaku> the partial proof of work provides a DoS-free way of guessing which ones will make it into the next block (including which ones you need to query the network for because you don't have)
15:57 < avivz78> I thought the fees took care of DOSing in this case. Am I missing something?
16:04 < maaku> fees are collected by miners not nodes
16:05 < avivz78> true, but they are anti-spam because the spammer would lose the fee if a miner includes the transaction
16:11 < maaku> avivz78: i think the work you all have done is very valuable
16:11 < zooko> Okay folks, I was stupefied by gmaxwell's and amiller's assertion that a "dual-use" proof-of-expense, with some beneficial side-effect, might cause instability, or facilitate attacks, etc.
16:11 < zooko> So I've been pondering it. I'm not sure I buy the argument yet.
16:11 < maaku> but what it will do is allow bitcoin to scale to larger block sizes, not smaller interblock times
16:11 < zooko> But I mentioned it to my friend Kiln Ham, and he said "What if the beneficial side-effect were a public good that couldn't be used to remunerate the miner individually."
16:12 < maaku> zooko: do you understand the argument that a merged-mined altcoin can be attacked by bitcoin pools?
16:12 < zooko> I thought that was pretty brilliant, so I decided to throw it out there even though I haven't really grokked the original argument.
16:13 * zooko thinks about maaku's question.
16:14 < avivz78> maaku: thanks!
16:16 < avivz78> I should say that we gained a lot from reading Meni Rosenfeld's work on the security analysis
16:18 < maaku> zooko: it's the same argument, just with bitcoin placed in the position of a low-value altcoin
16:18 < maaku> and to your friend, i'd say please give an example
16:19 < maaku> (and if it really does provide value, I'd be willing to bet that enterprising miners would find a way to profit from it)
16:22 < avivz78> Well, time to go get some sleep
16:22 < avivz78> thanks for the fruitful discussion
16:22 < avivz78> I've learned a lot!
16:23 < zooko> maaku: yes, that's an interesting question about if a public good can be made excludable.
16:23 < gmaxwell> zooko: 13:27 < gmaxwell> jtimon: the standard litany, most of those are not sufficiently cheap to verify (e.g. hurts spv nodes, zero knowledge proofs of tx data, and initial syncup), they tend to be inadequately proven to be trapdoor free, high hardware implementation complexity (so may lead to asic monopolies)... if the work is not work you could get paid for, then at least it should be free of some of the incentive concerns.
16:23 < zooko> Normally I'm wishing to figure out ways to make a public good excludable, but for this I would like to know a way to make it impossible to make it excludable.
16:23 < gmaxwell> yes, if it's work you can't get paid for then it probably eliminates that particular concern.
16:23 < zooko> gmaxwell: yes, that quote from you is what I meant about you having already stupefied me.
16:24 < gmaxwell> zooko: did you see my timelock encryption ticking meta idea?
16:24 < zooko> gmaxwell: I did not! Do tell!
16:24 < gmaxwell> zooko: https://en.bitcoin.it/wiki/User:Gmaxwell/alt_ideas search for "tick"
16:25 < andytoshi> zooko: the premise is that the POW involves finding private keys...so you encrypt something with a public key, knowing that the network will crack it at some point in the future
16:25 < maaku> gmaxwell: how do you prevent someone from just skipping ahead in the sequence and decrypting what they're interested in?
16:25 < gmaxwell> Discrete log isn't so great though, you really need an asymmetric encryption scheme with no solution path better than the exponential search. It would need a lot of details to be worked out.
16:25 < _ingsoc> I really wish we could get someone who's interested in implementing some of those ideas.
16:25 < _ingsoc> How hard can it be?
16:25 < gmaxwell> maaku: you encrypt with all future solutions.
16:25 < maaku> hrm i see
16:25 < andytoshi> _ingsoc: very hard, you need to understand the math and also the engineering stuff, and you have to be a good programmer, and you need to have the time
16:25 < zooko> gmaxwell: neat!
16:26 < gmaxwell> maaku: I don't claim that the engineering works out neatly. What struck me about the idea is that it enables a public good, which you can't get paid for, and yet we have no other way to provide that public good.
16:26 < andytoshi> and then you have to deal with #bitcoin-wizards ripping your stuff apart
16:26 < _ingsoc> andytoshi: How many people realistically are around competent enough to do it? Assuming money can be arranged for it.
16:26 < maaku> _ingsoc: i see 61 users in this channel
16:26 < gmaxwell> maaku: this was yet another idea I've had while in the middle of lecturing someone that it wasn't possible. :P
16:26 < zooko> _ingsoc: where are you going to get the money?
16:26 < andytoshi> there are probably a dozen or three people on here who are competent enough
16:26 < zooko> gmaxwell: Haha!
16:26 < andytoshi> they are all very busy
16:27 < gmaxwell> zooko: step 1. Start altcoin step 2. ??? step 3. Profit!
16:27 < gmaxwell> :P
16:27 < _ingsoc> zooko: Tons of people want to see this stuff. It's easy to get it funded.
16:28 < zooko> _ingsoc: somewhat self-referentially, I think implementing a lot of this would be a public good...
16:28 < zooko> gmaxwell: yes, exactly!
16:28 < _ingsoc> Make X amount of coins available for people who are brave enough to fund it ("early adopters"). Whatever is traded for X goes to the developer(s).
16:28 < _ingsoc> Pretty simple really.
16:29 < _ingsoc> Set your boundary so that you have enough for a development fund.
16:29 < gmaxwell> This has long been one of the linchpins of cryptoanarchism: a lot of neat ideas depend on decentralized trustless infrastructure which would be inherently a public good, and by virtue of being decentralized and trustless, impossible to collect rents on, which is the primary way that businesses monetize infrastructure.
16:30 < gmaxwell> the coin pump model has a lot of problems, in part because it's hard to judge competence, so you see things like huge money flowing into coins which have developer signed blocks (feathercoin, ppcoin) and little to no technical innovation (feathercoin, for example but many others too).
16:31 < _ingsoc> gmaxwell: That's why I propose using the model for actual innovations. If you limit the amount of contribution per person, you get a little closer to making it fairer.
16:32 < _ingsoc> Ofc people will game it. Hell, people are gaming Bitcoin as we speak.
16:32 < _ingsoc> If at the end of the day everyone understands the risks and you end up with better tech, that's progress in my eyes.
16:32 < gmaxwell> the other problem you have is that if you do anything innovative in this space alternative coins will just copy it instantly. We even had a bit of problems with that in bitcoin-qt with altcoins being forumed out of draft features.
16:32 < zooko> gmaxwell: if you hit upon a hack to bypass that problem, please let me know.
16:33 < zooko> "that problem": the public good of a decentralized tech 16:33 < _ingsoc> gmaxwell: There's always the option to open source it after a while of maturation. 16:33 < amiller> ah cool aviv came here :) 16:34 < _ingsoc> gmaxwell: But if someone copies an open source coin, that's not bad in opinion. It's unlikely anyone is disadvantaged by that. 16:34 < gmaxwell> _ingsoc: sure they are, because then they get outmarketed by someone else who has thrown off the "unfair" premine baseload your funding model depended on. 16:35 < gmaxwell> why would I want coinX which had 10k coins premined for its creators when I can have coinY which is the same thing but without the premine? 16:35 < andytoshi> amiller: yeah, he was really cool 16:35 < _ingsoc> How long do you think that'll be sustainable for? Everyone will realise it's the contributors who made the coin happen in the first place. 16:36 < andytoshi> _ingsoc: bitcoin had some really good ideas, and it apparently has no inventor 16:36 < amiller> i am *so* happy that this thread is going on, this is how i was hoping academia and bitcoin devs would interact, and of course the eyal/sirer paper did not go that way 16:36 < andytoshi> so, the ideas hold up on their own 16:37 < zooko> What nym does aviv use for academic publications? 16:37 < amiller> Aviv Zohar? 16:37 < _ingsoc> gmaxwell: Satoshi pretty much premined Bitcoin to high heaven and nobody cared. 
16:37 < andytoshi> amiller: aviv said, he was happy to find an audience with so much passion, this does not happen to most papers :P
03:36 < adam3us> maaku: i do not know - the last time i asked about this people told me GBT is the answer, and then after a bit they said however few are using it; if there is a reversal of that situ it's good
03:37 < adam3us> why can't the same be done with leased equipment or user owned but datacenter hosted - user provides coinbase for mining
03:37 < adam3us> maaku: i think getwork is a confused design, the client miner can choose the work - that's the point of hashcash - it's fully decentralized
03:38 < maaku> adam3us: that's how getwork was meant to be used
03:38 < maaku> satoshi did not foresee mining pools
03:39 < maaku> pools just adopted the same interface as the distributed client (getwork)
03:39 < adam3us> maaku: as i understand it getwork is a mechanism for a miner to ask a pool for a section of work, which is a misthink - no one needs to ask a pool for anything other than the pool's current preferred reward address
03:40 < warren> adam3us: does it help at all that my key is here? https://github.com/bitcoin/bitcoin/blob/master/contrib/gitian-downloader/wtogami-key.pgp
03:40 < adam3us> maaku: the search space is not scarce and does not need to be manually divided up; the client should pick a random starting point
03:40 < wumpus> getwork is confused design, but I thought about no one was using it anymore?
03:40 < maaku> adam3us: getwork predates pools
03:41 < wumpus> there have been plans to deprecate it
03:41 < maaku> getwork predates the idea of pools
03:41 < maaku> how does your mining program ask for a block from your locally running full-node bitcoind instance?
03:41 < maaku> getwork was the answer to that
03:41 < adam3us> maaku: what proportion of mining is happening using getwork do we think?
03:41 < maaku> ~zero
03:41 < wumpus> getblocktemplate
03:42 < maaku> at 4GH/s you are making 1 getwork call per second
03:43 < maaku> most of the hash power of the network is in asics orders of magnitude larger than that
03:43 < maaku> meaning 10's, 100's, 1000's of network calls to getwork
03:43 < maaku> doesn't scale
03:43 < adam3us> maaku: that seems silly and an invitation for network induced miner dead time - you need only to make 1 request per successful pool win (if the pool changes its reward address)
03:44 < adam3us> maaku: ok you are saying stall due to asic has pushed people off getwork, which is a good side-effect
03:44 < maaku> adam3us: yes
03:44 < adam3us> maaku: now what about proportion of pooled miners that are building their own blocks?
03:44 < maaku> as soon as asics hit the market, getwork died and getblocktemplate/stratum replaced it
03:45 < maaku> adam3us: 1%
03:45 < maaku> the p2pool miners
03:46 < adam3us> maaku: you think none of the miners are running full nodes, or if they are the full node is not used to construct the block to put in the coinbase?
03:46 < adam3us> maaku: (none of the pooled miners)
03:46 < maaku> adam3us: none of the pools that I am aware of let you construct your own blocks
03:46 < warren> adam3us: very few of the miners run a full node, maybe some do part time when they do wallet tx
03:46 < maaku> maybe Luke-Jr's does, I wouldn't be surprised
03:47 < maaku> the pool gets control over what goes in their blocks - that's part of the agreement
03:47 < maaku> if you want to construct your own blocks, that's what p2pool is for
03:47 < adam3us> warren: (pgp key) a bit maybe - is that some strongly controlled position of the bitcoin github? (my main point was a gentle reminder - put your full fp on the card:)
03:48 < adam3us> maaku: well people tell me p2pool has scaling issues at present
03:48 < warren> adam3us: recent mining clients have the ability to do local block submission, it helps in block propagation (helps against orphans) and possible fallback to solo mining if the pool is down. Not sure if any pool supports this yet.
03:49 < adam3us> maaku: and people complain about the centralization risks of pooled mining, where it's not that expensive to maintain your own full node and construct your own block
03:49 < adam3us> maaku: why would the pool care or have a legitimate need to consider what's in the block? that sounds like a dangerous contract
03:49 < warren> adam3us: p2pool's scaling issues are partly psychological, partly dust, partly because it is a single thread. It isn't THAT bad. I invested a good deal of money into improving it further since I don't have time to code on it now. https://bitcointalk.org/index.php?topic=329860.0
03:50 < adam3us> warren: yes i remember that thread
03:50 < warren> adam3us: there's considerable disadvantage to block propagation and losses to orphans for the average home solo miner.
03:51 < adam3us> anyway for whatever reason p2pool is 1% so de facto pools are controlling blocks which is bad
03:51 < warren> I agree.
03:52 < warren> p2pool even has a good solution against orphans with the tx pre-forwarding.
03:52 < adam3us> warren: wouldn't it be possible for the solo to tell the pool what the winning block serialization is, compactly
03:52 < adam3us> p2pool has no fee also
03:52 < warren> adam3us: sure, just few if any pools are doing it that way now, I think.
03:53 < warren> adam3us: the vast majority of pools are run by people who copied code from github and don't understand it. They get exploited all the time and lose money.
03:53 < adam3us> warren: are there code/apis existing that even support a pooled miner uploading the winning block to the pool (in raw or compressed eg ref to txs + raw missing tx)?
03:54 < adam3us> warren: yeah we need an economy of clues factor (or a dis-economy of scale)
03:56 < adam3us> was talking to justus at the conf, he suggested maybe a not-very-decentralized kind of 'candidate block' and then users can encode an actual block compactly as a patch/diff to that
03:56 < warren> adam3us: looked at how p2pool does it? It's already very good there.
03:57 < warren> it only works for immediate peers
03:57 < adam3us> warren: no i don't know p2pool low level details
03:58 < gmaxwell> So, turning back to my computer for a minute to fill in some details here.
03:58 < gmaxwell> Getwork is mostly not used anymore for the reasons maaku named.
03:58 < adam3us> i just would like to see a way to reduce the centralization even if it's something stupid like advertising p2pool if it can take the load (like why would someone pay 5% to big pool whose operator is doing stupid stuff)
03:59 < gmaxwell> The vast majority of miners use this protocol "stratum" that slush created which is somewhat poorly documented. It gives miners a coinbase transaction and a hashtree path to it. The miners can't see or control the transactions (though there are some not widely supported extensions to show them the transactions)
04:00 < gmaxwell> A few pools support using getblocktemplate directly. (Basically just ones running the pool server software luke wrote)
04:01 < gmaxwell> Though because it doesn't hide transaction data from the hashers it takes more bandwidth.
04:01 < adam3us> gmaxwell: what's the difference or benefit gbt offers over stratum? it gets the to download the block?
04:02 < gmaxwell> If you're using GBT with bfgminer (luke's miner software) it can do useful stuff like local submission. The miner software also does some sanity checking of the work, but right now the most material check is just self-consistency, e.g. the hasher can detect (and will refuse to participate) if a pool directs them to fork back a chain they worked on previously.
04:03 < gmaxwell> GBT also allows malleability of the block, with the pool signaling what kinds of modifications the hasher is allowed to make.
04:03 < adam3us> as it stands would most of the network hashrate blindly vote that 1+2=100? (create fake tx out value fooling spv clients) if a dozen hosts / routers on the internet were hacked
04:03 < gmaxwell> Though even that limited level of sanitization (and mutation) is only done by bfgminer, which is the somewhat less popular miner software.
04:03 < adam3us> gmaxwell: fork reject is good
04:04 < gmaxwell> adam3us: yes, practically all the hash power would let the pool produce a billion bitcoin subsidy, I think. Though anything gbt mining gets enough data to do more.
04:04 < adam3us> gmaxwell: does gbt check values? or i mean does it receive enough info to check values?
04:05 < gmaxwell> A thing luke, myself, and peter todd were talking about a while back was getting software support for "coinbase only pooling" where you do a GBT request to a pool to get a permitted coinbase transaction, then get the rest of the block from a local (or just different) source.
04:05 < maaku> adam3us: i don't know what you mean by check values, but gbt provides enough information to fully reconstruct the block
04:06 < maaku> well, assuming you can fetch/find the relevant transactions
04:06 < gmaxwell> adam3us: it gets enough information to do stateless checks. Though without a trusted bitcoin there isn't enough data to check that much. BFGminer does a couple stateless checks. CGminer does no checks at all. BFG can also do local submission, e.g. when it finds a block it can send it to a local daemon as well as the pool (or to multiple pools for that matter)
04:06 < gmaxwell> maaku: gbt sends the transactions.
04:06 < maaku> oh i thought it was just the tx hashes
04:06 < adam3us> maaku: i mean mining validates two things: non-double spend and that inputs add to outputs (i am not sure even spv nodes would accept a > 25 coin reward??)
04:07 * maaku goes to read the bip
04:07 < gmaxwell> Nope.
04:07 < gmaxwell> adam3us: they absolutely will accept a >25 coin reward, because the generated coins include _fees_ which are not statelessly verifiable.
04:07 < gmaxwell> As are no-double-spends unless you just mean doublespends within a single block.
04:09 < gmaxwell> (the local submission stuff, if anyone used it, would break any pool's attempt to do 'selfish mining' without the hashers being complicit in it)
13:24 < phantomcircuit> the ticket i opened asking apple to clarify msync MS_SYNC behavior has been tagged Rank:No Value
13:24 < phantomcircuit> so i'm just going to assume that msync w/ MS_SYNC does the stupidest thing possible
13:24 < phantomcircuit> which is to flush to the dirty page cache of the filesystem and not to disk
13:25 < phantomcircuit> meaning likely the mmap issues in leveldb could be corrected simply by swapping fdatasync->msync to msync -> fdatasync
13:44 < maaku> andytoshi: which is the problem, as a user of academic research: i'd rather useless citations weren't piled on to boost people's rankings
13:45 < gmaxwell> maaku: piled on to grease reviewers' palms. :)
13:45 < maaku> heh, yeah
13:45 < gmaxwell> "You want me to cite what? ... ugh. fine."
13:47 < andytoshi> maaku: i concur, i think it's going to improve a bit as people tend to read preprints more, rather than published papers
13:47 < andytoshi> and gratuitous citations on preprints don't help anyone
13:47 < andytoshi> so as long as you just ignore all the actual journals... ;)
16:31 < andytoshi> everyone involved in my coinjoin, i'm going to publish it in about 90 minutes (3PM pacific), so if you want to bug me about it, just /msg
16:33 < jgarzik> andytoshi: this seems like #bitcoin-otc material? bitcoin coin swap meets...
16:33 < andytoshi> hmm, good call
16:33 < andytoshi> it just happened this time that everyone involved (who would identify themselves to me) is a wizard
16:51 < Luke-Jr> andytoshi?
16:52 < Luke-Jr> publish what? :P
16:53 < andytoshi> Luke-Jr: a couple days ago a bunch of us got together on a coinjoin, and i'm just now getting to publishing the combined transaction
16:53 < andytoshi> there were some delays as i had to write tools to do the merger, and people were not always online
16:54 < amiller> oh my, coping with n parties some of which may or may not be online at any given time :3
16:54 < gmaxwell> jgarzik: yea, I'd suggested doing coinjoin tuesdays or whatever. But it sounds like andy might have something better.
16:56 < andytoshi> (i am working on a site which uses my coinjoin merger tool, and flips every N seconds between collecting unsigned transactions and collecting signed ones)
16:56 < Luke-Jr> andytoshi: ah, I thought you meant a paper or program :P
16:57 < andytoshi> nope, nothing so exciting
16:57 < andytoshi> though i do have a program at https://github.com/apoelstra/coinjoin which does the merging
18:24 < nsh> has anyone done an analysis to predict (in some model) when we might be likely to hit the 1mb blocksize limit due to transaction volume?
18:29 < andytoshi> so, the coinjoin transaction has been published, and has drifted past my node at least
18:29 < andytoshi> which believes it is 100% fees
18:32 < andytoshi> ..well, it has all the relevant addresses and the correct 'send' and 'receive' amounts on each, it's just the total that's wrong
18:33 < gmaxwell> andytoshi: actually it believes it has negative fees.
18:33 < gmaxwell> because it has money that came in from nowhere. :)
18:33 < andytoshi> oh :P it's the amount that's displayed as negative.
18:34 < gmaxwell> and yea, what it does for the fees displayed there is braindamaged.
18:34 < andytoshi> ok, and the output of listunspent 0 has all my money listed.. phew
18:34 < andytoshi> i understand how signatures work and it was still scary :)
18:34 < andytoshi> "somehow i lost everyone's money"
18:34 < gmaxwell> andytoshi: it's prudent to be a chicken, but you're still a chicken. :P
18:35 < andytoshi> this is so cool, that basically a bunch of strangers put $35000 into an envelope i held out, saying i'd mail it..
18:37 < gmaxwell> yea, because the envelope was magic and made it impossible (well, if their putting-in was well formed) for you to cheat. Someday all those fairy tales will sound sensible.
18:39 * nsh smiles
18:39 < nsh> fools! it was a moebius envelope...
18:40 < nsh> andytoshi, is your coinjoin thing explained somewhere?
18:40 < andytoshi> well, the bitcointalk thread is at https://bitcointalk.org/index.php?topic=279249.0
18:41 < andytoshi> idk if anyone 'invented' the idea, i figured it out just from the name..
18:42 < andytoshi> to use my tool, the README on https://github.com/apoelstra/coinjoin should be sufficient
18:42 < nsh> ty
18:43 < gmaxwell> Petertodd invented the name at my request. The idea of making private transactions this way has basically been known forever. E.g. I recall some old post of hal's describing a higher level protocol for anonymous loans based basically on coinjoins.
18:43 * nsh nods
18:44 < gmaxwell> I was getting a bit frustrated with people fixating on "zerocoin" as a magical unicorn that was just around the corner(tm) to solve all privacy problems. ... and I decided that part of the problem with people fixating was that the alternatives didn't have _names_.
18:44 < gmaxwell> which sounds kinda weird but I think it's true.
18:44 < gmaxwell> so then armed with a name I wrote up a description and a call to action.
18:44 < nsh> excellent 18:44 < andytoshi> i think it's true, back in 2011 when you had that coinjoining thread with no name, it looked very scary and technical 18:45 < andytoshi> and at the time i didn't look into it at all 18:45 < andytoshi> otoh, this time around i knew how transactions were structured, so maybe i didn't need the name.. 18:47 < nsh> names act as conceptual anchors and nucleation points 18:47 < nsh> they can be very effecticious :) 18:48 < andytoshi> yeah, before it was "type some weird commands to get hex codes you are supposed to give to gmaxwell via PM, who totally can't get money out of them, and he'll give you some more hex codes to incant over" 18:48 < nsh> (or efficacious, which is apparently less made-up of a word) 18:48 < andytoshi> and then somehow people smarter than you would no longer be able to watch you so closely :) 18:49 < nsh> i think things where you could illustrate them with a silly simpsons aside cartoon sketch 18:49 < nsh> i picture a load of robed and hooded stone-cutter mason-types all gathering together solemnly in a circle and exchanging things from closed fists while blindfolded 18:50 < nsh> :) 18:50 < gmaxwell> What I observed is that zerocoin is even _more_ technically inaccessable but it had an accessible name and so many people were interested and a few people even learned about some of the details. I also added the points that they could be done automatically, and that you could potentially use blind signing to even blind the merging party to the mapping, and that you could use sorting networks to boost the anonymity to any size, none ... 18:50 < gmaxwell> ... of which are all that important to the idea. 18:50 < nsh> mmm 18:51 < gmaxwell> https://bitcointalk.org/index.php?topic=5027.msg73733#msg73733 18:53 < nsh> "There needs to be a system of anonymous payments, and a simple trusted machine called the Pot. 
(In practice, the Pot would be simulated by the participants, using a cryptographic multi-party computation.)" boy, those parentheses sure make that sound simple... 18:53 < gmaxwell> what gets described there can be accomplished with a coinjoin and an inverse coinjoin coupled with blind signing to prevent DOS of the inverse coinjoin. 18:53 < nsh> hmm 18:54 < nsh> how are legs broken if someone welches? 18:54 < gmaxwell> the output of the coinjoin is not anonymous. 18:54 < gmaxwell> (and thus inputs of the inverse coinjoin are not anonymous) 18:55 < gmaxwell> e.g. it takes random private amounts and makes N uniform public amounts. And then later N uniform public amounts come back (or else!) and random private amounts are dispensed. 18:57 * nsh nods 20:13 < maaku> TD: I think merge avoidance and coinjoin are solving two different (but important) things 20:13 < TD> could be, but can you elaborate? 20:14 < maaku> well, take your coffee shop example. what if alice doesn't want her employer to know how she is spending her salary? 20:15 < maaku> by running a wallet that continuously mixes through coinjoin (until some privacy threshold is achieved), she can mask that information 20:20 < maaku> i think they complement each other nicely 20:30 < TD> do you mean "when" or "how"? 
20:30 < TD> because i don't see how the employer could know what she's spending her money on regardless 20:30 < TD> unless she spends to a well known address (solution: don't have well known addresses) 20:31 < TD> i guess they would know what proportion of the salary she had spent 20:33 < andytoshi> my feeling is that hiding from your employer is a special, very difficult case 20:33 < andytoshi> coinjoin alone should thwart data analysts 20:34 < andytoshi> to hide from somebody providing all of your money, you'd need to do an off 20:34 < andytoshi> off-chain mix 20:34 < TD> maaku is referring to an article i wrote that explores some cases where it doesn't 20:34 < TD> https://medium.com/p/7f95a386692f 20:34 < andytoshi> oh, thx 20:37 < TD> maaku: i think i may agree that they complement each other in some cases, for sure. coinjoin type systems give some degree of deniability. however, at significant cost. it would be nice if the same deniability could be obtained without the cost. 20:39 < maaku> TD: the employer knows where he sent payment to 20:40 < maaku> and therefore knows the denominations at the very least of where she sent the coins 20:40 < maaku> and by taint, can deduce who owns the address 20:40 < TD> i don't follow the last part. the employer only sees that alice spent some of her coins. 20:40 < TD> he can't know what she spent them on 20:41 < maaku> yes, but when those coins eventually do get spent by the third party, they link to other outputs, which can be traced backwards 20:41 < TD> traced backwards how? i feel you're assuming something that i'm missing, here 20:42 < TD> employer pays alice. alice pays bob. bob sees $TRANSACTIONS but beyond knowing the last hop (alice) doesn't know more than that 17:37 < gmaxwell> comboy: well, see for example some of the information theoretic PIR stuff that lets you have a database which can be privately queried and which is secret from the servers if some threshold of the servers do not collude. 
But I don't know how to create the initial database privately except via MPC, and I don't know how to reliably rate limit access. And trusting servers to not collude is prety lossy. 17:37 < nsh> (reputation only becomes worthless asymptotically as the cost of newnym'ing goes to zero) 17:38 < gmaxwell> Alanius: even in pseudonymous systems. We see lots of cases in bitcoin-otc (one of few examples ofa pseudonymous wot system where there is actually something at stake) where scammers farm identities until they a trusted then rob people blind. 17:38 < nsh> to be fair, that's also a pretty stubborn feature of the non-technological world 17:39 < comboy> I mean as far as my quite dumb crypto mind was thinking it would require some p2p client running, I can't imagine it as just a static db somewhere 17:39 < gmaxwell> I think it's helpful to think about the benefit of 'reputation' systems in terms of "seperation" e.g. how powerful are they at separating good participants from bad ones. And I think a lot of ideas actually turn out to have _negative_ separation: they actually increase the density of bad people because they impose costs and good people just walk away since what they were going to do wasn't that profitable for them, whereas bad ... 17:39 < gmaxwell> ... people don't mind the costs because they're a minor cost of doing business (and because the learning how it works part is amortized against many identities) 17:40 < comboy> gmaxwell: theoretically pagerank + your connections could prevent farming, once somebody goes rogue, ranks of whoever trusted him goes down 17:40 < nsh> well, if you consider it as a separation/classification problem then the system has to be negentropic, which means some resource of order must be consumed 17:41 < gmaxwell> comboy: no, it doesn't because obviously your system needs to be welcoming to new people (or it will fail), and so they just simulate new people. 
17:41 < Alanius> gmaxwell: that's a fine insight 17:41 < nsh> (external resource) 17:41 < comboy> it could be much more than such kind of separation, because weight could be vectors, this could be coding skills instead of trust, in an istant I know if I want to work on this guys project or find something else 17:41 < gmaxwell> nsh: except honest participatants often trade neutrally e.g. their gains are maginal in competition with others. So any resource costs on honest people are much harder than resource costs on dishonest ones. 17:42 < nsh> mm 17:42 < comboy> gmaxwell: you would have to get trust from somebody in the existing network, it could be partitioned though (but it's quite impossible it would on the large scale), so somebody is risking their trust to accept you 17:43 < gmaxwell> I saw this a long time on Wikipedia. Lots of antivandalism measures exclude vandals, sure, but they exclude even more grandmas. ... because grandma is not as eager to contribute as many vandals are. The result is negative separation though the absolute decrease in vandals is more salent. 17:43 * nsh nods 17:44 < gmaxwell> comboy: a while back I tried to float in OTC that we shouldn't be "trusting" each other, we should be insuring each other... that would make it have more meaning.. but I was never able to get traction for that. 17:44 < nsh> that makes sense, but it's got higher overhead and trickier 17:44 < c0rw1n_> oooh what a good idea 17:45 < comboy> yeah, probably insuring is a better term 17:46 < comboy> but I really like to hope it could be done with some crypto magic without revealing your weights... at least not to people above some connection degree level 17:47 < comboy> Alanius: thx for that link, I also need to read more regarding MPC 17:48 < Alanius> I think you could do it with cryptomagic 17:48 < RoboTeddy> could we have a combined proof-of-work proof-of-destruction blockchain? 
the more coins you prove you destroy in the block you're mining, the lower the required bound for your POW 17:48 < gmaxwell> well I had some success with the insuring thing, in that a couple times when people I knew from elsewhere showed up in otc wanting to trade but I didn't want to trade I publically offered to personally insure their trade and people rapidly traded with them on good terms too (e.g. not charging them like a risky transaction) 17:49 < gmaxwell> RoboTeddy: probably not, because coins destroyed in a non-successful blockchain are free. 17:49 < Alanius> imagine this: every node has an accumulator; nodes can increase other nodes' accumulators by an amount equal to how much their own was accumulated - which they keep secret in a zero-knowledge fashion 17:49 < nsh> gmaxwell, so could you script a multiparty vouching system using clever transactions? 17:50 < gmaxwell> RoboTeddy: e.g. I can make a fork where I destroy allmost all the coins and then it looks very attractive to you, so long as I'm confident it wont be the surviving fork doing this cost me nothing. 17:50 < nsh> (so that the more people vouch for someone before a trade, the lower their share of the insurance is it turns sour) 17:50 < nsh> *if 17:51 < RoboTeddy> gmaxwell: good point, thanks 17:51 < gmaxwell> nsh: well the problem you run into invoking transactions is that most fraud is not trustlessly decidable 17:51 < comboy> Alanius: yes that's the computation part, but this leaking information with checking your score on people depending on whether you trust somebody or not, example that gmaxwell gave at the beginning 17:51 < nsh> right 17:52 < gmaxwell> nsh: e.g. I think most of the cost in insuring another trader isn't the actual insurance, its the getting pulled into a dispute should one arise. 17:52 < comboy> this insurance thing reminds ripple a bit btw 17:53 < gmaxwell> my personal standard in OTC is that that I don't give higher ratings (e.g. 
greater than +1) unless I'd be willing to help someone collect on a debt that I agreed was real. 17:53 < gmaxwell> but I'm weird. 17:53 < c0rw1n> comboy well the rippling is a great idea 17:53 < nsh> hmm 17:53 < RoboTeddy> if one lengthens their fork significantly by destroying lots of their coins in it, they might not be able to safely assume their fork won't survive -- if it's the longest, people will adopt it 17:54 < gmaxwell> RoboTeddy: yes, but you weaken other security assumptions, e.g. bitcoin is generally pretty robust against short term network isolation attacks, when you can assume that the attacker doesn't have hashpower (or otherwise they'd prefer to just mine honestly) 17:55 < RoboTeddy> gmaxwell: ok, that makes sense, thanks 17:55 < gmaxwell> That kind of idea basically undermines the notion in POW that you're buring a scarce resource so you better darn well burn it on the one true successful consensus. 17:55 < RoboTeddy> gmaxwell: it makes a lot of sense when you think about it from that perspective 17:56 < nsh> hrmm 17:56 < gmaxwell> RoboTeddy: I think you can do things like burn resources in one place and use the evidence of the burn in another, and get something working there. E.g. burn bitcoins to mine teddycoins works so long as your bitcoin burn commits to a single unique teddycoin block. 17:57 < gmaxwell> it just doesn't obviously work internally. e.g. burn teddycoins to mine teddycoins. :) 17:57 < RoboTeddy> interesting; so, you could have a pair of currencies which each burn to prove work on the other 17:58 < RoboTeddy> brb mining genesis block for teddycoins 17:58 < gmaxwell> I think if the relationship was cyclic like that then you could attack them as a group. 17:58 < gmaxwell> e.g. tread it as a single system and attack both. 17:58 < gmaxwell> s/tread/treat/ 17:58 < RoboTeddy> also a good point. 
so you'd need an acyclic DAG 17:59 < RoboTeddy> (along with an "ATM machine" -- I guess all DAGs are acyclic) 17:59 < gmaxwell> I think you can do things like have bitcoins mined by burning power, and teddy coins mined by burning bitcoins, and ninja coins mined by burning teddycoins, and that all works out okay. 18:00 < RoboTeddy> since the whole system is "grounded" by burning power/cycles 18:00 < nsh> as long as the bottom turtle is sitting on a pile of work (hash rounds) 18:00 < comboy> gmaxwell, regarding otc, if this would be insurance network, I wonder if disputes could be automated, I mean higher rank always wins, but I guess possibly taking some hit on it's rating (I'm kinda mixing insurance with public WoT here) 18:01 < gmaxwell> It doesn't have to be power but that works really well. The necessary criteria is that it burns something and that the burn can commit to the thing you're mining. E.g. you could have a coin burned by getting hashes into court filings (if you assume there existed a court which cryptographically signed its document submissions) 18:01 < gmaxwell> You can't have your POW be smashing irreplacable artwork because there is no way to create a cheaply verifable proof that you smashed the artwork in the name of confirming a particular consensus state. 18:02 < RoboTeddy> unless you cut the artwork into the shape of particular hashes ;D 18:02 < RoboTeddy> (but could fake paintings, so not cheaply verifiable) 18:03 < gmaxwell> in particular, it's hard to decide if a painting (real or not) was valuable to begin with. :P 18:03 < gmaxwell> power/computation is a bit more objective. 
:P 18:06 < gmaxwell> I think this subject is interesting mostly not for the reason of building more resource-burning-consensus systems in part because I'm really unsure of how generally applicable resource burning consensus really is but because I think resource burning anti-spam/anti-dos is interesting and that since bitcoin is a cryptographically provable resource you could use it in those systems. 16:52 < azariah4> "The twister incentive is: whoever finds the hash collision to validate a new block of transactions will be awarded with the right to send a promoted message. Promoted messages have a certain probability of being displayed by twister client." 16:52 < azariah4> hehe :D 16:52 < azariah4> at first I laughed, but thinking of it, it's not too bad for a microblogging platform 16:52 < azariah4> some company could throw hash power at it to push some ads 16:52 < michagogo|cloud> ... 16:52 < sipa> it's trivial to modify your client to just ignore such promoted messages, though... 16:52 < michagogo|cloud> except that you can just not display th- 16:52 < michagogo|cloud> what sipa said 16:55 < azariah4> well, adblock+ haven't killed the website ad industry 16:56 < jtimon> why didn't they just used namecoin for the user registration? 16:57 < sipa> reinventing the wheel is more fun, especially when the wheel can be made to look like a hammer 17:14 < adam3us1> azariah4: is twister an alt as well as a p2p microblog? 17:46 < andytoshi> john baez has a neat article about information complexity and bitcoin scarcity: https://johncarlosbaez.wordpress.com/2014/01/27/the-rarest-things-in-the-universe/ 17:47 < andytoshi> i mean, bitcoin rarity. scarcity is an econ term that i don't mean to use 17:52 < andytoshi> he suggests a POW with a trapdoor function so that the key possessor (i.e. the government) can print coins. 
then you get the monetary control of fiat -and- the unforgeability of bitcoin :} 17:53 < gmaxwell> andytoshi: you don't need to use a pow for that, if you want to give someone the power to inflate the currency you can just let them (via a key) spend coins that don't exist just directly in the system. 17:54 < gmaxwell> POW = minting is a weird notion; in bitcoin pow = consensus, minting is just permitted as a rule in the blocks. :) 17:56 < andytoshi> yeah, i get that. baez is very unfamiliar with bitcoin and (i think) he thinks that the small hashes are the actual "coins". 17:56 < andytoshi> though, it is neat to see a complete outsider perspective from somebody as smart as him 17:57 < gmaxwell> yea thats not actually an uncommon belief. 17:58 < gmaxwell> I dunno where it comes from though. 18:06 < midnightmagic> password cracking analogies probably. 18:25 < CampyCoin> Any interest in domains? 18:26 < phantomcircuit> gmaxwell, ^ 18:28 < CampyCoin> I'm confused here, let me know if I've done something wrong 18:44 < CampyCoin> anybody want some domains? 18:44 < nsh> that's off-topic here, CampyCoin 19:18 < adam3us3> gmaxwell, andytoshi: i think an interesting rule for fiat coins would be to encode the monetary policy into a smart issuance policy. eg 2%/yr QE cap, things like that. then they cant exceed it without a super majority vote of clients 19:20 < adam3us3> gmaxwell, andytoshi: cryptographic assurance against moral-hazard :) ie cant panic bend the formal rules because a monetary policy committee cant withstand political pressure even though they know its a bad idea. 22:32 < Luke-Jr> new proof-of-<foo> system to be announced soon based on the efforts of BlueMatt, myself, and others! 22:37 < petertodd> Luke-Jr: curious 22:39 < Luke-Jr> petertodd: another guy is writing up the announcement post now 22:39 < petertodd> Luke-Jr: oh nice, you guys are serious? 22:39 < brisque> Luke-Jr: a serious POW, not like proof-of-twerk? 
22:39 < Luke-Jr> petertodd: <.< 22:39 < brisque> well, proof of something. 22:40 < Luke-Jr> >.> 22:40 < brisque> oh. 22:40 < brisque> still interested. 22:47 < andytoshi> by 'writing up' you mean that if i stay up another hour i'll see it? 22:48 < Luke-Jr> andytoshi: not sure what the schedule is on it 22:49 < Luke-Jr> he said by this weekend :< 22:50 < Luke-Jr> .. but he might have a draft for me to look over in a few mins 23:29 < brisque> has somebody tried poking ghash.io and asking them to change their default block size? 23:30 < Luke-Jr> brisque: they intentionally have it set low because they can't afford a decent internet connection apparently -.- 23:31 < Luke-Jr> (and can't figure out how to run a pool with the block broadcasts colo'd) 23:31 < brisque> that's awful. I've seen them orphan their own blocks quite a few times too. 23:33 < brisque> it would be nice for them to make decent sized blocks though. surely they can manage the small influx of data they need to broadcast them properly. --- Log closed Tue Jan 28 00:00:05 2014 --- Log opened Tue Jan 28 00:00:05 2014 05:30 < TD> good morning 05:34 < super3> TD, morning 10:11 < andytoshi> here is a cool paper suggesting a category-theoretic view of crypto: http://arxiv.org/pdf/1401.6488v1.pdf 10:11 < andytoshi> maybe nobody here wants that :} 10:16 < gmaxwell> I giggle at the abstract, in that the cryptographic functions whos defintions (rather than proofs) span pages are often the things that get not actual applications. :P 10:58 < jtimon> oh, "maxcoin uses a faster and more secure hashing algorithm for proof of work" 10:58 < optimator> in theory, if you wanted to send 10,000 outputs, would you send it in 1 transaction or split it into multiple transactions? 11:00 < jtimon> optimator: I'm not sure I understand the question, depends on what you want to achive? 11:02 < optimator> say I want to send to 10,000 different addresses using 10 inputs. 
Is there an advantage in splitting the send into multiple transactions rather than sending it as 1 large transaction? 11:02 < adam3us3> optimator: there is a practical limit n txouts 32 is it? 11:03 < optimator> oh 11:04 < optimator> is that limit detailed somewhere? I don't see it here - https://en.bitcoin.it/wiki/Transactions 11:04 < stonecoldpat> anyone body read the mixcoin paper? 11:05 < stonecoldpat> im going to read it this week - just want a heads up on quality 11:05 < gmaxwell> jtimon: faster? 11:07 < gmaxwell> jtimon: they should get on the horn with NIST, nist wanted something faster and more secure than sha2 for sha3 and basically no one achieved that. They mostly got equally fast and differently secure. :P 11:10 < adam3us3> optimator: maybe ask on #bitcoin-dev someone will know offhand it maybe in terms of isStandard which is a different limit to the msg format 11:11 < jtimon> gmaxwell: yes, it uses Keccak, but he said SHA256 is slower (sorry flash) https://www.youtube.com/watch?v=_Q684UxfDSU#t=907 11:12 < gmaxwell> jtimon: thats not true, SHA256 is faster than Keccak. 11:13 < gmaxwell> well it depends on your hardware, I'm sure on some things Keccak is faster. 11:13 < gmaxwell> They're nearly tied. It depends on how muc hdata you're hashing. 11:14 < jtimon> I imagined it was simply false, "it's a more fair hasing algorithm" isn't true either 11:14 < andytoshi> gmaxwell: i really like the first half of that arxiv paper actually, it has clear explanations of a lot of basic security ideas and their history. probably the category theory is obtuse if you haven't seen it before, but there isn't much of it. there's more in the second half and it goes over my head. 11:15 < gmaxwell> jtimon: lol they claim that too? 0_o 11:15 < andytoshi> as you say the really obtuse definitions that this work help are not anything that anybody would implement. 
but having a conceptual framework for this stuff could lead to existence/nonexistence proofs that would be good to have independent of any implementation 11:15 < wumpus> Keccak is supposed to be really fast when implemeted directly in hardware 11:15 < gmaxwell> wumpus: yes, though thats also true of sha256. 11:16 < optimator> adam3us3: thanks 11:16 < gavinandresen> optimator: No limit on number of transaction outputs, but transactions larger than 100Kbytes are non-standard, and larger than 1MB cannot get into a block. 11:18 < optimator> gavinandresen: is there any benefit to structuring the transactions smaller? Say in 10K chunks 11:19 < optimator> versus say a 50k transaction 11:19 < adam3us3> optimator: maybe re-ask that prev bit gavinandresen dropped & rejoined either side of it 11:19 < gmaxwell> optimator: I can't think of any benefit to chunking to 10k instead of 50k. 11:19 < gmaxwell> Other than if you're right on the edge of being included in a block some smaller lower fee paying transactions might scoot in where you don't fit. 11:24 < phantomcircuit> i do txs in 500 output chunks 11:24 < phantomcircuit> i doubt it helps much, but it doesn't reduce the overhead much to do larger chunks 11:25 < gmaxwell> yea, arguably once you get above 100 outputs optimizing for change size makes more sense. 11:38 < jgarzik> Did anybody ever work on background wallet defragmentation? And perhaps changing the priority calculations to somehow reward shrinking UTXO? 11:38 < jgarzik> We are interested in that </vendor hat> 11:39 < gmaxwell> jgarzik: I believed we merged the priority change that made shrinking the utxo better, though we also capped free transactions to 1000 bytes so it probably matters less. 11:39 < jgarzik> oh, hearing time 11:40 < gmaxwell> (the change was to not count the size of scriptsigs in the size used for computing the priority) 11:40 < jgarzik> ah! 
11:41 < jgarzik> http://www.totalwebcasting.com/view/?id=nysdfs 11:46 < gmaxwell> would be nice if someone could figure out how to download the file for later playback. 11:54 < jgarzik> indeed. I also hit "pause". The video stopped. When unpaused... jumped forward in time, missing whatever had been said during the pause. no buffering :/ 11:58 < gmaxwell> okay I'm grabbing it now, but i missed the beginning. 11:58 < gmaxwell> and I may get cut off because I'll be too busy to supervise it. 11:58 < phantomcircuit> it should be available in the future 11:58 < phantomcircuit> it'll be expensive though 12:00 < sipa> the winkelvi! 12:00 < phantomcircuit> sipa, dat statement written by their lawyers 12:00 < sipa> of course 12:00 < sipa> i found their talk in san jose very unimpressive too :) 12:01 < jgarzik> you want the statement written by lawyers... it's on the record 20:13 < warren> adam3us: I don't have a p2pool fixing budget, I just made large donations out of pocket to the only person working on the problem to give him more incentive. I'm not happy that the larger bitcoin community isn't taking the issue seriously, and I'm at my limit of what I'm willing to fund out of pocket. 20:13 < petertodd> warren: and you know, don' 20:13 < warren> adam3us: I paid about $30k out of pocket during 2013 to various people who helped upstream bitcoin or p2pool 20:13 < petertodd> warren: don't get me wrong, that was money well spent, it's just that in the wizards part of the community we should be working on better 20:14 < petertodd> warren: we're supposed to be thinking medium to long term here, fixing p2pool is short to medium 20:14 < jrmithdobbs> petertodd: but the p2pool thing highlights a real problem 20:14 < warren> adam3us: that money came from people who were concerned about litecoin dying entirely due to lack of developers. I don't expect future revenue potential to be anything like that special case. 
20:15 < jrmithdobbs> petertodd: we have functional-enough-for-now technical solution to this, but (practically) no one using it
20:15 < petertodd> jrmithdobbs: yes, that's because it's a tech solution operating in a vacuum, not one that actually takes economics and incentives into account
20:15 < warren> petertodd: p2pool and eligius are attacking the low hanging fruit. I don't have the cycles or money to attack the long-term issues myself.
20:16 < adam3us> warren: i see. (re money situ/history).
20:16 < jrmithdobbs> petertodd: but there's no one (very few) willing to pay the people capable of the technical solutions and give them the context
20:16 < petertodd> warren: that's fine, I do for now
20:16 < jrmithdobbs> petertodd: how do we solve that?
20:16 < adam3us> warren: low hanging short term is good too. people are not even using what they could and yet we are concerned about that as a systemic risk.
20:16 < petertodd> jrmithdobbs: foundations tend to be good at that, but they aren't going to solve that if people don't even accept this stuff is a problem
20:17 < jrmithdobbs> petertodd: or when major players in said foundations deny it's a problem.
20:17 < petertodd> jrmithdobbs: I can hardly even convince people *here* that p2pool isn't a very good solution
20:17 < petertodd> jrmithdobbs: heh, that too
20:17 < jrmithdobbs> petertodd: that's not a solution, that's an admission of failure, really
20:17 < adam3us> warren, petertodd: which says maybe boring things like user education, nicer UX, more bundling, advertisement are perhaps necessary, strange as that seems to a tech mindset
20:18 < warren> adam3us: it's no secret that I've been planning a 501(c)(6) foundation that focuses on development, with issues like centralization as a top priority. A few big players are interested in funding it. I've been too busy with my own career to create it.
20:18 < petertodd> adam3us: I don't have a tech mindset remember... I know damn well boring stuff works in the short term, but I'm not foolish enough to think we aren't up against genuine economic perverse incentives
20:19 < adam3us> petertodd: agreed. but sometimes short-term stupid action gains its own momentum and de facto "way-it-works" that leads to development cementing the stupidity. so it may be worth fixing these short-term what-users-are-doing-when-they-could-do-better issues
20:20 < jrmithdobbs> kinds are part of the types really
20:20 < jrmithdobbs> err wrong chan
20:20 < petertodd> adam3us: hence why I'm not against people improving p2pool; I'm against people who could use their talents to do even better spending their time on p2pool
20:21 < warren> adam3us: uncontroversial things for the new foundation to tackle: centralization, anti-DoS, anti-sybil, scalability, timestamping tech. I'd rather not prioritize regulatory canaries when there are plenty of uncontroversial existential threats. Others can work other issues.
20:21 < petertodd> adam3us: the people who can do that work can't do consensus system theory (and mostly vice-versa)
20:22 < adam3us> petertodd: yeah maybe it just pains me to sit around watching needless stupidity create short term network scale risks. like 40% miners (that can and did do double spend attacks) when there is no sane reason to do it.
20:22 < warren> Go ahead and call me chicken, after centralization is fixed.
20:23 < adam3us> warren: canaries are a special breed. seemingly matthew green has what it takes :) he claims he's gonna make an alt out of zerocash.
20:23 < petertodd> adam3us: well like I said, for that issue you've got a hell of an uphill battle... we just complain about hashers who point their hardware at ghash.io, but the reality is from their point of view there's nothing very stupid about it
20:24 < adam3us> petertodd: actually ghash doesnt charge fees i think. (like eligius and p2pool) otherwise often the big miners are charging like 5% and people are still using them over eligius or p2pool
20:24 < warren> ghash has other ways to make money (trading commissions...)
20:24 < petertodd> adam3us: I know, that's one of the reasons they're so big
20:25 < warren> If p2pool improved substantially, grew bigger and flexed its orphan advantage it might be able to compete.
20:25 < adam3us> petertodd: but i mean wtf why not put it up to 10% and see if they still stay there? do they even care about money?
20:25 < petertodd> adam3us: and 5% isn't much money - remember that when I talk about pools being "profitable" that includes non-monetary "compensation", as well as lower costs, and less perceived risk
20:26 < petertodd> adam3us: business risk is a funny thing - ghash.io has a perception to maintain
20:26 < adam3us> petertodd: u know there's one with 100% fee (aka it stopped paying out) and it still has significant TH
20:26 < petertodd> adam3us: equally, people's perception of value is often that higher cost == better
20:27 < adam3us> petertodd: i suspect its bigger == better thinking here.
20:27 < petertodd> adam3us: hey, if you look at that and say "WTF?!" rather than "yeah, I can see why" then you don't have the insights to understand this stuff
20:27 < petertodd> adam3us: yeah, well duh
20:27 < adam3us> petertodd: if u have no clue and someone forces you to make a too technical or arbitrary decision, you'll tend to follow what others are doing...
20:27 < petertodd> adam3us: that's why I said above you probably have to create tech where pools aren't just discouraged, but are actively disabled in various ways
20:28 < petertodd> adam3us: yup
20:28 < petertodd> adam3us: having to research the right way to do something is a huge cost
20:28 < petertodd> adam3us: heck, having to make choices at all is a huge cost
20:28 < adam3us> petertodd: but 5% eh. maybe a 50point font mining pool fee % & profit calculator in the miner sw
20:28 < jrmithdobbs> petertodd: you're trying to say that not only do you need to be able to recognize that "bigger == better" thinking but realize that a) it's not necessarily wrong and b) it's ingrained for a reason and isn't something that can be ignored because "people are dumb"
20:28 < jrmithdobbs> pes?
20:28 < jrmithdobbs> yes?
20:29 < petertodd> jrmithdobbs: yeah, all those points.
20:29 < jrmithdobbs> petertodd: just making sure i was understanding your point (and I agree)
20:29 < petertodd> Now if we're willing to accept that, then how do you force pools completely out of existence? I think it was you adam who was talking about stealable proof-of-work for instance.
20:30 < adam3us> petertodd: yeah thats more interesting (must get off fixating on irritating user stupidity:)
20:30 < petertodd> Similarly, how can blockchains be structured such that p2pool-like variance reduction is a given?
20:30 < amiller> loosen the difficulty restriction
20:30 < amiller> let people choose their own difficulty in some way
20:30 < amiller> that way you can still maintain the overall security invariant
20:30 < petertodd> And, how can we make mining something that you don't need a bunch of setup time and other work to get started in?
20:31 < adam3us> petertodd: i think it was amiller who said it first (stealable PoW) except i think he was talking reverse ... for hosted mining
20:31 < petertodd> amiller: well, is that diff per-block then or what?
20:31 < amiller> i was talking about both equally, i gave an abstraction where both pools and hosted mining are equally a security violation!
20:31 < petertodd> amiller: or can we split blocks up? how does consensus work?
20:31 < adam3us> amiller: actually the whole pool chooses work packet for miner is just wrong thinking
20:32 < petertodd> amiller: yeah, I'm not sure if I have a solution to hosted mining yet
20:32 < adam3us> amiller: the whole point of hashcash is the user chooses their own work packet
20:32 < petertodd> adam3us: yet, just saying that doesn't help :)
20:32 < warren> Lots of the Litecoin users are pushing for a PoW change because they don't want the same thing to happen with ASICs.
20:32 < petertodd> adam3us: getblocktemplate is the perfect example of just saying that, and look where that's gone
20:32 < jrmithdobbs> petertodd: the only straightforward solutions i can think of require things that don't actually exist
20:32 < amiller> so the block selection function is
20:32 < petertodd> warren: Good!
20:32 < amiller> choose the block with largest sum difficulty
20:32 < warren> They're quite naive, suggesting just increasing the scrypt parameters.
20:32 < amiller> that's invariant to difficulty choice
20:32 < jrmithdobbs> but i've not spent much time thinking about hosted mining, ha
20:32 < amiller> the problem with difficulty choice is one of PoW basically
20:33 < adam3us> petertodd: whats wrong with GBT?
20:33 < amiller> er
20:33 < amiller> DoS
20:33 < petertodd> warren: heh, they willing to put money towards researching ASIC-hardness
20:33 < petertodd> adam3us: there's no incentive for individual hashers to use it

00:54 < gmaxwell> pigeons: did your arb script screw you with tradefortress?
00:55 < pigeons> not at all
00:55 < pigeons> i don't trust tradefortress
00:55 < pigeons> i dont trust anyone who trusts him either
00:55 < pigeons> i dont value anything he issues
00:56 < pigeons> sometimes my paths do go through things i dont value though
00:56 < gwillen> gmaxwell: what happened with tradefortress?
00:57 < pigeons> like the other day i discovered someone issuing MXN i didnt know because the cheapest path to send myself bitstamp USD from a certain issuer's GBP i had was to buy MXN for XRP that i acquired for selling GBP and sell the MXN for BTC
00:57 < pigeons> trades on the order books are treated as a node in the path
00:57 < gmaxwell> gwillen: I'm clueless, something like: he got lots of people to trust him, issued a bunch of tradefortress btc, lots of trades flowed through him leaving people with tf btc and he said LOL SOL SUCKERS.
00:58 < gwillen> gmaxwell: heh.
00:58 < pigeons> so you can go through a trust line BTC/bob -> btc/alice or you can go BTC/bob ->market BTCbob/XRP _.btc/alic
00:58 < gwillen> gmaxwell: do I understand the ripple system correctly that if you do not manually trust tradefortress, it should not be possible for him to screw you?
00:58 < gwillen> gmaxwell: even if, for example, you trust someone who trusts him?
00:58 < pigeons> he posted in the newbie section offering free btc if you trust him for 100 btc
00:58 < gwillen> sigh
00:58 < gwillen> people are idiots, aren't they
00:58 < gwillen> I guess this is why the ripple people put 'trust' under 'advanced'
00:59 < pigeons> then if the user also had btc assets that actually were redeemable and also trusted TF, or someone with redeemable assets was trusted by the guy who trusted TF, TF or his cohorts would take the BTC they were trusted to be allowed to take
01:00 < pigeons> he claimed he was trying to teach a lesson on the dangers of IOUs, I guess he taught that lesson again with inputs.io and coinlenders
01:00 < gmaxwell> oh did he rip people off on coinlenders?
01:01 < gmaxwell> he should team up with realsolid and zhou... it would be like a cryptocurrency learning experience dream team.
01:01 < gwillen> pigeons: just to be clear, if I trust X and X trusts TF, the ripple system will leave X holding the bag, and not me, right? I will never end up with TF IOUs?
01:01 < gwillen> pigeons: The only way I could get screwed is if X, who is holding worthless TF IOUs, decides to then default on their own IOUs?
01:01 < pigeons> you can never hold or receive an asset you don't explicitly agree to hold
01:01 < gwillen> (which they might well do, having issued those IOUs without understanding how they could get screwed)
01:01 < gmaxwell> pigeons: you could still trade through those assets you haven't agreed to hold, in passing so no risk from them, right?
01:02 < pigeons> you can acquire assets you havent granted a trust line for by making a trade offer
01:02 < pigeons> but making the trade offer implies agreement to accept
01:03 < pigeons> in the case i mentioned with the MXN, the buy and sell was in one transaction
01:03 < gmaxwell> gwillen: yea, of course there is always the systemic risk. You trust A, A trusts B. B bankrupts A and in doing so that bankrupts you, even though you never trusted B, only trusted A too much.
01:03 < gwillen> right
01:03 < gmaxwell> I dunno if there was any systemic risk fallout with TF
01:03 < gwillen> just checking my understanding
01:04 < pigeons> we marked the accounts that were not TF himself but took advantage of the situation in our address books as TF.X1 TF.X@ etc
01:04 < gwillen> took advantage how?
01:05 < gwillen> Did they also default on IOUs?
01:05 < pigeons> took advantage by sending the user TF IOUs that the user naively agreed to accept, in exchange for more trustworthy ious like from bitstamp
01:05 < gmaxwell> used tf IOU's to acquire real assets.
01:06 < gwillen> hmm
01:06 < gwillen> is it possible to implicate people for doing that on purpose?
01:06 < gwillen> as opposed to just treating those things as equivalent, and having the system rearrange them as part of some other transaction?
01:06 < pigeons> well the client gives a red warning "YOU ARE TRUSTING MORE THAN ONE ISSUER FOR THE SAME ASSET, THIS ALLOWS THESE ASSETS TO BE EXCHANGED AT PAR WITH EACH OTHER" or something
01:07 < gwillen> oh, that's new since I used it
01:07 < gwillen> interesting
01:07 < pigeons> gwillen: yes there are ways to assign different values to different lines, called "quality settings" but they are not exposed in the default client
01:07 < gmaxwell> hm. really?
01:07 < pigeons> for example one issuer i have to email to get my btc, so i give it a quality in of 0.95
01:07 < gmaxwell> I have two issuers trusted for btc in my ripple wallet, I have no clue who they are. I don't see any warning.
01:07 < pigeons> so if payment ripples through me i receive 5% more than the other issue i give out
01:08 < gmaxwell> I was about to ask if there was a way to program in automatic spreads.
01:08 < pigeons> the warning comes when you assign trust
01:08 < pigeons> try it
01:08 < gmaxwell> pigeons: gimme an address?
01:08 < pigeons> the corollary is "quality out" which means if liquidity from this line is used, you get more than you give
01:08 < pigeons> i maintain a list of addresses here https://bitcointalk.org/index.php?topic=155236.msg1646402#msg1646402
01:09 < pigeons> dividend rippler is rfYv1TXnwgDDK4WQNbFALykYuEBnrR4pDX
01:09 < pigeons> bitstamp is rvYAfWj5gh67oV6fW32ZzP3Aw4Eubs59B
01:10 < pigeons> so you could set quality out of 1.01 on your trust line with BTC/Bitstamp since bitstamp is very liquid in ripple
01:10 < pigeons> so if you end up with dividend rippler at least you get 1% more
01:10 < gmaxwell> pigeons: hm. so you can turn a profit from acting as a liquidity provider ... interesting.
01:10 < pigeons> although dividend rippler is immediately redeemable
01:10 < gwillen> what is 'dividend rippler'
01:10 < gmaxwell> rQay7bQ3XoZcT6E3c8uDopZdnWaMBxWea2 < any idea what that is?
01:11 < pigeons> one sec
01:11 < pigeons> i have that address as "jorgen"
01:11 < gmaxwell> "By pressing CONFIRM you are extending trust to multiple issuers for the same currency which may result in your account balances changing without your direct action. Make sure you understand these consequences, and that all your issuers are trustworthy." heh indeed.
01:11 < gwillen> is it not true that trusting a single issuer can cause your account balances to change without your direct action?
01:12 < gmaxwell> I have it, but trusted at 0.
01:12 < pigeons> gwillen: it cannot
01:12 < gwillen> hmm
01:12 < pigeons> trusted at 0 removes the trust line
01:12 < gmaxwell> yea, seems you can't label these darn things in the interface.
01:12 < pigeons> go to contacts and enter one and it will show in the trust tab
01:12 < pigeons> but yeah the client pretty much sucks
01:13 < pigeons> gwillen: dividendrippler.com is an automated way to send blockchain assets and get ripple assets issued and vice versa
01:13 < gwillen> hm, interesting
01:13 < gmaxwell> you'd think they'd make the quality stuff exposed, since I bet a lot of people would jump into this trying to make money as liquidity providers.
01:14 < pigeons> yes lots of people on the ripple forums complain that they would like to trust multiple issuers but dont want their balances changing
01:15 < amiller> in other words extend line of credit without implicitly offering any exchange standing offers
01:15 < pigeons> i spoke with David Schwartz at a conference and was talking about my quality settings and he seemed to think that 1:1 acceptance was good for the network
01:16 < pigeons> you can also make explicit order book trades for USD/Foo vs USD/Bar
01:16 < gmaxwell> weird, I'd think that near but not quite 1:1 would be good for the network. Besides, taking a less trusted issuer exposes you to risk you should be compensated for.
01:16 < amiller> 1:1 accepts is basically the "i'm altruistic and trust everyone at my own avoidable loss" setting
01:16 < amiller> so yeah it's good for the network if everyone else does it
01:16 < pigeons> i do try to keep 1:1 if i can cashout easily and immediately with little to no fee and the issuer has a good reputation
01:16 < pigeons> and then i discount from there
01:16 < gmaxwell> amiller: well not quite because if too many people lose their shirts thats bad for the network.
01:17 < pigeons> that's why i try to use quality in so i can charge a premium based on certain issues i receive instead of a quality out on a popular issue, cause that would affect the liquidity i offer to my friends in that issue
01:18 < pigeons> but the opposite is recommended i dont know why
01:18 < gmaxwell> quality in sounds generally more reasonable. you have a cost in taking a non-preferred asset, not so much in giving out a preferred one.
01:19 < gwillen> just call it the "Gresham's Law multiplier" ;-)
01:19 < pigeons> sometimes if all my btc is immediately flowing from bitstamp to say rippleisrael, but even though i know the guys at ripple israel and have an automated interface to get real btc, i set the quality in on R.I. just cause it seems people are willing to pay it
01:19 < amiller> how many transactions go through jeff cliff
01:20 < pigeons> amiller: not as many as in the old ripple system, but he's starting to catch up
01:20 < pigeons> "The Kevin Bacon of Ripple"
01:21 < gmaxwell> so what happens when fincen decides all ripple users are money transmitters? :P
01:21 < pigeons> well then we learn the consequences of the default UNL list issue, when those validators are asked to deny transactions from unlicensed folk
01:22 < gwillen> gmaxwell: http://www.quickmeme.com/Youre-gonna-have-a-bad-time/
01:22 < amiller> just the ones that make profit, rely on public reputations and the appearance of a "legal company", i.e., the only ones that ripple labs is encouraging to do this, aka gateways

13:38 < gmaxwell> (I have a sketch for a revocation solution too... but didn't post it because I felt the protocol was too complicated to bother implementing)
13:51 < maaku> gmaxwell: how do you get by on 30k/year here?
13:51 < gmaxwell> I don't have Kids
13:52 < gmaxwell> (I don't mean this to insult having kids, but its probably the first major factor! :) )
13:53 < maaku> yeah
13:55 < gmaxwell> Otherwise, heck if I know. A moderate amount of lifestyle hypermiling. I don't drive. (I have an old truck, but I think I only used it a dozenish times last year). I cook. I don't buy gizmos, though partially this is because I already own two lifetimes worth of gizmos from a decade ago before I intentionally started trying to minimize my cost of living.
13:58 < maaku> Yeah our rent alone is $20k/year
13:58 < maaku> If I were single, no kids, and had housemates I guess that'd be plenty doable
14:08 < petertodd> gmaxwell: re: msc/ether I've been arguing quite strongly that msc either be based on ethereum, do it better, or merge the projects
14:09 < gmaxwell> petertodd: sounds reasonable to me.
14:09 < gmaxwell> (whatever reservations I have on the ideas, they're not made worse by merging them, and may well be reduced by them)
14:09 < petertodd> gmaxwell: yup, and msc seems to have a number of people actually focused on gui's, workflows and other usually ignored details
14:13 < phantomcircuit> msc?
14:13 < petertodd> msc==mastercoin
14:13 < phantomcircuit> oh
14:14 < phantomcircuit> gmaxwell, it would be interesting to build a merged mine altcoin which does a bunch of stupid shit like that
14:14 < phantomcircuit> just to see what would happen
14:15 < phantomcircuit> gmaxwell, 2.5k/month in mountainview? im thinking the key is you split rent with your gf
14:16 < gmaxwell> phantomcircuit: no, actually the 30k figure is including all the shared expenses.
14:16 < phantomcircuit> does that include your electric bill? lol
14:16 < petertodd> gmaxwell, adam3us: still need to reply to your IBE ideas; got some paid work to get done first though on a deadline
14:17 < gmaxwell> phantomcircuit: It doesn't include my (e.g. mining) business expenses (which I already account for separately), nor should it, since that stuff is self funding.
14:17 < phantomcircuit> i was kidding
14:18 < gmaxwell> my non-mining electricity usage is like $30/month. :P
14:18 < phantomcircuit> without monthly vehicle costs you can live pretty much anywhere in the us for relatively little
14:18 < phantomcircuit> rent/utilities/internet/food
14:18 < petertodd> phantomcircuit: aside from the problem that in many places in the us you can't live without that vehicle :)
14:19 < gmaxwell> petertodd: you _can_ but it requires careful consideration and effort.
14:19 < gmaxwell> at least any town with a population over 50k or so at least has some place in it that you could reasonably live without a car or at least without frequent use of a car.
14:20 < petertodd> gmaxwell: right, I'm including <50k in that statement
14:20 < gmaxwell> but some kung fu balancing of needs is required.
14:20 < maaku> phantomcircuit: i don't, rent is a big issue in many places (silicon valley, nyc, dc, ...)
14:20 < phantomcircuit> petertodd, i imagine it's fairly complicated to live in mountain view without a car also
14:20 < petertodd> gmaxwell: the US also has places >50k with no public transport whatsoever
14:20 < maaku> my wife and I are considering a move to montreal just to cut expenses...
14:21 < petertodd> phantomcircuit: heh, when I interviewed at google in mountain view I took the bus to the airport to get a sense of how screwed up the place was...
14:21 < maaku> phantomcircuit: actually mtnview is not that bad. it's well connected by train, lightrail, and bike paths
14:21 < petertodd> maaku: where are you now?
14:22 < maaku> but the rent differential is many factors more than car payments would be
14:22 < maaku> petertodd: san jose
14:22 < maaku> used to live in mountain view
14:22 < petertodd> maaku: didn't realize montreal was an option for you
14:22 < phantomcircuit> maaku, if you're single and dont care about roommates you can get a room in sf for ~800/month
14:23 < gmaxwell> phantomcircuit: nah. not at all, at least without kids. There are three supermarkets within a 10 minute walk of where I live, and the caltrain station (though it's pretty expensive, so it would dent the COL if I had to use it daily and pay for it)
14:24 < maaku> petertodd: well it's not per se, but it's easier for freelance americans to get a visa to canada than many other places
14:24 < tromp__> a car also becomes something of a necessity when you're no longer single...
14:24 < tromp__> and not living in a big city
14:24 < petertodd> maaku: ah. why montreal vs. toronto or something?
14:25 < sipa> tromp__: so you go from 2 single people each having no car, to a couple of two people each having a car? :)
14:25 < gmaxwell> tromp__: I'm not single, I haven't been single for >10 years... and I live in the suburbs. There certainly are places where a car really is mandatory, but in a lot of places (and not just crazy big cities) it is possible to organize your life so that you need to use a car very infrequently.
14:26 < tromp__> in my case my fiancee relied on a car alrd
14:27 < tromp__> when she moved here (selling her old car) i went and got my us driver's license and bought a car
14:27 < maaku> petertodd: I have a cousin who is a permanent resident in Montreal & I've stayed with him for some conferences. Love the city, local tech industry, and quebec culture.
14:28 < maaku> From what I hear toronto would probably be a 2nd choice, but I've never visited
14:28 < petertodd> maaku: imo montreal > toronto re: beauty/culture/etc.
14:28 < gmaxwell> e.g. choosing work that is in proximity to reasonably priced places to live and groceries, and then living close to work. Owning a bike with some reasonable cargo accommodations.
14:28 < tromp__> i commute by bike everyday
14:29 < maaku> petertodd: yeah for me now that's the bigger concern ... thanks to bitcoin we can live anywhere
14:30 < petertodd> maaku: you know, rural iran is really beautiful in the mountains
14:30 < maaku> hahahaha
14:33 < maaku> seriously, we considered places like bali and thailand. but having a family means giving priority to things like access to health care and schooling :\
14:33 < petertodd> maaku: heh, had a long discussion with my dad along those lines a few months ago actually - his job is head of regional economic development in the nwt (way north canada) and I was pointing out how in theory all these remote communities could easily have thriving economies with people doing remote telecommuting IT work and hunting... but of course that doesn't happen
14:33 < petertodd> maaku: yeah, I like first world for that...
14:34 * gmaxwell waits for adam3us to suggest malta.
14:36 < sipa> if you like high rent and public transport that actually works, zurich isn't bad :)
14:40 < maaku> petertodd: probably more potential for arctic air-cooled data centers like we see in iceland and sweden
14:40 < petertodd> maaku: potential maybe, but right now the electricity infrastructure sucks and would cost billions to improve
14:41 < maaku> ah
14:41 < petertodd> maaku: not much generation capacity up there
14:43 < petertodd> maaku: it's a serious problem for the mines - a few km from my parents' house is the transfer station for diesel, which has a tank farm with the same volume as a large sports stadium, and that's not even a full season's worth of fuel
14:44 < petertodd> maaku: I worked it out once and that one farm had capacity for something like 6 hours of the world's supply of oil
14:45 < petertodd> (all the mines use diesel generators for their electric supply)
14:46 < gmaxwell> petertodd: electricity infrastructure: https://bitcointalk.org/index.php?topic=170332.msg4808083#msg4808083
14:47 < maaku> jeeze, you'd think there'd be wind, or geothermal (near the ring of fire at least)
14:47 < petertodd> gmaxwell: his electrician fucked that up big time...
14:49 < petertodd> gmaxwell: it should never be possible to do damage like that to any part of your electric wiring no matter how badly you abuse it if everything is done to code with proper-sized fuses
14:51 < gmaxwell> petertodd: yep, well apparently the _meter_ caught fire?!
14:52 < petertodd> gmaxwell: I have to wonder if someone modified it before, say to bypass something...
14:53 < petertodd> gmaxwell: I *think* meters are actually protected by a fuse at the pole in many places - haven't looked at the codebooks in years
14:55 < gmaxwell> petertodd: yes, they are protected by a pole fuse, though sometimes the pole fuses get shorted and don't work.
14:56 < gmaxwell> they're also really slow.
14:56 < gmaxwell> (I've blown one once, so I'm speaking first hand.)
14:57 < petertodd> gmaxwell: yup, probably a bad substitute. one of the harder parts of power engineering is that the time constants of your fuses matter and have to be matched to the equipment
15:27 < Emcy> impressive
15:28 < Emcy> not quite as impressive as the kid who gave himself brain damage by sleeping in the same room as 20 radeons or something
15:29 < petertodd> Emcy: heat exhaustion?
15:29 < Emcy> yea
15:29 < Emcy> heatstroke
15:29 < nsh> i once gave myself brain damage by inhabiting a space with 20 radians per revolution
15:29 < petertodd> I was worried you were gonna say EMF pollution :P
15:29 < gmaxwell> Emcy: Pretty sure that was BS.
15:30 < petertodd> nsh: non-euclidean geometry kills
15:30 < Emcy> gmaxwell perhaps but its a nice bit of bitcoin folklore
15:30 < nsh> hehe
15:30 < nsh> Riemannian Manifolds: Just Say No
15:31 < petertodd> nsh: I felt the brain damage coming on while trying to add ECDH support to python-bitcoinlib last night... manifolds >> openssl I'm sure
15:31 < nsh> eek. how did it go?
15:32 < Emcy> how many amps/watts can an american household push then
15:32 < Emcy> i think its surprisingly low? due to 120v

19:08 < c0rw1n> do you _have_ to send your message in full? or could you be sending it .3kbps at a time?
19:08 < jron> after over an hour, the most interesting quote to come out of the hearing has been: "...I think the level of engagement and the positive reception that bitcoin companies are now getting from certain banks has led us all to believe that we're very very close to the banking industry opening up to bitcoin. I think we're probably 2 or 3 months away from some well known banks coming out with kind of clear procedures on how to work with them as a bitc
19:10 < sipa> with them as a bitc[...]
19:11 < jron> with them as a bitcoin company and they'll position themselves as a bitcoin friendly bank." - Barry Silbert
19:11 < andytoshi> brisque: there is an example of the uncertainty principle for fourier transforms involving water waves, where you can't simultaneously determine the waves' frequency and breadth or something like that. using that idea you can smear out the actual changes in traffic volume
19:11 < andytoshi> i'll see if i can find that..
19:16 < jron> oh, and that someone is trying to remake e-gold\goldmoney.
19:28 < andytoshi> brisque: i can't find it, but i did find a paper by folland called "uncertainty: a mathematical survey" which gave the formulation that i wanted: there exists some number (1/16pi or something) which bounds below the product of your variance and your fourier transform's variance. for waves this means you can measure the water height arbitrarily well, or the wave frequency arbitrarily well, but not
19:28 < andytoshi> both
19:28 < andytoshi> (though ofc you can just do two measurements)
19:29 < andytoshi> so the better you keep your chaff quantity following a sine wave, the worse time an attacker will have determining the actual data level
19:30 < andytoshi> since the attacker can only measure frequency in that case, he can't measure actual bandwidth without knowing what's real and what's not
19:32 < andytoshi> then for example if you can always keep your bandwidth uncertain within +/- 10kb/s, and don't increase the amount of chaff by more than 10kb/s/day, an attacker can only see changes in bandwidth usage with granularity of one day, thus defeating timing analysis
19:33 < brisque> hm. I've never believed that random timings and fake data really help to secure a service. if you're running something like RetroShare you're probably going to need to be attracting a lot of attention to yourself for anybody to bother doing traffic analysis. if they are, you can assume they're probably just going to get a warrant and bust your door down.
19:34 < jrmithdobbs> andytoshi: the shorter way of saying that is "run a bandwidth restricted tor relay on the same link"
19:35 < andytoshi> jrmithdobbs: yeah :} and randomly change the bandwidth cap
19:35 < jrmithdobbs> but i'm with brisque, I'm not so sure I buy shamir/etc's arguments on this topic
19:36 < jrmithdobbs> there's analysis to be done there but it's kind of like plugging the whole in a rowboat with your finger when there's 500million more holes
19:36 < jrmithdobbs> s/whole/hole/
19:37 < super3> my question is what is the minimal amount of fake data you can throw around without just wasting bandwidth
19:37 < super3> i like the idea of just using it in random bursts rather than continual data usage.
19:37 < jrmithdobbs> and I don't think we really have a correct answer yet but i've not specifically read the paper andytoshi mentioned :)
19:38 < brisque> even a kilobyte a second adds up, especially over multiple peers.
19:38 < super3> where is this paper?
19:38 < super3> brisque, also makes you stand out on a network.
19:39 < justanotheruser> andytoshi: yes, every N seconds you broadcast data
19:39 < justanotheruser> to all your peers
19:39 < jrmithdobbs> super3: in fact, i'm not sure anyone's actually looked for *generic* traffic, the only stuff I'm recalling specifically involve using spam/smtp as transport
19:40 < andytoshi> jrmithdobbs: yeah, that's an example of what i'm saying about using periodicity to hide actual volume. so if you burst every second, and increase traffic whenever you need it, your attacker can see your volume changing with 1-second granularity
19:41 < andytoshi> i guess that's way way simpler than trying to shape continuous traffic to have decently periodic features..
19:41 < brisque> super3: like the guy who puts way too many locks on his door.
19:42 < super3> brisque, im that guy
19:42 < super3> brisque, rather too many locks than not enough
19:42 < jrmithdobbs> andytoshi: if anything normalizing like that may obscure the original intent but has the side effect of calling attention to the traffic because NOTHING is that normal
19:43 < brisque> super3: locks seem a little silly when people have glass windows.
19:43 < jrmithdobbs> heh
19:43 < jrmithdobbs> tbqh, having the lock makes the lock do its job
19:43 < jrmithdobbs> don't even have to lock it
19:44 < jron> here is the e-gold like company the lawyer referred to: http://www.coeptis.com/
19:44 < jrmithdobbs> (in fact, i rarely do, lol)
19:46 < jrmithdobbs> super3: it's actually quite a fitting analogy
19:46 < jrmithdobbs> super3: you do realize that 98% of locks on the market can be opened in <15s with basically a week's worth of effort, right?
19:47 < jrmithdobbs> and said effort isn't salted so effort on one core of a similar type equates to effort on another core of the same design with different keying
19:47 < super3> jrmithdobbs, i agree with you
19:48 < brisque> locksport is great fun.
19:48 < jrmithdobbs> great party trick if nothing else
19:49 < jrmithdobbs> (and the "week's worth of effort" was from zero knowledge of how they work, not per core, to be clear ;p)
19:49 < brisque> I enjoyed the opening contests at defcon too, they even had casascius coins (to keep the comment on topic)
19:50 < jrmithdobbs> i like freaking out locksmiths
19:51 < jrmithdobbs> had one try and upsell me on some padlocks towing something recently, "Ya see this, this is so thieves can't get a pick in here" "what? yes you can, look: <opens lock>" ...
19:51 < jrmithdobbs> he almost called the cops, lol
19:51 < jrmithdobbs> (because said tools are illegal in tx unless licensed)
19:52 < brisque> well, be careful. fine line between a party trick and freaking people out.
19:53 < jrmithdobbs> it's more fun not to pick the locks and show people the releases on filing cabinets/etc instead ;p
19:53 < jrmithdobbs> *that* freaks people out .. no one thinks about this stuff, ha
19:55 < maaku> there's a great story about feynman 'picking' the combinations of his colleagues' safes in the manhattan project
19:55 < gmaxwell> where he went and precomputed the combinations and then appeared to be able to do it instantly? :P
19:56 < gmaxwell> or was that where there was some bypass?
19:56 < brisque> combination locks are usually the easiest ones, all you need is a drink can and a pair of scissors.
19:58 < jrmithdobbs> gmaxwell: that sounds like a fun story hadn't heard it
20:00 < gmaxwell> one of the puzzles in this year's MIT mystery hunt, part of the runaround at the end, was a pin-tumbler lock in the form of a pool-table sized 'bed'. (you had to manipulate slats on the sides of the bed to pick the lock, after first solving some nested trick with a magnetic trigger)
20:01 < gmaxwell> people in my team were kinda mobbing the bed and preventing effective work on it. someone called out "who here has picked a lock before" and 3/4 of the room, including everyone within 10 feet of the bed, raised their hands... so that wasn't a good distinguisher on who should be taking the lead...
20:01 < maaku> gmaxwell: correct, iirc he was able to feel the last two (of three) numbers on an opened safe, and most people kept their safes opened while they were in the office
20:01 < maaku> jrmithdobbs: it's in "surely you're joking?" i think
20:12 < Emcy> anyone ever picked those electronic dongle locks
20:12 < Emcy> the ones where the key sort of looks like a coin cell
20:21 < gmaxwell> Emcy: I believe I've seen those in the form of the 'keys' used for segways.
20:21 < gmaxwell> I'd _assume_ they're cryptographic.
20:22 < brisque> I wouldn't. I expected the one for my car to, but it just uses rolling codes like all the rest.
20:23 < brisque> if you really want to piss somebody off, go out of range of the car and punch the unlock button a few hundred times. once the keyfob rolls past the acceptable window for the car, it's useless.
20:24 < Emcy> they're rfid
20:24 < Emcy> i used to have one for my dorm door.....the lock seemed to have a nifty internal power source
20:24 < brisque> oh wait, there are stock standard RFID tags probably. I saw a store stocking them.
20:25 < gmaxwell> brisque: I know that some of the car ones are actually cryptographic because they've used snakeoil crypto that people have successfully attacked! (doh!)
20:25 < Emcy> and i once read something about those lock systems being able to form their own sneakernet via a writable area of the rfid and keep logs of when and who opens doors etc
20:25 < sipa> gmaxwell: a friend of mine at university did :)
20:25 < sipa> (keeloq)
20:26 < gmaxwell> Emcy: I like the electronic locks that look like dial combination locks where spinning the dial powers it.
20:27 < Emcy> never seen that
20:27 < gmaxwell> They're pretty insanely secure because the only connection between the outside and inside is a couple wires, and all the locking is on the inside.
20:27 < brisque> gmaxwell: wonder how big a mechanical lock that used EC would be. it's presumably possible to make a mechanical computer that could do it, just it would be a little on the large side.
20:27 < gmaxwell> about the best attacks on a well built one are bugging the dial.
20:29 < brisque> bombe style with electromechanical calculation?
20:32 < Emcy> yep locks are pretty interesting
20:32 < brisque> likely impossible, but I'd pay big money to see a purely mechanical computer doing a SHA256 hash.
13:11 < realazthat> Yes, the only way (assuming you cannot break crypto) is to run P, not Q.
13:11 < petertodd> huh, crazy
13:11 < realazthat> so you can turn any useless algorithm into a PoW
13:11 < realazthat> and, you can make the lottery winnings be adjustable
13:11 < realazthat> depending on how you calculate the lottery "numbers"
13:12 < petertodd> oh, that'd be very good for combining multiple PoW's actually
13:12 < gmaxwell> eeh. still, you could optimize the hell out of the scip environment.
13:12 < realazthat> gmaxwell: yes :D
13:12 < realazthat> that's like someone running a GPU
13:12 < realazthat> except this is brains
13:12 < realazthat> and might interestingly lead to improvements in SCIP
13:12 < realazthat> lol
13:13 < petertodd> like if you had a hundred low-value PoW's, present a proof that they have been combined honestly, and, say, all depended on some initial value
13:13 < realazthat> ofc incentive is not to publicize
13:13 < petertodd> could be used to reduce variance
13:13 < realazthat> yeah a bunch of conflicting ideas along those lines
13:13 < petertodd> sure lends itself to a merkle-tree structure...
13:14 < petertodd> it'd be interesting if we could somehow make solo-mining low-variance
13:14 < realazthat> also
13:14 < realazthat> a compute market
13:14 < realazthat> this might be possible within bitcoin itself
13:14 < realazthat> https://en.bitcoin.it/wiki/User:Gmaxwell/why_hash_locked
13:14 < realazthat> gmaxwell: doooo that :D
13:15 < realazthat> though I was wondering if it were possible to somehow keep the actual program out of the blockchain
13:15 < realazthat> but that's a side issue
13:15 < gmaxwell> ...
13:15 < gmaxwell> I think you need to read https://en.bitcoin.it/wiki/User:Gmaxwell/why_hash_locked again. The whole point of it is that it makes bitcoin oblivious to your scip dance.
13:15 < gmaxwell> :)
13:16 < petertodd> oh, shit, and I just realized that this same PoW merging thing applies to proof-of-sacrifice, which basically means you don't need to store the zillions of tiny individual sacrifices... damn
13:16 < petertodd> I've been really struggling trying to find a decent way to keep my consensus key-value system unbloated...
13:17 < realazthat> gmaxwell: what am I missing?
13:17 < realazthat> why can't u use that to make a job worth running
13:17 < realazthat> and pay out to the 1st person with an answer
13:18 < gmaxwell> There is no need to have the program in the blockchain.
13:19 < petertodd> realazthat: it's a way of forcing the seller to prove they have the data from the output of a program, and at the same time, force them to reveal the decryption key to that data as part of receiving the payment
13:19 < petertodd> realazthat: (I think I got that right)
13:20 < gmaxwell> right. They prove to you that the encrypted output is X, and that the hash of the decryption key is Y. And you make a payment that must provide the value that hashes to Y (the key to decrypt the solution)
13:21 < gmaxwell> For NP problems they don't even have to run the computation inside SCIP, only the validator.
13:21 < petertodd> very cool
13:21 < realazthat> mmm yes
13:22 < realazthat> ok this is interesting too, but not as universal I think
13:22 < petertodd> interesting too how it's dependent on the blockchain being reliably public information
13:22 < petertodd> hard to think of an example where that could be done in a non-bitcoin payment system
13:22 < gmaxwell> petertodd: yea... "if they can spend it, you can get the key they disclosed"
13:22 < realazthat> it would be cool if there was a way to post a SCIP program publicly, and have an output script that verifies the answer to release payment
13:22 < realazthat> I guess this is a separate idea though
13:23 < gmaxwell> realazthat: requires putting the validator in the network rules, not really realistic at this time.
13:23 < realazthat> yes
13:23 < realazthat> I mean way later perhaps
13:23 < realazthat> or a way to bootstrap it in
13:23 < realazthat> without putting the validator itself in, I dunno
13:24 < realazthat> it can also be very unsuccinct for bitcoin
13:24 < realazthat> the response signature can be relatively big
13:25 < realazthat> something like a MB or something? I don't remember
13:35 < petertodd> so, the recursive bootstrapping SCIP stuff, any sense of how many months/years we're going to have to wait for it?
13:35 < petertodd> I mean, sounds like you have to implement a SCIP proof verifier within the system for one thing...
14:38 < realazthat> yes
14:38 < realazthat> I mean it seems a bit trivial to try to do it myself
14:38 < realazthat> but eli said there were more complications
14:38 < realazthat> and I didn't read the paper he named in response
14:38 < realazthat> and I prolly wouldn't understand it if it goes into the math
14:38 < realazthat> blackbox for me
14:39 < realazthat> I dunno what problems arise though; it *seems* like one could just ... do it
14:39 < realazthat> petertodd: I hope that if it is feasible, eli would start working on it as stage 3
14:39 < realazthat> I think stage 2 is supposed to be done at the end of august or something
14:39 < realazthat> or maybe that was stage 1
14:40 < realazthat> but things never get done on time :P
14:40 < realazthat> petertodd: mmm I asked eli if he could join us in IRC
14:40 < realazthat> PS. if you have time to answer more questions, I would love to chat with you and/or other people knowledgeable/interested about the project on IRC. Several interested people hang out on the freenode network in #bitcoin-dev and #bitcoin-wizards.
14:40 < realazthat> eli: I would be happy to hang out some time with some of my collaborators, how does this work?
14:41 < realazthat> but it seems like he wants a one-time thing
14:41 < realazthat> so I am thinking what the best medium for that is
14:41 < realazthat> #bitcoin-dev Q&A time?
14:41 < realazthat> forums?
14:41 < realazthat> ML?
14:41 < realazthat> I am not really involved in the community
14:41 < realazthat> so I don't know ..
14:43 < realazthat> I guess I could mail him asking him to sign up on the ML and introduce himself
14:43 < realazthat> and point him to the channels in the meantime
14:43 < realazthat> and tell him I'd get back to him about a possible set time
14:43 < realazthat> for a Q&A
14:44 < realazthat> if someone is active on the forums, maybe we can collect questions
14:44 < realazthat> or have a question thread
14:44 < realazthat> dunno if they do this type of thing on the forums
14:47 < realazthat> mmm should I point the webchat client to #bitcoin-dev or #bitcoin-wizards
14:49 < gmaxwell> there is a webchat on the bitcoin.org site that points to bitcoin-dev.
14:56 < realazthat> sent
15:19 < petertodd> realazthat: cool
15:24 < petertodd> Thinking about incentives re: proof-of-sacrifice (PoS) blockchains. Seems to me that the incentive for others to extend your view of history is good enough that people will both keep copies of the chain data, as well as calculate accurate k:v set (UTXO equiv) proofs.
15:25 < petertodd> It doesn't quite feel right though... Making a proof-of-sacrifice block is something you only do occasionally - there isn't any capital involved basically.
15:26 * Luke-Jr suggests PoX for proof-of-sacrifice :P
15:26 < Luke-Jr> as in x.x
15:26 < petertodd> Lol, alright, agreed.
15:27 < petertodd> The other nasty issue is that it's really hard to figure out good incentives not to just spam blocks. You can try to make your sacrifice worth less if it's associated with more data, but that leads to nasty edge cases like a big sacrifice for no data at all.
15:30 < petertodd> On the other hand, I'd argue it's a lot more stable than namecoin, which at any point in time could die due to lack of interest, especially given the huge speculation that its currency has attracted.
15:32 < petertodd> Having said that, re: data size one nice thing you can do is for the DHT layer or whatever with the actual data the people volunteering their bandwidth have an easy way to filter spam by looking at sacrifice size.
15:33 < petertodd> (remember that PoX is for determining *what* is the valid value for a given key, it doesn't actually have to be associated with storing that value)
15:34 < realazthat> hmmm
15:34 < realazthat> how would namecoin die
15:34 < realazthat> (side interest)
15:34 < realazthat> does it not have merged mining?
15:35 < petertodd> pools turning off merge mining, and someone being an asshole. Running namecoind isn't free.
15:35 < petertodd> Eligius turned off namecoin merge mining a few months back for instance.
15:35 < realazthat> mm
15:36 < realazthat> I was thinking of what merged mining would mean for my SCIP PoW chain idea
15:36 < realazthat> ie. how to take advantage of merged mining
15:36 < realazthat> or,
15:37 < realazthat> how to merge mine in between two such chains
15:37 < realazthat> I have some ideas ...
15:37 < petertodd> Why would SCIP PoW with merge mining be special anyway?
15:38 < realazthat> well
15:39 < realazthat> by SCIP PoW, I mean that mining itself is any useful/non-useful program that the blockchain would run, and use SCIP to prove that the miners are actually doing the work
15:39 < realazthat> so essentially, miners doing something other than hashing
15:40 < realazthat> thus, you can't use hash-mining from bitcoin chain to this chain
15:40 < realazthat> it is simply not the same
15:40 < petertodd> right, and see, that's the thing, because it's not probabilistic a dead simple rule for the merge-mined chain is just "see this merkle path? notice how it leads to a valid PoW in the master chain?" problem solved
15:41 < realazthat> yeah
15:41 < realazthat> so my idea is to work the other way around
15:41 < realazthat> there are two ways to win the lottery
15:42 < petertodd> oh, mind, yeah, mining does need to stay probabilistic...
15:42 < realazthat> 1. you do the work from this chain, and have chance(s) to win
15:42 < realazthat> 2. or you can win in the traditional way
22:19 < brisque> oh, coinbase have changed their responsible disclosure policy. it's now minimum $1000 rather than 5BTC. guess they got bitten by the exchange rate.
22:19 < gmaxwell> (it was at a time when mtgox was having problems, and I transferred from mtgox to coinbase, .. and mtgox made a conflicting doublespend... so not only did I withdraw unconfirmed coins, I did so at a time when .. if things confirmed in a different order it would have ripped them off)
22:19 < gmaxwell> ... to the tune of something like $30,000.
22:19 < gmaxwell> (I wasn't aware of the second mtgox payment... lol.. or I wouldn't have done something so potentially confusable as an attempt at theft!)
22:20 < brisque> either way, lucky you found it rather than somebody who would have exploited it.
22:20 < gmaxwell> in any case, if you look around you can find horrifying stories about almost every bitcoin service.
22:21 < gmaxwell> brisque: Well, maybe that's what the VC money is for: to cover hemorrhaging money from failures like that. :P
22:21 < gmaxwell> BTC-e has had some really severe money loss events and somehow keeps on trucking.
22:22 < brisque> fractional reserve?
22:22 < gmaxwell> maybe!
22:22 < gmaxwell> e.g. someone figured out how to impersonate the liberty reserve deposit callback and then gave themselves infinite btc-e USD.
22:22 < gmaxwell> and then bought up and withdrew all coins that appeared in the btc-e hotwallet.
22:22 < gmaxwell> ... for something like 12 hours.
22:23 < gmaxwell> btc-e price per bitcoin went to >$100 (when btc had been at like $10 or something) and so lots of idiots deposited more coin.
22:24 < brisque> you'd think a service like that would have some sort of checks and balances that sees someone with unlikely situations and freezes the site until it can be verified. better that than losing out.
22:24 < gmaxwell> mtgox now does some of that, though I think probably not enough.
22:25 < gmaxwell> at least these things should freeze deposits and withdrawals... anything purely internal can at least be made right later.
22:25 < gmaxwell> But I suspect that the pretty good incomes from running the sites coupled with fractional reserve can make up for a lot of mistakes.
22:26 < brisque> until there's a bank run, and then they're completely high and dry
22:27 < gmaxwell> Failure is always an option.
22:28 < gmaxwell> I'm not aware of a _single_ major bitcoin business operator who has faced _civil_, much less criminal, charges for their default.
22:28 < pigeons> i guess calling trendon sahvors/pirate@40 a business operator would be a stretch
22:29 < phantomcircuit> gmaxwell, er
22:29 * phantomcircuit raises hand
22:29 < gmaxwell> okay, fair, I'd even include that since a lot of people did think it was real. (::facepalm::) has he actually suffered any consequences for it?
22:30 < pigeons> he got a default judgement by the sec cause he stopped responding to the court
22:30 < phantomcircuit> oh charges
22:30 < phantomcircuit> didn't see that
22:30 < gmaxwell> phantomcircuit: well I'm not counting bitcoinica because the actual owner and responsible party dropped the bag of shit in someone else's lap!
22:30 < pigeons> and now the fbi is finishing their investigation
22:30 < phantomcircuit> gmaxwell, charges usually refers to government action also
22:30 < phantomcircuit> gov can take civil action which i believe is what they did against shavers
22:31 < phantomcircuit> or however the fuck you spell his name
22:31 < pigeons> these are the shavers docs. http://ia800904.us.archive.org/35/items/gov.uscourts.txed.146063/
22:31 < gmaxwell> that's what they did against him, yea.
22:31 < pigeons> yes and i hear criminal is coming soon against shavers
22:31 < brisque> the point being that even under the most abstract failure, most sites simply disappear when something goes wrong.
22:31 < phantomcircuit> so looks like hashfast isn't going to delivery
22:31 < phantomcircuit> deliver*
22:31 < gmaxwell> phantomcircuit: nope, they're not.
22:31 < pigeons> not only do they disappear, they reopen using the same identity
22:32 < gmaxwell> They've also announced that they aren't planning to honor their original commitments to refunds.
22:32 < pigeons> coinjar.io
22:32 < brisque> I enjoyed the inputs.io thread particularly. by the looks of things all the "security" advertised either didn't work or didn't even exist in the first place.
22:32 < phantomcircuit> i actually knew this like two weeks ago
22:32 < phantomcircuit> but i find it amusing watching people find out they're fucked
22:32 < gmaxwell> I'm trying to figure out what I'm going to do about that, as I have two orders with them, along with email correspondence confirming that their refund commitment was to refund the full amount of BTC paid.
22:32 < gmaxwell> The problem, of course, is that if I sue them they'll just bankrupt themselves defending it, and there will be nothing to recover.
22:33 < brisque> they'll end up delivering something I assume
22:33 < phantomcircuit> gmaxwell, my guess is they dont have the capital to do a full production run and were delaying hoping to get enough new orders to do the run
22:33 < phantomcircuit> they didn't hit the target and are now completely screwed
22:33 < phantomcircuit> this is of course fraud
22:34 < phantomcircuit> gmaxwell, it's likely criminal
22:34 < phantomcircuit> but i doubt it's worth anybody's time to pursue
22:34 < brisque> is a poor lack of judgement criminal?
22:34 < gmaxwell> brisque: yea, but at this point it's so late that anything they deliver will be a massive loss. To entice batch 1 customers they initially claimed target shipment on Oct 20th, and a full refund of the BTC amount paid if they don't make dec 31st.
22:34 < gmaxwell> brisque: It's become pretty hard to believe that they ever thought they could deliver on what they promised.
22:35 < phantomcircuit> gmaxwell, fun fact hashfast was trying to sell chips in bulk recently
22:35 < phantomcircuit> possibly they have the chips but they dont work
22:35 < phantomcircuit> or they cant put them on boards
22:35 < phantomcircuit> or they cant get components
22:35 < phantomcircuit> or ???
22:35 < gmaxwell> they have some demo videos now actually showing a test unit hashing,
22:35 < brisque> gmaxwell: from what I've read it looks like they underestimated the complexity, underestimated the power draw (needing new power supplies), and burnt all their funds trying to rectify it all.
22:35 < gmaxwell> and I believe that it's real (esp since one of the people in #eligius went to visit them and saw it)
22:36 < gmaxwell> brisque: nah, their power was on target (you might have been duped by someone's joke post... which was sadly a little too believable)
22:36 < gmaxwell> this is the epic timeline post: https://bitcointalk.org/index.php?topic=391251.0
22:37 < brisque> gmaxwell: I wasn't duped by that post, there's a hashfast comment that they needed to order new PCB designs of a new revision.
22:37 < gmaxwell> brisque: oh that, yea, I assumed it was just a design error.
22:37 < phantomcircuit> gmaxwell, they might have the chips
22:37 < phantomcircuit> which i assume they could sell
22:37 < phantomcircuit> so possibly bankruptcy would actually be useful
22:38 < phantomcircuit> but there is no way they can actually refund people in btc
22:38 < Luke-Jr> phantomcircuit: yes there is
22:38 < brisque> hashfast's design is useless anyway. it's cheaper to just buy other designs at this point.
22:38 < phantomcircuit> Luke-Jr, if they kept the btc?
22:38 < Luke-Jr> phantomcircuit: exactly
22:38 < gmaxwell> phantomcircuit: it actually appears that they did though it's hard to be sure.
22:39 < brisque> Luke-Jr: isn't there a comment about them using Bitpay, which would go to USD instantly?
22:39 < gmaxwell> brisque: they took both direct payments and bitpay, and bitpay lets the merchant choose.
22:39 < Luke-Jr> brisque: BitPay offers that *option*, but it isn't required
22:39 < phantomcircuit> gmaxwell, huh interesting
22:39 < brisque> Luke-Jr: I wasn't aware of that, interesting
22:40 < gmaxwell> the other fucked up thing is that they're claiming that you have only 15 days to request a refund, which they'll just refund a tiny fraction of the BTC paid (and a bit less than half of what you could expect to mine if they ship early january), and if you don't elect a refund in that window you can't have one.
22:41 < gmaxwell> so it looks like an optimal (scummy) strategy for them is to just build the boxes and start mining and say fuck you to everyone who doesn't refund until march.
22:41 < gmaxwell> so you either lock in an 86% loss by refunding, or take a risk that they'll do something shitty like that.
22:41 < brisque> I suppose they messed up and they're quite afraid of the consequences. I don't blame them for acting irrationally.
22:43 < gmaxwell> brisque: yea, though part of the issue is that no one has yet proposed a conceivable explanation for their actions which doesn't involve fraud.
22:43 < gmaxwell> e.g. messing up doesn't explain why they were saying they were on time just a few days before they missed their original oct 20 target, and yet it turns out they didn't get anything from the fab until mid dec.
22:44 < gmaxwell> I guess the most charitable explanation I can come up with is the one phantomcircuit mentioned that they didn't raise enough money for the fab run until fairly late... but that still involves them lying about their schedule continually since november.
22:44 < brisque> gmaxwell: I can certainly relate to them from reading that timeline. you mess up a little and tell yourself that it will be alright, you can save face if you just pretend you don't make it clear. things crumble under them and they've just got to keep continuing on so as to not admit they lied in the first place.
22:45 < brisque> it's schoolchildren mentality, but there you go.
23:20 < warren> I trust you will just delete it when you're done? It might be one of my live keys.
23:20 < warren> sipa: where's your GPG keyid?
23:21 < sipa> bitcoin.org/pieterwuille.asc
23:21 < sipa> 1DAAC974
23:21 < sipa> wait
23:22 < sipa> i don't have my private gpg key here
23:22 < sipa> warren: would you trust scp'ing it to my vps?
23:23 < sipa> (bitcoin.sipa.be)
23:23 < warren> do you have the ssh pubkey that you gave me a few days ago?
23:23 < warren> I can put it in the same place you logged in earlier
23:23 < sipa> i have that one, yes
23:24 < warren> ok
23:24 < sipa> and yes, i promise to delete it after use
23:25 < warren> It's been years since ccache screwed up on me.
23:29 < sipa> warren: interesting, i didn't know that was permitted!
23:29 < sipa> i see why it fails
23:29 < warren> sipa: see ~/protocol.patch for the difference in address
23:29 < sipa> the private key starts with a 0x00, which is omitted
23:30 < warren> This has nothing to do with this?
23:30 < warren> - PUBKEY_ADDRESS = 0,
23:30 < warren> + PUBKEY_ADDRESS = 48, // Litecoin addresses start with L
23:32 < warren> but yeah, the vast majority of keys work just fine with secp256k1. we've only found offending keys in old wallets.
23:32 < warren> sipa: are you able to tell which address is associated with that key?
23:33 < sipa> warren: i don't need to
23:33 < warren> I'm just curious.
23:33 < sipa> warren: i've just pushed a (potential) fix to secp256k1 repo
23:34 < warren> ok, i'll try it
23:34 < warren> sipa: just for my own education, I'd like to learn how to decode that dump
23:35 < sipa> http://lapo.it/asn1js/ :p
23:38 < warren> thanks
23:51 < gmaxwell> sipa: how could one of our own private keys end up starting with 0x00?!
23:51 < sipa> gmaxwell: ?
23:51 < gmaxwell> did openssl pad it?
23:51 < sipa> i mean in 32-byte notation it starts with a 0x00
23:52 < gmaxwell> oh. I see. the test was too aggressive and didn't like it when it had less than 32 significant bytes. So about a 1/256 chance of happening.
23:54 < sipa> well, my ASN.1 deserializer is quite hacky and ad-hoc
23:54 < sipa> i somehow assumed it always dumped a 32-byte octet string
23:54 < sipa> but apparently not
23:54 < sipa> indeed, 1/256 chance to fail
23:55 < gmaxwell> you mean you didn't memorize the 500 whatever pages of ASN.1 specification first?!
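Review bot: the two-line hunk warren pastes (`- PUBKEY_ADDRESS = 0,` / `+ PUBKEY_ADDRESS = 48, // Litecoin addresses start with L`) only changes the address version prefix, which per its own comment affects how addresses are rendered, so it cannot be the cause of the failure sipa diagnoses: the private key whose 32-byte form begins with 0x00 is mis-handled by the ASN.1 deserializer that assumed a fixed 32-byte octet string from OpenSSL. The fix and its regression test belong in the secp256k1 key decoding, with a test key whose leading byte is 0x00 (the privkey-of-2 case gmaxwell suggests covers this), and the PUBKEY_ADDRESS change should be left out of that test.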
23:55 < sipa> i actually read the relevant section when implementing it
23:56 < sipa> but that doesn't prevent making an incorrect assumption about how openssl represents things
23:57 < warren> The offending key was in my reserve keys.
23:57 < warren> so I can just delete it
23:57 < warren> sipa: want to add it to a test case?
23:58 < gmaxwell> should just add a privkey of 2 as a test.
23:59 < sipa> warren: but does it work now?
23:59 < sipa> i didn't test the patch before pushing it :p
23:59 < warren> testing now. I spent all that time learning how to decode and figure out which key it was.
--- Log closed Fri May 24 00:00:19 2013
--- Log opened Fri May 24 00:00:19 2013
00:00 < sipa> (also, you _did_ check that site does the decoding locally before pasting a private key in it, did you?) :p
00:00 < warren> I copied the site to an offline browser
00:01 < warren> but I ended up adding more debug code to just tell me which key it was
00:01 < sipa> hehe
00:01 < warren> the client loaded without any wallet error
00:01 < sipa> \o/
00:01 < warren> that isn't proof of 'working'. just the error is gone
00:02 < warren> want the entire pubkey and privkey for a test case? It was a reserve key I can just delete.
00:02 < gmaxwell> sipa: maximum privkey and minimum privkey, would probably be reasonable tests to have.
00:02 < sipa> i always like this blog post (by roconnor!), when i don't really test code before pushing :p
00:02 < sipa> http://r6.ca/blog/20120708T122219Z.html
00:02 < gmaxwell> I wonder if there is any bitcoin assigned to the minimum privkey
00:03 < sipa> you mean 1?
00:04 < warren> ok, I guess not
00:04 < gmaxwell> I wasn't sure if openssl would permit 1.
00:04 < sipa> it should
00:07 < warren> sipa: want me to release the litecoin beta with secp256k1 and see what happens? =)
00:08 < warren> release both openssl and secp256k1. "Uh... if this faster one blows up, use the other one."
00:09 < sipa> if you don't mind being a guinea pig :)
00:09 < warren> I don't mind. They're the guinea pigs. I'm just the guy who likes shiny stuff.
00:10 < sipa> you understand they may come after you with pitchforks? :
00:10 < warren> what's the worst that can happen? =)
00:10 < sipa> you
00:11 < sipa> slowly dying
00:11 < sipa> after being tortured
00:12 < warren> Giant disclaimer: The secp256k1 build is probably faster. It might do bad things and lose all your money. We don't know. Use at your own risk.
00:12 < warren> how else will you find other corner cases?
00:12 < sipa> have it in giant red flashing marquee scroll across the screen, and you're good :p
00:13 < sipa> i'm not really afraid of corner cases hit by regular usage
00:13 < sipa> i'm afraid of a genius hacker that finds a way to trigger edge cases
00:13 < warren> https://github.com/bitcoin/bitcoin/pull/2688 hmm, why didn't this go into rc2?
00:13 < warren> errr, rc3
00:14 < sipa> it was detected right after rc2 was tagged
00:14 < sipa> there is no rc3 yet
00:15 < warren> ok, I'll rebase onto rc2 and see if I can figure out the looping addrman thing.
00:15 < sipa> addrman has nothing to do with it
00:15 < sipa> it's just the only thing that happens to not be affected :
00:17 < warren> sipa: "genius hacker that finds a way to trigger edge cases" what parts are you worried about? new keys generated by secp256k1?
00:18 < warren> I would imagine most cases of the client crashing are not really to worry about.
00:28 < gmaxwell> http://blockexplorer.com/address/1FYMZEHnszCHKTBdFZ2DLrUuk3dGwYKQxh :-/
00:30 < warren> what's the issue?
00:30 < gmaxwell> that's a privkey of 0
00:33 < gmaxwell> 0.32351356 assigned to 1 but gone now, 0.13 assigned to 1 compressed and gone. 0.0000384 to 2 uncompressed but spent. just recently..
00:38 < midnightmagic> lol is it a race to spend it now?
00:40 < gmaxwell> no 0 can't be spent.
00:40 < midnightmagic> Oh. That sucks. Why not?
00:40 < midnightmagic> Because it can't be multiplied.
00:41 < midnightmagic> Nevermind.
00:41 < warren> should bitcoin have a built-in limit that warns users away from small keys?
00:46 < zooko> We can't detect all guessable keys, but we could detect 0.
00:46 < zooko> "Check for 0" is actually a prophylactic practice that some crypto engineers have long used.
00:47 < zooko> Or more generally, check for invalid...
00:47 < gmaxwell> zooko: We do do that.
00:48 < gmaxwell> it's not a valid EC point, it won't be generated. That's just someone being a clown there.
00:49 < sipa> technicaloty: it is a valid EC point, just not valid as a public key
00:50 < sipa> a technicaloty is like a technicality, but a lot more pedantic
00:51 < sipa> warren: i'm afraid that some of the field/group code has very unlikely overflows or other edge cases, which won't occur for random keys/messages/nonces, but perhaps do happen for constructable inputs
00:52 < sipa> warren: which would be enough to cause a chain fork in that case
00:52 < sipa> or theft
00:52 < warren> If I understand that correctly, the risk of chain fork is nil if no miners use it?
00:52 < gmaxwell> otoh sipa's code may now be more tested than some of the in production ECC code out there but as we know, consistency matters more than correctness. :)
00:53 < warren> I could rip out getwork and GBT from the secp256k1 builds =)
01:01 < sipa> warren: if everyone but miners use it, there is just as much a problem
01:41 < sipa> gmaxwell: well, there are 8 config combinations possible...
01:42 < gmaxwell> Hm?
01:42 < sipa> 4 field implementations, 2 scalar implementations
01:44 < gmaxwell> oh of your code, indeed.
03:22 < warren> sipa: http://pastebin.com/tw3RgHGj thread apply all bt full during the shutdown looping
03:22 < warren> sipa: this is litecoin-0.8.2rc2. Let me know if you insist on me getting this from bitcoin-0.8.2rc2, and if all the debuginfo would be needed.
03:25 < sipa> hmm nothing suspicious
03:25 < warren> crap
03:26 < warren> gmaxwell: I'm still getting the assertion failure at shutdown with gavin's patch
03:26 < warren> I'm trying a gitian build to see if both bugs are present there.
03:29 < warren> hmm, my issue seems to be a different assertion failure
03:31 < gmaxwell> _what_ assertion?
03:33 < gmaxwell> ah, you put it in the bug.
03:33 < gmaxwell> (should have put it on the patch :P )
03:34 < gmaxwell> warren: trigger it in valgrind, may get a more informative result on _which_ place it's failing.
03:35 < warren> haven't used valgrind in years. you need to run entirely within valgrind, you can't attach like gdb?
03:37 < gmaxwell> right. valgrind ./bitcoind -daemon=0 it's slow.. watch the log. ... and ... uh. you really should be familiar with it, it will save your bacon.
03:39 < warren> how do I stop it during the loop to dump the state?
04:33 < warren> gmaxwell: oh, misunderstood you. I thought you meant valgrind for the shutdown loop forever issue. I see you mean the assertion.
15:56 < warren> gmaxwell: the shutdown hang seems to be limited to bitcoin-qt, and only my fedora native build, not gitian
15:56 < warren> jgarzik: hey
15:57 < gmaxwell> warren: your bug says the gitian hangs too?
15:57 * jgarzik waves
15:58 < warren> argh
15:58 < warren> gmaxwell: I'm mixing up the bugs again. just woke up.
15:58 < warren> gmaxwell: the assertion failure is fedora specific. the hang is both.
15:58 * jgarzik waves at warren. Thanks for the openssl attention. Now I need several hours to debug EFI ;p
15:59 < warren> jgarzik: let me know if you want openssl for Fedora 19
16:19 < maaku_> jtimon: iirc his proposal is to have script execution paid for in fees
16:19 < jtimon> is that it is protected through fees
16:19 < jtimon> yes
16:19 < maaku_> but if the script is invalidated by running too long, then how does the miner collect the fees?
16:19 < maaku_> *transaction is invalidated by the script running too long
16:20 < jtimon> you're paying fees as it is executed, so the execution is somehow "in-chain"
16:20 < jtimon> maybe the scripts are executed in several blocks
16:20 < jtimon> and only a max instructions per block is executed
16:20 < maaku_> then how do you reach consensus on it?
16:21 < jtimon> that was my thought at the time, but doesn't look very scalable
16:21 < maaku_> you bloat the chain with invalid transactions that steal a little bit of fees from its inputs nonetheless?
16:21 < jtimon> because everyone executes the number of transactions that can be paid or the max_per_block (if there's any)
16:22 < jtimon> as said, it doesn't look very scalable at a first glance
16:22 < gmaxwell> maaku_: they move the execution construct out of the transaction and make it free standing.
16:22 < jtimon> I guess he has solved TC by fees in a non-scalable way
16:23 < gmaxwell> e.g. you have an object that has a balance which it can use to pay for execution.
16:23 < gmaxwell> it stops executing when its balance is 0.
16:23 < gmaxwell> to create it at all requires positive fees.
16:23 < maaku_> so it's a distributed-replicated time-share system?
16:23 < gmaxwell> this isn't to say that any of it is good or makes any sense.
16:24 < gmaxwell> the fees are paying the wrong people... unless you convert mining to be a proof of agent execution. :P
16:24 < jtimon> and I hadn't even considered problems related to script-consensus
16:25 < jtimon> exactly miners will get fees, but the rest of validators will be screwed for nothing
16:25 < jtimon> is that what you're saying gmaxwell?
16:25 < gmaxwell> yes.
16:27 < jtimon> so let's go back to compressed scripts
16:28 < jtimon> you could have a list of addresses Lk
16:28 < jtimon> scriptPubKey only contains its hash
16:29 < jtimon> with a byte or a short, you can select the order in which the scripts in Lk will appear
16:30 < jtimon> the Lk is 64 bit per variable
16:31 < jtimon> then you can have a list of lists OR_list
16:32 < jtimon> each of the lists is named AND_list_n
16:33 < jtimon> and you have another byte to select n
16:33 < jtimon> scriptPubKey contains a hash of Or_list + Lk
16:34 < jtimon> the AND list just contains bytes referring to scripts in Lk
16:34 < jtimon> indexing
16:35 < jtimon> so the public keys can be presented in any order selected by order_byte
16:35 < jtimon> of the list Lk
16:36 < jtimon> to sign the AND list selected by logic_byte
16:38 < jtimon> there's plenty of redundancy to optimize here, I'm just using bytes for convenience
16:39 < jtimon> not redundancy, unused bits
16:40 < jtimon> well, I'll think more about this until I can express it in a way that can make sense or that helps me find the deficiency by myself
22:09 < jgarzik> bitcoin's scripts are "written in a programming language called Script"
22:09 < jgarzik> http://theumlaut.com/2014/01/08/bitcoin-internet-of-money/
22:10 < jgarzik> pretty good article though
22:32 < Luke-Jr> jgarzik: I'd concur with that statement.. :P
23:53 < maaku_> jgarzik: if that's the grossest error they made, i'd say that's doing pretty well :)
23:59 < phantomcircuit> lol
--- Log closed Fri Jan 10 00:00:20 2014
--- Log opened Fri Jan 10 00:00:20 2014
00:02 < Luke-Jr> maaku_: what error?
00:03 < Luke-Jr> that statement quoted is essentially correct
00:04 < maaku_> which is why i said it's pretty minor
00:04 < maaku_> more like bytecode than a programming language (which implies compilation)
00:05 < maaku_> and i don't know anyone who calls it Script with a capital S
00:05 < Luke-Jr> meh, we have an assembly-like form :P
00:05 < Luke-Jr> maaku_: it's not that uncommon
00:13 < justanotheruser> What do you guys recommend as a proof of sacrifice? Hashcash is more anonymous, but it doesn't work well (someone with a powerful hashing machine/GPU could make a ton of messages) and OP_RETURN associates the sacrifice with you to some extent and removes anonymity. Is there any way I can get the best of both worlds?
00:16 < gmaxwell> justanotheruser: depends on the application, if you'd really be willing to use hashcash, perhaps mine.
00:18 < justanotheruser> gmaxwell: perhaps mine? What do you mean by that. I wouldn't want to use hashcash if it allowed people with special hardware to spam the network with as much electricity spent as a regular CPU user.
00:18 < justanotheruser> Application is bitmessage fork that isn't vulnerable to the problem I just described
00:20 < gmaxwell> justanotheruser: zero knowledge proof of a bitcoin sacrifice using pinocchio.
00:21 < justanotheruser> gmaxwell: is that bleeding edge crypto?
00:22 < gmaxwell> yea? so. and a flooding messaging system isn't? the harm of someone breaking it is they can flood your system, whoopiedo.
00:23 < justanotheruser> gmaxwell: I was just curious if there were any other applications in use, or if it was just knowledge from research papers
00:23 < gmaxwell> justanotheruser: I suggested pinocchio because you can go download an implementation.
00:25 < justanotheruser> gmaxwell: where would I find this? Every top google result is research papers and news
00:26 < gmaxwell> https://vc.codeplex.com/
00:26 < justanotheruser> gmaxwell: thanks a lot
00:26 < gmaxwell> They've annoyingly ripped out the pairing library so one will need to be patched back in.
00:27 < gmaxwell> justanotheruser: in any case, I think bitmessage pow would be a great application for this.
00:30 < justanotheruser> gmaxwell: of course your anonymity is limited to the recent proof of burns
00:30 < justanotheruser> right?
00:32 < gmaxwell> you make a sacrifice that contains X=H(random_value) and then to send a message you prove X is in a sacrifice of value >= Z in bitcoin (by evaluating a SPV proof for the transaction), and random_value is the preimage of X, and that Q=H(random_value||date||hour), and that R=H(random_value||pubkey). And you show the network the proof and Q,R,pubkey and sign your message with the pubkey.
00:32 < gmaxwell> you basically can get a new anonymous identity from each of your sacrifices once an hour, and then send however many messages the network will let you per identity (maybe just 1)
00:33 < gmaxwell> next hour you redo the proof with a new pubkey, and you have a new anonymous identity.
00:33 < gmaxwell> and you don't have to keep redoing sacrifices.
00:34 < gmaxwell> (unless you wanted to require that)
00:34 < justanotheruser> pubkey is separate from the pubkey I used to make the PoB right?
00:35 < gmaxwell> you wouldn't even need a ecdsa pubkey in the PoB, effectively H(random_value) is a pubkey in the proof of burn.
00:35 < justanotheruser> oh
00:35 < gmaxwell> You don't want to run ecdsa inside the zkp because its @#$@ expensive. Where running a hash inside the proof is more realistic.
00:35 < justanotheruser> what I mean by that is I use a pubkey to spend the output to OP_RETURN
00:36 < gmaxwell> yea, thats irrelevant. youd put H(random_value) in the OP_RETURN and the only thing the proof would look at is the txout value and H(random_value).
00:36 < justanotheruser> if that is the correct terminology, not sure what else you would call spending a transaction to something that always returns false
00:37 < justanotheruser> gmaxwell: I will be able to write stuff in OP_RETURN in v.9 right?
00:37 < gmaxwell> I'd say that even better than a sacrifice would just be proving that you have possession of a bitcoin, but to do that you'd have to do a ecdsa signature inside the proof, and that would kinda suck.
00:37 < Luke-Jr> justanotheruser: no
00:38 < justanotheruser> gmaxwell: I don't see how proving you have bitcoins would help in the future when everyone might be transacting bitcoins
00:38 < justanotheruser> Luke-Jr: whenever the miners vote on it?
00:38 < Luke-Jr> justanotheruser: hopefully never
00:38 < gmaxwell> wtf. there is no "miners vote on it"
00:38 < Luke-Jr> and there will never be an interface to do it in any sane client
00:38 < gmaxwell> as of right now in git bitcoin allows data in OP_RETURN though given what people are saying I hope we back that out.
00:39 < gmaxwell> or at least cut it back to 32 bytes.
00:39 < justanotheruser> gmaxwell: I thought miners voted on whether or not they would mine a certain tx type and if a certain amount said yes it would be implemented and the miners would start mining it
00:39 < gmaxwell> justanotheruser: no.
00:39 < gmaxwell> dunno where the heck you got that idea!
00:39 < justanotheruser> gmaxwell: some other fork I remember miners including their votes in their blocks
00:40 < justanotheruser> maybe it's because that was a hardfork?
00:40 < Luke-Jr> there's no fork going on
00:40 < Luke-Jr> at all
00:40 < gmaxwell> why are you talking about forks?
00:40 < justanotheruser> gmaxwell: Well isn't OP_RETURN <data> an invalid tx?
00:40 < Luke-Jr> no
00:40 < gmaxwell> No.
00:40 < Luke-Jr> just a useless, spam tx
00:40 < justanotheruser> oh, well that's where I was getting that idea from
00:40 < gmaxwell> it's just not IsStandard
00:42 < justanotheruser> "So, with some reluctance, I recently merged Relay OP_RETURN data TxOut as standard transaction type.
00:42 < justanotheruser> So will it be standard in .9?
00:42 < Luke-Jr> hopefully not
00:43 < justanotheruser> gmaxwell: also, how is it a sacrifice to prove you possess bitcoins?
00:43 < gmaxwell> 21:38 < gmaxwell> as of right now in git bitcoin allows data in OP_RETURN though given what people are saying I hope we back that out.
00:43 < justanotheruser> gmaxwell: oh, I missed that
17:43 < sipa> TD: people would not consider key hashes to be "addresses" or things that hold a balance
17:43 < TD> i see
17:44 < TD> well, addresses became dominant for a reason ...
17:44 < sipa> pay-to-IP was obviously broken
17:45 < TD> in lots of ways
17:45 < sipa> but replacing them by static addresses was the easy way out, and i really wish it would have been replaced by a payment-protocol like system back then
17:46 < TD> it was broken because the person you were wanting to send money to would often be offline
17:46 < TD> that's the reason i remember for not using it, when i first used bitcoin 0.1
17:47 < TD> and you wouldn't know their IP anyway. it wasn't a stable identity whereas an address was
17:47 < sipa> yeah, forcing an intermediary for transactions between end-users isn't the best thing either
17:47 < TD> anyway addresses do have a balance. it's the sum of the unspent outputs with scripts that pay to that key hash :)
17:47 < sipa> of course they do
17:48 < sipa> but thinking about it that way pretty much immediately leads to key reuse
17:48 < TD> key re-use happens for technical reasons. i don't think it's so much a conceptual issue for end users
17:48 < sipa> i think it is
17:48 < sipa> people think about it as "their address"
17:49 < sipa> rather than "some key in their wallet"
17:49 < adam3us> TD: its a complex concept that your address is authorized to move a tx out and not the balance on the address
17:49 < TD> mostly it doesn't matter
17:49 < sipa> i think it does
17:49 < TD> once the payment protocol is more widely implemented we just need a pastebin type site
17:50 < TD> and then people can have "pay.to/sipa" as their ID instead. all the site has to do is pop a payreq off a queue and serve it
17:50 < sipa> right, and it can work with deterministic wallets
17:50 < TD> minimal infra required, should be a competitive marketplace
17:50 < TD> yeah
17:50 < sipa> that's still forcing an intermediary, but indeed, i think it's a nice solution
17:50 < sipa> it's still simple enough to run your own if you want to
17:51 < sipa> the only question is to what extent the payment protocol will take off, now that people are already trained to think of base58 strings as wallets :)
17:51 < adam3us> sipa: it would be nicer if the sender randomized the recipients address, and encrypted the randomization factor for their public key, as you could do that even from a static web site, email, newspaper qr
17:51 < sipa> adam3us: yup
17:51 < adam3us> sipa: however its more costly to scan for
17:52 < sipa> it means you need to be told about incoming payments
17:52 < sipa> and imho, that's a good thing, but very different from how things work now
17:52 < adam3us> removes need for chaincode, counter, address pool
17:52 < sipa> it's still a privacy problem: everyone can see your transactions
17:53 < adam3us> maybe there's a way to do a bloom filter on it
17:53 < adam3us> sipa: no cos its encrypted
17:53 < sipa> oh right
17:53 < TD> or the wallet app can just upload a bunch of files
17:53 < TD> simple > complicated
17:53 < adam3us> sipa: i mean a variant of bip 38 where Q'=xG+q and E(x) for recipient
17:53 < sipa> adam3us: yeah, i think ByteCode came up with something like that a long time ago
17:53 < sipa> *ByteCoin
17:53 < sipa> loi
17:54 < adam3us> sipa: yes gmaxwell mentioned that we were talking about it yday
17:54 < gmaxwell> 13:22 < gmaxwell> I know, bytecoin proposed exactly that a long time ago.
17:54 < gmaxwell> 13:28 < gmaxwell> adam3us: also, your scheme requires the receiver have an online decryption key to identify their own transactions. (so did bytecoins)
17:54 < adam3us> the missing thing is an efficient privacy preserving way to ask a full node to give you transactions
17:54 < gmaxwell> 13:29 < gmaxwell> Bytecoin's suggestion IIRC was that you include an extra random public key in your transaction. And then the key you payto is ECDH between the receivers private and your public, plus his public. This also gave you a nice identity for the sender of the transaction (the public key)
17:54 < gmaxwell> 13:32 < adam3us> gmaxwell: yes bytecoins seems similar and similar side effects.
17:55 < adam3us> (right, thanks for putting that backlog in for context!)
17:56 < adam3us> TD: well having to upload etc is complicated, if the crypto could be made to behave it could be very simple, and more convenient at user level & integrator level (no chain code, address pool, counter state to track etc)
17:56 < gmaxwell> (mostly I just continue to be amused by the apparent IRC substitutability of Sipa and I.)
17:56 < adam3us> the missing thing is an efficient privacy preserving way to ask a full node to give you transactions
17:57 < TD> uploading is simple. you already have to calculate a big pile of keys for lookahead with deterministic wallets. uploading to some pastebin service is like, 100 lines of code
17:57 < TD> it's a for loop
17:57 < TD> i mean i love fancy crypto but sometimes, it might be overkill
17:57 < adam3us> sure, but my newspaper article cant do that
17:57 < adam3us> or the qr code in the shop window etc
17:57 < TD> your newspaper article says, visit, pay.to/adam3us
17:57 < TD> ditto for the qrcode
17:58 < sipa> i think it's nice to have a mechanism that forces you to tell someone about the transaction
17:58 < gmaxwell> TD: and I am pay.to and I haz all the coins. :P
17:58 < sipa> as it means you can attach metadata to the transaction
17:58 < adam3us> TD: hmm boring ;)
17:58 < adam3us> sipa: it would be good to be able to send things to peers p2p
17:58 < adam3us> without full broadcast
17:59 < adam3us> sipa: maybe that couldve been the next step with auth
17:59 < sipa> you're reinventing pay-to-IP :D
17:59 < adam3us> sipa: yes but store and forward i mean with some redundancy, but not full; p2p email delivery
18:01 < adam3us> so cant one do attach some bloom bait to the outside of the encrypted/randomized addr to tag it up so you can ask an untrusted full node to give you your not directly linkable encrypted payment?
18:01 < midnightmagic> Sounds like Tor.
18:01 < adam3us> midnightmagic: no just to get a msg if the payer and the recipient are not online simultaneously
18:02 < midnightmagic> Hrm. Freenet then?
18:02 < gmaxwell> adam3us: in any case, another downside of the addition scheme is that its ecdsa centric. It doesn't work so well if your preferred payment script doesn't fit in a very narrow box, which is unfortunate.
18:02 < midnightmagic> I2PBote is an interesting anonymous mail mechanism in i2p-land.
18:03 < adam3us> midnightmagic: though bitcoin could do with some minimal tor like multi-hop tunneled link encryption - it can be dangerous to accept big bitcoins to geolocatable ip, people are logging ips looking out for this stuff
18:04 < adam3us> gmaxwell: yes its quite DL centric
18:04 < adam3us> gmaxwell: and actually you need the public key, which you do not currently have, just H(Q)
18:05 < midnightmagic> adam3us: I've taken to sendraw'ing all my txn through a tor-only node. b.i is blocked from my nodes, but dark many-connect siblings obviously aren't.
18:05 < gmaxwell> adam3us: yes, it requires another kind of address. but it would anyways, to indicate willingness.
18:05 < gmaxwell> adam3us: and perhaps key lifetime (do not use after x)
18:05 < gmaxwell> midnightmagic: it would be nice to get a list of those things.
18:05 < midnightmagic> gmaxwell: I agree!
18:06 < gmaxwell> midnightmagic: I've moved away from having ipv4 listeners or I'd offer to correlate with you.
18:06 < adam3us> midnightmagic: that was what i was referring to the dark-many connectors
18:06 < midnightmagic> hrm. IPv6 listeners. I'd forgotten about that as an option.
18:07 < gmaxwell> midnightmagic: my nodes are all either onion only or v4 outbound only + onion now.
18:08 < gmaxwell> I guess I need to fix that... annoying, I don't have stable v4 connectivity except at home and really don't want a public node running on that address.
18:08 < adam3us> oh BlueMatt mentioned that TD and/or gmaxwell had discussed a possibility for a multi-user extended variant of microtransaction channels
18:08 < adam3us> TD, gmaxwell: do tell - i thought that a potentially useful construct towards offchain
18:10 < TD> just making it work for the two party case is complicated enough, really
18:11 < gmaxwell> adam3us: there was a response on these lines in the coinswap thread. Coinswap and the micropayment stuff are highly related protocols.
18:11 < adam3us> gmaxwell: yes that occurred to me also (that they seem very related)
18:12 < adam3us> ok so you or someone commented on this topic on that thread... i'll look
18:13 < gmaxwell> In general once you go beyond two parties in one of these interlocked protocols it becomes really tricky to implement, just from a pure software engineering perspective.
18:14 < adam3us> (still very irritated by the wanton destructiveness of the forbes article "coin validation" company - sabotaging the hard won bitcoin fungibility which is a large and core part of its value)
18:18 < gmaxwell> adam3us: so, I did have another idea related to the bloombait.
18:19 < gmaxwell> adam3us: you make the bloombait small. So that when your lite client fetches a block it can just get a map of bait to index for all transactions with acceptable cost.
18:21 < adam3us> gmaxwell: yes that makes sense
18:22 < gmaxwell> adam3us: then you define an error correcting code that every node can code the block with, this logically expands the blocks. Now your client knows which indexes it needs for its transactions, and it can query N unrelated nodes for fractions of the block to retrieve the txn its interested in. With appropriate scheme the servers learn nothing about which transactions you're fetching if non-colluding.
18:22 < gmaxwell> (I guess thats "information theoretic private information retrieval")
13:15 < petertodd> jtimon: that's a market with very little depth to it
13:16 < jtimon> that depends on the issuers, aaa and bbb
13:16 < petertodd> jtimon: if the issuers are big, then you've got something that looks suspiciously like standard systems and the cancellation advantages of ripple don't apply, if the issuers are small, then you've got the network effect problems and it doesn't work
13:17 < jtimon> maaku why a miner should accept seq = 5 over seq = 3 if seq = 3 has a higher fee ?
13:17 < petertodd> jtimon: because TD and Gavin asked nicely
13:18 < jtimon> petertodd: if I'm the issuer of both aaa and bbb I can make that volume infinite no matter how small I am
13:18 < petertodd> jtimon: if you issued both, then they weren't two separate things
13:18 < jtimon> "jtimon: because TD and Gavin asked nicely" what did they ask?
13:19 < petertodd> the difference between aaaBTC and bbbBTC is that the issuer is different, and thus the default risk is different
13:19 < petertodd> jtimon: to not do "selfish" replace-by-fee of course
13:19 < maaku> jtimon: what if they have the same fee?
13:19 < jtimon> whatever system you had in mind to make "1 aaaBTC == 1 bbbBTC", it can be simulated with a market
13:19 < maaku> agreed that nseq is dangerous, but just pointing out the (only) application I know of which nseq handles but nothing else does
13:20 < petertodd> maaku: then you want to accept whatever has the lowest orphan risk, which is whatever you think everyone else accepted, modulo the fact that accepting updates uses precious bandwidth so why encourage that?
13:20 < jtimon> killerstorm said you can do that use case with multisig
13:20 < maaku> petertodd: true. then is there any other valid use for nseq?
13:20 < maaku> (still catching up to scrollback)
13:20 < petertodd> maaku: to fork alt implementations :P
13:21 < petertodd> maaku: nSeq is also the *only* user-settable field in a txin that is signed by the signature - an unfortunate limitation
13:21 < petertodd> maaku: useful for colored coins, as an example, as nSeq can be the mapping of colored input to output
13:21 < jtimon> killerstorm wants to use the unused nseq to put CC metadata instead of using OP
13:21 < jtimon> OP_RETURN
13:22 < petertodd> jtimon: yeah, I suggested that to him
13:22 < jtimon> but some people are telling them that the field will be re-enabled later
13:22 < jtimon> petertodd: yes, he said so in bitcoinX
13:22 < petertodd> so what? using it that way is compatible with transaction replacement in fact
13:23 < jtimon> he came here to ask about that
13:23 < jtimon> arguing against the security and the use case of nseq
13:23 < petertodd> well, just think about it: if nLockTime=0 and nSeq != max, the tx is final and nSeq irrelevant
13:23 < jtimon> so I concluded we could just remove it in freimarkets
13:23 < petertodd> (to the replacement code)
13:24 < jtimon> I see, so there's no contra at all for using them for CCs
13:25 < petertodd> yup
13:25 < adam3us> jtimon, petertodd: are we all done with the sales/system competition-level arguments about freimarket/real-ripple/ripple.com/banking system? so many more interesting things to talk about... ;)
13:26 < petertodd> the real risk is nSeq will be defined to be something else entirely, and there's some possibilities there, but worst comes to worst you can just upgrade the CC software in a "hard-fork" - not a big deal
13:26 < petertodd> adam3us: lol, distracting me from stealth addresses as it is
13:27 < adam3us> here's one for you... how do you bootstrap mergemine security in a side chain (or an alt in general). find miners to merge mine as a favor before there is fee incentive?
13:28 < adam3us> petertodd: some stealth discussion on bitcoin-dev.. also did u see gmaxwell idea for a better fuzzy bloom-bait/prefix?
13:29 < jtimon> still, I see no reason to keep them in FM
13:29 < jtimon> adam3us I don't think we were advancing much
13:29 < petertodd> adam3us: remind me again?
13:29 < adam3us> petertodd: he posted it also on bitcoin-dev
13:29 < petertodd> jtimon: it's 4 bytes per txin, meh
13:29 < petertodd> adam3us: one sec
13:31 < jtimon> adam3us: our approach to MM start without it until we have our own miners, then hardfork for MM and convince Luke-Jr to MM it
13:31 < jtimon> I think we could do it already, but maybe we won't be able to hardfork once again for freimarkets then
13:31 < jtimon> petertodd 4 bytes we won't use. we're hardforking, why not?
13:34 < jtimon> well, when we start MM I think we will approach all big pools
13:34 < petertodd> adam3us: gregory's idea doesn't scale as well
13:35 < petertodd> adam3us: the big advantage of the prefix thing is it's trivially compatible with sharding ideas and so on - note how I talked about putting the ephm pubkey in the txout too
13:35 < adam3us> petertodd: nearly. its also indexable just more indexes, and it allows some parameterizable fuzziness. but it also has stat analysis problems nearly as bad as bare prefix
13:35 < petertodd> adam3us: to be efficient, you're going to need 16 lookup table versions for instance
13:36 < petertodd> adam3us: exactly, and at the same time, how bad is the analysis problem anyway? it's *not* an issue for coinjoin the way people seem to think it is, given the version where the bait goes in the txout
13:36 < adam3us> petertodd: yes its not cost free, but its still indexable and the privacy is slightly less bad.
13:36 < petertodd> jtimon: just make sure that a signature can sign stuff in the scriptSig then
13:36 < petertodd> jtimon: there really needs to be a mechanism to do that
13:37 < petertodd> adam3us: meh, that's not exciting me very much - highly unlikely that version of it will wind up being made into miner committed indexes for instance
13:37 < jtimon> petertodd I don't understand, why is nseq necessary for the signature?
13:38 < petertodd> jtimon: the point of it in the CC example is that you want to sign something in the txin itself because you have some additional data that needs to be signed, but that data isn't known until the tx is created
13:38 < adam3us> petertodd: for example with 1 byte prefix, it cuts your anon-set by 256x. mix in a bit of time correlation, change glomming on input, and any non-trivial use of reusable addr and its a lot worse i think
13:38 < petertodd> jtimon: the OP_RETURN txout solution to that is worse, because it doesn't play well with coinjoin
13:39 < petertodd> adam3us: remember that prefixes are denominated in bits...
13:39 < maaku_> petertodd: we support colored coins explicitly. is there some other reason you'd need data attached to the txin?
13:39 < petertodd> maaku_: upgrading CHECKSIG in a soft-fork is an excellent example
13:39 < maaku_> can you explain?
13:40 < adam3us> petertodd: either bits is enuf to create an anon-set problem, or bits is so small that it doesnt scale
13:40 < petertodd> adam3us: what makes you think it doesn't scale? I mean, shit, without prefixes the idea works reasonably well with 1MB blocks - there isn't that much data to manage
13:41 < petertodd> maaku_: suppose I want to add a signature over the fees paid to CHECKSIG, if I could just make a merkle tree of the txin values, and put that merkle root in the scriptSig, then I could soft-fork that feature in by defining SIGHASH_CHECKFEE_MERKLE_ROOT
13:41 < petertodd> maaku_: I can't do that right now because any additional data in the scriptSig is unsigned
13:42 < petertodd> adam3us: fundamentally the problem is what's the chance of all these extra indexes getting adopted? I'd say nero-zero
13:42 < adam3us> petertodd: i mean doesnt scale to non-full-nodes
13:42 < petertodd> adam3us: near-zero
13:43 < petertodd> adam3us: no, it's just a bandwidth trade-off, a desktop SPV client isn't gonna care about downloading even all blocks frankly, and 1/8th (say) gets to be more and more reasonable
13:43 < adam3us> petertodd: well if u wanna take the 'we cant change shit' stance i guess we have to take solutions that cause big privacy problems because of that. hmm.
13:44 < jtimon> petertodd I don't understand the use case, probably it can be made without a new op
13:44 < adam3us> petertodd: your smart phone might care
13:44 < petertodd> adam3us: well hey, this is a much smaller privacy problem than what we have right now
13:44 < adam3us> petertodd: i disagree, its a worse privacy problem. thats my point.
13:44 < petertodd> jtimon: think about it more, it can't
13:45 < petertodd> adam3us: reality is people are going to connect to untrusted SPV nodes, and it's *very* likely that attackers will start (or already do) run them for data collection
13:45 < adam3us> petertodd: gmaxwell went over this yday and i wrote about it in detail in one of my bitcoin-dev posts. the privacy issues
13:45 < petertodd> adam3us: additionally we *need* to solve SPV scalability, and prefix indexes are a big part of that (electrum works that way for a reason)
13:45 < adam3us> petertodd: yes. but. as gmaxwell said thats different to putting the privacy leak in the indelible global record
13:46 < petertodd> adam3us: well for instance his analysis re: coinjoin is just wrong
13:46 < adam3us> petertodd: yeah but lets at least try do it in a privacy preserving way eh. we can scale things also by doing other scary things.
13:47 < petertodd> adam3us: that's what I'm trying to do you know...
13:47 < adam3us> petertodd: i think my analysis on bitcoin-dev about the anon-set overlaid on network analysis is correct.
13:48 < petertodd> adam3us: my point is, remember what he said about it reducing the anonymity set in CJ? that's just wrong - it doesn't help you distinguish change and non-change for instance
13:48 < adam3us> petertodd: ok fair enuf. i am just saying, its worse, not better; depending on your threat model, and i think targeted attack is less dangerous than after the fact global analysis attack
15:42 < petertodd> unless you can some PoX-style DAG structure
15:42 < petertodd> ah, that's just dual PoW functions basically
15:43 < realazthat> yep
15:43 < realazthat> I didn't understand what you were just saying now though
15:44 < realazthat> what is PoX
15:44 < petertodd> proof-of-sacrifice directed-acyclic-graph - point being because it's a graph the mining function *doesn't* need to be probabilistic provided you have a way of merging nodes together
15:44 < petertodd> with a key-value consensus system merging is easy
15:46 < realazthat> mmm
15:46 < realazthat> I have yet to fully understand PoS hehe
15:47 < petertodd> It's really pretty simple, you throw away some Bitcoins in a way that's provable, like spending to an unspendable output.
15:47 < realazthat> right
15:48 < petertodd> Because you are doing something that's costly, you can use it to come to global consensus, exactly like Bitcoin.
15:48 < realazthat> and that gives you a chance to win
15:48 < realazthat> yeah I grasped that
15:48 < realazthat> but I don't see how such a thing ... can begin
15:48 < petertodd> No, there's no chance involved, at least in the key-value maps I'm thinking about.
15:48 < petertodd> Remember we're not talking about coins here, more like a namecoin-type system.
15:49 < realazthat> I am not 100% familiar with the structure of nmc
15:49 < realazthat> I wrote my own bitcoin blockchain parser to learn bitcoin lol
15:49 < petertodd> Namecoin is basically Bitcoin, except with a rule where you can do specially marked transactions that are considered to be associated keys with values, in the case of namecoin, DNS settings.
15:50 < petertodd> (although namecoin can do more than just DNS)
15:50 < realazthat> right, thats what I figured
15:50 < realazthat> and there are rules for what is allowed etc.
15:50 < realazthat> ie. you can't reserve someone elses name
15:50 < realazthat> domain transfer rules etc.
15:51 < petertodd> Yup. I'm saying, ditch the mining and currency part, and do key-value consensus purely by what version of history has the biggest total sacrifice associated with it.
15:51 < realazthat> so who actually mints a block
15:52 < petertodd> A "block" is just one or more key:value settings, potentially just one.
15:52 < petertodd> Specifically Hash(key):Hash(value) probably makes sense.
15:53 < petertodd> And you probably want some rules where once a k:v is set initially, it's associated with a pubkey(s) that must sign for subsequent settings. (like namecoin does)
15:53 < realazthat> ok isn't that a TX
15:53 < realazthat> a block is a bunch of TXs
15:54 < petertodd> Exactly, there's no TX's because there's no currency.
15:54 < realazthat> ok
15:54 < realazthat> so I am just struggling to compare it to bitcoin
15:55 < realazthat> in bitcoin there is a centralization for each block minted
15:55 < realazthat> are you saying there is none here?
15:56 < petertodd> Yeah, anyone with some Bitcoins to sacrifice can trivially make a block in this system.
15:57 < petertodd> Each block includes one or two pointers to previous blocks that they consider canonical history.
15:57 < realazthat> wow
15:57 < realazthat> but thats a lot of different conflicting chains
15:57 < realazthat> oh so you combine it somehow?
15:58 < petertodd> Yeah, just merge them and discard conflicts.
15:59 < petertodd> And people should build on the tip of the highest sacrifice part of the graph they have validated.
15:59 < realazthat> mmm
15:59 < petertodd> The incentive is to do that too, because it makes it harder for an attacker to rewrite what you want history to be.
16:00 < realazthat> so what stops someone really rich from double spending
16:00 < realazthat> mmm
16:00 < realazthat> I guess that would just merge in
16:01 < realazthat> no wait, he can put in a conflict, then weigh his tree down
16:01 < realazthat> with a sacrafice
16:01 < realazthat> sacrifice*
16:01 < petertodd> Well of course you can be 51% attacked.
16:01 < petertodd> But that's always true.
16:01 < realazthat> why is it 51%?
16:02 < realazthat> wait
16:02 < realazthat> in order to get your key/value in,
16:02 < realazthat> you put sacrifice some coins, and store this special key/value transaction
16:02 < realazthat> mmm
16:02 < realazthat> right?
16:03 < realazthat> so if you later redo this, on another chain you own, and spend *more* coins, wouldn't this other chain weigh more?
16:03 < realazthat> ie. have more sacrifice/
16:03 < realazthat> ?
16:03 < realazthat> I know I am misunderstanding something
16:05 < petertodd> Basically whatever part of the DAG you want to rewrite, you have to spend more than the sum of the sacrifices of that part of the DAG.
16:06 < realazthat> mmm
16:06 < realazthat> I think I am beginning to understand
16:07 < realazthat> a nice illustration would help :P
16:07 < realazthat> so what is the source of new coin?
16:07 < realazthat> how does one get coin in this chain
16:08 < realazthat> or would it work tother with the main chain?
16:08 < realazthat> together*
16:08 < petertodd> Yup, it works only with Bitcoin.
16:08 < petertodd> Remember, there are no coins in this chain.
16:08 < realazthat> right ok
16:08 < realazthat> mm
16:08 < realazthat> destruction of bitcoins ... I don't like it :P
16:09 < realazthat> but i guess its good for everyone else :D
16:09 < realazthat> mmm
16:10 < petertodd> Future stuff can send them to mining fees with a soft-fork.
16:10 < realazthat> ah yeah ok
16:10 < realazthat> or
16:10 < realazthat> oh wait
16:10 < realazthat> what is proof of stake
16:10 < realazthat> sounds like what I was about to propose
16:11 < realazthat> essentially, you give it something temporarily
16:11 < realazthat> and eventually get it back
16:13 < petertodd> yeah, key-value could be done with proof-of-stake too actually
16:13 < petertodd> but proof-of-stake has problems... first of all, usually it turns out nothing is at stake
16:15 < realazthat> howso
16:15 < petertodd> You can often mine both sides of a proof-of-stake fork.
16:16 < realazthat> oh
16:16 < realazthat> and sacrifice?
16:16 < petertodd> sacrifices can't be undone...
16:16 < realazthat> right
16:17 < realazthat> wow these things are hard to contemplate automatically like side-channels
16:17 < petertodd> ?
16:17 < realazthat> I wouldn't have thought of that difference easily
16:18 < petertodd> ah, yeah it's a big difference
--- Log closed Tue Jun 04 00:00:04 2013
--- Log opened Tue Jun 04 00:00:04 2013
17:08 < petertodd> gmaxwell: At the conference you were talking about creating a SCIP proof of the UTXO set, and how it'd take a crazy amount of EC2.
17:08 < petertodd> gmaxwell: Was that because it would create the proof in one go?
17:09 < petertodd> gmaxwell: My understanding is that you can create a proof that a proof evaluation program was run, which to me says you should be able to create these proofs on a per-block basis...
17:09 < petertodd> gmaxwell: ...leading to a UTXO set + total PoW proof that is self-checking - IE you don't need the blockchain history at all to trustit.
17:09 < petertodd> *trust it
17:11 < gmaxwell> petertodd: I think that even with the log2 decomposition what we want to do is at the upper edge of the scalability of the software so far. But since the scaling problems there are mostly on the prover side I was throwing out 'big computation can be obtained'
17:12 < petertodd> gmaxwell: log2 decomposition?
17:13 < gmaxwell> petertodd: do stepwise proofs of every block. Then do pairs of validations of validations.
17:13 < petertodd> gmaxwell: Ah, as in what you were talking about previously was exactly what I'm proposing now.
17:13 < gmaxwell> Yes.
17:14 < petertodd> Ah, and hence the ideas for using the SCIP proofs themselves as your PoW function.
17:15 < petertodd> Speaking of, I was thinking SCIP proofs would be a way you could combine multiple proof-of-sacrifices together into one short proof.
17:17 < petertodd> Another idea I had was you could combine multiple proof-of-sacrifices together into a short proof with a probabilistic proof using a commitment.
17:19 < petertodd> So you have some set of PoX proofs, created successively. Each step you get to drop one of the proofs from the set, but for the proof to be valid the one you drop must match a random nonce in the future, such as the txid of whomever spends the anyone-can-spend txout in your coinbase tx.
17:20 < petertodd> Like how non-interactive zero-knowledge proofs use one-way functions and a pre-selected nonce.
17:49 < petertodd> Ok, so this works: Let's say I make fixed sacrifices of 1BTC. Each sacrifice encodes the txids of two prior 1BTC sacrifices. I want to be able to prove 3BTC in total have been sacrificed, but I don't want to provide three transactions.
17:50 < petertodd> So instead I call the two prior ones left and right, and the rule is if the last bit of the block hash subsequent to my transaction is a 1, I have to provide the left tx proof, if it's a zero, I provide the right one.
17:51 < realazthat> eli got back to me
17:51 < petertodd> I can of course make a fake sacrifice, but because I can't control the next block hash I have an equal probability that I'll waste my sacrifice.
17:51 < petertodd> Oh yeah?
17:52 < realazthat> I asked him very politely about Q&A and joining in irc
17:52 < realazthat> i made sure to say only if he had time
17:52 < realazthat> so his response was that they're hitting a deadline this week
17:52 < realazthat> and I should contact him later next week
17:52 < petertodd> Promising!
17:53 < petertodd> Contact him in two weeks then.
17:53 < realazthat> and they're working on website
17:53 < realazthat> so he wants it to coincide, perhaps
17:53 < realazthat> + he will release early specs of tinyram
17:53 < realazthat> so I can start working on LLVM backend
17:53 < petertodd> Oh, a website would be good. I was having a heck of a time trying to find info on SCIP earlier today.
01:15 < gmaxwell> petertodd: plus there is huge lags on mining. You'd do better to put a ecdsa public key in blocks and have miners announce announcement timestamps for the blocks they made.
01:15 < gmaxwell> I happen to like being alive and not irradiated.
01:16 < petertodd> gmaxwell: If you want to reduce the lag, just broadcast sub-target difficulties.
01:16 < Luke-Jr> lol
01:16 < petertodd> gmaxwell: Ok, how about we require bitcoin to run on computers with shittier memory then?
01:16 < gmaxwell> petertodd: I mean there is huge lag in just issuing out work to miners, scanning it, submitting results.
01:17 < petertodd> gmaxwell: That's seconds, I'm thinking tens of minutes is what matters here.
01:17 < petertodd> gmaxwell: Again, this *isn't* for timestamping data!
01:22 < Luke-Jr> gmaxwell: well, who is to say what step the timestamp is meant to be for? :P
01:23 < gmaxwell> any field is defined by its validity rule.
01:30 < petertodd> except for nonce which is defined by the easiest implementation on an ASIC...
01:32 < petertodd> between nonce, version, and timestamp you could commit to 64-bits of data directly in the blockheader, but that's ASIC incompatible
01:33 < petertodd> (efficient mining in general incompatible really)
13:43 < jgarzik> amiller, can you expand("Amiller's high hash highway stuff")
13:43 < jgarzik> ?
13:44 < amiller> jgarzik, i can try
13:45 < amiller> the scenario is, you have a large number of proof of work solutions, and you want to check that their total-work is at least W in total.
13:46 < amiller> let's say they're all at the same difficulty
13:49 < amiller> if it's inefficient to check all of them individually, then the goal is to check just a sample such that it's unlikely the sample could be made in shorter time than W.
13:51 < amiller> (i'm going slow to try not to make mistakes here)
13:53 < amiller> i'm starting to feel like i made a bunch of mistakes or at least unnecessary steps in the solution i had previously
13:53 < amiller> but the basic requirement is that you need to be able to prove that an earlier block is committed to in a previous block
13:54 < amiller> and right now the only way to do that is to traverse backwards along the chain
13:54 < amiller> but you can do this faster if you commit to a skip list (or probably even just a merkle tree to be simpler) that has pointers further back than just the previous block.
13:55 < amiller> you know how the blocklocator works right? it's supposed to make it easy to find the intersection point between two blocks, and it does so by letting you jump back an exponential number of blocks?
13:56 < amiller> basically if you commit to a structure like that in the block header then you can do a secure diff between blockchains.
13:57 < amiller> the main application of this is faster SPV bootstrapping because you can quickly/securely estimate which chain is "longer", making it harder for someone malicious to lead you on a DoS goose chase
14:04 < gmaxwell> Personally, I think reverse header fetching is better. It's not better in the asymptotic complexity case, but under the assumption that the current difficulty is only a small factor away from the sum of the far past (exponential growth), it achieves the same security with only p2p behavior changes.
14:06 < gmaxwell> (the idea there that the difficulty of the most recent blocks is enough to make creating a goose chase very expensive)
--- Log closed Thu Jul 18 00:00:59 2013
--- Log opened Thu Jul 18 00:00:59 2013
08:46 < amiller> petertodd, the thing you described could just be a memory-bound proof-of-work function
08:47 < amiller> see https://research.microsoft.com/pubs/65154/crypto03.pdf
08:48 < amiller> also the H' you described is just a digital signature but a memory-hard pow would work just as well too
10:46 < petertodd> amiller: It's more subtle than that; I want to force my peers to consume memory, not do work
10:46 < amiller> well the point is that the work requires memory
10:46 < petertodd> I don't want a POW because I don't want it to be expensive for your usual client with some spare memory to connect, only expensive to make lots of parallel connections at once.
10:46 < amiller> hm.
10:47 < amiller> in that case i think you want the Hourglass scheme from RSA
10:47 < amiller> http://www.tablusqa.com/rsalabs/presentations/hourglass.pdf
10:48 < petertodd> Nah, this has nothing to do with having data or not.
10:48 < amiller> the simplest variation is based on signatures so it's pretty much what you describe... you sign a bunch of pieces of data (that's using the trapdoor) then require them to give it back to you
10:48 < amiller> so the only way they can give it back to you is to store it
10:48 < petertodd> But that requires bandwidth to give them the data.
10:48 < petertodd> I want something that only forces my peer to keep data in ram, ideally it is data they can generate from a seed.
10:49 < amiller> so you want to give them a concise seed, and force them to fill up a lot of their memory with it, then give you a concise digest at the end somehow
10:49 < petertodd> Yes, in a sense the "trapdoor" is that it's a function that's cheap to compute, but only if you have a big table in memory.
10:51 < amiller> hm.
10:55 < amiller> so the exponential memory bound proof of work function from fabian coelho is sort of like that too.
10:55 < amiller> http://193.55.130.53/~nitaj/AFrica08Slides/kyushu-pres_Coelho.pdf
10:56 < amiller> i think normally they pick whatever they want for the leaves.
10:56 < amiller> i think there's a way for that to work
10:56 < amiller> basically you construct the leaves from a seed
10:56 < amiller> then you find the root digest, then you use the root digest to help you sample the leaves...
10:57 < amiller> but the unique challenge here is that you want to make sure there's no storage shortcuts e.g. by having identical leaves
10:57 < petertodd> sounds pretty similar to what I'm proposing, done as a NI proof
10:57 < petertodd> well, in my case the proof can be done interactively
10:58 < amiller> either way you use the merkle root as a commitment then choose interactively if you like
10:59 < amiller> so you could give them a seed but then if you only sample a couple leaves it would be hard to show they were computed correctly from the seed without checking the whole chain.
11:01 < amiller> i don't know how to solve that, hm.
11:03 < petertodd> for the SPV anti-dos you don't have to prove they've done anything, you only have to make it such that using up RAM allows the SPV client to return the correct result much faster than not doing so, and then prioritize based on that response time
11:04 < petertodd> The problem is that you'll need this table to be fairly large, because network latency is high and disks are fast.
11:08 < amiller> well you need them to fill up their memory with data
11:08 < amiller> and then query this data
11:09 < amiller> and you don't want them to be able to do computing on the fly
11:15 < amiller> so that requires putting full-entropy data in each spot
11:15 < amiller> otherwise you could cheat by compressing
11:25 < petertodd> yup
11:26 < petertodd> It's just a matter of how big is reasonable - a 100MB table makes life hard for phones for instance, yet disks are fast enough that we probably want something that size.
11:27 < petertodd> (it's also a trade-off of how often we query peers for the data, a disk can seek and grab 100MB quickly, but it can't serve 100x such requests at once)
11:28 < petertodd> 10MB isn't bad - that's 80MB of data for your standard 8 outgoing peers.
11:29 < petertodd> But it doesn't give that much protection either... 10k peers is just 10GB of ram, pretty cheap.
11:29 < petertodd> er, 1K peers
11:57 < realzies> yay guys
11:57 < realzies> SCIP
11:57 < realzies> got an email from eli ben-sasson today
11:58 < realzies> Dear Azriel,
11:58 < realzies> Some time ago you mentioned that you're interested in trying to write an LLVM backend for our TinyRAM spec. If you're still up to the task, we'll be happy to help out. I'm cc'ing the rest of the research team - Prof. Eran Tromer from Tel-Aviv U., my co-PI, Alessandro Chiesa (grad student @ MIT), Daniel Genkin (grad student @ Technion) and Madars Virza (grad student @ MIT).
11:58 < realzies> Our first paper using TinyRAM has been accepted for publication at the CRYPTO'13 conference this August. A draft is attached, and the full version will be posted in the next few weeks (we need to finish writing down some full-system performance numbers). We think this will make much more concrete our motivation in this project, and also the design choices for TinyRAM (see Section 2.1).
11:58 < realzies> Also attached is a draft of the tinyRAM spec, and the only reason it's just "0.99" is in case we get suggestions for improvements before we publish it.
11:58 < realzies> All in all, we're very close to a time where everything about TinyRAM is public and ready for open-source development.
11:59 < realzies> Are you still interested in developing a TinyRAM LLVM backend? If so, we'd love to support your effort in any way.
11:59 < realzies> Best,
11:59 < realzies> Eli
11:59 < realzies> (2 attachments)
11:59 < realzies> gmaxwell: ping
11:59 < gmaxwell> petertodd: ISTM you really want a trapdoor function that one party can compute in parallel, the other party must compute sequentially.
12:00 < gmaxwell> petertodd: then you query the sequential party for the Nth output and a bunch of 0-N. Memorization is the cheapest way to compute the answers.
12:01 < realzies> shall I upload the pdfs somewhere
12:03 < gmaxwell> realzies: tinyram looked super simple.
12:04 < realzies> exactly why I'm eager to make an LLVM backend
12:04 < realzies> it should be simple
12:05 < realzies> https://docs.google.com/file/d/0Bx3Ty2UX6yDLSnM3aU04YUFSNU0/
23:16 < petertodd> andytoshi: were they smoking pot at the same time?
23:16 < andytoshi> petertodd: haha, that's the worst part
23:16 < andytoshi> petertodd: in one case, yes, he was the guitarist of a band at the bar near the math dept
23:16 < andytoshi> he kept getting ahead of me tho, and it turned out later that he had a tech startup 30 years ago and walked away with millions to play guitar..
23:17 < andytoshi> so i think he might've secretly known it all
23:17 < petertodd> andytoshi: it's so much easier in analog electronics... oh wait, I took MIT's second year course on that... :P
23:18 < petertodd> andytoshi: damn!
23:19 < petertodd> andytoshi: you know, it's interesting how many former comp-sci/physics/math/etc students you find in art school - I met easily two dozen, including ones that had pretty substantial degrees.
23:20 < andytoshi> interesting - in math departments, almost all the really good students are musicians, and some are even art school dropouts!
23:20 < petertodd> andytoshi: oh! I never met anyone with an art background at uoft
23:21 < petertodd> andytoshi: well, there was one cute girl who had been reluctantly pushed into biology by her parents in a physics class :P
23:21 < andytoshi> petertodd: nice :P
23:21 < petertodd> andytoshi: every day she dressed like she was going to some kind of anime con
23:22 < gmaxwell> to be fair, music may be far too practical for some mathematicians I've met
23:22 < petertodd> andytoshi: although what was more sad I thought was the sheer number of med students in that class trying desperately to impress admissions to residency or whatever it is exactly :(
23:23 < andytoshi> petertodd: ugh, we had those at SFU too, it was so competitive and so sad
23:23 < andytoshi> but i like this talk of anime con girls, my gf took me to a con once and there were a lot of them there :)
23:23 < petertodd> andytoshi: did you ever take any summer classes? this was in the summer...
23:24 < andytoshi> petertodd: yeah, one summer i took a variational calc class -- and joined the physics soccer team -- i met a few med students then
23:25 < petertodd> andytoshi: heh, what's funny about it is she was in first year, and I'll bet you had she gone to ocad like she wanted she would have quit that by second year in favor of being a hipster
23:25 < petertodd> andytoshi: exactly
23:26 < andytoshi> petertodd: yeah, in general i found the students at university should not have been there
23:27 < andytoshi> they'd really drag down the classes in later years, hence my retreat to graduate classes -- fortunately i was friends with enough faculty by then that there was no trouble with that
23:27 < petertodd> ah that sucks
23:28 < andytoshi> so my feeling is that uni in general is not a great decision if you want to learn things, better to meet the right people and work with them
23:28 < petertodd> yeah, I've never had any experience with the non-art university environment
23:28 < andytoshi> e.g. #bitcoin-wizards
23:28 < petertodd> yup, which is actually pretty much how my art school went - although the flip side of that is they've got a huge failure rate
23:29 < petertodd> but what's interesting, is the post-graduation outcomes, like employment, are surprisingly good, even compared to stuff you think is a good bet like engineering and medicine
23:30 < andytoshi> yeah, i've heard that -- and the art students i've met tend to be more open-minded and intelligent-seeming than a lot of math/science folks
23:30 < andytoshi> why the failure rate tho? do people give up or is it really difficult?
23:30 < justanotheruser> petertodd: are you an art major?
23:30 < petertodd> yup, and people skills goes a long, long way in our economy
23:30 < petertodd> justanotheruser: yup
23:31 < justanotheruser> petertodd: what do you do that is artistic
23:31 < petertodd> andytoshi: people find it hard to deal with the lack of structure is a part of it I think - art school has this weird existential dread to it where you know you have to keep on coming up with new art to succeed, but there's no magic solution to doing that
23:32 < petertodd> andytoshi: and you've got a very unforgiving social environment that's incredibly elitist, as it should be (though that's not necessarily typical - my school had a reputation for that)
23:32 < gmaxwell> in 1970 college enrollment was ~50% of highschool grads in the US, it's ~70% now.
23:33 < andytoshi> petertodd: that does sound scary, though i can see why the same sorts of people end up in math departments
23:33 < midnightmagic> i would be curious to know whether those include the new vocational colleges that have started calling themselves colleges..
23:33 < petertodd> gmaxwell: sounds like a bubble
23:34 < gmaxwell> midnightmagic: no.
23:34 < petertodd> andytoshi: well, to what extent are those departments like that as research becomes more of a focus?
23:35 < andytoshi> petertodd: it's directly correlated to research, the people doing plug-and-chug degrees weren't artsy at all
23:35 < petertodd> andytoshi: I mean, research can easily have that same kind of treadmill to it
23:35 < andytoshi> yeah, that's absolutely the way it seems to me
23:35 < gmaxwell> petertodd: well I believe that it was in the early 70s that the US government privatized sallie mae and made it so you couldn't discharge student loan debt in a bankruptcy.
23:35 < petertodd> andytoshi: ah, yeah, plug-and-chug has its own kind of pain I think
23:35 < petertodd> gmaxwell: good point, and they're pretty good at recovering the money, eventually...
23:36 < andytoshi> gmaxwell, petertodd: the student debt situation is a bubble i think, but i've read the first few chapters of the bell curve (1994) which has some scary stats about school enrollment and IQ stratification which suggest that high enrollment rates are not all bubble..
23:37 < gmaxwell> petertodd: they only have to recover a small portion of it if they inflate tuitions, made possible by tsunamis of money enabled by the lender favoring law...
23:37 < midnightmagic> yay flynn effect
23:38 < petertodd> midnightmagic: people who complain about "all those dumb poor people" mating with each other forget that if you're at the other end of the spectrum, having a smart partner is strongly selected for
23:38 < gmaxwell> I'm sure there are plenty of papers on largely debt based economies and the relative rates of bubbles in them.
23:39 < midnightmagic> petertodd: mm.. not so sure about that. engineers mating with engineers appears to select for autism. additionally, genetic issues with ashkenazi
23:39 < petertodd> andytoshi: well, it could be both true that the high enrollment rates are perfectly justified, and it's a bubble, not to mention that the whole industry could change rather drastically with these efficient online courses (that MIT EE class was great, and free...)
23:40 < andytoshi> midnightmagic: the bell curve talks about this, there is a real selection effect which appears to be increasing IQs amongst part of the population almost as fast as it is decreasing amongst other parts
23:40 < petertodd> midnightmagic: yeah, sounds like very strong evidence for selective mating to me...
23:40 < petertodd> midnightmagic: note that autism is a spectrum...
23:41 < andytoshi> s/almost as fast/faster, but amongst fewer people/
23:41 < midnightmagic> andytoshi: If the research I read is correct, they're destroying their own genetic viability longterm.
23:41 < andytoshi> midnightmagic: let's hope not, they're doing all the crypto research :P
23:41 < petertodd> midnightmagic: and speaking of, when I was a kid my mom had a tutoring/babysitting business that specialized in autistic kids - I ended up hanging around with a heck of a lot of them, and their parents, and it's remarkable how many were comp-sci/engineering
23:42 < andytoshi> midnightmagic: there is a general theme amongst human development of "intelligence overriding medical problems", so personally i am not too worried about such things
23:43 < midnightmagic> mm.. fairly confident that environment nutrition and opportunity are stronger than plain genetics in success. but i'm on my ipad so i can't build a cite from my zotero library
23:43 < petertodd> andytoshi: that modern culture rejects racism so strongly also gives a chance for genes to be spread across large chunks of the population limiting the worst effects of all this stuff
23:44 < gmaxwell> midnightmagic: I've seen papers on that subject, environment/nutrition/opportunity are so correlated with the parents they're almost completely collinear, any paper that claims to control for that is basically just reporting on the outliers by definition.
23:44 < midnightmagic> (absent actual genetic problems anyway)
23:45 < gmaxwell> unless they plan on doing a controlled study, which has ethical problems.
23:45 < gmaxwell> (it's not like we have enough twins data, especially environmentally distinct twins data, to really say a ton about nature vs nurture)
23:46 < petertodd> midnightmagic: I'm pretty skeptical of anyone who tries to claim modern societies are all that bad at providing everyone with opportunities
23:46 < midnightmagic> gmaxwell: the last study i read from u of.. illinois? compared like to like re: private and public schools and came up with the remarkable conclusion that public schools on the whole educated better, while private schools benefitted significantly from the rich person advantages.
23:47 < midnightmagic> petertodd: I have a sociology department or two who would disagree with that :-)
23:47 < petertodd> midnightmagic: define "educated better"
23:47 < andytoshi> midnightmagic: right, and they're sitting comfortably in sociology departments instead of on the street, despite having no skills ;)
23:47 < petertodd> midnightmagic: and remember, I spent enough time at arts school to know sociology is often full of shit :P
09:33 < adam3us> jtimon: given the centralized pressures that exist in the world for control i think adding covenants would likely end in the loss of decentralization and effective user policy choice. ie the destruction of bitcoin as a decentralized currency.
09:35 < jtimon> maybe I'm too optimistic or I expect people to be too smart
09:35 < adam3us> jtimon: see our visacoin example, it gives a new outcome other than banning exchanges: ban non AML covenanted coins. that means u can not transfer a coin to an address that is also not AMLed. easy there-forward for governments to mandate that policy. ergo do not build the mechanism for your own demise
09:35 < jtimon> or maybe you're too pessimistic and expect people to be too stupid
09:35 < adam3us> jtimon: seemingly if bitcoin taught us anything its that people are too stupid :)
09:35 < jtimon> and don't distinguish between visacoins and bitcoins
09:37 < jtimon> adam3us: maaku had the same concern when we were discussing freimarkets authorizers
09:37 < jtimon> my belief is that people will tend to prefer non-authorized assets when they can
09:38 < adam3us> jtimon: see there is a hypothetical bootstrap stage where bitcoin density reaches a point where it can continue without exchanges (for some p2p uses). covenants only makes that worse, because each time you interact with someone who is stupid or doesnt care or need the money in an aml form to do something, it removes free coins, let it run for a year and there will be none left.
09:38 < adam3us> jtimon: i agree, but the virality and incremental leaking effect means you have no remaining effective say in the matter.
09:38 < pigeons> yes, its more than just the technical issue of unaware mixing of covenanted coins and unencumbered coins. As the large, "convenient" options force covenanted coins, some of their partners, customers, and suppliers do too, etc
09:38 < jtimon> and at the same time, there's local communities who want to impose strict rules for their local currencies, and authorizers were the most generic way of allowing them to do so
09:40 < jtimon> if btc are destroyed logarithmically, there will always be some of them left
09:41 < adam3us> jtimon: yes but the remaining free coins are not going up in value (much) so if there are 100btc left for those that care its too few, and bitcoin is dead.
09:41 < jtimon> please, don't say value, say price
09:42 < jtimon> you're making a lot of assumptions
09:42 < jtimon> why would the value of btc be correlated to the value of visacoin?
09:42 < adam3us> jtimon: (ok price) overall this is one of the reasons why tinkering with expanding script language power has far reaching implications, even for the very continued meaningful existence of bitcoin with decentralized policy features, and must be approached with extreme caution.
09:42 < jtimon> if there's 1% btc and 99% visa, btc are much more scarce
09:43 < pigeons> its similar to coinvalidate. you would think no one would want to use a whitelist, but once "everyone else" does
09:43 < pigeons> there become less options to use bitcoin and the only options are to use covenantcoin/visacoin/etc
09:43 < jtimon> what would I use whitelisted bitcoins? that's not a p2p currency
09:44 < adam3us> pigeons: right. its as likely that the price of free coins would plummet because the people who think about technical freedom are in an economic minority
09:45 < jtimon> technical freedom is what bitcoin is about
09:45 < adam3us> jtimon: scarce as in about to become dodo i think, due to incremental virality
09:45 < jtimon> if people think that bitcoin will go higher in price after they turn into visacoins they are blind
09:46 < adam3us> jtimon: i think it is more that the economic majority neither thinks, nor cares, they just want to buy a burger, etc.
09:46 < adam3us> jtimon: so why would they care when they spend the last freecoin for a burger, so long as the visa covenant shop accepts it at parity
09:46 < pigeons> well price isnt the concern, its usability and perhaps fungibility, if network effects help increase visacoin usage as the way to go
09:47 < jtimon> please, stop using the "people are dumb" fallacy
09:47 < jtimon> because the burger costs 1 visacoin (1000 usd approx) and 1 bitcoin costs 100,000 usd, for example
09:48 < adam3us> jtimon: ok, say the bitcoin wizard guy gets very hungry, and he wants to eat the burger and he has no visa coins in his wallet. he thinks, well its only 10mBTC. repeat virally by the velocity of money and even people who are smart and care, can end up with no free coins left after a bit
09:48 < pigeons> so i like tools that have lots of options too, but also i've seen the "people are dumb" argument supported too well in bitcoin.
09:48 < pigeons> not really dumb, just acting naturally for conditions
09:49 < jtimon> people are dumb, but if you need that fact to make a point there's something wrong with your reasoning
09:49 < pigeons> so for these matters i like if the features are supported better, but after there are more options to support the underlying p2p bitcoin and keep it viable in spite of other choices
09:49 < adam3us> jtimon: there you assume the exchange for freecoin/amlcoin diverges. aml exchanges and shops will accept freecoin at parity i would think (and convert them into amlcoins)
09:49 < jtimon> I'm just saying that's a fallacy, not that it is false
09:50 < pigeons> when bitcoin is more "entrenched" these outcomes are less of a concern
09:50 < jtimon> why would shops ask you for 1 btc for the burger if they can sell 0.01 btc for 1 visacoin?
09:51 < adam3us> jtimon: i think covenants just hand a viral weapon of control to policy risk points. bitcoin has policy risk points: exchanges, regulated businesses and the market success of payment processor policy (say bitpay adopted aml coin, jgarzik resigns in protest, but it has market adoption)
09:52 < jtimon> I could even be fine with assuming most consumers and some merchants are dumb
09:52 < jtimon> but certainly not assuming that most shops and producers will be dumb: because they go bankrupt when they're dumb
09:53 < jtimon> ok
09:53 < jtimon> what could happen...
09:53 < pigeons> policy risk points are not about business savvy, they are about external force imposed by regulators
09:53 < adam3us> jtimon: ok agree, no more Dunning-Kruger-esque smugness. lets focus on the virality issue
09:54 < jtimon> no matter the law, if your business sucks you go bankrupt
09:54 < jtimon> no matter how happy the nsa is with say, coinbase
09:54 < adam3us> pigeons: as we've seen with NSA they'll use / abuse what they can get. we thought we were secure because of CAs. in reality government can demand keys, and cooperation from CAs, do MITM and so we are not secure. i called this risk in 1992 or something. took 22 years but here we are.
09:55 < jtimon> if they keep on doing stupid things like using databases without consistency they will go bankrupt
09:55 < pigeons> there is much moral hazard about that i'm not so sure that's true
09:55 < jtimon> but CAs are centralized
09:55 < jtimon> no?
09:56 < adam3us> jtimon: not fully, there are 100s of them in dozens of countries, operated by a variety of types of organizations.
09:56 < pigeons> yes CAs are centralized, but bitcoin also has "policy risk points" as adam3us says. exchanges, mining pools, etc that have aspects of centralization
09:58 < adam3us> anyway bitcoin/altcoin focus i think covenant language extensions are dangerous and we should not introduce them. or we should do language extension with language level provable virality/centralization resisting limits
09:58 < jtimon> I don't know, apparently I wasn't being able to make my point that, bitcoins != amlcoins
09:59 < jtimon> back to your "bitpay ports to amlcoin" example
09:59 < adam3us> jtimon: i think i get what you are saying. that by imposing amlcoins, the "attacker" has created an alt-coin. you are supposing its value will float to the extent that people will not willingly exchange them or will think hard about it
09:59 < jtimon> there will still be people that have eyes to see they're different currencies
09:59 < adam3us> jtimon: however the value of the freecoin is heavily hampered by not having access to exchanges. that may defacto make its price quite close to the amlcoin floor
10:00 < jtimon> so the prices will (at first slightly) differ
10:00 < jtimon> people paying with bitcoins don't want to have their btc valued as if they were amlcoins
10:01 < jtimon> and suddenly the impossible happens: bitpay2 appears
10:01 < jtimon> wait wait
10:01 < pigeons> and there are now more things you can buy with amlcoins than with bitcoins
10:01 < adam3us> jtimon: your argument is analogous to the "attacker creates" alt in committed tx, yes i do get the argument. but i am not sure the economics work for it in this case. because the choice is severely limited, and the fungibility reduced which in turn affects the value. the outcome depends on the balance between preference for freecoin (price up) and loss of fungibility/virality (price down towards amlcoin) my guestimate is freecoins lose an
10:01 < jtimon> you're now saying that all exchanges in the world will abandon bitcoin in favor of nsacoin at the same hour?
10:02 < pigeons> and yes you lose the advantage of bitcoins, but here is where you have faith that people will see that and reject the amlcoins, but this i would bet against
10:03 < adam3us> jtimon: well its a given that the main risk to bitcoin is regulation. exchanges already impose AML due to regulation. if we give them a way to make aml viral, i predict governments will seize and make that mandatory
10:03 < jtimon> ok, we found where we disagree
10:04 < jtimon> you think people are too dumb to distinguish between bitcoin and amlcoin and the people who understand it won't be able to explain it to the world
22:29 < amiller> i learned today about the "covert security" model which actually matches exactly what we'd like in terms of auditability
22:29 < gmaxwell> (IOW: a fucking useless model, what is wrong with these people?!)
22:30 < amiller> an adversary might change the outcome, but it will do so in a publicly-detectable way
22:30 < amiller> active*
22:31 < amiller> anyway that's beside the point i'm talking about rational analysis mainly here
22:33 < petertodd> gmaxwell: ...so we're talking security against dumb five year olds?
23:32 < amiller> there's still no way of doing a fair 50-50 bet in bitcoin
23:32 < amiller> there would be if we had even the most basic bitwise arithmetic ops
23:51 < gmaxwell> amiller: hm? you don't like iddo's protocol?
23:53 < amiller> gmaxwell, https://bitcointalk.org/index.php?topic=277048.0 this one?
23:54 < amiller> how do you take the LSB of something you can hash?
23:54 < gmaxwell> ah I thought you said "even if we had [...] arithmetic ops" misread.
23:55 < amiller> so having a bet like that is one of the things you just can't analyze in EU
23:56 < amiller> i think that's one of the reasons why simple games like that have been skipped over by cryptofolk who assume that anything that isn't EU is just irrational and not worth modeling
23:57 < amiller> but it seems appealing to me, if enough people are each willing to pay a small amount of money for a marginally-negative EV but a high variance, then they should be able to get together and do a lottery like this
23:57 < amiller> incurring only transaction costs
--- Log closed Tue Nov 12 00:00:14 2013
--- Log opened Tue Nov 12 00:00:14 2013
04:00 < adam3us> amiller_: lsb no, < n/2 mod n, yes? or is < also on small ints
04:51 < adam3us> i guess size limits would get in the way, but the lack of bigint operations in the script lang, invites people to write a sha256 in the script lang USING small ints (if there are enough small int ops to turing completeness to even do that)
06:46 < adam3us> btw i hope someone has a real-time archive of bitcointalk - didnt seem to be that reliably maintained and managed from the repeated hacks & downtime - be an actual problem if that archive was lost
06:53 < adam3us> btw about "not as described" yesterday ... the fact that bitcoins fungibility is imperfect (and improvements worked on) can not be logically used as a rationale for building non fungible p2p bearer bond
06:55 < adam3us> the 1995 era digital bearer bond had perfect fungibility because of the simplicity of chaum blinding, but limited durability as the combined issuer/transaction server housing the double spend db could (and often did) disappear, like digicash betabucks server eg
06:57 < adam3us> it seems like chris odom's OT model with receipts and multiple competing redundant but not decentralized servers, and users could collaboratively, p2p, detect servers that issue conflicting transactions (each user audits his own view, posts conflict to other users) -and react by switching to another server
06:59 < adam3us> i dont know if the p2p part is implemented - seems more like a dissatisfaction word of mouth, loss of business for tx server argument afaik. but at least the receipts provide some durability, however you may need all users in the tx chain to be around, online, to not lose their own records, to reassemble a server state which sounds fragile
07:26 < jtimon> adam3us maaku wanted to add in-chain chaumian cash to freimarket, but I still don't see much value on it
07:26 < jtimon> chaumian cash is not atomically tradeable by anything else, not even in the same chain/server
07:27 < jtimon> I don't see the problem with non-perfectly-fungible in-chain assets
07:27 < adam3us> jtimon: i think it provides two features: optional privacy, and fungibility arising from the privacy. just because the payment is fungible (due to anonymity) doesnt have to imply you need to use the anonymity: eg you can be fully identified, kyc certified, or pseudonymous or anonymous as you choose
07:28 < jtimon> you do have optional privacy with traceable pseudonyms
07:28 < adam3us> jtimon: if something is not fungible it adds to risk and transaction cost. credit cards being the canonical example - many internet businesses cant take credit cards for this reason
07:29 < jtimon> no, the transactions are still irreversible
07:29 < adam3us> jtimon: if you mean bitcoin current, then yes and the implication is you then get moderate fungibility which many think is a risk that needs fixing
07:30 < adam3us> jtimon: bitcoin transactions? or freimarket transactions?
07:30 < jtimon> both are irreversible
07:30 < adam3us> jtimon: defacto yes, cryptographically no, courts will disabuse people of the difference in due course
07:32 < jtimon> you mean at redemption time, but I don't think that's legally feasible nor how "full p2p fungibility" (whatever that means and if it's possible at all) helps in any way
07:32 < jtimon> let's go back to yesterday's example
07:33 < adam3us> jtimon: say mining was very centralized, and consensus based (ripple), and claimed defacto irreversibility, or freimarkets similarly and FBI found DPR coin, they could trace it but not grind the password - they would then apply an NSL or order or pressure on the few central servers to block the transaction, or to forcibly change the owner without signature
07:34 < jtimon> well, that's a problem with ripple consensus, not with bitcoin pow
07:34 < adam3us> jtimon: consider DPR doesnt want to redeem it, he wants to sell his IBM shares for bitcoin to hire a good lawyer
07:34 < adam3us> jtimon: yes and maybe with freimarkets also?
07:34 < sipa> jtimon: it's only not a problem for bitcoin if mining anonymously is possible
07:34 < jtimon> no, freimarkets is supposed to be deployed in a pow chain like bitcoin or freicoin
07:35 < adam3us> sipa, jtimon: its a problem in bitcoin also, as sipa said, because if there are few, central miners, they can block transactions (unless committed tx is implemented and used)
07:36 < adam3us> jtimon: ok. still bitcoin has the issue and freicoin worse unless merged mined due to lower hashrate
07:37 < adam3us> in my opinion something is not a p2p bearer share unless it has full fungibility; the strength of its claim is how close it gets to ZC/chaum like assurances
07:37 < jtimon> what if I mine outside the judge's jurisdiction?
07:37 < jtimon> unless we're assuming a global state or something...
07:37 < adam3us> jtimon: yes but do you have 51% of power
07:38 < adam3us> the coerced miners may be forced to orphan your transactions
07:38 < jtimon> I don't see a judge ordering a mining pool to undo all their mined blocks
07:38 < jtimon> doesn't make any legal sense to me
07:39 < sipa> doesn't need to
07:39 < adam3us> jtimon: see most of the mining power is in the us, which is the closest we have to a global state (they think they can apply their laws abroad, and have the gall to put pressure to try emulate that)
07:39 < jtimon> miners are not responsible for Bob stealing from alice, nor selling to Carol, who's not responsible either
07:40 < jtimon> they can only expropriate from Bob to compensate Alice
07:40 < adam3us> jtimon: true, you may have trouble getting 6-blocks confirmation
07:40 < jtimon> if Bob, sold the stolen share, then they will force him to compensate with other assets he owns
07:40 < jtimon> you == bob ?
07:41 < adam3us> jtimon: yes bob the thief
07:41 < jtimon> so you say miners will be forced not to accept the tx where bob sells to carol, mhumm
07:42 < jtimon> if the sell is already in the chain, I think there's no way back they can ask from miners
07:42 < adam3us> jtimon: yep or worse, eg an exchange has alice's money she sues the exchange for its return, as there is taint list and the exchange did not follow best practices in rejecting bob's attempts to cash it out
07:43 < jtimon> wait wait
07:43 < sipa> i think we want a system that works correctly because of technical reasons, and doesn't need to assume reasonable laws or judges around it
07:43 < adam3us> jtimon: yes that is defacto harder as its a 51% attack.
07:43 < adam3us> sipa: bingo
07:43 < sipa> that's not always possible, but if your argument starts with "judges are reasonable", i don't think you're still arguing about the quality of the system itself
07:43 < sipa> even if for practical purposes, you still make that assumption
07:44 < jtimon> no, I'm not assuming that judges are reasonable but you're assuming that they're completely stupid and crazy
07:44 < sipa> i prefer not making any assumption at all, if possible
07:44 < adam3us> jtimon: its a stronger assurance to rely on cryptography
07:45 < sipa> i also prefer not assuming reasonable miners
07:45 < sipa> but for the time being, we have to
07:45 < jtimon> yes, completely agree, but I don't think the law can make a pow chain reversible
07:45 < adam3us> sipa: potentially committed tx addresses both judge issues and miner issues
07:45 < adam3us> jtimon: no but it can block and freeze funds
07:46 < jtimon> I like the idea of blind commiting, but your p2p deployment doesn't convince me
07:46 < adam3us> jtimon: and they love to do that, if anything semi-technical gets in their path they will become irrationally unreasonable so fast it will make your head spin, cognitive dissonance means nothing to them
07:46 < jtimon> well, not completely
07:46 < jtimon> the judge could order US miners not to validate the transaction where bob sells
07:47 < jtimon> but an iran miner could mine it
07:47 < adam3us> jtimon: yes and there is some argument that courts are slow, it'll be a few weeks of confirms by the time they react
07:47 < jtimon> would US miners forced to leave that block orphan risking a fork?
07:48 < adam3us> jtimon: its a reasonableness argument so its slippery
07:48 < jtimon> I think they will just attack the redemption side
07:48 < jtimon> if anything
18:09 < adam3us> petertodd: yes but even selfishly there is interest to succeed. making bitcoin fail and going down with it is not useful to either the meta-coin nor bitcoin
18:09 < jtimon> and I don't think "MM is better than independent mining" is the message that people perceive from bitcoin devs
18:10 < petertodd> adam3us: meh, if you were right then people would never pollute, but they do
18:10 < andytoshi> petertodd: it might be interesting to think about an alt with a fixed 1-coin reward, and which capped miner fees at, say, 0.05 coins (and the rest would be destroyed)
18:10 < petertodd> adam3us: remember, we've got anonymous systems here where social pressure doesn't work very well
18:10 < jtimon> people somehow perceive that "all experts prefer scrypt and quark, it's just that bitcoin is not going to hardfork on that now"
18:10 < andytoshi> capped total fees per block*
18:11 < petertodd> jtimon: depends on what bitcoin devs you're talking about - gavin regularly writes about how alts are stupid and harmful
18:11 < jtimon> andytoshi what for?
18:12 < jtimon> petertodd: I know there's not one voice
18:12 < adam3us> maaku_: SPV proofs and pegged sidechain. yes. the issue is that you dont really want to rely on as part of the protocol expecting bitcoin validators to follow the side-chain traffic or vice versa
18:12 < andytoshi> jtimon: to change the miner incentives to accept crap in exchange for high fees
18:13 < adam3us> petertodd: yes but it hasnt failed yet.
18:13 < petertodd> bbl
18:14 < andytoshi> jtimon: this would also reduce the potential for fee extortion, since with fees capped at 5% of income there'd be lots of people who simply don't care
18:14 < andytoshi> (this is a far future problem for bitcoin ofc since fees are not even 0.05%)
18:14 < jtimon> 0.05% of total reward to miner?
18:14 < adam3us> killerstorm: your super-rational miner strategy seems plausible
18:15 < andytoshi> jtimon: yeah. (am i wrong?)
18:15 < jtimon> andytoshi I don't know I'm not sure I understand
18:16 < jtimon> if you hash more than 0.05 in fees in a block you only get 0.05 in fees
18:16 < jtimon> but 0.5 will be less and less as inflation increases
18:16 < andytoshi> jtimon: that's right, and any other fees that transactions had included would simply get burnt
18:16 < adam3us> petertodd: you realize he just made the $25k per block fraud shrink a lot?
18:16 < andytoshi> jtimon: right, as will 1.0 (the block reward)
18:16 < jtimon> I think the reward will be eventually too small
18:17 < jtimon> 1.05 will eventually be 0.0000000000000001% of the total supply
18:17 < andytoshi> jtimon: no, currency loss will stop it getting that far i'm sure
18:17 < andytoshi> but i haven't done any detailed analysis to think about how far it will get
18:18 < andytoshi> maybe it will go too low and kill security, i don't know
18:18 < jtimon> oh, I guess you're right, is there any analysis on currency lost? how you do that?
18:19 < andytoshi> jtimon: it's hard to say, numbers exist for physical currency destruction, but that's obviously possible to measure, while cryptocurrency numbers are not
18:19 < adam3us> maaku_: however there are some factors. a) bitcoin is still security firewalled (it wont accept coins that didnt come from its chain), b) individual users/miners may choose to full validate; c) atomic swap is the much more frequently used method and that can be full validated; d) spv proven transfer back is liquidity event for imbalanced in demand, and a little bloated.
18:19 < andytoshi> so perhaps you can import the physical numbers as "percent carelessness" and get a swag
18:20 < adam3us> maaku_: e) 100 block confirmation on spv liquidity transfer on merge mine is still quite secure
18:21 < jtimon> adam3us how is any pegging scheme more secure than non-pegged MM ?
18:21 < andytoshi> jtimon: in the absence of demurrage, i don't think it's possible since people can store physical keying material, and that's identical to the network to a lost coin
18:21 < adam3us> jtimon: its not
18:21 < andytoshi> no matter how much magic crypto (eg OWAS) you throw at it
18:22 < andytoshi> but otoh with demurrage, measuring the velocity (which is easy) would give you an estimate of supply
18:22 < jtimon> adam3us and how pegging encourages or facilitates innovation?
18:23 < adam3us> warren: u know re mem hard complexity limits, dan larimer/bitshare/invictus momentum hash (birthday) does actually kind of work and is very fast to verify (modulo a non-catastrophic TMTO) would be interesting to see if the TMTO could be fixed. see also google for cuckoo hash proof of work
18:23 < adam3us> jtimon: it allows people who are attached to doing things with btc scarcity rather than new scarcity to do so on a different chain and make changes and features that suit their use case.
18:24 < adam3us> jtimon: (rather than for example arguing that bitcoin main should incorporate their changes which imposes dev cost and security risk for btc main and so would tend to be rejected or progress slowly and conservatively)
18:25 < jtimon> I don't quite understand this part "people who are attached to doing things with btc scarcity rather than new scarcity"
18:25 < jtimon> the second sentence seems to apply for both pegged and non-pegged MM
18:26 < adam3us> jtimon: well if they dont care about using btc currency they can do a MM alt-chain with its own distribution params or auxiliary distribution PoW already
18:27 < warren> adam3us: how bad is the TMTO?
18:27 < adam3us> jtimon: i quite like btc scarcity, virtual gold property, capped supply, the supply curve, human policy inflation proof etc.
18:28 < jtimon> what if they do care, and want to experiment but just don't want pegged-MM's inferior security? say they're zerocoin
18:28 < jtimon> btc is still scarce no matter how many altcoins you create
18:28 < jtimon> 21 M at most
18:28 < adam3us> warren: bad enough that some guy claimed $5000 "break the PoW" bounty for demonstrating it would run on a GPU when they thought it would take 750MB per instance.
18:29 < maaku_> adam3us: 100 block wait is not secure. all you need is one global consensus bug and people can start printing money before it is resolved
18:29 < maaku_> it's a non-starter as far as I'm concerned
18:29 < petertodd> adam3us: how did I make what shrink?
18:29 < adam3us> petertodd: what?
18:30 < adam3us> maaku_: they cant print money from btc main perspective, because the SPV proofs have to track back to specific previously moved coins, and that will be allowed only once per moved coin.
18:31 < petertodd> adam3us: momentum (birthday) hashes may work from a theoretical point of view, but like I've said before, from a practical asic hard point of view they don't because they can be implemented with highly specialized content addressable memory techniques
18:31 < petertodd> adam3us: < adam3us> petertodd: you realize he just made the $25k per block fraud shrink a lot?
18:32 < adam3us> petertodd: yeah. i agree with you. came to same conclusion - i guess we talked about that a while back. (asic vs memhard). just curious about the design of them to be memory low verify
18:32 < petertodd> adam3us: as for cuckhoo hashes as far as I can tell where they fail is they are parallelizable, and an optimal implementation would be some crazy distributed routing layer ontop of some ram
18:33 < petertodd> adam3us: ah
18:33 < adam3us> petertodd: ah yes. killerstorm was talking about a super-pragmatic or such miner greed where they could be bribed by paying $25k+10c if game theoretically they knew most of the other miners might do the same thing
18:33 < petertodd> adam3us: yeah, the low memory verify aspect is pretty neat, same with cuckhoo hashes
18:33 < sipa> cuckoo...
18:34 < petertodd> adam3us: right, and I'm saying that game theoretic makes too many assumptions about what information each miner knows each miner knows
18:34 < petertodd> sipa: rarely do you correct my engrish :P
18:34 < maaku_> adam3us: ok /print/steal/
18:35 < maaku_> i really don't think pegging adds much at all
18:35 < petertodd> adam3us: see, what *is* interesting about cuckoo hashes is that the memory *latency* hard part of them looks pretty solid, so in situations where you need a pow and it's not parallelizable, they work great
18:35 < maaku_> most of the interesting alt applications have to do with issuing new assets
18:35 < adam3us> jtimon: "what if they do care, and want to experiment but just don't want pegged-MM's inferior security? say they're zerocoin" well its a good example, but it kind of illustrates my point. green et al seemed to think bitcoin would adopt their protocol. when it turned out people didnt like the bloat, they were disappointed. with pegged side chain they could've gone and done it themselves
18:35 < petertodd> adam3us: timelock crypto could be one such example
18:36 < petertodd> maaku_: those new assets are more useful though if you can make contracts exchanging them for bitcoins
18:36 < jtimon> maaku_ apparently it solves a philosophical problem related to non-scarce scarcity...
18:37 < maaku_> mmm marginally more useful
18:37 < jtimon> adam3us what's wrong with zerocoin not being pegged to btc ?
18:37 < maaku_> not everyone is convinced bitcoin has the right economics to play that role
18:37 < adam3us> jtimon: again with the zerocoin example now with zerocash, they took that lesson and they're talking about making a zerocash alt coin. so that's a net loss, probably some bitcoin users would like to be able to get zerocash anonymity for their bitcoin, but with a floating rate and an alt the zerocash might not be much fun to use, nor very secure. merge mine would be good step either way
18:38 < jtimon> + 1 for MM zerocash, I don'
18:38 < jtimon> t see how non-pegging is a net loss
18:39 < jtimon> I hope they MM, maybe they prefer to be "anti-specialized-hardware"
13:44 < adam3us> petertodd: (since you last synced your smart phone)
13:44 <@gmaxwell> petertodd: yea but not a shared secret unless you digitize twice.
13:45 < petertodd> adam3us: that's still just over half a mb per day, not bad
13:45 < petertodd> gmaxwell: I know, I'm not solving that problem with that idea
13:46 < adam3us> gmaxwell: yes the shuffle and split is super nice in simplicity. the other ones have complexity, failure etc. the only limitation is 52bits. kinda weak. hence blue sky about flaky alternatives like permutations; double pack is probably better
13:46 <@gmaxwell> if you just want to be subtle, with prp... a boring business card with data stuffed into it .. a "random slogan" that is cryptographic works fine.
13:47 <@gmaxwell> adam3us: yea, double pack fixes the entropy problem well enough.
13:47 < adam3us> petertodd: so the main thing is how does that compare to SPV
13:47 < petertodd> adam3us: thing is, I'm expecting SPV to work like that anyway with prefix filters
13:47 < petertodd> adam3us: so the cost is only in the ECC computations, not extra bandwidth
13:47 < adam3us> petertodd: if 1byte is SPV compatible in overhead, i think we are closer to an spv killer.
13:48 < adam3us> petertodd: spv doesnt have prefix filters, it does fuzzy bloom fetches for requester address set
13:48 < petertodd> adam3us: if anything stealth addresses can be *more* plausible for SPV than stuff like handing out chain codes because the # of addresses you might have to scan for is actually more limited
13:48 < petertodd> adam3us: SPV will be with prefix filters in the future; bloom has shit scalability
13:49 < petertodd> adam3us: also electrum implements them, it's just that the prefix has to be a full 20 bytes :P
13:49 < petertodd> adam3us: electrum will have proper variable-length prefixes sooner or later
13:49 <@gmaxwell> petertodd: ugh. I don't agree. requiring all uses to grind addresses is kinda crazy.
13:49 < adam3us> petertodd: there maybe a small win lurking in there (stealth more plausible for spv more limited scan)
13:50 < adam3us> gmaxwell: maybe better to put the prefix somewhere else, a new field, or a harmless unused/overloadable field
13:50 < petertodd> gmaxwell: depends on how fast it works out to be. Also I think the idea works well in a model where you assume that usually the tx data is just given to the recipient directly; the stealth part is just as a backup
13:50 < adam3us> petertodd: yes but the stealth part has to be ground to setup the backup
13:51 <@gmaxwell> petertodd: no, because it screws up wallet determinism or loading random keys from a deterministic wallet.
13:51 <@gmaxwell> petertodd: if you give the data directly, then you can just use a bip32 wallet.
13:51 < petertodd> gmaxwell: no it doesn't, the data required to recover the wallet is still fully deterministic
13:52 <@gmaxwell> petertodd: yes but only with a non-trivial computational cost per address.
13:52 < petertodd> gmaxwell: based on a seed I can regenerate my master pubkey and from that scan the blockchain to find my transactions
13:52 <@gmaxwell> With a _lot_ of computation, which will encourage address reuse.
13:52 < adam3us> gmaxwell: i think the issue is assuming a reliable 2pc to send the data from user to server is brittle. risk of money loss. so you need a network channel bound to the rest of the payment
13:52 < petertodd> gmaxwell: the computational cost isn't per address you use, it's per address in the blockchain
13:52 < petertodd> gmaxwell: if you don't use your wallet at all the cost is the exact same based on whatever prefix length you chose
13:53 <@gmaxwell> petertodd: you have to do the computation to even know what to look for.
13:53 < petertodd> gmaxwell: what do you mean? you have to do computation to check if every address matching your prefix is one you own
13:53 <@gmaxwell> and the privacy of that is very poor. 1/256 is fine for donation addresses. but you really don't want it for general usage.
13:54 <@gmaxwell> petertodd: no you have to do computation for every index you possibly used to figure out if its your own.
13:54 < adam3us> gmaxwell: i think he is assuming the prefix target is static eg communicated as part of the base address encoding
13:54 < petertodd> gmaxwell: suppose bitcoin has 1,000,000 users, 1/256 is ~4000 users
13:54 < petertodd> gmaxwell: you only have a single master pubkey in the most simple case
13:55 <@gmaxwell> yes which is very small, and thats a large amount of initial users when you consider other factors like time of day or correlation of values transacted and joint spends.
13:55 <@gmaxwell> adam3us: no he's talking about using this not just for donation addresses, and I think thats horrific.
13:56 < petertodd> gmaxwell: yeah, then if you're unhappy about that make your prefix match more people, worst case is you're doing computation roughly similar to syncing a full node
13:56 < petertodd> gmaxwell: best case is you use a payment protocol like this so normally you don't scan the blockchain at all
13:56 <@gmaxwell> I'm no longer talking about the scanning case, I'm talking about 10:50 < petertodd> gmaxwell: depends on how fast it works out to be. Also I think the idea works well in a model where you assume that usually the tx data is just given to the recipient directly; the stealth part is just as a backup
13:57 <@gmaxwell> this is bullshit garbage rubbish
13:57 * gmaxwell spits in the general direction of the idea
13:57 < petertodd> gmaxwell: how? the tx data says "hey! here's this tx I sent you, add it to your list of funds (as though you had to scan the whole damn blockchain to find it)"
13:57 < adam3us> gmaxwell: he he.. dont mince your words there greg :)
13:58 < adam3us> gmaxwell: LOL
13:58 < adam3us> gmaxwell: but yes i think the network transport has to be considered the primary transport that is hit all the time, because thats how it works
13:58 <@gmaxwell> petertodd: great, now your online system fails and you have to do this very expensive computation to enumerate your deterministic keys.
13:58 < petertodd> gmaxwell: if you fuck up and have to restore from backups, well, then you scan the whole damn blockchain (or some subset)
13:58 <@gmaxwell> or you could just use BIP32.
13:59 < petertodd> gmaxwell: the point is you don't have deterministic keys! the computation is O(1) per tx, or O(n) for the blockchain
14:00 < petertodd> gmaxwell: vs BIP32 where your match filter will match some subset of the chain, and you're telling the nodes you connect to essentially what subset of all addresses you have funds in... if you're conservative you probably have already made it match about 1/256th of that whole set
14:00 < petertodd> gmaxwell: (remember I tend to assume full nodes are out to break my anonymity and figure out what's in my wallet)
14:01 <@gmaxwell> petertodd: if you wanted to give up your privacy then you could generically have bloom bait in _any_ transaction.
14:01 < petertodd> gmaxwell: huh?
14:02 <@gmaxwell> But your 1/256 thing really is risky IMO as you're making a highly public record of this flag, instead of something only your scanning node (Which may be trusted and operated by you!) sees, and you don't know how small the anonymity set you get is, you only know that you added _8 bits_ of distinguisher. I imagine that in a lot of cases now 8 bits is completely identifying.
14:03 <@gmaxwell> imagine a coinjoin where the input owners are the same as outputs. 8 bits is completely deanonymizing.
14:03 < petertodd> gmaxwell: first of all I never said that the 1/256 is set in stone
14:03 < petertodd> gmaxwell: secondly for your change addresses you can easily deterministically derive them in a way that is not subject to the 1/256th business
14:03 <@gmaxwell> also you keep saying that its similar to full node syncing, but doing an arbitrary point scalar multiply for every transaction is quite a bit slower.
14:03 < petertodd> gmaxwell: (per transaction)
14:04 <@gmaxwell> petertodd: yea sure you can use a smaller distinguisher, I agree. but then you lose the filtering advantage.
14:04 < petertodd> gmaxwell: yes, but computers are fast and bandwidth isn't... needs some proper numbers, but the difference isn't huge
14:04 <@gmaxwell> yea, I generally agree the speed isn't a huge issue, as I said before I think for donations this is workable without the bloom bait at all.
14:05 <@gmaxwell> just for the sake of correctness, I'm pretty sure it will be worse than 2x full sync cpu. :)
14:05 <@gmaxwell> esp if you have more than one of the keys for privacy among the people you asked to pay you too.
14:05 <@gmaxwell> since then it grows like n*m.
14:06 < petertodd> gmaxwell: why would you have more than one? every payment using this thing is completely independent
14:06 < petertodd> gmaxwell: you only need more than one if you want to maintain multiple *identities*
14:06 <@gmaxwell> petertodd: no, its not independent to the people you asked to pay you.
14:07 <@gmaxwell> and they can even transfer that evidence.
14:07 <@gmaxwell> e.g. they disclose that transaction X is a payment to Y and can do so in a way that everyone else can see too. And then someone crops up and shows "hey I paid Z and its the same pubkey!!"
14:08 < petertodd> gmaxwell: which they can do with bip32
14:08 <@gmaxwell> petertodd: only if you actually give them extended public keys.
14:08 < petertodd> gmaxwell: and if you don't, then the user experience for recurring payments sucks
14:08 <@gmaxwell> which you don't need to if your website (the thing receiving a payment protocol receipt) is issuing them one use regular addresses.
14:08 < petertodd> gmaxwell: yeah, and that's a whole bunch of overhead
14:09 < petertodd> gmaxwell: for instance I just can't do that on freenet...
14:09 <@gmaxwell> not just that BIP32 lets you give each separate user a sub-chain. and those are not linkable.
19:49 < gmaxwell> maaku: I was just saying in the abstract.
19:50 < gmaxwell> The decision problem still exists even in the simplest case.
19:50 < maaku> the real issue with republicoin is that there isn't to my knowledge an adequate proof-of-stake voting system
19:51 < maaku> all the current ones suck big time...
19:51 < gmaxwell> I don't think one is possible.
19:51 < gmaxwell> :(
19:51 < gmaxwell> (This bums me out greatly)
19:51 < gmaxwell> (because in general POS is a great idea, but it seems like you need a consensus system on top of it to make it actually work)
19:51 < gmaxwell> If you give me timelock encryption then I think I can make POS work.
19:52 < gmaxwell> Or at least almost work enough.
19:52 * amiller gives gmaxwell some timelock encryption??
19:53 < gmaxwell> amiller: e.g. I think you can do a POS consensus with timelock encrypted votes to prevent censorship. By the time anyone knows what the old state is, it's hopelessly buried.
19:53 < gmaxwell> (you use proofs that the hidden states are valid)
19:54 < gmaxwell> and timelock encryption means someone can't wedge the system by failing to ultimately disclose.
19:54 < maaku> gmaxwell: i'm fine with a side-chain. i'm even fine with public votes, although obviously something homomorphic would be better
19:54 < maaku> but yeah it would be a lot easier (trivial, almost) with time-lock encryption...
19:54 < gmaxwell> maaku: the problem with public votes is not that they're public, is that it allows whomever controls the consensus system that gathers them to censor the votes so the outcome is as they choose.
19:55 < maaku> ah, so proof-of-stake would essentially become proof-of-work once 50% of miners are corrupted
19:56 < gmaxwell> right. "I don't like this vote very much, bye bye"
19:56 < maaku> amiller: this is probably the best post : http://freicoin.freeforums.org/demurrage-should-it-all-go-to-miners-t20-40.html#p354
19:56 < maaku> but google 'republicoin site:http://freicoin.freeforums.org' to find some others
19:57 < maaku> it's an idea i would like to pursue, but the technical issues need to get worked out first...
19:57 < amiller> "I have an answer, albeit not a strong one: their own economic self-interest in the future of Freicoin." 19:57 < amiller> i'd love to understand that better but it's hard to reason about 19:58 < amiller> it's not totally wrong but it's tricky 19:58 < amiller> people are like, systematically myopic 20:00 < gmaxwell> maaku: another way to make POS votes work is to require _every_ coin to vote. But then your system dies the first time a key is lost. :( 20:00 < maaku> amiller: i have a crushing rejoinder which will squash any doubts 20:00 < maaku> you're right 20:00 < maaku> like i said, it's not a strong argument 20:01 < maaku> but it is basically the analagous situation as real life politics - what stops the big guys from buying the politicians votes? 20:01 < amiller> nothing, that's exactly what happens 20:01 < maaku> well, nothing really. that is what happens. but within limits 20:01 < gmaxwell> s/stops/tames/ 20:01 < amiller> the limits aren't reliable 20:02 < gmaxwell> sure but it's not unbounded. It's actually pretty tricky to achieve any constraint at all. 20:02 < amiller> Okay so i'm writing up (for a lovely forum post) the idea of doing this soft blacklist 20:02 < amiller> i'm stuck on something 20:02 < amiller> besides getting two consecutive blocks 20:02 < maaku> as I said, not a strong argument, but there is enough room that a middleground might exist.. or at least hope for one 20:02 < amiller> there might be a way to just do one block, and incentivize people to take my block 20:02 < amiller> suppose there are two blocks at roughly the same time 20:02 < amiller> it's undefined which one people will choose right? 20:02 < amiller> whichever one they get first? 
20:02 < amiller> there's no prioritization about blocks right now 20:03 < amiller> but suppose one block contains any anyone can pay transaction or something that only is valid if that blocks gets accepted 20:03 < amiller> you could then either mine on block A and get nothing, or mine on block B and get a bonus! 20:03 < sipa> the best pick (for consensus) is the one that you have most confidence in others will also pick 20:03 < amiller> the problem is you can't spend the coinbase immediately and you can't make a transaction pegged to one block 20:04 < amiller> you can in freimarkets where there's an OP_HEIGHT code 20:04 < amiller> is there any way to do that? to give a fee to the miner of the next block for building on the current block? 20:05 < maaku> amiller: give them the fee in the output of the coinbase 20:05 < amiller> no because you can't spend coinbase for 100 blocks 20:05 < maaku> they can't spend it immediatly, but they know it's there 20:05 < maaku> or am i missing something? 20:05 < amiller> they don't get it, the 100th block miner gets it 20:05 < maaku> oh i c 20:05 < gmaxwell> which they have hashrate/total_hashrate probablity of earning. 20:06 < gmaxwell> You can also lower the variation by 'announcing' a not yet valid spend cascade that spread it out over many blocks. 20:07 < gmaxwell> e.g. at height 100 that miner gets half, at 101, that miner gets 1/4, at 102 that miner gets 1/8... and so on. 20:11 < gmaxwell> amiller: speifically preventing this is why I'd said in the OWAS thread that the OWAS payments had to be maturity gated. 20:11 < gmaxwell> otherwise you get stupid randsom effects that screw up consenus. 20:11 < amiller> i'm going to call this a "feather-fork" 20:11 < amiller> because it's like a softer soft fork that only lasts for a couple blocks and only might work 20:12 < amiller> but may still have an influence 20:18 < maaku> i assume you would do that using time locked transactions? 20:19 < gmaxwell> maaku: yea, to space them out. 
20:19 < gmaxwell> e.g. one locked at +100, +101, etc. 20:43 < petertodd> BlueMatt: Well frankly I think that's a dumb rule. For instance, would you object to SPV nodes relaying block headers to each other to be sure they had the best chain? I can't see why. Then if you don't object to that, why not relaying blocks too? Relaying transactions of course can have DoS issues, but if you solve those with a PoW or something, again, why not? Knowing more information will never harm you. 20:44 < BlueMatt> petertodd: spv nodes shouldnt relay headers to each other that they cant verify, no 20:44 < BlueMatt> petertodd: spv nodes shouldnt connect to each other to begin with, really 20:45 < gmaxwell> BlueMatt: why not? if both parties connected are consentual participants? 20:45 < gmaxwell> E.g. "I didn't verify this, you still want it?" 20:45 < gmaxwell> "You know I'm stupid, but if you want me to tell you what I hear, I will." 20:45 < BlueMatt> gmaxwell: consensual in this case means policy defined by developer of spv nodes... 20:46 < gmaxwell> BlueMatt: or whatever they've negoiated. 20:46 < gmaxwell> (the nodes I mean) 20:46 < BlueMatt> and developers shouldn't make their policy of spv nodes to peer with other nodes 20:46 < BlueMatt> if someone wants to do that, they sure can 20:46 < BlueMatt> but thats up to their implementation 20:47 < gmaxwell> BlueMatt: right now SPV nodes are pretty vulnerable to a multitude of attacks, increasingly so as the number of accessible full nodes continues to drop. One strategy to combat this might be for higher resource SPV nodes to connect to each other too. 20:52 < BlueMatt> gmaxwell: problem: full nodes aren't available as much as they should be, solution: work around the problem by coding lots of logic for spv nodes to rumor between each other 20:52 < BlueMatt> seems wrong to me 20:52 < BlueMatt> could just code some logic to make full nodes more appealing to run... 20:52 < gmaxwell> BlueMatt: Maybe. 
Depends on how fundimental the lack of full nodes problem is. 20:52 < gmaxwell> These aren't mutually exclusive. We may eventually need _both_. 20:52 < BlueMatt> true, but Ive seen no data to indicate the issue is really unsolvable with reasonable work? 20:53 < gmaxwell> I don't think we fully understand the reduction in reliable full nodes. 20:53 < BlueMatt> maybe, but I see no reason to code the spv rumoring for some time to come unless we've come a long way 20:54 < gmaxwell> yea, I missed the beginning of you and PT's conversation. This is #bitcoin-wizards after all, and I was just chiming in that I don't think it would be unreasonable in the long term to have SPV nodes who are willing and able play a bigger role in the network. 20:55 < petertodd> BlueMatt: why? 20:55 < petertodd> BlueMatt: heck, blockheaders over twitter is genuinely useful 20:55 < BlueMatt> petertodd: blockheaders over twitter comes from a full node... 20:55 < gmaxwell> BlueMatt: bitcoin-qt's performance has improved _tremendously_ as has its reliablity (except on OSX). 20:55 < BlueMatt> gmaxwell: I dont really like that idea, but yes its an option... 20:56 < BlueMatt> gmaxwell: better: partially-verifying nodes playing a bigger role 20:56 < petertodd> BlueMatt: that's irrelevant 20:57 < petertodd> BlueMatt: blockheaders over twitter is validatable by the fact it's the longest valdi sets of headers you know of, *nothing* else 20:57 < petertodd> Let alone once we start talking about partial probabalistic validation schemes w/ fraud proofs... 20:57 < gmaxwell> BlueMatt: ultimately the shift in nodes type may just be that people do not see any reason to run anything but spv nodes anymore. 
20:58 < BlueMatt> petertodd: my point is that, in the current network, there is NO reason for an spv node to take information from a node it knows is not doing any verification 20:58 < BlueMatt> in the future, maybe it will be neccessary 20:58 < BlueMatt> but not now 20:58 < petertodd> BlueMatt: how does the SPV node know the node it's talking to is doing verification? 20:58 < BlueMatt> gmaxwell: yes, which is why nodes should upgrade 01:50 < jrmithdobbs> :P 01:51 < jrmithdobbs> funny, seeing as i distinctly remembering lamenting how i didn't think it was necessary at a point in the not-so-distant past 01:52 < gmaxwell> jrmithdobbs: the sighash types are pretty much entirely about which parts of the transaction get masked out when you sign. 01:55 < jrmithdobbs> oh those, just re looked over the contracts stuff 01:56 < jrmithdobbs> all/none/single are the current ones? 01:58 < gmaxwell> and the anyone can pay modifier. 01:58 < jrmithdobbs> that covers everything I can think of / care about (contracts and escrow) 01:58 < jrmithdobbs> right right 02:00 < warren> jrmithdobbs: does that random embedded shit have any entropy source at all? 02:00 < gmaxwell> jrmithdobbs: oh no way.. say for example that you and 10 friends want to collaborate to raise a 50 BTC bounty. For that what you want is a txn with an ANYONECANPAY and an output that pays 50 BTC that everone signs, but then also a bunch of change outputs signed only by the person providing their inputs. 02:00 < jrmithdobbs> warren: some of it, yes 02:00 < jrmithdobbs> gmaxwell: i always forget change 02:01 < gmaxwell> there are a bunch of examples where change gets in the way. 02:01 < jrmithdobbs> gmaxwell: i thought it was enough to cover multi-party escrow, but ya, you're right=/ 02:02 < jrmithdobbs> to be perfectly blunt, though 02:02 < jrmithdobbs> would it really be such an imposition to have to pre-prep those inputs? 02:02 < gmaxwell> well you go from 1txn to 21 txn in that case. 
02:02 < jrmithdobbs> they're uncommon enough specialized txns that you're going to have an hour or so notice before hand usually 02:02 < gmaxwell> er 11 (I said 10 friends) 02:03 < jrmithdobbs> ya but 20 of those txns are very simple and easy to verify and already pass isStandard() 02:03 < warren> If one of those 10 gets hit by a bus, all that money is gone? 02:03 < gmaxwell> huh. no. 0_o why would you think that? 02:03 < jrmithdobbs> warren: huh? no the final couldn't be created until the first 20 were done 02:04 < gmaxwell> s/20/10/ for consistency. :) 02:04 < jrmithdobbs> right ;p 02:05 < warren> ugh 02:05 < jrmithdobbs> gmaxwell: the complexity of handling the change and the infrequency of the use of that type of mechanism ... is it worth handling the change? the minor txn spam argument seems pretty flimsy framed in this way 02:07 < jrmithdobbs> i could be convinced it's worth it if you could maybe postulate on some reasons why the use of multi party escrow or extremely complex contracts would be come the *norm* vs current simple addr txns 02:07 < gmaxwell> jrmithdobbs: Perhaps not. This is -wizards, I'm not talking about a pratical short term change to the system. 02:08 < jrmithdobbs> and i can maybe come up with some with some devil's advocate ones ;) 02:08 < gmaxwell> Handingling the change isn't the only gap in sighash types. They're just the one I was thinking about tonight. 02:08 < jrmithdobbs> oh i know i know 02:08 < jrmithdobbs> just talkin 02:09 < gmaxwell> Now I'm trying to remember what other cases were missing. 02:09 < jrmithdobbs> well it almost needs a _multi 02:09 < jrmithdobbs> so that one can sign more than just one part of nothing 02:10 < jrmithdobbs> but that gets hairy 02:10 < jrmithdobbs> err more than one part OR nothing 02:12 < gmaxwell> then there are things like partial constraints. sign output X but first normalize the value by min(value,1000000). "Output X must be at least 1 BTC". 
02:13 < gmaxwell> arguably you can do many of the applications by just SIGHASH_ALL but you can't do anyone can pay in that case. 02:13 < gmaxwell> one possiblity would be to have the scriptpubkey specify a masking script. 02:14 < gmaxwell> basically the only thing you sign is a script. And the script gets the whole txn pushed onto the stack and the signature is valid if the script returns true. 02:19 < jrmithdobbs> i dunno, i've been driving or flying for like 5 days straight now, i'm going to go sleep in my own damned bed finally ;p 02:21 < jrmithdobbs> actually 02:21 < jrmithdobbs> i think we're overthinking that 02:21 < jrmithdobbs> (not the sleep part, that's def happening in a bit, ha) 02:22 < jrmithdobbs> gmaxwell: i think all/one/none + anyone can pay *is* enough 02:22 < jrmithdobbs> gmaxwell: we're falling into that whole "one person/party == one key" mindset 02:22 < jrmithdobbs> if any party needs to sign multiple parts they use multiple keys 02:22 < jrmithdobbs> if proof someone is in control of said group of keys, that's trivial 02:23 < jrmithdobbs> if proof is desired* 02:23 < jrmithdobbs> but maybe i've been paying too much attention to zooko lately, ha ;p 02:24 < gmaxwell> uh. I think you should sleep, 'cause nothing I've said is at all one person = one key. material. :P 02:24 < jrmithdobbs> no it's not 02:24 < gmaxwell> jrmithdobbs: he doesn't have you freebasing bacon greese does he? :P 02:24 < jrmithdobbs> but i'm saying the cases where being able to sign multiple but not all/none parts can be solved with multiple keys per party 02:25 < jrmithdobbs> but ya, i'm incoherent ;p 02:26 < gmaxwell> jrmithdobbs: that doesn't work so well if you want to have everyone sign output zero, and then each person sighash single the rest. 02:26 < jrmithdobbs> why not? 
02:26 < jrmithdobbs> that just means you need to know how many keys per party and whether you want to bind their associations at the start 02:26 < jrmithdobbs> doesn't seem entirely out of the question 02:27 < gmaxwell> You're not making any sense to me. 02:28 < gmaxwell> Me and my N friends want to pay bob 50 BTC, and take our change. I don't even know N in advance. But I know I want bob paid, and I want my darn change back. Maybe I want to use N inputs too. in which case each of my N inputs wants bob and my change output to get paid. 02:29 < jrmithdobbs> i'll reread that in the morning/tomorrow and try and translate, i'm sure i'm saying what i think i am, just poorly :) --- Log closed Wed Mar 27 00:00:08 2013 --- Log opened Wed Mar 27 00:00:08 2013 16:58 < sipa> converting C++ to C is boooooring 17:00 < jgarzik> hehehe 17:00 < sipa> and changing a += b; into secp256k1_ge_add(&a, &a, &b); does hurt... 17:01 < warren> sipa: resulting code won't be any slower though, right? 17:01 < sipa> no 17:02 < sipa> btw, a friend of mine contributed x86_64 assembly for a few low-level routines: 20% speedup! 17:02 < warren> nice =) 17:20 < petertodd> sipa: Are you planning on eventually getting rid of the libgmp dep in your secp implementation? 17:20 < sipa> perhaps, yes 17:20 < warren> petertodd: I'm hoping he gets rid of openssl 17:21 < sipa> petertodd: that does mean writing our own mini bigint code, though 17:22 < sipa> which is somewhat stupid if very well optimized alternatives exist 17:22 < petertodd> What are the dependencies like for those well optimized alternatives? 17:22 < sipa> gmp :) 17:22 < petertodd> Ha 17:23 < sipa> and gmp doesn't have dependencies of its own 17:23 < petertodd> I'm working on a really preliminary design for a "merkleized forth"; it should have it's core written in C I'm thinking with no dependencies for easy auditing/running on microprocessors. 17:26 < sipa> eh, relevance? 
17:27 < petertodd> I'll need a fast secp256k1 implementation eventually, and probably a bigint implementation too, ideally ones that don't depend on malloc. 18:12 < warren> gmaxwell: regarding p2pool and your idea of share fork merging. There is a potential flaw in the share fork merging idea that I can't think of a solution. Say you allow a share to have up to 4 parents. If colluding buddy nodes own one of those parallel shares, what incentive do they have to relay competing parallel shares if any block solution they come up with is valid? They're better off excluding competing parallel shares as much as p 18:12 < warren> ossible. It would be difficult for the network to detect. 18:15 < warren> Hmm, I suppose it might work if the post-merge shares can be orphaned by another post-merge share that has more parents. 18:16 < warren> But are we then back with the original problem... 18:16 < gmaxwell> warren: as was already said before: the chain chain with the most difficulty wins. 18:17 < gmaxwell> and yea, you do end up with a circular issue there, I wasn't sure how to solve that. 18:18 < warren> gmaxwell: wouldn't this also exacerbate the frequency of new work? Every time your p2pool node receives a parallel share, you would have to restart mining? 18:19 < warren> If so we didn't really solve any problem here. 18:19 < gmaxwell> No. You use it if you have it. 18:19 < gmaxwell> The other work is late you usually have it from the prior cycle. 18:20 < warren> I'm not following. Whenever you receive a new latest share, work restarts at that moment no? 18:21 < gmaxwell> warren: I'm concerned that you're using the word 'restart' 18:22 < gmaxwell> You switch to work based on that, sure. 18:23 < warren> And isn't that switch where we currently have the work return latency issue? 18:23 < warren> Your local node switches work after you receive a new tip share. 18:23 < warren> "Late" shares come in, parallel to your tip share. 
18:24 < gmaxwell> Yes, but prior to that happening you've recieved some straggling shares from other peers. 18:24 < gmaxwell> Late shares came in during the prior interval. 18:25 < warren> I might be missing something crucial in understanding this. 18:26 < gmaxwell> The late is merging not shares that were competitors for the current head but shares which were competitors for the prior one. 18:28 < warren> How does that avoid switching work more often than 10 seconds? 18:30 < gmaxwell> What would you switch to? Height-100 comes in, you compute work based on H100 that merges H99 competition. If you get any H99 work after you recieve H100, you reject it. 18:31 < warren> So H101 merges the paralell H99's. 20:36 < maaku> Then you can use it to say "I encrypt this until the network expends X computational cycles" 20:37 < gmaxwell> maaku: no, that gives you no control of the time at all. And you _do_ guarentee that all keys are moved through for all levels under the difficulty. 20:37 < maaku> lack of control over tiem is precisly my point... 20:37 < gmaxwell> you can achieve that in the multilevel scheme by threshold encrypting. 20:38 < gmaxwell> basically the multilevel scheme allows you basically freedom between choosing absolute work, and absolute time (but with race ahead risk) 20:39 < gmaxwell> e.g. you can encrypt the problem to X=0 * 1000 or X=0*500 + X=1*500 or X=0*250 + X=1*250 + X=2*250 + X=3*250 ... to achieve absolute work (to whatever degree you wish to approximate it) 20:40 < andytoshi> [unrelated] new optimization of koblitz curve optimization: http://eprint.iacr.org/2012/519 20:41 < maaku> gmaxwell: but presumably you reveal which ones you encrypt against right? (to avoid combinatorial explosion in decrypting) 20:42 < maaku> so someone need only "work ahead" those keys to decrypt 20:42 < gmaxwell> or you can encrypt to X=0 only, and have absolute time but perhaps a race-ahead risk if the difficulty goes way up. 
Or you can have some guess at future difficulty (e.g. if the system is already on asics, then projecting mooress law or whatever).. or you can use all of these at once. 20:42 < maaku> (and if they're a miner they can later reuse that work for the subsidy) 20:42 < gmaxwell> No, the work can't be reused. 20:42 < gmaxwell> The attempts you make in the cracking are based on the hashes of the prior blocks, or you don't have a consensus. 20:43 < gmaxwell> maaku: But what I described there achieves absolute work ("X=0 * 1000 or X=0*500 + X=1*500 or X=0*250 +"), regardless of the difficulty. You can "race ahead" sure, but there is no faster way than doing a certan absolute amount of work. 20:44 < maaku> gmaxwell: I'm not sure I follow. the public keys are known in advance right? and the problem is to find the private keys right? 20:45 < gmaxwell> maaku: correct. The hash of your header tells you what part of the solution space to check. Finding a block requires proving you checked the right part of the space and found a distinguished point. 20:45 < gmaxwell> (a distinguished point is either the solution to the current problem, or some 'near miss' based on some arbritary criteria) 20:47 < gmaxwell> Wrt the absolute stuff, I was only pointing out that my hierarchical scheme allows you to get any mixture of "absolute work" or "absolute time with race ahead risk (diff overshoot risk)" or "absolute time with failure to decrypt (diff undershot risk)" that you like. It's not perfect, by any means, but I think it could be reasonably successful. 20:49 < gmaxwell> maaku: e.g. forget that there is a faster way of solving ECDLP than just testing secret keys. To mine this you take your header hash and multiply it by the base point and then measure the current solution's hamming distance to the current digits of pi or whatever is the current x=0 target problem. If its below a threshold you have a x=0 solution. 
20:50 < gmaxwell> if you raced ahead previously, that work isn't useful to you because the secret keys you checked weren't derrived from hashing a vaid header. 20:50 < gmaxwell> (at least not useful for mining) 20:53 < gmaxwell> andytoshi: that paper is about classical koblitz which is for characteristic 2 fields. I can't believe people are still doing stuff with characteristic 2 in 2012. 20:54 < andytoshi> oh, damn 20:54 < andytoshi> also it's 2014 :P 20:57 < nsh> let's split the difference for another couple of days eh? :) 21:12 < nsh> *sigh* 21:12 < nsh> https://www.openssl.org/ <-- compromised 21:13 * gmaxwell not going to load a compromised site. 21:13 < nsh> just says "TurkGuvenligiTurkSec Was Here @turkguvenligi + we love openssl _" 21:13 < nsh> no html. but good policy :) 21:17 < justanotheruser> In blockchain time It's already April 2014 21:32 < gmaxwell> So I think I have a goofy convoluted protocol for centeralized timelocking, between alice and a clock though it requires having some substr opcode we don't have. 21:33 < nsh> what's at the centre? 21:33 < gmaxwell> The idea is that alice and the clock can make a (complicted) series of transactions which sets things up so that alice learns a public key for which the clock knows the secret. Alice and the clock both put up funds, if the clock releases the secret on time it gets both its funds back and alices funds. 21:34 < gmaxwell> If the clock releases the secret early, then it doesn't get its funds back. If it doesn't release it alice gets its funds. 21:35 < gmaxwell> the basic idea is that if you give me a signature with a key of yours, and if we had the right opcodes, I could write a scriptpubkey which allowed you to redeem it if and only if you reuse the same k value, thus disclosing the private key. 21:35 < nsh> hmmm 21:36 < gmaxwell> so then you setup a complicated sequence of timelocked n of m fiddly transactions so that there are three ways the thing can be released... 
early and the funds can only go to fee or alice.. ontime the funds go to the clock, or late and the funds go to alice. 21:40 < gmaxwell> I dunno if it would be useful though, esp I don't know how to prevent people from freeloading. E.g. alice publishes the initial signature and now any number of people can use that timelock 21:42 < nsh> i'm not sure that's too much of a problem, necessarily 21:45 < gmaxwell> well, if the bitcoin incentives are to have any point at all they should be fairly large... and it's not reasonable to ask clock to lock up funds for a long time without a considerable return. the more people who use it without paying the more incentive for clock to make a deal with someone and never disclose or disclose early. 21:47 < gmaxwell> how about a different one, how about a semi-anonymous quorum timelock. 21:48 < gmaxwell> N players have a distributed public private key. The private key is split into polynomial shares such that 50% of them are required to recover the private key. 21:49 < nsh> right 21:49 < gmaxwell> over time, some M of the N player drop out they vanish without any of the other playeryers hearing from them for a while, and so they do some quourum consensus and decide those M players are defunct. 21:50 < gmaxwell> They invite M new players, and do some protocol needing 50% of the original N to update help the new M players recover the shares of the M that left. 21:51 < gmaxwell> ignoring how you'd go about doing that how would this break down? 21:52 < nsh> i think i'm lost 21:53 < warren> http://www.openssl.org/ <--- sigh 21:53 < gmaxwell> nsh: well you get how you can have a key shared among many people such that you need a majorty? You can do this in ec groups such that there doesn't need to be any trusted dealer. 21:53 < nsh> sure 21:53 < maaku> if you love openssl you wouldn't do that... 21:54 < gmaxwell> nsh: just information theoretically, if M of the N leave, but M<N/2 the N-M could still recover the key. 
So the remainaing N-M should be able to help a new M users recover the missing shares of the missing M that left. 21:54 < nsh> (maybe they love openssl, but not as much as fleeting noteriety in dubious social circles) 21:55 < nsh> gmaxwell, can they repopulate without revelaing the secret itself though? 21:55 < nsh> that seems less obvious 21:55 < gmaxwell> (after all, they could just recover the whole key and than split it up again) 21:55 < nsh> depends on the sharing scheme i guess 21:56 < gmaxwell> nsh: Yea, I haven't figured out how to do it, I'm pretty sure it can be done though. Just assume they can for the moment it's pointless if the scheme isn't useful regardless of doing that. 21:56 < nsh> okay 21:56 < maaku> nsh: probably helps them get their next job. i've heard that some major art thefts are only to enable the theives to get "in" to an organization 21:56 < gmaxwell> nsh: or actually I'm completely sure it can be done, I don't know how easy it is to do it. 21:56 * nsh nods 21:57 < gmaxwell> nsh: I'm completely sure because the remaining N-M plus new M could use secure multiparty computation to secretly regenerate the whole key and then split it back up and give it to the new N users. 21:57 < nsh> yes, that makes sense 21:57 < gmaxwell> Though I also think its likely that there is a less horriffic way than invoking SMPC. 21:57 < nsh> modulo some computational/bandwidth costs 21:57 * nsh nods 21:58 < gmaxwell> seems to me that you could get a pretty darn robust timelock this way. 21:58 < gmaxwell> you just need some sybil resistant way to select players. 21:59 < nsh> i'm missing bits still. how do you go from N of M secrets (with dropouts and repopulation) to timelock? 21:59 < gmaxwell> And then you can do {magic} to continually redistribute the key so that people coming and going don't break you. 21:59 < gmaxwell> oh just as the "rules of the system" the N parties agree that once the time passes they'll all publish their keys. 
21:59 < nsh> backed by fidelity bonds? 22:00 < gmaxwell> So it's secure so long as the majority follows the rule. But systems like that often aren't pratical because they don't handle the members changing over time. 22:00 < nsh> hmmm. i don't know how easy it would be to find N people who would reliably publish on schedule 22:01 < gmaxwell> nsh: maybe? or love for their commnuity. It's not like this is an expensive operation. Generally the reason I think majority of N systems are not pratical isn't that you can't trust the majority for most things you'd want, but because of membership complications. 22:01 < gmaxwell> nsh: well its not people, of course, it's people's software. :P 22:01 < nsh> sure :) 23:34 < jrmithdobbs> it's packaged for ubuntu and debian but not in their repos 23:34 < warren> sounds like something that uses ec 23:35 < jrmithdobbs> nah, ruby software 23:35 < jrmithdobbs> noone bothers packaging it because it's impossible to package gems in anything but gems 23:44 < warren> jrmithdobbs: hm, fedora seems to have a 100+ "rubygem-*" packages 23:44 < warren> Fedora takes years to come up with a packaging standard before something like this is allowed. 23:44 < jrmithdobbs> ya it's not packaged, i'm 100% sure of that --- Log closed Thu Apr 11 00:00:07 2013 --- Log opened Thu Apr 11 00:00:07 2013 00:12 < warren> My surgery is a few days before the conference, so sadly I'm not going. 03:11 < warren> gmaxwell: I just had a scary thought. Could p2pool's purported "bad luck" be attributable to a slightly higher chance of orphans because many of those nodes take longer to upload the new block than an ordinary high-bandwidth pool server? 03:14 < petertodd> Absolutely 03:14 < petertodd> >1MB blocks will without a doubt kill p2pool for that exact reason 03:15 < petertodd> Similarly p2pool has the inherent problem that it has no way to get participants to include transactions in the shares they solve. 
03:15 < warren> well, that's a benefit, if you believe in decentralization 03:15 < warren> I'm more concerned about the orphan risk 03:16 < warren> When a mining client like cgminer finds a block, what exactly does it upload to the pool server? (I never looked yet) 03:17 < petertodd> "Mining" clients, IE hashing clients, don't need to know what transactions are in a block and just upload headers. 03:17 < warren> ok, so that's fast and tiny 03:17 < warren> petertodd: even with GBT? 03:17 < petertodd> Yup, regardless of what size blocks are. 03:17 < petertodd> GBT is only from pool to client. 03:17 < petertodd> Oh, sorry, that's a bad way to describe it... 03:18 < warren> sure, but the client can change the tx set that it chooses to hash, so I assume it has to upload a lot more to the pool server 03:18 < warren> upon finding a block 03:18 < petertodd> Yes, the client with a true GBT setup needs to tell the pool what TX's they used, whcih is why GBT in that use scenario won't be allowed by pools. 03:19 < warren> Ah, so Luke-Jr's argument that "Eligius is decentralized mining" is not very accurate. 03:20 < petertodd> Yup, it's at best accurate with small blocks, and doesn't scale. 03:20 < warren> So it's fine for Litecoin, which has no tx's! 03:20 < warren> =) 03:21 < petertodd> GBT doesn't solve the competition problem either, that is, the expense of starting a new pool because the old one is dishonest. In addition, pool ops can divert hashing power to other pools, while witholding block solutions, as a way to attack those pools. 03:21 < warren> So ... p2pool can only truly compete with "normal" pools if the nodes are run with high bandwidth. 03:21 < petertodd> Exactly 03:22 < petertodd> Even worse, there is a free-rider problem where naturally people with low bandwidth can connect to p2pool and screw it up for everyone. 03:22 < warren> p2pool currently makes no attempt of optimizing peer selection, among other problems. 
03:22 < petertodd> If it did though it'd run into the same problems bitcoin would by optimizing peer selection. 03:22 < warren> forrestv made an excellent proof of concept, but it never went beyond that. 03:23 < petertodd> Yeah, I'm not convicned the proof of concept can be turned into something truly robust though due to inherent issues with Bitcoin. Issues that will be made truly insolvable with large blocks. 03:24 < warren> Perhaps if the nodes were encouraged to be hosted on high-bandwidth, and peer selection scoring measured peer quality in various ways. 03:25 < warren> This will matter if we want multi-ASIC owners to decentralize (not on the big pools). 03:25 < petertodd> Impossible not to game those things though - you can't prove to someone else that a third party posessed bandwidth. 03:26 < warren> You can score things like "who sent me the new share first" and "who responds with incredible lag" 03:26 < petertodd> Yes, but only locally. As I say, you can't prove to someone else that, other than by saying "I have a lot of hashing power and say so", which means your attacker just starts off with more hashing power, and votes for themselves. 03:27 < warren> It isn't really a vote, and the scoring is used primarily to figure out which of your peers is worst and to kick them out eventually. 03:28 < warren> By these measures a high-bandwidth node without hashers could be scored high. 03:29 < petertodd> Ah, yeah, locally that can work, on the other hand, it means you can attack P2Pool by running some high-bandwidth P2Pool nodes and doing stupid crap like splitting the network. 03:30 < petertodd> Hmm.... actually I may be wrong about that, if P2Pool merges splits together by including the work on both sides, which it should. 03:30 < warren> you'd need a large number, and you would need the actual hashers to never be connected directly to each other. Big hashers explicitly connect to each other by IP. 
03:30 < petertodd> Getting large numbers of IP's is really easy for attackers. 03:30 < warren> still, hashers will link directly to each other 03:31 < warren> forrestv is considering parallel chain merging as means to get rid of the current annoying 10 second work intervals 03:31 < warren> it's all talk now though, there are some design issues 03:31 < petertodd> Oh good, so he's not doing that right now, but recognizes it. 03:32 < petertodd> P2Pool also needs multi-levels eventually, to keep varience down. IE a p2pool that mines p2pool shares collaboratively. 03:32 < warren> forrestv's priorities are clearly elsewhere. He's wholly unprepared for ASIC's and seems uninterested in working on someone else's Avalon. Folks are waiting for him to get his own Avalon. 03:33 < warren> People thought of that. How do you prevent dust from getting too small? 03:33 < petertodd> he's a young kid in a hard university program, so I can't blame him. 03:33 < petertodd> The sub-p2pool shares don't have to communicate with each other, though yes, I'm sure there will be plenty of tricky design issues. 03:34 < petertodd> sub-p2pool chains I mean 03:34 < warren> right. the hard part there is just the dust gets too small. 03:34 < warren> p2pool LTC payouts are *already* too small for LTC's super high fees. Lots of complaints from CPU miners. (haha) 03:35 < petertodd> On, you mean the dust payments, that's what off-chain transactions are for. 03:35 < warren> off-chain transactions would be entirely outside of p2pool's design goals. If the code is implemented right (it currently isn't), you don't really have to trust the other nodes. 03:36 < petertodd> IE at some point there is someone paying sub-p2pool miners with off-chain tx's, possibly fidelity-bonded banking where you can take humans out of the equation in terms of trust. 03:36 < petertodd> Implemented properly fidelity-bonded banking relies on incentives, not trust. 
You are trusting the person actually holding the funds to be economically rational, because any fraud has huge costs to you. 03:36 < petertodd> But that's a long way off. 03:36 < warren> what is "fidelity-bond" in a nutshell? 03:37 < warren> the sub-p2pool would be centralized and easy to take down with a DoS attack? 03:37 < petertodd> Long story short, it's a way of proving you threw away value. 03:39 < petertodd> Doesn't have to be. You can have people's bigger nodes make promises to submit winning shares to the main p2pool sharechain, and make those promises dynamically. The actual messages can be passed around by p2pool itself, so you don't need to have any idea who is making the payout or what their ip addr is. 03:40 < warren> p2pool sends the new block to the other nodes *and* to bitcoind. That's promoted as a benefit as other nodes can propagate the block faster. gmaxwell explained this to me before but I don't remember the detail of exactly how much it needs to upload between nodes ... it could be far less than a full block because the block contents were already sent earlier. 03:40 < warren> So I suppose this could counter-balance the bitcoind upload being slower. 03:41 < petertodd> The same methods can be used with bitcoin itself, so p2pool stays at a disadvantage. 03:41 < warren> can? but would it? 03:42 < petertodd> Hard to say, worse case is the blocksize gets lifted without any of the optimizations getting implemented. Although that particular one, sending tx hashes rather than full tx's, is a really dangerous one because an attacker can use it to fork the network. 03:42 < warren> I don't know how that can be true though, given that each p2pool has its own bitcoind choose its own tx's to include. 03:43 < petertodd> p2pool would be making the assumption that tx's have propagated to the whole network 03:44 < warren> So if your patched your bitcoind to exclude SD spam, the sharechain block header upload won't succeed to reconstruct the block elsewhere? 
03:44 < warren> OH! 03:44 < warren> the p2pool log shows BLOCK FOUND and sometimes INCOMPLETE BLOCK FOUND 03:44 < warren> That must be it. 03:44 < petertodd> Interesting, that may be exactly the case. I don't actually know the full details. 03:45 * petertodd has a BFL and can't use p2pool. 03:45 < warren> BFL FPGA with the 5 second work return latency? 03:45 < petertodd> yup 03:46 < warren> what kind of hash rate and power usage does that have? just curious. 03:46 < petertodd> I forget exactly, but I remember it was exactly as advertised. 03:46 < petertodd> ~830 and 60W or something 03:47 < warren> nice. especially due to the ASIC delays that must have been good for you. 03:47 < petertodd> Slightly insane that my one unit was bringing in a theoretical $500/month at the very peak of the BTC price... 23:25 < gmaxwell> at least would damper curious operators somewhat. 23:28 < gmaxwell> amiller: for the green address case where you actually do trust the proximal sender, they should just be giving you a signmessage "I promise I won't doublespend txid 12345 with something not paying output 1abcde"--well_known_key out of band. :( 23:28 < gmaxwell> mtgox wouldn't implement that for near incomprehensibly stupid reasons. 23:28 < amiller> well you'd also need to have set the prior transaction old enough 23:28 < gmaxwell> yep. Sure. 23:28 < amiller> like you have to arm the proximal spender with a lot of time in advance, even if you don't know its destination 23:29 < gmaxwell> but thats why this is better than the version where the payee is the 'oracle': the spender could reasonable do this in advance if it were a common practice. 23:30 < gmaxwell> (Magicaltux got it in his mind that recovering the y coorid from the x in ecc was patented. 
Nevermind that this was disclosed in the original ecc paper, that the patents related to it are specific to specific performance optimizations on binary fields, and that you can't validate the bitcoin blockchain without doing recovery because of compressed keys... but because of this he won't implement signmessage) 23:31 < gmaxwell> (and he's uninterested in most other green-address type approaches because they require something like the payment protcol where the proximal payee communicates with the paid, and his real motivation for "green" addresses was silk road whom he doesn't want to connect to) --- Log closed Mon Sep 02 00:00:00 2013 --- Log opened Mon Sep 02 00:00:00 2013 02:25 < gmaxwell> 23:05 < jorash> gmax: cheers, research is done < I have upgraded my personal assessment of this guy to scammer. 08:38 < Luke-Jr> heh 08:38 < Luke-Jr> if it really was done, I could have BFGMiner doing it in a few hours :p 08:43 < sipa> doing what? 09:02 < Luke-Jr> sipa: efficient quantum simulation to find the solution to a block ~instantly 09:02 < Luke-Jr> ie, break SHA-2 09:05 < sipa> lol 09:27 < Luke-Jr> yeah, pretty much XD 09:39 < HM> oh bollocks 09:41 < gmaxwell> he's surprisingly resistant to the argument "okay, fine, lets say your faster than QC computation on a desktop thing is true ... why do you want to mine bitcoin with it? it would make bitcoin worthless" 09:42 < gmaxwell> presumably because that argument gets in the way of asking for funding. :P 09:42 < gmaxwell> man we should hook him up with the people funding this gonzo altcoin things that work by spamming the blockchain. 09:42 < gmaxwell> at least the funding would go someplace less harmful. 
:) 10:16 < Luke-Jr> heh 10:16 < Luke-Jr> I've been careful what I say to him, in fear that he might manage to scam people using my ideas <.< 10:41 < Luke-Jr> also strikes me as odd that he can't wait months for funding --- Log closed Tue Sep 03 00:00:03 2013 --- Log opened Tue Sep 03 00:00:03 2013 15:49 < gmaxwell> amusing: people here have been chasing a bug for some users where the workaround has been to just recompile the browser and push an update.. and something non-determinstic in the build makes reported crashes go down. 15:51 < gmaxwell> Turns out there is some revisions of some AMD SOC where when the processor is in some state, and there is a branch misprediction, and then within four intructions from the mispredicted branch there is another branch.. then sometimes it resumes execution 15 bytes later than where it should have. And the build non-determinism seemed to be influencing if that 15 byte offset was a valid instruction or not. 16:00 < jgarzik> gmaxwell, makes one want to distcc each built file to N machines, and verify results match 16:52 < Luke-Jr> [20:52:22] <jorash> So, are we absolutely certain that GPUs are slower than ASIC --- ie. that devs are not missing something in the GPU miner code? 16:52 < Luke-Jr> gmaxwell: ^ lolwut 16:58 < gmaxwell> Luke-Jr: why are you talking to that guy still? 16:58 < Luke-Jr> gmaxwell: I wasn't, he just randomly spit that out :p 17:40 < midnightmagic> lol 17:42 < gmaxwell> For those not in #eligius, he continued on to demand citations for proof that GPUs could not efficiently simulate mining asics, and for proof that mining asics are not turing complete. (and then I gave up and pushed him into a volcano) 17:45 < gmaxwell> ... PM from him: 17:45 < gmaxwell> 14:42 <jorash> you just turned Skywalker into Vader. 17:45 < gmaxwell> just for the record in case my volcano dunking makes him actually go out and prove BQP is in P, so I can collect my credit for this contribution to the effort. 
20:15 < midnightmagic> VA-DER va-DER! va-DERRRRR!!! --- Log closed Wed Sep 04 00:00:06 2013 --- Log opened Wed Sep 04 00:00:06 2013 --- Log closed Thu Sep 05 00:00:09 2013 --- Log opened Thu Sep 05 00:00:09 2013 04:14 < gmaxwell> a pigeonhole principal violator looking for funds: https://bitcointalk.org/index.php?topic=288152.msg1958077;boardseen#new 04:15 < gmaxwell> next week we're going to have zeropoint energy people. 14:31 < midnightmagic> hah, awesome. 14:31 < midnightmagic> uber-compression to the rescue 14:33 < midnightmagic> comp.compression.research FAQ needs to be resurrected I guess 14:34 < midnightmagic> "and yes, this game idea would itself be worth millions if you knew everything it entailed" 14:34 < midnightmagic> i love it 15:34 < amiller> now i'm working on a paper about a proof-of-storage puzzle 15:35 < amiller> a couple of high profile professional researchers are surprisingly interested in this and so i get to collaborate with them 15:35 < amiller> it's basically the use-knowledge-of-blockchain-as-mining idea 15:36 < amiller> only they're less interested in it being the blockchain data itself, they think of it as storing arbitrarily useful unrelated data like library of congress, or maybe random user data if a user is willing to put up a bounty for storing their favorite data 15:36 < amiller> it doesn't really matter because the construction is the same 15:37 < amiller> i'm focusing on basically what the optimal mining strategy is for a puzzle like this 15:37 < amiller> especially if you have an ssd or a hard disk, and if you try to outsource it to a centralized storage depot somewhere 15:37 < gmaxwell> amiller: I was trying to come up with a way where the payment in the block would be paid to the author of a proof of storage proof in order to frustrate outsourcing the proof but didn't come up with anything great. 
15:38 < amiller> well we have two ideas 15:38 < amiller> one is just to rely on latency making it hard 15:38 < amiller> like outsourcing generally means having round trip latency 15:38 < amiller> and the more latency you have from selecting a nonce to learning the result, the more likely someone else will find an answer in that time, so it's bad for you 15:39 < amiller> especially if the number of iterations is set really high... but that's also bad for proof size 15:39 < gmaxwell> yea, well the latency potentially has other negative implications... like strongly favoring consolidation. 15:39 < amiller> i dont' think i like that approach over all 15:39 < amiller> it also means that an SSD is really ineffective 15:39 < amiller> er an HDD 15:39 < amiller> the other idea is to make the operation at each step actually be a signature 15:40 < amiller> therefore you either need to securely outsource / obfuscate the signing operation with your key 15:40 < amiller> or you need to give the outsourcer your key 15:41 < amiller> i like this approach better, but in any case it's interesting to experiment with the parameters and performance tradeoffs 15:41 < amiller> the main thing i'm interested in is 15:41 < amiller> since the random seek time is somewhat expensive in either case 15:42 < amiller> how much more efficient (in throughput) can you make it by having lots of puzzle attempts pipelined / in a batch 15:42 < amiller> so you can read one block of a file 15:42 < amiller> and service all the threads that are waiting on that block, basically 15:43 < amiller> i think it depends on the ratio of the inner state (one hash, basically) and the effective block size for the disk 16:06 < gmaxwell> amiller: yea, I've thought of making the pseudorandom permutation in the search a trap door, but I think that makes the proofs much bigger. 
--- Log closed Fri Sep 06 00:00:11 2013 --- Log opened Fri Sep 06 00:00:11 2013 11:07 < HM> the crypto debates with the latest SNowden revelations are so fascinating 11:07 < HM> *Snowden 11:08 < HM> It's kind of shocking to see Schneier outright saying he doesn't trust ECs like NIST P-521 11:15 < gmaxwell> HM: I don't think he was saying that. 11:15 < sipa> because of nist, or because of ec, or because of the p? 11:15 < gmaxwell> also IIRC P-521's parameters are the result of a nothing-up-my-sleeve procedure. 11:15 < sipa> indeed 11:15 < sipa> secp256k1 is much more "constructed" afaik 11:16 < gmaxwell> This isn't to say that they didn't have enough design control to steer it into something that they could optimize for. 11:16 < gmaxwell> But its not obvious how. 11:18 < HM> hmm, well maybe Schneier is misinformed 11:18 < HM> he said on his blog in response to a comment that he doesn't trust the constants out of NIST 11:18 < HM> specifically with regard to P-521 11:18 < jgarzik> are secp256k1 constants out of NIST? 11:18 * jgarzik never researched the "construction" 11:18 < gmaxwell> Yes. 11:19 < gmaxwell> hm actually they may be out of certicom ultimately. 11:20 < gmaxwell> so CSE instead of NSA. :P 11:20 < HM> lol 11:20 < gmaxwell> In any case, there isn't any known way that the public parameter choices could be backdooring these systems. 11:20 < sipa> yes, nist didn't standardize secp256k1 afaik 11:20 < gmaxwell> So I would be concerned that any _other_ random choice would be just as bad. 11:21 < sipa> only secp256r1, which they call p-256 14:29 < gmaxwell> Most of the examples I see are trivally exo-coin-able. The colored coin itself actually serves almost no purpose, there is some other system that assigns meaning to the coin, so you can usually do your transaction there. There are arguments to be made that the other thing might try to censor transactions, but it could just as well refuse to honor transactions... and bitcoin itself is pretty censorable. 
Maybe it isn't a wash, but I ... 14:29 < gmaxwell> ... think it's far less obvious a gain than it looks at first blush. 14:31 < gmaxwell> worse, since bitcoin is colorblind, it doesn't usefully compute artifacts that help make looking up your colored coins computationally efficient. .. and if you try to make it, via things like inefficient tag addresses and address indexes, you make the colored coins much easier to censor. :( 14:31 < adam3us> gmaxwell: i think the irrevocability surprisingly transfers to even issuer backed items (eg colored usdcoins, goldcoins etc) as well as shares, in a way that ripple can not 14:32 < adam3us> gmaxwell: the issuer may not let you redeem, but you can trade for bitcoin or other exchange tradeable cryptocurrency, and get out 14:33 < adam3us> gmaxwell: though i have reservations about literally coloring bitcoins due to the tx volume of nominal value coins (eg mtgox has internal transaction per second peaks over bitcoins max tps with 1MB block) 14:33 < maaku> gmaxwell: that's why we developed freimarkets, because colored coins were too limited in functionality and huge scalability red flags 14:34 < maaku> it's our answer to the question "if you were to hard-fork, what changes would net you the most bang for the buck in the most general way possible" 14:35 < BlueMatt> gmaxwell: yea, thats a bit washy...in many cases that is true, but putting the colored coins directly in the bitcoin txn disconnects the exchanging from the issuer having to deal with it. 
and given that in some cases the exchange is a different part from the issuer, that may be a desirable property 14:35 < adam3us> gmaxwell: yes i thought of the definitional anti-mastercoin-dust (msc=literal coloring based) possiblity :) if they disrupt the bitcoin network to the point of seriously affecting normal bitcoin, the necessary openness and detection of coloring implies they can be blocked 14:35 < maaku> adam3us: well, anyone who thinks a decentralized exchange is going to surpass mtgox volume is fooling themselves 14:35 < BlueMatt> ofc there are plenty of cases where colored coins could easily just be handled directly by the issuer in a non-colored-coins way with the same security model (+/-) 14:36 < maaku> although you can take the idea rather far - if, like freimarkets you only ask for concensus on matched trades, not the order book, then you could probably reach mtgox circa-2012 levels 14:36 < adam3us> gmaxwell: actually let me retract that - the way msc does it most likely (and i didnt look at it beyond the initial paper) it could be blocked, but that may not be inherent, eg like my committed tx proposal demonstrates yo can hide the nature of your tx even from all hostile miners 14:36 < gmaxwell> BlueMatt: a bit, but there are big advantages to not dealing with bitcoin. like... there is no promise that your colored coins will actually be transferable in bitcoin in the future. So even if the company is honest, the reality of bitcoin might make life hard for you. 14:37 < gmaxwell> adam3us: the schemes that hide though make the data even less public... and of course, if you can hide successfully, you could also use that with the trusted creator-of-value. 
14:38 < adam3us> gmaxwell: i mean the committed tx feature that you can use bitcoin network validation for double-spend, without revealing addresses and tx details to the miners (or anyone not involved in the tx) due to commitments (hash tx detaisl including value, inputs, addresses) other than a one use recipient address to assure no double spending 14:38 < gmaxwell> Basically, whenever I've talked to people they've used examples where you can achieve it without bitcoin. maybe with some somewhat different tradeoffs. But since bitcoin is a _global_ broadcast medium, I generally default to "if you can achieve what you need without bitcoin transactions, you should" 14:39 < adam3us> gmaxwell: strongly agreed. however i wanted to say that you can do irrevocable digital bearer certificates on a block chain, even if they are not mined, just issued; the issuer can refuse to redeem, but you dont need him to 14:40 < gmaxwell> adam3us: yea, now the annoying thing there is that all the users of those systems have to forever be personally trancking every coin in their system, because bitcoin can't do the work for them. And, of course, if the private data needed to do the tracking gets released people can censor the commitments. 14:41 < adam3us> adam3us: because you can trade them, atomically p2p for other cryptocurrency, and if necessary via other exchange if you want fiat 14:41 < adam3us> gmaxwell: actually bitcoin can do the storage for them, what the user has to store in committed tx in that variant is tiny, fixed size 14:41 < maaku> adam3us: if the issuer stops redeeming, I doubt there will be much liquidity to do that 14:42 < adam3us> maaku: no i mean about irrevocable DBC status, ecash like status; in my lexicon something i snot a DBC or not ecash if it has fungibility issues arising from selective non-tradeability 14:42 < gmaxwell> yea, if you imagine a money like asset whos value is pure scarcity ... 
there is an argument, but of course a money like asset is competative with bitcoin and miners have all the more reason to .. uh not look kindly on it. 14:42 < maaku> but anyway i think it's rather rare that you need global concensus when there is a trusted issuer involved 14:43 < maaku> let an exchange or the isser themselves run an accounting server 14:43 < adam3us> maaku: i think you are over-estimating the issuers involvement 14:43 < gmaxwell> I think you're talking about different cases. 14:43 < adam3us> maaku: the point is once there are usd colored coins on the network , people wont need to use fiat wire xfer to get into and out of gox etc 14:44 < gmaxwell> One of the things people talk about are shares in companies. (e.g. like bitcoin businesses) there have been a lot of bitcoin stock markets .. and everyone worries that the next one will vanish and swallow up everything.. and so they ask for something p2p. 14:44 < adam3us> maaku: they can load exchanges with usdcoin, or type3 exchanges that just order match and green sign confirm a p2p atomic swap btc for usdcoin 14:44 < gmaxwell> adam3us: LOLOLOLOLOL 14:44 < adam3us> gmaxwell: ?? LOL ref? 14:45 < maaku> adam3us: what happens if the person acting as the gateway for usdcoin up and disappears? 14:45 < gmaxwell> adam3us: because everyone is totally going to be trusting that their adam3-usd is redeemable. That idea is a farse. Especially because creating notes for USD is generally believed to be regulatory unlawful... which is problematic if for nothing else than because you need the USD to actually be transferrable at some point. 14:46 < BlueMatt> adam3us: ehh, it still requires a similar level of trust on issuers... 14:46 < adam3us> maaku: sure, no diff to now what happens if gox goes under and you loe your goxusd (which btw are only worth 90c on the dollar) 14:47 < gmaxwell> adam3us: yea sure, but gox acts as a centeral clearing house. So goxusd is (in theory) liquid. 
14:47 < adam3us> gmaxwell: "adam3-usd" tee hee pun. in my way of thinking some innovator sticks their neck out forms a company in a digital currency conducive jurisdiction and issues them with auditors, banking reuglation and everything else that goes into it 14:48 < gmaxwell> We could call it DigiCash, if the name isn't already taken. 14:48 < adam3us> gmaxwell: its not liquid there are extreme backlogs getting the money out, daily limits, per tx limits, multiple month delays thats why its wort 90c on the dollar 14:48 < maaku> adam3us: hence our decision to domocile in St Vincent... 14:48 < gmaxwell> adam3us: that was the "in theory" part. Still, people consider it better than random-scammer-usd. 14:48 < adam3us> maaku: again, go maaku 14:49 < gmaxwell> adam3us: and in these cases you don't need colored coins for any of this. Have random-scammer run an open transactions server. The RSUSD is useless if RS goes kaput in any case. 14:49 < maaku> but the earlier point, that goxusd has any value is because you trust mtgox ltd. to redeem them (or you slightly trust them, and have 0.9 valuation) 14:49 < adam3us> gmaxwell: clearly its better if its a person people know, using their real name, with a real company in a credible, well regulated banking jurisdiction, with transparency, credible investors and backers 14:50 < maaku> you're trustin them to be honest anyway, so what is gained from public, global consensus of goxusd transactions? 14:50 < adam3us> gmaxwell: i dont think thats true; yes if it goes under you're in as much trouble as if gox goes under; but gox lived for some years so far, an presumably a few more yet 14:50 < gmaxwell> adam3us: sure, and if it is they can maintain their own ledger ... even using chaum tokens. 14:50 < adam3us> maaku, gmaxwell: again DBC have to be irrevocable or they are not DBC 14:50 < maaku> DBC? 14:50 < adam3us> digital bearer certificate 14:50 < maaku> ok 14:50 < gmaxwell> adam3us: if gox goes under all goxusd is worthless.. 
if RS goes under all RSUSD is wothless. Why not make RS run the ledger for them? 14:51 < adam3us> back in like 1995-2005 there were people running around ranting about DBCs, smart-contacts, chaum ecash etc 14:51 < adam3us> gmaxwell: there is a difference 14:51 < adam3us> gmaxwell: the ledger is central it can be hacked 17:24 < jtimon> of course we agree that most of the volume will be off-chain 17:24 < maaku> hopefully the law will change to be more bearer-instrument friendly, but until then... 17:25 < jtimon> until then maybe there's companies smaller than IBM and in other jurisdictions that can just issue shares without KYC 17:26 < maaku> yeah maybe we can start a movement for bitcoin startups in St Vincent and the Grenadines, as they have favorable laws towards bearer assets 17:26 < jtimon> but still IBM can be KYC compliant, I just don't think will be the most common case for in-chain assets 17:27 < maaku> but definately common for private servers, especially where convertible currencies are involved 17:28 < jtimon> what I still don't understand are adam3us and gmaxwell worries on "pseudonimously held" in-chain assets 17:29 < jtimon> I don't see the need for full anonimity in bitcoin itself, "user-defined anonymity" seems ideal to me 17:30 < maaku> jtimon: the issue is certain coins being marked as 'dirty' and black listed 17:31 < maaku> if you allow this to happen, it's a very slippary slope to full centralized, KYC control over bitcoin 17:32 < jtimon> but that doesn't makes much sense 17:32 < jtimon> who's going to maintain the centralized list of dirty coins? 17:32 < maaku> Financial regulators 17:33 < jtimon> and what happens to me if I spend those dirty coins? 
17:33 < adam3us> jtimon: you need in my view the transaction layer to offer final settlement otherewise legal disputes increase costs and we're back to status quo 17:34 < adam3us> jtimon: but that doesnt mean anonymous, you can attach KYC info outside the fungible bearer certificate 17:34 < maaku> jtimon: good for you if you can actually get rid of them. but the point is that *everyone* will be checking this list of dirty coins to make sure they're not receving anything tainted 17:34 < jtimon> if the bearer contract says that a chain transfer is final after 3 blocks, then is final after 3 blocks 17:34 < adam3us> jtimon: only if its block chain hardened 17:35 < adam3us> jtimon: otherwise a judge can come in and say that malware share hack, all those have to be undone 17:35 < adam3us> jtimon: and any consensus system will have to obey the judges in their jurisdiction 17:35 < jtimon> that's impossible 17:35 < adam3us> jtimon: i view it as the analog of why credit cards have high fees and why banks have high wire fees etc 17:35 < maaku> adam3us: well, widely deployed coinjoin woudl be sufficient too, right? 17:36 < adam3us> maaku: sure, the main point is it is defacto impossible to undo because you cant tell you are punishing the right person 17:36 < jtimon> the judge can't just say, "hey, Bob, undo the last 1400 bitcoin blocks where you stole the IBM shares from alice" 17:37 < adam3us> maaku, jtimon: but it is orthogonal to identity, pseudonymity, privacy (say every knows everyone they interact with and can prove it btu the block chain doesnt see it) etc 17:37 < adam3us> jtimon: right thats good, the bad part is when they got to the OT server and undo the share 17:37 < jtimon> if privacy is possible, full traceability is not 17:38 < adam3us> jtimon: maybe not enogh assurance.. 
courts are very fuzzy, if there is a common sense argument as it being obvious who it was, they'll do it anywy 17:38 < adam3us> jtimon: i think privacy has to be near uniform ideally 17:38 < adam3us> jtimon: with identity added back on top as needed 17:39 < adam3us> jtimon: so you can prove who ripped you off, take them to court, and get a decision requiring them to reimburse you; but not get the court to find the actual share and give it back 17:39 < jtimon> but the thieft is the one responsible for the crime, not the person currently holding the coin 17:39 < jtimon> exactly 17:40 < jtimon> how that's not possible with the current input/output system? 17:40 < gmaxwell> Luke-Jr: I don't know that it matters, tracable = censorable. They can refuse to acknoweldge any share that hasn't had its whole history through KYC. 17:40 < adam3us> jtimon: yes, but we are not sure courts will care about that distinction, logical though it is, hence eg bitcoin fungibility worries from taint tracing, maybe a thief victim sues someone with deep pockets (gox) to get back their stolen "digital stamp collectible" from gox under handling stolen property rules 17:40 < adam3us> gmaxwell: yes and that could happen 17:40 < Luke-Jr> maaku: whenever it doesn't matter between public/shared or private, private is always the better option 17:41 < adam3us> gmaxwell: so i think give them the kyc, have opacity (privacy, but kyc inside provable by user), but have fungibility level anonymity of the bearer asset people are attaching the required KYC to 17:42 < jtimon> but with private the accountant (the server) has full control 17:42 < jtimon> with in-chain assets they only have control over issuance and redeption 17:43 < adam3us> jtimon: well one argument gmaxwell made above i that there were a few bitcoin related share issuing/trading compnies over the few years that were shutdown or disappeared leaving customers with claims on a nn-existant server 17:44 < adam3us> so it seems minimally necessary 
for the bearer asset/share to survive a transaction server shutdown 17:44 < jtimon> yes, scams will be possible under any system 17:44 < jtimon> I'm just talking about cheaper auditing 17:44 < adam3us> jtimon: i dont really mean scams, just that if the server shuts down for some reason 17:45 < adam3us> jtimon: you want your shares in the companies that were trading on it to persist and be tradeable and accountable afterwars 17:45 < maaku> jtimon: GLBSE being the example 17:46 < jtimon> that's a reason to better use colored coins for it, no? 17:46 < jtimon> there's no "accountant", the chain is the accountant 17:46 < gmaxwell> jtimon: dude, a chain is _far_ from free. 17:46 < adam3us> yes i guess thogh we should separate the term colored coins because its a mechanism (and maybe not the best one) to achieve bearer assets 17:46 < jtimon> with GLBSE you had to trust both issuer and accountant 17:46 < gmaxwell> It's basically the most expensive account system to ever be imagined, it actually sounds like a joke until you reason out that it can work at least at some scales. 
17:47 < jtimon> ok, p2p bearer assets 17:47 < adam3us> i think you probably can use a side chain or something to spare bitcoin the volume of nominal value transactions which it badly does not need 17:47 < adam3us> jtimon: yes good name 17:47 < jtimon> or just in-chain assets 17:48 < adam3us> jtimon: so maaku was discussing above about using OT servers 17:48 < adam3us> jtimon: however while there are receipts and users can switch to another server, its still quite centralized 17:48 < maaku> adam3us: well really I advocate for Freimarkets' private accounting servers, but OT is better understood to this crowd 17:48 < jtimon> gmaxwell, in-chain assets can be far more scalable than current colored coins 17:48 < adam3us> jtimon: and the threat is basically if the system degrades the users migrate to a chain i suppose instatiated with the receipt history 17:49 < jtimon> I don't like OT much 17:49 < adam3us> maaku: (yes i hae some reading to catch up on, i dont mean to focus on OT, just i did not yet read the paper you published some time back) 17:50 < jtimon> OT assets are not atomically tradeable for in-chain assets, or even assets in other OT servers, for that matter 17:50 < adam3us> jtimon: in chain do u mean an altcoin with p2p assets on it? like a bitcoin extension that includes the asset issuer signature rather than mining evidence 17:50 < jtimon> yes, basically that 17:51 < jtimon> no 17:51 < jtimon> I mean, yes, the asset issuer signature is only required at issuance 17:51 < adam3us> jtimon: but that meets gmaxwell point that chains so far dont scale that far 17:51 < adam3us> jtimon: (yes) 17:52 < gmaxwell> jtimon: almost anything with script as powerful as bitcoin can be near atomically traded with bitcoin. 
17:52 < jtimon> we could have bigger blocks
17:52 < adam3us> jtimon: at least while retaining their p2p nature (bandwidth too high if 1GB block eg)
17:52 < gmaxwell> jtimon: https://bitcointalk.org/index.php?topic=321228.0
17:52 < gmaxwell> (this works just as well when the endpoints are on different cryptocurrencies)
17:52 < adam3us> that's 23mbit symmetric, i have nice internet in malta 100mbit/4mbit up but even i can't do that
17:52 < jtimon> yes, you cannot run NASDAQ on a p2p chain, I know
17:53 < maaku> adam3us: it's the consensus algorithm that doesn't scale, not the block chain data structure itself
17:53 < adam3us> maaku: ok
17:54 < gmaxwell> jtimon: we could have bigger blocks < this isn't a free choice. There is a direct tradeoff with decentralization. Since the chain has grown from 2GB to 14GB we've gone from around 40k reachable nodes to closer to 4000 reliable reachable nodes (actually there was an uptick in the last week, presumably due to the market activity, but we'll see how it settles)
17:54 < jtimon> we have problems to solve that we won't have in the future
17:54 < maaku> just pushing transactions through a beefy central server could easily handle 1000's of transactions per second, even with checkpoints and secondary replication, etc.
17:54 < adam3us> i think actually (in exploring what could change about bitcoin validation) some of the design decisions arise from supporting SPV
17:54 < gmaxwell> So yea sure, we could have bigger blocks but beyond some point it comes at a _direct_ expense of decentralization. If the goal to not use something like OT was because of better decentralization .. then that's counterproductive.
17:54 < jtimon> we don't need to download the whole chain
17:55 < adam3us> gmaxwell: agree, if that happens we have swift 2.0, and the miners will be public companies, they'd just as well sign paper contracts and stop mining
12:58 < andytoshi> as for the weird miner incentives, i'd really have to think about that
13:50 < Emcy> "BitTorrent Sync was designed with privacy and security in mind. The system uses SRP for mutual authentication and for generating session keys that ensure Perfect Forward Secrecy. All traffic between devices is encrypted with AES-128 in counter mode, using a unique session key. Modification requests are all verified using Ed25519 signatures and only systems with full access keys can generate valid modification requests."
13:51 < Emcy> that seems ok right. apart from the closed source ofc
14:02 < gmaxwell> lol
14:02 < gmaxwell> "Hmm. Low fat. Low Sodium. That seems ok right. apart from the gives you cancer part ofc"
14:07 < Emcy> but bt sync is so usable.....
14:09 < maaku> jtimon: having transactions expire is a requirement of the system we are building. no way around that
14:11 < Emcy> i did notice in the android client sync gives you the option to email somewhere that nifty shared secret string you just generated
14:11 < Emcy> derp derp
14:11 < maaku> Emcy: that email is PGP encrypted, of course? :P
14:12 < Emcy> of course not, just uses whatever email handler you have in android. Likely gmail
14:13 < Emcy> they should take that out and add the QR reader to the desktop app instead. The android client can already scan a QR produced by the desktop program, don't know why it's not both ways
14:13 < Emcy> i guess that's why it's still beta
14:18 < phantomcircuit> Emcy, i don't see any really good reason why you couldn't implement bittorrent sync with nothing more than a private tracker and a shared key
14:18 < phantomcircuit> it shouldn't even be that difficult
14:19 < Emcy> i think that's essentially what they've done
14:20 < Emcy> they've just automated the hashing and .torrent publishing parts, and have some sort of metadata files hanging around so the nodes don't get confused about timestamps and such
14:21 < Emcy> it seems to be really quite usable though so far
14:21 < phantomcircuit> Emcy, depending on whether you trust the filesystem's modification timestamp you can do all of this very very efficiently
14:21 < Emcy> it's not quite dropbox level of brain absentia though
14:21 < phantomcircuit> i'm surprised it took them this long to do it actually
14:22 < Emcy> yeah well no one wanted to do anything with torrent tech because muh piracy
14:22 < phantomcircuit> if they wanted to make it really fast they could share the block hashes for all the files
14:23 < phantomcircuit> so you have 2 files that are 90% identical you only transfer the diff blocks
14:23 < phantomcircuit> but i bet they didn't do that and have each file setup as basically a torrent with private peering
14:23 < Emcy> i think there was actually a BEP for that for normal bittorrent
14:24 < Emcy> a thing which could maybe bring avail. <1 torrents back from the dead by matching data blocks from seeders of other torrents
14:26 < jtimon> maaku I thought gmaxwell was proposing an alternative with multisig, but probably not the same use case
14:27 < jtimon> andytoshi, I'm not sure what you mean by "the whole transaction sub-DAG is risky", but I don't see how the 100 block wait is necessary
14:30 < jtimon> I'm not very informed on the bittorrent sync topic, but wouldn't a tahoe-LAFS GUI be better?
14:31 < andytoshi> jtimon: if a tx gets expired as a consequence of some reorg, the receiver of the btc loses out -- and so does everyone he spent to, and everyone they spent to, and so on
14:31 < andytoshi> the whole transaction chain is invalidated, so the risk model is the same as that for coinbase transactions
14:31 < andytoshi> hence the 100 block wait
14:31 < jtimon> that's the receiver's problem, why didn't he wait for reorgs to be unlikely?
14:32 < maaku> jtimon: they like the fact that any non-coinbase tx that hits the chain can only be made invalid by malicious/buggy clients
14:32 < jtimon> or by a later double-spend
14:32 < andytoshi> jtimon: because he's an spv node and he didn't know that there was an nExpiresTime tx 2 layers back in the blockchain
14:32 < maaku> jtimon: that falls under the malicious category
14:33 < jtimon> can SPV wait fewer confirmations than rational people just because they have less information about the global state?
14:33 < maaku> as you say, it is trivially solved by having the receiver wait 100 blocks, then you have the same security as other transactions
14:33 < andytoshi> jtimon: and actually, if people are doing this sort of analysis when considering whether to receive coins, then the coins are non-fungible
14:33 < andytoshi> (at least temporarily)
14:33 < jtimon> why 100? where does that number come from?
14:33 < maaku> or, alternatively, tracing inputs back 100 blocks to show that they are not expiring soon
14:33 < maaku> coinbase maturity
14:34 < andytoshi> jtimon: 100 is arbitrary, just to be consistent with coinbases
14:34 < maaku> i'm just saying that would get you to the same level - right now any bitcoin transaction could get reversed in a reorg of >100 blocks
14:34 < jtimon> if you wait 50 blocks you are probably pretty secure despite previous coinbases or expiries
14:34 < maaku> well not *any* txn, but as a SPV node you don't know which ones
14:35 < adam3us> jtimon: thanks for the url btw i was unable to find "original ripple" before archive.ripple-project.org! all other urls and history redirect to ripple.com which may be moderately different
14:36 < maaku> adam3us: significantly different
14:37 < jtimon> adam3us that link was to the 2PC distributed Ripple protocol, which is radically different from ripple.com
14:38 < maaku> jtimon: you know i think this is a non-issue, but it falls in a similar category as refheights
14:38 < maaku> you have to change your behavior slightly, and maybe adjust how clients/wallets work
14:38 < jtimon> everything is "off-chain" and you can actually trade 2PC assets for bitcoins (not btc denominated IOUs) atomically
14:38 < jtimon> if there weren't expiries
14:39 < jtimon> all clients should probably determine the "secure number of confirmations" from the value of the transaction received
14:40 < jtimon> my point is that with expiries, transaction value is still the more important criterion
14:40 < jtimon> for both SPV and non-SPV clients
14:41 < maaku> jtimon: the ~100 blocks of security becomes a concern during network-wide problems like the March fork
14:41 < maaku> where opportunistic people can build chains off of expiring transactions on the bad fork, and cause merchants to lose money
14:41 < jtimon> maybe some miners
14:41 < jtimon> sorry
14:41 < maaku> but there are solutions that could be put in place on the merchant and wallet side to fix that
14:42 < maaku> by estimating nethash you'd be able to see the drop in hash power that would signal a fork, and delay/postpone any irreversible actions
14:43 < jtimon> march fork was exceptional, it was an unexpected hardfork
14:43 < jtimon> what are the chances of that happening again?
14:44 < maaku> pretty high, just not on a regular basis
14:44 < maaku> or you can make 100 confirms, or something as absurdly high, the norm for high-value transactions
14:45 < maaku> and let clients/wallets use old coins with short proofs showing that they can't be reversed in less than N blocks
14:45 < jtimon> "high-value" doesn't exist in chain
14:45 < maaku> it's not something you have to reach consensus over
14:45 < jtimon> value is only in our heads, thus outside the chain
14:46 < jtimon> oh, I see
14:46 < jtimon> client policies
14:46 < maaku> i'm just saying the merchant waits until processing your gateway withdrawal or shipping your order or whatever
14:46 < maaku> yeah
14:46 < jtimon> yeah, I'm with client policies as well
14:46 < maaku> unless your client used old coins and provided proof, which could even be made the default behavior with little more than a UI checkbox for "expedited transaction"
14:47 < jtimon> in a certain way I'm with miners' policies too, I don't like "non-standard fees" for the long run
14:48 < maaku> so my position is that like refheights this is a developer education problem
14:48 < maaku> but what we get out of it is absolutely worth it
14:48 < maaku> what do you mean?
14:48 < jtimon> I still don't see how unexpected hardforks can be common anyway
14:49 < gmaxwell> who cares if it's common, if you play your cards right it's world ending.
14:49 < jtimon> and although I think the devs did the right thing, they could have chosen the other solution
14:49 < gmaxwell> As in .. some event happens and it can never be recovered.
14:50 < jtimon> it was the ref implementation which wasn't following the protocol specification
14:51 < jtimon> we could have had much lower hashrates until the ref implementation was fixed
14:51 < gmaxwell> ... that's what we did.
14:51 < gmaxwell> we fixed the ref implementation to match the old.
14:51 < jtimon> that's the opposite of what I'm saying
14:52 < gmaxwell> uh.
14:52 < maaku> gmaxwell: you get just as much gloom and doom from a >100 block reorg now, and merchant policies can limit their exposure to be the same
14:52 < jtimon> we said "the rules aren't the specification, the rules were the old implementation"
14:52 < gmaxwell> jtimon: something like 80% of nodes were on the other fork including every major merchant, it would have been a non-issue except for the fact that 3 upgraded miners constituted >60% of the hashpower.
14:52 < jtimon> we could have as well said "the rules are the specification, fuck the old implementation for not following it"
14:52 < gmaxwell> maaku: yes, >100. But the events we've had have been <20.
14:53 < maaku> "merchant policies can limit their exposure to be the same"
14:53 < maaku> the only guys who got screwed are the ones who weren't doing adequate coin safety
14:53 < gmaxwell> jtimon: gee that's nice, except for the 80% of nodes including all major merchants who were actively being defrauded.
09:15 < Emcy> if they accepted the loss of cpu mining then why the fuck are they even there? I feel the same way about some of what people want to do to bitcoin too
09:16 < Emcy> grq?
09:17 < Luke-Jr> get-rich-quick
09:18 < Luke-Jr> Bitcoin has value to non-miners
09:18 < Emcy> like i said, so many ltc pump threads on /g/ now that OPs are actually starting to get banned
09:18 < Emcy> i've even seen feathercoin and peercoin (whatever that is) threads
09:20 < Emcy> damn you know you're poor when you have to learn to mouse left handed cos that's the side the heat vent is on your laptop and you can't really afford as much heating as you need anymore......
09:20 < Luke-Jr> sure, my point is there's nothing left once the pump goes away
09:21 < Emcy> i gather ltc bubbled and popped this week. Again gathering from various butthurt on /g/ from people who just did what /g/ told them to.
10:47 < skinnkavaj> Dear wizards, how can I protect my site from being ddosed to death without giving up all control to a company like Cloudflare? It's impossible right? Would it work better if everyone used namecoin instead of the current dns system?
10:48 < Luke-Jr> namecoin does not improve the situation at all
10:48 < pigeons> namecoin wouldn't stop idiots from saturating the pipes to your ipv4 endpoints or the servers using those addresses
10:49 < skinnkavaj> So it's not possible to do what cloudflare does in a p2p decentralized way?
10:50 < Luke-Jr> p2p does not help against DDoS
10:51 < skinnkavaj> Right now it's not good that so many big exchanges use cloudflare. Really serious problem I think.
10:51 < Luke-Jr> they're just exchanges *shrug*
10:51 < Luke-Jr> it's not like Cloudflare controls the bitcoins or fiat
10:52 < skinnkavaj> But hack Cloudflare and people LOSE millions.. Of course it's not like everyone would stop using bitcoin. But it could lower the confidence in bitcoin for a longer period.
10:57 < Emcy> cloudflare is just caching or something
11:04 < Emcy> "I know you devs are busy selling coins, but you owe the community solving this problem at least, before buying your ferrari."
11:04 < Emcy> check out this fucker
11:04 < Emcy> this will kill bitcoin. Ignorance = entropy
12:48 < nOg4nOo> Good morning, bears.
16:00 < MoALTz> question: does it really matter what the PoW function is (as long as it's a valid PoW one)? counter-point to answering "no": the ASICs already invested in and running on the network
16:05 < HM2> I think it should be calculating pi to 5000 trillion decimal places
16:06 < HM2> where's sipa? I need his wisdom on serialising public keys
16:14 < maaku> MoALTz: yes, proof-of-work needs to be fast to compute
16:15 < Luke-Jr> s/fast/easy/
16:15 < Luke-Jr> where "easy" can be defined multiple ways
16:16 < Luke-Jr> eg, a memory-hard PoW would need to use less memory to verify
16:18 < phantomcircuit> Luke-Jr, it would be at least vaguely interesting to use a variable memory scrypt
16:18 < Luke-Jr> phantomcircuit: AFAIK scrypt always requires the same memory to verify as to find
16:18 < Luke-Jr> which is why it doesn't work as a proof-of-work
16:19 < phantomcircuit> Luke-Jr, iirc there is a "hardness" factor which can be changed
16:19 < phantomcircuit> it changes the number of prng's used
16:19 < phantomcircuit> maybe that's bcrypt
16:20 < maaku> phantomcircuit: yes, but that's symmetrical
16:20 < phantomcircuit> right but it would make developing ASICs for it very expensive
16:21 < maaku> i think Luke-Jr is talking about a hypothetical situation where a miner uses GBs of RAM in the search, but only kilobytes are required to verify
16:21 < phantomcircuit> yeah i know i'm talking about something different
16:21 < phantomcircuit> you would have to build them with extra prng pipelines that would go unused right up until the chip became useless
16:25 < jtimon> phantomcircuit to justify anything different from merge-mineable SHA-256 first you have to explain why ASICs are bad for "you" as a network
16:26 < phantomcircuit> jtimon, ASICs necessarily lead to semi centralized mining efforts
16:26 < jtimon> defining ASIC as an artifact specifically created to be only able to serve you as a security provider
16:26 < maaku> phantomcircuit: not in practice...
16:26 < phantomcircuit> capital costs and non recurring engineering costs dominate
16:27 < maaku> we've gone from very centralized botnets to very distributed asics
16:27 < phantomcircuit> electricity is basically just a footnote
16:27 < jtimon> it is now, let's wait until asics are really optimized
16:28 < jtimon> profits tend to zero no matter the pow
16:28 < Luke-Jr> [21:25:26] <nwoolls> https://github.com/nwoolls/bfgminer/blob/feature/updating-windows-build/windows-build.txt
16:28 < Luke-Jr> [21:26:51] <Anixs> my Avast said that was a malicious text file
16:28 < Luke-Jr> lol
16:28 < jtimon> and in the end electricity is what makes the difference
16:28 < jtimon> paradoxically, taxes/subsidies on energy
16:30 < jtimon> Anixs stop using malware and you won't need to install avast or update it
16:31 < jtimon> that's my generic answer when my relatives ask me about viruses "I'm sorry, I don't use viruses so I don't know much about antiviruses"
16:32 < Luke-Jr> :D
16:32 < jtimon> then people ask "what do you mean you don't use viruses"
16:32 < jtimon> -you know, malware is software that does things you don't want it to do
16:33 < jtimon> do you have windows installed?
16:33 < jtimon> -yes
16:33 < jtimon> -that's what I mean, I don't use viruses
16:34 < jtimon> I guess you could adapt it to mac in the us ;)
16:35 < jtimon> as said, the best thing an asic can do is serve you as network, GPUs can do many things and leave you in the dark
16:36 < jtimon> if litecoin dropped to 1 usd cent tomorrow
16:37 < jtimon> miners would go to a more profitable scryptcoin fairly soon
16:38 < jtimon> how long would it take for the next "faster than bitcoin confirmation"?
16:39 < jtimon> on the other hand, asics that are not mining namecoin are just rejecting cheap income
16:40 < jtimon> namecoin is far more secure than litecoin
16:41 < jtimon> people often forget the limitations of the attack 51
16:42 < jtimon> you cannot change the rules no matter how much hashing power you have
16:42 < jtimon> your orphan invalid chain contains more pow? good for you, you can eat it
16:43 < jtimon> we users are looking to the blocks that follow the rules, period
16:44 < jtimon> you can do bad things with 90% of the pow, sure
16:45 < jtimon> but the machines (capital) want to yield as much as they possibly can
16:46 < jtimon> and that's mining
16:47 < MoALTz> good heating if you live somewhere cold
16:47 < jtimon> not reorging
16:48 < jtimon> yeah but you will get the heat either properly mining or trying to disturb the network
16:50 < jtimon> so if all asics end up in iceland and alaska
16:50 < jtimon> and two meteorites hit those places at the same time
16:50 < jgarzik> iceland is ideal, for energy as well as cooling
16:50 < jtimon> it's not such a big deal
16:51 < gmaxwell> MoALTz: there are certain requirements which are met by secure cryptographic hashes and are maybe met by other things. In general it's useful that the work have no value outside of getting into the longest chain, though even for PoW merged mining breaks this a bit.
16:51 < jtimon> you just need to make a hard fork reducing diff deus ex machina and take the opportunity to change to maaku's diff filter ;)
16:53 < jtimon> gmaxwell what do you think about a snark-based pow in which you do "voluntary" (it would start to be paid) computing instead of sha-256?
16:54 < jtimon> that would be GPU friendly so "less secure" in that respect
16:55 < jtimon> I heard that "specialized is better" argument first from jgarzik, and it really convinced me
16:55 < gmaxwell> the only space and validation compact snarks I'm aware of let the chooser of the validation key (e.g. the circuit) bypass the proving time.
16:56 < gmaxwell> jtimon: also, it would sort of be dishonest, e.g. snark prover time is a huge multiple of program execution time. so this wouldn't usefully be a way of getting work computed for you in the real world, regardless of the fact that theoreticians like to talk about outsourced computation as though it were a real application of their work. :P
16:58 < jtimon> yeah, wouldn't it be magical? trust-less boinc?
16:58 < gmaxwell> also, as a side effect of their zero knowledgeness, all the compact snarks I'm aware of are trivially rerandomizable. E.g. you do execution once and then you can trivially generate an infinite number of distinct proofs from your first proof.
16:58 < jtimon> yeah, but with snark you don't need repetitions anymore do you?
16:59 < jtimon> boinc sends the same work unit to many clients to prevent them from lying
16:59 < gmaxwell> oh sure, but if it's 1000x slower... the repetitions are cheaper.
17:00 < maaku> jtimon: yes, but the cost of making the snark proof probably dwarfs the inefficiency by orders of magnitude -- what gmaxwell said
17:00 < gmaxwell> (and actually I think 1000x is really small as things are today, but perhaps with specialized hardware you could start to get it down to numbers like 1000x slower)
17:00 < jtimon> I understand, I just don't want to believe I guess
17:01 < gmaxwell> It's magic in any case, but all real magic has limits. :)
17:01 < gmaxwell> I think it's silly to promote this stuff with general delegated computation, but I think that's just what some of the research groups have found that gets them funded.
17:01 < gmaxwell> since if that actually was efficient, e.g. overhead < 2x it would be commercially interesting.
17:02 < jtimon> I don't know how many repetitions boinc does, but 2000 is still "unsecure" the way they do it, so maybe they use the 1000x thing
17:03 < jtimon> mhumm, I'm just speculating but I would say boinc does 100 repetitions or so
20:43 <@gmaxwell> petertodd: ah. point, right I knew this before.
20:44 < petertodd> gmaxwell: damned if you do, damned if you don't, unless everyone just uses the same nTweak, but then you have DoS attacks
20:44 < petertodd> gmaxwell: I mean, prefix-filtering has those DoS attacks too of course, but at least we know they're expensive
20:44 < BlueMatt> petertodd: this is why you don't use the same nodes multiple times (but mitm?: no, at that point you already know your target, what's the point?)
20:44 < petertodd> BlueMatt: your target can easily run a high % of the nodes on the network
20:44 <@gmaxwell> [OT] http://www.gwern.net/Blackmail I'm amused by this both because of gwern whining about people thinking he's satoshi while he's been super aggressively trying to deanonymize satoshi elsewhere, and also accusing random people of being satoshi. Also amused by the moron he's talking to who _can't_ get pgp right.
20:45 < petertodd> BlueMatt: s/target/attacker/
20:45 < petertodd> BlueMatt: less relevant given that bitcoinj doesn't do Tor yet, but one day...
20:45 < BlueMatt> petertodd: yes, at this point you're fucked anyway...
20:46 < BlueMatt> petertodd: (note the model here is a phone whose ip changes every 10 minutes)
20:46 < BlueMatt> petertodd: bitcoinj /does/ do tor now
20:46 < BlueMatt> (on master, no support for hidden services)
20:47 < BlueMatt> sure, with enough nodes you can AND everything together and find results which have large intersections, but that should be very expensive
20:47 < petertodd> BlueMatt: no, I don't think you necessarily are. e.g. many scalability schemes spread the work out over multiple shards, which means a client can just subscribe to some subset
20:47 < petertodd> BlueMatt: why? running nodes is cheap - all you need is ip addresses
20:47 < petertodd> BlueMatt: they don't actually need to even be unique nodes...
20:47 * gmaxwell waits for one of you guys to find http://percy.sourceforge.net/
20:48 < petertodd> gmaxwell: meh, that's the kind of thing only a wizard would understand, oh wait...
20:48 < andytoshi> gmaxwell: wpsoftware.net/coinjoin/chime.wav
20:49 < andytoshi> it is actually a MIDI of a c chord run through the fluid soundfont that came from fedra
20:49 < andytoshi> fedora*
20:49 < petertodd> BlueMatt: with payment protocols you're doing especially well, because fixed filters (prefix or bloom) mean it's basically like a well designed bitmessage: all the adversary knows is you keep on getting some consistent % of the transaction space
20:49 < petertodd> BlueMatt: they can't do any better than that to deanonymize you
20:50 < petertodd> BlueMatt: (ie, you never actually send a transaction) Handling sends can be done via special-purpose mixnets and what not too
20:50 <@gmaxwell> petertodd: except you suggest making the data visible to everybody instead of a finite number of possibly evil servers.
20:50 < BlueMatt> petertodd: I didn't say it wasn't possible, I know it's very possible to become some large % of network nodes
20:51 < petertodd> gmaxwell: not necessarily: remember the version where all you leak is the fact that *a* payment was made, not the details of what txout in the transaction was involved, which is doubly hidden via coinjoin
20:51 < BlueMatt> petertodd: I was saying that if you're a client whose ip changes regularly (ie you can't identify one client from one session to the next), then the AND attack is difficult due to the large cost of ANDing together all combinations of filters you've ever seen....
20:52 < BlueMatt> s/large/impossibly large/
20:52 < BlueMatt> generally the "ip changes regularly" part is quite ugly, but it's realistic on many networks, especially mobile ones
20:52 < petertodd> BlueMatt: problem is IPs don't necessarily change like that - NAT maps things to the same IP, and the clients leak a bunch of info because they give version strings
20:53 < BlueMatt> on android the upgrades happen at ~the same time, so version string doesn't leak much there
20:53 < petertodd> BlueMatt: sure in a perfect world the ANDs are hard, but that's a perfect world...
20:54 < nsh> 1. make perfect world
20:54 < nsh> 2. build cryptosystems
20:54 < BlueMatt> petertodd: agreed, there are certainly cases where it's not good...my point is just that coming up with a realistic threat model where these things break down and where the attack is still realistic is pretty hard
20:54 < petertodd> BlueMatt: heh, that's in some ways worse: you probably can use update lags to start tracking down your target, although at least that's an NSA adversary
20:54 < BlueMatt> (if you already know who it is, just go hit them with a wrench instead...)
20:55 < BlueMatt> easier for an nsa adversary to just hack your baseband :p
20:55 < BlueMatt> and, again, anyone who's concerned about an nsa adversary probably wants an anonymity set of the whole network, not any subset thereof
20:55 < petertodd> BlueMatt: maybe... they don't like using their sophisticated exploits if they can help it
20:56 < petertodd> BlueMatt: anyway, my main point is there's a shitload of tradeoffs involved here, and there probably are good designs that we haven't considered carefully enough
20:56 < BlueMatt> yes, certainly
20:56 < BlueMatt> my point is that there are more pressing issues as what we have is ~workable
20:56 < petertodd> BlueMatt: that there isn't a master tradeoffs document outlining the thought process isn't a good sign...
20:56 < BlueMatt> maybe with some small tweaks
20:57 < BlueMatt> petertodd: lol, what in bitcoin has such a doc?
20:57 * nsh imagines compropedia -- the definitive interactive animated guide to trade-offs in security models
20:57 < nsh> with sliders
20:57 < nsh> mmmm, sliders
20:57 < petertodd> BlueMatt: well, remember that it looks like electrum will be implementing prefix filtering because of how it fits their model well, so I'd like to understand that well, and this stealth address stuff involves a similar set of considerations
20:58 < petertodd> BlueMatt: gee, I dunno: http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03508.html
20:59 < BlueMatt> petertodd: ok, what before very recent stuff in bitcoin has master tradeoff docs like that?
20:59 < petertodd> BlueMatt: heh, fuck all
21:00 < BlueMatt> petertodd: :)
21:00 < petertodd> BlueMatt: I also gotta do one up for, dare I say it, mastercoin...
21:00 < BlueMatt> ewwwwww
21:01 < petertodd> BlueMatt: so much disgust as blank canvases, just waiting to be filled with beautiful consensus systems...
21:01 < petertodd> BlueMatt: s/as/about/
21:01 < BlueMatt> petertodd: anyway, the analysis for bloom filters was largely started on an original version that looked up input scriptPubKeys (which was a bit disk expensive, surprise, surprise...) and the privacy provided vs efficiency tradeoff on the client side was really quite good
21:02 < BlueMatt> petertodd: yes, I would like it if it were 1:1 pegged to bitcoin and on its own merged-mined chain
21:02 < BlueMatt> until then, ewwwwwww
21:03 < BlueMatt> petertodd: if you can come up with a script type that is easily matched by one element in both the scriptPubKey of an output and the scriptSig spending that output, the bloom filter model would go back to that
21:03 < petertodd> BlueMatt: it's not going to be merge-mined unless some major advances in crypto-coin theory are made
21:03 < BlueMatt> and the anonymity set could be ramped up with tiny thin clients being able to handle it fine
21:03 < BlueMatt> (eg, push the hash160(pubkey) to the back of the scriptSig after the pubkey/sig)
21:04 < BlueMatt> well, ok, if you can come up with a way to do it so that you don't risk missing txn if a key is imported to a different client (or block that?) and a good upgrade path
21:04 < BlueMatt> petertodd: why not?
21:06 * BlueMatt hurtles at a runway a few hundred mph and decides to get off irc
21:07 < petertodd> BlueMatt: isn't just defining bloom v2 that matches H(element) and element simultaneously enough?
21:07 < petertodd> BlueMatt: merge-mining is insecure
21:07 < petertodd> BlueMatt: ha, have fun
21:08 < BlueMatt> petertodd: too expensive for servers, I think
21:08 < BlueMatt> needs further testing, I suppose
21:08 < petertodd> BlueMatt: why? it's just one extra hash and comparison per element
21:08 < BlueMatt> petertodd: yes, a 1:1 pegged merged-mined coin can be more secure
21:08 < BlueMatt> there are currently 0 cryptographic hashes per element right now
21:08 < petertodd> BlueMatt: no it can't - merge-mining means the cost to attack is near zero
21:08 < BlueMatt> you're now making it 2
21:08 < petertodd> BlueMatt: hashes are fast...
21:09 < petertodd> BlueMatt: guarantee you disk io is a bigger problem
21:09 < petertodd> BlueMatt: also, those hashes can be cached easily and re-used for multiple clients
21:11 < BlueMatt> petertodd: yes, disk io is currently the problem, I'm not entirely convinced that the hashes aren't also expensive if you assume nodes are only serving some small section of the chain (ie the past 1k blocks served out of memory)
21:11 < BlueMatt> petertodd: if you're gonna cache them on disk, you should just match both scriptSig and the scriptPubKey it's spending
21:11 < BlueMatt> that's more general and as easily cached
21:11 < BlueMatt> anyway, actually landing
21:11 < petertodd> BlueMatt: heh, have fun
21:12 < petertodd> BlueMatt: That is a good point: any per block index of scriptPubKeys should have a per-block index of scriptPubKeys spent.
21:12 < petertodd> *of scriptPubKeys created
22:10 <@gmaxwell> andytoshi: can you setup a simple http page that gives a one line coinjoin status? e.g. something we could ask nanotube to have gribble query?
22:11 <@gmaxwell> andytoshi: e.g. the number of txn in the queue, popular output(s), time remaining.
22:12 < andytoshi> sure, one moment
22:14 < andytoshi> plain text?
22:16 <@gmaxwell> nanotube: what would be useful for gribble?
02:32 < petertodd> Yes, or more to the point, adapt the pow function to what they have no choice *but* to build. Fortunately memory is incredibly simple.
02:32 < adam3us> at present it seems the oligopoly is existing below that barrier
02:33 < adam3us> ie a non-profit could do what i said for now i think
02:33 < petertodd> It is, only because Intel doesn't make Bitcoin mining gear. When they decide they want to be in that market we'll have a monopoly controlled by Intel.
02:33 < adam3us> come up with the money for some big runs
02:33 < petertodd> Big runs that Intel can deny if they want to.
02:33 < adam3us> tsmc also can compete
02:34 < petertodd> For now they can compete, in the future either they or Intel will lose the race and there will be only one.
02:34 < adam3us> yes that is the limit, but we are far from that limit at the moment
02:34 < adam3us> limit that hw manufacturers will themselves hoard, premine, or refuse to fab or sell competing mining hw
02:34 < petertodd> We're not "far", we're just a few years away. The point is to have a viable pow scheme that can be useful when Bitcoin mining equipment itself becomes regulated.
02:36 < petertodd> ...and really, that's why I'm inclined to make the "work value" be proof-of-work*proof-of-stake, where the former acts as a random beacon for the latter.
02:36 < adam3us> then its what you said: someone really does have to find a way to make a gpu pow
02:36 < petertodd> Why would you want it to be a GPU? They aren't simple. Memory is simple.
02:37 < adam3us> yeah: proof of something they're building anyway for general use
02:37 < adam3us> that doesnt have a big hw/sw advantage
02:37 < petertodd> SRAM, DRAM, DDRAM whatever all consists of one or more banks, where each bank is an xy array of bits. It'll never get simpler than that.
02:37 < adam3us> my worry about ram is ram architecture may not be optimized for pow
02:37 < petertodd> Sure those banks get surrounded by reams of routing logic these days, but the routing logic area is always less than the area of the memory itself.
02:38 < adam3us> such that there maybe some hw advantage in novel ram architecture that they are not going to make for you
02:38 < petertodd> But that's it, ram architecture can't be optimized for a "fill it up with random junk, access randomly" PoW.
02:39 < petertodd> In fact, what you can do, is use hierarchy: your PoW consists of a *mandatory* selection of powers of two bank sizes over a wide range, so whatever is the bank size of the memory actually out there you meet it. (thus preventing power down tricks)
02:39 < adam3us> well there's a big diff in ram latency l1, l2, l3, main; and most of these memory bound have time-memory tradeoffs too (eg scrypt)
02:40 < petertodd> Yes, which is why you need to target multiple bank sizes to ensure that you force latency into the domain of commodity hardware.
02:45 < petertodd> BTW, so a modern SDRAM chip is basically a set of multiple banks, where each bank is an xy array; SDRAM stands for synchronous DRAM, and the synchronous just refers to how there is a synchronously clocked command/data bus as the interface.
02:47 < petertodd> So what happens on a random access? Well, the memory controller tells the chip "make bank n active", wait, "set row address to x", wait, "set column addr to y", wait, "read", wait, etc. Subsequent changes of row and col are quite a bit faster than the initial activate.
02:48 < petertodd> Why have the banking stuff? That's just because there's a size-speed tradeoff to bank size, make the banks larger and it takes too long for the row select signals to propagate across the surface of the chip due to the higher capacitance.
02:49 < petertodd> More to the point, what that means is the moment your pool of memory exceeds the size of the largest bank, every work-cycle includes some chance of having to turn the bank on - at a higher level as your working data set gets larger the latency increases.
02:50 < petertodd> The other trick is that if you don't access a given bank of ram the same can *somewhat* power down, but only somewhat. (DRAM still needs to be refreshed)
02:51 < petertodd> Either way, the optimal implementation "band" is very wide and what you're really doing is forcing the memory to exist, even though other than the bus interface it isn't actually getting used all that hard. But that's good, because the optimal bus interface is also a wide band of optimal solutions.
02:53 < petertodd> The power thing is important, because proof-of-work really comes down to proof-of-energy in the end, and we want to ensure that the memory access patterns are such that the data must be in DRAM so that the optimal minimal power design looks like commodity hardware.
02:53 < petertodd> Fortunately for all this stuff, conventional applications also have hideous access profiles where access jumps all over main memory due to how much programmers rely on things like linked lists, so engineers have optimized random access to death already for us.
02:55 < petertodd> Litecoin's scrypt implementation of course screwed all this up simply because the working set was designed to fit into L1 or L2 cache where the optimal implementation is very far from how conventional computers are made. But you know that...
02:57 < petertodd> ...and finally, so for future proofing, have multiple working sets of different sizes each consuming a small portion of total work. Sure you can have a stupidly optimized implementation for a 64KiB working set, but so what if that's just 5% of the work? UTXO storage proofs are nice here, because as amiller pointed out, the working set size is the data you should be good at verifying anyway.
12:16 < amiller_> "<adam3us> [02:31:44] u say: adapt the proof-of-work function to what they are building - maybe yes"
12:16 < amiller_> i say the alternative is to make them do r&d on whatever functionality you want, i.e. whatever helps the network scale
12:16 < amiller_> i think the idea of commodity hardware is unsupportable
12:17 < amiller_> people don't mine because they have spare commodity hardware
12:17 < amiller_> they mine deliberately
12:18 < jgarzik> petertodd, still prefer miner's fee to anyone-can-spend or burn-money. it's a public good, and the mechanism to sweep donated funds already exists, and is already automated.
12:21 < petertodd> jgarzik: anyone-can-spend *is* a miners fee
12:23 < jgarzik> petertodd, in theory only
12:24 < jgarzik> petertodd, in practice, miners will not update their software just for an experimental project. a true miner's fee is already supported by the system.
12:25 < petertodd> jgarzik: miners already need to update their software to attempt to redeem the announce-commit sacrifice, the step to collect anyone-can-spend is trivial
12:26 < jgarzik> petertodd, making miners unlikely to adopt either immediately, putting it in the user realm for the first many months
12:27 < petertodd> so what? just add anyone-can-spend to IsStandard() at the same time as adding prunably unspendable
17:21 < amiller_> so if i'm a miner i can generate identities for free, right
17:21 < amiller_> petertodd,
17:22 < amiller_> just pay my own money to myself?
17:22 < petertodd> Of course not: announce-commit means every miner has an equal opportunity to mine the fee.
17:24 < amiller_> i see so i announce it and then it's only the #100th block next that wins it
17:24 < petertodd> Exactly
17:24 < petertodd> Using nLockTime
17:26 < amiller_> i guess it would be pretty impractical to try to reduce the cost of identities by just trying really hard to be the one that mints that 100th block
17:27 < petertodd> Doesn't even have to be 100th block; mining is a random process so the next block is fine. (unless the sacrificed value >> block reward)
--- Log closed Sat Jun 29 00:00:46 2013
--- Log opened Sat Jun 29 00:00:46 2013
--- Log closed Sun Jun 30 00:00:56 2013
--- Log opened Sun Jun 30 00:00:56 2013
--- Log closed Mon Jul 01 00:00:01 2013
--- Log opened Mon Jul 01 00:00:01 2013
--- Log closed Tue Jul 02 00:00:04 2013
--- Log opened Tue Jul 02 00:00:04 2013
12:29 < jgarzik> petertodd, RE announce/commit, sorry missed that
12:31 < petertodd> Basically because we allow "pubkeys" to be up to 120bytes in size in the standard transaction code fitting a whole tx in a tx is actually pretty easy.
12:32 < jgarzik> petertodd, FWIW I'm currently thinking about how an alt-blockchain for this identity data could be timestamped into the blockchain in a normal transaction
12:32 < petertodd> Did you see my write-up in -dev for a 1s resolution timestamp chain? Not dissimilar...
12:33 < jgarzik> petertodd, what, do a 1-of-20 (picking absurd example) multisig, and stuff the whole tx in there?
12:34 < jgarzik> petertodd, I was pondering a rule that permits an OP_TRUE w/ a standard transaction inside, to be made standard
12:34 < jgarzik> petertodd, validate the inner tx according to IsStandard and spendable rules
12:34 < petertodd> Nope, a 1-of-3 just fits: 2d201879608ed2d14c362dff713a6d17d680cb42d5175dfe42e960e94736be04
12:35 < jgarzik> I dislike multisig hackery ;p
12:35 < petertodd> I was thinking of that too - weirdly like P2SH...
12:35 < jgarzik> petertodd, precisely!
12:35 < jgarzik> better than stuffing unvalidated data in odd places, IMO
12:36 < petertodd> I can see the anti-spam argument, although myself I'd lean more towards just allowing OP_RETURN <data> to have a decently sized payload.
12:37 < jgarzik> <= 80 bytes OR standard, spendable TX
12:38 < petertodd> As always unless we go to the extreme of gmaxwell's P2SH^2 people will always stuff data in the system.
12:38 < jgarzik> indeed
12:39 < jgarzik> IMO you strike a zen balance. Make it easy but not too easy
12:39 < Luke-Jr> petertodd: extreme? seems perfectly reasonable to me
12:39 < petertodd> The tx validation machinery could easily have its own bugs...
09:53 < BlueMatt> compete on regulation and refuse dumb things that america tries to push
09:53 < TD> EU governments can't/won't push back strongly against FATCA even though it means the end of their sovereignty, because they've all been on the war-path against "tax avoiders" so can't afford to look soft on tax now. especially as there are so many people who are being kept alive only through taxation
09:53 < BlueMatt> compete on regulatory burden and figure out what regulation should be instead of just taking what is forced on them from washington
09:53 < adam3us> they paid some lip service to that after snowden's haul revealed spying on the politicians themselves (merkel etc)
09:53 < phantomcircuit> BlueMatt, americans largely hate politicians
09:54 < TD> then it only takes a few to crack and what little unity existed is gone. divide and conquer. easy.
09:54 < phantomcircuit> but the reality is by and large we're wealthy enough that doing something about it is risky
09:55 < BlueMatt> phantomcircuit: for good reason
09:55 < adam3us> TD: well i hope the swiss vote against it, in their citizen led referendum; they managed to keep out of EU through the same process, the problem is the man in the street may not understand the issues well enough
09:55 < phantomcircuit> BlueMatt, dat welfare, placating the masses
09:55 < TD> the problem is if the swiss reject it, they will be completely wrecked
09:56 < TD> it's not just the USA that will impose massive sanctions. every other country that agrees to FATCA has to as well
09:56 < BlueMatt> phantomcircuit: lol
09:56 < TD> that's why it's viral and like an empire - countries that are theoretically "allied" will be forced to fight the swiss, or become enemies of the empire themselves
09:56 < TD> i don't think switzerland can survive a sudden, overnight 30% loss of trade and foreign assets
09:57 < TD> ultimately the swiss will have to agree that they are no longer a free, independent people, and relinquish that, or risk becoming the next iran
09:57 < TD> and that will be incredibly painful. i am not sure what they will do.
09:57 < TD> no other government is ever going to put this to referendum for exactly the same fear - that the people will reject this takeover, fight it and get killed in the process
09:58 < phantomcircuit> BlueMatt, sadly that isn't really a joke, my personal experience has been fairly strongly that people on welfare strongly support the governments power to tax and give them more money
09:58 < phantomcircuit> ironically they get all mad when some cop shows up and shoots someone
09:58 < TD> of course they do. you would too, if you were on welfare
09:59 < phantomcircuit> i've literally never met anybody on welfare who could see the irony
09:59 < phantomcircuit> TD, i honestly cant say i'll likely ever know
09:59 < TD> i wouldn't be too sharp there. times change. i've met out of work programmers who couldn't get a job for whatever reason.
10:00 < TD> but if you really can't imagine this, imagine it's your girlfriend/wife/son/daughter/best friend/whatever
10:00 < adam3us> so does fatca extend to other countries than US?
10:00 < phantomcircuit> TD, i went to high school with a ton of people whose parents were on welfare
10:00 < TD> the problem is not taxation. the problem is this idea that every government has to know everything about every country in order to implement it
10:00 < adam3us> i mean does it have implications for non americans?
10:01 < phantomcircuit> TD, (like nearly the entire school was on some sort of assistance)
10:01 < TD> adam3us: green card holders, ex citizens too. otherwise no. but the issue is - now america went ahead and did it, suddenly that strategy is legitimised. other parts of the world are talking about the same thing, which would have been unthinkable a few years ago
10:01 < TD> which is stupid because they can't possibly collect any significant amount of tax that way
10:01 < TD> even FATCA is seriously net-negative when you add up the costs and expected extra revenue
10:02 < TD> and the US has citizenship-based taxation which nowhere else does
10:02 < adam3us> TD: well there is also the EUSTD but realistically the UK is dragging its feet because its a bigger tax haven than switzerland (with its offshore dependencies)
10:02 < TD> so if the USA can't make it work, financially, nobody else can even get close.
10:02 < adam3us> TD: and austria is also pushing back
10:03 < TD> yeah but these places all have no chance.
10:03 < adam3us> TD: they are working on EUSTD2 at present
10:03 < TD> basically, the future is automatic data exchange between all countries.
10:03 < phantomcircuit> TD, and the vast majority of us citizens living outside the us dont end up paying much tax anyways
10:03 < phantomcircuit> (if any)
10:04 < TD> ah well, just wait until the people who were supposed to file lots of paperwork and didn't (because they didn't know/would have paid no tax) start getting their savings confiscated to pay the fines
10:04 < phantomcircuit> since the first 90k is exempt entirely and then you can deduct taxes paid to the local authorities
10:04 < adam3us> TD: UK might they have some veto power in europe and vested interest to keep their financial center status, and while they cant say it, they also like their offshore dependent's tax haven status
10:04 < TD> no, no, no they don't: http://www.caribjournal.com/2013/11/05/cayman-islands-united-kingdom-sign-fatca-type-agreement/
10:04 < TD> the UK is busy imposing its own fatca-lite on the caymans
10:05 < TD> anyway, i'm actually all for the idea that if you live in a country you should pay taxes there
10:05 < adam3us> TD: I think views on it are mixed, as i recall the guy who was reviewing one of these things for the uk govt, some lord or something, was himself the beneficiary of a like $100m offshore trust
10:06 < TD> FATCA is evil because for poor old americans there's no easy way to escape.
10:06 < TD> you can't just leave the country and say goodbye to the IRS
10:06 < TD> (and because of how it's being implemented)
10:06 < adam3us> TD: yes i agree - you have to vote with your feet, not dodge local taxes, that way lies legal risk
10:07 < phantomcircuit> TD, it's also fairly difficult to renounce your citizenship
10:07 < phantomcircuit> there's a comical number of people who think they have but in fact haven't
10:07 < adam3us> TD: the americans are screwed already. my wife and brother in law are american dual nationals. have to avoid joint accounts
10:07 < TD> oh dear. they should try and fix that ASAP
10:08 < TD> my brothers girlfriend is a dual british/us national
10:08 < TD> she can barely pay her british taxes, which are trivial. i bet she's never heard of an FBAR
10:08 < TD> i really worry one day her savings (or whatever she has of them) are just going to vanish
10:08 < TD> sent to the IRS to pay fines for not filing paperwork she never even heard of
10:08 < adam3us> phantomcircuit: correct. i do not believe you can renounce us citizenship. my sister in law did it, but i doubt it would make a difference if there is tax involved, they can reject the renunciation on tax grounds as invalid
10:09 < phantomcircuit> adam3us, no they cant
10:09 < adam3us> TD: yes my brother in law who lives in canada is avoiding flying to the us until his accountants work through the retroactive legislation
10:09 < jgarzik> TD, That's modern life in modern society. There are enough laws that (a) no one can credibly know them all, and (b) everybody is a criminal, because everybody is likely violating /some/ law like these.
10:09 < TD> they claim they can actually
10:10 < phantomcircuit> adam3us, you have to go into a us embassy on foreign grounds and renounce your citizenship to the ambassador
10:10 < TD> i've read this too. if the embassy suspects you're giving up citizenship for tax reasons, they can deny it
10:10 < jgarzik> Thus you exist at the whim of prosecutors not focusing their attention on you.
10:10 < phantomcircuit> TD, they can try but that would never fly in court
10:10 < TD> jgarzik: well, she hasn't broken any local laws. she was born into dual nationality, she never lived in the USA
10:10 < TD> phantomcircuit: which court? "citizenship" just means "the US considers you to be an owned asset". they can enforce whatever they like if they get brutal enough
10:10 < TD> courts or no courts
10:10 < adam3us> phantomcircuit: yes, it doesnt work. my sister in law got irish citizenship first, then renounced us; but if there was tax involved it is explicitly within their rule book that they can reject it or look past it for tax purposes
10:11 < TD> FATCA just bypasses the whole civic infrastructure of laws and courts. the banks will fine you for them
10:11 < phantomcircuit> TD, you'd end up having to sue the IRS
10:11 < TD> and you'd fail. you're technically a criminal, right?
10:11 < TD> (in their eyes)
10:11 < phantomcircuit> TD, im pretty sure you would succeed
10:11 < phantomcircuit> there's a reason that this has never gone to court
10:12 < phantomcircuit> they dont fight battles they will lose if they can bullshit people instead
10:12 < TD> i'm pretty sure you would fail. what ground would you have to sue them? they're just implementing laws congress wrote
10:12 < adam3us> phantomcircuit: courts dont work because they make the rules, and they interpret the rules, and they can interpret them very loosely and they have infinite money. you lose.
10:13 < TD> now this is all well and good, but the *real* fun will begin once the US starts to tax people and things that don't have any US connection at all
10:13 < TD> the current definition of "us person" is already so expansive that it bears little relation to the intuitive definition
10:14 < adam3us> TD: being the world currency reserve is a form of global hidden tax via USD inflation. its relatively significant bonus to the us
12:24 < petertodd> Just signed up for the Financial Cryptography and Data Security 2014 conference.
12:24 < petertodd> Who else is going?
12:26 < justanotheruser> I wish I could take a vacation to Barbados
12:27 < petertodd> justanotheruser: heh
12:28 < petertodd> justanotheruser: kinda eye-opening the overall cost - I'm gonna have to bring a tent :P
12:29 < justanotheruser> petertodd: Is Financial Cryptography conference a fancy way of saying bitcoin conference?
12:29 < petertodd> justanotheruser: yup, btc workshop on one of the days
12:30 < petertodd> justanotheruser: http://fc14.ifca.ai/bitcoin/index.html
12:30 < petertodd> justanotheruser: or more interestingly: http://fc14.ifca.ai/bitcoin/accepted.html
12:31 < justanotheruser> petertodd: what, interesting that RS are there?
12:31 < justanotheruser> Or just S
12:32 < petertodd> justanotheruser: ?
12:32 < justanotheruser> nevermind
12:32 < justanotheruser> Interesting that I don't see any familiar names on that list
12:33 < justanotheruser> Seems like a bunch of PhDs are going to explain bitcoin to the bitcoin devs
12:35 < petertodd> Ha, yeah pretty much from the looks of it, will make for an interesting workshop...
12:35 < petertodd> I think amiller said he was going, so maybe it won't be all people totally removed from the dev community.
12:35 < petertodd> (not that him and I write much code...)
13:11 < Emcy> petertodd sleep on the beach
13:16 < Emcy> did anyone figure out how TPB is planning to use bitcoin for its little thing
13:16 < Emcy> or have you been talking about it and its way over my head
13:17 < Emcy> they best not be spamming the chain......why dont they use namecoin instead
13:31 < maaku> Emcy: have they stated any details?
13:31 < maaku> all they've done is name-drop bitcoin, as far as I can tell
13:32 < maaku> their plan is, apparently, "BITCOIN!!"
13:33 < Emcy> sounds about right
13:35 < skinnkavaj> gmaxwell: https://litecointalk.org/index.php?topic=12404
13:36 < maaku> skinnkavaj: sure, google "geistgeld"
13:36 < Emcy> maaku isnt there a data field in a TX that can be used for arbitrary data without really bloating it
13:37 < Emcy> or something like that
13:37 < maaku> Emcy: sure, any OP_RETURN output
13:37 < Emcy> and that was specifically done to give people a place to dump their crap, if they must?
13:38 < maaku> yes
13:39 < Emcy> wait is that a new field or something repurposed? If its new isnt that just appeasement
13:39 < maaku> and by putting the hash instead of the data itself (or better, the Merkle root of a structure that can hold lots of data), you can keep the wire size small
13:39 < maaku> i think most people here are ok with committing data by hash to the chain
13:39 < maaku> it's an integral part of many of the protocols we design
13:40 < maaku> its just that putting raw data straight on the chain is wasteful, inefficient, and (if it's not provably unspendable) freeloads off of full nodes
13:41 < maaku> it's part of the scripting language not a specific field, and it's always been there
13:42 < maaku> it's just being made standard so it can be relayed in 0.9
13:42 < Emcy> so TX will get slightly bigger, albeit by something that was already in the protocol but disabled until now?
13:43 < maaku> not disabled, you could always use it
13:43 < maaku> just not relayed by default just like other non-standard scripts
13:44 < michagogo|cloud> maaku: It freeloads off of full nodes even when it's provably unspendable
13:44 < michagogo|cloud> It's still in the blockchain
13:44 < maaku> michagogo|cloud: no, full node != archival node
13:44 < maaku> it's not in the utxo set
13:44 < michagogo|cloud> It just isn't in the utx-
13:44 < michagogo|cloud> oh
13:45 < michagogo|cloud> Erm, do non-archival full nodes exist atm?
13:45 < Emcy> that archival node thing isnt really gonna happen is it? 6tb helium disks soon
13:45 < michagogo|cloud> Emcy: It's safe to assume that at some point in the future there will be non-archival full nodes
13:51 < Emcy> michagogo|cloud i hope not out of strict necessity, but to try and poke people into running a node at all
13:53 < Emcy> hmm asking on TPB irc and no one seems to know shit......
16:19 < maaku> at some point in the near future
16:20 < maaku> i know both petertodd and myself have separately gotten some money to work on a pruned bitcoind
16:21 < maaku> we just have the good sense to make sure that some other fixes make it in first
16:21 < maaku> like headers-first syncing, and being able to advertise which blocks you hold
16:38 < gmaxwell> the latter I think is most of the actual work in pruned bitcoind.
16:39 < gmaxwell> I mean, right now you can just delete the old block files and it works until you run a rpc that would access an old block or a peer tries to sync from you.. it's probably just a few lines of code to make those failures tidy.
16:39 < gmaxwell> and a few lines of code to just automatically delete old files.
16:49 < Emcy> id say it was probably a tradeoff worth making if the alternative is full verifiers dwindling to the hundreds because no one wants to run one
16:49 < Emcy> then again im not sure it will help, because even a pruned node is the same mental distance away from "just works instantly" as a proper node
16:50 < gmaxwell> Emcy: it's just a good thing to have even without that concern.
16:50 < gmaxwell> I now only run one full node at home and one on my laptop, because I just don't have the space for N copies of the blockchain.
16:50 < Emcy> SSDs?
17:31 < Guest22406> Anyone bought from iMine.org.uk?
17:32 < Guest22406> http://iminecryptos.webs.com seems to be their temp. page
19:19 < michagogo|cloud> Hmm, another benefit of pruning is that it means that a full node can be bootstrapped from another trusted full node very easily
19:22 < gmaxwell> michagogo|cloud: I don't see why you think thats a benefit of pruning.
19:26 < sipa> the only advantage is less data that needs to be copied in that case
19:26 < sipa> but making it easy to run in a way that requires absolute trust in another node is not really a priority
19:37 < michagogo|cloud> gmaxwell: because you don't need to copy 12+ GB
20:13 < Luke-Jr> combined with SCIP it could be trustless perhaps :p
20:13 < gmaxwell> Luke-Jr: yea sure, but we're currently a long way from authoring proofs of state for bitcoin.
20:15 < gmaxwell> e.g. see the benchmarks in 13:59 < andytoshi> a new snark paper from ben-sasson: http://eprint.iacr.org/2013/879
20:16 < adam3us> gmaxwell: just have to use it recursively as the pow :) (self-evident) proof of making snark proof as the pow
20:17 < andytoshi> adam3us: i was about to say that .. you'd have to tie the reward to the number of transactions considered, otherwise including transactions is costly
20:17 < gmaxwell> less crazy than it might seem.
20:17 < andytoshi> but can you do that in zero knowledge? i'd have to think about it
20:17 < gmaxwell> andytoshi: nah, just pretextually.
20:18 < gmaxwell> andytoshi: e.g. make your POW SHA256(SNARK_PROVE(SHA256(header)))<target ... (ignoring the fact that the pairing snarks are like.. perfectly malleable).
20:19 < andytoshi> just MAC them ;)
20:19 < gmaxwell> and of course you use a nice universal circuit inside the snark_prove in order to hopefully cutoff sha-256 specific optimizations.
20:20 < andytoshi> gmaxwell: so the idea is, changing the nonce is just as hard as adding transactions?
20:22 < gmaxwell> andytoshi: well thats true but its not the idea, the point there is that it creates an incentive for people to optimize the SNARK_PROVE() function. :P
20:24 < andytoshi> gmaxwell: well, if transactions are hard to add that kills the idea immediately because there'd be only empty blocks
20:25 < andytoshi> as it is, an alt could be written today which does this
20:25 < andytoshi> (and nobody would be able to mine it :P)
20:26 < gmaxwell> Luke-Jr: in the vnTinyram paper (I think their vnTinyram is slightly slower than regular tinyram), they're showing that their prover basically runs at 25 Hz ... can you imagine verifying the blockchain on a 25Hz cpu? :P ... a dedicated blockchain checking circuit could be maybe 1000x faster, but it would still be very slow to generate the proofs.
20:26 < gmaxwell> andytoshi: Is it late where you are? :P
20:26 < gmaxwell> andytoshi: transactions are no harder to add than incrementing the nonce.
20:26 < gmaxwell> so there is no incentive to not add them.
20:27 < andytoshi> gmaxwell: no, i think i've just got a cold :P
20:27 < gmaxwell> :P
20:27 < andytoshi> when adam3us first said "use a snark as a POW" i thought, SHA256(SNARK_PROVE(transaction updates) + nonce)
20:27 < gmaxwell> yea, don't do that.
20:28 < gmaxwell> there might be some interesting way to do a reward for producing proofs of prior states though.
20:29 < gmaxwell> two ways to mine the coin: producing blocks or producing proofs for the state in prior blocks.
20:30 < andytoshi> that'd be excellent because you're also paying people to be archival nodes
20:31 < gmaxwell> in any case, I think we're still a ways off. E.g. you can't even download and screw around with any of this stuff.
20:31 < gmaxwell> and I'm sure what exists is Academic Quality code.
20:31 < andytoshi> i concur
20:31 < andytoshi> i'm about halfway through the first snark paper, the impression i get is that i can't reimplement this just based on the paper
20:31 < gmaxwell> (meaning it's probably crashy garbage and half of it runs in matlab and the other half works by manually pasting things from matlab into mathematica and back)
20:31 < andytoshi> (though maybe the tinyram paper is more detailed)
20:32 < andytoshi> gmaxwell: i've never worked with cryptography people, but that's standard MO for the rest of math
20:32 < gmaxwell> a lot of the theoretical crypto people just don't implement at all.
20:33 < gmaxwell> actually the verifiable computing stuff is unusual in that people publishing papers have implemented something.
14:54 < jtimon> exactly, the decision was taken (sanely) counting miners and merchants, instead of being strict with the defined rules
14:54 < gmaxwell> jtimon: not to mention the utterly insane risk of rapidly forcing everyone onto bleeding edge software... including god knows how many people who had highly customized code who are _still_ on 0.7.x with patches.
14:54 < adam3us> the 2pc ripple seems a bit like OpenTransactions security model also... get signed/timestamped receipts from servers, users audit servers, if they detect malicious server, they have proof, and can rebuild server state with the receipts (in theory though maybe the rebuild part may not be automated yet)
14:55 < gmaxwell> jtimon: the decision was simply "the deployed software is the spec"
14:55 < jtimon> I'm not saying the decision was wrong
14:55 < jtimon> but I hate that justification
14:56 < jtimon> I prefer to justify it as "following the specs instead of the ref code would have had worse consequences"
14:56 < gmaxwell> jtimon: You can point at a stack of paper and say "but the rules!" all day... but the paper doesn't do shit. The behavior of the participants is what defines the rules in a consensus system.
14:57 < gmaxwell> jtimon: well of course, it's not like we say "the deployed software is the spec" because God gave that to us on a tablet, rather, its the necessary thing to achieve good outcomes in 99.99% of cases.
14:57 < jtimon> agreed, of ALL the participants, not just miners
14:57 < jtimon> as some seemed to imply at the time
14:57 < gmaxwell> absolutely not just miners, and double absolutely not hashpower.
14:57 < jtimon> let me put it another way
14:57 < gmaxwell> Those implying that are not competent.
14:58 < jtimon> if 90% of the hash power was in the old code and 90% of merchants and users are on the specs (I know that wasn't the case), what's the right chain?
14:58 < gmaxwell> (And as you may note, in that hardfork the majority of hashpower was the new behavior... due to the fact that hashpower is controlled by basically 3-4 people, and they'd upgraded faster than the rest of the network due to the competitive incentive of orphaning reduction)
14:59 < jtimon> yeah, ok, good point
14:59 < gmaxwell> Merchants and users would be the right chain generally.
14:59 < adam3us> i suppose this is another reason pooled mining can be a problem
14:59 < jtimon> the majority of hash was on the specs back then and we went with users
15:00 < adam3us> and economies of scale in mining
15:00 < jtimon> I agree, merchants and users are the right chain
15:00 < gmaxwell> (90% hashpower might just be 50 people that need to fix themselves)
15:00 < gmaxwell> (but even ignoring that, I think its reasonable and prudent that mining basically takes more of the risk, and practically every miner whos thought about any of this would agree)
15:01 < adam3us> gmaxwell: how do u think that fork would've played out if there was no pooled mining and mostly decentralized mining power? better or worse? (more distributed consensus on sw upgrade, maybe slower reaction time)
15:01 < jtimon> adam3us, 2PC is similar to OT in some senses, but simpler (not so many instruments) and...in OT all atomic stuff occurs in a single server, with 2PC, there's atomic trades involving an arbitrary number of independent servers that don't necessarily trust each other
15:01 < gmaxwell> adam3us: I don't think the fork would have happened, in fact.
15:02 < gmaxwell> (well, it would have self resolved)
15:02 < adam3us> gmaxwell: well wasnt the fork the result of the level db bug? how would it have self-resolved... a few people early would've noticed problems
15:02 < adam3us> gmaxwell: and been outvoted anyway, and then the bug backed-out?
15:02 < maaku> adam3us: It would have been much harder to side with the users
15:02 < gmaxwell> adam3us: it would have been hashpower overtaken
15:02 < maaku> if there weren't any big miners you could get to switch chains
15:03 < gmaxwell> maaku: there wouldn't have been an artificial miner/user split there.
15:03 < adam3us> jtimon: i think OT also has a concept called voting pools like k of n pools have to agree for a tx to complete
15:03 < gmaxwell> most _miners_ were also on old code at the time too.
15:03 < maaku> gmaxwell: yes there would. miners-set doesn't overlap well with user-set
15:03 < gmaxwell> it's just that most hashpower was on the new stuff.
15:03 < adam3us> gmaxwell: we could really do with direct mining protocol for that reason also. difficult to make that work though.
15:04 < adam3us> gmaxwell: a lesson therefore without decentralization, is the centralized parties need to use intelligence and gradual phase in
15:04 < gmaxwell> maaku: at the time most of p2pool's hashpower stayed on the 0.7 side.. though it was complicated by the fact that 0.7 didn't reliably reject the new chain.
15:04 < adam3us> gmaxwell: however i think from views expressed here that most of the mining power has very limited "intelligence" applied to it at all
15:04 < gmaxwell> (it wasn't a real hard fork, it was a softboiled fork. :P )
15:05 < maaku> adam3us: iirc Luke does a good job of this. he runs blocks past multiple node versions
15:05 < gmaxwell> yes, it would be easier for more to do that if we'd merged luke's patches for that.. but they were pretty invasive.
15:07 < jtimon> adam3us, but that's not more scalable, that's like a "shared server" much like ripple.com's consensus mechanism
15:09 < adam3us> maaku: yes Luke-Jr is a rare example of pool intelligence
17:15 * andytoshi-logbot is logging
17:17 < andytoshi> hey, it came back on its own :)
18:42 < gmaxwell> but ... now it seems to have a droopy leg and a strange interest in brains.
19:44 < justanotheruser> Is there any trustless way to pay someone in BTC to mine an altchain that is inherently worthless? (specifically I was wondering if you could subsidize merged mining of a votecoin)
19:49 < Emcy> i suppose you could make some shitty system that bloats the fuck out of bitcoin because they wont merge mine a specialised votecoin
19:50 < Emcy> but i dont think we really know how reluctant the poolops are to merge mine something decent because no ones ever tried
19:51 < justanotheruser> Emcy: I don't really want to use the bitcoin blockchain. A new blockchain could be created cheaply and be disposable.
19:51 < Emcy> well thats a refreshing attitude
19:53 < justanotheruser> Emcy: anonymous voting would require many coinjoins and coinswaps. If there were millions of voters, the election could cost millions of dollars in bitcoins
19:54 < justanotheruser> with all the transaction costs. Not much of a point.
19:54 < Emcy> i wonder how much those shitty diebold contracts cost
19:54 < Emcy> did you work out how to issue votes anonymously
19:55 < Emcy> *issue ballots
19:56 < justanotheruser> Emcy: everyone gets a vote, everyone has a public bitcoin address associated with their name.
19:56 < justanotheruser> Coinswaps and coinjoins are used to anonymize the votes
19:56 < justanotheruser> then when everyone has sufficient anonymity, they to 1ALGORE or 1GEORGEBUSH
19:56 < justanotheruser> *they pay to
19:57 < justanotheruser> I just wish I could pay someone automatically in bitcoins for finding a block without a central authority
20:00 < Emcy> what about vote selling
20:00 < gmaxwell> justanotheruser: thats really dumb. sorry, it's often repeated enough you should have seen other people calling it out.
20:00 < gmaxwell> Bitcoin is not a jamming resistant network. Congrats you just let the miners decide the election outcomes.
20:01 < justanotheruser> gmaxwell: What do you mean by jamming resistant
20:01 < justanotheruser> Emcy: That is possible without decentralized voting (but I agree, this makes it easier)
20:02 < Emcy> oh yeah hes right
20:02 < petertodd> gmaxwell: timelock crypto can be used to circumvent miner censorship of votes in some conditions
20:02 < Emcy> i think when i first brought up some sort of votecoin was years ago back when i still thought every responsible citizen could have a miner in the cupboard
20:02 < justanotheruser> Blocks could be rejected if they didn't include a certain number of transactions
20:04 < Emcy> justanotheruser when youre talking about elections there are incentives which easily override money concerns
20:04 < petertodd> justanotheruser: now you've turned pow mining into a weird pow/proof-of-stake/proof-of-sacrifice combo, doesn't necessarily help re: elections
20:04 < Emcy> in the money/power chicken and egg game, power always came first
20:05 < justanotheruser> petertodd: What? How is there any proof of stake/sacrifice?
20:05 < petertodd> justanotheruser: the transactions - how do you distinguish a "legit" tx from one the miner made?
20:06 < justanotheruser> petertodd: network rule that only allows a coin to be transacted a certain number of times
20:07 < petertodd> justanotheruser: right, so by including a transaction you have sacrificed someone, hence, it's proof-of-sacrifice
20:08 < justanotheruser> petertodd: how have i sacrificed someone?
20:08 < petertodd> justanotheruser: you sacrificed something, coinage, or coins, or whatever scheme you decide to use
20:09 < justanotheruser> petertodd: to get a block you have to have done a PoW with a certain number of transactions. The miners have no sacrifice
20:10 < petertodd> justanotheruser: something was sacrificed, or miners can stuff the block full of their own transactions at zero cost
20:10 < petertodd> justanotheruser: anyway, this works for voting: http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03524.html
20:10 < justanotheruser> petertodd: The miners can only have a limited number of transactions
20:11 < petertodd> justanotheruser: limited how?
20:11 < justanotheruser> petertodd: because everyone only gets one votecoin and they only can be transacted 100 times from the coinbase
19:00 < adam3us> maaku_: "3 people to donate <$1000" i am not sure what this says about the crypto currency market. seems like so far its telling us that scamcoins and crazy but high PR things get the most money. if the market keeps voting that way and the money is used accordingly (ie nothing good morphs out of bad money) ... hmm depressing
19:00 < jtimon> maaku_ adam3us re not the end of the world: specially if litecoin was MM
19:00 < adam3us> jtimon: but its different PoW
19:01 < maaku_> adam3us: yeah, depressing :(
19:01 < jtimon> yeah, I mean assuming it was a SHA256 improvement instead of a scrypt one
19:01 < adam3us> petertodd: do something good with msc money to restore our faith in humanity :) please!
19:01 < killerstorm> people regularly ask me how to buy colored coins, I have a hard time telling them that it's impossible :). they do this much research before "investing"...
19:01 < petertodd> adam3us: don't worry, going to vegas with my first paycheck to find some strippers
19:02 < maaku_> pics or it didn't happen
19:02 < petertodd> killerstorm: lol
19:02 < jtimon> re: 1M usd destruction it would be funny if the guy said "it was a joke"
19:02 < petertodd> jtimon: the guy is anonymous
19:02 < maaku_> killerstorm: that sounds like every investor conversation Jorge and I have had (save one, maybe something will come of that)
19:02 < jtimon> petertodd does it make it less funny?
19:03 < petertodd> jtimon: it makes it more plausible
19:03 < petertodd> jtimon: well, more likely
19:03 < maaku_> he sure as hell is going to stay anonymous now
19:03 < adam3us> petertodd: did someone look at the code of xcp? it claims to actually have stuff working?
19:03 < maaku_> adam3us: honestly the crypto currency investment market reminds me of Lemmings
19:04 < petertodd> adam3us: I did, not much to it
19:04 < killerstorm> BTW is anybody interested in reviewing design/implementation of colored coin client (NGCCC aka ChromaWallet)? We don't have people who are familiar with bitcoin clients in our team, I just want to confirm we aren't doing something stupid...
19:04 < adam3us> maaku_: i think there is a lot of dumb money. people who got lucky with various mining/buying things and are not considering it real money
19:05 < warren> adam3us: maaku_: I'm open to diverging more from bitcoin. it just isn't clear what are the good ideas at the moment.
19:05 < killerstorm> We can probably allocate some bounty for it (review).
19:05 < warren> adam3us: maaku_: meanwhile litecoin has mainly been useful in discovering bugs that are in bitcoin
19:06 < adam3us> warren: could try zerocash but integrated in the way zerocoin was planned if you like being a canary
19:06 < warren> adam3us: the original zerocoin?
19:06 < maaku_> adam3us: unfortunately that pool of dumb money will eventually empty itself on mostly useless projects :(
19:06 < maaku_> there's some other interesting ones out there
19:06 < adam3us> warren: well u recall that it was a trustless mix attached to the block chain
19:06 < maaku_> but quality of the project seems to be inversely proportional with funds received
19:06 < jrmithdobbs> maaku_: nah that's not the sad part
19:07 < warren> adam3us: I'm actually very interested in P2SH^2 and something like p2pool in the standard client
19:07 < warren> adam3us: I don't like data storage in the blockchain and mining centralization is a long-term existential threat.
19:07 < killerstorm> Oh, BTW, is anybody working on cryptocurrency which uses something other than ECDSA?
19:07 < adam3us> warren: whereas now that bitcoin said "nah too heavy" with zerocash which is actually light enough to be sensible, they've taken the msg that they will create an alt instead.
19:07 < maaku_> warren: be careful the trapdoor in zerocash though... not ready for prime time imho
19:07 < jrmithdobbs> maaku_: the sad part is that it's self fulfilling and there doesn't seem to be a way to break the chain, it's like people actually actively attempt to invest in the worst ideas in the space because they think they have intuition for the system they're buying into when they really have no fucking clue what's going on
19:07 < warren> maaku_: I'm aware
19:08 < maaku_> killerstorm: we're eventually going to add schnorr and lamport signatures
19:08 < jrmithdobbs> maaku_: but maybe i'm just jaded :)
19:08 < adam3us> killerstorm: gmaxwell investigated using EdDSA as a bitcoin
19:09 < adam3us> killerstorm: new sigtype which is schnorr and so has some nice features (compact k of n sig, blind sig)
19:09 < jtimon> maaku_ lol lemmings
19:09 < warren> Are the latest thoughts on P2SH^2 written anywhere?
19:09 < warren> I lost my IRC logs.
19:09 < adam3us> maaku_ warren: yes the setup time trapdoor is a problem someone has to be trusted to delete it
19:09 < justanotheruser> maaku_: I think it's already been implemented, it's just not public
19:10 < killerstorm> maaku_: I think it would be interesting to implement optional upgrade-to-lamport. I.e. script references both ECDSA pubkey and Lamport pubkey, normally only ECDSA pubkey is used, but optionally if ECDSA is broken :), one can use Lamport pubkey without revealing ECDSA pubkey
19:10 < adam3us> warren: if you dislike centralization and have not much SPV clients? you could consider committed-tx experiments
19:10 < petertodd> warren: I can send you my logs
19:11 < maaku_> killerstorm: that would be perfectly doable using multisig
19:11 < warren> adam3us: regarding zerocash, even if it is efficient in terms of blockchain bloat, I am concerned about the regulatory implications. The current situation with bitcoin less-private-than-case-even-with-coinjoin might strike a good balance of needed transactional privacy with the need to prevent unfettered criminal uses.
19:11 < adam3us> warren: i agree mining centralization is bad. committed-tx is an attempt to have user policy choice even with quite high centralization by denying miners information with which to make policy on
19:12 < warren> less-private-than-cash
19:12 < adam3us> warren: yeah the risk is not lost on me. hence "if you want to be a (regulatory) canary"
19:12 < maaku_> you'd accomplish this by sighash extension, so the signature itself specifies which scheme is used (of course it would have to match the pubkey)
19:12 < petertodd> adam3us, warren: committed txin may be even more interesting along those lines
19:12 < warren> adam3us: mastercoin is asking to be a regulatory canary
19:13 < warren> adam3us: I think centralization should be a top priority, it is an existential threat.
19:13 < maaku_> killerstorm: lamport sigs are big ... even in a post-quantum world i think we'd still use elliptic curves
19:14 < warren> centralization is *THE* existential threat
19:14 < petertodd> warren: +1
19:14 < adam3us> warren: btw i think its not as clear cut as all that. you can make different privacy tradeoffs by choice. zerocash is a building block as much as ecdsa. you could have fungible coins with new "wallet addresses" that have a similar payment level linking as today.
19:15 < adam3us> warren: sign me up on that call too "centralization = existential threat"
19:15 < warren> petertodd: I'd like logs covering all the recent P2SH^2 discussion
19:15 < adam3us> warren: which i think is a quite interesting tradeoff. no more private than current, but fully fungible. (coinvalidation falls on its face)
19:16 < warren> is zerocash's design published?
19:16 < maaku_> warren: no
19:16 < adam3us> warren: ie current privacy at payment level, but fungible/anonymous at coin level. so if you trade a bad actor you ask them to reimburse you but you cant freeze the coin
19:16 < petertodd> warren: sent
19:17 < adam3us> warren: gmaxwell knows more about it (zerocash)
19:18 < adam3us> warren: also there was a podcast recording of matthew green talk on it at real world crypto conf, can google for
19:18 < killerstorm> maaku_: I think the idea is to have something as a backup IF shit hits the fan. E.g. if ECDSA vulnerability is discovered, people can use Lamport signatures temporarily, and then hard-fork upgrades cryptocurrency to something small and safe.
19:19 < adam3us> warren: you could always build holes to plug it into, then wait for zerocash to release their code & link in the library
19:19 < warren> IMHO, I'd rather focus entirely on the centralization existential threat.
19:19 < warren> That's uncontroversial.
19:19 < adam3us> warren: ok. see if u can do something with committed tx.
19:20 < adam3us> warren: are you willing to complicate SPV model to do it?
19:20 < petertodd> killerstorm: you realize that lamport sigs are implementable easily in even bitcoin's original scripting system right?
19:20 < petertodd> killerstorm: not possible now that op_cat is disabled, but it doesn't take much
19:21 < killerstorm> Well, how do you hide ECDSA pubkey?
19:21 < Luke-Jr> meh, "disabled" really means "removed" in this context :/
19:21 < warren> adam3us: it depends, need to read all the current thinking on committed tx. is this written down anywhere?
19:21 < petertodd> Luke-Jr: yup
19:21 < warren> adam3us: I really dislike the current way SPV is done.
19:21 < jrmithdobbs> petertodd: ya well the disabled ops have enough to implement salsa/chacha too (inefficiently and insecurely)
19:21 < jrmithdobbs> heh
19:22 < petertodd> jrmithdobbs: well, scripts are limited to 10,000 opcodes so... probably not, lamport however is practical within the limits (modulo disabled ops)
19:22 < petertodd> warren: what do you want changed re: SPV?
19:22 < adam3us> warren: sort of but not really cleanly bct thread https://bitcointalk.org/index.php?topic=206303.0 ask if it doesnt make sense
19:22 < jrmithdobbs> petertodd: i think that's still true for at *least* chacha with the real limits
19:22 < killerstorm> Ok I guess it isn't hard to hide it...
19:22 < jrmithdobbs> petertodd: not that anyone should do so, ever
12:04 < jtimon> sipa: yeah, I guess that's the word we were looking for: p2pool and eligius are both trustless pools
12:05 < sipa> yup
12:05 < Luke-Jr> sipa: that might be better terminology, but it's not the common terminology already in use
12:05 < adam3us> Luke-Jr: does eligius reject/not support non-GBT shares?
12:05 < Luke-Jr> adam3us: Eligius supports all protocols at the moment
12:05 < sipa> Luke-Jr: i don't think anyone but you considered eligius decentralized (i know it satisfied some definition of decentralized that's common, though, but not all)
12:06 < adam3us> Luke-Jr: so its trustless to the extent users use GBT then
12:06 < brisque> Luke-Jr: what sort of percentage of users use GBT over stratum?
12:06 < Luke-Jr> brisque: probably near zero :/
12:06 < sipa> trust-free doesn't mean you cannot trust anyone - it just means you don't need to
12:06 < Luke-Jr> the solution is to make decentralised mining just as easy/painless as centralised mining
12:07 < Luke-Jr> sipa: trust-free implies more than decentralisation IMO
12:07 < adam3us> Luke-Jr, sipa: so it seems to me there is some pain. the bw consumption.
12:07 < brisque> Luke-Jr: imagine i'm a miner, is there an incentive for me to use GBT on eligius over Stratum?
12:07 < Luke-Jr> brisque: only for the good of Bitcoin
12:07 < jtimon> Luke-Jr open transaction is trustless but centralized
12:08 < brisque> Luke-Jr: mm, there's the reason why lots of people don't use it.
12:08 < sipa> Luke-Jr: they overlap, but neither implies the other
12:08 < sipa> jtimon: trust-free to an extent - you still need to trust the issuer
12:08 < Luke-Jr> sipa: p2p != decentralisation
12:09 < jtimon> sipa : for non-p2p currencies you always need to trust the issuer anyway
12:10 < jtimon> if you issue usdCoins using colored coins is no different
12:11 < adam3us> jtimon: i think there are two aspects to trust for issued units. 1. the issuer to redeem, maintain 1:1 backing, 2. the network to secure ownership transfer. so it can still make sense to use decentralized ownership tracking (blockchain) for an issued asset.
12:12 < adam3us> jtimon: (you probably would personally redeem by selling the unit for another crypto currency or on an exchange, not via redemption with the issuer)
12:12 < jtimon> adam3us: my point is that, despite being centralized, you don't need to trust the OT server
12:13 < adam3us> jtimon: agree. i just mean with open transactions you need to trust it for some things but not others i think in their terminology an issuer is a different entity from a tx server.
12:14 < jtimon> yes, the same issuer can operate in different OT servers at the same time
12:15 < jtimon> the main problem with OT is you can't trade assets that are in different servers atomically, you have to move them all to the same server first
12:15 < stonecoldpat> adam3us: it would certainly add extra-security (if thats a phrase), but the way im thinking about it ... SPV clients arent really part of the hashing power (as they are not mining). As you said - they are just observers. So you would still need to trick over 50% of miners for the attack to work. my comment is probs a bit old now (got distracted at work)
12:15 < adam3us> anyway on the decentralization from pools. its good that eligius supports GBT and more users should use it. Luke-Jr is also right that hosted mining is likely even worse. but an even better outcome would be if there was a way to not need pools. ie to solo mine with reasonably frequent and predictable payout.
12:16 < jcrubino> does there need to be any protocol level changes for stealth addresses?
12:16 < Luke-Jr> adam3us: I don't think that's very practical on a wide scale.
12:16 < adam3us> stonecoldpat: heaven forbid to let work distract from btc :) yes i recall the context. this is true. but there could be a large payout you could mint millions and millions of $ of tx that didnt even exist and an SPV client would temporarily accept it
12:16 < Luke-Jr> adam3us: for the low variance many miners want, you *need* to keep a running balance somewhere
12:17 < jtimon> jcrubino: I don't think so, just the payment protocol
12:17 < adam3us> jcrubino: i do not think so. just client work.
12:18 < jcrubino> and does anyone in here have bitcoin-dev mailing list archived from the beginning?
12:18 < adam3us> Luke-Jr: yes i am talking spherical cows territory like changing the minimum reward. having 100s of mini-rewards per block, such things
12:18 < Luke-Jr> jcrubino: I think SF has an official archive
12:18 < jcrubino> Luke-Jr: can I download it all at once?
12:18 < Luke-Jr> no idea
12:21 < jcrubino> hmm
12:21 < jcrubino> I want to try to do a topic mapping of the messages
12:22 < adam3us> jcrubino: maybe wget -r from the right base url might do the trick
12:24 < jcrubino> adam3us: It looks like the actual messages are id with every other message on SF
13:27 < michagogo|cloud> ;;seen andytoshi
13:27 < gribble> andytoshi was last seen in #bitcoin-wizards 12 hours, 30 minutes, and 7 seconds ago: <andytoshi> i assume jon matonis was involved in that list ..
13:28 < michagogo|cloud> ;;later tell andytoshi Did you make any more progress on the cj client? Let me know if/when it's ready for more testing.
13:28 < gribble> The operation succeeded.
13:32 < wallet42> so stealth addresses are base58_check encoded compressed pubkeys? whats the version byte?
14:25 < justanotheruser> Is it possible to make an easy to confirm hashing function that involves all the previous confirmed tx?
14:26 < justanotheruser> *easy to validate
14:33 < gmaxwell> justanotheruser1: you mean what we're already using in Bitcoin?
14:34 < justanotheruser1> gmaxwell: no I mean your idea that would require miners to have the blockchain
14:35 < gmaxwell> justanotheruser1: I assume by easy to validate you mean fully validatable by someone who doesn't have that data?
14:37 < justanotheruser1> gmaxwell: no. I mean easy to validate in general. I thought of two methods, one where the hash you generate would require you to look up a tx based on that hash and include that in a new hash, but I think miners would just end up trying to find hashes of the tx in their cache to circumvent that. The other method I thought of involved having each tx be at the leaf of a merkle tree and the nonce be an adjacent leaf, but that would be hard
14:38 < gmaxwell> justanotheruser1: I thought I described such an approach in the post about that?
14:38 < justanotheruser1> gmaxwell: I haven't seen your post, just the wiki page. Could you link me it?
14:39 < gmaxwell> you can use the block header to force you to do N lookups and make a hash tree. And then you use the hash of the solved block to select which M of those N lookups to publish.
14:39 < gmaxwell> This way you can publish a relatively small number of values, but grinding the preselection isn't too effective because it's picking N.
14:41 < gmaxwell> e.g. 32 random lookups is not going to do well with a small cache. And then you find a block and you're forced to prove one of them.
14:41 < justanotheruser1> gmaxwell: So N is generated based on the block header?
14:43 < gmaxwell> e.g. H(prev header) tells you to pick N transactions at random. you include a hashtree over them in your block. H(your header) tells you which of the N to include with your solution. (this can be pooled, to prevent pooling for it, you'd need to put it in the inner loop which makes the pow utxo throughput hard)
14:44 < gmaxwell> I'd also suggested a simplified version where you just do queries on the inputs consumed in the prior block. The rationale being that we really just wanted you to prove you had the required data to do the validation.
14:45 < justanotheruser1> Why not make H(Prev head) also tell you which N to include? Couldn't miners modify the header to make it so they only have to look at the 1mb of tx they have?
14:45 < justanotheruser1> (in a hypothetical situation where miners only store 1mb of tx to save space)
14:47 < gmaxwell> previous header. as in the prior block.
14:49 < justanotheruser1> gmaxwell: yes, but you are using "your header" to find the block. Couldn't a malicious mining pool make it so their header tells them that they have to include only tx in the set of tx the miners own?
14:49 < justanotheruser1> s/to find the block/to find the tx for the block
14:50 < gmaxwell> only by doing N fold the work of finding a block.
14:52 < justanotheruser1> gmaxwell: well the work of finding a block is memory hard, but finding an easy header isn't.
14:53 < justanotheruser1> unless there's something I'm missing
14:53 < gmaxwell> I have no freaking clue what you're talking about there.
14:54 < gmaxwell> The only point of the proposals of preventing people from mining without the blocks was to stop botnets that just mined using the headers and processed no txns.
14:54 < gmaxwell> The explicit goal of that was not to make the POW memory hard.
14:57 < justanotheruser1> gmaxwell: I thought the purpose was to keep centralized pools that don't require blockchain ownership infeasible
15:00 < maaku> adam3us: there would need to be some infrastructure for recognizing and handling covenants at the user interface level.
15:00 < maaku> users will probably have to whitelist which covenants are accepted under which circumstances... there are some nontrivial problems here.
15:00 < gmaxwell> No. If you want to do that then you need a utxo query throughput pow where the hardness comes entirely from random queries.
15:00 < maaku> but they are solvable. certainly the default should be that added covenants are non-fungible. this is part of why a strongly-typed, simple, theorem-provable language should be preferred. that way a wallet could ignore / cordon off incoming coins which can't be proved to be covenant-free
15:00 < maaku> and that should certainly be the default behavior
15:51 < adam3us> michagogo|cloud: it was a month ago, i tried 10, 12 as main advertised iso on ubuntu.co and i think 10 server at suggestion of a hacker friend of mine that server maybe less chatty
15:51 < adam3us> .04
16:50 < andytoshi-away> gmaxwell: cool, glad to see (a) that the list is active and (b) we're not crazy to think we can be throwing hash circuits everywhere
16:51 < andytoshi> i have another concern, which i haven't mentioned since i haven't read the whole paper, about verifying input..
16:51 < andytoshi> presumably to make a snark-based blockchain we would want VERIFY (old chain state, new chain state, transactions)
16:51 < gmaxwell> someone needs to find a bored grad student to go generate circuits for sha256 and all the sha3 finalists and see which results in the fastest proofs.
16:51 < andytoshi> and we'd want the old and new chainstate to be public, but the transactions to be zero knowledge
16:52 < andytoshi> the impression i get from the paper is that if we want inputs to be public and provably there, we'd need them to appear in the preprocessing stage
16:52 < andytoshi> is this right?
16:54 < gmaxwell> andytoshi: no, the preprocessing stage just takes in the description of vntinyram itself, the time limit bound, and the _number_ of public inputs.
16:54 < andytoshi> are the public inputs what they call 'auxiliary inputs'?
16:55 < gmaxwell> no, public inputs are "program inputs", while "auxiliary inputs" are the ZK inputs.
16:55 < andytoshi> ok, thanks, great
16:55 < gmaxwell> (also non-determinism used to simplify the tinyram circuit, e.g. like magical answers that tinyram divide by only having a circuit to check the answer)
16:56 < andytoshi> yeah, i noticed that, that was really clever
16:57 < gmaxwell> andytoshi: also, in your description above there is an extra thing that needs to be provided.. full nodes would also demand a set of updates to change from the old state to the new state.
16:58 < andytoshi> the proof would not be enough for them?
16:58 < gmaxwell> E.g. the transactions are ZK but you do actually need to know the final state (not intermediate states) in order to make the next proof yourself.
16:58 < andytoshi> right, that's what i mean by 'new chain state', they can just use that as 'old chain state' in their next proof
16:58 < gmaxwell> oh okay, I read what you were saying as a commitment to the state.
17:00 < gmaxwell> A non-miner in that model doesn't actually need to pay attention to the state much of the time... so commitments are good enough.. then they could just get fragments of the state from filtering nodes to prove they were paid.
17:01 < andytoshi> right
17:02 < andytoshi> and full/filtering nodes would have to figure out some way to efficiently store the series of chainstates
17:03 < andytoshi> perhaps snark-proving chainstate diffs would be more efficient, i dunno, these are just details at this point :)
17:03 < gmaxwell> its useful to commit to the diff as well, since then you can get it from someplace else.
17:03 < andytoshi> oh, good point, doing both gives the best of both worlds
17:05 < andytoshi> full nodes would use the diffs, non-full user nodes would use the full state to verify what the full nodes are telling them
17:08 < gmaxwell> if you want to be really snazzy, you have a hierarchy of backpointers to old blocks, and at each backpointer level you keep a state snapshot and periodically commit big gap proofs.
17:09 < gmaxwell> then hotstarting a full node just involves evaluating log2(blocks)+ proofs, and pulling down a full state.
17:09 < gmaxwell> but since the proofs are so fast, I guess O(N) proofs isn't so bad.
17:10 < andytoshi> we'll see what hardware looks like wherever this becomes feasible :P
17:10 < andytoshi> though my money's on "before 2020", and then things will look pretty-much the same
17:14 < andytoshi> justanotheruser: the 1-1 peg discussion starts (i think) at http://download.wpsoftware.net/bitcoin/wizards/2013-12-18.txt
17:14 < andytoshi> (for some reason my logs from 12-17 to 12-27 were not on the website, that's why i couldn't find them earlier)
17:16 < michagogo|cloud> 2014-01-08 22:11:18 REORGANIZE: Disconnect 7880 blocks; 000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f..
17:16 * michagogo|cloud 2014-01-08 22:11:18 REORGANIZE: Connect 31489 blocks; ..00000000ce13e2d877387db6a418974481fdcd946bcc72c3a52f1ed7ad34f2a5
17:17 < gmaxwell> michagogo|cloud: is that testnet?
17:17 < michagogo|cloud> It's Jesuscoin
17:17 < andytoshi> phew
17:17 < gmaxwell> ... Jesus coin?!
17:17 < gmaxwell> (I did a reorg on testnet that big)
17:17 < michagogo|cloud> gmaxwell: coingen
17:18 < michagogo|cloud> second coin on http://coingen.io/status.html
17:18 < gmaxwell> ohhh you blew up a coingen coin?!
17:18 < gmaxwell> hah
17:18 < michagogo|cloud> Well, my script is breaking
17:18 < michagogo|cloud> since the reorg lags jesuscoin-qt
17:19 < gmaxwell> hah
17:19 * gmaxwell titters at "jesuscoin-qt"
17:19 < gmaxwell> does it have an icon where a coin outline forms a halo around jesus?
17:21 < helo> it proclaims to _be_ the second coming
17:21 < michagogo|cloud> gmaxwell: http://imgur.com/Wldyc7t
17:22 < gmaxwell> aww
17:23 < michagogo|cloud> Okay, added begin,rescue,retry,end lines
17:23 < phantomcircuit> opportunity missed
17:23 < michagogo|cloud> that should make it stop crashing
17:24 < michagogo|cloud> If you're interested, here's my script: http://0bin.net/paste/OFWqJ7Lj0k0GO0o4#Rd6uP8VFxwv3SEO4HQAwtF+Vy5M3ZtaUrrKC9m3qI+w=
17:25 < michagogo|cloud> Anyone happen to know when Bitcoin's first difficulty increase was?
17:25 < gmaxwell> block 80k?
17:26 < michagogo|cloud> thanks
17:26 < michagogo|cloud> Heh, looks like the real chain is fighting with my replay of the bitcoin chain
17:27 < michagogo|cloud> Reorging back and forth
17:27 < andytoshi> ah, this is from before BlueMatt fixed the 'same genesis' 'bug'
17:27 < shesek> oh, it was fixed eventually? when?
17:28 < shesek> we were talking about it just yesterday
17:28 < gmaxwell> michagogo|cloud: oh I'm wrong about the height
17:28 < BlueMatt> no, it was fixed a long time ago
17:28 < gmaxwell> michagogo|cloud: 32256
17:28 < michagogo|cloud> Hmm, what did it rise to?
17:29 < gmaxwell> 1.18289953
17:29 < shesek> oh, I was under the impression it was still like that yesterday... someone said it was
17:30 < michagogo|cloud> If anyone feels like watching jesuscoin get killed, https://secure.join.me/671-648-265
17:30 < michagogo|cloud> (tailf of jesuscoin's debug.log)
17:32 < michagogo|cloud> Hey, I think I might have just pulled ahead
17:33 < michagogo|cloud> BlueMatt: How many coingen coins used Bitcoin's genesis block?
17:33 < gmaxwell> michagogo|cloud: too bad there aren't any huge tx fees until fairly late.
17:34 < michagogo|cloud> gmaxwell: Why?
17:34 < gmaxwell> otherwise I'd say it would be fun to play it up to right before the point where there was a block with huge tx fees. Then mine that txn yourself.
17:34 < BlueMatt> michagogo|cloud: no idea
17:34 < gmaxwell> Then continue on.. and you get the huge tx fees.
17:34 < michagogo|cloud> gmaxwell: heh
17:37 < helo> where's the boom?
17:37 < michagogo|cloud> helo: https://secure.join.me/671-648-265
17:39 < michagogo|cloud> shh, nobody tell Luke-Jr that I killed Jesus(coin)
17:39 < helo> interesting date
17:39 < michagogo|cloud> helo: hmm?
17:40 < helo> jesuscoin has blocks as far back as 2010?
17:40 < michagogo|cloud> helo: It's the Bitcoin blockchain
17:41 < michagogo|cloud> I'm just using http://0bin.net/paste/OFWqJ7Lj0k0GO0o4#Rd6uP8VFxwv3SEO4HQAwtF+Vy5M3ZtaUrrKC9m3qI+w= to replay the bitcoin blockchain onto Jesuscoin
17:42 < helo> wouldn't the hard coded genesis block make that not work?
17:42 < shesek> they share the same genesis block
17:42 < helo> bad move :/
17:42 < shesek> coingen used to give the altcoins it created the same genesis block as bitcoin's
18:20 < gmaxwell> andytoshi: the proving process for QAP snarks is ludicrously parallel, I wonder if it would make sense to have distributed generation of the proofs? ... I think the problem is that they need communication similar to the prover key in size.
18:23 < maaku> adam3us: I've done multiple ubuntu installs without network connection ... i know it works for 12.04
18:26 < andytoshi> gmaxwell: hmm, a high communication requirement is going to incentivize centralization
18:26 < andytoshi> and in general, if you break the proof up it is hard to decide what part any individual miner should work on
18:27 < andytoshi> which i think also encourages centralization since it is easy to organize a single mining farm to not step on its own toes
18:30 < andytoshi> i think "ludicrously parallel" will just mean that we don't have a gpu-hard mining algorithm here
18:30 * maaku downloads jesuscoin-qt and goes to make some popcorn
18:32 < michagogo|cloud> maaku: not much to see
18:32 < sipa> i expect jesuscoin to be able to fork, and keep both instances alive...
18:32 < michagogo|cloud> It'll just look like Bitcoin-Qt syncing
18:32 < maaku> is it off of git-head, or 0.8?
18:33 < michagogo|cloud> 0.8.6
18:33 < sipa> 0.8.6 iirc
18:33 < maaku> oh :\
18:33 < michagogo|cloud> Why?
18:33 < michagogo|cloud> Which git feature were you hoping to use?
18:33 < maaku> i was hoping for some fine grained timestamps on the log messages to get a good idea of how the reorg was spreading through the network
18:33 < maaku> vs. the "honest" miners
18:34 < michagogo|cloud> maaku: you can roll your own
18:34 < michagogo|cloud> Just build git head and change the pchMessageStart
18:34 < maaku> yeah true. i suppose I just need the port & msg bytes
18:34 < michagogo|cloud> port 9336
18:34 < michagogo|cloud> Don't know the magic, though
18:34 < michagogo|cloud> Sorry
18:35 < maaku> np. thanks
18:35 < maaku> i'll read the first 4 bytes of blk*.dat
18:35 < michagogo|cloud> (Not at my computer anymore, I'm writing this from my bedroom)
19:55 <@gmaxwell> CodeShark: I suppose that it just reduces to the storage throughput stuff on the altcoin page as one way of showing you have it at all times.
19:55 < Luke-Jr> CodeShark: not sure I agree
19:55 < petertodd> Luke-Jr: well, for me it's about the pay-per-hour-of-studying-cryptocurrencies, and mastercoin's offering full-time crypto-coin studying :)
19:55 <@gmaxwell> e.g. instead of paying you just make storage a byproduct of mining.
19:55 < Luke-Jr> petertodd: is that really all they expect of you?
19:55 < CodeShark> Luke-Jr: or at least, we wouldn't need currencies that are deliberately scarce
19:56 < petertodd> Luke-Jr: mastercoin is roughly speaking a blank slate, so roughly speaking yes
19:56 < maaku> BlueMatt: "merged mining isn't very good" -- because of the security risk of diluting the reward function?
19:56 < BlueMatt> petertodd: well, instead of working on fun cryptocurrencies problems like scaling, you've ended up working on how to best hide data in coins not designed for it...
19:56 < BlueMatt> instead of designing for it
19:56 < petertodd> BlueMatt: yes, but once you accept that as your model... then obviously you should work on scaling
19:57 < BlueMatt> maaku: because if you make a new researchcoin today, getting it merged-mined by enough mining power isnt a trivial problem, mostly
19:57 < petertodd> BlueMatt: see, if mastercoin is merge-mined, there's no reason to work on making bitcoin scale better, but if mastercoin isn't merge-mined and is embedded in the blockchain, then there's every reason to make bitcoin scale better
19:57 < nsh> scaling is a solved problem. we just all have to trust random people we've never spoken to in strange countries with unknown interests. cf. BGP
19:58 < nsh> , GRX, &c.
19:58 < CodeShark> I do not agree with the notion that the bitcoin protocol is a general low-level protocol - if we really want to build a network like that, we should design a low-level blockchain-based protocol (for, say, timestamping)
19:58 < CodeShark> without attaching anything else to it
19:59 < CodeShark> it should be completely agnostic as to the contents of data packets
19:59 < petertodd> CodeShark: I suspect we're going to end up with that, and specifically, the magic word is "proof-of-publication"
20:00 < maaku> CodeShark: and that's a problem?
20:00 < CodeShark> furthermore, proof-of-publication doesn't require all the data contents to be stored on the blockchain itself
20:00 < BlueMatt> petertodd: my view: ignore all non-btc-denominated cryptocurrencies: they all need to die and should be treated as shit anyway. after you do that, you have to somehow make the total throughput of btc-denominated transactions scale, that can come in the form of alts that are on their own btc-denominated chain or however you want, the whole system has to scale
20:00 < CodeShark> hashes would be sufficient
20:01 < CodeShark> we could completely separate the data storage/query mechanisms from the timestamping mechanism
20:01 < petertodd> CodeShark: no it does: if it's not in the blockchain there's no proof anything was in fact published. that said, the existing bitcoin system is kinda weak on that respect...
20:01 < nsh> petertodd, there are different (but overlapping) use-case sets for proof-of-existence and proof-of-publication
20:01 < petertodd> CodeShark: the ideal might be some pow function that forces you to prove you have access to some data set, but that's not what we have
20:02 < BlueMatt> petertodd: if it were easier to get mastercoin merged-mined (eg to the scale of namecoin), and you can do 1:1 exchange to a secondary chain, do you not agree mastercoin /should/ be on a separate chain at that point?
20:02 < CodeShark> ok, yes, I get the distinction now between proof-of-existence and proof-of-publication
20:02 < nsh> also publication might have gradations, as not everything is published to *
20:02 < petertodd> BlueMatt: if you can wave a magic wand and get it to reasonable hashing power, lovely, but there is no such magic wand so I can't advise them to do that
20:02 < petertodd> BlueMatt: more likely I'd get there by designing a good merge-mined proof-of-publication scheme
20:03 < BlueMatt> ok, so our disagreement is how hard it is to get merged-mined a new coin
20:03 < CodeShark> besides the fact that mastercoin represents extra blockchain bloat, I'm also concerned about the unpredictable nature of block intervals and the average length of that interval
20:04 < petertodd> BlueMatt: pretty much, and there's lots of ways forward: IE if I managed to find a way to make bitcoin itself scale in some unspecified way, then mastercoin dumping data on the blockchain wouldn't matter
20:04 < CodeShark> 10 minutes on average doesn't seem like sufficient granularity for a lot of things
20:04 < sipa> petertodd: better != infinitely
20:04 < petertodd> CodeShark: given the selfish mining stuff I think we're going to find that 10 minutes was optimistic...
20:05 < petertodd> sipa: my suspicion is there is a fundamental security and scalability tradeoff with proof-of-publication, so you'll wind up with some scheme that lets you make choices about that tradeoff - pay more for more secure coins
20:05 < petertodd> sipa: txout storage fees based on value are nice there, but they change economics...
20:05 < sipa> very much so
20:06 < CodeShark> shouldn't the storage fee be based on size, not value?
20:07 < petertodd> CodeShark: NO, based on value because more value needs more security needs wider spread holders who actually have the data
20:07 < CodeShark> ah, ok
20:07 < andytoshi> if we used a base-1 encoding, we could make size and value be the same
20:07 < andytoshi> am i a wizard yet?
20:07 < petertodd> CodeShark: e.g. Suppose I want to destroy all (public) copies of some blockchain data, in the Bitcoin system that's going to be extremely hard, roughly a 51% attack, but if bitcoin mining was sharded such that you could mine with 1/8th of the blockchain data, you'd wind up with a system where you may be able to do a 51% * 1/8th attack instead
20:08 * petertodd gives andytoshi a robe and pointy hat
20:08 < maaku> why not put mastercoin on namecoin?
20:08 < maaku> or hey, devcoin or ixcoin
20:08 < CodeShark> right, I get it now, petertodd
20:08 < petertodd> maaku: why bother? it's not mastercoin's problem that it crowds out other uses of the blockchain
20:09 < CodeShark> the fundamental problem here, IMO, is the misplaced incentives
20:09 < petertodd> CodeShark: agreed
20:09 < CodeShark> there are no rewards in the bitcoin network for providing storage nor for relay
20:09 < maaku> petertodd: just pointing out that there are other merged mine chains with high hash rates
20:09 < petertodd> CodeShark: especially with regard to the UTXO set...
20:09 < maaku> i actually think that it is perfectly fine to put whatever you want on the block chain
20:10 < BlueMatt> petertodd: well, I find the difficulty of getting a real research coin merged-mined to be a problem that needs solving, so I'd argue that you (as someone paid to work on this) should work on fixing that problem instead of working on hiding shit in the chain so that people cant block it
20:10 < maaku> and if anyone has a problem with that ... it's your own damn fault for not coming up with and implementing a better fee system
20:11 < petertodd> BlueMatt: meh, I think I've basically solved the "hide shit in the blockchain" problem very thoroughly, something we need *someone* to have done if only to understand the risks
20:11 < sipa> without fees going to those providing the storage that is wasted, the incentives can't align
20:11 < petertodd> BlueMatt: note I also have a half-decent solution to UTXO bloat, so it's not like it's the only thing I've been working on
20:12 < maaku> sipa: and fees can't go to those providing the storage because ... ?
20:12 < andytoshi> i think there is always an incentive for people to put stuff on the blockchain, it's not their problem ... so it's up to bitcoin to figure out pruning strategies
20:12 < maaku> not saying it's easy, but also no one's shown it impossible
20:12 < CodeShark> petertodd: I'd love to see some of those implemented :)
20:12 < sipa> maaku: well, i wouldn't call it bitcoin anymore in any case
20:12 < petertodd> maaku: modulo utxo bloat, the existing fee system works just fine: really we've got people whining that they aren't getting cheap transactions because something else can afford a higher fee/byte
20:13 < petertodd> CodeShark: heh, well actually I've got an unreleased upload-files-to-the-blockchain tool that makes them into a shared consensus namespace... add timelock crypto to it and you'd have a rather frightening system
20:14 < petertodd> CodeShark: fortunately $0.1/KB is kinda pricey, and it's even higher if you want to hide in normal-looking transactions
20:15 < CodeShark> petertodd: I also wrote a tool once to upload arbitrary text (base58 encoded) to the blockchain :)
20:15 < CodeShark> I'm only guilty of using it a few times :)
20:15 < andytoshi> there is a rickroll somewhere in testnet (i have the command to play it, but not on me right now)
20:15 < petertodd> CodeShark: heh, it's not rocket surgery... although I think the trick is the retrieval side of things so people find it useful - hence my shared consensus namespace thing
20:15 < andytoshi> i think one of you guys did that
20:16 * petertodd looks guilty
20:16 < andytoshi> i thought it was petertodd, didn't want to accuse since i wasn't sure :P
20:16 < CodeShark> lol
20:18 < nsh> j'accuse!
20:18 < nsh> (best chess move)
20:19 < petertodd> andytoshi: heh
20:19 < petertodd> andytoshi: everytime someone claims bitcoin scales I edge a little closer to releasing the upload tool :P
20:19 < CodeShark> haha
20:19 < CodeShark> petertodd: someone uploaded the source code for a python tool to upload arbitrary data
20:19 < CodeShark> it's still somewhere in the block chain
21:12 < gmaxwell> petertodd: meh, that doesn't worry me _that_ much. The verifier is just a couple dozen lines of code given a suitable pairing library. (which they don't provide, but there are several suitable liberally licensed ones available)
21:14 < gmaxwell> the interesting code they provide is the circuit generator and the prover which are non-normative so long as you don't make something which is married to a single validation key.
21:16 < adam3us> about coloring in the context of zerocash, i think they could include another value in the hash, being the color
21:17 < adam3us> gmaxwell: that kind of sucks about the EdDSA high bit.. i was looking forward to compact k of n sigs, blind sigs & such :(
21:19 < gmaxwell> adam3us: I mean, it would only be a couple of lines of code to add schnorr signatures to sipa's library. compact k of n is kind of a killer feature.
21:20 < adam3us> gmaxwell: kind of annoyed at DJB now that is an unclean hack disguised as a feature. it fails composability
21:23 < gmaxwell> adam3us: well, I was made kind of annoyed by the "Safe or Not" summary table most recently added to safercurves
21:24 < gmaxwell> which has now three times caused me to get questions with urgent concerns that bitcoin's curve is not safe.
21:25 < adam3us> gmaxwell: the guys on IRTF/CFRG are making an RFC for safe curves.. can be good place to ask questions or complain if u see problems. they seem to have a good collection of people who understand ECC & coding
21:26 < adam3us> gmaxwell: as there is a guy moving pretty fast on getting an RFC through standardizing the safe curves
21:26 < gmaxwell> It's my opinion that the addition of the binary safe or not table debased an otherwise thoughtful site to marketing tripe... since it happily fails bitcoin's curve because the endomorphism shaves off 1.5 bits of security, while meanwhile his curves cofactor of 8 shaves off at least three bits of his already smaller curve, and then his implementation throws away another bit for that optimization.
21:30 < CodeShark> "safe or not" is pretty stupid when it comes to proclamations of security completely devoid of context
21:31 < maaku> if someone wants to advocate for schnorr and bip-32 compatibility with the RFC safe curves, that'd be a noble thing to do
21:35 < sipa> what is considered unsafe about secp256k1?
21:35 < gmaxwell> http://safecurves.cr.yp.to/
21:35 < gmaxwell> scroll down
21:35 < gmaxwell> it's "not safe" if it doesn't meet all of DJB's criteria.
21:36 < gmaxwell> the criteria are all interesting. Few of them would justify not-safe for failing them
21:37 < gmaxwell> esp since the criteria omits other no less reasonable considerations like "cofactor == 1", presumably since his own curves fail it.
21:37 < maaku> chiefly, the fact that it doesn't have "25519" in its name
21:41 < gmaxwell> I gave a somewhat irritated response here: https://bitcointalk.org/index.php?topic=380482.0 (being that it was the second time that day I'd been asked about it)
22:28 < andytoshi> wizards, i am enrolled in a "numerical iterative methods" class which is very open ended
22:28 < andytoshi> can you think of any interesting (or useful to bitcoin) numerical analysis projects?
22:35 < gmaxwell> andytoshi: network simulations can fall in that bucket.
22:36 < gmaxwell> andytoshi: if you wanted to fool with an altcoiny thing, control loops for difficulty adjustment. What else? Hm. anti-spam/dos attack heuristics perhaps.
--- Log closed Tue Jan 14 00:00:09 2014
--- Log opened Tue Jan 14 00:00:09 2014
00:22 < phantomcircuit> gmaxwell, just take your entire hardfork list and implement them
01:12 < justanotheruser1> Is there an alternative to pandora that has a GP or BSD license?
01:12 < justanotheruser1> *
04:12 < adam3us> andytoshi: numerical iterative analysis? perfect one for you: selfish attack?
04:51 < adam3us> is there a EdDSA mailing list? or should i just email DJB? want to figure out this highbit/constant time 'hack' limitation on composability, thats kind of broken.
07:18 < andytoshi> adam3us: the 'hack' is pretty simple, the second answer here explains it: http://crypto.stackexchange.com/questions/11810/when-using-curve25519-why-does-the-private-key-always-have-a-fixed-bit-at-2254/11818
07:19 < andytoshi> and it's also easy to avoid, even if you want to run in constant time -- but then we'd have a nonstandard implementation
07:21 < andytoshi> it might be worthwhile to bug him and ask what he was thinking, because it really is ugly and you're a name he ought to recognize..
08:28 < adam3us> andytoshi: hmm so neves is saying it doesnt matter, if the code does the defense as the reference does, it is still constant time. what about the other bits? a[255]=0,a[254]=1, a[2]=a[1]=a[0]=0
08:28 < adam3us> adam3us: none of those will necessarily be the case after public HD derivation
08:29 < adam3us> adam3us: andytoshi: a[255]=0 maybe ok, as |n| < 255 (the order) i presume from the h=8 (cofactor)
08:36 < andytoshi> adam3us: a[255] it appears is always zero, yeah, we'd be fine there (though why are we "using 255-bit strings" with only 254 actual bits??)
08:36 < andytoshi> and as you say (and gmaxwell has been whining for weeks), bit 254 might not be set after public HD derivation, or multisig with additive signatures
08:37 < andytoshi> this seems weird, i dunno why the reference implementation didn't just hardcode the 254 in there
08:38 < andytoshi> maybe add a big comment saying not to change that if you are reimplementing, but i think it's pretty obvious that if you make your loop bounds depend on the input you are asking for timing attacks
08:38 < adam3us> andytoshi: 256-bits (0..255) probably just for power 2 & word size divisibility. not necessary he says you can reuse the bit in bit-stealing if u want.
08:39 < andytoshi> oh, good to know
08:42 < adam3us> andytoshi: so the thing with the co-factor is there is think a small subgroup also as n=h*l (l subgroup size, h cofactor, no points on curve), so trailing 000 is actually computing d=rand(0,l), Q=dG, Q'=8Q i think to avoid the small subgroup,
08:44 < adam3us> andytoshi: (ie the useful private key is 251 bits, and presumably |l|=251) but still u stay in the subgroup once u start there, so Q"=Q'+MAC(chain,ctr)G is still in the subgroup (hopefully!)
08:45 < adam3us> andytoshi: actually i guess |l|=252, the top-bit is not "useful" as its fixed but its still part of the private key
08:47 < andytoshi> adam3us: understood, though i suppose i don't understand why this subgroup is so bad that we actually need to zero it out
08:47 < andytoshi> i guess fixing a representative of the coset is needed for determinism
08:48 < adam3us> andytoshi: actually take that back |l|=253, paper: l is the prime 2^252+2...
08:50 < adam3us> andytoshi: maybe its fixable. its just an obtuse way of saying d=rand(0,l-1) Q=8dG right?
08:50 < adam3us> andytoshi: so do the *8 part after HD derivation
08:51 < andytoshi> that's my understanding, and also i think it's just obtuse so that he can hold bit 254 fixed
08:54 < andytoshi> adam3us: at first glance, doing *8 after derivation would make HD work, i don't think the cofactor is a problem for us (though it weakens security by those 3 bits, and gmaxwell is pissed that djb considers this "better" than the ~1.5 bits our curve loses by fast parameter choices)
08:54 < andytoshi> but i don't see how we can hold bit 254 on
08:54 < andytoshi> though i guess we could grind through HD keys until we get one with bit 254 set :}
08:56 < andytoshi> (kidding!) anyway i've gotta run, good talking to you
08:58 < adam3us> andytoshi: Bernstein et al's style is obtuse in general :( clearly if you do Q=dG (d chosen rand(0,l-1)) then you do HD derivation Q"=Q+M(c,i)G, and finally Q"=8Q' then there is no guarantee that top bit is 1 as its mod l, but we dont care about that anyway
08:59 < adam3us> andytoshi: well with public derivation u have no way to know what the top bit of the private key is.
12:39 < maaku> farewell net neutrality, we hardly knew ye
12:41 < nsh> :/
13:05 < gmaxwell> maaku: you don't have any great ideas on how to prevent incentive buggary with expensive validation do you?
13:10 < gmaxwell> andytoshi: you called it correctly on my complaints. WRT cofactor there are two complaints, one is that there is the direct rho security reduction from the decrease in the order, comparable in magnitude to the rho reduction he dings secp256k1 on. The other is that having a non-trivial cofactor is a necessary precondition for index calculus, though just a single extra distinct prime factor is probably no concern, all thing equal we ...
13:10 < gmaxwell> ... should prefer thing with a cofactor of 1.
13:26 < adam3us> gmaxwell: so do u know does the trailing 000 bits of d matter? that also will be lost by HD derivation
13:28 < pigeons> andytoshi: is there an irc channel or bitmessage broadcast address or something announcing pending coinjoin sessions?
13:32 < gmaxwell> adam3us: so long as you compute the derivation the right way you can preserve it. Basically the scalar you compute in it has to also be a multiple of 8.
13:33 < gmaxwell> adam3us: because the order is prime*8 the sum of any two numbers which are themselves a multiple of 8 will still be a multiple of 8, thats what results in it being a subgroup.
13:33 < andytoshi> pigeons: no, not yet, i have just released a client and having trouble finding testers during my free moments
13:34 < andytoshi> i'll check out bitmessage tho, that'd be fun to set up
13:35 < adam3us> gmaxwell: but if you are working in the subgroup, the scalars are then mod l not mod n=8l? or is B a generator of the full group?
13:36 < gmaxwell> oh darn. hm. I think you're right. obviously the basepoint isn't going to generate the full group.
13:37 < gmaxwell> then I don't understand anymore why the private key is constrained.
12:30 < andytoshi> is the s/2 characteristic random now? istm if i'm publishing coinjoins with inconsistent signatures
12:30 < andytoshi> that screams "this is a coinjoin"
12:30 <@gmaxwell> yes its random now.
12:31 <@gmaxwell> bitcoin git produces signatures where S is always in the lower half. <=0.8.6 S is randomly in the upper or lower half.
12:31 < andytoshi> ok, thanks
12:32 <@gmaxwell> sadly the compressed vs uncompressed is a distinguisher but there isn't anything you can do about that.
12:33 <@gmaxwell> normal users also end up with a mix, so you having a mix doesn't distinguish it as a CJ, but it may hurt users privacy.
12:34 < andytoshi> ok, thanks
12:34 < andytoshi> maybe when i get time to do this 0.9 will be out .. it'll be 3-4 weeks
12:35 < andytoshi> i have been learning crypto 12 hours a day for the last week or two, but i have schoolwork to get on :}
12:36 <@gmaxwell> Certainly not a priority.
13:25 < maaku> very appropriate response to telegram : http://thoughtcrime.org/blog/telegram-crypto-challenge/
13:29 <@gmaxwell> thats really quite brilliant.
13:30 <@gmaxwell> I've suggested a thought experiment of the same ilk in the past imagine bitcoin with the hashes replaced with md5 and the crypto replaced with 512 bit RSA. .. what is the security like? as a metric in how robust the overall system is to weak crypto. Neat to use that as a test of a test.
14:06 < phantomcircuit> maaku, i love that
14:07 < phantomcircuit> gmaxwell, as long as people didn't reuse addresses? still pretty secure
14:07 < phantomcircuit> neat
14:07 < phantomcircuit> i think the biggest issue there would be someone generating collisions with block hashes/transactions
14:07 <@gmaxwell> So cryptocurrencies which "fail inflationary"... which is a property that things like USD has, if you print really good fake USD .. well everyone takes the cost. Not the person that accepted the fake USD, at least not if its sufficiently good.
14:08 <@gmaxwell> phantomcircuit: yea, but that would mostly be a DOS vulnerability and it would result in invalid data, so you could just ban peers that give it to you.
14:08 < phantomcircuit> right
14:08 < phantomcircuit> except now you need to have the full set of txids
14:08 < phantomcircuit> or actually you dont
14:08 <@gmaxwell> It would be totally plausible to make it so that if you get tricked by a recently valid looking bitcoin fork, that both parties get paid. Thus moving the cost of such an attack to everyone holding bitcoin and not just the guy accepting it.
14:09 < phantomcircuit> as long as it's not in the utxo right now reusing a txid wouldn't break things
14:09 < phantomcircuit> theoretically
14:09 < phantomcircuit> gmaxwell, heh incentivize miners to intentionally build forks though
14:09 < phantomcircuit> incentive
14:09 < phantomcircuit> word*
14:10 <@gmaxwell> phantomcircuit: maybe. setting it up right might be tricky.
14:10 < phantomcircuit> heh understatement of the year goes tooooo
16:15 < nsh> ;;title http://thoughtcrime.org/blog/telegram-crypto-challenge/
16:15 < gribble> Error: This url is not on the whitelist.
16:16 < nsh> nu
16:16 < nsh> "So Telegram developers, by way of a response, I have my own crypto cracking contest for you. Below is a horrifically bad protocol that wouldn't last a second in a real world environment, but becomes when presented in the exact same framework as the Telegram challenge."
16:16 < nsh> +1
17:20 < adam3us> phantomcircuit: what requires a lot of private key ops?
17:21 < brisque> adam3us: importing a deterministic wallet maybe?
17:22 < HM2> Moxie is grand
17:25 < brisque> Moxie has an incredibly awesome name.
17:26 < phantomcircuit> adam3us, signing
17:26 < HM2> Diffie said at an RSA conference, not sure if last or this year, that he thought Moxies name was a joke when they first met
17:27 < HM2> (they were talking about Convergence)
17:29 < HM2> I'm guessing Moxies challenge is actually pretty hard because 896bit RSA is reasonably outside computable for average readers
17:30 <@gmaxwell> HM2: his point was to make it clearly unacceptably insecure in several ways but still almost certain to not be broken in the context of the challenge.
17:30 <@gmaxwell> In reality such a system would be broken if it were used for a long time on something high value.
17:31 < HM2> right, if there's a time limit you can get away with weak crypto
17:31 < HM2> but i'm not sure how it's a fair comparison
17:32 <@gmaxwell> http://crypto.stackexchange.com/questions/12425/why-are-the-lower-3-bits-of-curve25519-ed25519-secret-keys-cleared-during-creati
17:32 <@gmaxwell> wtf are with the responses there?
17:32 < HM2> ah
17:33 < HM2> RSA is still more secure than I thought
17:33 < HM2> you can claim $75,000 for factoring 896 bit
17:33 < HM2> 768 bit was factored in Dec 2012, so Moxie has chosen that deliberately
17:34 <@gmaxwell> HM2: hm? the challenges were withdrawn.
17:34 < brisque> HM2: did he use the factored key in his challenge?
17:34 <@gmaxwell> HM2: sure he did. but at the same time we know that 896 is clearly achievable.
17:35 < HM2> sorry, you're right. 2010
17:35 < HM2> why did they retract the challenges? :S
17:35 < HM2> it seems people have been factoring the keys published under the challenge without the financial incentive
17:35 <@gmaxwell> Yes, they have been.
17:38 < HM2> I wonder if he really did dig up an instance of Dual_EC_DRBG to compute the super_secret
17:38 < HM2> I'd wager he didn't
17:38 < brisque> lots of things support EC_DRBG
17:38 < phantomcircuit> HM2, cat /dev/random on a recent but not too recent freebsd box isn't too hard
17:38 < brisque> he probably did, given the way the "contest" is presented
17:40 < brisque> this is something I thought of when helping somebody with their botched job of making a d dropped the end off and I had to remake the hash portion for them to be able to import it.
17:40 < brisque> most of the problems people encounter seem to be with private keys, spending from them and screwing up the keys, not writing them down with capital letters, all very preventable errors. it seems to be proposed in the mailing list that the will be removed and replaced with which seems to fix many of these issues.
17:40 < brisque> could we go further, and make a paper wallet system. the user selects an amount, and an address is created and the funds sent to them. the token is then presented for writing/printing/saving and not saved to the wallet. the token is armoured with a large amount of parity, enough to save the user if there is user created damage. it can only be spent from by destroying it by importing it, and the UI mak
17:40 < brisque> it removes a lot of the danger, and gives the users something useful at the end of it. is this madness, stupid, fantastic? I can
17:41 < HM2> you should just send the keys to moonpig.com and have them sent to them on festive cards
17:41 < HM2> i'm sure they have an API
17:42 < brisque> HM2: a snowman with a carrot phallus, charming.
17:43 < HM2> you obviously made snowmans differently when you were younger to how I made mine
17:44 < brisque> it's one of the cards on the page you linked to
17:46 < HM2> you know, it occurs to me that you could can bruteforce moxies challenge
17:46 < HM2> feasibly
17:48 < brisque> you can brute force lots of things, that doesn't mean it's worth the money to
17:48 < HM2> he's not offering any money hah
17:49 < brisque> I meant it's not worth spending my money on EC2 instances
17:50 < phantomcircuit> HM2, bruteforce which part
17:52 < HM2> well i was thinking his message is only 16 bytes
17:52 < HM2> and its probably something fun
17:52 < HM2> or seasonal
17:52 < brisque> could just as well be /dev/random though
17:52 < HM2> it might even contain words from his post
17:52 < HM2> sure, but this is Moxie
17:53 < HM2> it doesn't help anyway
17:53 < HM2> he makes a good point
17:57 < phantomcircuit> HM2, come up with a message
17:57 < phantomcircuit> xor it against the cipher text
17:57 < phantomcircuit> present as key
17:58 < phantomcircuit> laugh as people who dont understand xor go wild
17:58 < HM2> heh
22:41 < Emcy> http://engineering.bittorrent.com/2013/12/19/update-on-bittorrent-chat/ anyone think this will be much cop?
22:41 < Emcy> seems like theyve just said "moar dht" again
22:42 <@gmaxwell> I wish them luck.
22:43 <@gmaxwell> I would certainly be happy if DHTs were the magical tools people often assume they are. The more systems that get built which fail obviously when the DHT doesn't work the more likely people will work out the issues.
22:44 <@gmaxwell> and even if it only hardly works, we can still abuse it for carrying bitcoin traffic. :P
22:44 < Emcy> haha
22:45 <@gmaxwell> (after all, when we have multiple transports no single one needs to be perfectly reliable)
22:45 < Emcy> their existing sync product uses dht too. They claim its secure and everything, but theres no way to really tell
22:47 < Emcy> i dont think bram cohen likes just throwing the complete spec out there anymore, after what happened with bittorrent
22:52 < nsh> what happened? people made clients?
22:53 < Emcy> basically
22:54 < Emcy> bittorrent has been trying to 'go legit' quite hard recently though
22:56 < nsh> hmm
23:02 < Emcy> http://engineering.bittorrent.com/2013/12/19/dht-bootstrap-update/ hmm thats more technical detail, theyre trying to harden dht against sybil
23:03 < Emcy> also open sourced the bootstrap server which is nice
23:11 <@gmaxwell> I think I'd mentioned before, but the businesses that screw with bittorrent for the recording companies and movie studios already pay ISPs for huge amounts of address space spread across as many /8s and /16s as possible.
23:24 < Emcy> hmm
23:33 <@gmaxwell> maaku: wtf is a "varchar()" is it a null terminated string?
09:25 < adam3us> TD: "TD: (too hard to build secure software systems)" i worry about this. baseband hacking smart phones, targeted sophisticated malware, code base targeted tampering, human error over time.
09:25 < sipa> /ignore WOODMAN
09:25 < TD> adam3us: best "solution" such that it is, is to avoid large pileups of value in one place
09:25 < adam3us> TD: it doesnt seem like security has even warmed up yet. even the trezor & armory wallet are not safe from address substitution and payment protocol still leaves a gap in the merchant server
09:25 < TD> however, wealth inequality will not go away anytime soon. so .... not sure how far that takes you
09:26 < adam3us> TD: i think u could operate quite a bit of bitcoin ecosystem with airgap security protecting funds and airgap level of assurance of ownership of addresses
09:26 < adam3us> TD: even an exchange.
09:28 < adam3us> TD: (using color coin or better labelled /tagged coins on a pegged side chain and an offline issuer key issuing USD against a client funds issuer account. with a high reputation issuer)
09:31 < adam3us> TD: i think the airgap could save it as the exchange then has no btc funds or usdcoin funds at stake. all cash funds are held in offline airgapped wallets at all times. physical security for a merchant is like any supermarket... an armored truck deals with emptying. but even better than can sweep electronically to a vault with armed guards at company HQ.
09:31 * TD -> away
09:35 < adam3us> hmm so maybe a solution is a different property coins circulating though. optionally intentionally (time-limited) revocable coins for large tx by companies to derisk their storage from physical assault. and you can convert from revocable to irrevocable simply by waiting for the escrow smart-contract clause to expire
09:37 < adam3us> and similarly irrevocable become revocable by adding the escrow agent smart-contract. actually for storage the revocability needs to be permanent. the way you remove it is to spend it to an irrevocable address with the cooperation of the escrow agent.
10:40 < adam3us> TD: btw something else on the topic of software security and not daring to make changes to btc anymore, it seems to me there may be scope to simplify high value storage & tx and perhaps layer the assurance. eg full node only model requires less validation, less code, less assumptions, and high value can afford full node reliance. not sure how to layer that upwards to SPV separately, but it seems like a desirable property
10:41 < CodeShark> adam3us: what about high values formed by aggregating lots of small ones?
10:41 < adam3us> TD: also apropos of the new discovery of a 23-year old remote root in all intervening? versions of X11. how would that look for btc as a world currency.
10:42 < adam3us> CodeShark: doesnt change the picture, we're talking systemic risk of value bug
10:47 < michagogo|cloud> ;;later tell shesek Looks like the magic bytes appear 250,010 times in the first 250,000 blocks on disk (bootstrap.dat)
10:47 < gribble> The operation succeeded.
10:54 < sipa> michagogo|cloud: they could be occurring a few times just randomly as part of other data
10:54 < sipa> though 10 times is a lot
10:54 < michagogo|cloud> sipa: Yeah, I know that
10:54 < michagogo|cloud> (we had this discussion earlier (today or last night))
10:55 < jgarzik> adam3us, RE X11... url?
11:36 < adam3us> jgarzik: http://lists.x.org/archives/xorg-announce/2014-January/002389.html
11:38 < adam3us> jgarzik: "checked in on 1991/05/10, and is thus believed to be present in every X11 release starting with X11R5 up to the current libXfont 1.4.6"
11:39 < andytoshi_> adam3us: that bug is older than i am!
11:39 < sipa> andytoshi_: wow :o
11:39 * sipa suddenly feels old
11:39 < andytoshi_> well, only by 3 months :)
11:39 < sipa> well, I was in my first year at school in 1991...
11:42 * adam3us *is* old :) was starting CS PhD degree then
11:42 < sipa> haha
11:42 * sipa feels young
12:00 < WOODMAN> sipa take it somewhere else
12:00 < WOODMAN> sipa now
12:00 < WOODMAN> take it to lethargic IRC chat
12:00 < WOODMAN> now
12:00 < WOODMAN> go
12:00 < WOODMAN> run
12:01 < helo> :/
12:07 < WOODMAN> you kids are funny
12:07 < WOODMAN> B)
12:39 < justanotheruser> andytoshi_
12:40 < justanotheruser> do you have logs from the 2 way pegging discussion?
12:41 < nsh> justanotheruser, it's still in my buffer. can pastebin it
12:41 < nsh> (was meaning to give it another read later anyway)
12:43 < justanotheruser> nsh: please do
12:43 < nsh> moment
12:44 < justanotheruser> nsh: you mean the discussion I wasn't involved in right?
12:44 < nsh> oh, i meant from earlier today. i missed the discussion when gmaxwell mooted it
12:44 < andytoshi_> justanotheruser: one sec, i'm pretty sure i do..
12:45 * nsh defers to andytoshi
12:45 < nsh> (here's today, in any case (unlisted on pastebin): http://pastebin.com/Aefaxfew )
12:47 < justanotheruser> thanks nsh
12:48 < nsh> np
12:54 < andytoshi_> justanotheruser: sorry, i can't find it on my server's logs, will check my laptop's logs when i get home
12:55 < andytoshi_> there are memories in my brain of it, so i'm pretty sure i was present
12:55 < justanotheruser> andytoshi_: ok please PM me them, thank
12:55 < justanotheruser> s
13:53 < gmaxwell> andytoshi_: I made a kind of boring comment about the vntinyram paper: https://groups.google.com/forum/#!topic/scipr-discuss/1psbALDMkAI (mostly I just wanted an excuse to post to the list and see if anyone was reading it, since there were no posts ever)
14:46 < nsh> gmaxwell, is that what you were referring to in this: "but the really small ones have some uncomfortable security tradeoffs (CRS assumption) the ROM ones are somewhat larger (eg 20kb, though I did invent a novel compression scheme which may help, so they may not be good for compressing header proofs" from earlier?
14:49 < gmaxwell> nsh: no.
14:49 < nsh> k
15:08 < jgarzik> adam3us, sounds like the root hole is in BDF font installation
15:09 < jgarzik> adam3us, thankfully, not really an actively used or triggered area
15:10 < adam3us> jgarzik: yes. i was well is the code in the bdf or the code is in a malicious font no? the latter is bad as someone can send u a font file. did u know fedora 18 dvd wont install without network and downloads amongst other things fonts? (they are crazy)
15:10 < adam3us> jgarzik: or is bdf font an optional font system? so no risk if u havent installed that component?
15:11 < jgarzik> adam3us, well, (1) F18 installs fine without network and (2) any download exists inside a GPG-signed universe
15:12 < adam3us> jgarzik: hmm it depends which image u download, i tried 3 of them until i found one that installs without network cable. their new installer is a bit of a mess, but i was pretty determined to get an all offline install and tried 7 isos from ubuntu and fedora over pretty much 2 days
15:13 < jgarzik> adam3us, at which step did you get stuck? I might have had to do some magic to get my F18 going in its network-free VM
15:14 < jgarzik> adam3us, I keep several network-free VMs as virtual condoms for various things
15:16 < adam3us> jgarzik: about the gpg-sig. the problem is 2-fold: one the WoT is sparse, secondly it doesnt define a merkle tree, so the content can be tailored to u and there is no rpm sig equivalent of certificate transparency
15:18 < adam3us> jgarzik: i finally gave up as i recall and used ethernet briefly i was very annoyed by that point, 2 days burnt on fedora & ubuntu i was astounded that it would fail for network on a DVD iso. 4GB and they want to fetch a font on the network or the install aborts. actually it was probably fc 19. i even tried ubuntu server install.
15:18 < jgarzik> adam3us, well each package comes from signed metadata package repo summary
15:18 < jgarzik> adam3us, I agree this does not solve 'tailored to u' problem
15:18 < adam3us> jgarzik: yes my point is say NSA has a copy ... ok right u get it
15:19 < adam3us> jgarzik: there is a solution.. merkle tree of snapshot of packages at iso release time, then your entire install is hardwired to the merkle root.
15:19 < jgarzik> adam3us, nobody wants packages of an era circa iso release time ;p
15:20 < jgarzik> adam3us, familiar problem as with routers: the moment you open the box and turn on the computer, it is out of date and missing security and other critical bug fixes
15:21 < adam3us> jgarzik: actually i would happily take an out of the box for this app, which is admittedly completely atypical (i was testing armory prebuilt stuff and source stuff.) that the DVD wouldnt install therefore was just the opposite.
15:24 < helo> hmmm... ubuntu without network has worked fine for me (via iso-on-usb)
15:27 < adam3us> jgarzik: also i guess we're going to need sooner or later the SSL / cert transparency, for rpm signatures, or something. its pretty much spelled out in like schneier and applebaum research in the docs and articles from that that NSA has well placed TCP hi-jack infrastructure with selective payload delivery. u could imagine they might have hacked some important signing keys via physical intrusion, black bag, NSL etc.
15:29 < adam3us> helo: i am not in a hurry to repeat that experiment it was the least fun i've had with a computer in quite a while. this was ubuntu 10 and ubuntu 12 (whatever armory claimed to be prebuilt for, or latest stable for source) and fedora 18. tried lots of isos. i dont think i was dreaming. been using linux since slackware 0.9 so i am not unusually fat fingered about linux installs
15:30 < helo> yeah, sounds pretty terrible
15:31 < gmaxwell> the fedora stuff kinda shuffles users towards the crappy live image based installers, which I think do have to be online.
15:50 < michagogo|cloud> adam3us: 10 and 12?
15:50 < michagogo|cloud> Which ones?
15:50 < michagogo|cloud> (.04 or .10?)
17:48 < petertodd> Luke-Jr: you realize I've proposed basically the same thing with my zookeyv proposal, and I even took advantage of that by ensuring that proof-of-sacrifice "blocks" in the scheme were always visible in the bitcoin blockchain, so you could know if a 51% attacker was waiting to reveal their attack to the world and outspend them
17:48 < petertodd> Luke-Jr: tl;dr: I'm way ahead of you :P
17:50 < petertodd> sipa: the problem is that if you tie things as tightly to the bitcoin chain as luke is suggesting, the moment someone mines an alt-coin block but *doesn't* publish it you're screwed because all alt-coin clients can see the block header commitment, but dont have the data to go along with it
17:50 < petertodd> sipa: OTOH if your system doesn't have that vulnerability, it's still longest chain wins and you're 51% attack vulnerable
17:50 < Luke-Jr> .. unless we softfork bitcoin
17:50 < petertodd> Luke-Jr: sure, but then it's not a merge-mined chain anymore
17:50 < Luke-Jr> petertodd: sure it is
17:50 < petertodd> Luke-Jr: No, you've just made the blocks bigger with a fancy hash commitment.
17:51 < Luke-Jr> bitcoin miners can enforce disclosure of the merged data to some degree
17:51 < petertodd> Luke-Jr: the whole point of merge-mining is that it's *voluntary*
17:51 < Luke-Jr> petertodd: hence the degree limit
17:51 < petertodd> Luke-Jr: yes, and if disclosure is enforced you've just made the blocks bigger and contain extra data
17:51 < sipa> yup, i see the problem
17:52 < Luke-Jr> only bigger for miners
17:52 < petertodd> Luke-Jr: so what? that's the problem we keep trying to solve
17:52 < killerstorm> OK, let's formulate in a different way: is there a game-theoretic research of Bitcoin? Particularly, double-spend-via-a-bribe attack: somebody wants to double-spend a large amount of money and will pay miners a bribe to help him to do that.
17:53 < sipa> killerstorm: yup, will work for large amounts; you just need to have enough confirmations that reverting it costs more than what one might pay a miner to revert it :)
17:53 < petertodd> killerstorm: yeah, and the results are ugly, don't accept 1 conf payments for $1million and do irreversible things based on them
17:54 < petertodd> killerstorm: notably it's why tx fees being the only thing paying miners leads to really ugly consequences
17:54 < jtimon> killerstorm exactly, the bigger the transaction the more you have to wait, it's not 6 blocks
17:54 < sipa> the 6 blocks number is based on statistics that assumed a much less centralizing mining landscape in any case
17:54 < petertodd> FWIW peter from the bitcoin foundation asked me last summer if I or someone else would be willing to do some research to make up a whitepaper and similar tools to advise merchants on exactly that issue.
17:55 < petertodd> dunno if that project ever went anywhere, but it's an important one
17:55 < killerstorm> I'm afraid it's much worse than you think...
17:56 < Luke-Jr> personally, I don't think merchants want to have to read a paper..
17:56 < petertodd> killerstorm: lots of people forget an attacker might be ripping off multiple people at once for instance
17:56 < petertodd> Luke-Jr: indeed, which is why peter's vanesses idea was to eventually create some calculators for said merchants to do the thinking for them
17:56 < petertodd> Luke-Jr: Like, input in the value of the tx and spit out how long they needed to wait. (subject to certain assumptions about the attacker)
17:58 < Luke-Jr> petertodd: re MM, the problem we need to solve is not forcing people to store data against their will, but also enable innovation beyond Bitcoin taking advantage of the same securing hashpower
17:58 < petertodd> Luke-Jr: yeah, well, MM isn't necessarily that innovation
17:58 < adam3us> Luke-Jr: that seems like an interesting idea. (merge mine where the bitcoin blocks are valid alt-chain blocks)
17:58 < Luke-Jr> present-day MM style does that just fine, really. the 51% risks aren't really a real concern.
17:59 < petertodd> Luke-Jr: you realize that one of the reasons mastercoin hired me was because they realized they needed someone to study that
17:59 < Luke-Jr> petertodd: MM is what is needed to *enable* that innovation
17:59 < petertodd> Luke-Jr: again, MM fails in a hell of a lot of scenarios
17:59 < adam3us> Luke-Jr: I agree
17:59 < adam3us> petertodd: so lets see if we can improve it
18:00 < petertodd> adam3us: heh, what do you think I'm working on?
18:00 < adam3us> petertodd: judging from the above stego encoding msc into btc? :P
18:00 < killerstorm> Well, here's what I'm thinking about: Suppose we have 100 independent miners each having an equally powerful mining rig (thus one of them solves the next block with equal opportunity). Block reward is 25 BTC, normal tx fees are negligible. Somebody sends a transaction with Y BTC in it. Gets 6 confirmations. Then publishes a transaction which pays X BTC to fees. What happens next, super-rational miners realize that all super-rational miners will tr
18:00 < killerstorm> y to do a reorganization. Only 6 miners are NOT interested in reorganization, thus we'll have 94 miners working on a fork.
18:00 < killerstorm> Note that X is not used in equation: it can be very low. Like 1 BTC.
18:00 < petertodd> adam3us: in the mean time, my advice *without* those theoretical - and maybe impossible - improvements is that stego encoding has a hell of a lot of advantages
18:00 < adam3us> petertodd: fair enuf.
18:01 < killerstorm> You can get 25 BTC of a normal reward, or 25.1 BTC of reward + bribe, what do you do?
18:01 < petertodd> adam3us: and remember, knowing that stego encoding is useful, and damn near impossible to stop, is very valuable knowledge for bitcoin too
18:01 < adam3us> petertodd: yes i think however that its a bit of a dead end. it's much more attractive to have secure pegged side-chains or unpegged alt-chains for innovation
18:01 < killerstorm> All super-rational miners will decide to take bribe. So one only needs, say, 0.6 BTC to buy them all.
18:02 < maaku_> adam3us: I don't think you can call pegging "secure" until you get rid of the SPV trust
18:02 < killerstorm> Which basically means that if miners are super-rational and there are many of them, we should just pack and go, it doesn't work.
18:02 < killerstorm> What am I missing
18:02 < maaku_> and incidentally, i have an ignore bit to the topic until that is done :P
18:03 < petertodd> adam3us: it's a "dead end" only because I've shown that you don't need to go any further with the theory; I solved the problem modulo invasive censorship like whitelists, or P2SH^2 v2.0 - and that isn't very likely to get implemented
18:03 < petertodd> killerstorm: 0.6BTC isn't enough because the work done to get all that reward is done and there's a valuable return
18:03 < adam3us> petertodd: yeah i already figured out the stego and kept it to myself :)
18:04 < petertodd> adam3us: heh, did you figure out the timelock crypto version of it?
18:04 < petertodd> killerstorm: for the miners if they don't reorg and keep trucking they get to keep the block rewards that are already there
18:04 < jtimon> petertodd parasitism is more secure and unstoppable, fine, who cares? it doesn't scale MSC can't do the things willet wants at scale with parasitism, at some point you will have to tell him that
18:05 < killerstorm> Well, first miners to win a block will pay 0.5 BTC to OP_TRUE, script, second will pay 0.4 BTC and so on. Each one will collect only 0.1 extra BTC, but it is nice and shiny.
18:05 < petertodd> jtimon: which is why my job there is more aimed at making *bitcoin* scale
18:05 < killerstorm> All super-rational miners think in the same way, so they will find a strategy which rewards everybody who are working on the fork.
18:05 < petertodd> jtimon: (we're all lucky they have enough cash around and pr to consider to do things that may not be strictly economically rational)
18:05 < adam3us> petertodd: no, but better. just publish the key. i think you do not need consensus on the key because consensus is reached on the ciphertext and its non-malleable. same argument as committed-tx
18:06 < petertodd> adam3us: publishing the key doesn't guarantee consensus though - the idea being the timelock crypto is to be able to guarantee that
18:06 < petertodd> adam3us: e.g. if the key doesn't get published, and is uncrackable, you'll never know for sure if one isn't waiting to be published
18:07 < jtimon> ok, then I guess I would just ask you to encourage parasitism over altcoinism more openly, not just over MM
18:07 < killerstorm> petertodd: I think you're missing that 6 miners will get rewards through chain which appeared earlier, and 94 miners will get reward through a fork. Basically, 94% of hashpower will work on forking chain in these conditions.
18:07 < petertodd> killerstorm: ok, I see your point, but the problem is there's no way for those super-rational selfish miners to know they're all working on the same fork, and if they aren't, then defection makes sense
18:07 < jtimon> as always, my claim is that MM is better than independent mining
18:07 < adam3us> petertodd: no i mean dead end like focusing all energy ontop of bitcoin may saturate bitcoin tx throughput and hit its scaling limits, and damage crypto currencies generally. i think there is better scope for innovation if we can focus on uncoupling innovation (btc denominated with pegged side-chain and other with mm alt-chain)
18:08 < petertodd> adam3us: that's a nice concern, but for the individual alt-coin thing their incentive is still to defect and do what's best for them individually
18:09 < petertodd> adam3us: simple example: I want to timestamp a document. Why do I care about the "bitcoin environment" when I just want to easily timestamp something and my desire not to lose the timestamp is worth more than the tx fee to bloat the UTXO set?
08:22 < adam3us> petertodd: say with committed tx; the miner sees which tx arrived first from his point of view, but he has no idea what the tx is about its an opaque crypto blob to him, so if he sees also a double-spend of it, it doesnt actually matter which he chooses
08:22 < petertodd> Ah, yeah, the only order that matters is the order in the blockchain.
08:22 < adam3us> petertodd: he doesnt have to be honest to what he received over the network first
08:23 < adam3us> petertodd: so then the other thing is the miner and a given user could be in collusion (so called 51%)
08:24 < petertodd> yeah
08:24 < adam3us> petertodd: you could imagine multiple network hop encryption of the tx before ordering so that the miner and his cheating buddy cant even recognize which tx is which at that stage
08:24 < petertodd> right, but anyway, the fundamental thing is that consensus on order has to be based on what's in the blockchain, end of story!
08:25 < petertodd> don't worry about in flight transactions and other stuff
08:25 < adam3us> petertodd: yes... so its not really arbitration of what comes first, its just pick a random tx and enforce it ... coin toss if you like
08:26 < adam3us> petertodd: which is weaker than an auditable first come first served namespace
08:26 < adam3us> petertodd: or publication as you put it
08:27 < adam3us> petertodd: so can you securely define a globally consistent transaction order after the fact without the timestamper having any input involving your transaction?
08:27 < adam3us> petertodd: i think... maybe
08:27 < adam3us> petertodd: the timestamper timestamps random numbers
08:28 < adam3us> petertodd: you later apply some arbitration logic using the 6-block old timestamp output as a beacon to drive that decision deterministically
08:28 < petertodd> So here's the other thing: with this "proof-of-publication" sharded blockchain, what a transaction should look like is you would have a merkle-sum-tree of transaction inputs, that is a reference to the previous output, and a scriptSig, and then a corresponding inverse merkle-sum tree of *outputs*. Now from any output, you can audit back to any input, and because it's summed in both directions you're guaranteed for the amounts to add up. IE: an output is considered valid if you can prove a path back to a sufficient number of valid inputs.
08:29 < adam3us> petertodd: truncated at IE: an outpu
08:30 < petertodd> IE: an output is considered valid if you can prove a path back to a sufficient number of valid inputs.
08:34 < petertodd> So, now lets look at the proof-of-publication side of things: what's the absolute minimum thing you need to prove has been published? So we can define transaction outputs uniquely as H(txout)=txoutid. That txoutid commits to the scriptPubKey associated with the txout. Thus what you want to know, is has there ever been a valid scriptSig for that scriptPubKey ever published? This means we can take the entire space of all possible txouts, turn it into a radix tree, and at the base of the tree either have NULL or a "never been published" txout, or H(txin) if the transaction output has been spent.
08:35 < petertodd> (did that get cut off?)
08:35 < adam3us> petertodd: after turn it int
08:35 < petertodd> turn it into a radix tree, and at the base of the tree either have NULL or a "never been published" txout, or H(txin) if the transaction output has been spent.
08:35 * petertodd googles irssi split messages
08:37 < sipa> petertodd: http://scripts.irssi.org/scripts/splitlong.pl
08:37 < petertodd> sipa: what's the magic thing to actually load that?
08:37 < sipa> put it in ~/.irssi/scripts/autorun :)
08:38 < sipa> or use /scriptload <filename>
08:38 < sipa> /script load, sorry
08:38 < petertodd> ha, cool, thanks
08:39 < adam3us> petertodd: catching up "valid if sufficient number of valid inputs" but i think the miners dont care whats in the block i think you have to go back to genesis
08:39 < adam3us> petertodd: not that thats a problem
08:39 < petertodd> anyway, so mining is now a matter of making new versions of that radix tree, and mining fraud is confirming a transaction output as spent when no valid scriptSig existed
08:40 < petertodd> you still need blocks, but blocks are just proof that you manipulated the radix tree in the right way, and how much of that tree you choose to store is up to you.
08:40 < adam3us> petertodd: well there are two possible levels of validation i think you are still validating sigs at mining level, with committed tx i didnt even do that
08:41 < adam3us> petertodd: so maybe you are heading back towards increasing validation again in a diff design towards an alternate spv model with this input/output trie
08:42 < petertodd> Right, see, if miners didn't validate sigs, this system would work only slightly differently: the bottom of the radix tree would be a list of data items. Generally the data items would represent spends of the transaction that could be validated, but they wouldn't have to.
08:42 < petertodd> Again, the fact that there can only be one data item stored in the chain per txout is an optimization.
08:42 < adam3us> petertodd: yes
08:44 < petertodd> So now ask, as a Bitcoin 2.0 user, how do I know a transaction was valid? Well, this is where it gets a bit ugly: for every input required by that transaction output, you need to prove to yourself that the part of the radix tree that committed to the fact that your txout was unspent, has always been unspent.
08:44 < adam3us> petertodd: problem encountered at detail level when trying to do this with committed tx is that you have to be able to prove to your recipient that a forged spend is bogus and you cant do that with hashes (not easily ... i didnt see a way) so i had to use a MAC so you can prove ok if you see the mac & sym encrypt so you can give the recipient the enc key and they can see it matches the mac but decrypts to junk
08:45 < petertodd> IE, by doing that, you've proven that miners have been honest, with respect to that particular transaction output.
08:47 < petertodd> Ah, ok, so this is an interesting point: lets suppose a miner changes the state of the TXO set they commit to from, say, unspent to spent, but you've never actually spent the transaction? What then?
08:48 < petertodd> This is really ugly, because you can't prove a negative: the bottom of the tree is a hash, and you can't show that the hash is invalid!
08:48 < adam3us> petertodd: yes that sounds probably analogous - what i found was i need to be able to demonstrate to my recipient that the spend is fake
08:49 < petertodd> All you can do is show that every block ever mined *didn't* have a transaction in it spending that txout.
08:49 < adam3us> petertodd: precisely
08:49 < petertodd> Which gets to the other issue: this radix tree shouldn't be all TXO's ever, it should only be the TXO's in some time period! Now you *can* show this, by providing proof on a block-by-block basis.
08:49 < adam3us> petertodd: i had two possible solutions: require that it be signed, and you reveal your pub key only to the recipient and then they can see this is garbage
08:50 < petertodd> um, retype that?
08:51 < adam3us> petertodd: so eg what goes in the tree is ecdsa r, s value rather than hash output, so no-one has a clue what it means (except tweaked in some way so they cant compute Q from r,s via ecdsa recovery)
08:52 < petertodd> So maybe to keep this proof small, what we want is to "merge" old history: first commit to the transactions that were in the past block, then all in the past two blocks, then four blocks and so on. The proof is now "I prove a valid spend didn't exist in the past 1 block, or the two blocks prior, or the 4 blocks prior to that etc."
08:52 < petertodd> You can prove fraud, simply by showing that a spend did exist at layer 2^n, and layer 2^n+1 didn't include it.
08:53 < petertodd> adam3us: hmm... I'll have to read up on that again... I'm not familiar enough with the details.
08:55 < adam3us> petertodd: basically (i forgot also details) but you want to ensure that you can prove forgeries are garbage via encryption, or signature so that while someone can forge "spends" you can prove they are garbage, using the advantage that you have the signature private key of the undisclosed public key hashed in the address
08:55 < petertodd> Basically what this 2^n scheme is doing is making miners make commitments to what txouts were spent over increasingly larger fractions of the blockchain. The *point* of it, is to be able to recover from the case where an invalid tree is committed, and no-one catches it: you give the person you're sending the coins to the proof of miner incompetence, and they take that into account. (or conversely, a miner distributes that along with their block)
08:55 < adam3us> petertodd: so then its not proving no spends, its proving no spends or all spends are forgeries
08:55 < petertodd> Ah I see.
08:56 < adam3us> petertodd: not in a clever way... you just give the recipient a key to decrypt all of the forgeries and then test them as if they were dsa sigs.. if they are not the recipient throws them away
08:56 < petertodd> yeah
08:58 < adam3us> petertodd: so it circles back to your comment that suppressing doublespends being stored is just a storage optimization; if you give the miner some way to verify the sig, he can throw them away himself
08:58 < petertodd> adam3us: Yes... and no. Someone's gotta have this !@#$ data at some level.
09:00 < petertodd> As clever as all of the above is, without the data it's just commitments. Even worse, without the data you can't change what is being committed to.
09:00 < adam3us> petertodd: the objective with committed tx is to keep the miner in the absolute dark so he knows nothing, as that robs him of policy based decision making and so the amount, sender, and recipient are all hidden
15:25 < jrmithdobbs> i think test-driven-development (besides making me want to kill people) actually *PROVES* (like, possibly mathematically, with a bit of fiddling) that SSL/TLS is broken by design
15:25 < jrmithdobbs> think about this for a second
15:25 < jrmithdobbs> so, I'm trying to add proper cert validation to some code acting as a tls client
15:25 < jrmithdobbs> let's assume i can get the code correct, i move on to writing the test cases for it
15:26 < jrmithdobbs> let's even assume we get past that part
15:26 < jrmithdobbs> now the test suite needs to act as a tls server in order to use the certs in the test cases
15:26 < jrmithdobbs> which means the code now needs functionality completely irrelevant to its actual purpose
15:26 < jrmithdobbs> which means you have a new set of functionality to test
15:27 < jrmithdobbs> problem: a valid tls server implementation requires valid x509 validation
15:27 < jrmithdobbs> so we can't test the tls server code without solving the original problem the tls server code is meant to solve
15:27 * jrmithdobbs MIND BLOWN
15:27 < jgarzik> hmmm
15:27 * jgarzik scrolls back, after putting down wife and 2 kids for naps
15:28 < jrmithdobbs> if it can't be proven to "broken by design" it can at least be proven that there is no such thing as a tls *client* only servers acting as clients
15:28 < jrmithdobbs> (which to me really, is the same level of brokenness due to complexity in this context, really ;p
15:28 < jrmithdobbs> )
15:29 < HM> jrmithdobbs: i just give up
15:29 < HM> throw stunnel up in front of your server, firewall things properly
15:32 < jrmithdobbs> that doesn't fix the fact that this shit isn't validating certs properly on outbound connections and the fix to make it so wont get merged without test cases ;p
15:32 < HM> what 'shit' is this?
15:33 < jrmithdobbs> (all of the above came from a real scenario, not imagined PKI/x509 whining, jfyi https://github.com/gitlabhq/gitlabhq/issues/3445 )
15:33 < HM> yeah
15:34 < jrmithdobbs> this shit is unimplementable in a deterministic fashion =/
15:34 < jrmithdobbs> what a clusterfuck
15:35 < jrmithdobbs> can't even blame ruby (let alone rails, this is the non-rails part of the app, though the rails part uses https for git cloning without verifying too! ugh!)
15:35 < jrmithdobbs> this is a problem with the standards not the language =/
15:35 < HM> how can CN verification be off?
15:35 < jrmithdobbs> because it was never on
15:36 < HM> actually stunnel does this as well
15:36 < jrmithdobbs> openssl doesn't do that for you, it just verifies the chain
15:36 < HM> " Specifically for level 2 every non-revoked certificate is accepted regardless of its Common Name"
15:36 < HM> default is level 0
15:36 < HM> stunnel is a proxy frontend for OpenSSL basically
15:36 < jrmithdobbs> binding it to an identity (the fqdn in the case of https) is outside the scope of openssl's implementation
15:36 < jrmithdobbs> believe it or not
15:36 < HM> wouldn't surprise me if those levels were part of the openssl api
15:36 < jrmithdobbs> people don't seem to realize this
15:37 < jrmithdobbs> so nothing but browsers validates properly, basically
15:37 < HM> hmmm
15:37 < jrmithdobbs> gmaxwell linked a paper that backs up that statement a while back
15:37 < HM> what about SNI?
15:37 < HM> that moves the requested hostname up to the SSL/TLS protocol level
15:37 < jrmithdobbs> doesn't matter if you don't check the identity after performing the sni operation
15:38 < jrmithdobbs> sni solves a different problem
15:38 < HM> sure
15:38 < jrmithdobbs> the problem is nothing verifies the identity, not in requesting the right identity (though that is a problem too, and i'm not sure how well sni addresses it because i've not looked at it much because nothing supports it)
15:38 < amiller> gmaxwell, tpm and split key are so *boring* i wish you would toss along "or another blockchain" as another kind of delegation
15:39 < jrmithdobbs> amiller: imagine the tpm is controlled by an agent, not so boring now, eh?
15:39 < jrmithdobbs> ;p
15:39 < amiller> that's just a tpm
15:39 < amiller> agent is a non-word there
15:39 < HM> i think SNI would solve it
15:39 < jrmithdobbs> HM: it doesn't.
15:40 < jrmithdobbs> HM: sni doesn't have anything to do with the fqdn -> subject/subjectAltName binding/verification step
15:40 < HM> for http?
15:40 < HM> i don't know what gitlabhq is
15:40 < jrmithdobbs> HM: it's a method for requesting the identity you intended, if you don't verify it afterwards sni doesn't force you to verify it afterwards any more than plain https
15:40 < amiller> the options are a) use a magic tpm remote attestation device, b) use an M-of-N split of designated trust identities, or c) an anonymous public competitive process like bitcoin
15:40 < jgarzik> amiller: boring but useful, in the stated use case (spend to address -> trustworthy, automated split of spent funds to N independently controlled addresses)
15:41 < jrmithdobbs> HM: think github / gitolite / gitorious
15:41 < HM> perhaps you're right
15:41 < jrmithdobbs> sni is kind of stupid too
15:42 < jrmithdobbs> because http just needs a real starttls command ;p
15:42 < amiller> jgarzik, fair enough, in order of usefulness i'd say the order goes (most useful) an anonymous public competition, (second most useful) m-of-n trusted designees, (last most useful) tpms
15:42 < jrmithdobbs> sni already requires agreement on protocol level changes, if you're conceding that just add starttls to http damn it
15:43 < HM> jrmithdobbs: https://www.ietf.org/rfc/rfc2817.txt this isn't good?
15:43  * amiller reads up and finally sees jgarzik's original question though
15:43 < amiller> that would be really easy to encode with more powerful scripts and wouldn't require any of the three *fancy* solutions...
15:44 < jrmithdobbs> i should write a paper about this experience
15:44 < jrmithdobbs> and title it "An indictment of x509, tls, and the security community at large."
15:44 < jrmithdobbs> ;p
15:44 < amiller> so any bitcoin value sent to this address is automatically split three ways
15:45 < amiller> that's cool
15:46 < jgarzik> amiller: ?
15:46 < jrmithdobbs> HM: you mean the 13 year old document that has no chance of ever being implemented?
no there's nothing wrong with it per se, it's just never getting implemented ;p
15:47 < HM> i thought Google's SPDY was going to require TLS by default
15:47 < HM> the HTTP 2.0 scene seems to have gone quiet though
15:47 < amiller> jgarzik, that application is really cool, i haven't seen anyone talk about it before, and it's a great example of something that shouldn't require 'fancy' trust splitting techniques and would be a good justification for slightly more powerful scripts that can constrain txouts in subsequent txes
15:49 < jrmithdobbs> HM: but actually, yes, in glancing over it i can come up with a few problems with that too =/
15:49 < jrmithdobbs> HM: implementing that requires concession of http proxies, big ones
15:50 < HM> Websockets upgrade is also broken in the face of shitty proxies
15:50 < jrmithdobbs> HM: it basically MUST be possible to CONNECT through an http proxy to port 80 and 443, for starters, which if you're somewhere trying to use said http proxy for egress filtering in a non-evil-mitm way it makes things difficult without conceding to evil and mitm'ing the traffic
15:51 < gmaxwell> amiller: I don't even know how you'd really usefully express those limits... and they wouldn't be compact at all... kinda sucks to have to carry around a bunch of data in the distributed consensus for a one time operation.
15:51 < jrmithdobbs> (assuming you have access to the client, which in these scenarios you usually do)
15:51 < gmaxwell> (obviously I know how it can be expressed at all
15:51 < jrmithdobbs> HM: also i see about 10 different ways implementations could shoot themselves in the foot with that (it's too complex)
15:52 < amiller> gmaxwell, the limits for jgarzik's split-three-ways txouts?
15:52 < HM> This is why I don't like implementing SSL/TLS
15:52 < jrmithdobbs> HM: but then, so are the range/etc operators introduced in http/1.1 that are related to that connection upgrading stuff (outside of that tls extension) is guilty of the same, so in this case it's an http and tls problem for once at least ;p
15:53 < jrmithdobbs> http with or without tls is a security nightmare to implement correctly, adding tls in any way makes it that much more convoluted =/
15:53 < amiller> i don't know why i never thought of it before but it might be exactly the simple killer app i've been hoping for...
15:53 < gmaxwell> amiller: Yes, well he didn't say /three/ ways...
15:53 < jgarzik> amiller: arbitrary split, not 3-way
15:53 < HM> jrmithdobbs: let's leave http now :P
15:54 < amiller> the basic thing that this would need to work is a way for a txout to validate txouts in subsequent txes
15:54 < jgarzik> amiller: Example: lead dev gets 50% of funds, remaining devs split remainder of funds.
15:54 < gmaxwell> amiller: hm? I thought you'd talked before about constraining following txouts? but it becomes messy fast. e.g. what happens when you want to spend two coins in the following txout with conflicting constraints?
15:54 < amiller> the representation would be like a remaining balance for each of the parties, rather than one total btc amount
15:54 < jgarzik> a "fund broadcast" almost
15:55 < amiller> so each 'change' tx would have to put back the correct amounts for the other parties
15:55 < amiller> oh or the simplest thing
15:56 < amiller> maybe make it so anyone can spend it
15:56 < amiller> but...
the only 'valid' way to spend it is to split it into however many txouts
16:03 < amiller> so yeah i have talked before about constraining following txouts but i've never had any example where that was necessary or the easiest way to implement, but this is a good candidate
07:15 < adam3us> petertodd: it is a deterministic signature however, if you spend to the same recipient, same amount you release the same sig, so no leak
07:16 < petertodd> yup
07:16 < petertodd> but anyway, I gotta go
07:16 < adam3us> petertodd: so you need like database transactional behavior
07:16 < adam3us> petertodd: 'night!
07:16 < petertodd> later
07:16 < petertodd> read through that txin post if you could btw
07:16 < petertodd> thanks
07:16 < adam3us> petertodd: i am
07:26 < jtimon> petertodd I'm still reading your proposal, looks very promising
07:38 < jtimon> I have some questions when you get back
07:45 < warren> The obscure exploit in Litecoin's code for the clones with non-Litecoin parameters might not actually work. They're failing to make a copy of our code work at all.
08:16 < Emcy_> it seems like you really want to see that logic bomb go off
08:21 < Emcy_> did i just hear right that the foundation is involved in some sort of child protection "task force"
08:23 < Emcy_> that pretty much precludes any endorsement of measures to counter things like CV, or even indifference since theres no way to magically separate out 'good' uses of privacy from bad ones
08:23 < Emcy_> however desirable that may be especially in this case
08:25 < warren> The logic bomb may or may not exist. They lack the ability to figure out if it exists.
08:25 < warren> They can't even get the code to run.
08:27 < Emcy_> also i find it interesting that the first panel consisted of the reps from the very serious and scary agencies and depts of government, and the second panel they threw a child protection guy in with the actual 3 reps from the bitcoin community.
08:27 < Emcy_> an attempt to steer the commentary or am i just cynical
08:30 < Emcy_> god did he really have to namedrop some of those onion sites........
08:32 < Emcy_> now he just basically said we need to break privacy for everyone because actual police work is expensive and difficult
11:52 < petertodd> jtimon: thanks!
11:53 < petertodd> warren: lol
11:53 < TD> wow
11:54 < TD> tony actually submitted my smart property auto loan protocol as an example to the US Senate
11:57 < petertodd> TD: congrats!
11:57 < TD> thanks! a little bit of #bitcoin-wizards has gone to washington :)
14:43 < BlueMatt> TD: nice!
14:43 < sipa> it's in 45 minutes, right?
14:43 < sipa> *47
14:43 < BlueMatt> yea
14:51 < TD> BlueMatt: wanna see a video of micropayments based file download app?
14:52 < BlueMatt> TD: really? yes!
14:52 < TD> http://www.youtube.com/watch?v=r0BXnWlnIi4
14:52 < TD> i made this for a journalist who is writing a story about cool stuff you can do with bitcoin, contracts and so on
14:52 < TD> he wanted to see it
14:53 < TD> it's not _quite_ ready to ship yet but a guy has turned up to help and is serious, he's been submitting patches. so i think it should launch by EOY
14:53 < BlueMatt> TD: wow, that is beautiful
14:53 < BlueMatt> is the code public?
14:53 < TD> https://github.com/mikehearn/PayFile
14:54 < TD> there's a CLI and a server as well, of course
14:54 < BlueMatt> awesome
14:54 < BlueMatt> out of curiosity, how long did it take you to bootstrap that?
14:55 < BlueMatt> ok, this seems unreasonably high, sending a block from new york -> sydney -> new york is taking multiple seconds???
14:55 < BlueMatt> is that a shitty network stack or is that shitty tcp?
14:56 < TD> the actual amount of code is small, but i developed the wallet template app and fixed a bunch of micropayments issues along the way so hard to say
14:56 < TD> but if you look at the code it's not very complicated
14:56 < TD> switching it to use a properly abstracted protobuf rpc layer like p2proto would reduce the code size even further
14:56 < TD> also it's java 8 so i get to use lots of lambdas and CompletableFuture
14:56 < TD> which is sort of like ListenableFuture but on steroids
14:57 < TD> but payfile was an evenings and a few weeks jobby
14:57 < BlueMatt> ahh, well, still...thats awesome
14:58 < TD> when it's done i was thinking of making some video tutorials where i actually code it up, on the video
14:58 < TD> i reckon we can make the code required small enough that a code sprint from start to finish could be just a few hours
15:00 < BlueMatt> yea, in theory it shouldnt be hard, but yea, thats pretty awesome
15:00 < BlueMatt> a tutorial would be pretty cool, get people using micropayments
15:01 < TD> right
15:06 < TD> anyway glad you like it. and yeah i put in some effort to make it look nice and be usable, like with the qrcode button
15:07 < TD> i'm looking forward to seeing what people make of it. we found a really nice java installer creator as well - you can even create windows installers from mac/linux without needing windows (signed!)
15:07 < BlueMatt> damn
15:08 < BlueMatt> yea, Im not sure about the use it will get, but its a perfect example for micropayments and it should drum up some interest for other related projects
15:09 < TD> well downloading files isn't terribly important.
15:09 < TD> but simon, i think, is ambitious. he wants to evolve it towards gmaxwell's StorJ vision. like after v1, he wants to do uploads, and from there ....
15:11 < BlueMatt> ooo
15:11 < BlueMatt> yea, ok, thats very useful
15:36 < coryfields> Luke-Jr: around?
15:37 < cfields> Luke-Jr: just in case i was invisible just now, re-ping
15:44 < phantomcircuit> hmm
15:45 < phantomcircuit> im running master on a server with zfs
15:45 < phantomcircuit> a client is reporting that the time of a block it's sending is too far in the future
15:45 < phantomcircuit> given it's zfs im not thinking disk corruption is likely
15:59 < Luke-Jr> cfields: ?
16:12 < petertodd> TD: in addition to data streaming, here's another application for your micropayments: http://www.reddit.com/r/Bitcoin/comments/1qzr3n/when_escorts_start_accepting_payment_in_bitcoin/cdi450c
16:13 < TD> like pay-per-minute sex? i think that establishes the wrong incentives ....
16:13 < petertodd> TD: hehe
16:13 < TD> i guess camgirls could use it though
16:13 < warren> cfields: you still going to do the qt dep upgrade?
16:14 < TD> if there was a generic pay-per-second stopwatch
16:14 < TD> petertodd: btw, economist writes up fidelity bonds/sacrifices on the babbage blog: http://www.economist.com/blogs/babbage/2013/11/internet-security
16:14 < petertodd> TD: actually that'd be a nifty thing...
generic payment-protocol-using pay-to-time-money
16:15 < TD> (unfortunately the journalist called it "Mr Hearn's protocol" at one point, I wrote him to correct that, dunno if he'll update the blog)
16:15 < petertodd> TD: thanks, that's awesome
16:15 < petertodd> TD: do mention the computational financial side of it too - they're both distinct use-cases
16:16 < TD> there's a larger article coming out at the end of the month in the print edition that covers more topics, not sure what it'll contain exactly
16:17 < petertodd> TD: interesting; the economist tends to have good insight
16:17 < TD> well after spending ~1 hour talking to one of their journalists, i am not really surprised by that, they do their homework
16:18 < TD> after he heard about the anonymous ID protocol he got really excited by it and obviously wanted to write about it ASAP
16:18 < TD> so that's pretty cool
16:18 < petertodd> Yeah, I think in the short term the anonymous ID stuff is much more interesting - financial uses for sacrifices are much more abstract and theoretical.
16:19 < TD> yeah
16:19 < petertodd> I mean, it's cool and all you can make fidelity bonded banks with all those nice incentives, but that doesn't mean they're useful.
16:21 < cfields> warren: osx dmg built in linux, up and running on osx :)
16:22 < cfields> Luke-Jr: deterministic dmg's would be a major headache, if even possible
16:22 < warren> cfields: can the toolchain itself be deterministic and unpacked in one of the existing VM's?
16:23 < cfields> warren: yea. going to take a while to clean it up, but that will be the end result
16:23 < warren> cfields: awesome
16:23 < petertodd> http://www.reddit.com/r/Bitcoin/comments/1qz6hn/dont_believe_the_numbers_in_blockchain_scam_alert/ <- cryptographic proof, you don't grok it
16:24 < warren> cfields: what is the minimum macosx version that it will run on?
16:24 < warren> cfields: I think we can drop 10.5.x
16:24 < cfields> warren: should be 10.5
16:24 < cfields> it's currently running on my 10.6 box
16:25 < warren> cfields: following gavin's instructions our binaries don't work on 10.5
16:25 < warren> 10.6 works
16:25 < warren> in any case are there really 10.5 users?
16:26 < cfields> warren: that discussion is tangential.
16:27 < warren> cfields: how much more work would it be to make it 32/64bit in the same binary?
16:28 < cfields> not too bad, you'd basically just do the whole thing twice
16:29 < warren> cfields: can users crypto verify the .app without executing anything in the .dmg?
16:30 < warren> since the .dmg can't be deterministic
16:31 < cfields> not saying it can't be, just saying it may be an unreasonable amount of effort. .app is a much more reasonable (first) goal
16:31 < cfields> and yes
16:32 < cfields> there's still a long way to go.. it's big, it's not pretty, it was built by hand, etc
16:33 < cfields> just figured i'd mention that it's up and running
16:36 < warren> cfields: are you still doing the planned qt dep upgrade? we've held off from touching that stuff because you requested.
16:36 < cfields> hmm, forgot about that
16:36 < cfields> yea, i'll dig it up and PR it
16:37 < warren> cool
16:37 < Luke-Jr> cfields: DMGs are just disc images, why would that be a headache? O.o
16:38 < cfields> Luke-Jr: hehe, they're far from 'just disc images' :)
16:38 < Luke-Jr> they *can be* at least
16:38 < cfields> Luke-Jr: yea. seems there's all kinds of randomness baked into the spec
16:39 < cfields> i can get to the bottom of most of it.. but to go further means really nasty hacks
20:51 < gmaxwell> This leaked information about the distribution of balances, ... with the right tree construction the leak could be reduced, but it still leaked.. and this is perhaps commercially interesting data.
20:52 < gmaxwell> So instead: You make a sum-tree over the funds you can spend, which commits to all your spendable coins and their sum value... and you commit to this in a super public way so that all customers get the same value.
20:53 < gmaxwell> oh @#$#@ I forgot it now darnit.
20:54 < phantomcircuit> gmaxwell, :)
20:55 < phantomcircuit> gmaxwell, is there already a branch which doesn't keep archived blocks?
20:56 < phantomcircuit> (or rather doesn't ever save the info at all)
20:56 < phantomcircuit> i'd like to see how well it works on my raspberry pi with its terribly slow sd card
20:56 < gmaxwell> phantomcircuit: no. Needs fairly minor p2p changes to be correct. (also, you will need to keep the recent blocks for reorgs, since there is no promise that you can fetch them again once the network has reorged... so not saving at all isn't really an option)
20:57 < phantomcircuit> gmaxwell, yeah the idea here is more of a poc than a production ready example
20:58 < phantomcircuit> it would be connecting directly to a node i control such that it can guarantee having 100% of the previous blocks for a reorg
20:59 < phantomcircuit> dont worry i wont be going around telling people they should all switch to my brilliant code
20:59 < phantomcircuit> :)
20:59 < gmaxwell> ohohoh right. so you sort all of your spendable outputs... and then assign contiguous ranges of spendable outputs to each customer equal to their balances. You build a tree which commits to the output<->customer correspondence. Make it highly public. And then when customers connect you give them proof that they have coin assigned to them in this proof.
21:00 < gmaxwell> phantomcircuit: we've been talking about completely inhibiting serving blocks which aren't on the main chain. though it works now.. I mean for POC.. just go delete the files ... if nothing requests them it works (if something does it'll crash.
:P )
21:01 < gmaxwell> phantomcircuit: so the service has committed to one set of coins and one set of user<>coin mappings the actual mapping is irrelevant, so long as there only exists one at a time and you're not giving a custom one to each user.
21:01 < gmaxwell> This way people do not learn how much funds the service has (except very roughly by the size of the tree), and they do not learn anything about the balances of other users, except a tiny amount where a single coin owned by the service has to be split between two users.
21:02 < gmaxwell> and users only learn the identity of coins owned by the service ~proportional to their own balances.
21:03 < gmaxwell> you could prefer mappings to use coins that were deposited to the user in question so in the case where it isn't behaving as a shared wallet (where you really don't need the proof) the proof teaches you ~nothing you don't know from the blockchain.
21:47 < amiller> i have a really good idea, it uses a lot of fancy generic zero knowledge though
21:47 < amiller> i've been trying to make an anti-outsourcing proof of work puzzle
21:47 < amiller> one that would make something like gpumax totally implausible
21:48 < gmaxwell> amiller: one problem I had thinking about that space is that I wasn't sure that I could really define outsourcing.
21:48 < amiller> the idea is that doing the mining necessarily requires knowledge of a secret key, such that that knowledge acts like a trap door that can be used to steal the reward somehow
21:48 < gmaxwell> yea, thats the best idea I've seen here. where you do signing in the innerloop of the POW. But how does one then make the proof small?
21:49 < amiller> maybe if we're already doing lamport signatures then that's okay
21:49 < amiller> well yeah that's the best idea so far but it's also not enough
21:49 < gmaxwell> if there are few signatures then the communication overhead will not be great enough to prevent outsourcing?
21:49 < amiller> the problem is that just having that secret key doesn't make the trapdoor necessarily easy to use
21:49 < amiller> gmaxwell, imagine you need to do a signature to scratch off a single attempt
21:49 < amiller> mining requires lots of attempts and therefore it's hard to outsource that without leaking the key
21:50 < amiller> either way give me a pass for that part, it's the relatively easy part
21:50 < amiller> the thing is even without outsourcing and leaking that key, in any ordinary scheme that looks like hash cash but with signatures, it's not obvious that the centralized service provider can't just promise not to use the trapdoor
21:51 < amiller> if the service provider could steal from one client but then would be found out, then it would be easy to believe it's not in the service provider's best interest to do so
21:51 < gmaxwell> interesting: so don't pool the payments and then this is outsourcable. :(
21:51 < gmaxwell> actually I kinda have a solution for that.
21:51 < amiller> so what i really need is a kind of silent trapdoor that can be used to steal the reward and money if it's known, but that doesn't leave any trace whether it was used or not
21:52 < amiller> something like this would create the perfect environment of distrust, which is exactly what's needed for bitcoin mining resources to be decentralized
21:53 < amiller> i have a scheme in mind to do this but it sounds a bit ridiculous, i'm going to explain it anyway and maybe it can be simplified
21:53 < gmaxwell> OKAY
21:55 < amiller> the way it works is that a successfully mined block doesn't result in a bonus immediately, instead the bonus is learned later, and it's drawn from some lottery probability distribution
21:55 < amiller> the drawing depends on information in future blocks
21:55 < amiller> in particular the drawing is influenced by statements in some future block that looks like:
21:58 < amiller> "the block reward bonus from several blocks ago is X, which is drawn from
probability distribution p, and either: a) the probability is p0, or b) I know the trapdoor private key, Y, in which case the probability is only p0/3, and with separately probability p/3 if it wins then some of that sneaks out a secret channel to pubkey Z"
21:58 < gmaxwell> This may be a sign I've read too many papers, but why not use a signature scheme specifically constructed to have this vulnerability: http://link.springer.com/content/pdf/10.1007/s10207-005-0071-2.pdf#page-1
21:59 < gmaxwell> The idea is that you would have the work definition. like H(header) and then the payee would sign the header. Then the miner would UTXO hard work on it.. and if it's a winner the miner could use the weakness to change himself to be the payee.
22:00 < gmaxwell> E.g. UTXO hard mining and making it so the miner can steal the work... but they could still pass back unstolen shares to get credited. The trick is making it so no one else can steal the block. :P
22:00 < amiller> i don't see how that prevents the service provider from basically promising that won't happen and preventing the client from detecting it
22:00 < gmaxwell> amiller: no no UTXO hard work, and you make the client the thief not the provider.
22:01 < gmaxwell> amiller: you can solve your problem by making it so that either side can cheat.
22:01 < amiller> i don't think that's enough because the client doesn't necessarily have to be paid out directly to his own key
22:01 < phantomcircuit> gmaxwell, pst pm
22:01 < gmaxwell> A lot of people spaz out thinking "omg what if the miner keeps the block for himself!" when talking about pooling. ... so make that possible.
22:04 < amiller> hm.
22:04 < amiller> well one problem with the key substitution vulnerable signatures is that the signature has to be deterministic, in order for it to be suitable for use as part of a PoW puzzle
22:05 < amiller> well maybe that's not exactly true
22:05 < amiller> hm
22:05 < gmaxwell> if the signature is before the POW hard part (E.g.
it isn't the hard part itself) it doesn't have to be.
22:05 < amiller> yeah but if it's not part of the PoW hard part then it's really easy to outsource the rest
22:05 < amiller> to outsource the hard part i mean
22:06 < amiller> but anyway that's not a problem
22:06 < amiller> with this substitutable signature i mean
22:06 < gmaxwell> Right but the idea is that you make it so the solver of the hard part can retrospectively replace the address that it's paying to. But I'm not quite sure if its possible to make it so that he and only he can do it while at the same time make it impossible for him to tie his hands.
22:06 < gmaxwell> (e.g. and prove that he's arranged it so that he can't do it)
22:07 < amiller> so one key about my scheme is that the trapdoor holder is able to reduce the probability distribution arbitrarily
22:07 < amiller> that means he can choose any small amount that avoids detection
22:07 < amiller> or for example, only skim from the 'rare' events
22:08 < amiller> which are less likely to be detected given a lot of samples
22:08 < gmaxwell> one way to do it would be with some kind of commitment scheme to decide who a block pays to. E.g. instead of the block specifying who it pays to, you instead announce to the network the ID of a winning block and who it should pay to. And once thats propagated enough you announce the block. but then we need a blockchain to secure our blockchain, yo dawg.
22:09 < amiller> none of that prevents the mining service provider from promising to commit the winnings to the client
22:09 < amiller> it doesn't prevent the mining service provider from being detected doing that
22:09 < gmaxwell> Yep but its the user you have to worry about doing that.
22:10 < amiller> the mining provider doesn't have to share the mining key with the user
22:10 < gmaxwell> What mining key?
14:52 < maaku> adam3us: Jorge and my proposal (in the Freimarkets PDF) is to have "private accounting servers" -- private servers that speak bitcoin p2p, but with the consensus algorithm surgically removed
14:52 < adam3us> gmaxwell: the ledger is central there can be a court order to modify it
14:52 < adam3us> gmaxwell: if there is no mining there is no security against modification
14:52 < maaku> digitally sign blocks instead of proof-of-work
14:52 < maaku> but you could use open-transactions too
14:52 < gmaxwell> adam3us: the value behind the ledger is central regardless. Some court orders RS to pay cert 12345 to 23456 instead. "What now, bitches?"
14:52 < maaku> either way, you get the same security properties and don't force everyone to track your ledger
14:53 < adam3us> maaku: i dont think consensus like ripple can actually make a DBC nor a smart-contract because the transaction layer does not finally and (fairly) instantly settle
14:53 < gmaxwell> as maaku says.. what OT supposedly does is let you distribute that stuff (but not decentralize it) and it also produces receipts that can show when the ledger operators cheat.
14:53 < adam3us> gmaxwell: as i said the thing is the issuer for adam3-usd :0 is not online
14:53 < adam3us> gmaxwell: it doesnt get involved in exchange, just in changing the money supply, with an airgapped key
14:54 < gmaxwell> adam3us: there is no reason for the consensus and issuing to be the same keys... It's not like bitcoin instantly clears.
14:54 < adam3us> gmaxwell: yes sure but OT is still centralized just slightly redundant
14:54 < maaku> so if random OT server just disappears, the people using it have all the information necessary to reconstruct their accounts in their receipts, without trusting each other
14:54 < adam3us> gmaxwell: ok let me make a ripple example of why consensus fails
14:54 < maaku> adam3us: our point is that adam3-usd, goxusd, or any X-issued coin is centralized anyway, so why demand decentralization?
14:55 < adam3us> (finding email)
14:55 < adam3us> maaku: there is a reason... one sec find the email
14:55 < maaku> ok
14:55 < maaku> adam3us: are you talking about OpenCoin/Ripple.com consensus algorithm, or Ryan Fugger ripplepay accounting?
14:55 < gmaxwell> maaku: an argument is, for example the central party could be online only rarely. But I think this is a pretty thin advantage vs the tradeoff e.g. losing instant transactions and running into the global scaling and possible censorship problems with bitcoin.
14:55 < adam3us> it distinguishes ripple from bitcoin-like and makes bitcoin (mining based) inherently superior in irrevocable final settlement which keeps dispute costs out of the transaction level
14:56 < adam3us> screw it my filing system is stupid, i'll explain
14:56 < adam3us> gmaxwell: thats not it either
14:57 < adam3us> gmaxwell, maaku: lets say we're talking about ripple when they implement the ripple script
14:57 < adam3us> (they also have aspirations to do smart contracts, you can consider their gateway ious as a kind of issue)
14:57 < adam3us> except its consensus based
14:57 < adam3us> ok now imagine someone gets scammed, eg malware causes them to sign something they did not intend (their computer lied to them and they bought shares for 10 the advertised price)
14:57 < maaku> gmaxwell: very true, which is why we want to deploy Freimarkets to Freicoin, not just private servers although we expect most traffic to be private...
14:58 < adam3us> they take the evidence to a court, the court decides in their favor, slaps > 50% of ripple gw with court order to undo that
14:58 < maaku> also I imagine reconciliation at the highest level will happen on the public chain (e.g.
gox and bitstamp paying each other)
14:58 < adam3us> unlike bitcoin mining-hardened block chain, there is no 50 day mining equiv param so they comply
14:59 < adam3us> with bitcoin like block chain, the court cant make that order, because its basically mathematically impossible at current compute rates, by the time a court has issued an expedited decision, the block chain will be months in at 5ph/s
15:00 < gmaxwell> adam3us: except they can just slap the stock issuer with the same order, and damn the consensus. Of course that doesn't reverse the bitcoins, but it still wouldn't reverse the bitcoins if bitcoins were transacted in bitcoins and the stock ledger was run by the company.
15:00 < adam3us> so a ripple smart contract is actually a dumb contract, and a ripple xrp is not ecash, its a revocable IOU, and a ripple usd is not ecash, and a ripple share is not DBC etc
15:00 < adam3us> gmaxwell: yes but it doesnt matter to you
15:00 < adam3us> gmaxwell: as long as the transaction layer is fungible who cares if the court puts a random number somewhere
15:01 < gmaxwell> because it's not fungible, you just trace the colored coins and don't honor them.
15:01 < gmaxwell> "it's only fungible if you're not looking"
15:02 < adam3us> gmaxwell: yes well thats a bitcoin fungibility flaw too eh... thats why i proposed committed tx
15:02 < gmaxwell> Lets imagine that share ownership is run by the company, and people can exchange them for bitcoin by doing an atomic transaction. court orders a reversal. You still can't make the bitcoin network reverse the bitcoins, and you still can make the company not honor them.
15:02 < adam3us> gmaxwell: bitcoin also not quite ecash until this fungibility issue is addressed somehow
15:02 < gmaxwell> adam3us: but committed tx doesn't help, because eventually the company needs to see the history to honor the shares, and in doing so they can distinguish ownership.
15:02 < BlueMatt> a court cant force the chain to change algorithms because they only have jurisdiction in some area, and they would literally fork the system if they tried to
15:03 < gmaxwell> and even if you make bitcoin fungible, you do so at the expense of making colored coins impossible.
15:03 < gmaxwell> Colored coins are achieved by breaking fungibility!
15:03 < adam3us> gmaxwell: think of the DBC share as like a chaum signature, they cant selectively dishonor them
15:03 < BlueMatt> whereas they can force a given issuer to not honour certain coins
15:03 < gmaxwell> BlueMatt: yes, what are you disagreeing with?
15:03 < BlueMatt> nothing, i was agreeing and restating
15:03 < adam3us> gmaxwell: i dont think fungibility and purpose / currency field are incompatible eg brands ecash has attributes and blinding unlinkability
15:04 < BlueMatt> youd have to have decentralized issuance/redeeming, but that becomes an issue of trust...
15:04 < BlueMatt> how do you trust all the issuers if anyone can be an issuer?
15:04 < adam3us> gmaxwell: also when you have a share in IBM, you dont turn up at IBM and demand they have an emergency stock holder meeting to do a 10 share buyback, you atomically trade them
15:04 < gmaxwell> BlueMatt: well decentralized redeeming doesn't generally make sense. :)
15:04 < BlueMatt> yep
15:05 < adam3us> gmaxwell: ye not decentralised redemption, decentralized trading
15:05 < gmaxwell> adam3us: because there is no way to distribute a classical stock market because we're not using ecash for usd. :P
15:05 < adam3us> gmaxwell: thats circular man
15:05 < adam3us> gmaxwell: so we need to issue usdcoins
15:06 < gmaxwell> adam3us: and I'm arguing that for most things decentralized trading has very little marginal value (but not zero) when issuing and redemption are centralized.
15:06 < adam3us> gmaxwell: but also once you have shares, it doesnt actually matter what they are redeemed or listed in...
could be bitcoin 15:06 < gmaxwell> adam3us: if we had USD coins then I'd expect every major corporation to just run its own stock servers (or at least contract to people to do it for them) 15:07 < adam3us> gmaxwell: irrevocability and the above story about ripple implications of court case 15:07 < adam3us> gmaxwell: if a server has a database (the double spend db) it can get shutdown 15:08 < adam3us> OT receipts help but i am not sure its as robust as a block chain, and also it can be undone 15:08 < gmaxwell> adam3us: consider colored coin vs external ledger and cross chain trades. In either case you can order IBM to not honor certan shares, or to redeem for a different party than the keys imply. 15:08 < gmaxwell> In either case the bitcoin side is irreversable. 15:08 < adam3us> eg basically what makes OT secure is that the users have receipts so if a court made all OT servers do something unpopular they could form a p2p network filled with the receipts and resume 15:09 < gmaxwell> adam3us: but doing that is worthless for shares of IBM if IBM isn't going to honor or pay dividends to those share holders. 15:09 < gmaxwell> Empty victory. 15:09 < adam3us> gmaxwell: if they are properly fungible i do not think they can order IBM to do anything 15:09 < BlueMatt> adam3us: yes they can... 15:09 < gmaxwell> adam3us: so explain how colored coins can be properly fungable in a way that IBM can't cut through? 15:10 < adam3us> gmaxwell: because tehy do not know hwo the owner of the share is 15:10 < BlueMatt> you can jump up and down all day in front of a judge and say "but...but...thats not possible" 15:10 < BlueMatt> and they will just say, "ok, make it possible" 15:10 < adam3us> BlueMatt: yes thats why central severs are bad and block chains are good 15:10 < gmaxwell> ... 15:10 < gmaxwell> again, please, tell me how its possible to do this with colored coins? 
15:10 < adam3us> gmaxwell: say zerocoin
15:11 < maaku> adam3us: the problem isn't the chain/server, it's the issuer
15:11 < adam3us> gmaxwell: i'm not even saying coloring coins (literally) is a good idea, i'm just saying that a transaction layer anonymous (fully fungible) system can not discriminate at the issuer redemption point
15:11 < gmaxwell> adam3us: great and if zc were implemented as described the coin color wouldn't traverse the zc.
19:15 < gmaxwell> deciding a winner with multiparty computation is easy, and I can point you to software which you should just be able to run to do that.. but getting a transaction out of it is hard.
19:15 < maaku> nanotube: no, expected proceeds are lower for a first price auction
19:15 < gmaxwell> I don't know how to do that except by computing the signature under MPC and ... uh. hope you've got a while.
19:16 < maaku> yeah, if you figure out a truly efficient way to do that, let me know so I can co-author ;)
19:16 < maaku> the link i posted is the best i've found so far, but it's still hours or days of computation for the signature
19:17 < nanotube> http://en.wikipedia.org/wiki/Vickrey_auction#Revenue_equivalence_of_the_Vickrey_auction_and_sealed_first_price_auction
19:17 < maaku> (at least verification is fast though
19:17 < gmaxwell> Someone on BCT recently linked to a paper claiming massive MPC speedups and also security against active attackers with only one participant required to be honest... but it was all moonmath not something I could run so.. :P
19:18 < gmaxwell> (computing the winner is easy, you just do a sort and only output the first guy and the second price but doing a bunch of EC group operations under MPC sounds pretty painful)
19:19 < maaku> nanotube: the equivalence only holds if all bidders are using the same strategy
19:19 < maaku> with 2nd price they would be, if they are acting rationally
19:20 < maaku> with 1st price there are many pareto optimal solutions
19:20 < maaku> if their strategies are mismatched, then the result is worse off
19:24 < nanotube> mmm
19:40 * jgarzik reads scrollback
19:41 * sipa doesn't
19:41 < jgarzik> I'll probably just do sealed bid because it's easy and clearly works with bitcoin tech
19:41 < jgarzik> should be able to do a design where the HTTP server and bitcoind are both free of private keys
19:44 < jgarzik> one of the more difficult parts isn't writing the server, but getting some usable client thingamajigger
19:45 < jgarzik> command line bitcoind is decidedly sub-optimal (as TD noted earlier, on another channel and subject)
19:45 < jgarzik> need to: add an unsigned input, add a signed input, add an output to the auction, and add one or more other outputs (change or whatever the user needs)
19:46 < gmaxwell> jgarzik: it would be really not so hard to have an advanced send tab that let you pick your outputs, then calculate/pick inputs, then sign.. and at the bottom its displaying the in-progress raw transaction.
19:46 < jgarzik> certainly I can write a JS or python tool to do that, but it's still ugly CLI and Linux-only
19:46 < gmaxwell> So you'd just use this and not hit send, but instead copy out the transaction.
19:48 < jgarzik> yep
19:48 < jgarzik> the familiar problem of building and passing around an advanced transaction
19:49 * jgarzik had once pondered a PyQt tool, that could be a companion to bitcoind, for this
19:57 < maaku> jgarzik: i'd rather have that in Bitcoin-Qt
19:58 < gmaxwell> maaku: some advanced things really want a python interpreter.
19:58 < jgarzik> maaku, it would be nice in Bitcoin-Qt but there is not necessarily a requirement to tie it tightly to the ref client
19:58 < jgarzik> having an external tool to sign transactions is nice
19:59 < jgarzik> (as I've seen with the command line txtool)
19:59 < gmaxwell> the one challenge with having an external tool is that you need to fetch the inputs to sign for them.
20:00 < gmaxwell> and so this basically requires something have access to the utxo set.
20:43 < petertodd> jgarzik: how do you intend for the timestamping to work?
21:09 < jgarzik> petertodd, to satisfy the SIN protocol, you may provide your MPK (hash of public key) to a third party provider, who timestamps the MPK into the chain in the specified manner
21:09 < jgarzik> petertodd, or do it yourself
21:09 < petertodd> jgarzik: what's the specified manner?
21:10 < jgarzik> petertodd, https://en.bitcoin.it/wiki/Identity_protocol_v1
21:10 < jgarzik> petertodd, announce/commit sacrifice
21:10 < petertodd> jgarzik: ah, so not just a timestamp then
21:11 < jgarzik> petertodd, "timestamp" was shorthand, sorry
21:12 < petertodd> jgarzik: so basically, what you really need is just a little script that creates a new address, and when sufficient funds are deposited makes the sacrifice, and has some mechanism to give you back the sacrifice data (email even?)
21:13 < jgarzik> txtool will handle the DIY part
21:13 < jgarzik> a website will work for the lazy
21:14 < petertodd> yup
21:24 < jgarzik> gmaxwell, I suppose a best-practice would be for bids to set nlocktime to auction expiration time
21:25 < jgarzik> and the tool should create a refund transaction (double-spend) at the same time it creates the bid transaction
21:25 < jgarzik> perhaps setting nlocktime=$expiration+30 minutes
21:25 < gmaxwell> jgarzik: I wondered about that but I actually think it doesn't matter. If you bid and the seller wants to accept a bid and close the auction early, the winning bidder surely doesn't mind
21:26 < jgarzik> true
21:26 < jgarzik> seems like an option people might want, for added fairness
21:38 < gmaxwell> sipa: I'm mildly excited about this pairing crypto aggregate signature idea. Not because of the anonymity stuff, but because it makes scalable relay fees viable. and can also reduce transaction sizes in the non-anonymous case.
21:45 < gmaxwell> (or even in the anonymous case when there are more inputs than outputs: basically this thing requires one pubkey per input (duh), one pubkey per anonymous (or added by a relayer) output, and one shared signature for the whole block. (and each of these are just one field element each, e.g. 256 bits)
21:45 < gavinandresen> gmaxwell: link?
21:46 < sipa> gmaxwell: i don't know anything about pairing crypto or what you're talking about
21:46 < gmaxwell> gavinandresen: They propose it as an anonymity thing, https://bitcointalk.org/index.php?topic=290971.0
21:48 < gmaxwell> sipa: signature algorithm that allows one way aggregation of signatures. e.g. {message1,key1,sig1} + {message2,key2,sig2} -> {{message1,key1},{message2,key2},agg sig} and they show how to use it to unlink inputs and outputs for privacy.
21:48 < gavinandresen> I'll always be interested in ways of making transactions smaller.
21:48 < gmaxwell> I say: the privacy use is not as exciting (coinjoin is sufficient): but this thing also gives you the ability to pay relayers, the ability to make blocks smaller, and a bit of anti-censorship.
21:49 < gmaxwell> (Anti-censorship because if someone has combined some transactions and gives them to you combined you can't uncombine them to only mine one)
21:53 < gmaxwell> But yea, I dunno much about pairing crypto.
22:25 < jgarzik> OK
22:26 < jgarzik> Decentralized auction protocol (json-rpc): https://gist.github.com/jgarzik/6546194
22:26 < jgarzik> Well, the protocol itself is not decentralized; it is decentralized in the sense that anyone may set up a server
22:28 < jgarzik> each bidder provides a common, unsigned input, guaranteeing that only one transaction in the auction will be valid
22:28 < jgarzik> inside their bid
22:28 < jgarzik> protocol users must be able to grok hex-encoded bitcoin transactions and txout's
22:30 < jgarzik> bitcoin addresses are used for identity
22:30 < jgarzik> (hopefully that gets migrated to SIN)
--- Log closed Fri Sep 13 00:00:32 2013
--- Log opened Fri Sep 13 00:00:32 2013
00:31 < midnightmagic> uh.. there was an old scientist, old when black and white film could be shot of him, a famous man, who for all the world looked like the early Dr. Who, and there's a video of him on youtube somewhere talking about god and how he's an atheist. i don't remember his name. can someone give me a clue?
02:15 < gmaxwell> petertodd: http://sourceforge.net/p/bitcoin/mailman/message/31397880/ < this needs a blog post with some pretty "illustrations" of the scripts.
02:58 < petertodd> yes it does!
02:58 * petertodd needs to get petertodd.org running again
02:58 < gmaxwell> maybe an animation of the stack
02:59 < petertodd> yeah, that'd be good
02:59 < petertodd> webbtc.com actually can give you step-by-step stack traces, although being bitcoin-ruby it's buggy...
03:22 < amiller> that's cool :)
07:54 < jgarzik> Got "auctionpunk" server skeleton going last night. It creates auctions for a fee, accepts bids and checks the bids, and reports progress on the auction. Next step: handle auction ending (which might be off-server, since it requires private keys, and I am trying to create a setup that does not require private keys on the server itself)
07:55 < jgarzik> just got first-price-sealed-bid for now
07:55 < jgarzik> *does
13:09 < nanotube> 112 connections, 749/329 M mem usage. and that's with a 2329 tx pool.
13:12 < gmaxwell> Cool.
13:13 < jgarzik> no-wallet will make that mem usage even smaller :)
13:13 < gmaxwell> http://www.reddit.com/r/Bitcoin/comments/1mavh9/trustless_bitcoin_bounty_for_sha1_sha256_etc/ < responses to the collision bounties has been pretty good.
13:14 < jgarzik> gmaxwell, I forwarded it to Bruce S, though (a) he is probably mega-busy and (b) it requires a lot of bootstrapping introduction, even for knowledgeable tech folks
13:15 < jgarzik> gmaxwell, I see you had to do similar bootstrapping on the reddit post, in fact
13:16 < gmaxwell> jgarzik: yep.
13:51 < nanotube> jgarzik: 50mb doesn't make that much difference to me atm. i recall you said the difference was roughly 50mb?
13:52 < jgarzik> nanotube, 40mb for me. warren reported upwards of 200mb on some Fedora installs.
13:54 < nanotube> hm, how come such a big difference?
13:54 < nanotube> (also, i'm on debian)
13:55 < jgarzik> nanotube, no one knows but The Shadow
13:55 < gmaxwell> jgarzik: it's only when you run the gitian builds on fedora.
13:55 < gmaxwell> presumably something to do with bdb static linking and The Shadow
13:57 < nanotube> heh
18:23 < adam3us> gmaxwell: yes. there are also some computational versions with lower overhead, and even single db pir (though that one is not cheap)
18:23 < gmaxwell> lower communications overhead.
18:23 < gmaxwell> But not computational overhead.
18:24 < adam3us> gmaxwell: in fact yes
18:24 < adam3us> gmaxwell: (i mean i agree)
18:25 < gmaxwell> the computational ones use things like homomorphic encryption and they're very slow on the server, which I think takes them out of the realm of viability. Vs the information theoretical constructions can just be done with xor, and can be stupidly fast. Though they'd have overhead on the order of the number of servers you need to be secure against colluding.
18:26 < gmaxwell> in other words, I think the information theoretic one is actually at least theoretically deployable in bitcoinland... which I think the single server ones not so much, at least not unless we can figure out how to pay a server to filter for you. If only we had digital cash. :P
18:30 < adam3us> gmaxwell: its not really clear what the bloombait could be as its sent by the spender in the clear, must produce something from a predictable set or offloadably encrypted searchable; any one can see the address and compute the bloombait set and infer who it is to
18:31 < gmaxwell> adam3us: well the point of the bait is that there would be lots of collisions but few enough to reduce the data sent to an acceptable amount.
18:31 < adam3us> friend of mine thought up a homomorphic equality test based on weil pairing years ago, but that only incurs n^2 overhead vs on for scan for someone fishing for info which is not a convincing security argument
18:31 < gmaxwell> You don't have to have encrypted matching for the bait.
18:31 < gmaxwell> If the bait is small you just send the whole bait to index map.
18:32 < gmaxwell> Then the user does a PIR queries to get the indexes they want.
18:32 < adam3us> yeah
18:32 < gmaxwell> Other fun thing: you put the SPV proofs for the transaction in with the transactions, which will thus prove the query results were of the right database. :)
18:33 < adam3us> that makes sense eg hash public key 8 times with counter 1.. 10 pick 8 lsb, pick one of those at random
18:35 < gmaxwell> adam3us: though its interesting that the PIR could be done block at a time... might actually be feasible to do single server PIR for a wallet... at least as a commercial offering. Dunno if it would get any customers though.
18:37 < adam3us> bandwidth is high for the client also, but yes thats probably efficient enough with some GPUs
18:39 < adam3us> gmaxwell: hmm yeah not working out too well so far, so TD's pragmatic view is winning still (i am not overly prone to pragmatism - getting the right communication matters in architecture even if you have to work hard to achieve it)
18:41 < gmaxwell> well single server can be low bandwidth, there are computational pir which have just small constant overhead (wtf?!), but they aren't fast. .. uh .. though there be dragons: I've never seen an implementation of any of these leading edge schemes, and sometimes the theoreticians are misleading. ... in any case, it would perhaps be interesting in the mobile context, where communication is costly and the server has a lot of computation ...
18:41 < gmaxwell> ... potentially.
18:43 < petertodd> gmaxwell: replace-by-fee scorched earth doesn't necessarily work unless the sending tx is of minimum size anyway unfortunately
22:50 < amiller> i broke and subsequently fixed my non-outsourceable puzzle.
22:50 < amiller> the solution, remarkably, involves hash-based signatures :)
22:55 < gmaxwell> amiller: does it result of your choice of two things to sign? if so, I came up with that too and it doesn't work because you can be forced to make the other one gibberish. :P
22:56 < amiller> nope
22:56 < amiller> the problem is just that i need a deterministic public key signature and those are expensive in pinocchio
22:56 < amiller> i could make the pow signatures under RSA for example
22:57 < amiller> or BLS if you want to use elliptic curves
22:57 < amiller> basically i want to have a default-option where an ordinary non-outsourcing user can just prove that work is valid without having to do a zk trick
22:57 < amiller> but it does have to avoid revealing the actual secret
22:57 < amiller> any public key signature would suffice here
23:01 < amiller> the problem with my scheme before is that i said the cheap option is the user just actually reveals the secret, but then anyone that sees that can do the zero-knowledge trick later so that's bad
23:01 < amiller> a race condition at best
23:02 < amiller> so any public key is sufficient, but then for the zero knowledge option the outsource server has to be able to relatively efficiently do a zk proof and that's a bitch with any actual publickey primitive
23:02 < amiller> but you can build a merkle tree just out of pretty simple hashes (ajtai lattice hashes in particular, would be efficient)
23:03 < gmaxwell> amiller: I suggest you go post someplace right now about your method for doing a deterministic signature that would be cheap under pinocchio. :P and which one you'd propose.
23:04 < amiller> you mean besides right here
23:07 < gmaxwell> so with your anti outsourcing.. say some miner manages a run of 6 consecutive blocks... can he not produce infinite variations on them and only later commit to them with more blocks? ... so really should we be counting zk blocks the same in security?
23:08 < amiller> you should add 1+ of security to the zk blocks
23:08 < amiller> they don't stack
23:08 < amiller> in other words suppose a miner connects to every single node
23:08 < amiller> finds a winning solution
23:09 < amiller> and gives each node a distinct winning block
23:09 < amiller> now every miner is working on n different forks of length 1, but as soon as one of them wins it, they are committing to a *single* one of those forks
23:09 < amiller> and everyone that builds on it is picking one
23:09 < gmaxwell> unless they zk that one too.
23:09 < amiller> the zk block does *not* hide the previous block it attaches to
23:10 < amiller> that's committed and can't be changed
23:11 < gmaxwell> gotcha. yea, hm. have to be careful that there are no free bits that can be used as marking.
23:13 < amiller> the previous blockhash is literally the only thing not hidden in the zk
23:16 < gmaxwell> being able to retime your blocks is interesting... :P
23:16 < gmaxwell> like ... my block is always 2 hours in the future. oh its a minute later? I've got a new block for you.
23:20 < amiller> i guess :p
23:20 < gmaxwell> I hate that all these ideas have so many angles you have to reason about to be sure you haven't created @#$@#ed up incentives.
--- Log closed Thu Nov 14 00:00:35 2013
--- Log opened Thu Nov 14 00:00:35 2013
00:26 < nanotube> wonder if anyone has seen the protoshares pow scheme. https://bitcointalk.org/index.php?topic=325261.0
00:27 < gmaxwell> nanotube: this is the 3rd (or 4th) POW scheme from those same people whose pow I eviscerated before.
00:28 < gmaxwell> Sadly they didn't get the memo I was trying to give them which was: stop coming up with novel cryptographic things out of your rear end where you don't really need them.
00:29 < gmaxwell> I think PT cut down their 3rd generation one.
00:30 < nanotube> hehe ic
00:30 < gmaxwell> I regret telling them about the first, would have been more fun to just exploit it in production. oh well.
00:31 < gmaxwell> I'd hoped that they'd actually believe me that it's hard to get this stuff right.
00:31 < nanotube> hah well, now you know better, and can do that with their fourth.
00:32 < gmaxwell> well, the first was ... basically riddle grade. Just hard enough to be enjoyable to break but not actually hard.
00:33 < gmaxwell> with enough iterations it would actually be work to break.
00:33 < gmaxwell> but its just goofy, they haven't gained any useful properties over scrypt, and scrypt has security proofs that have been reasonably well reviewed.
00:44 < warren> where's the URL for petertodd's MMR proposal?
00:56 < Luke-Jr> gmaxwell: isn't theirs actually a POW algo?
01:48 < gmaxwell> https://bitcointalk.org/index.php?topic=333487.0
01:48 < gmaxwell> couple thousand btc will pay for a lot of transaction fees.
03:42 < petertodd> gmaxwell: oh, and I misunderstood what you said re: scorched earth: it's actually not an issue for the other parties to the coinjoin, because the scorched earth spend just means the original tx is even more likely to be mined - only the funds going to the merchant can be turned into fees. The real issues are more complex than that
03:43 < petertodd> gmaxwell: for instance, suppose the coinjoin is the double-spend...
03:43 < gmaxwell> petertodd: no consider
03:43 < gmaxwell> you are a merchant.
03:43 < gmaxwell> I want to pay you. I am honest. I coinjoin with alice. Alice is paying someone else.
03:44 < gmaxwell> Alice is not honest.
03:44 < gmaxwell> Alice double spends her coin, paying to another party. The double spend does not pay you.
03:44 < gmaxwell> You do scorched earth. Sending my payment to you to the miners.
03:44 < gmaxwell> Now everyone is unhappy except the person alice was trying to rip off.
03:45 < gmaxwell> this happens because you didn't know that my contribution to you wasn't being double spent, only alices input to the join which was irrelevant to you was.
03:45 < Luke-Jr> oh crap
03:46 < Luke-Jr> gmaxwell: payment protocol beats it?
03:46 < Luke-Jr> then the merchant has an isolated transaction to refer to
03:47 < gmaxwell> yea, if you can tell the merchant whats up even give him a non-cj'ed spend of that input to sit on.. things are happy.
03:47 < Luke-Jr> "ok, my original transaction is still valid with this double-spend; I'll hold off"
03:47 < Luke-Jr> (and broadcast the isolated tx obviously)
09:04 < adam3us> sipa: ok but bitcoin hashrate as a ballpark is well known to be in the peta hash range
09:04 < sipa> yes, 4 PH/s
09:04 < sipa> that's 2**52 H/s
09:05 < adam3us> log(2,4*1000^6*600)
09:05 < adam3us> 71.02352439846840313959
09:05 < sipa> you must still be off; i get 2**61 per 10 minutes
09:06 < sipa> 1:kilo, 2:mega, 3:giga, 4:tera, 5:peta
09:06 < adam3us> sipa: well i did before, but KH=1000,HM=1000.. etc
09:06 < sipa> so it's ^5, not ^6
09:06 < sipa> ^6 is exa
09:06 < adam3us> sipa: oh doh
09:07 < adam3us> sipa: damn i was right the first time, undo wiki edit! (confusing exa and peta order)
09:07 < sipa> adam3us: the reference client outputs the total amount of work done in a chain when it updates the tip
09:07 < sipa> SetBestChain: new best=0000000000000000bd36abfbfaf30511e69d9747b1b4c9238739b20d7a92e760 height=267715 log2_work=73.502314 tx=26423141 date=2013-11-03 13:58:03
09:07 < adam3us> sipa: gotcha, thats nice
09:07 < sipa> i trust that computation very much, as it is consensus-critical
09:08 < sipa> (it's used to determine the longest chain)
09:08 < sipa> adam3us: http://bitcoin.sipa.be/powdays-50k.png
09:09 < sipa> that's how long, at max-hashrate-ever-seen-until-point-X, it would take to redo all the computational work in the best chain known at point X
09:09 < adam3us> sipa: a quite relevant metric :)
09:09 < sipa> it's painfully low these days
09:10 < sipa> we came up with it, when trying to reason like "how many days of PoW-equivalent work would it take, to safely reduce verification"
09:10 < adam3us> sipa: indeed it is - i think it should be temporary perhaps as asic catchup with moore's law
09:10 < sipa> so for example, one idea was to only do signature checking in the last month worth of PoW
09:10 < adam3us> sipa: however the other metric is the market availability
09:10 < sipa> but as you can see, that would mean everything now :)
09:12 < sipa> hmm, i wonder, is this coincidence?
09:12 < sipa> tera ~ quatro (1000^4)
09:12 < sipa> peta ~ penta (1000^5)
09:12 < sipa> exa ~ hexa (1000^6)
09:13 < sipa> at least for peta and exa it is not coincidence
09:13 < sipa> tera ~ tetra works even better
09:14 < adam3us> yeah, you see it in greek naming for geometric shapes also
09:14 < sipa> and above: zetta ~ hepta
09:14 < sipa> yotta ~ octo
09:16 < adam3us> sipa: i think i just illustrated even to myself that k=61 O(2^k) security notation is better - it gets confusing to work with metric units you dont normally use
09:17 < sipa> yup
09:19 < sipa> knowing that an exabyte addresses is close to what you can represent in a 64-bit integer, also helps :)
09:22 < adam3us> sipa: probably proof of stake contribution to voting is a defense though that also is imperfect
13:21 < warren> more leveldb corruption "Getting same error on 8.5.1 OS/X 10.9 Mavericks out of the blue, my system never sleeps and Litecoin was shut down properly, but received this error on re-opening wallet."
13:21 < warren> clean shutdown
14:43 < adam3us> sipa: re pow-equiv days - you might consider also the days to redo all work since last checkpoint, an even lower number
15:20 < gmaxwell> adam3us: we hope to remove checkpoints or at least significantly reduce their role. They're creating serious problems for people understanding the consensus model, to the extent where people are producing altcoins where the developers just constantly announce checkpoints via an alert like mechanism to control the consensus and this is judged to be the same kind of thing as bitcoin.
15:26 < jrmithdobbs> you know, haskell really is the most fun i've had with CS stuff since initial dive into bitcoin stuff
15:26 < jrmithdobbs> why doesn't everyone use this language?
17:27 < sipa> jrmithdobbs: haskell is cool :)
17:28 < sipa> adam3us: right, as gmaxwell says: this idea of using PoW-equivalent time as a criterion is mostly intended as a replacement for checkpoints
17:29 < adam3us> sipa: i see i didnt get that before; so you propose to eg pick a number of days, and say a new client only starts that far back with its validation?
17:30 < adam3us> sipa: or validate back to current pow-equivalent
17:30 < sipa> adam3us: you always start from the genesis, there is no way to retrieve the UTXO set at any other point in a trust-free way
17:31 < adam3us> sipa: wonder if there's a way to batch process DSA sig verify
17:31 < sipa> adam3us: but some parts of the validation, in particular script validation, can be skipped without impacting
17:31 < sipa> adam3us: there is, but it requires the full R point, instead of just R.x mod n
17:33 < sipa> without impacting later state
17:33 < adam3us> sipa: so (the proposal would be) you just validate inputs add to outputs and the hashing, but not the sigs before pow-equiv? reasoning being the whole network could've forged history to that depth?
17:33 < sipa> i had to finish that sentence
17:33 < sipa> indeed
17:34 < sipa> or some compromise, like only checking a random N%
17:34 < sipa> when buried deep enough
17:34 < gmaxwell> adam3us: right, or move to probabilistic validation of deep history. So you still can be reasonably confident that if there is treachery and a good number of honest users it will be discovered... but removing 99.9% of the computational cost for the far history.
17:35 < sipa> then again, saying "more than a month of PoW" won't work anytime soon :)
17:36 < gmaxwell> sipa: I dunno if I ever mentioned it, but I was thinking that it actually should be validation of the history where it is uniquely dominated by POW-days work. E.g. if there are two competing forks with less than powdays-thresh between them, you still check both completely in case the signatures are a cause for the fork.
17:36 < sipa> you have mentioned that before, i believe
17:37 < gmaxwell> okay. Wasn't sure.
17:39 < adam3us> sipa, gmaxwell: i wonder if you only need 50% PoW-equiv , because isnt saying full hashrate PoW days assuming 100% hashrate hostility?
17:40 < sipa> it's a scaling factor anyway
17:40 < sipa> something to judge what a potential attacker could amass
17:40 < gmaxwell> adam3us: bitcoin, in the original vision promises to not allow some attacks even in the face of full hashrate hostility. This is important because its part of what makes greedy-optimal miners behave honestly (in the fictitious world where miners are optimal self interested agents, hah).
17:42 < gmaxwell> So it's not really quite good enough to say "we're going to make things maximally brittle against >50%" because part of the argument that an attacker won't amass 50% is the limitations on what they can do with it. For example: if it were sufficient for 50% of miners to peg the subsidy at 25 btc forever then the argument that it wouldn't happen is pretty soft.
17:42 < gmaxwell> (since even if the miners are independent they have a common interest in continuing to receive subsidy)
17:43 < adam3us> gmaxwell: yes there are some things eg also committed coins seemingly you can continue to transact in the face of 99% hostile (maybe 100%) their attack degrades to random DoS if they cant tell whats happening
17:44 < adam3us> gmaxwell: (committed tx not coins) and also 50% is probability argument only: you can double spend with various probabilities with 25% of 75% hashrate its not binary
17:45 < gmaxwell> adam3us: yea, well at >50% you can exclude other blocks and if you can attack for infinite time you'll eventually get ahead. (infinite becoming smaller the more over 50% you are).
18:16 < adam3us> sipa: (about batch ECDSA verification) "sipa: adam3us: there is, but it requires the full R point, instead of just R.x mod n" - you could arrange that in a format compatible way analogous to the s vs -s issue; just only use R=(r,f(r)) with positive f(r).
18:17 < gmaxwell> you still have to then 'uncompress' the r there then, which would remove some (much?) of the batch speedup.
18:33 < sipa> i believe it would still be a speedup
18:34 < sipa> but it's pointless: it would mean an incompatible change of the script language, or at least an op_eval like structure with a new address structure
18:34 < sipa> and if we do that, there are far better changes to make
18:35 < sipa> hmm, i didn't read what you said entirely
18:36 < sipa> putting an extra requirement on r is always possible of course, and only a soft fork
18:59 < adam3us> sipa: maybe could restrict f(r) >= 0 while fixing (r,s) vs (r,-s) sig malleability (and the serialization ones) .. just towards enabling batch sig vrfy later?
18:59 < adam3us> sipa: mean R.y>=0
19:00 < sipa> the '>' operator doesn't have much meaning in a Z_p set
19:00 < gmaxwell> gonna make life hard for deterministic dsa signers. Also makes life harder for people to make txn slightly smaller by choosing smaller rs.
19:01 < sipa> i'm not sure batch verification is worth it
19:01 < sipa> iirc the speedup wasn't very impressive
19:01 < gmaxwell> in any case the speedup from batch verification is pretty small.
19:01 < adam3us> sipa, gmaxwell: seems like forget that then :)
19:24 < amiller> hm, i wonder if there's an accelerated utxo check
19:24 < amiller> well nvm it probably wouldn't make much difference
19:26 < amiller> but you don't have to use a *random access* data structure just for checking a utxo, since you can have some untrusted hints about after how many blocks an element will have to be removed at all
19:30 < sipa> amiller: anything that adds performance increases for the common case, means a potential DoS attack by someone not following the common case :)
19:35 < amiller> i guess... can't stop anyone from just downloading a "trusted" utxo and skipping validation anyway though, so it seems like reducing the cost of actually checking it (if that's even possible) would be good to know how to do
--- Log closed Mon Nov 04 00:00:16 2013
--- Log opened Mon Nov 04 00:00:16 2013
17:11 < amiller> uh.. does anyone have a rough figure for the gate count of an asic/fpga mining unit
17:47 < sipa> if the sstables corresponding to that state have been deleted, there is a problem
17:47 < sipa> warren: then they have a hardware problem, i guess
17:48 < gavinandresen> sipa: right -reindex I'm actually copying known-good copies of the chain to a second drive, and restore from there if I get corruption.
17:49 < gavinandresen> sipa: and right, truncating manifest should just get to a previous state, which is why I thought truncating it might be a quick-and-dirty way of mitigating the problem
17:50 < gavinandresen> I haven't looked to see if any other leveldb files were corrupted
17:51 < sipa> if you ever get a snapshot of a corrupted state, that would certainly be something useful to try
17:51 < sipa> increasingly truncating more off the manifest, and seeing whether you end up with something valid
17:51 < gavinandresen> I've got a couple of snapshots of corrupted state, will try at some point if the problem doesn't get fixed before it percolates up to the top of my TODO....
18:27 < Luke-Jr> warren: I was referring to bitcoin-next; that is only ACK'd things.
18:27 < Luke-Jr> warren: next-test tests everything
18:29 < warren> ok
18:29 < warren> Luke-Jr: I notice that you didn't try to merge watchonly
18:29 < warren> it goes kaboom
18:29 < Luke-Jr> warren: it didn't exist at the time either
18:30 < Luke-Jr> when autotools have stabilised I'll probably make a new next-test
18:30 < Luke-Jr> still a bit too buggy imo
18:39 < phantomcircuit> gavinandresen, i have actually regularly told people not to use os x for servers, but for security not integrity reasons
18:40 < BlueMatt> who uses osx as a server?
18:43 < warren> jgarzik: hmm, disablewallet=1 needs a GUI error message if someone tries it with bitcoin-qt
18:49 < phantomcircuit> BlueMatt, silly people
18:50 < BlueMatt> then again, I suppose some use windows as a server too, which is far worse...
18:58 < phantomcircuit> BlueMatt, prior to last year it was actually much better
18:58 < phantomcircuit> (the joke is apple discontinued x servers like last year or something)
20:02 < warren> gmaxwell: jgarzik: updated fedora 19 openssl http://wtogami.blogspot.com/2013/05/openssl-with-ecdsa-for-fedora-18.html
20:15 < warren> gmaxwell: shoot, I lost the IRC log about the desired forum features, could you please copy that for me?
--- Log closed Sat Nov 02 00:00:49 2013
--- Log opened Sat Nov 02 00:00:49 2013
07:17 < adam3us> can you do the opposite of timelock >= time ie timelock < time for an offline time-limited offer?
07:18 < adam3us> (other than using online update to retract the offer by sweeping the funds off the contract txout at the expiry time)
08:17 < sipa> adam3us: bitcoin transactions are pretty intentionally designed to be non-retractable
08:17 < sipa> once valid, always valid
08:17 < sipa> so they can enter a mempool, and later a block, without breaking dependencies afterwards
08:24 < adam3us> sipa: but they are sometimes updateable, and first-spend invalidates later spends (even if the later spends were constructed earlier just not sent to the network)
08:27 < adam3us> sipa: (when sequence is not UINT_MAX), so I guess you could implement a time-limited cheque by giving someone the cheque and yourself spending the txout it relies on if they do not before the time-limit; however the bitcoin network doesn't help you
08:29 < adam3us> sipa: eg think of an option as a smart-contract (the right but not the obligation to exercise), it has a time-limit
08:32 < adam3us> sipa: maybe one can use timelock on the non-exercise address, and sequence to allow update; the update is to take the funds, and its the option seller's (writer's) job to reclaim the funds after expiry, but the timelock prevents him reclaiming the funds early (undermining the buyer's right to exercise during the validity period)
08:34 < adam3us> (unrelated) in script hash addresses if someone can find two scripts that hash to the same string, that's a problem right?
08:35 < adam3us> eg I could find addr1=RIPEMD160(SHA256(SIG(a) and y=H(x))) and addr2=RIPEMD160(SHA256(SIG(b))) where addr1=addr2 is a full birthday collision then I can cheat all those protocols that rely on inter-locked necessary revealing of x to claim
08:37 < adam3us> and I think I can do that for cost O(2^80) which is significantly below the normal bitcoin target of O(2^128), though still above the hashrate - each mine hashcash-sha256^2 is about O(2^62) per 10mins but a big bet in a few years with O(2^70) hashrate and faster miners O(2^80) is the weak point
08:51 < gmaxwell> "Based on this reasoning, we are planning to go forward with a draft SHA3 FIPS with all the n-bit fixed hashes having capacity = 2n, thus providing n-bit preimage resistance"
09:03 < sipa> adam3us: is a collision enough?
09:03 < sipa> you want at least one of the scripts to be spendable, and the other is not under your control
09:03 < sipa> sounds more like a constrained preimage to me
09:04 < sipa> just having two scripts, and sending to one and spending by the other doesn't gain you anything
09:24 < adam3us> gmaxwell: spectacular that makes SHA3 usable without tweaks for bitcoin hashcash-SHA3 if needed in the future
09:25 < adam3us> sipa: the thing is many of the interlocked protocols like atomic swap, coinswap, iddo/my fair-coin toss rely on this property
09:27 < adam3us> gmaxwell: I hope I did my bit in disabusing Kelsey of the idea, of gaining a tiny % perf for introduction of sqrt(n) attack on preimage on the crypto list :) but i think the feedback was loud and wide
09:27 < sipa> ah
09:28 < gmaxwell> adam3us: I don't think they do require that property. Like sipa said, having a collision that can't be spent is harmless, since it can never show up in the chain, and thus can't prevent the one that can be spent.
09:28 < adam3us> https://bitcointalk.org/index.php?topic=323443.msg3463719#msg3463719
09:29 < adam3us> gmaxwell: i am talking about two spendable inputs, one bypassing the y=H(x) preimage interlock
09:29 < gmaxwell> adam3us: yes, sure, but that's not a free collision. The collision must be constrained to be spendable. This means it's harder than 2^80. I'd hard to say exactly how much harder.
09:29 < adam3us> gmaxwell: well two script versions basically with the same p2sh output, which you as a participant in an interlocked protocol have incentive and opportunity to create
09:30 < gmaxwell> er s/I'd/It's/
09:30 < adam3us> gmaxwell: there are lots of candidate inputs > 2^80, and they are no harder to create than random ones
09:31 < gmaxwell> adam3us: Random scripts are overwhelmingly invalid.
09:31 < adam3us> gmaxwell: its a pure brute force play
09:31 < adam3us> gmaxwell: yeah who said random: just create H(s_i) for i from 1 to a trillion, generate s'_j for j from 1 to a trillion, store in efficient hash table, repeat
09:32 < gmaxwell> adam3us: sure, I understand. It's a multi-collision with 1:{huge number of targets} so it's closer to 2^80 than 2^160, agreed.
09:32 < adam3us> gmaxwell: where s'_i can spend s_j without needing to know y=H(x), the interlock falls apart if that can be setup before the bet
09:33 < adam3us> gmaxwell: yes, the main thing that makes it more than 2^80 is probably its sqrt(pi/2)*2*2^80 = 1.25*2^81; but realistically the TMTO need makes it > O(2^80) cos you dont have an efficient way to store that even with bloom filters nor skip tables (as there is no sequence you can use)
09:34 < gmaxwell> In any case, I'd expressed sadness before that we'd specialized P2SH too far, and made it not able to use the 256 bit hashes we have in script.
09:34 < gmaxwell> For coinswap your attack doesn't quite work, because the preimage interlock never needs to be in P2SH.
09:35 < adam3us> gmaxwell: i think p2sh addresses are different serialization than pub key addresses right? otherwise you could bypass it and make AH(Q_i) == AH(s'_j)
09:36 < adam3us> gmaxwell: (where AH=addr-hash(z) = RIPEMD160(SHA256(z))...)
09:36 < gmaxwell> adam3us: you couldn't possibly confuse them, no.
09:37 < gmaxwell> Cute attack: http://7habitsofhighlyeffectivehackers.blogspot.ca/2013/11/can-someone-be-targeted-using-adobe.html
09:39 < adam3us> gmaxwell: what no salt? ;)
09:40 < adam3us> gmaxwell, sipa: but also for my understanding, its optional to use P2SH, you can instead serialize the script in the transaction right? that's another generic work-around (if you care about O(2^80) + TMTO yet)
09:40 < gmaxwell> adam3us: a lot of places "salt" their passwords by adding the name of their site to the hash. :P (because they misunderstand the purpose of salt)
09:40 < sipa> adam3us: P2SH is optional indeed
09:40 < sipa> adam3us: but using it has some advantages regarding size of the UTXO set
09:41 < gmaxwell> adam3us: One of the malleability workarounds I gave requires using p2sh, alas.
09:41 < gmaxwell> (It uses p2sh to make the transaction the attacker would need to mutate indistinguishable, so they'd have to try to mutate all transactions)
09:42 < gmaxwell> But e.g. for coinswap you'd only need to do that for the initial escrows, and the 2^80 attack is irrelevant there.
09:43 < gmaxwell> the hashlock releases don't need to be p2sh.
09:43 < adam3us> gmaxwell: well one defense is if you have 2^80 you have more profitable things to do with it: mine
09:44 < adam3us> gmaxwell: but maybe as a component of high stakes poker, if done like the fair-coin-toss with a multi-million pot, maybe if you can precompute something
09:45 < adam3us> gmaxwell: of course the other players should choose their interlock signature keys 1hr before the game
09:47 < adam3us> sipa, gmaxwell: i was wondering about a generic p2sh kind of defence, like in hashcash version 0 it was to find a 2nd preimage to a fairly chosen image, ie find h=H(s,x) and h'=H(s,x,c) where h'/2^(n-k)=h/2^(n-k) ie k leading bits of h and h' match the target 0 string came later as a suggestion from Hal Finney and another guy
19:20 < gmaxwell> Really the best thing to do now is publish publish publish. You can't use defensive patents to negotiate with patent assertion entities in any case, since they only assert, not practice. Defensive patents are only really useful for a licensing negotiation between parties with remotely equal standing. ... though I know VCs often pressure startups to build patent portfolios ... but I dunno how they'd feel about them being put into a ...
19:20 < gmaxwell> ... general disarming pool.
19:23 < adam3us> gmaxwell: well to my way of thinking they are benefiting from satoshi's work and lots of volunteer effort in developing and innovating bitcoin, which they use for free, and most of the bitcoin startups have no innovation, just deploying things (which is useful, necessary) but its an insult if they then grab biz process patents or patents on permutations of others' work
19:24 < gmaxwell> Indeed, but that won't stop people. Most patents are very very incremental.
19:24 < adam3us> gmaxwell: so the community would be easily in its rights to have the foundation frown on them etc
19:25 < midnightmagic> There are also groups of people who agree, collectively, that jointly-developed technologies or jointly-developed standards can be shared by all members, they disclose their patents, and then sign agreements that the disclosures are full and that they all agree that *if* any of the patents apply to the jointly-developed technology, they won't bring them to bear on any agreement-signers..
19:25 < adam3us> gmaxwell: yes been in enough startups to see the vc, ex-big-co patent hungry people at work, they either dont care, or just want to make money fast, long term consequences be damned
19:26 < gmaxwell> (I actually went as far as writing a provisional patent application for the use of the EC additive homomorphism for publicly derivable wallets, but didn't go through with it because there were no other bitcoin relevant applications being filed and didn't consider it worth the risk that it would inspire more bitcoin patenting, etc.)
19:27 < adam3us> gmaxwell: yes. i expect there are some patents in the dozens of bitcoin related companies already or pending now
19:28 < gmaxwell> At some point someone probably needs to get a patent application on something bitcoin related with a relatively complete description of the system just so it shows up in examiner prior art searches. (they sometimes search the internet ... but uh, it seems pretty rare!)
19:28 < midnightmagic> it would be amusing somehow if some company were awarded some patents on bitcoin core technologies and then they asserted them..
19:29 < gmaxwell> midnightmagic: it's possible, they wouldn't be valid of course... but examiner prior art searches are lame, and the applicant is required to disclose, but often don't (for obvious reasons...)
19:30 < midnightmagic> "clean room" defense.
19:30 < adam3us> midnightmagic: not in a good way though, courts and patents are largely hamfisted idiots, viz the apple/samsung to and fro and product freezes $1b awards, on xor-cursor level patent pool stuff; retardation^n
19:30 < gmaxwell> I suspect if they called it bitcoin in the patent they'd be likely caught. But if they didn't they'd likely get it through.
19:31 < gmaxwell> At least on the core stuff the age of it is unequivocal and digital cash was kind of a dead field in 200x.
19:31 < gmaxwell> There are some patents I'm aware of that probably read on _all_ DSA but are also new enough that they're necessarily invalid if they do.
19:31 < midnightmagic> adam3us: Maybe in a good (but absurd) way because patents have territories and people typically forget Canada exists.
19:32 < midnightmagic> "America's hat"
19:32 < adam3us> ok my turn to sleep
19:32 < midnightmagic> night adam
19:32 < gmaxwell> in any case, this is a much bigger risk for any better-than-bitcoins. .... as they might run afoul of new patents that bitcoin is old enough to be prior art for.
19:34 < midnightmagic> Say, did djb ever reveal the list of patents that NaCL was written to specifically avoid somewhere?
19:34 < midnightmagic> .. can't believe I even feel like I should know that. software patents. urg.
19:34 < gmaxwell> "We are now aware of this issue and we will perform an internal investigation to find out who is responsible for this.
19:34 < gmaxwell> Thank you for pointing out. "
19:35 < gmaxwell> https://bitcointalk.org/index.php?topic=327767.msg3552672#msg3552672
19:35 < gmaxwell> I guess I need to send these guys a christmas card for making me victor of the internet in all those arguments where people told me if a pool was evil miners would notice right away and switch.
19:37 < maaku> gmaxwell: 501c6 only goes bankrupt if its members let it
19:37 < midnightmagic> lazy/crazy?
19:37 < gmaxwell> maaku: it can become bankrupt as a result of litigation, e.g. if it's found to have some nigh unbounded liability.
19:37 < midnightmagic> lol
19:38 < maaku> not that it isn't a risk - plaintiff could use the risk of bankruptcy as blackmail to raise settlements
19:39 < gmaxwell> maaku: at least that's less bad, a settlement can't free one from a perpetual patent grant.
19:40 < maaku> i guess my point is if the 506c3 is about to go bankrupt due to litigation, the members have the option to donate to cover the settlement & preserve the pool
19:41 < maaku> er, c6
19:41 < gmaxwell> midnightmagic: so it looks like a 25% hashpower pool doublespent the shit out of a service almost a month ago, even using the proceeds of the activity to pay out miners. people only noticed about a week ago. It's known on the mining subforum now, but no one is leaving the pool.
19:41 < midnightmagic> gmaxwell: That's pretty funny.
19:41 < maaku> so if they let it go bankrupt, then presumably it's because the members made that cost-benefit analysis and decided the patent pool wasn't worth it...
19:41 < gmaxwell> maaku: yea, but that could be very expensive. Either way the bitcoin community could have to pay a lot of funds due to patents stuffed there.
19:41 < maaku> yeah
19:41 < gmaxwell> (compared to the patents not existing or being handled some other way)
19:42 < maaku> better to publish and prevent a patent in the first place ;)
19:42 < midnightmagic> gmaxwell: This is one of those "people should insist on coinbase payouts" things that miners just automatically avoid getting entangled in.
19:42 < kill\switch> ^
19:42 < midnightmagic> still have no idea why I was never asked to return those 2x payouts on that mining pool a while back.
19:43 < gmaxwell> what pool did that?!
19:43 < Luke-Jr> midnightmagic: NaCL doesn't even avoid *copyright* problems, let alone patents
19:43 < gmaxwell> and why were you mining on it?
19:43 < gmaxwell> Luke-Jr: he means djb nacl not google nacl.
19:43 < midnightmagic> gmaxwell: I was invited after my Avalons came online but the database was for a while recording like 2x my hashrate than I was actually putting into it. And went through the payouts. And I notified the pool operator. And got paid out anyway.
19:44 < gmaxwell> midnightmagic: you see 50btc's letter?
19:44 < midnightmagic> Most of it was originally from coinbase, but a couple hops out but..
19:45 < midnightmagic> no, were they laundering for shadowy Tor people?
19:45 < gmaxwell> https://50btc.com/news/status_28_10_en
19:45 < gmaxwell> Conman thinks 50btc is mostly a cover for a botnet, they're certainly weird.
19:46 < midnightmagic> I hate it when people don't date their PR.
19:46 < gmaxwell> well the URL says 28_10 but I think it (or at least the en version) is newer than that.
19:49 < midnightmagic> What's the pool that keeps getting stolen from? Is that 50btc? Like over and over..
19:50 < gmaxwell> a few weeks back 50btc had all their user balances set to crazy amounts and people withdrew until their wallet ran out of coin.
19:50 < gmaxwell> ...and it sat like that for weeks. may even still be like that now.
19:50 < gmaxwell> and more coin was going in and people were pulling it out.
19:51 < gmaxwell> ozcoin got robbed a bunch of times. :(
20:02 < Luke-Jr> what is djb nacl? O.o
20:03 < Luke-Jr> hm
20:05 < maaku> Luke-Jr: super cool crypto
20:05 < maaku> http://nacl.cr.yp.to/
20:06 < gmaxwell> petertodd: can you please generate a new dust-b-gone txn? I'm sure you've had more submissions since.. I want to take another pass at getting it mined.
21:05 < petertodd> gmaxwell: there's four txins for a few satoshis, submitted it, but it's not likely to get mined
21:07 < gmaxwell> petertodd: hm? I don't think the first one got mined and didn't it have more than that?
21:07 < petertodd> gmaxwell: also: cbebc4da731e8995fe97f6fadcd731b36ad40e5ecb31e38e904f6e5982fa09f7 WTF!
21:07 < gmaxwell> I've gotta stop assuming you made all the weird txn.
21:08 < petertodd> gmaxwell: some of them eventually got mined - I'm talking about the total
21:08 < gmaxwell> I've seen it.
21:08 < gmaxwell> it forked some alt implementations
21:08 < petertodd> gmaxwell: might have been me - I am a crack addict
21:08 < petertodd> heh, figures...
21:08 < gmaxwell> and confused some of their implementors.
21:08 < petertodd> not good...
21:09 < gmaxwell> (confused because the 0 in the scriptsig position made them think it was like the checkmultisig behavior)
21:10 < midnightmagic> Luke-Jr: NaCL from dan bernstein, the NaCL paper he wrote on it sold me pretty good..
21:11 < gmaxwell> petertodd: care to give me the hex of the submitted txn so when it doesn't get mined I can nag luke and wizkid about it?
21:11 < petertodd> gmaxwell: http://0bin.net/paste/qel7hbPIRFtSLRGc#Lwd7vxfMuyQPwhunBDq1SmWVvysX99wKozKgEYnkY24=
21:13 < gmaxwell> petertodd: weird, I know I sent you a388195b8c39caf20c7774045287ebc370b57db59909fe97668b7872b3396514:0 value "amount" : 0.00040000,
21:14 < midnightmagic> Luke-Jr: http://cr.yp.to/highspeed/coolnacl-20120725.pdf
21:14 < gmaxwell> a while back, but its not been mined nor is it in that one.
07:58 < adam3us> sipa: yep, everyone thinks about it, i thought about it also
07:58 < brisque> I take the primecoin comment back, it seems to be semi-sane but the "work" it's producing is just as useless as anything else.
07:58 < sipa> yeah
07:58 < adam3us> brisque: no there is something wrong with primecoin, algorithmically; its not exactly progress free and the probability distribution is slightly wrong i think
07:58 < sipa> adam3us: i'd probably implement most of it from scratch, though
07:59 < brisque> adam3us: on my first read I thought the work was based on a 32bit hash, but it's not. I haven't looked any further than that.
08:00 < brisque> sipa: why wouldn't you? there's lots of little niggles in Bitcoin that could be fixed with a complete rewrite.
08:00 < adam3us> sipa: yes that is actually what got me to thinking about 1-way pegged side-chain and i presume BlueMatt/gmaxwell about 2-way peg was that it makes more sense to respect the initial bootstrap as a one-off event, then it becomes possible to do significant innovation, overhauls, re-writes without having the barrier to actual adoption of a new digital scarcity
08:01 < sipa> brisque: not following, i'm saying i prefer a total rewrite over patching
08:01 < brisque> sipa: I'm agreeing with you.
08:01 < sipa> ok
08:02 < adam3us> the only other people i saw who even tried to tone down the "make money fast" motivation (which is actually a smart thing to tone down for adoption) were jtimon & maaku, there was like a charitable donation, and a temporary but modest (i think?) development fund, plus the new economic bit about demurrage
08:03 < sipa> maybe ironically, i just don't care about economics much
08:03 < adam3us> sipa: yeah the thing that i find awesome about 1-way or 2-way pegged side-chain (if we can figure out the details) is that it fully allows major feature experiments, securely
08:03 < sipa> adam3us: link?
08:04 < adam3us> ohh i am not sure there was a 1-way peg write up on bitcoin-dev, one sec for link; 2-way was a thread on here, been meaning to update the email thread with that discussion
08:04 < sipa> one way pegging through burning bitcoins to create coins in another system seems simple enough
08:04 < sipa> being able to go back... i don't see how
08:05 < adam3us> https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg02945.html
08:05 < adam3us> thats the 1-way
08:06 < adam3us> sipa: so the 2-way works if you make changes to bitcoin 0.9x to honor transfers back. but only once for previous transfers out. in that way the security is limited to damage ONLY the current holders of transferred out bitcoins (if security issues appear on bitcoin 1a.x)
08:07 < brisque> adam3us: so you would have coinbase TXs without a block, sorta?
08:08 < sipa> i don't understand
08:08 < sipa> you send a coin to a dead address to instantiate it in betacoin
08:09 < sipa> how do you turn it back into a bitcoin coin?
08:14 < adam3us> sipa: sorry about that free airport wifi expired onto the next laptop
08:15 < adam3us> sipa: the reason i thought 1-way peg is interesting is i was frustrated about adoption rate of simple (but soft/hard-forking) clear improvements to bitcoin (of which i think there are many)
08:15 < adam3us> sipa: so i thought 1-way peg serves as a security insulator and doesnt require bitcoin 0.9x changes (which was the bottleneck i was trying to think of a way to unblock)
08:16 < sipa> i'm not following what you're talking about now
08:17 < adam3us> brisque: "coinbase tx without a block" no the pegged side-chain would have no reward mining (that would be done via transfer/destruction on bitcoin main) but it would have tx reward (denominated in btc)
08:18 < adam3us> sipa: did u skim the url about bitcoin-staging? which bit of the above?
08:18 < sipa> adam3us: sorry, your mails are too long :)
08:18 < adam3us> sipa: yeah i tend to write tldr stuff oops.
08:19 < adam3us> sipa: so i guess we agree that there are a number of things that could be simply fixed, but arent worth the security/value risk of soft/hard forks, and interesting features to enable
08:20 < sipa> it depends whether it's about things that could reasonably once be enabled in bitcoin itself
08:20 < adam3us> sipa: (eg enable some more scripting, or change it so the value is signed - which bites trezor & offline armory)
08:20 < sipa> yeah
08:20 < sipa> that stuff is fine
08:21 < sipa> but things like utxo-walking pow, or transactions committing to a particular chain, or tx fees that are spread over multiple blocks
08:21 < sipa> i doubt those can be considered "bitcoin"
08:21 < adam3us> sipa: so its not exclusive right, there can be a bitcoin 1a.x bitcoin 1b.x etc which are competing pegged side-chains if maaku & jtimon want to go implement the freimarket script extensions on one thats cool. another one can focus on shorter term fixes like the above. maybe bitcoin might merge some of them later or switch over bitcoin to 1c.x if users demand it and move everything to 2.x
08:23 < adam3us> sipa: well i think the interesting thing to preserve if people are genuine about wanting to move the tech forward is the digital scarcity definition. eg one can preserve bitcoin 0.9x as the only reward miner, that way it respects the 21 mil coin limit, and people can innovate on an existing currency base (which i do not think its reasonable to attempt to restart)
08:23 < sipa> i don't want 1-way pegging, as it means you have to burn (valuable) bitcoin to obtain a potentially worthless successor coin
08:24 < sipa> if you know a way to do actual two way pegging, i like to hear it
08:24 < adam3us> sipa: so whether its a rewrite or just enabling queued simple/nice things or some script/market experiment that can all be done on competing pegged side-chains. they can interoperate if you can move coins back (via main)
08:25 < sipa> (in a way that doesn't force the side chain to be very compatible with bitcoin, as that would limit the degree of innovation there)
08:25 < adam3us> sipa: i think the main limitation is you have to enforce security so that security/value bugs in the side-chains can not leak back into bitcoin main. for more adventurous things (utxo walking pow) you'd probably have to make do with a 1-way peg
08:25 < sipa> right, of course
08:26 < adam3us> sipa: yes. 2-way peg is far nicer as nothing is destroyed, just moved. just pointing out the limits with 2-way tying back to the more adventurous changes that cant easily say preserve a security/value firewall because the value definition is too redefined
08:26 < sipa> right
08:27 < sipa> there is of course the centralized approach using an exodus address which has an actual private key known to some people
08:27 < sipa> but that already smells way too scammy
08:28 < brisque> smells like mastercoin to me.
08:28 < adam3us> sipa: so gmaxwell & BlueMatt were exploring using SPV security from the merge mined 1:1 pegged side-chain (with a long conf time like 100blocks). even that is pretty complex. i guess we'd have to explore that first before figuring out if you can go further and two-way peg something with quite different value semantics
08:30 < adam3us> sipa: maybe you can do something, the main point being that nothing must be possible to move back from the side-chain twice. ie it must be tied back to the demonstrable ownership (in SPV model say) of a previous bitcoin that was destroyed, and then allowed (once) to be recreated (though the cycle could repeat, it must be allowed once in each cycle)
08:31 < gmaxwell> the key observation in that discussion that I came to was that it doesn't really matter if the value transfer mechanism is very slow (e.g. taking many blocks), because you could just do regular atomic coinswaps so long as the liquidity on each side was reasonably balanced, you only need the direct chain moves to move funds without a counterparty.
08:32 < adam3us> gmaxwell: yes i agree with that. its the expectation of later fairly certain settlement, market can do the rest (pay day loan for the impatient)
08:33 < adam3us> gmaxwell: sipa was wondering if more esoteric/bigger value definition/ownership changes could be two-way pegged "sipa: if you know a way to do actual two way pegging, i like to hear it
08:33 < adam3us> (in a way that doesn't force the side chain to be very compatible with bitcoin, as that would limit the degree of innovation there)"
08:34 < adam3us> sipa: even if it were not (significantly) possible, just a two-way peg could allow quite a lot of new parallel development flexibility and innovation on existing value base. that alone is a big project.
08:35 < brisque> if a two way peg were possible namecoin would be a lot more interesting.
08:36 < gmaxwell> brisque: no thats not possible.
08:36 < sipa> sounds like that requires every utxo in the beta currency to be backed by a bitcoin utxo
08:36 < gmaxwell> namecoin already exists.
08:36 < adam3us> sipa: (another change would be like the tagging of additional meanings directly on the side chain rather than coloring; freimarkets proposes tagging, and its better than coloring as coloring is i think inherently SPV incompatible, and tends to spam the bitcoin network)
08:37 < gmaxwell> sipa: not quite, perhaps someone should go extract that conversation from logs.
08:37 < brisque> gmaxwell: well yes, unfortunately.
08:38 < brisque> gmaxwell: not sure anybody would argue that the project isn't stale though.
08:38 < sipa> well if you can create a bitcoin output script that requires a proof of transfer through betacoin and back... ok
08:38 < gmaxwell> sipa: in any case, basically you add a softforking change to bitcoin that lets you write txouts which can be spent according to terms that come with SPV-like proofs from the other chain.
08:38 < gmaxwell> right.
08:38 < sipa> but SPV proofs cannot prevent double spending
17:24 < petertodd> maaku: it'd be done 100% publicly
17:25 < jtimon> but they can only paralyze the network, never change the rules
17:25 < petertodd> maaku: you may work for government, but I work in a field where I have to have an itar security clearance - I know how hard it is to buy custom equipment that the government has decided shall be regulated
17:26 < maaku> it's a lot easier to buy that equipment in china. or singapore. or south africa
17:26 < petertodd> maaku: no it's not, the manufacturing capacity simply doesn't exist for a lot of this stuff. As I say, only a tiny number of companies in the world can make top-of-the-line ASICs.
17:27 < petertodd> maaku: in fact, only a tiny number can make even low-performance digital ASICs...
17:27 < petertodd> fab plants are fucking expensive
17:29 <@gmaxwell> maaku: WRT sha512 speed, the compression function is slower, but it handles twice the data, and it's not twice slower.
17:30 < jtimon> will anybody be prohibited from building another asic when asic's yield is 0% and is clearly stupid to build another one?
17:30 < petertodd> jtimon: huh?
17:30 < jtimon> who's going to be the champion who thinks that can control the users by controlling the pow?
17:31 < petertodd> jtimon: still huh?
17:31 < jtimon> the hashing alg is something you can change whenever you want
17:31 < petertodd> in a hard-fork yes
17:32 < petertodd> which is why I'm *not* suggesting bitcoin change the pow right now, I'm suggesting that asic-hard pow's be researched so we'll have them ready if we need them
17:32 < petertodd> after all, governments may very well play nice and we'll be just fine, great!
17:32 < jtimon> if users are screwed up and just need a hard-fork to be where they were, they will download the next version
17:32 <@gmaxwell> I did make a Modest Proposal to LTC to change their POW. When people started attacking my character I departed the thread, I dunno how that discussion has gone since.
17:32 < petertodd> and they're more likely to play nice if they know the community has alternatives
17:33 < petertodd> gmaxwell: try again when LTC is 51% attacked by an ASIC vendor :P
17:33 < jtimon> of course you would need "social consensus" whatever that is
17:34 < jtimon> probably not something to look for in a cuLTC
17:34 < jtimon> sorry
17:35 < maaku> helo: btw, one system we (jtimon and I) came up with for the namecoin 2.0 system is squatting resistance by having a market-set cost associated with the domain
17:35 < jtimon> that's pretty economic actually
17:36 < maaku> heh, i hadn't seen cuLTC
17:36 < jtimon> sorry again
17:37 * petertodd didn't realize he wasn't the only Canadian in the room
17:37 * maaku is a canadian whenever he travels
17:37 <@gmaxwell> midnightmagic: is here
17:42 < jtimon> hey wizards, if it had an application, how would you define the pow ADDition operation?
17:42 < jtimon> like if tx could have pow fees or something
17:46 < nsh> i would define it constructively if possible, otherwise existentially
17:46 < petertodd> jtimon: just add the work together is one way
17:46 < petertodd> anyway, bbl
17:49 < maaku> jtimon: not sure what you mean
17:50 < helo> maaku: you create a limited supply of domains that can be created in each block so fees compete?
17:50 < maaku> helo: no, domains are unlimited in supply
17:51 < maaku> but domains are not a fungible commodity
17:51 < helo> how do you create a market of price competition without scarcity?
17:52 < maaku> helo: there is scarcity. domains are like land
17:52 < maaku> only one person/scriptPubKey can own google.bit
17:53 < maaku> so you have a mechanism for registering committed bids to buy domains from the current owner
17:53 < jtimon> maaku I've been thinking lately about incorporating petertodd's input-only txs to freimarkets with per-tx pow which with you can build "pow chains" you can hash your transaction on top of some others that already have pow, adding it all for the txs that haven't appeared "lately"
17:54 < helo> so initial squatting is cheap, but you construct a bidding market to allow people to purchase the domains from the initial squatters?
17:54 < maaku> so long as there is an outstanding valid bid, the current owner has to pay (by destroying coins) a small percentage of the highest bid
17:54 < jtimon> you could also have hash-only transactions
17:55 < helo> interesting...
17:55 < maaku> yeah, and if the owner doesn't pay upkeep then the highest bid can claim the domain (but in doing so, they have to pay the owner the amount they offered)
17:56 <@gmaxwell> maaku: certainly not socially optimal. How would nike-exploits-children.bit exist in that world?
17:56 < maaku> jtimon: i'd have to see a more thorough description / example to understand it
17:56 < helo> i think it would be uneconomical for me to keep my namesake's domain as i have for 15 years in such a system :/
17:57 < jtimon> so you cannot bid up a domain for free, google could actually accept your million
17:57 < maaku> gmaxwell: in what way are you thinking?
17:57 <@gmaxwell> helo: you have hello.something?
17:57 <@gmaxwell> maaku: I mean that powerful voices could silence people just by outbidding them.
17:57 * helo dot org :)
17:57 < maaku> gmaxwell: that gets expensive, fast
17:57 < maaku> (the upkeep is destroyed, but the payment goes to the previous owner)
17:58 <@gmaxwell> When you're nike and your opponent is some broke activists?
17:58 < maaku> helo: that's two sides of the same coin. can't get rid of squatting or achieve ultimate utilization without annoying some early adopters
17:59 < helo> yeah...
17:59 < maaku> fwiw this is actually an application of georgian land tax theory
18:00 < jtimon> helo: if nobody else likes the domain, you would pay a percentage of your "reserve" until somebody offers more, but you can always stop paying and leave the domain available
18:00 < maaku> which seeks to show that tax on the basic value of land (what I'm calling upkeep fees here) is the only known tax to *increase* economic production, and thereby (a georgist would claim) a moral tax
18:01 <@gmaxwell> maaku: making money is not the only valid use of a domain name.
18:01 < maaku> gmaxwell: i think it's more likely to work in the reverse direction
18:01 < maaku> re: nike
18:01 <@gmaxwell> nike-exploits-children.bit doesn't make any money, its good cannot easily be monetized.
18:02 <@gmaxwell> so yes, letting people outbid popular names may well increase economic production, it may not improve human welfare (at least in all cases)
18:02 < maaku> so the activists pay their own upkeep fees as nike keeps upping the bid, then finally they run out of money and give in
18:02 < maaku> and get paid by nike, 20x what their annual upkeep fee was
18:03 < maaku> and then they register nike-enslaves-children.bit
18:03 <@gmaxwell> The most valuable economic production of wikiipedia.org (note typo) is, no doubt, a malware installer or other scam. I'm glad that it's owned by wikimedia instead. :)
18:04 < maaku> i'm more worried about solving the ideal distribution problem
18:04 < maaku> i'm not a crypto-anarchist, so I'm comfortable with some legal fallback for libel and such
18:05 < nsh> that's exactly what a crypto-crypto-anarchist would say, to throw us off the scent
18:05 < nsh> i'll be watching you...
18:05 < maaku> heh
18:05 < jtimon> but he has a point, how do you prevent people from getting sick when they get into wikipedia.bit ?
18:05 < nsh> :)
18:05 <@gmaxwell> I'm not uncomfortable about fallbacks for libel, but I don't think creating default economic incentives which fixate everything on money is a great way to achieve social justice.
18:05 < jtimon> into fake-wikipedia.bit, I mean
18:06 <@gmaxwell> (e.g. I am not a capitalism-is-everything-ist)
18:06 <@gmaxwell> There is merit to first come first serve.
18:07 <@gmaxwell> maybe something like com should be pay to park, and .org should be first come first serve.
18:07 < helo> i definitely like the idea of in-band domain bidding. the adversarial anti-bid fee is kind of spooky though.
18:07 < maaku> gmaxwell: that's a solution i'd be comfortable with
18:08 < maaku> for context, this was originally designed for registering locations in a virtual world
18:08 < Luke-Jr> in other news, I am now officially a home owner <.<
18:08 < maaku> but there's going to be an alternate system for registering locations in the real world
18:08 < jtimon> but there has to be some cost, even for .org or you would bloat the "domain-UTXO"
18:08 <@gmaxwell> The idea that some names have more productive use than others is ... somewhat true but limited, that's probably only true for relatively few names, and we're faced with the problem that almost always the most 'productive' use of a name is a bad one (like scams) since good uses don't depend on their _name_ in order to be productive. Naming is not like land. Land has properties beyond location. :)
18:08 < maaku> for the purpose of augmented reality
18:08 < maaku> which is similar
18:08 < maaku> Luke-Jr: congrats :)
18:09 <@gmaxwell> Luke-Jr: congrats.
18:09 < Luke-Jr> now I need to hack this silly Nest thermostat so I can put some free software on it <.<
18:09 <@gmaxwell> you bought a place swank enough to have a nest thermostat .. in florida? really? :P
18:09 < Luke-Jr> .. or just wait and see if they give in to my legal demands :P
18:09 < Luke-Jr> gmaxwell: nah, bought the Nest separately
18:09 <@gmaxwell> hehe
18:09 < Luke-Jr> couldn't find a cheap IP humidity sensor
18:10 < nsh> what happens if your nest gets too warm/cold?
18:10 < nsh> are you running a hatchery on the side or something?
18:10 <@gmaxwell> mining should have been called incubating.
18:10 < Luke-Jr> heh
18:10 < nsh> hehe
18:10 < nsh> just hatched a block!
18:10 < Luke-Jr> Nest should put a miner in their tstat!
18:10 < warren> not digging? =P
18:11 < Luke-Jr> then it'd always report a higher-than-reality temperature <.<
00:21 < andytoshi> well, i'm going to move to #bitcoin..
00:21 < warren> andytoshi: that update was to stop a massive dust attack. they had a mintxfee of 0.0001 when coins were very plentiful ... much hilarity
00:22 < gmaxwell> andytoshi: yea, it'll keep creating more forks if the non-acceptable-to-all-nodes chain has a majority hashpower.
00:22 < andytoshi> oh man, such wow
00:22 < gmaxwell> er "acceptable-to-all-nodes"
00:22 < gmaxwell> not non-.
00:22 < gmaxwell> if the non-acceptable has a majority then you'll get exactly two.
00:23 < warren> how do I format a mocking doge message to post in litecoin dev news
00:23 < petertodd> warren: heh, I wish I had the time to add really easy multi-currency support to python-bitcoinlib to make writing attacks for non-btc crypto-coins easier...
00:23 < grau> gmaxwell: there could be a lesson for us in this. Let's see how the worst case unwinds.
00:23 < gmaxwell> if the acceptable to a majority has a majority you'll get constant reorgs and more forks but most will be short.
00:23 < Luke-Jr> gmaxwell: I thought you left? :P
00:23 < warren> petertodd: you're sitting on a lot of unearned funding...
00:23 < gmaxwell> grau: things like this have happened with smaller alts before, they just release another version and tell everyone to hurry up and upgrade. And because there is no major economic activity no one cares and its forgotten.
00:24 < brisque> presumably they aren't using the alerts system to notify clients because they didn't change the key from Litecoins.
00:24 < petertodd> warren: one of the reasons I'm not working on python-bitcoinlib...
00:25 < petertodd> warren: and for that matter, why I quit the day job (mastercoin was just good luck)
00:25 < andytoshi> i like how this happened less than an hour after i decided to write an alt faq
00:25 < andytoshi> brisque: classic
00:25 < warren> I need a doge speak primer to format the mocking message properly.
00:26 < grau> I regularly write doge, without intent :)
00:27 < petertodd> warren: verb noun, verb noun, verb noun etc. (all lowercase) make the layout alternate sides, but not symmetrical.
00:27 < brisque> https://github.com/dogecoin/dogecoin/commit/2ee5cb3396df66c10fef34480a183d00e3bec635
00:27 < brisque> ^ that's the forking change, if anybody was curious
00:27 < petertodd> specifically the change to the definition of MAX_MONEY
00:28 < brisque> https://github.com/dogecoin/dogecoin/blob/94b99f5cc7d997d9c656b9d08ce5f74caa6a3ec3/release/dogecoin.conf
00:28 < gmaxwell> wtf they totally did just change max_money, hilarious.
00:28 < brisque> what's with the hardcoded RPC password?
00:28 < warren> prior to making that change they e-mailed me asking for help
00:28 < brisque> default rather, not hardcoded.
00:28 < gmaxwell> worse than I guessed, initially I thought perhaps not all instances of max money were made into the define and they only got one right.
00:28 < gmaxwell> "Fix dust issue" misleading commit message too
00:28 < warren> I didn't intentionally not respond, I was sleeping the entire time including that commit.
00:29 < petertodd> lol "
00:29 < petertodd> wallet_bgcoin.png should not be modified on every release, as it would increase the size of the repository time by time...
00:29 < gmaxwell> and the commit was by " dogecoin " no actual attribution.
00:30 < warren> I didn't verify this, I was told one of the dogecoin devs is an engineer at IBM.
00:30 < brisque> oh, so Dogecoin is a fork of "Linkcoin" rather than Litecoin?
00:30 < petertodd> ha, and dogecoin doesn't sign their commits
00:30 < petertodd> or even tags
00:31 < petertodd> warren: they do have an android client on the front page though
00:32 < brisque> petertodd: and a web wallet.
00:32 < warren> brisque: not all that different from most coins. people mine directly into an exchange wallet.
00:32 < petertodd> brisque: with twitter bootstrap like the big boys!
00:35 < grau> Alt holdings could wash to BTC now en masse.
00:37 < warren> https://plus.google.com/+LitecoinOrg/posts/3iVBu7bC1h6 <--- this is the best I could do
00:37 < petertodd> warren: lol
00:37 < grau> :)
00:41 < brisque> there's a comment in that reddit thread asking the developer to use the alerts system to notify people, the response is "in good time"- they definitely can't because they don't have litecoin's alert private key.
00:42 < warren> they actually copied our alert key?
00:43 < andytoshi> i bet "in good time" means "when a litecoin dev names his price to sign an alert for us"
00:43 < brisque> warren: https://github.com/dogecoin/dogecoin/blob/2ee5cb3396df66c10fef34480a183d00e3bec635/src/main.h#L1589
00:43 < warren> andytoshi: can't do that. that alert would be on our network too.
00:43 < brisque> andytoshi: http://www.reddit.com/r/dogecoin/comments/1ufl1e/much_concern_dogecoin_block_chain_has_split/cehkh91?context=1 (I misremembered, that quote wasn't verbatim)
00:44 < warren> andytoshi: litecoin's alerts already jumped onto 20+ clone networks
00:44 < petertodd> warren: isn't dogecoin on 0.6? could limit display to just 0.6
00:44 < andytoshi> warren: oh, i thought because the nodes won't talk to each other litecoin would be isolated
00:44 < brisque> andytoshi: they would be isolated until someone just manually transported the alert to litecoin and made a mess.
00:45 < andytoshi> brisque: yeah, i realized that as soon as i typed that
00:45 < brisque> andytoshi: if I've read right, some people on bitcointalk have designed their systems to go into a safe mode when they see an alert on the network too
00:46 < warren> litecoin does regular alerts for color changes, so they shouldn't be surprised.
00:46 * warren is exaggerating, a little.
00:48 < petertodd> I like how in the reddit thread about the dogecoin split, specifically warning people not to send dogecoin during the split, people are tipping each other like crazy...
00:50 < brisque> petertodd: it's fairly obvious that the community has no clue what they're doing. the "co-founder" is saying everything is fine and they had 10 days to update (not realising that as soon as they made the commit the network could have been split {if anybody actually builds from master and runs it behind something})
00:51 < petertodd> brisque: and with their fast block rate and fast diff adjustment we can see first-hand what forks look like when coinbase payouts are destroyed!
00:51 < andytoshi> brisque: where are these claims being made?
00:52 < brisque> andytoshi: http://www.reddit.com/r/dogecoin/comments/1ufl1e/much_concern_dogecoin_block_chain_has_split/cehkbm8 and there's other bits scattered about the thread
00:53 < andytoshi> i love the talk in that thread about the "real chain" and "bad chains"
00:53 < andytoshi> apparently they have a reddit-based consensus system now..
00:54 < petertodd> BlueMatt: ^ there's an option for the coingen!
00:54 < petertodd> "So, now what do we do? Is there someone who is in charge of maintaining the blockchain?" <- lol
00:55 < brisque> petertodd: I would absolutely love to have a real time visualisation. connect to multiple nodes on different forks and watch them race. the short block time would make for an incredibly interesting display.
00:56 < petertodd> brisque: it'd be extra fun if someone decided to DoS attack the network right now
00:58 < warren> petertodd: coingen.io is for sale
00:58 < brisque> petertodd: I doubt they need it really. the network is so fragmented and so little actually relies on Dogecoin that the entire system will likely just collapse.
00:59 < petertodd> brisque: I sure hope so, but good luck on that...
00:59 < petertodd> brisque: communities of people around a technology that doesn't actually need to work for the community to exist can be surprisingly durable
01:01 < brisque> petertodd: I suppose, if they don't understand as a whole how bad this situation is then it won't collapse. strange situation. it's a bit like NXT supporters still being optimistic when their closed source currency posted its source.
01:02 < petertodd> brisque: well remember the "situation" is they have a fun meme and a community built around that meme. if anything the problem is just as likely to get *more* people interested in dogecoin
01:04 < andytoshi> well, as fun as this is to watch, i've got an early flight tomorrow
01:04 < andytoshi> have a good night guys
01:05 < brisque> petertodd: like all "memes" the velocity will die off (if it isn't already).
01:05 < andytoshi> petertodd: i'm going back to austin, vancouver is freezing !!
01:05 < petertodd> brisque: sure, but that die-off may have little to do with tech
01:05 < petertodd> andytoshi: ha
01:05 < petertodd> andytoshi: pretty though :)
01:06 < andytoshi> that's true, i'll miss it
01:06 < brisque> petertodd: the meme is already losing staying power, it could just be that massive incompetence and forks is enough to destroy the coin as well. http://www.google.com/trends/explore#q=doge%2Cdogecoin
01:07 < brisque> http://www.google.com/trends/explore#q=doge%2C%20dogecoin&date=today%2012-m&cmpt=q
01:08 < brisque> that's a much better graph.
01:16 < warren> this fork didn't seem to affect its exchange rate
01:17 < brisque> logically exchanges would have closed their doors temporarily when they saw the network wide alert about the chain fork (haha). they risk double spends if they don't.
01:18 < warren> I'm just pointing out that networks being reliable has nothing to do with alt value.
01:19 < brisque> alright, I agree.
01:27 < nessence> it is near ~midnight throughout most of US on a saturday
03:06 < warren> petertodd: ooh... with the dust spam attack, I wonder if their massive reorg triggered the BIP50
05:08 < brisque> looks like dogecoin released another update that adds check pointing to try and get around their hardforks issue.
05:08 < brisque> confusingly in two commits "checkpoint" and "checkpoints".
05:09 < gmaxwell> brisque: oh boy, did they back out the change?
05:10 < brisque> they did not.
15:25 < gmaxwell> adam3us: I know it does, thats why I'm crying to you.
15:25 < adam3us> gmaxwell: so couldnt we add a new signature scheme?
15:25 < gmaxwell> adam3us: we can, it's non-trivial though.
15:27 < gmaxwell> worse, there is no suitable prefab EC schnorr sitting ready to use. The Ed25519 formulation, for example, breaks this stuff.
15:27 < adam3us> gmaxwell: maybe you could joint validate multiple input keys. add up the public keys from the input addresses and provide one signature with it
15:28 < adam3us> gmaxwell: why do you say ed25519 breaks ec schnorr?
15:28 < gmaxwell> adam3us: meh, never been a fan of that kind of layering violation, as it binds script too tightly to the choice of underlying crypto.
15:28 < adam3us> gmaxwell: :) more compact though. cisc vs risc argument
15:29 < gmaxwell> adam3us: I mean, if bitcoin worked that way now talking about adding schnorr would be much harder. :)
15:30 < gmaxwell> adam3us: IIRC Ed25519 modifies schnorr by adding an extra hash input. I am not sure if it breaks these things, but I had a vague recollection that it did.
15:31 < adam3us> gmaxwell: yes - i understand. its not that serious of a suggestion what you could say is its an optional op only available with some sig types eg opcombosig or whatever. as you say layer violation, agreed. you'd have to decide if it was worth the bandwidth saving
15:31 < gmaxwell> If it doesn't ... then my evaluation of the usefulness of Ed25519 has gone up a lot.
15:32 < adam3us> gmaxwell: i dont know the answer... anyone else on here read djb stuff in enough detail to know?
15:32 < gmaxwell> I mean, both sipa and I have, but I know I don't currently remember. :)
15:33 < gmaxwell> At the time, while I knew there were schnorr things to do threshold crypto I was totally not thinking about that.
15:33 < gmaxwell> For some reason DJB himself never points out that Ed25519 is applicable to that stuff.
15:34 < adam3us> gmaxwell: i think sooner or later we should add/move over to schnorr it is just better in so many directions that its a design/efficiency win
15:34 < adam3us> gmaxwell: mainly the flexibility enables new things, that are not possible without it
15:35 < gmaxwell> I think the notion that it enables new things which are externally indistinguishable from old things is one I hadn't considered before and is also pretty compelling.
15:42 < adam3us> gmaxwell: trying to decipher EdDSA - has he done something funky to the H (aka sha256) etc output? seems like he went slightly too far in optimization, maybe use his curve but not the most extreme of the optimizations
15:43 < gmaxwell> I think the optimization was to try to eliminate some precomputation attacks.
15:52 < adam3us> gmaxwell: djb can be one crazy dude at times. i think this is more like a speed hacked, mangled, curve specific, bigger hash schnorr! (i thought it was dsa like from the name)
15:54 < adam3us> gmaxwell: he might've broken the algebraic properties with the speed hacking for n of n etc
15:55 < adam3us> gmaxwell: i reckon this djb edDSA has its own protocol violation layers; i reckon use sipa's ECDSA, and if/when switching use ECSchnorr with your favorite EC curve
15:57 < gmaxwell> yea, but then you've taken the whole setup out of the realm of something well known, which is unfortunate.
16:00 < adam3us> gmaxwell: btw there are even arguments schnorr is more secure than dsa see p10 of bernstein paper. there's another paper just on that topic by someone else. i dont think edDSA is something that specific - its just a speed hacked tweaked schnorr. but the signature size is bigger as he doesnt want to count the cost of uncompressing
16:01 < adam3us> gmaxwell: i do like his idea to include Q the schnorr hash (he labels it A) alternatively someone figures out if it doesnt break the desired features n of n, brands, blinding etc and if it can be optionally used in compressed form
16:13 < adam3us> gmaxwell: btw herein lies the problem (of why we are even having this conversation) "Practical use of Schnorr's system was hampered by a patent (which expired in 2008),"
16:13 < adam3us> gmaxwell: hence the introduction of the inferior DSA (slower, less flexible, less secure to some attacks)
16:14 < adam3us> gmaxwell: and less security proofs, and more complex... something like a quintuple fail as the standardized algorithm because prof schnorr decided to get himself a patent - i bet he never got much money from it
16:17 < gmaxwell> adam3us: yea, I know. (I thought I previously defended bitcoin's use of ecdsa instead of it on that basis, but maybe I didn't because the patent expired in 2008 ...)
16:17 < gmaxwell> And 12:16 < gmaxwell> If they do, it'll be sad because the history of crypto says that patented crypto is dead on arrival.
16:17 < gmaxwell> (on a separate subject)
16:18 < adam3us> gmaxwell: and dsa was also designed by NSA, and has fragility due to extreme reliance on unbiased randomness (without the deterministic change) and the original dsa spec had a suspicious bias only rectified as an advisory after bleichenbacher spotted it. something like 8 negative points
16:19 < gmaxwell> i was unaware of issues in the original dsa spec!
16:20 < adam3us> gmaxwell: the algo for generating k had a bias... given the other attacks on computing d given even a few bits from a few hundred sigs, thats suspicious to me in hindsight
16:21 < jrmithdobbs> adam3us: i hadn't thought about it before, but that is indeed very suspicious in light of recent events
16:21 < jrmithdobbs> but as used/specified now it just has the randomness reliance so is 'safe enough' if implemented well afaict
16:22 < adam3us> http://www.ipa.go.jp/security/enc/CRYPTREC/fy15/doc/1002_reportDSA.pdf by vaudenay section 5. i think bleichenbacher is another one of those people who doesnt bother to write papers...
16:22 < gmaxwell> yea, requiring good randomness is a neat trick, you can be sure your own stuff is secure just by doing better engineering, and then trust everyone else will get it wrong.
16:23 < jrmithdobbs> ya, i've always wondered why dsa did that, i didn't realize it came out of the nsa (was aware of that paper you just linked though)
16:23 < adam3us> 4 million signature key recovery attack (say a busy web server)... i dont think he tried very hard to optimize it either
16:24 < adam3us> gmaxwell: there was a greenwald article that said explicitly that they did that intentionally as a form of soft sabotage, complexity and fragilize standards and use their influence with nist to get it through
16:24 < jrmithdobbs> adam3us: papers over a decade old, might not have seemed feasible/worthwhile to try at the time
16:25 < adam3us> jrmithdobbs: bear in mind you do not get FIPS certification beyond a certain level if you do not follow their method. even certification rams through their defective designs, because some sectors wont buy non fips certified sw
16:26 < jrmithdobbs> adam3us: ya, i worked in compliance "industry" for a while, i know.
16:27 < jrmithdobbs> what I want to know is what's non-obviously wrong with keccak that they chose it over blake or is this the one nist crypto standard nsa failed to get in on?
16:27 < jrmithdobbs> and the fact that i think thoughts like this constantly these days without feeling paranoid/delusional hurts my head in itself :(
16:28 < Luke-Jr> in other news, some Linux kernel devs are "complaining" to me (simply because they recognised my name on the forum thread) that tips4bitcoin is "spamming" them XD
16:28 < adam3us> its probably hard for them to damage the primitives... they attack the key management - its a more valuable target then you can mitm and decrypt despite strong primitives
16:28 < gmaxwell> Luke-Jr: lol
16:29 < Luke-Jr> .. along with a complaint that Linus shouldn't get so much for mere merge commits
16:29 < jrmithdobbs> adam3us: didn't stop them with md*/sha*
16:29 < adam3us> jrmithdobbs: (i mean because these days its an international design competition and a lot of expert participation, open etc)
16:30 < maaku> jrmithdobbs: you could say the same about AES
16:30 < maaku> NSA doesn't seem to be targeting the core algorithms, but rather the constructions on top of them
16:30 < maaku> (Snowden said that in an interview somewhere)
16:31 < BlueMatt> d-ec-drbg...
16:31 < adam3us> sha0 was a mistake, sha1 also later, i think it just shows the nsa doesnt have a lead anymore for some time now. they just sabotage. md4, md5 blame rivest
16:31 < jrmithdobbs> except you could say that they may have influenced the decision that chose rijndael as aes in favor of its weaker key schedule to exacerbate those issues
16:31 < jrmithdobbs> they claimed "performance" re: the key schedule thing, but looking back, every time they claim performance they seem to mean "nsa backdoor of some form"
16:32 < jrmithdobbs> (note: I do not believe rijndael was influenced directly by nefarious parties, just that its shortcomings may have been intentionally overlooked due to influence from same parties)
16:32 < adam3us> maaku: yes i think i saw that article. also sabotaging standards, including complicating crypto standards and open protocols to make them prone to impl mistakes, and also pressuring us companies to modify system architecture to create central choke points for interception/attack
16:33 < TD> the IPsec thing was interesting
16:33 < gmaxwell> jrmithdobbs: nah, I mean, look at DUAL-EC ... no one could claim "performance" for that. And atm I believe that is the only absolutely known for sure backdoored thing.
16:34 < jrmithdobbs> did someone finally own up to intentionally convoluting ipsec so that's impossible (except on openbsd, basically, and with a very knowledgeable admin) to actually construct a secure ipsec tunnel that provides encryption and authentication in a way that isn't recoverable (pfs) given keys
16:34 < jrmithdobbs> because ipsec is one fucked spec
17:45 < gmaxwell> Though the power consumption of their stuff is better than the 65nm asics today. Well, the 55nm bitfury stuff, which was a careful hand layout is more power efficient than knc.
17:45 < MC1984> its like where there is a huge breakthrough in hashrate security actually decreases for a while
17:46 < gmaxwell> MC1984: you've noticed sipa pointing out that we're down to ~1 month work to replace the chain.
17:46 * jgarzik returns
17:46 < MC1984> yeah a while ago
17:47 < MC1984> do you still keep very close tabs on the asic manufacturers gmaxwell
17:49 < gmaxwell> There is a new chinese company claiming to have parts that are 1.47GH/j on 55nm, parts in hand near release, pretty close to what hashfast and cointerra are claiming to have targeted at 28nm.
17:49 < gmaxwell> ( https://bitcointalk.org/index.php?topic=330665.0 )
17:49 < gmaxwell> MC1984: somewhat.
17:49 < midnightmagic> adam3us: Based on my experience with p2pool, if I pretend everyone is smart, I ask myself the same thing. Why the heck doesn't everyone p2pool. I'd bet if it were included with mainline and "just worked" if people pointed their miners at their bitcoind(-qt) it would probably dominate.
17:50 < MC1984> midnightmagic, true
17:50 < MC1984> i called for that a while ago
17:51 < MC1984> the power of default seems to override even rational economic interest a lot of the time
17:51 < midnightmagic> gavin has mentioned (don't know if it's still true these days) that if p2pool were c++'ized he would want to include it in mainline
17:51 < adam3us> do it!
17:51 < MC1984> whats it written in
17:51 < gmaxwell> midnightmagic: there are two things that increased p2pool rate a lot in my experience: google ads (no kidding), and people paying random bonuses to p2pool users. And there were two things that decreased its usage, it not working right with the latest miner of the month, and people posting FUD about it.
17:52 < MC1984> the FUD really pisses me off
17:52 < MC1984> like people are content to post total shit as long as it makes them look like they know something everyone else dont
17:52 < midnightmagic> most of it was corrected with the most-recent versions of p2pool which now operate with the major miners just fine, along with the major devices.
17:53 < midnightmagic> actually, I don't know about jupiters.
17:56 < maaku> MC1984: Python (twisted)
17:57 < gmaxwell> midnightmagic: so far the people complaining about jupiters have turned out to be people with hosted ones, who also complain about stale rates on other pools. I don't know if people with regular jupiters are all happy or if none have tried.
17:57 < gmaxwell> The firmware and mining software for the jupiters has apparently turned out to be a bug fest.
17:57 < maaku> forrestv (or someone) should apply for money from the foundation to C++'ify it for mainline
17:57 < MC1984> i bet you could do a successful bounty to port it to c++
17:58 < MC1984> i have zero idea how hard that would be mind
17:58 < gmaxwell> it's a decentralized consensus algorithm... not exactly the easiest stuff to work on.
17:58 < gmaxwell> It also goes further than strictly needed for just decentralization purposes.
17:58 < maaku> MC1984: it would be a rather large undertaking.. and not necessarily worthwhile. it actually benefits a lot from the Python ecosystem
17:58 < gmaxwell> As I've been promoting, coinbase-only mining lets people keep something closer to the existing model.
17:59 < gmaxwell> And it avoids the need for a decentralized consensus.
17:59 < midnightmagic> If I were to do it, it would end up as pure C. I'm not sure whether people would appreciate that..
17:59 < midnightmagic> Python is sooooo fast for prototyping.
18:00 < maaku> and for writing concurrent servers
18:00 < midnightmagic> the GIL is pretty annoying to get around tho
18:00 < maaku> eventlet, not multi-threaded is what i generally do
18:04 < maaku> gevent, actually
18:04 < midnightmagic> maaku: Is gevent friendly?
18:04 < maaku> it's pretty much a drop in for threading
18:04 < maaku> monkey patches all the APIs
18:06 < midnightmagic> cool
18:18 < gavinandresen> midnightmagic: I'd love to see a "start mining" button in bitcoin core that did the p2pool thing and knew how to find / talk to asics....
18:19 < gavinandresen> midnightmagic: or, actually, any other within-an-order-of-magnitude technology for mining (still wondering how power-efficient the SHA256 Intel CPU instructions will be)
18:20 < gavinandresen> (order of magnitude power-efficient, I mean)
18:25 < MC1984> sha256 acceleration wont be viable because the function is actually sha256^2 right
18:25 < maaku> MC1984: it isn't sha256 either
18:25 < maaku> it's a primitive you can use to build efficient sha256
18:25 < maaku> or sha256^2
18:52 < phantomcircuit> maaku, which actually might be better
18:52 < phantomcircuit> although i suspect it'll be the same thing as the AES-NI which are effectively a set and an update function
18:56 < gmaxwell> in intel the SHA256 stuff is just a function that implements two rounds of SHA256.
18:58 < gmaxwell> I think I figured a 3GH/s cpu would be a 50MH/s miner or something, with a guess at the throughput of the round function instruction. So I don't think this will bring cpus back in the running for mining, though it may make other things we do faster...
18:59 < warren> block propagation?
19:00 < gmaxwell> I don't think hashing is the real barrier in performance there by far... but if everything else gets optimized it may be, so that would help then.
20:40 < midnightmagic> gavinandresen: ah cool
21:17 < amiller> i really like this tweet from matt green https://twitter.com/matthew_d_green/status/399236330581786624
21:17 < amiller> "Every new idea has already been discovered, inaccurately discussed & totally forgotten about on the Bitcoin forums."
21:24 < gmaxwell> amiller: Emin's character attacks on people expressing doubt about their work is exactly as I predicted.
21:33 < MC1984> @matthew_d_green Every random noise channel will eventually transmit every transmissible message.
21:33 < MC1984> #iceburn
21:47 < amiller> actually, what do you mean by predicted
21:48 < amiller> predicted like based on this guy is, or predicted after first seeing the paper, or predicted about computer science academics looking at bitcoin generally
21:54 < gmaxwell> predicted after seeing his initial comments, and his sell pumping on twitter.
21:55 < amiller> yeah, he's such a douche bag and a bad example
21:57 < amiller> everything about it pisses me off, even the random noise comment
21:57 < amiller> there are at least a non-negligible polynomial number of ideas
21:57 < amiller> like 1/n of the users have at least 1/k of their posts are good ideas
21:58 < amiller> the result is fine and i don't even care so much about the press whoring because frankly it's part of the process and if pr people suck up to university professors they've at least earned it or something, bitcoin companies etc do it too,
21:59 < amiller> i think what i hate most about the paper itself is that the proposed fixes are so dumb and introduce more problems and there's a specific section that's like "they should implement exactly these suggested patches immediately or else face imminent collapse" which is total crap
22:00 < gmaxwell> yea, the proposed fix is obviously pretty dumb.
22:00 < gmaxwell> And bytecoin's analysis was not random noise. He performed a simulation, posted figures. He considered a somewhat different model, indeed and it wasn't developed in the same direction or to the same extent as their work, and their work was interesting beyond it... but this isn't a complete surprise. Amusingly, the most interesting proposed improvement in response I've seen is from bytecoin.
22:00 < amiller> it would be really sad if this causes other legit researchers just to steer away from the topic, i don't actually think it will have that effect
22:00 < amiller> yeah definitely
22:02 < gmaxwell> also the fact that there is no acknowledgment that they have an implicit incentives model which doesn't appear to be supported by reality is irritating.
22:04 < gmaxwell> e.g. assuming that miners are frictionless spherical objectivists in simple harmonic motion.
22:06 < amiller> "the obviously desired and hinted-at theory is unsound under some circumstances" is a whole lot different than "this is about to collapse, panic immediately"
22:07 < gmaxwell> claims like "it shows that, even under the best of circumstances (i.e. the attacker has terrible network connectivity, no Sybils, no control over information propagation and loses to the honest miners every single time), defending against the attacker requires at least 2/3rds of the network to be honest"
22:07 < gmaxwell> are just outright untruths.
22:08 < gmaxwell> It's adding an additional assumption that an "honest" miner will behave adversely to bitcoin's long term interest if its more profitable to do so.
22:08 < gmaxwell> Thats not a very good defintion of "honest" 22:09 < amiller> no one is "honest", or else honest miners mine and donate the reward to p2pool 22:10 < amiller> it's a significant result to show that beyond 33% gets disproportionate reward, because other miners would want to join that pool so there's a slope toward larger and larger up to 50 22:10 < amiller> it's not an "attack" its just a lapse in the ideal incentives-keep-everything-okay argument 22:11 < gmaxwell> amiller: Sure but it isn't accurate, not even in the slightest or smallest way, to say that their 2/3rd number is a replacement for the majority number. 22:11 < amiller> well yeah 22:11 < amiller> the 51% number we're used to is 51% honest 22:12 < amiller> hypothetically we can imagine that people also believed that 51% is also the threshold for rational 22:12 < amiller> in that if no coalition controls more than 50%, then there is no way to profit by deviating from the protocol 13:49 < petertodd> adam3us: as a thought experiment, consider how it'd work if you made the grinding bloom filter compat: that's basically what gmaxwell is proposing 13:49 < petertodd> adam3us: (specifically with a random nTweak value) 13:49 < adam3us> petertodd: well actually it might if non-change is an prefixed reusable addr and change is a one-use adr 13:49 < maaku_> jtimon petertodd: well i think this particular application could be better done wih etotheipi's WITHINPUTVALUE sighash mode 13:49 < petertodd> adam3us: the whole point is that you can't distinguish a prefixed reusable *output* and a change output 13:50 < petertodd> maaku_: yes, but where in the scriptSig do you sign the input value? 13:50 < petertodd> maaku_: again, if the signature covers some of the scriptSig, that's easy 13:50 < adam3us> petertodd: i know. but prefixes are unchanging. there lack of presence eliminate some tx from the network analysis. that effect can be cumulative. 
it might leak more bits of entropy per edge than a coin join with random (possibly malicious join to self parties) adds 13:51 < jtimon> petertodd maaku_ I can't think about it because I don't know what is trying to be done 13:52 < maaku_> jtimon: he's trying to have his signature cover the fee, by signing both the input values and the output values 13:52 < adam3us> petertodd: ( i mean if i know because its public your prefix is FF and i see a coinjoin that doesnt have FF in the output then i know you're not in it with that addr. maybe there's another CJ feeding into the previous and it does have FF in it.) 13:52 < petertodd> adam3us: again, you're totally missing my point here. you can't distinguish the output in the prefix-tx, so all you've maanged to do is narrow down who the tx might pay in terms of probabilities (and even worse, you can't rule out stealth addreses with longer, or no, prefixes) 13:53 < jtimon> ok, first solution: using joyscript and a load_utxo-family opcode (I know, this is another opcode) 13:54 < maaku_> jtimon: and doesn't work for hostcoin 13:54 < petertodd> jtimon: anyway, just look up what I've written on bitcointalk about OP_CODESEPARATOR 13:54 < maaku_> hrm, well this is actually an interesting question about a more expressive script - sighash will have to be implemented differently 13:54 < adam3us> petertodd: ok look at it from a black box perspective. there's 1000 tx going into a cluster of CJ, two inputs have FF on them, two output have FF on them. there are two uers we've noticed who use CJ who have FF, anon-set reduction by factor of 1000 13:54 < jtimon> maaku_ to disable covenants you just need to disable load_tx 13:54 < jrmithdobbs> petertodd: OP_CODESEP is just bottom really isn't it? 13:54 < petertodd> jrmithdobbs: ? 13:55 < maaku_> jtimon: ah, reading failure 13:55 < jtimon> maaku_ how so? 
13:55 < maaku_> jtimon: you're fine i misread what you said 13:56 < petertodd> adam3us: again, you can't distingish outputs using stealth and ones that aren't 13:56 < jrmithdobbs> petertodd: give me a few and i'll restate ;p 13:56 < adam3us> petertodd: i think you said it yourself even "all you've maanged to do is narrow down who the tx might pay in terms of probabilities" right exactly :) it weakens the already fragile anon-set coming from CJ with random parties. there are flood attacks on mixers near and dear to people who analysed mixaster remailers which apply 13:56 < maaku_> but about sighash, the issue is that how it determines what script to put in the serialization only really makes sense for a linear language 13:56 < adam3us> petertodd: correct. but that doesnt stop you ruling out a given stealth address. 13:57 < adam3us> petertodd: full node stealth addresses are of course immune as they can have zero prefix. 13:58 < petertodd> adam3us: look at it this way, I agree with you that there is an info leak, is it enough to say "wait stop! lets not implement this and delay!" no 13:58 < adam3us> petertodd: so either you are saying they arent used, or if they are used they decrease anonymity. less than address reuse, but more than one-use address. 13:59 < petertodd> adam3us: what gmaxwell proposes is a linear increase in anonymity set size, with a linear increase in peer work because of extra indexes. will that be implemented? I'm not seeing it 13:59 < adam3us> petertodd: well it was for me. i figured out the same stuff on bct and thought, hmm no thats not good for privacy, put in bucket of fun but not quite safe things. (other than for full-node use case) 13:59 < gmaxwell> ditto, fwiw. 
13:59 < gmaxwell> (That this idea wasn't new to me I knew it from bytecoin's thread, but I simply thought it wasn't good enough) 13:59 < petertodd> adam3us: tough, it's a hell of a lot safer than the *actual* alternative people are going to be using 14:00 < adam3us> petertodd: what are they going to be using 14:00 < petertodd> adam3us: don't live in a dream world of users doing what's absolutely optimal vs. "Hey, this works!" 14:00 < adam3us> petertodd: TD is working on HD wallet for bitcoinj. 14:00 < petertodd> adam3us: they're going to re-use addresses left right and center 14:00 < jtimon> maaku_ is there any reason not to make withinput value the default? 14:00 < petertodd> adam3us: that's got nothing to do with it 14:01 < petertodd> adam3us: HD is orthogonal to the problem stealth addrs try to solve 14:01 < gmaxwell> having your security depend on unknown factors esp including the attacker's statistical prowess... kinda lame and sometimes less secure than no privacy at all. In any case, it's worth at least doing the thought to get the best design within that space we can. 14:01 < adam3us> petertodd: i think it has a lot to do with it. most addr reuse is on bitcoinj dependent smart phone wallets i hazard 14:01 < maaku_> jtimon: yes, that's been my thinking. just have to be careful about compatability 14:01 < maaku_> petertodd: so you'd want a some sort of code-separator like device for the scriptSig? 14:02 < petertodd> gmaxwell: I forget if I got around to proposing it, but the wider blockchain data thing that be made more private in exactly the same way as you're proposing by having full-nodes maintain redundent indexes 14:02 < petertodd> adam3us: that's change addr reuse, not payment related 14:02 < petertodd> adam3us: I'm solving the user-payment side of things, and that's a hard problem without bi-directional comms 14:02 < adam3us> petertodd: aslo while you and jeremy spilman are in implemention mode why not focus on full node case? 
14:02 < jtimon> valitationScript may serve too, but again I'm missing the practical use case of the problem, small memory nodes? 14:03 < petertodd> adam3us: because that's stupidly limiting 14:03 < petertodd> adam3us: anyway, long-term this prefixing stuff will either end up being common for scalability in general, or bitcoin doesn't scale... 14:04 < petertodd> adam3us: equally, in the near future we're going to see prefix lookups being used for wallet syncronization, so that part of the infrastrucutre is getting implemented 14:04 < petertodd> adam3us: did you read my blockchain privacy paper btw? 14:05 < jtimon> I'm not following the stealth addresses discussion in detail, but petertodd are the prefixes needed for sharding? 14:05 < petertodd> jtimon: exactly 14:05 < adam3us> petertodd: thats just admitting defeat. i dont think we've necessarily hit a tech wall yet. eg gmaxwell cooked up the fuzzy bloombait in a few mins yesterday. 14:05 < maaku_> jtimon: it's an avenue for future expansion of capability, by being able to include stuff in the scriptSig which is covered by a signature 14:06 < adam3us> jtimon: no he's just trying to make addresses recognizable but with some privacy in a bloom subset like sense 14:06 < adam3us> petertodd: blockchain privacy? where was this? 
14:06 < petertodd> adam3us: http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03612.html 14:06 < jtimon> petertodd then I guess you need to convince people sharding is feasible to make it count as an argument in the stealth address discussion 14:07 < petertodd> jtimon: sharding isn't just related to blockchian structure, it also works even in the "big-block" scenario because it lets nodes handle a subset of the blockchain bandwidth 14:07 < jtimon> adam3us: I think he uses it for two purposes I don't understand the one you mentioned, but don't bother I still have too much to read from stealth addresses 14:08 < adam3us> jtimon: yes like views it as somehow inevitable for sharding maybe.. i dont get that bit either ;) (talking about you third person there petertodd) 14:09 < petertodd> adam3us: read that paper first... 14:09 < petertodd> adam3us: there is logic to it :P 14:09 < jtimon> petertodd: so it could work even without changing anything, miners could just do it to be able to manage a partition 14:10 < jtimon> petertodd I am understanding what you're saying? 14:10 < jtimon> ma I 14:10 < jtimon> am I 14:10 < jtimon> ug 14:10 < petertodd> jtimon: miners can't mine without the whole blockchain right now, but full-nodes passing around archival data and serving SPV can easily shard and process bandwidth subsets 14:11 < petertodd> jtimon: they can do so securely with the committed (U)TXO stuff that's been floating around 14:11 < jtimon> assuming we already have commited utxo 14:11 < jtimon> what's the next step for sharding? 14:12 < petertodd> jtimon: very simple: adversie what prefix of the UTXO space some full node has, and SPV clients connect to full nodes with the data they need 14:13 < petertodd> jtimon: well, and make "full" nodes themselves only get tx's from their peers matching the prefixes 14:13 < jtimon> I see, thanks 14:13 < jtimon> wait 14:14 < jtimon> full nodes also select a part of the UXTO, where do the prefixes come in? 
14:14 < jtimon> oh, sorry 14:14 < petertodd> jtimon: the prefix is what part they select 16:31 < gavinandresen> sipa: double-spends are weird, though: they're not really "invalid", just "I saw this one first" 16:32 < gavinandresen> (0-conf double spends) 16:32 < petertodd> Yeah, and it's hard to say which one was first anyway; what matters is that two exist. 16:33 < gavinandresen> sipa: Also: only double-spends of another 0-conf transaction will get sent; once a transaction is mined and the TxOut isn't in the UTXO, a double-spend will just get dropped. 16:33 < sipa> it's not even detectable as a double spend at that point 16:33 < gavinandresen> sipa: right 16:34 < phantomcircuit> warren, has anybody tried disabling the write cache on their hdd and seeing if that fixes it? 16:34 < warren> phantomcircuit: I personally got my first mac yesterday. 16:34 < petertodd> gavinandresen: this will make it easier to get tx's into people's wallets where a different double spend was actually mined; what's your thinking on fixing the 'never-will-confirm' tx's that'll show up in people's wallets? 16:34 < warren> I don't know how to do that. 16:34 < gavinandresen> phantomcircuit: reproducing it is the problem 16:34 < phantomcircuit> i can definitely see drives sold with apple hardware lying about the write cache being flushed 16:34 < phantomcircuit> gavinandresen, yeah it's a several month experiment 16:35 < gavinandresen> petertodd: that's just a bug that should be fixed. 16:35 < BlueMatt> petertodd: let other wallets that are smarter fix it :) 16:35 < warren> gavinandresen: is the foundation willing to pledge funds to this? 
16:35 < BlueMatt> let bitcoind's wallet die 16:35 < phantomcircuit> my first guess is that the hdds apple uses are tuned to lie their asses off 16:35 < petertodd> BlueMatt: ha, some of them have IIRC 16:35 < warren> we've wasted a great deal of time failing to figure this out 16:35 < BlueMatt> yes, bitcoinj handles it very well 16:35 < gavinandresen> warren: foundation isn't, but I still have donated bitcoins for testing I'd be willing to pledge. Say 5 BTC ? 16:35 < petertodd> BlueMatt: oh good! replacement for fees would trigger that one a lot 16:36 < BlueMatt> petertodd: well if replacement for fees ever gets enabled... 16:36 < warren> gavinandresen: that's a start, I'll try to find someone else to administrate the money holding 16:36 < petertodd> BlueMatt: heh, only needs epsilon hashing power for some value of epsilon to become an issue :P 16:37 < petertodd> BlueMatt: I mean, it annoyed me when I originally wrote the code... 16:38 < gavinandresen> warren: getting money from the foundation means going through the grant process, I don't want there to be a special "Bitcoin-Qt gets whatever it likes, other wallet/implementations have to jump through hoops" 16:38 < BlueMatt> petertodd: if replace by fee gets enabled, bitcoinj would get lots of transactions marked DEAD, I think, but it would be smart about it 16:38 < gavinandresen> too much confusion about relationship between the Foundation and the reference implementation already 16:38 < BlueMatt> unlike bitcoind's wallet... 16:39 < gavinandresen> "patches welcome" : as long as they come with a good test plan. 16:40 < petertodd> BlueMatt: that's plenty good enough for now - tx replacement is mainly useful because fee estimates will never be perfect after all. (modulo complex scorched earth game theory stuff) 16:48 < petertodd> gavinandresen: min standard tx size is ~134 bytes, 100,000/134=746 times cheaper to bandwidth DoS the network. 16:50 < petertodd> though $4/MiB is probably something we can live with... 
16:51 < petertodd> wait, doh, no that's $0.04/MiB 16:51 < gavinandresen> petertodd: I'm still not following you. Today, I can send 134 bytes to a peer and get 746 times leverage in terms of DoS bandwidth amplification. Right? 16:51 < gavinandresen> petertodd: today, I can do that once for each UTXO I own in the UTXO set (assuming I'm willing to pay fees) 16:52 < petertodd> gavinandresen: My point is it's 746 times cheaper to do that, because you only pay the fees for the 134 bytes, rather than 100KB 16:52 < gavinandresen> petertodd: if first-double-spend is pulled, I can do that two times for each UTXO I own. So the delta increase is 2, not 746. 16:52 < gavinandresen> cheaper to do it than what? Than a world in which I cannot transmit any transactions? 16:53 < petertodd> gavinandresen: It's really simple: if I want to DoS the network now, I have to pay fees to do so, and I pay 0.1mBTC/KB or expensive priority. 16:53 < petertodd> gavinandresen: But with first-double-spend, I broadcast that 136 bytes tx first, then broadcast a 100KB double-spending tx, yet it's the ifrst one that is getting mined. 16:54 < petertodd> gavinandresen: Hence I'm paying ~750 times less for that bandwidth. 16:54 < gavinandresen> petertodd: 100KB won't be sent if it doesn't have enough fees-- MUST PASS ISSTANDARD CHECK 16:54 < petertodd> gavinandresen: But if the 100KB isn't mined, I didn't pay the fees! 16:55 < petertodd> gavinandresen: But if it is mined, then we've somehow enabled replace-by-fee basically... 16:55 < gavinandresen> Meh. Might could be mined, depends on miner policies.... 16:55 < petertodd> I mean, first-double-spend is totally safe re: DoS attacks so long as replace-by-fee is enabled! 16:55 < gavinandresen> and your luck on when miners enter/leave network... 16:56 < petertodd> Yeah, so real world, maybe with bad luck I'm down to 500x, which is still a big improvement. 
16:56 < sipa> ideally, you'd have a small proof of double spend 16:56 < sipa> rather than broadcasting the whole transaction 16:57 < petertodd> sipa: which you can do, you just prove the signature, but that's a fair bit of code 16:57 < gavinandresen> ideally we have a generic active queue management for managing bandwidth 16:57 < sipa> gavinandresen: true, but that's a different problem 16:57 < gavinandresen> so that 100K double-spend is simply de-prioritized. 16:57 < petertodd> gavinandresen: right, but then that means double-spend detection isn't reliable 16:58 < petertodd> gavinandresen: I just have to simultaneously flood that channel while I do my attack 16:58 < gavinandresen> petertodd: if the detection isn't reliable, then the mining isn't reliable, either, and that is just fine 16:58 < petertodd> gavinandresen: no, you're saying it's deproritized, while tx's go through, so mining is reliable 16:58 < petertodd> gavinandresen: if it isn't reliable, then my DoS attack *is* effective 16:58 < gavinandresen> if it is deprioritized in relaying then it won't get to miners 16:59 < gavinandresen> I am ignoring Finney attacks, they are not solved by first-double-spend-relay 16:59 < petertodd> gavinandresen: right, but the that still doesn't solve the "broadcast simultaneously at two points" problem 17:00 < gavinandresen> petertodd: ??? 17:00 < gavinandresen> petertodd: attacker does what-- broadcast a 150 byte txn at one point, and a 100K txn at another? 17:00 < petertodd> gavinandresen: you're solving the problem where a merchant doesn't know if you've broadcast simultaneous double-spending transactions. 17:00 < petertodd> gavinandresen: No, attacker disables double-spend detection by flooding it, then in totally unrelated transactions does a double spend. 17:01 < gavinandresen> flooding what? 
17:01 < petertodd> gavinandresen: flooding the channel for double-spend detection - you said you'd de-prioritize that information channel 17:01 < gavinandresen> no, I would de-prioritize large transactions in that channel 17:01 < petertodd> gavinandresen: yes, and that doesn't help, because my double-spend can be large 17:02 < gavinandresen> okey dokey. If both spends are large, they will both (likely) not make it to merchants or miners. 17:02 < petertodd> but anyway, I don't get why I'm arguing because for my purposes I'd rather see the patch happen... 17:02 < gavinandresen> If one is large and one is small, the smaller is likely to be mined/seen by merchants. 17:37 < warren> gavinandresen: did 0.7 or earlier have any mac corruption like this? 17:37 < warren> or it started with leveldb? 17:37 < sipa> bdb had different corruption patterns 17:37 < warren> (I wasn't around back then.) 17:37 < warren> linux and windows corrupted equally? 17:38 < sipa> unsure 17:38 < gavinandresen> I don't remember OSX having more issues with bdb 17:39 < sipa> this may actually be a leveldb-on-osx problem 17:39 < warren> does any other software use leveldb on osx? 17:39 < gavinandresen> I haven't seen "OSX sucks for running a database server", either, which makes me suspet the issue is leveldb specific 17:40 < gavinandresen> Chrome uses leveldb on OSX, but with a very different usage pattern and I think they don't use the same os-specific code we're using 17:40 < sipa> indeed 17:40 < sipa> chrome has its own environment layer 17:41 < warren> I have a hunch, but I need to be able to reproduce the corruption to confirm it... 17:42 < gavinandresen> sipa: could we mitigate the problem by truncating the leveldb MANIFEST file up to a known-good point? Or would that screw up the integrity of the UTXO set.... 
17:42 < sipa> gavinandresen: my guess it it's something with interaction between mmap'ed files and writing, or some synchronization barriers 17:43 < sipa> i doubt we trying to "fix" it outside of leveldb is the right way 17:43 < gavinandresen> sipa: I agree, not the right way, but if it prevents "re-download-the-entire-blockchain" 50% of the time it might be worth dong. 17:45 < warren> making the problem happen less often will increase the chance of never fixing it 17:47 < sipa> i hope you're not downloading the entire blockchain every time, but just use -reindex 17:47 < sipa> anyway, truncating the manifest will just reset you to a former state, right? 17:47 < warren> sipa: some mac users are reporting that -reindex doesn't fix their mac problem. it's difficult to confirm ecause these people don't respond to follow up questions. 14:54 < adam3us> amiller: yeah; only justification i can see really 14:56 < amiller> i think incentive-compati-bullshit should trump honest-reorg friendliness, but who's to say :p 14:57 < gmaxwell> amiller: because even without dishonesty on the part of the transacting parties locking in the other direction can screw people. 14:57 < gmaxwell> amiller: they should be, they're not the same as non-fresh coins. 14:58 < adam3us> amiller: well someone (satoshi, someone else) must've put 100 confirms on coinbase tx for some rationale, maybe its even mentioned in the code 14:58 < gmaxwell> They have an additional risk. If the chain reorgs to far they are forever gone no matter how much people wish it were otherwise. 14:59 < gmaxwell> vs if the chain reorgs that far they merely _could_ be forever gone, in the presence of an attack involving a grandparent transaction. 
15:01 < adam3us> gmaxwell: this is true, but if chain reorgs much > 6 occurred with any frequency someone may try repeatedly double spending (simultaneously to about 50% of hash rate) sooner or later he'll get lucky 15:01 < amiller> past a small distance, the difference of freshness is a negligible matter 15:01 < amiller> if you're really concerned about forks that far back, then you shouldn't consider fungibility anyway 15:01 < gmaxwell> adam3us: Right, but the criteria of "there must be an attack at all" is a major one. 15:02 < gmaxwell> adam3us: I agree, debate can be had what the small difference was. 15:02 < amiller> i guess you're saying that a major fork is more likely to occur due to honest things that will largely preserve transactions rather than a fork that introduces some magnificent double spend in the past 15:02 < adam3us> gmaxwell: say once per month average this happened (i imagine its never happened ignoring the db bug) people would do it as it would pay off 15:04 < adam3us> gmaxwell: (because double spending to something fungible can have nearly zero cost either you pay yourself (and say oops and pay again) or you pay the seller; sell it back and repeat) 15:05 < gmaxwell> Satoshi picked 100 blocks. I like that figure, you may not. it's hard to argue for any specific value. 15:07 < adam3us> gmaxwell: yes, anyway its nice and conservative and not causing a problem; i do find the script language limitations require extra interlocked transactions, to avoid abort/extort attacks etc but i also appreciate that changing script is very what-if and would have to be very carefully validated for implications 15:08 < gmaxwell> 100 blocks fits well in the timescale of large scale (national level) internet partitionings we've had in the past 15 years. 
15:08 < adam3us> gmaxwell: eg opentransactions allows eg javascript or other script langs, ripple draft script lang is not very constrained (to the point of probably security risk) 15:09 < adam3us> gmaxwell: eg imagine halting problem in jscript, or vm escape - all hell could break loose 15:09 < gmaxwell> yea, plus its at the center of a consensus protocol... all implementaitons must agree. 15:09 < gmaxwell> (in bitcoin) 15:09 < gmaxwell> Javascript!@#! 15:09 < gmaxwell> :P 15:10 < adam3us> gmaxwell: (even apart from the cryptographic security of the script language - its hard to prove that the script language changes do not introduce crypto attacks) 15:10 < gmaxwell> OP_RETURN 15:10 < gmaxwell> (facepalm) 15:11 < adam3us> gmaxwell: didnt get the return ref 15:11 < adam3us> gmaxwell: like anyone can cash? sure you can write dumb scripts, but more the worry is the script lang itself introduces a risk for other peoples payents 15:11 < gmaxwell> adam3us: in the original bitcoin source code you could push 1 then OP_RETURN in a _ScriptSig_ and spend any coin you wanted without it ever executing the ScriptPubkey. 15:11 < adam3us> gmaxwell: oh ha ha ha :) 15:12 < adam3us> gmaxwell: thats like being able to write your own script, and then satisfying it tautalogically 15:12 < gmaxwell> this was fixed by turning OP_RETURN into a RETURN(FALSE) effectively. :) 15:13 < adam3us> gmaxwell: well wait shouldnt the satisfying inputs be constants not script keywords generically? 15:13 < gmaxwell> (which was a safe but somewhat kludgey fix... ideally it would have just been prohibited in scriptsigs or.. that) 15:14 < gmaxwell> adam3us: there are slightly useful things you can do with scripts in scriptsigs to make txn slightly smaller, but not worth the problems it creates. 15:15 < gmaxwell> e.g. instead of PUSH_Hash(1) you could PUSH_1 OP_HASH... 
15:15 < adam3us> gmaxwell: that seems like a robust fix now i need to go see if i can confuse someone else's script with more script code in front of it (excluding return) is that generically safe even? 15:15 < amiller> it doesn't matter whether 100 blocks is a good value, any number of blocks is bad if you buy my argument about incentive compatibiltiy and stray transactions 15:15 < amiller> i think the question should be whether or not incentive compatibility is a first-class design goal and if so how to cope with it and what to trade off for it 15:16 < maaku> amiller: is that even a question? why would you not want incentive compatability? 15:16 < adam3us> amiller: well i reckon in an ideal world you should be incentive immune - you participate all day long with the devil himself 15:17 < adam3us> amiller: you only fall back to incentive when you cant cryptographically enforce 15:17 < amiller> maaku, i wrote an argument why the coinbase maturity actually leads to an incentive compatibility glitch 15:17 < gmaxwell> amiller: Transaction independance from the consensus mechnism is a first order design goal of bitcoin. 15:18 < gmaxwell> (in one direction) 15:18 < midnightmagic> incentives are the reason why when people see bitcoin's floodfill and declare it useless because it's O(mn) they're missing the point 15:18 < amiller> maaku, https://gist.github.com/amiller/cf9af3fbc23a629d3084 15:19 < adam3us> amiller: eg re enforcement up to 99% hostile network with committed transactions thats fun, that the best the attacker can do is random DoS that costs him money, its like a DoS counter measure where the victim can cost the culprit a massive multiplier 15:20 < amiller> i don't understand 15:20 < maaku> amiller: but we can't really change that rule, except by adding it to the someday, maybe hard-fork wishlist... 15:20 < gmaxwell> amiller: I think any argument for incentive-compatible at least for short-term-self-interested is pretty insanely hard to achieve. 
15:20 < adam3us> amiller: about commited tx? or ther thread 15:21 < gmaxwell> amiller: e.g. incentive arguments fail to things like miners can just perform a double spend attack of far greater value for the subsidty, enough to pay off a bunch of miners. 15:23 < midnightmagic> amiller: hah, great gist. :) i love it 15:24 < amiller> i think that's fine for my model of attacker 15:25 < amiller> which is a) it's an individual's decision how long to wait, which depends in part on how long *other* individuals wait 15:25 < amiller> b) any attacker that makes a profit has to target some maximum length of attack, so it doesn't harm eventual consensus 15:25 < amiller> thanks midnightmagic :) 16:11 < BlueMatt> gmaxwell: though I agree it is unlikely that analysis is correct and any miners are delaying blocks, does anyone actually have monitoring in place that would tell them if they were? 16:11 < gmaxwell> BlueMatt: I watch for orphans. 16:12 < gmaxwell> I assume other people do to. 16:12 < gmaxwell> (I also get a phone call for reorgs >2 blocks, though that hasn't fired for a while, I ought to set up some test so I know if it stops working) 16:13 < BlueMatt> hmm, fair enough 16:13 < sipa> how often does >2 happen? 16:15 < gmaxwell> sipa: basically never (but not never) 16:16 < gmaxwell> looking at my logs, I see a reorg of 2 once in the last three months. 16:16 < gmaxwell> I don't have logs going back to the last time I saw 3. 16:16 < gmaxwell> but that was the point. At 3 I can reasonably drop whatever I'm doing and go worry about bitcoin... it should be rare enough that its not a terrible disruption. 16:18 < phantomcircuit> gmaxwell, that file is the blocks folder 16:20 < ielo> oh hi there 16:24 < phantomcircuit> nope actually it's an entire .bitcoin folder 16:24 < phantomcircuit> that's bad 16:29 < gmaxwell> phantomcircuit: with wallet too? 
:P 16:33 < phantomcircuit> sadly no 16:42 < amiller> justaskingplz is the only person working on a bitcoin p2p and mining simulator 16:42 < justaskingplz> hi 16:44 < sipa> cool 16:48 < ebfull> so this is where the cool kids hang out 16:48 < amiller> http://ebfull.github.io/ this is a selfish mining simulation 16:48 < ebfull> a very naive one 16:49 < ebfull> it does appear to work though, shows a sybil+selfish attack together will significantly increase revenue under this topology 16:49 < ebfull> for certain percentages 16:49 < ebfull> of network hashrate 16:53 < adam3us> ebfull: does it take into account that the non-selfish winner will not be convinced by the raced announce? (and that 80% of the network is pooled, in pool sizes of 30%, 20%, 15%, 7% etc stats from blockchain.info)? 16:54 < adam3us> ebfull: i hacked up a simultator few dys ago but was unsatisfied with its in ability to model latency (i did start coding the above though) 16:55 < ebfull> it doesn't take into account pools and other large miners, but it can if i change the way nodes are created 16:55 < adam3us> ebfull: also do you have correct parameters to create the approximate correct ratio of accidental orphans 16:55 < ebfull> originally it did 16:55 < ebfull> i adjusted the natural orphan rate to mimic bitcoin's 16:55 < ebfull> everything else is completely different, latency between nodes etc. 16:56 < ebfull> arbitrary that is 16:56 < ebfull> i can adjust the orphan rate, if i make it higher the attacker will get a better lead and earn more revenue 16:56 < ebfull> (as you'd expect) 13:56 < petertodd> Yeah, for for domain names, a perpetual auction may be acceptable, or an auction that goes into effect every n blocks. 13:56 < petertodd> I doubt people would like that domain name system, but it's an option... 13:57 < petertodd> For PGP->email CA's, full email addresses don't get reused all that often really. 14:02 < petertodd> Oh, mind, for a PGP CA, you do need to handle key updates. 
So immutable still isn't great.
14:03 < jgarzik> yeah
14:04 < jgarzik> Trying to think through balancing the value of immutable (cannot be attacked via change) versus the real world need to expire master keys
14:04 < jgarzik> If there is a lesson to be learned from security in the past 10 years, it's that keys (and the passphrases protecting them) are inevitably vulnerable via human/human attacks like social engineering, poor passwords, ...
14:04 < petertodd> Well, the mutability rule can be just "there must exist an unbroken chain of keys signing keys"
14:05 < jgarzik> humans suck at password and key management
14:05 < jgarzik> agree
14:05 < petertodd> Proof size should be reasonable in the real world.
14:06 < petertodd> One issue here, is what's the equivalent of a UTXO proof? Maybe a merkle mountain range of every value ever associated with a given key?
14:08 < jgarzik> heh, merkle mountain range
14:08 < petertodd> The merkle-mountain range is prunable, and the incentive to get it right is that others will see you screwed it up, and won't build upon your sacrifices.
14:08 < petertodd> jgarzik: do you know the explanation for the name?
14:08 < jgarzik> no, but I can guess
14:08 < amiller> in the most general setting it's called a verification object (VO)
14:08 < jgarzik> tree of trees?
14:09 < petertodd> jgarzik: https://github.com/opentimestamps/opentimestamps-server/blob/master/doc/merkle-mountain-range.md
14:09 < petertodd> Pretty similar to a merkle-skip-list, but it has an unusually simple visual image to explain it.
14:10 < petertodd> ...and my dad thought the name was hilarious.
14:12 < jgarzik> hmmmm. Can the identity chain be purely PoS-based, ditching PoW completely? Not sure.
14:12 < jgarzik> PoS ties you to the bitcoin chain, but loosely
14:13 < petertodd> Well, PoS does always make it possible for a wealthy attacker to attack your chain, but on the other hand, that's really true of PoW too.
14:13 < petertodd> At least PoW makes figuring out how much money they'll have to spend really easy.
14:14 < petertodd> The real problem is what's the incentive to pay enough for the PoS chain, other than "shit, an attacker attacked us, let's go outspend them and put the chain back!"
14:14 < jgarzik> yeah
14:15 * sipa somehow always reads PoS as 'piece of shit', instead of the (slightly) more common interpretations in the Bitcoin world (including point of sale)
14:15 < jgarzik> PoSa
14:15 < jgarzik> distinguishes between proof of stake and proof of sacrifice
14:15 < petertodd> For low interest chains, your PoS for a block would converge to the fees required to get the root bit of data into the bitcoin blockchain.
14:15 < jgarzik> and point of sale
14:16 < jgarzik> petertodd, true
14:16 < sipa> PrOSt, PrOSa, PoOS
14:16 < petertodd> we should call proof-of-stake PoT in reference to what the creators of proof-of-stake systems usually seem to be smoking
14:16 < jgarzik> hah
14:17 < petertodd> also, keep in mind that not unlike Bitcoin, with any k-v system where updates are signed, the attacker has to rewrite the whole chain all the way back to the initial insertion
14:18 < petertodd> and there's nothing stopping you from using manual checkpoints, as ugly as that is
14:18 < jgarzik> most chains bootstrap into existence using this ugly solution
14:18 < jgarzik> including bitcoin ;p
14:18 < petertodd> indeed
14:20 < petertodd> also with signatures on updates, the chain *can* be a dag structure, with conflict resolution being done via highest total PoS
14:20 < petertodd> it's totally ok to "mine" a block with some secret k/v setting, and reveal it much later provided that there aren't conflicts
14:22 < petertodd> re: namespaces, note how the tradeoffs are kinda weird here, bigger blocks are definitely better up to the decentralization limit, because they allow as many parties as possible to share one PoS
14:22 < jgarzik> nod.
Some k-v will definitely be private, to be revealed only to chosen parties
14:23 < jgarzik> e.g. you might not publish your real name and government attestation, but you would give permission to give out that info to certain parties.
14:24 < jgarzik> Get to a point where you, A, reveal info to party B. party B keeps that info private, but publicly attests to fact F
14:24 < jgarzik> then another party C can see F from B
14:24 < petertodd> yup, and it works at both the value level, and the block level
14:27 < petertodd> brb
14:27 < jgarzik> In the KYC context, you can remain private, but have a trusted firm digitally attest to your lack of criminality: Alice receives a signature from Identity Checking Inc., after undergoing full identity exam including rectal check. Alice only needs the sig, to prove she went through KYC.
14:28 < jgarzik> The KYC check is as valuable (or useless) as Identity Checking Inc.'s services and reputation, and private details need never be revealed.
14:28 < jgarzik> This certainly exists today but in a centralized fashion, with massive redundancy (everybody checks government ID etc., everybody runs background checks, etc.)
14:48 < petertodd> The debugging tools for analog electronics have such terrible UIs...
14:49 < petertodd> Hmm... so with KYC though, exactly how does the k-v consensus actually help us?
14:49 < petertodd> There's no zooko's triangle involved, well, there is, but you have trusted Identity Checking Inc.
14:54 < jgarzik> petertodd, That's all an attestation really is: Bob trusts Identity Checking Inc.'s attestation of Alice (or not).
14:57 < jgarzik> petertodd, in theory you don't strictly _need_ a unified view of this global database; it's more for convenience. Two parties just need sufficient amounts of data from each other, just like PGP WoT today.
The idea with decentralized identity is to generalize that and make it easier (+ attaching a cost)
14:57 < jgarzik> a chain would be very helpful in solving several problems though
14:57 < petertodd> Exactly, this whole system is rather complex... although it'd be useful for so much stuff.
14:58 < petertodd> A chain is required to be sure you have a recent copy of, say, revocation certs.
14:58 < jgarzik> yes
14:58 < petertodd> Not unlike the fidelity-bonded-banks problem actually...
15:01 < petertodd> Here's another thought: what we've created here is more general than a k-v store, it's basically a general purpose PoS-mined alt-chain system.
15:02 < petertodd> However, the problem is the PoS algorithm I've described isn't all that useful for alt-chains representing monetary value.
15:04 < jgarzik> as discussed, data chains are quite useful for several things
15:04 < petertodd> Yeah, see, what I'm curious about is are there cases where they are useful for "transactional" data, i.e. not the k-v model?
15:05 < petertodd> (although, I guess you could say a transaction *is* a k-v pair with a height)
15:05 < petertodd> (and k=H(v))
15:05 < jgarzik> either way, with zero trust you gotta prove history from genesis to present, transactional or not
15:05 < petertodd> yup, at best you namespace it
15:06 < petertodd> ok, so with a merkle mountain range k-v history proof for every k-v pair, you don't actually need to validate anything *about* the k-v pairs, you are just proving that they existed
15:07 < petertodd> so that the "SPV" client equivalent can know if they've seen full history since the genesis block
15:07 < petertodd> *maybe* add a really general purpose signature for subsequent updates mechanism, where the pubkey is uncensorable
15:08 < petertodd> for any given k, first occurrence is that k's "genesis block" so to speak, and subsequent are validated by the sigs
15:08 < petertodd> no sig == junk, and not in the mmrange k-v history
15:09 < jgarzik> hmmmmm
15:09 < petertodd> (add in expiry etc. as required to keep proof size reasonable)
15:10 < petertodd> Oh, actually... so the signature just has to sign the mmrange of the key!
15:12 < petertodd> So you can prune everything but the first occurrence... still need to figure out expiry though, because after the fact it looks like the key never existed if pruning is used... maybe some kind of interval thing.
15:13 < petertodd> Bigger issue: what exactly are the incentives for doing k-v history proofs anyway? How do full-nodes and SPV nodes interrelate? why would you run a full-node anyway?
15:13 < petertodd> If there aren't any notion of SPV, the whole thing becomes way easier.
15:13 < petertodd> s/aren't/isn't/
15:15 < petertodd> semi-related: amiller's concept that losing PoS markers contributes to total PoS doesn't work, because how exactly do you decide who lost?
15:16 < jgarzik> Indeed.
The incentives for running a node are possibly lower, residing mainly at identity attestation firms, auction market providers, and other businesses that need identity
15:16 < jgarzik> *possibly lower for the average user, I mean
15:17 < petertodd> also, PoS sum should somehow take block size into account, so if my data is large I lose out to a small block with the same sacrifice amount
15:17 < jgarzik> agreed
15:17 < petertodd> Yeah, like Bitcoin, if running nodes is cheap, people will do it anyway, but resources are limited and demand is infinite.
15:17 < jgarzik> provides incentive for efficiency
15:19 < petertodd> value/size is probably fine... but just like Bitcoin, consensus and decentralization demand limits on size
15:21 < jgarzik> As soon as v0.1 of this identity system exists, people will complain that it does not immediately support all ~7 billion people on Earth
12:46 < jgarzik> Troll patches are famously employed by Linus Torvalds' #2 in Linux, Andrew Morton. A mild-mannered, Gavin-like guy for the most part. But if an issue is sticking, he'll post a patch that solves the issue in an ugly way, "encouraging" people to do a better job than he.
12:47 < sipa> haha
12:47 < jgarzik> (it works because he merges tons of patches, has plenty of merge power)
12:47 < jgarzik> ultimately all changes are pulled by Linus, so no ACK/NAK consensus system in Linux. It's either pulled by Linus, or not.
12:48 < petertodd> jgarzik: potentially bad incentives there re: busses
12:48 < petertodd> 12:47 < jgarzik> ultimately all changes are pulled by Linus, so no ACK/NAK consensus system in Linux. It's either
12:48 * sipa wonders what a 'SYN' comment on a patch would mean
12:48 < BlueMatt> wait...we have a consensus system?
12:48 < petertodd> jgarzik: though I suspect Linux isn't *quite* as political as Bitcoin...
12:48 < BlueMatt> hah
12:48 < jgarzik> petertodd, You would be surprised!
12:48 < petertodd> sipa: It means the patch is ECN capable.
12:48 < jgarzik> petertodd, billion-dollar companies competing for your attention, where a patch merged might greatly benefit one business over another
12:49 < petertodd> jgarzik: I hear DRM has been an exception...
12:49 < jgarzik> petertodd, here in bitcoin, we "merely" have a handful of million dollar startups
12:49 < petertodd> jgarzik: True, lots of sunk engineering costs that managers don't want to change.
12:49 < sipa> BlueMatt: yes, it is "make someone with merge rights feel comfortable enough he won't be drowned in alpaca piss by the other devs for merging something"
12:50 < jgarzik> pretty much
12:50 < BlueMatt> sipa: ok....I /guess/ that counts
12:50 < jgarzik> RE DRM never a real problem for Linux. Being open source, it's kinda pointless to create software that locks down data
12:50 < petertodd> jgarzik: So how often does a proposed patch lead to a 3 minute animated video done by some guy with an arts degree? :P
12:50 < jgarzik> The DRM problems were always with hardware gadgets, that need upper level Linux drivers
12:51 < petertodd> jgarzik: Well, I could see more remote attestation stuff being practical, if antithetical to open source.
12:51 < jgarzik> never with Linux kernel itself _serving_ / providing DRM protection
12:51 < jgarzik> petertodd, with a benevolent dictator, crowd pressure is less effective
12:52 < jgarzik> petertodd, that's sorta where the linux/bitcoin analogy breaks down
12:52 < petertodd> jgarzik: indeed, and Linux is not a global consensus system. Bitcoin isn't just a piece of software.
12:52 < sipa> so we need a benevolent dictator!
12:52 < sipa> yay decentralization!
12:52 < petertodd> sipa: sounds like an AI problem...
12:53 < jgarzik> we need The Daemon
12:53 < sipa> i propose a blockchain mechanism to achieve consensus about what decisions to take wrt project management
12:53 < petertodd> sipa: <shudder>
12:53 < sipa> perhaps a controversial opinion, but i'm not convinced that is necessarily contradictory
12:54 < sipa> i like to see bitcoin more as an experiment in building a decentralized system, rather than a (fully) decentralized system itself
12:54 < petertodd> The problem is any pure blockchain mechanism is really a miner vote.
12:54 < sipa> (of course, that part was a joke)
12:55 < petertodd> sipa: Reminds me, for keepbitcoinfree I've already proposed a -talk email list with whitelisting done by fidelity bonds.
12:55 < petertodd> sipa: good, but best that people reading IRC logs understand the problem
12:57 < petertodd> You see, the fidelity bonds thing sounds good, but the real advantage is you implement it with PGP, which means people are forced to use PGP to post, which inherently filters out so many crazies...
12:58 < sipa> it also filters out so many
12:58 < jgarzik> indeed :/
12:58 < petertodd> Yeah, it's a trade-off.
12:58 < sipa> (though the filtering percentage for crazies is likely higher)
12:58 < jgarzik> PGP key signing is geek wanking :)
12:58 < petertodd> jdillon and I are the only guys who regularly use PGP on the -dev email list.
12:58 < jgarzik> (though that means admitting I'm a wanker?)
12:59 < petertodd> jgarzik: but it feels so good!
12:59 < jgarzik> A real life fingerprint (mannerisms, coding style, coding smarts) is always more useful, more natural than PGP WoT
12:59 * sipa wonders if anyone will sign his keys based on his presentation slides
12:59 * jgarzik wonders if anybody validates the PGP signatures on bitcoin downloads
13:00 * sipa also wonders whether he should trust such a person to do good identity verification
13:00 < petertodd> jgarzik: Yes, but using PGP lets you establish a link to that history of mannerisms and coding style.
13:00 < jgarzik> or if anybody checked my PGP sig, in my exmulti->bitpay PGP signed message to the -development ML
13:00 < sipa> jgarzik: i haven't
13:00 < petertodd> jgarzik: See, I would have, had I had a reason to trust your first PGP key... (other than the fact I timestamped it months ago)
13:01 < jgarzik> hehehe
13:01 * jgarzik needs to backup the BitPay keyring, speaking of
13:02 < petertodd> sipa: you haven't even signed my key, and I gave it to you personally :P
13:02 < petertodd> jgarzik: you're not using a hardware key?
13:03 < jgarzik> I like the idea (Adam's?) of having little pull-off paper strips, with the pgp fingerprint on it
13:03 < jgarzik> petertodd, hah, no
13:03 < sipa> petertodd: i haven't had access to my private key yet
13:03 < jgarzik> petertodd, my PGP usage merely gains me entrance into the technological priesthood
13:03 < sipa> petertodd: but i can't actually remember verifying your identity :)
13:04 < jgarzik> other than that it's a circle jerk ;p
13:04 < petertodd> jgarzik: I've got two types of hardware PGP keys, but in all honesty, gnupg smartcard support is a buggy pain in the ass.
13:04 < jgarzik> gnupg is a PITA
13:04 < petertodd> sipa: Do you think I'm Peter the crazy off-chain guy? Or was I too sane in person?
13:04 < sipa> petertodd: pretty sure you're the same guy, but what i think isn't relevant
13:04 < jgarzik> where is the easy-to-use PGP library? Every single program that wants to use PGP must exec(2), it seems
13:04 < jgarzik> that's part of the problem
13:05 < sipa> jgarzik: you know why, right?
13:05 < petertodd> sipa: heh, see, I disagree with the government-issue ID business in that respect
13:05 < jgarzik> ditto Tor. no "link this lib", but "run this proxy"
13:05 < jgarzik> sipa, there is an official reason?
13:05 < sipa> jgarzik: yes, mlock
13:05 < jgarzik> besides "RMS blessed this code" or NIH?
13:05 < petertodd> jgarzik: yes, all total BS. The python gpgme library is particularly embarrassing.
13:05 < sipa> jgarzik: they mlock the entire process, because anything else isn't guaranteed afaik
13:06 < jgarzik> sipa, understandable but mostly pointless IMO
13:06 < petertodd> sipa: yes, but that could be done far more sanely with fork followed by brk to reduce the memory footprint, and some pipes
13:07 < sipa> there are libraries that do that
13:07 < petertodd> sipa: instead you get libraries that literally run the gpg exec, and do crazy text grabbing
13:07 < petertodd> sipa: oh good, hopefully I just missed the saner ones, although last I needed it I was only looking at Python stuff
13:08 < jgarzik> yeah, it's awful
13:08 < sipa> petertodd: anyway, about identity checking: yes and no: imho, gpg identities should list (perhaps just in the form of a free-form text field) what authority the identity claims to provide the identity (not sure about terminology)
13:08 < petertodd> and it just gets worse if you try to integrate with a PGP hardware thingy (I briefly looked into it for timestamping, and gave up screaming)
13:09 < petertodd> sipa: Indeed. Where authority can be "Internet Reputation"
13:09 < sipa> petertodd: for example, i could have an identity that says "Bitcoin developer 'sipa'", without claiming anything about my real name
13:09 < petertodd> sipa: Heck, I signed jdillon's PGP key solely on the basis that I was one of the first people to talk to him in Bitcoin. (AFAIK)
13:09 * petertodd needs a keysigning policy, no wait, a life...
13:10 < sipa> or, the other extreme, i could have an identity that claims to correspond to the Belgian citizen registry entry named "Pieter A. S. Wuille"
13:11 < sipa> so you also know what to ask for to verify an identity
13:11 < petertodd> There's on-and-off discussion in gnupg-devel and openpgp mailing lists about that stuff actually - seems semi-consensus is it's just too complex for people to understand.
13:12 < sipa> it probably is
13:12 < jgarzik> That's what I want to do with a decentralized identity system.
Take a UUID and a database, and attach various signatures (your own, PGP, ECDSA, etc.) and various endorsements (signatures from third parties, be it personal ("sipa is a great guy") or identity-based ("sipa == Pieter Wuille, national ID number 1234-5678") or reputation-based ("sipa is a 5-star trader on MyEbayClone"))
13:12 < jgarzik> Just need a protocol/data definition, and your decentralized identity can be as private or public as you like.
13:13 < sipa> but the problem is, many of the people who signed my GPG key (most were at a FOSDEM keysigning party with 100-200 people), did check my identity based on government-issued paper (and i'm sure they wouldn't have if i couldn't provide such paper)
13:13 < sipa> so they likely expect me to do the same sort of checking when signing other keys
13:13 < petertodd> sipa: indeed, I don't want to be mean, but jgarzik here is an excellent example: having a separate signing key in addition to your master signing key is a good thing, because it lets you limit the damage from a compromise. But seriously, understanding that crap is just not worth it.
13:14 < sipa> well, nobody understands GPG in the first place :p
22:16 <@gmaxwell> I assume plaintext is fine, since that's what the old blockexplorer api was.
22:17 < andytoshi> https://www.wpsoftware.net/coinjoin/status.php
22:18 < andytoshi> when there is a transaction in there, it is pretty verbose..
22:18 < andytoshi> echo 'The current session is open for ', Session::time_to_switch(), ' more minutes. There ',
22:18 < andytoshi> 'are currently ', Bitcoin::unsigned_tx_count(), ' transactions in the pot. The most ',
22:18 < andytoshi> 'popular output value is ', Bitcoin::most_popular_output(), '.';
22:19 <@gmaxwell> does the way it works now have a session 'close' and open for signing? e.g. is there also a need for a status.php?id=deadbeef to find out if a past session is still in need of signatures?
22:19 < andytoshi> yeah, there is a flag in the database which sets the "active" session
22:20 < andytoshi> one moment..
22:21 <@gmaxwell> (might be useful in harassing people to finish signing in an IRC join)
22:25 < andytoshi> see eg https://www.wpsoftware.net/coinjoin/status.php?session=fd1d19c88eaa675d7151a625bcb911e05d8b58e35faf51a974ba73c565ba6a63
22:26 <@gmaxwell> andytoshi: maybe a lark you'll think is stupid. But I think it should display a "round name" from the session ID, which is converted to english using a spookwords list (e.g. http://attrition.org/misc/keywords.html ) so it tells you that "session fissionable Indigo speedbump is live in three signatures."
22:27 <@gmaxwell> I have no idea where a good name generator is though, the link there was a random google result.
22:27 < andytoshi> :P i think that'd be awesome
22:27 < andytoshi> i'll look into it
22:27 < Luke-Jr> Is there a reason alex_fun hasn't had at least a kick or warning in #bitcoin-dev yet? He seems to intentionally flaunt being off-topic :/
22:28 < andytoshi> my brainwallet uses six random words from Great Expectations, and they always come out as stories
22:28 < andytoshi> in fact, i never use it as a brainwallet, just for making passwords
22:28 <@gmaxwell> Luke-Jr: I prodded him in PM which prompted
22:28 <@gmaxwell> 19:07 < alex_fun> guys and girls whatever really , u feel rigid its u choise
22:28 < andytoshi> nanotube: the source for status.php is here: http://pastebin.com/ra8NTFxA
22:29 < andytoshi> nanotube: i'm happy to change the formatting however you see fit
22:30 <@gmaxwell> andytoshi: there doesn't seem to be any good "topsecret codeword" generators though there are lots of lists of suitable words.
22:33 < maaku> CodeShark: the joiner I'm working on is 100% p2p
22:33 < maaku> but it's not something I'm spending a lot of time working on ...
22:34 <@gmaxwell> I think of andy's thing as something fun that people can use right now.
It's obviously not what we need long term, and (at least right now) doesn't really overlap or compete with better ways of doing it.
22:35 < andytoshi> to Luke-Jr's point, alex_fun has been around for many months (years?)
22:35 < andytoshi> i thought luke was yelling at ghosts, and it turned out that there was in fact some alex_fun in my /ignore list, which i'd put there so long ago i'd forgotten
22:36 < maaku> yeah he's a troll that's been around a while
22:36 <@gmaxwell> I think he's just another yibbering idiot.
22:36 < maaku> gmaxwell: i don't mean to imply anything negative. CodeShark just asked earlier if anyone is working on a server-less joiner
22:36 <@gmaxwell> ah!
22:38 < andytoshi> maaku, gmaxwell: i agree with gmaxwell's opinion of my joiner, i'm glad it's usable but it's mostly a way for me to learn rust
22:46 < maaku> it's good work andytoshi, and better to have something working than the perfect unimplemented whiteboard design
22:46 < maaku> my weakness is that I spend too much time on the latter (see: freimarkets)
23:23 < nanotube> ;;alias add cjs web fetch https://www.wpsoftware.net/coinjoin/status.php
23:23 < gribble> The operation succeeded.
23:23 < nanotube> ;;cjs
23:23 < gribble> Error: This url is not on the whitelist.
23:23 < nanotube> >_>
23:23 < nanotube> just a sec lol
23:23 < Luke-Jr> lol
23:24 < nanotube> ;;cjs
23:24 < gribble> There is no currently open session.
23:24 < nanotube> there :P
23:24 < nanotube> ;;alias add coinjoinstatus cjs
23:24 < gribble> The operation succeeded.
23:24 < nanotube> for those who prefer a more verbose command. :)
23:24 <@gmaxwell> nanotube: hurrah
23:25 < andytoshi> nanotube: can we make ;;cjs fd1d19c88eaa675d7151a625bcb911e05d8b58e35faf51a974ba73c565ba6a63 go to status.php?session=fd1d19c88eaa675d7151a625bcb911e05d8b58e35faf51a974ba73c565ba6a63
23:25 < andytoshi> ?
23:26 < andytoshi> also, thanks! :)
23:26 < nanotube> yes, technically speaking. :) question is, if session id is blank, will it still work?
23:26 < nanotube> ;; web fetch https://www.wpsoftware.net/coinjoin/status.php?session=
23:26 < gribble> There is no such session.
23:26 < andytoshi> nope, one moment..
23:26 < nanotube> ;; web fetch https://www.wpsoftware.net/coinjoin/status.php?session=fd1d19c88eaa675d7151a625bcb911e05d8b58e35faf51a974ba73c565ba6a63
23:26 < gribble> This session is complete. The submitted transaction ID was 33854f625c90e3287eae951103489a2449f91bfe039aa4d4c810bd66450edbf1.
23:27 < andytoshi> ;; web fetch https://www.wpsoftware.net/coinjoin/status.php?session=
23:27 < gribble> There is no currently open session.
23:27 < andytoshi> there we go
23:27 < nanotube> nice. :) i could do it either way, but it would be more trivially easy if empty sessionid defaulted to general query.
23:28 < andytoshi> yeah, this is probably the better behavior for when users put a blank session= anyway
23:28 <@gmaxwell> ;;cjs Halcon Capricorn
23:28 < gribble> Coinjoin Status: There is no such session.
23:28 <@gmaxwell> aww
23:28 < andytoshi> i've got a python script which converts to codewords, but not the other direction
23:29 < nanotube> ;;cjs fd1d19c88eaa675d7151a625bcb911e05d8b58e35faf51a974ba73c565ba6a63
23:29 < gribble> Coinjoin Status: This session is complete. The submitted transaction ID was 33854f625c90e3287eae951103489a2449f91bfe039aa4d4c810bd66450edbf1.
23:29 < nanotube> ;;cjs
23:29 < gribble> Coinjoin Status: There is no currently open session.
23:29 < andytoshi> :D
23:29 < nanotube> there we go. :)
23:29 < nanotube> ;;help cjs
23:29 < gribble> (cjs <an alias, 0 arguments>) -- Alias for "echo Coinjoin Status: [web fetch https://www.wpsoftware.net/coinjoin/status.php?session=@1]".
23:29 < nanotube> ;;cjs Halcon Capricorn
23:29 < gribble> Coinjoin Status: There is no such session.
23:29 < nanotube> heh
23:30 < nanotube> ;;sl halcon capricorn
23:30 < gribble> http://www.youtube.com/watch?v=DITktReXJpI | 4 Dic 2011 ... Horoscopo Maya 2012 KosmosErika HALCON, para los nacidos del 7 de ...
CAPRICORN Horoscope for JANUARY 2014 - Karen Lustrupby
23:30 < nanotube> >_>
23:30 < andytoshi> right now this fd1d19 guy turns into "DIA sorot van 1071 JSOFC3IP Cornflower Electron PBX Ionosphere CSC EG&G MKNAOMI PBX Iris WWSP RSO MD5 USACIL JCE NSWC IACIS LEASAT Yukon GGL NAIA"
23:30 < andytoshi> so it should be a bit shorter :P
23:30 < nanotube> heh yea... but it is a pretty long string....
23:31 < andytoshi> so, the sessid is actually only 32 bits from /dev/urandom right now
23:31 < andytoshi> i just run it through sha256 :P
23:31 < andytoshi> it has lots of room to go shorter
23:31 < nanotube> ah good old sha2
23:34 <@gmaxwell> making the small big and the big small since 2001.
23:35 < andytoshi> ok, future sessions will use 8 bytes of randomness and output the first 16 chars of the hash
23:35 < andytoshi> that translates to 7-8 words, which looks good
23:35 < andytoshi> [username@titanic spookwords]$ ./main.py fd1d19c88eaa675d
23:35 < andytoshi> FID DDP Embassy Bluebird GEO Canine 1911
--- Log closed Mon Dec 23 00:00:19 2013
--- Log opened Mon Dec 23 00:00:19 2013
02:16 < andytoshi> ;;cjs fd1d19c88eaa675d7151a625bcb911e05d8b58e35faf51a974ba73c565ba6a63
02:16 < gribble> Coinjoin Status: Session Delta USAFA SAMU SIGS DCSS spook RRF LASINT CFC spookwords NSDM Uziel NRO PLO MSNBC JPL plutonium FINCEN JANET Fortezza ESN SATKA toffee eavesdropping fissionable : completed. The submitted transaction ID was 33854f625c90e3287eae951103489a2449f91bfe039aa4d4c810bd66450edbf1.
02:17 < andytoshi> ;;cjs Delta USAFA SAMU SIGS DCSS spook RRF LASINT CFC spookwords NSDM Uziel NRO PLO MSNBC JPL plutonium FINCEN JANET Fortezza ESN SATKA toffee eavesdropping fissionable
02:17 < gribble> Coinjoin Status: Session Delta USAFA SAMU SIGS DCSS spook RRF LASINT CFC spookwords NSDM Uziel NRO PLO MSNBC JPL plutonium FINCEN JANET Fortezza ESN SATKA toffee eavesdropping fissionable : completed. The submitted transaction ID was 33854f625c90e3287eae951103489a2449f91bfe039aa4d4c810bd66450edbf1.
03:14 <@gmaxwell> hahahah
03:16 <@gmaxwell> ;;cjs
03:16 < gribble> Coinjoin Status: There is no currently open session.
03:42 < maaku> why is JPL a scary word? :P
03:47 <@gmaxwell> maaku: the spookwords lists have a whole bunch of generic military-industrial-complex keywords. ... someone's idea of unusual words that in the early 90s might have triggered some government keyword filter, at least in the busy imagination of some cryptoanarchist.
03:48 <@gmaxwell> (and, well, probably in reality too at least for some of the words)
03:49 < CodeShark> gmaxwell: were you able to install boost_log? :)
03:49 <@gmaxwell> CodeShark: s'not yet. I figured I'd upgrade fedora and got as far as downloading it. :)
03:50 < CodeShark> well, in the worst of cases you can just ./b2 --with-log :)
03:52 < Emcy> what am i reading
07:50 < adam3us> petertodd, gmaxwell: sender derived address/code and stealth-addr write up on my older thread (still to locate bytecodes to link) feel free to correct https://bitcointalk.org/index.php?topic=317835.new#new
10:08 < petertodd> ;;cjs
10:08 < gribble> Coinjoin Status: There is no currently open session.
10:33 < andytoshi> petertodd, gmaxwell: if you throw a tx into the joiner it'll trigger a new session
13:21 < gmaxwell> helo: The payouts to the pool itself are generated, the payouts to the users would be instant spendable.
13:21 < maaku_> our current approach (for freimarkets, freicoin we screwed up) is to have the block height indicate the hard-fork transaction format
13:21 < gmaxwell> (I think doing coinbase payments in such a model would add a lot of complexity for not a ton of data)
13:21 < petertodd> gmaxwell: (U)TXO commitments should be structured such that multiple low-bandwidth parties can create a block co-operatively. Shouldn't be too hard to pull off in a trusted scenario, harder in untrusted.
(though could be fidelity bonded)
13:22 < maaku_> which is somewhat undesirable around the transition, although that is one-time and can be mitigated by creating new-format transactions early
13:22 < petertodd> maaku_: that's reasonable, although remember that you can do a nVersion voted hardfork too
13:27 < jtimon_> kind of off-topic, but now that you're talking about coinbase...nVersion=2 of joke I think I heard here
13:29 < jtimon_> The success of coinbase surprises me given that their transactions take 100 blocks to confirm. That latency surprises me even more given that they use mongoDB, whose writes are almost as fast as writes to /dev/null
13:31 < jtimon_> just a mix of jokes really
13:31 < petertodd> jtimon_: well, that was more funny than the comedian they hired for the san jose conference
13:31 < jtimon_> hehe
13:31 < jtimon_> I saw him a little bit, but yeah, not funny at all, I couldn't watch the whole video
13:31 < gmaxwell> jtimon_: I think it's because they have to send their transactions all the way to blockchain in the UK for processing.
13:32 < jtimon_> hehe
13:32 < petertodd> gmaxwell: these services need a little <hex> button that gives you the raw hex of your tx
13:35 < gmaxwell> petertodd: We got blockchain.info to add that. (well not a button but a ?format=hex on the transaction page)
13:35 < petertodd> gmaxwell: nice!
15:00 < orperelman> Jtimon & Peter, it's all about the PR and marketing, one of the reasons they are so successful, they are doing amazing PR work - gotta give them that
15:01 < orperelman> It amazes me to this day - there is almost no normal wallet out there today that I can recommend to new bitcoin users heh
15:45 < adam3us> gmaxwell: proof of (holding) bitcoin - (for bandwidth allocation in bitmessage etc) but with 100btc i can take 100 shares of bandwidth at no cost (if i was holding them anyway).
15:46 < adam3us> gmaxwell: "as of right now in git bitcoin allows data in OP_RETURN though given what people are saying I hope we back that out." don't object to backing out (say NO to block-chain spam!), but what are they saying? missing context
16:17 < adam3us> gmaxwell: ps still musing about how to do a subliminal channel free sig (motivated by such things). one thing wondering is the existing possibility to make a ECDSA key that can sig that is valid for two different msg hashes (by choosing public key at time one msg is known). thinking it might be enuf flexibility to do something
16:37 < gmaxwell> adam3us: there have been a number of articles about how bitcoin has been "upgraded" to enable "distributed storage" and such horrifying things like that.
16:40 < adam3us> gmaxwell: ah yes. it's a scary situation indeed. the flip side is there are then people who will stego encode them in multisigs if you don't, and create needless non-compactable TXOs and so on. Can't win :( well maybe... there's the subliminal channel plugging drive - could try how far you can get with that. eg all outputs are blinded somehow by the next mining event and unblinded by recipient or inputs blinded by spender and unblinded by mi
16:41 < gmaxwell> adam3us: that's why I didn't oppose it initially. Though the trade off of people thinking it is a good non-antisocial and supported application is concerning.
16:41 < gmaxwell> Esp what happens if abusive use arises and it must be turned back, but there is also non-abusive use?
16:41 < adam3us> gmaxwell: pegged side-chain, pegged side-chain, pegged side-chain
16:42 < gmaxwell> I mean there is a whole separate stupid altcoin "datacoin"
16:43 < adam3us> gmaxwell: seriously. if that can be bootstrapped there is no rational excuse for not using one. i mean maybe we'll need a pegged-side-chain-gen.io because of lameness but otherwise...
16:45 < adam3us> gmaxwell: yes it seems like the msg was interpreted badly as a big GREEN light, that people can do any random stuff like its an API, or I dunno "HTTP on top of TCP"
18:13 < gmaxwell> andytoshi: I wonder in a public CJ server if there would be a value in using a socialist millionaire protocol so that a prospective CJ player could query the available sessions to test for an output size match, without disclosing what size they're looking for (and without learning what any of the ongoing sizes is)
18:17 < andytoshi> gmaxwell: what would they learn in the case that a match exists?
18:18 < andytoshi> it seems like they could get a good idea of the sessions just by testing various output values to see if they can join
18:18 < gmaxwell> andytoshi: you can limit them by making them show you inputs they're interested in using as a rate limiter.
18:19 < andytoshi> ok, fair enough
18:20 < andytoshi> i'll put this on my list of "things to do when we have enough people for more than one session at once" :)
18:20 < gmaxwell> I mean ultimately what you can do is a multiparty computation where the server has a list of possible CJ's and the user has a set of inputs/outputs they're interested in and the MPC tells the user and the server which one they ought to be joining and no one learns anything beyond that... but thats getting into moon technology where socialist millionaire protocol is straightforward.
18:20 < andytoshi> well, if it's tractable moon technology then i'll look into using it one of these days ..
18:21 < andytoshi> i am being selfish and using other peoples' privacy desires for my own learning purposes
18:23 < andytoshi> if i can get my bitcoind back to life i'll have a coinjoin client written by sunday evening, then this week we'll see if i can spur some popularity
18:23 < gmaxwell> It's not intractable, but not a 1 hour hack either.
18:31 < gmaxwell> there may be a 'simple' way to implement it where the server and the client disclose a bunch of fake data about the candidate joins and inputs/outputs (including the real data), and then the server and the client compute which would go with which, and then you do a far simpler multiparty computation just to learn a single one of matchups which involve real transactions.
18:32 < gmaxwell> (lets you keep the coinjoin matching outside of the multiparty computation.. the multiparty computation would just be "take two bitstrings, return a random index which has a 1 in both bitstrings"
18:32 < gmaxwell> )
18:44 < maaku> gmaxwell: would there be a chance at analogous technology for the p2p case?
18:45 < maaku> for my architecture I'm still assuming a broadcast architecture for requesting potential joins
18:46 < maaku> which isn't as privacy enhancing as I would like...
18:48 < gmaxwell> maaku: nothing fundamentally prevents it, e.g. you could do multiparty computation with any number of parties. Though I think the complexity of hacks like I suggested to keep the mpc part maximally simple would not scale well.
19:21 < jgarzik> New torrent, http://gtf.org/garzik/bitcoin/bootstrap.dat.torrent
19:21 < gmaxwell> maaku: fwiw, you can do a very easy implementation of socialist millionaire using only blind signing.
19:23 < gmaxwell> maaku: you have a database you'd like me to check for matches it. You sign each entry and give me the signatures. I learn nothing useful from this. Then when I want to see if X is in the database, I blind X and ask you to sign it. You learn nothing about X. Then I unblind and can see if it was in your list.
19:34 < Emcy> jgarzik do you have the previous 2 or 3 bootstrap torrents you made anywhere?
19:34 < gmaxwell> maaku: though I think until someone works out what an 'optimal' CJ decision looks like, it's hard to reason about what it would take for some magical private process to generate them.
19:34 < Emcy> it occurs to me i can seed them all from the same file
19:39 < Emcy> well actually ive got 3, 4.5gb, 9gb and this new 13gb
19:39 < Emcy> i think thats all of them right
19:41 < maaku> gmaxwell: what do you mean by 'optimal coinjoin decision'?
19:56 < jgarzik> Emcy, sf.net/projects/bitcoin has current; above is current+1
19:58 < Emcy> huh?
19:58 < Emcy> thats the bitcoin client
19:58 < gmaxwell> maaku: I mean, say given a set of transactions, which participants will not gain any privacy under an assumption that the attacker understands coinjoins and are unraveling them based on the assumption that users_inputs==users_outputs?
22:18 < gmaxwell> oh. I think I just reduced the complexity of my trivial NIZK proof to O(N) without substantially increasing the complexity of it, though by adding a discrete log hardness assumption.
22:19 < gmaxwell> The point I'd made at the end is that you could remove the N^2 by using an xor-homomorphic commitment as that would allow you to just combine the gate key commitments directly.
22:23 < gmaxwell> But really the xor-homomorphic commitment only needs to be xor-homomorphic for a single bit, which means straight up additive homomorphism over any field should work. E.g. the commitment can be X*g in some EC group.
23:38 < gmaxwell> Oh, interesting. I can get a simpler CoinSwap protocol if prior to any transactions, one party proves to the other H(X),H(Y),X xor Y for some undisclosed X,Y in other words, having this proof in hand you know that if you know the preimage of H(X) then you also know the preimage of H(Y).
23:39 < gmaxwell> I think I can do a proof for H(X),H(Y),X^Y with sha256 under 40 megabytes now.
00:54 < amiller> because if you bind the new transactions after the reward it makes converging to a single block less likely
01:03 < amiller> so i need to have a commitment to some transactions before the work
01:04 < amiller> so that a winning proof of work can be counted as a vote for at most one block
01:04 < amiller> but!!!
01:05 < amiller> the whole stealable/non-outsourceable thing can work if revealing the transactions is optional
01:07 < amiller> agh i guess if one's bad for consensus then the other is too
01:07 < amiller> actually i think it doesn't matter in either case
01:08 < amiller> nevermind
01:09 < gmaxwell> MAGNETS!
01:11 < amiller> anyway tl;dr is that the current way proof-of-work is revealed poses an existential threat to bitcoin because it makes outsourcing effective which leads to decentralized
01:11 < amiller> (which starts with d and that rhymes with p and that stands for pool)
01:11 < amiller> lkasdjflkadjsf
01:12 < amiller> and the main fix is to make it so the proof-of-work is like a digital signature, it doesn't reveal the solution
01:13 < gmaxwell> I am not following. it's already like that. E.g. if I give you a block header you do not have a solved block.
01:14 < gmaxwell> obviously I can make you give me a solved block but likewise for a digital signature.
01:14 < amiller> no not like that
01:15 < amiller> in order to prevent the outsourcing bogeyman, you need to be able to claim the reward (get your block accepted) without revealing anything about the solution you found
01:15 < amiller> even if it's just the nonce and extranonce
01:15 < amiller> i can pick a random prefix of nonce/extranonce and use that as a watermark
01:16 < gmaxwell> right you want a signature of knowledge over a valid solution.
01:16 < gmaxwell> which is created posthoc but can't be rebound otherwise.
01:16 < amiller> right
01:17 < gmaxwell> "I have a valid block, and I am bob. Accept my might!"
01:17 < amiller> yeah!
01:17 < gmaxwell> this is also perhaps useful for anti-censorship.
01:19 < gmaxwell> (other miners could still demand other signatures of knowledge e.g. prove your solution doesn't include blacklisted txn before we mine on it)
01:19 < gmaxwell> one problem is that you couldn't mine any more transactions until that SoK block is revealed.
01:19 < amiller> yeah so
01:19 < amiller> i think it's not like you just get your block accepted
01:20 < amiller> and reveal the tx at any point
01:20 < amiller> it's basically you have a choice
01:20 < amiller> you either reveal the transactions
01:20 < amiller> or you have your block mined as an 'empty' block
01:20 < gmaxwell> or steal the generated coin!
01:20 < gmaxwell> ohhh thats cool, except it doesn't work if most of the generated coin is fees.
01:20 < amiller> this means that someone who hears about your block can pretend they didn't get the txs and just mine on top of it
01:21 < amiller> i think even that's fine too
01:21 < amiller> like
01:21 < amiller> the point is to give as much flexibility as possible
01:21 < gmaxwell> (thats, unfortunately, pro-censorship)
01:21 < gmaxwell> amiller: yea but it would be superior if you could still steal the fees.
01:21 < amiller> it's only pro censorship for one block
01:21 < amiller> yeah so the point is
01:21 < amiller> to make the outsource server capable of thievery
01:21 < amiller> it has to be able to steal as much as possible while omitting any detectable watermark
01:22 < amiller> so if it's confident that the fees are public
01:22 < gmaxwell> oh so you have to hide the txn for that. I see.
01:22 < amiller> then they're not watermarks
01:22 < amiller> so really the point is just to allow it to hide as much as it wants
01:23 < gmaxwell> oh thats an interesting point. E.g. it could show some txn, and get the fees on those, but hide other potentially watermarking txn.
01:23 < gmaxwell> I think you can prevent a later miner from censoring.
01:23 < amiller> if you're honest you can prevent later miners from censoring you
01:23 < amiller> by only signing one set of transactions after the fact
01:24 < amiller> you could also sign two equivocating sets of transactions and try to split the network
01:24 < amiller> but it wouldn't really have much effect
01:25 < gmaxwell> Maybe there is a way to prevent a third party from gutting a block without producing a watermark.
01:25 < amiller> that's definitely prevented
01:26 < amiller> if you are honest and publish only one set of tx's along with your pow, no third party can create a second set of tx
01:26 < amiller> because the pow still involves a secret that only you know and that you use to sign the txs
01:26 < gmaxwell> gotcha okay.
01:36 < amiller> so, yeah
01:36 < amiller> this can be done pretty easily with discrete log group things
01:37 < amiller> y = g^x can be used as a hash function
01:38 < amiller> you can check that y is in an arbitrarily small subset of the group, zeros in front and everything
01:39 < amiller> ah, hm, i need to hash the previous block in there too
01:42 < amiller> i'll work it out, i don't think it will be complicated, but it would be simultaneously a signature and proof of work
02:37 < Luke-Jr> gmaxwell: I wonder if anyone has conceived of an imaginary/fictional primary colour before; Google doesn't seem to turn up anything
02:37 < gmaxwell> you mean like a super intelligent shade of blue?
02:38 < gmaxwell> http://en.wikipedia.org/wiki/List_of_races_and_species_in_The_Hitchhiker%27s_Guide_to_the_Galaxy#Hooloovoo
02:39 < gmaxwell> Luke-Jr: there are actual extra-spectral colors, which I'm not sure if that qualifies what you're looking for since they're "real" :)
02:40 < Luke-Jr> gmaxwell: like a colour that cannot be represented with real colours
02:40 < Luke-Jr> yes, those are too real :P
02:41 < gmaxwell> I suppose that you can actually have complex wavelengths as solutions to wave equations, but they're just phase shifts of other colors.
02:42 < Luke-Jr> I'm thinking more along the lines of something beyond what we can conceive of in our mind, but can understand the theory maybe.
02:43 < gmaxwell> well thats why I was thinking of complex wavelength... something where the math worked out but it didn't really make any sense.
02:44 < Luke-Jr> if the math works out, it makes sense :P
02:45 < gmaxwell> But if you don't have _some_ constraint then you are free to say anything, and end up with super intelligent blue or the like.. which isn't all that satisfying.
02:45 < Luke-Jr> depends on the goal.
02:47 < gmaxwell> You end up with something like Feltrabl a highly controlled and secret color used by Tristero's Empire conspiracy to mark rubbish bins for special collection by their agents as part of their secret message relay network.
03:01 < petertodd> Luke-Jr: Fictional primary color? That's easy, long red. (actually an exercise in a science of color class I took to consider the ramifications of sight if we had a cone that could sense infrared)
03:05 < gmaxwell> I have some marks on my arm that prove that I can sense infrared!
03:05 < petertodd> lol
03:05 < petertodd> ...but only once per eye.
03:05 < gmaxwell> nah, I've got lots of square cm of skin to turn to plasma.
03:06 < petertodd> Sheesh, and I thought I was playing it dangerous with the 1W or whatever it was blue diode laser I was using to make cave formations glow-in-the-dark at Christmas...
03:07 < petertodd> What were you doing with IR lasers anyway? I thought you did light shows...
03:08 < gmaxwell> petertodd: most cost effective way to get lots of green light used to be to frequency double the 1064 nm output of an arclamp pumped NdYAG laser.
03:08 < petertodd> Ah
03:08 < gmaxwell> (and still pretty much is, but they're laser diode pumped now)
03:10 < gmaxwell> because the conversion process is non-linear its much more efficient the higher your peak power is, so not only IR lasers, but ones which are q-switched: microsecond long pulses at 10KHz packing an _average_ power of many watts.
03:10 < petertodd> ...damn....
03:10 < gmaxwell> While realigning one of my lasers I caused some ESD that made the qswitch trigger and got a dump with a peak power output of probably >100kw that grazed my arm, ... also exploded the optics.
03:11 < gmaxwell> BANG.
03:11 < petertodd> Heh, reminds me: I got a chance to visit a laser lab some years back - my arts school had a holography course for decades - and they had some insane 1nS pulsed laser or something in the visible spectrum. Kinda insane to see that flash.
03:12 < gmaxwell> I was always terrified by that thing, even with the qswitch open the continuous IR circulating beam in the resonator was probably about 300 watts.
03:12 < petertodd> nuts - should have worn the ESD handcuffs!
03:13 < gmaxwell> and it wouldn't lase with the arclamp turned down too far... maybe I could get the IR down to 10w while working on it, which still will burn you quickly, and blind you instantly.
03:13 < gmaxwell> (obviously I used IR safety goggles)
03:13 < petertodd> That's obvious because I know first hand that you can see.
03:13 < gmaxwell> In florida ESD was almost never an issue due to high humidity
03:14 < petertodd> hah, very true, not so true here...
03:14 < petertodd> We grudgingly have those ESD mats all over the place at work, although I've only used the wrist straps a handful of times.
03:22 < petertodd> gmaxwell: You could have done worse though: http://www.ncbi.nlm.nih.gov/pubmed/9510099
03:24 < gmaxwell> the @#$@$#@$
03:24 < gmaxwell> crazy!
03:25 < petertodd> Heh, my brother's got a few tattoos from the chain of his mountain bike, but that takes the cake...
03:26 < gmaxwell> Nah, I have a tiny scar where a bit of tissue was removed and instantly cauterized. May have even been from a reflection as the optics exploded and not the main beam itself.
03:26 < petertodd> Ha, yeah, depends so much on exactly what happened too; the energy could have easily been absorbed by the smoke emitted.
23:15 < amiller> i've been wanting to meet him for like 2 yrs and somehow convince him that proof-of-work based consensus is not inherently wasteful or inferior to designated identities
23:17 < gmaxwell> did he set you on fire and throw you out a window?
23:18 < amiller> no but it didn't go as well as i hoped anyway
23:18 < amiller> we kinda rambled at each other for a while
23:19 < amiller> he thinks during the conversation he came up with a great improvement that resembles proof-of-stake a bit
23:20 < amiller> an interesting (imo) line of thought came out of it though, which is that any spending on "defense" always appears as waste if it's spent to defend against an attacker that has no plausible chance of existing
23:21 < amiller> paranoid spending
23:21 < petertodd> ...yet we still have nuclear subs...
23:21 < petertodd> makes sure the attacker doesn't exist because they take one look at it and say "why try?"
23:23 < amiller> if someone comes to you with a proposal for building a defensive forcefield, there's only a few ways to go about good deciding
23:24 < amiller> i guess it helps if everyone can agree on what kinds of attacks we should defend against or deter
23:24 < petertodd> I prefer to think about it in terms of the value asymmetry: in bitcoin an attack can spend much less than the total value of the currency to destroy it.
23:26 < petertodd> or in short, attack money is probably fungible
23:29 < amiller> in bitcoin's steady state, however the fees work out, the total amount of fees collected (funds raised) basically equals the amount of mining power expended on defending against bitcoin's particular 51% attacker
23:30 < petertodd> well, that's actually my key point: the fees may work out, but that's all you've got - it's hard to just spend more fees or something to defend against a previously unknown attacker
23:30 < amiller> so it's a sound/efficient system if it's basically a good way to in a decentralized way decide how much to spend on defense and how to decide who pays what
23:31 < petertodd> well see I'm mainly thinking in comparison to proof-of-sacrifice blockchains, which can be arranged in such a way that you sacrifice what funds you have left to stop the attacker - but they need an underlying proof-of-work to actually work...
23:32 < amiller> so what does it mean to choose an attack model by consensus
23:32 < amiller> basically everyone gets to have their own bogeyman
23:32 < petertodd> for me it's aliens
23:32 < amiller> and when it's done correctly the attacker likely won't even show up
23:32 < amiller> well aliens are far away so you can use my new overwhelmingly-powerful-but-distant-attacker proof of work model
23:32 < petertodd> for my brother it's fear that all his efforts towards preventing an attack will prove to be wasted against a phantom threat...
23:33 < petertodd> lol
23:33 < amiller> that's so tricky
23:33 < amiller> because you never get a good signal that you're wrong in that case
23:33 < petertodd> heh
23:33 < amiller> maybe leaving some cheap coins around as a decoy is a good principle?
23:34 < petertodd> interestingly I was talking to peter vessenes the other day about changing the proof-of-work function, and he had been convinced that the option needs to be on the table and planned for
23:34 < petertodd> good indication of the social environment around btc
23:34 < amiller> yeah
23:35 < petertodd> he's right though in a way: the biggest strength is that bitcoin can fundamentally change what it is to adapt
23:35 < amiller> well lets see how the community handles fragmentation and dozens of these cryptocoins as well
23:36 < petertodd> heh, hence having an entity named "the foundation"...
23:46 < amiller> i have a contradiction in even my really simple model
23:46 < amiller> i'm not really sure what to make of this, even intuitively
23:46 < amiller> here's the problem, i think of bitcoin as a protocol for synchronous networks
23:47 < amiller> the proof sketch in the satoshi whitepaper essentially assumes that blocks are broadcast immediately
23:48 < amiller> and there's no trouble carrying that through with some maximum delay, but that delay certainly has to be *known* and set globally as a parameter
23:49 < amiller> the problem is that given this assumption, it seems like it's possible to get security against even an arbitrary >50% attacker
23:50 < amiller> the reason why is that if you imagine that every honest node is able to broadcast, and also that somehow stale/parallel/fork blocks get included in every chain in a specially marked 'wastebin' pile or whatever,
23:51 < amiller> then you could also change the best block rule to ignore blocks you haven't heard about from a while ago
23:52 < amiller> or to put it another way, bitcoin is really lenient about time when picking the largest chain, which is good because it makes it tolerant to longer partitions
23:53 < gmaxwell> yea, means a modest intercontinental partition doesn't just end the currency, even absent an attacker other than ActOfGod.
23:54 < amiller> it does basically require shutting down service though
23:55 < amiller> i mean, an intercontinental partition is still really harmful, especially if the attacker is better connected
23:55 < amiller> even eclipse-attacking an individual node is pretty bad
23:58 < amiller> how to reason something that's half-in and half-out of the attack model
--- Log closed Mon Aug 19 00:00:20 2013
--- Log opened Mon Aug 19 00:00:20 2013
01:59 < gmaxwell> https://bitcointalk.org/index.php?topic=277389.0
01:59 < gmaxwell> "Really Really ultimate blockchain compression: CoinWitness"
12:14 < realazthat> mmmm
--- Log closed Tue Aug 20 00:00:24 2013
--- Log opened Tue Aug 20 00:00:24 2013
08:02 < gmaxwell> Hey everybody, Tonal bitcoin is a more likely reality than you might expect!
08:03 < gmaxwell> https://bitcointalk.org/index.php?topic=278122.0 "CoinCovenants using SCIP signatures, an amusingly bad idea."
08:03 < gmaxwell> Luke-Jr: I think it would be super awesome if you'd reply to that with a "finally I've found a way to move everyone to tonal!"
08:04 < gmaxwell> (e.g. by constraining txouts never be round decimal values, and requiring higher transaction fees if the numbers are not round tonal values)
08:06 < petertodd> gmaxwell: that's exactly what I was doing here: http://permalink.gmane.org/gmane.comp.bitcoin.devel/2612
08:06 < Luke-Jr> might not be politically wise right now :p
08:06 < petertodd> Luke-Jr: 0.1BTC if you do
08:06 < Luke-Jr> petertodd: lol
08:06 < Luke-Jr> has anyone suggested SCIP scripts to blind the inputs?
08:06 < petertodd> might not be politically wise right now :p
08:07 < Luke-Jr> eg, have the public info just be a UTXO set hash, and have the SCIP script verify the secret transaction inputs are part of it
08:07 < petertodd> yeah, could work... gmaxwell said 144 minutes for what, ~100 instructions? That's plenty to evaluate the merkle tree
08:07 < gmaxwell> Luke-Jr: you need to remove the utxos from the set though.
08:08 < petertodd> oh, right...
08:08 < Luke-Jr> ah
08:09 < gmaxwell> you certainly can do things like input blinding though, just not quite so directly.
08:09 < petertodd> yeah, the timestamping oracle is a good mechanism, and it'd be a wonderful way of forcing authorities to make public services like timestampers lie
08:10 < gmaxwell> petertodd: so yea, one "problem" with this SCIP stuff is that even if you introduce it as a script feature in its _MOST_ limited form, it is insanely powerful, even including power we'd probably choose to not offer.
08:10 < petertodd> vessenes did bring up the issue of allowing people to restrict their transactions to meet local regulations... which SCIP would be just ducky for
08:11 < gmaxwell> e.g. we would probably not want to make scripts able to go do a bunch of math on the nlocktime of their containing transaction. But any SCIP signature system would have to be able to be used to perform general computation on anything it was signing.
08:11 < gmaxwell> petertodd: well the regulations are almost never a function, ... and when they are they are usually wrong headed.
08:11 < petertodd> which means they either have access to nlocktime or don't
08:11 < petertodd> *maybe* you could add a special purpose opcode, but...
08:12 < gmaxwell> could you imagine CoinCovenant viruses? haxers break in, they don't steal their coin. They encumber them so you have to include a "I LOVE GNAA" OP_RETURN txout in every transaction.
08:13 < petertodd> ha, lovely
08:13 < gmaxwell> fortunately scripts don't pass through to fees... :P
08:13 < gmaxwell> (and SCIP can't extend them there)
08:13 < petertodd> I've been thinking about posting high-value partially signed tx's with, stuff in them
08:13 < petertodd> actually, I posted one to bitcointalk, and no-one has found it yet
08:14 < petertodd> gmaxwell: in practice it can: anyone-can-spend-except-for-gnaa outputs
11:42 < realazthat> lol
11:48 < gmaxwell> I'm sad, iddo didn't give a terrible example.
EmperorBob made up for it.
11:49 < petertodd> oh, so rick-roll was a good idea? cool
11:49 < gmaxwell> the snowballing taint is pretty awesome. It's like cancer, it has a moral imperative to grow!
12:32 < gmaxwell> petertodd: I powered up EmperorBob's spamcoin.
12:33 < petertodd> ?
12:34 < gmaxwell> - Smashcoin: Any spend of a coin with this covenant must retain the covenant and provide proof of an attack on an alternative cryptocurrency. (e.g. SPV proof of bloating some other cryptocoin's UTXO, or mining multiple blocks at the same height (with some committed data))
12:34 < gmaxwell> (In particular, if it required that there be no payee at all beyond the covenant for one of its outputs. ... and it becomes a self-administering bounty for attacking something else 0_o spooky. Fortunately most attacks are not cryptographically provable)
12:34 < petertodd> Ha, lovely
12:35 < petertodd> I'll refrain from posting about my genocide coin...
14:31 < adam3us> gmaxwell: (not saying its not a problem, just that maybe we currently have a close to analogous problem)
14:32 < gmaxwell> adam3us: yes because it results in a natural way to rate limit their activity. They have to spend their coins to do it. Perhaps I've forgotten your proposal, but I thought you could create invalid transactions and no one could tell that they weren't valid.
14:32 < adam3us> anyway blind sigs between committed tx spends for payee anonymity - thats neat, i have to think what else can come out of that plus homomorphic value; also there is another (big) homomorphic value tweak i need to work on
14:32 < adam3us> gmaxwell: yes that is true, however there were clear text fees
14:33 < gmaxwell> adam3us: how can cleartext fees work if the public doesn't know what coin is being spent?
14:34 < adam3us> the fee has to be from some clean coins..
not ideal but the miner can not see the coins so necessary
14:34 < jtimon> ok, it wasn't what I thought it was, but I think I understand now
14:36 < jtimon> it's like putting hashes of transactions in the chain, and not reveal the actual transaction until it is sufficiently buried
14:37 < jtimon> but what if the dishonest miner doesn't want to include the "revealed transaction"?
14:37 < gmaxwell> adam3us: the other issue with it is that the privacy was very brittle. If you receive a coin from someone you must be able to decrypt the whole history to know its valid.
14:38 < adam3us> jtimon: in many senses the transaction already happened, revealing it is just to reduce utxo
14:38 < jtimon> but the "revelation" must get into the chain too, no?
14:38 < adam3us> gmaxwell: yes. its not so much private as non-public
14:39 < adam3us> jtimon: its optional, they can be respent in committed form indefinitely
14:39 < jtimon> adam3us, no as gmaxwell says, you need the whole history public to be sure is valid
14:40 < gmaxwell> not quite.
14:40 < gmaxwell> jtimon: it has to be known by people accepting the coins.
14:40 < adam3us> gmaxwell: when the trail grows long privacy becomes quite weak, so i think its more like ensuring peers can choose policy of who to accept transactions for
14:40 < gmaxwell> but then you get fungibility issues.
14:40 < jtimon> let's say the chain contains hidden(A->B)
14:41 < jtimon> now B wants to pay C, he shows C the reveal of A->B plus B->C and broadcasts hidden(B->C)
14:41 < adam3us> jtimon: yes
14:42 < jtimon> How can C know for sure that hidden(B->C2) and hidden(B->C3) aren't already in the chain?
14:43 < adam3us> jtimon: because a committed spend includes a hash of the address, so you can check that
14:43 < jtimon> if there's no public validation there's no guarantee against double-spend
14:43 < jtimon> of the source address B ?
14:43 < adam3us> yes
14:44 < gmaxwell> jtimon: no, not so. It's basically blinded.
14:44 < adam3us> and if the transaction is spent in non committed form, it reveals the public key so then anyone can compute the committed form hash, so both committed and non-committed forms can be double-spend protected
14:44 < jtimon> hidden(A->B) contains a hash of address B? I'm confused
14:45 < adam3us> jtimon: no hash of A
14:45 < adam3us> gmaxwell: yes its curious it seems like a symmetric form of blinding approximately
14:46 < jtimon> So, I'm C, you include hidden(B->C), how can I be sure that you haven't spent what you got from hidden(A->B) 5 times already?
14:46 < gmaxwell> jtimon: because when you receive a hidden coin you must evaluate and unblind its whole history.
14:47 < adam3us> because it has to go to the chain in committed form, which reveals H(B)
14:47 < adam3us> sorry you said A->B, so rather it reveals H(A)
14:48 < maaku> gmaxwell: but where is the double-spend protection there?
14:48 < gmaxwell> maaku: in the receivers.
14:48 < jtimon> committed form == public form, non-committed form == in-chain but hidden form, right?
14:48 < maaku> i'm not following
14:48 < adam3us> jtimon: only back to the point of the last uncommitted spend
14:48 < maaku> i have my history, but how there aren't other alternate histories?
14:48 < adam3us> jtimon: uncommitted is normal bitcoin tx form
14:49 < jtimon> ok, uncommitted == public
14:49 < gmaxwell> maaku: because you know non-public data that lets you identify any spends of the coins you care about.
14:49 < maaku> gmaxwell: even though all the other histories are encrypted?
14:49 < adam3us> jtimon: basically you can sort of do a (committed/hidden) spend, then later convert that into a normal spend
14:49 < jtimon> can we follow the example please?
14:49 < gmaxwell> maaku: yes, because if you're accepting the coin you have the key.
14:49 < jtimon> I'm getting lost
14:50 < jtimon> A has its funds from a public tx
14:50 < adam3us> jtimon: it generated a long thread until everyone was convinced, its somehow counter-intuitive
14:50 < jtimon> A->B is in the chain in hidden form
14:50 < adam3us> ok
14:50 < gmaxwell> adam3us: he's asking about the case where you are d in a chain of hidden spends. a->b b->c c->d And he's confused about how you know that a->q didn't happen first.
14:51 < adam3us> gmaxwell, jtimon: so if a is spent, in committed or normal form, you see evidence of it on the chain
14:51 < gmaxwell> And, as far as I recall, the reason is if these are all non-public, you will know a's key so that you can see that a->b was the unique first spend of a.
14:51 < maaku> and the reason is that you get the key to a, so you can go back and decrypt all the transactions of the form "a -> ..." and make sure that "a -> b" is the first, right?
14:51 < adam3us> gmaxwell: so you demand sufficient info from the sender to validate that this did not happen
14:52 < adam3us> maaku: yes
14:52 < gmaxwell> maaku: right. You'll demand to know, as adam3us says.
14:52 < maaku> ok
14:52 < maaku> so it's basically encrypted mastercoin :\
14:52 < gmaxwell> maaku: yea, basically.
14:52 < adam3us> gmaxwell: yes, this is a trick that a normal signature includes the public key and so then anyone can correlate it with any previous committed versions of it
14:52 < adam3us> hey take it easy there.. i am not a mastercoin fan :|
14:53 < gmaxwell> maaku: but it doesn't invoke another currency. :P
14:53 < gmaxwell> though there is a fungibility break, a long chain coin is not as valuable as a public one.
14:53 < adam3us> gmaxwell: are the mastercoin guys on here?
14:54 < maaku> adam3us: no, I don't think so
14:54 < adam3us> i think petertodd is putting archives of this in the clear on amazon, so nothing too biting can be said
14:55 < adam3us> anyway my issues with mastercoin are funding model, not technical ideas
14:55 < maaku> meh, J.R. seems to take genuine technical objections pretty well
14:55 < petertodd> adam3us: only when requested - it's not something I've been doing regularly
14:55 < maaku> doesn't learn from the pointed out mistakes though, but that's a separate issue
14:56 < adam3us> maaku: i havent made any technical comments about msc, i just commenting on the funding model
15:03 < gmaxwell> in any case, adam3us's proposal becomes potentially more interesting if the network can validate a ZKP of a transcript of a validation of his coin scheme.
15:03 < adam3us> so what about this p2p blind sig on the coin transfer idea
15:03 < gmaxwell> as it would allow you to reemerge and make public a coin without making the keys public.
15:04 < adam3us> gmaxwell: SCIP/SNARK for the encrypted history? wowsers the inefficiency of that :)
15:05 < gmaxwell> adam3us: right. SCIP a validation of the encrypted history to emerge the coin in zero knowledge ... and yea, costly, but the validation is fast, so the public part wouldn't be an issue.
15:05 < adam3us> i think the p2p blind sig on transactions could achieve something committed coin similar but on normal transactions, payee anonymity
15:05 < adam3us> gmaxwell: wouldnt it be big?
15:06 < TD> proofs are small
15:06 < adam3us> gmaxwell: i dont know in my head it just seems like its a compiler for what you could do manually with generalized fiat-shamir transform of cut & choose repeated on a program, plus all the systematizable optimizations
15:06 < TD> an OP_SCIP would not be unthinkable
15:06 < adam3us> gmaxwell: and i cant see that being very compact somehow
15:07 < gmaxwell> adam3us: no, the proofs are small (they are not proportional in size to the program).
Authoring the proofs is painful.
15:07 < adam3us> gmaxwell, TD: ok that could quite be interesting & powerful as a building block
15:08 < TD> gmaxwell: it got a LOT better, apparently.
15:08 < TD> not sure if i'm allowed to discuss their latest performance results in public, or how that works, etiquette wise
15:09 < adam3us> gmaxwell: eg hal finney made a presentation of what it took to prove a SHA1 hash in zkp it did not look pretty, they must've made some new insight
15:09 < TD> yes they did
15:09 < gmaxwell> adam3us: there has been a _lot_ of advancement here.
15:09 < jtimon> sorry guys, my laptop died
15:09 < adam3us> gmaxwell: ok, its interesting though because whatever they are doing is general - one could use it oneself manually, hand optimize it etc
15:10 < adam3us> gmaxwell: eg can it make a smaller homomorphic valued coin?
15:10 < jtimon> maaku can you paste me the conversation from "A->B is in the chain in hidden form" somewhere else?
15:10 < gmaxwell> adam3us: yea sure the compiler part is obviously never going to be as efficient as hand circuit optimization.
15:11 < gmaxwell> TD: well, so, they do have multiple backends on this stuff, the really compact things is the knowledge of exponent pairing crypto stuff, and adam3us's skin will crawl at that. :P
15:11 < amiller> (this is totally irrelevant, but it irks me that eli ben sasson has gotten everyone to use SCIP as a generic name for this, SNARK is the generic name, SCIP is just the name of his particular project, his paper for scip is even titled SNARKS for C)
15:11 < TD> SNARK sounds dumb
13:01 < gmaxwell> But if we can use POW hashes to pick the subsets, I think we can make non-interactive require some multiple of the networks computing power to cheat.
13:01 < gmaxwell> And yea, absolutely I agree.
13:02 < gmaxwell> The non-interactive system is just a derandomization of the interactive one.
13:02 < petertodd> In fact, with SPV proofs for each txout, you can still have an interactive node sync from another interactive node I think - again, gotta think about the economics.
13:02 < petertodd> Oh, no, that doesn't work: can't stop the peer from removing a UTXO and not telling you.
13:03 < petertodd> Though it may be enough to use these challenges to determine if the delta-UTXO of some block of history is correct, meaning you don't actually need to get that whole block of history from a peer, just how it changed the UTXO set.
13:04 < gmaxwell> thats why I was talking about a committed utxo, since it makes the state transition implicit.
13:04 < petertodd> For sure, again, just thinking about doing a meaningful prototype prior to changing the protocol.
13:08 < gmaxwell> well I do think that unfortunately a random check of the past headers needs a protocol change.
13:08 < gmaxwell> because you can't tell if random headers are connected. :(
13:08 < gmaxwell> well no, I suppose you could ask a peer to commit to a hashtree over the past headers.. without having it in the protocol.
13:08 < gmaxwell> and if you catch them cheating you ban their ip.
13:16 < petertodd> Oh, I'm assuming you have all the headers first.
13:16 < petertodd> This is just to optimize getting the blocks themselves.
13:29 < petertodd> Hmm... the problem is if any 1 element in the UTXO set is either invalid, or missing, the attacker can fork you. The numbers just aren't going to work out for checking enough of the proof to be sure there isn't an invalid txout in there, other than getting copies of every tx for every txout in the set. The same applies to being sure that you aren't missing a txout.
13:29 < petertodd> With UTXO commitments it's another story, but without them I think it's hopeless.
13:31 < gmaxwell> The forking you isn't so bad.
13:31 < petertodd> How so?
13:32 < gmaxwell> ask the guy who gives you a block to prove any txo you can't prove for yourself.
13:33 < petertodd> But that leads to bandwidth forks - the proof of a txout is the tx, and that's far larger than the txout itself.
13:34 < gmaxwell> it's not just the tx, it's a spv fragment for the tx.. a lot larger, sadly.
13:35 < petertodd> For a small tx sure, but you could arrange for those tx's to be all MAX_BLOCK_SIZE large...
13:36 < gmaxwell> I'm agreeing with you. this is another reason that it blows that our tx format is not tree structured.
13:36 < petertodd> Yup
13:36 < gmaxwell> ideally the proof for an output should be log(blocks) hashes + log(txn in block) hashes + log(outputs in txn) hashes....
13:36 < gmaxwell> plus the output.
13:36 < petertodd> Yup
13:37 < gmaxwell> but instead it's block hashes + log(tx in block) hashes + the whole size of the transaction, which could be enormous.
13:38 < petertodd> Supposing it was though, you could pass around tx's and blocks with txout proofs relatively cheaply (k*~log() increase in bandwidth) and all nodes could start validating blocks fully fairly well.
13:40 < gmaxwell> petertodd: yea, would probably only triple transaction sizes, assuming max size blocks.
13:40 < petertodd> yup
13:43 < petertodd> Would work nicely with fraud proofing too, because a fraud proof for an invalid txin is just to point out that it's invalid.
17:50 < gmaxwell> amiller: so for pinocchio, you just have your transcript with steps*words memory, and you compute a hashtree over that.. and then the circuit satisfaction runs and just validates that every access is consistent with the transcript memory snapshot?
17:50 < amiller> yeah
17:50 < amiller> it's only a little different than tiny ram which doesn't use a merkle tree to represent ram, but it does do this weird sorting/routing thing which has almost the same effect
17:51 < gmaxwell> well kinda, the sorting is provably correct with non-deterministic advice, so it can be very minimal. Though how the efficiency ultimately plays out I dunno.
17:52 < amiller> it's kind of just an optimization of the write-to-merkle-tree-every-time
17:52 < amiller> like the tinyram begins empty and doesn't write back anything when it's finished
17:52 < amiller> so it's almost like a cache
18:03 < gmaxwell> I had a weird dream about these proof systems for software last night. Where someone had some new technique which was particularly powerful, and I went to go try to convince them to not let MIT patent it because they'd be typical licensing idiots and prevent everyone from using it. ... and then I got lost in mit. very weird.
18:10 < amiller> so i've studied the hell out of this recursive snark composition paper
18:10 < amiller> and i'm writing my own now
18:10 < amiller> they argue that their construction only works for constant-depth circuits
18:10 < amiller> which means it works for turing machines with a fixed polynomial bound
18:10 < amiller> on the number of steps
18:10 < gmaxwell> right.
18:10 < amiller> i claim that you can do it for unbounded length computation
18:11 < amiller> because you can build a fixpoint verifier
18:11 < gmaxwell> by nesting proofs?
18:11 < amiller> in either case you nest proofs
18:11 < gmaxwell> interesting.
18:11 < gmaxwell> oh I see, right nesting gets you the polynomial bound.
18:12 < gmaxwell> making the computation unbounded would be nice... having to precompute for different work sizes stinks.
18:12 < amiller> yes
18:13 < gmaxwell> (esp in the model where if the generator cheats it can produce false proofs, because you'd really want to only ever run root generator once since gaining confidence in it will be expensive)
18:14 < amiller> i can't figure out why they didn't do it this way in the recursive composition paper
18:15 < amiller> but i can describe my scheme really easily
18:15 < amiller> to start with the snark consists of a triple G,P,V
18:15 < amiller> G(k,C) takes a circuit C, security k, and outputs a verification key v
18:16 < amiller> prover P(C,x,w) takes a circuit C, input x, witness w, and outputs a proof p
18:16 < amiller> the circuit is a function C(x,w) -> {0,1}
18:16 < amiller> x and w are the combined inputs of the circuit but it's split into a part x that the client provides and a part w that the prover provides, think of the x as a blockhash and w as untrusted block data that gets checked during the circuit
18:17 < amiller> so the conciseness of a snark is that v is always constant regardless of the size of C, and so is p, and V takes constant time to run
18:17 < amiller> next part (two of three) is a constant step turing machine
18:17 < amiller> this is easy because i can represent the tapes of a turing machine as a hash chain
18:18 < amiller> so M(s0,s1,w) -> {0,1} returns 1 if s0 -> s1 is a single valid state transition
18:18 < amiller> s0 and s1 are digests of the turing machine state including the remainder of the tape to the left and to the right
18:18 < amiller> blank tapes have like the genesis digest 0000000 sentinel value
18:19 < amiller> w contains like one element of the tape, either the left or the right, so it's enough untrusted data to check one step
18:19 < amiller> okay so the final part is putting these together
18:19 < amiller> the trick is to build a circuit that contains the single step M and the verifier V, and it also takes a key v as its input
18:19 < amiller> and passes through
18:20 < amiller> so you can
compile that whole circuit v* and pass v* as input and that's a fixpoint verifier
18:20 < amiller> so more specifically,
18:20 < amiller> i'll define M* as a circuit
18:21 < amiller> M*((s0,sF,vk), (w1,p1,s1)) -> {0,1}
18:22 < amiller> M* returns 1 if M(s0,s1,w1) and either V(vk, (s1,sF,vk), p1) or s1==sF
18:23 < amiller> i forgot to write the form of the verifier V earlier in part 1 about snarks, so it's V(vk, x, p) = 1 only if there's some witness w such that p = P(C, x, w)
18:24 < gmaxwell> yea, thats obvious enough, thats what the snarks prove.
18:24 < amiller> okay so that circuit is like a fixpoint operator
18:24 < amiller> v* = G(k, M*) gives you a special key
18:24 < amiller> that you can pass in
18:25 < amiller> so basically the final verify function is like V*(proof,s0,sF) = V(v*, (s0,sF,v*), proof)
18:25 < amiller> you use v* as the verification key, you also pass it through as input
18:25 < amiller> that's the whole damn thing, no troubles incurred.
18:26 < gmaxwell> But doesn't the verification key grow linearly with the depth instead of being constant?
18:27 < amiller> verification key is constant in the size of the circuit
18:28 < gmaxwell> oh I see, right. It's not N verification keys, it's a verification key of a circuit that includes a verifier for itself.
18:29 < amiller> it's a verification key of a circuit that includes a verifier for any verification key
18:35 < amiller> i'm beginning to understand the problem of extraction for security though
19:03 < amiller> this seems like a ridiculous technical detail.
20:28 < amiller> yeah this is frustrating, i think it's a crypto-definitions quirk more than anything practical
20:28 < amiller> the problem is that security for these snark things is defined using a non-black-box extractor
20:28 < amiller> the scheme is secure if an extractor exists
20:29 < amiller> if some adversary P' produces an untrusted proof, then the extractor is given non-black-box access to the code of P'
20:29 < amiller> and the extractor is supposed to produce the witness, and run in polynomial time relative to the time of P'
20:30 < amiller> so the problem is this definition composes really poorly
20:30 < amiller> because if P' altogether runs in time t
20:30 < amiller> then E(P') might run in time t^2 *just to give you the next-to-last proof*
16:07 < amiller> i still think it would be a lot easier to argue about whether any of these schemes are sufficient by first describing the ideal function of the ledger using zero knowledge
16:07 < adam3us> (from hashing)..
16:07 < gmaxwell> adam3us: then you'd have to know which utxo is which. (to prune) and the advantage of the snark emergence is that you don't have to ever disclose anything...
16:07 < maaku> hrm.. MMR double-spend db might work very well
16:08 < amiller> in a perfect world you'd learn nothing except that the transaction was valid, and the state could be updated by anyone without having to know anything else
16:08 < adam3us> gmaxwell: but if its an opaque blob, whats the damage to say yes this was my txin.
16:08 < adam3us> gmaxwell: if the entire chain was in hidden form
16:08 < gmaxwell> adam3us: because it disclosed where it came from and so you can build a transaction graph.
16:09 < amiller> i wonder if accumulators are the right thing because if you know x, you can prove that x is included in acc{...,x,...}, you can also produce acc' = acc - {x} without knowing any of the other committed values
16:09 < adam3us> gmaxwell: yeah but tx graph of opaque blobs isnt so bad - you dont know who they're to who theyre from or the amount
16:09 < adam3us> gmaxwell: i mean even the addresses arent disclosed, there's nothing
16:10 < amiller> i don't think i believe that adam3us's scheme actually sufficiently protects against blacklisting policies etc
16:10 < gmaxwell> amiller: it doesn't but it makes it softer.
16:10 < gmaxwell> adam3us: ... if you can remove the utxo this emerge consumed, then you could also look to see which utxo it removed and so on.
16:10 < adam3us> gmaxwell: i think it could be about the right model, for privacy you can subpoena a person in the chain, and they can prove the blob they got it from
16:10 < gmaxwell> adam3us: if bitcoin is used correctly the addresses are all single use anyways, hiding the addresses isn't that helpful.
16:11 < adam3us> gmaxwell: yes but coin control fails in real life seemingly
16:11 < amiller> yes and elaborate zk fails to exist in real life seemingly too
16:12 < gmaxwell> adam3us: I mean, the top most wallet promoted on bitcoin.org forces you to constantly reuse an address, as does the most popular wallet software. I don't think you can say there is any fundamental failing, ... and you can't cure people's disinterest by making transactions much more expensive (in size and computation)
16:12 < amiller> isnt coin control an easier thing to get right for this level of improvement
16:12 < maaku> adam3us: these are user interface problems
16:12 < maaku> in short time, with the proper tools, bitcoin addresses will be 1-use-only
16:12 < gmaxwell> What maaku says.
16:13 < gmaxwell> There are things in the pipeline which will help, and eventually we will need to grow some balls and threaten to delist wallet software from bitcoin sites when they force known bad behavior.
16:13 < gmaxwell> But thats mostly orthogonal from crypto stuff, there are huge information leaks from the transaction graphs even when addresses are not reused.
16:13 < adam3us> gmaxwell, maaku: i dont think so quite, hence coinjoin etc
16:14 < gmaxwell> adam3us: coinjoin actually buggers the graph analysis.
16:14 < adam3us> gmaxwell: exactly
16:14 < adam3us> gmaxwell: good, somewhat, still prefer opaque blobs if we could find an efficient way to do it
16:14 < adam3us> unencrypted value is also hideous
16:14 < gmaxwell> But what you're suggesting (snarking at each step) doesn't. It just hides reused public keys, which is kinda boring... I mean, it's better but so long as it has a cost....
16:15 < gmaxwell> right. okay, I don't think we actually disagree. Maybe just on the exact tradeoff points.
16:15 < adam3us> gmaxwell: it hides value as well
16:15 < maaku> mostly it's just a matter of getting payment protocol and hd wallets accepted everywhere and built into every wallet
16:15 < maaku> coinjoin is a separate issue, is it not?
16:15 < adam3us> gmaxwell: you could probably mix some ORs into the snark
16:16 < gmaxwell> In any case, I think it's not good enough to do one thing, we must do all the things.
16:16 < adam3us> maaku: i think coin control is not enough
16:16 < gmaxwell> But I think humans have a lot of inertia so we need to do the more user visible things first.
16:17 < adam3us> maaku: still plenty of transaction graph leaks
16:17 < maaku> adam3us: ? by coin control do you mean coinjoin et al?
16:17 < adam3us> amiller: i think it could block miners
16:17 < gmaxwell> e.g. if we get enormous bitcoin businesses depending on being able to infer refund addresses from chain analysis, any improvement will be hard to deploy.
16:17 < adam3us> maaku: no i mean not picking coins at random from your wallet
16:17 < adam3us> gmaxwell: yes that has to die
16:18 < adam3us> gmaxwell: btw that is why i proposed a publicly creatable chain code like thing (bip 38?) extension
16:18 < maaku> adam3us: yes, that's not enough. which is why we need payment protocol + hd wallets (don't reuse addresses) and coinjoin (spread the taint around)
16:19 < adam3us> hd wallets are a great invention on multiple grounds (nice job), but it is interactive, and people like static addresses for usability and chain is private
16:19 < gmaxwell> adam3us: it's not interactive. 0_o
16:20 < adam3us> gmaxwell: well if the site has a chain code online and hands it out right then to the sender
16:20 < michagogo|cloud> Interactive? What does that even mean?
16:20 < adam3us> michagogo|cloud: spender goes to web site, web site uses chain code to make new address, spender receives address, sends to block chain
16:20 < gmaxwell> adam3us: the idea is that you can give someone who will pay you multiple times an extended public key for a child chain. Then they can pay you without interacting.
16:21 < gmaxwell> adam3us: thats one possible usecase, another is that you give them their own subchain the whole extended public key.
16:21 < adam3us> you give them a subchain key so they can generate more?
16:21 < adam3us> gotcha
16:21 < gmaxwell> adam3us: yes.
16:21 < gmaxwell> You can use it either way, interaction is optional. :P
16:21 < adam3us> yes i got that picture i think from the bip etc
16:21 < adam3us> gmaxwell: my point is you could have a print advertisement in a newspaper, and still have each sender use a different address
16:22 < gmaxwell> adam3us: you could, but they'd need to figure out which addresses were used already first.
16:22 < adam3us> gmaxwell: i wrote it somewhere...
i think you replied on the thread, sender does Q'=xG+Q x=random, and encrypts x for Q
16:22 < adam3us> gmaxwell: no it would be random
16:22 < gmaxwell> I know, bytecoin proposed exactly that a long time ago.
16:23 < adam3us> gmaxwell: that seems to answer peoples seeming desire to work with static addresses... its probably just simpler to think about
16:23 < michagogo|cloud> The only thing is, you'd need to generate a sufficiently long series of addresses to watch from that subchain key
16:23 < gmaxwell> but this requires a lot of work from the receiver. e.g. he has to do cryptographic work for every transaction and can do nothing like bloom filtering.
16:23 < michagogo|cloud> Or, provide some mechanism for people to let you know which address they sent to
16:24 < adam3us> gmaxwell: probably you could put some bloom bait on it
16:26 < maaku> for printed advertisements, payment protocol is often the better solution
16:26 < maaku> which is why we need both
16:27 < maaku> "send coins to myfoundation.org/donate"
16:28 < gmaxwell> adam3us: also, your scheme requires the receiver have an online decryption key to identify their own transactions. (so did bytecoins)
16:28 < jtimon> they could say in the ad how to build the address
16:29 < gmaxwell> Bytecoin's suggestion IIRC was that you include an extra random public key in your transaction. And then the key you payto is ECDH between the receivers private and your public, plus his public. This also gave you a nice identity for the sender of the transaction (the public key)
16:29 < gmaxwell> but it required doing a free point multiply for every transaction on the network, and also keeping your private key online for doing it.
16:29 < jtimon> in freicoin foundation, for example, is organization_id/months_after_launch but you could have a deterministic mapping between username and an int
16:29 < maaku> jtimon: yes, but equally important is the other end of it.
they need to know what addresses to listen for
16:30 < jtimon> all_my_registered_usernames/start_incrementing_from_0
16:31 < maaku> yes, but again: printed ad - you don't know your future donors
16:31 < maaku> hd wallets fit some situations, payment protocols others
16:31 < maaku> typically hd wallets are good for existing relationships, payment protocols for new ones
16:32 < maaku> it would be nice if payment protocol had a mechanism for specifying an hd address (there was some discussion on the list about this, I believe)
16:32 < jtimon> printed ad is too much, you can't do it on your own
16:32 < adam3us> gmaxwell: yes bytecoins seems similar and similar side effects.
16:32 < jtimon> but if they register in your web is different
16:32 < jtimon> there was a video "pay to protocol"
16:33 < maaku> ?
16:33 < adam3us> my additional probably unstated thought on the btc thread is maybe the sender can give you a hint, that allows you to narrow which are for you, or safely delegate searching to a full node
16:33 < jtimon> where the receipt was used to build the payment address from the recipients seed_key
16:33 < maaku> the UI for payment protocol would presumably be the same - you use a url in place of an address and your wallet handles the magic
16:34 < adam3us> gmaxwell: have to think about details could be interesting as fixed addresses are seemingly what users understand and they are setting a bad direction as is
23:08 < gmaxwell> I think making a concrete argument the whole of the interior rules are a cryptosystem is important. It's a bit sad that OP_CAT is off and that we don't have an OP_PUSH_TXN_HASH as you could implement lamport signatures in script with that.
23:09 < gmaxwell> bluematt's thing will help, in a couple of months you'll be able to claim that many alts are created by people who can't use a compiler.
23:09 < gmaxwell> so there will be no illusion that there is some latent stock of cryptographic geniuses putting out these things.
23:09 < andytoshi> yeah, that's excellent
23:11 < andytoshi> i might even describe this as a "social experiment which Matt Corallo proposed to the bitcoin developers to illustrate this point"
23:11 < andytoshi> because people on the btct thread seem to think he is some random guy..
23:12 < andytoshi> though i really don't want to give the impression that the bitcoin developers are holy people directing the currency somehow
23:12 < andytoshi> because that kind of thinking causes alts with convergence issues
23:12 < Luke-Jr> Matt Corallo is a bitcoin developer O.o
23:12 < gmaxwell> well, also, while not a secret emphasizing that the tool is intentionally cynical may lower matts income from it.
23:13 < andytoshi> Luke-Jr: i know, i guess i phrased that badly
23:13 < gmaxwell> andytoshi: and fwiw, I do think I was the first person to suggest it. :P (though perhaps matt had been thinking about it independently)
23:13 < andytoshi> oh, sorry :}
23:13 < gmaxwell> (I spent a while in #bitcoin-mining trying to convince Luke-Jr and/or petertodd to do it. (luke has the nice ability to tie in merged mining))
23:13 < gmaxwell> like ... N months ago.
23:14 < andytoshi> my intention in saying that was exactly to claim it is cynical .. but you are right that i'd be just taking money from Matt
23:15 < gmaxwell> well I think its cynicism is not secret, but emphasizing it now might reduce his income from it, and given the two choices I'd rather have the latter.
23:16 < gmaxwell> the cynical aspect of it is super obvious (it even was one of the first comments in the altcoin thread about it)
23:16 < andytoshi> okay, that's good then .. one of my concerns was that having Matt involved publicly might make alts seem legitimate
23:19 < grau> I assume you talk about coingen.io: I think it greatly damages alts, showing how pointless they are, unless there is a network of people supporting one.
23:22 < gmaxwell> grau: thats the idea.
23:22 < gmaxwell> Were you in the #bitcoin-mining discussion where it was proposed eons ago? for some reason I had the impression you were. :P
23:23 < grau> I never joined #bitcoin-mining
23:23 < gmaxwell> hm! okay!
23:23 < gmaxwell> well as I just said: super obvious.
23:23 < gmaxwell> :P
23:23 < gmaxwell> Part of it is a network effect thing, dilution hurts smaller coins more than bigger ones.
23:24 < grau> but is it good in your opinion, or should we rather embrace alts?
23:24 < gmaxwell> I think it's good to dilute "worthless" alts. I don't think coingen.io does anything harmful at all to ones that have a solid reason for existing (which currently is .. not very many)
23:26 < gmaxwell> it highlights the worthlessness of things that are clearly worthless, and somewhat undermines the efforts of people who use the internet version of boilerroom techniques to promote worthless things trying to get a quick buck.
23:26 < justanotheruser> I think altcoins are an interesting phenomenon. Normally people wouldn't flock to a new version of software with a new logo and a few variables changed. For example, if I made altfirefox where the scroll bar was half the size and the logo was a dog, it wouldn't get any downloads let alone a thread with hundreds of replies.
23:26 < gmaxwell> though I still have no real answer to altcoins which have good _sounding_ reasons to exist but which are without substance when you pull back the technical covers.
23:27 < gmaxwell> justanotheruser: yea, you're not promoting the altfirefox with an investment ... scheme.
23:27 < warren> protoshares!
23:27 < justanotheruser> exactly, people buy into a purposeless piece of software because they think they will make money off it
23:28 < gmaxwell> right and coingen.io probably dashes those hopes for "YAAC" (yet another altcoin) though not for something with an elaborate vaporware story.
23:28 < gmaxwell> obviously the next thing to do is a coingen2.io that makes whitepapers for non-existing altcoins using a hidden-markov-model
23:29 < grau> those get rich schemes depend on being able to convert to BTC (since direct to fiat is absent) and this keeps me wondering why someone is selling BTC for some alt.
23:29 < andytoshi> gmaxwell: my hope is that i can write a faq which talks about smart-sounding alts
23:29 < justanotheruser> andytoshi: You should. There are only a handful you would have to cover
23:29 < grau> assuming there is no get rich, then motivation might really be the need for cheap tokens
23:29 < andytoshi> e.g. litecrypt and its goofy scrypt implementation, feathercoin and its super fast alts
23:30 < andytoshi> blocks*
23:30 < grau> there could be applications for near worthless tokens e.g. for games.
23:30 < justanotheruser> grau: if you want a cheap token, you should buy uBTC
23:30 < andytoshi> realsolid's difficulty algo
23:30 < gmaxwell> grau: my guesses include things like (1) people with large amounts of illicitly gained btc which can't easily be spent other ways, (2) exchanges buying them with fake BTC to pump prices for their own profits, (3) ... just people trying to repeat bitcoins rise in value a second time
23:30 < justanotheruser> I suppose you are talking about small transaction fees though
23:31 < gmaxwell> grau: sure, but we've got plenty of altcoins already, we don't need public exchanges for cheap tokens either.
23:31 < andytoshi> for that matter, solidcoin's seemingly solid reputation, and the character who turned out to be behind it
23:32 < justanotheruser> Is there going to be a point where most of the transactions are off-chain? I mean if we keep the block size at 1mb, people will eventually be competing with higher transaction fees to get their transaction into a block.
23:34 < andytoshi> my feeling is that some sort of {snark+aggressive pruning}coin will be released before bitcoin is seriously strained by the tx load
23:34 < petertodd> justanotheruser: nah, hopefully we'll just uncap the blocksize and gmaxwell and I will get the smug satisfaction of being proven right
23:34 < petertodd> andytoshi: snarks don't help with scalability the way I think you think they do
23:35 < justanotheruser> petertodd: how do we deal with the massive blockchain and bandwidth?
23:35 < andytoshi> petertodd: i'm not suggesting they can be used for pruning, but for quicker transaction validation
23:35 < grau> gmaxwell: (4) maybe also a scheme of anonymizing with recourse to BTC
23:35 < andytoshi> (and i'm aware that in 2014 even that is not true)
23:35 < gmaxwell> andytoshi: they're not quicker than trivial txn today. even the fastest stuff is .. well see that tinyram paper you linked to.
23:36 < petertodd> justanotheruser: by sharding the blockchain so that no individual node has to deal with all of it, but that's very tricky
23:36 < gmaxwell> But to the extent that they allow binding offchain systems they do improve scaling.
23:36 < andytoshi> could petertodd's MMR stuff be implemented in an alt today and enable massive block pruning?
23:37 < petertodd> andytoshi: yes, but not in the way you think so :P
23:37 < justanotheruser> petertodd: Is that in development at all? Is there anywhere I can read about that?
23:37 < andytoshi> petertodd: ok, this time you're right that i believe unjustified things :)
23:37 < petertodd> andytoshi: MMR TXO commitments actually make scalability a lot worse
23:37 < andytoshi> really?
23:38 < petertodd> andytoshi: yes, the bandwidth required to prove txin existence is about an order of magnitude more than what it is now
23:38 < gmaxwell> they make the blocks really big, but they allow a bandwidth/storage tradeoff if you can optionally send them when a node already has the data.
23:38 < BlueMatt> andytoshi: yea, I love that comment
23:38 < andytoshi> i thought with TXO commitments we could get away with only storing the last $small_time of actual blocks
23:38 < gmaxwell> bandwidth does tend to be more scarce than storage. though the ratio is kinda hard to reason about
23:38 < petertodd> andytoshi: where they can make things better is in conjunction with sharding techniques that allow that much worse bandwidth to be spread out over multiple nodes
23:38 < BlueMatt> Luke-Jr: I'm not a "bitcoin developer"?
23:39 < Luke-Jr> BlueMatt: you're not?
23:39 < BlueMatt> not a core dev sure, but I think everyone here is...
23:39 < gmaxwell> andytoshi: you can but you made the blocks much bigger because they're carrying around kilobyte proofs per txin instead of 32 byte hashes.
23:39 < andytoshi> gmaxwell: ah, i see, that's what i was missing
23:39 < petertodd> BlueMatt: heh, people are starting to call even me a core dev, which you have a much better claim to :)
23:39 < gmaxwell> of course if you have the txo set you don't need the proof, so it could be made optional.
23:39 < andytoshi> i thought this MMR business was basically a smart version of "add a hash of chainstate/ to the blocks"
23:40 < gmaxwell> andytoshi: sure but when a tx spends coins committed in that state the tx has to include a proof that its inputs are in it.
23:40 < andytoshi> and you'd request a copy of the chainstate dir instead of IBD'ing
23:40 < andytoshi> gmaxwell: oh, okay, so my understanding was not wildly far off
23:40 < gmaxwell> andytoshi: oh no, that's just SPV security for full nodes you're talking about. sort of orthogonal
23:40 < petertodd> andytoshi: that's completely right, but bandwidth, esp. anonymous bandwidth is the important thing
22:47 < nanotube> i think it's pretty cool, as far as raising dos costs
22:48 < jgarzik> I'm incredibly thrilled, though unsurprised, that Chinese like bitcoin.
Under a layer of thick communist oppression, there is an amazing undercurrent of raw capitalism in China. Sometimes they are more libertarian/capitalist than Americans, though they basically operate under "wrath of God" mode: In china, you will be OK as long as you don't wander into the political realm or make. If you do, they aim a huge cannon at you
22:48 < jgarzik> and your business.
22:48 < jgarzik> *make waves
22:49 < jgarzik> hopefully bitcoin gets entrenched. freedom++
22:49 < nanotube> heh
22:49 < nanotube> aye
22:49 < HM3> sell treasuries, buy bitcoin :P
22:50 < nanotube> gmaxwell: what prevents the attacker from calculating the hash tree on the fly when needed? 2^32 hashes are pretty fast to calculate.
22:54 < gmaxwell> nanotube: Adjust the hash cost vs size to taste. E.g. last step in the tree can just iterate the hash N times. It needs to be just slow enough that simply recomputing it every query isn't a win.
22:56 < gmaxwell> But yea, this is a bit of a pain, because you can get a hardware speedup on that. Point.
22:57 < nanotube> yea, stick a couple of ati gpus on your attack node, and you'll outcompute anything running on a vps.
22:59 < gmaxwell> nanotube: well, not quite that bad, I mean the storage full clients have a ~4 billion advantage factor over your gpu device once their table is built.
23:00 < nanotube> well, 4billion/32 :) so only 134million advantage.
23:01 < nanotube> i suppose if the challenge/response is frequent enough
23:01 < nanotube> you won't be able to maintain too many connections even with significantly more computing power.
23:02 < nanotube> it just has to be something on the order of minutes, rather than on the order of days/hours.
23:03 < gmaxwell> right, and its cheap for the server so it could be querying you once every minute or two.
23:03 < nanotube> yes, and a 'legitimate' storage client should have no problem responding.
23:03 < nanotube> mk then, back to our regularly scheduled programming.
:) 23:03 < gmaxwell> yea, not even a burden to query fairly often. 23:15 < nanotube> hm, so if we're targeting 1gb storage, and a sha3-512 hash is 64bytes, we can store roughly 2^24 hashes in the tree. which gives us roughly a 2^20 advantage for query vs response. since a couple-gpu box is roughly 2^10 faster at hashing than a cpu, that puts the attacker at a disadvantage of only 2^10. still not bad. a couple-gpu box could probably handle a hundred or so connections without using storage... but at this rate it's cheaper t 23:15 < nanotube> o just buy a few 1tb hdds and handle even more. 23:16 < gmaxwell> nanotube: well not quite, you don't need to store the whole hash. 23:16 < nanotube> speaking of which... i could buy 10 1tb usb disks for roughly $700. which is the cost of maybe 1 high-end ati gpu. 23:16 < nanotube> so for 1gb per connection, it'd only cost me 700 bucks to eat up 10k slots. 23:17 < nanotube> which is still a lot more than what it'd cost me right now to eat those same slots, i suppose. 23:18 < nanotube> gmaxwell: ok fair point. by storing only a large-enough-to-effectively-guarantee-uniqueness subchunk of a hash, we can achieve a much higher compute cost per GB. --- Log closed Mon Oct 14 00:00:08 2013 --- Log opened Mon Oct 14 00:00:08 2013 01:03 < BlueMatt> sipa: :( 02:28 < warren> sipa, gmaxwell : http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg02751.html should we go ahead with a BIP number assigned? 02:36 < BlueMatt> why can you have NODE_BLOOM && !NODE_NETWORK? 02:36 < BlueMatt> that makes no sense 02:37 < BlueMatt> if you are gonna relay something, you better check it first 02:37 < warren> BlueMatt: It is not clear why NODE_NETWORK exists, maybe it was just an example? 02:38 < BlueMatt> well, ok, my point is that that bip as written clearly says you can relay without having full verification 02:38 < BlueMatt> which is evil 02:42 < warren> BlueMatt: I agree that part really wasn't necessary to mention in the BIP. 
02:54 < warren> hmm, what was the original purpose of NODE_NETWORK? 02:55 < warren> as there really aren't any service bits, there's no example code of how they're supposed to be used. 03:09 < sipa> i think we need to diversify node bits further 03:10 < sipa> as nodenetwork implies both relaying of new blocks and historical storage of everything 03:10 < sipa> either of these combined with nodebloom makes sense 03:10 < sipa> spv nodes do neither 03:13 < warren> ah 03:13 < warren> sipa: then the pruned proposals have talked about partial blocks available ... how would you advertise which? 03:16 < sipa> i'm just disagreeing with BlueMatt that Bloom without Network is meaningless... once we have pruning 03:25 < warren> sipa: we intend on launching pruned + expiration sometime after bitcoin 0.9, with the pruned part being submitted to bitcoin. are the pruned proposals written spelling out all the diversified node bits? 03:26 < sipa> there were objections to my proposal earlier 03:28 < warren> where was the proposal and objections? 03:28 < warren> I don't even know where to look. =) 03:35 < sipa> proposal was on the mailing list 03:35 < sipa> but it doesn't really matter, we just need to start talking about it again i guess --- Log closed Mon Oct 14 09:13:21 2013 --- Log opened Mon Oct 14 09:13:35 2013 14:23 < BlueMatt> sipa: ok, though, again, the bip as stated is very misleading 14:24 < BlueMatt> sipa: "may have data that its peers may be interested in, but is not a full node" 14:25 < jgarzik> BlueMatt, RE relay, the current code is pretty stupid, and just offers everything to all connected, unless something changed in the past year or so... 14:25 < jgarzik> regardless of what a spec says 14:26 < BlueMatt> yep 16:57 < maaku> possible academic weakness in linux /dev/{u,}random: http://eprint.iacr.org/2013/338.pdf 16:59 < gmaxwell> maaku: yea, that paper was making the rounds a couple months ago. It's boring though. 
16:59 < sipa> BlueMatt: not sure why that is misleading? 17:00 < BlueMatt> sipa: it seems to indicate that you may want to relay unconfirmed data 17:00 < gmaxwell> it basically shows that if an attacker somehow knows the whole internal state of the rng (how?) he can trick the entropy estimator that he's been adding entropy when he really hasn't so the system will continue to return numbers he can derive... so long as he's the only input (how?). 17:00 < sipa> BlueMatt: well, if it's ambiguous it needs improvement :) 17:05 < jgarzik> maaku, is that what Bruce S is on about? 17:07 < gmaxwell> (Not that I'm a huge fan of linux's /dev/random ... but god knows it's probably impossible to improve now since everyone would assume every effort to do so was an attempt to backdoor it :P) 17:09 < maaku> jgarzik: yes 17:21 < gmaxwell> maaku: IIRC that paper recommends replacing /dev/random with something that is very much like AES-GCM (incrementing the galois counter by new random data that comes in). Paranoid people have already called out using AES stream ciphers as CSPRNGs in the context of the intel stuff. So their proposal is unlikely to be attractive to too many. 17:24 < maaku> gmaxwell: i see 18:42 < warren> jgarzik: do you have to mail your passport along with the application? 18:44 < gmaxwell> warren: apparently you do, intern in the office here went to china and had to send in his actual passport. They turned it around right away though. 21:42 < HM3> gmaxwell, more reason to move to schnorr-esque signatures that don't require absolute randomness for signing i guess? 21:44 < HM3> I'd be more worried about Windows RNG than Linux's 21:44 < HM3> I'm sure i read an article some time ago that illustrated with bitmaps that Windows' had patterns 21:47 < HM3> nevermind, i think maybe it was PHP 21:54 < HM3> yep PHP, but Windows did have RNG flaws some time ago. 
According to Matt Green Windows uses FIPS 186-2 22:06 < gmaxwell> HM3: that's irrelevant, you don't need randomness for DSA, and if your system RNG is bad you're already screwed (because your keys will be bad) 22:15 < jgarzik> warren, a good question 22:15 < jgarzik> warren, my FB is recommending Travista 22:15 < jgarzik> er, Travisa 22:27 < maaku> fraudian slip? 22:36 * jgarzik isn't sure what Freud would think of a vista 22:36 < jgarzik> unless you mean to imply I am using Windows Vista, which I assure you I would never do... 22:38 < HM3> gmaxwell, what do you mean randomness isn't needed for DSA? 22:38 < HM3> although i agree with your other point 22:39 < gmaxwell> HM3: You use derandomized DSA. 22:39 < HM3> but that's not DSA is it 22:39 < gmaxwell> It's indistinguishable from DSA. 22:40 < HM3> and what's the magic ingredient to derandomize it? 22:40 < gmaxwell> and in particular, you don't need to go about deploying _yet another_ cryptosystem to use it. 22:40 < gmaxwell> HM3: http://tools.ietf.org/html/rfc6979 22:41 < gmaxwell> HM3: effectively, K = HMAC(message,private_key) 22:42 < HM3> that's basically what Schnorr did 22:42 < HM3> and why I suggested Schnorr signatures 22:42 < HM3> Schnorr predates DSA 22:42 < HM3> It's also what djb did in Ed25519 22:43 < gmaxwell> HM3: Yes, I know. 22:43 < gmaxwell> (and you can find me pointing to Ed25519 in arguing to do this prior to RFC6979) 22:43 < gmaxwell> In any case, you don't need to change anything about the cryptosystem, require any upgrade, or create any incompatibility in order to do that. 22:43 < HM3> true 22:44 < gmaxwell> (and if you want you can also do HMAC(message||nonce,private_key) to belt and suspenders it... though you lose the auditability value of determinism) 22:44 < HM3> it's a bit grotty though 22:45 < warren> jgarzik: it's quite a mess. You can't mail the application, you must apply at a consulate in person or have someone else (usually a visa agent) do it for you. 
07:40 < adam3us> brisque: fantastic :) innovation wow. should allow param-tweaks, its part of the game. 15sec block interval ftw! 07:41 < brisque> I'd say that's planned. 07:41 < brisque> it's got more features than last time I looked. 07:41 < brisque> ;;tell later BlueMatt you might want to move that URL pronto, it's been posted in the main chat. 07:41 < gribble> Error: I haven't seen later, I'll let you do the telling. 07:42 < brisque> ;;later tell BlueMatt you might want to move the coingen URL, it's been posted in the main chat. 07:42 < gribble> The operation succeeded. 07:42 < adam3us> brisque: i suggest to BlueMatt that it may be interesting to generate params randomly from the hash of the coin name (for the genetic algorithm approach to choosing coin params) maybe we'll get a surprise winner 07:43 < brisque> do we have the density of altcoins for that to work? 07:43 < adam3us> brisque: (it might have been my idea to do coingen... BlueMatt & I were talking about it a few weeks back. encouraging crypto coin diversity & innovation & lowering the barrier to entry) 07:44 < adam3us> brisque: well i was thinking maybe we'd get aaacoin through zzz coin, that'd be quite varied 07:44 < brisque> adam3us: probably was. I can't imagine anything coming out of increased diversity, but it should be fun finding out 07:45 < brisque> I bet /somebody/ will make a block target of 1 second. that will be fun to play with. 07:46 < adam3us> brisque: maybe we can get better price discovery if dogecoin competes with aaacoin with params=rng(seed=aaa) through zzz 07:47 < brisque> you can't eliminate the effect of the name from the other variables though 07:47 < adam3us> brisque: it will be very interesting to observe the marketing efforts of aaa vs aab vs bbq 07:49 < gmaxwell> adam3us: it was also a proposal of mine from some time ago. 07:49 < adam3us> brisque: yes thats most interesting. 
you may detect some dogecoin wow tongue in cheek about the whole endeavor but i think it could have real benefits, unimagined by the promoters of particular BBR coins. maybe branding and features have to be stronger if there are more brands 07:49 < gmaxwell> I was trying to talk Luke-Jr into it because I thought he could do a nice mining pool tie-in with merged mined ones. 07:49 < adam3us> gmaxwell: figures... too many reinventions :) still i like the idea very very much.. 07:50 < gmaxwell> yea, as I said previously, ... dilution effects break the economics of the small ones much worse than the big ones; so presumably with enough of this there will be no more param tweak coins with a non-zero market value. 07:50 < brisque> adam3us: I don't think you can eliminate the effect of the name on the value without using large control groups. have you considered enlisting parallel universes? 07:51 < adam3us> gmaxwell: yes, i was trying to keep the tongue in cheek, but i agree this is the predicted positive outcome. i wonder if it will surprise us also though :) 07:52 < gmaxwell> win win 07:54 < adam3us> gmaxwell: i think we were talking about it, but for others it could be interesting to encourage or facilitate competition in the form of like hash rate spikes, 'coin of the day' placement, an automatic exchange listing 07:55 < adam3us> gmaxwell: i wonder also if there is a way to do this without consuming electricity. a trusted server approach maybe. renting virtual vsp, buying virtual asics that virtually fail to be delivered on time etc. then we could even add random events to mix it up a bit! 07:57 < adam3us> gmaxwell: u could even define proof of work functions with so far impossible to achieve properties :) 07:58 < brisque> adam3us: RSA coin. solve a block by factoring a private key. 07:58 < sipa> is factoring progressless? 07:58 < brisque> pretty much 07:59 < gmaxwell> depends on how you do it. 
07:59 < kinlo> there is no way to factor rsa's so you'll just have to guess/brute force the values 07:59 < gmaxwell> it's very very very not progressless for the subexponential methods. 07:59 < kinlo> but who is going to generate the rsa keys? 07:59 < kinlo> that person will (at least temporarily) have access to p & q 08:00 < brisque> MD5 proof of work would be fun. 08:01 < brisque> you'd have to prove that md5(block + a) = md5( block + b) and b!=a 08:01 < brisque> ie, finding a collision. 08:01 < gmaxwell> Most of modern factoring is based on https://en.wikipedia.org/wiki/Dixon%27s_factorization_method which is pretty much grade-school accessible... kinda fun to read about and play with if you've never toyed with fancy factoring methods. 08:02 < gmaxwell> brisque: not progress free, but doesn't have to be for the tool. 08:03 < brisque> gmaxwell: the issue is if there was progress made in a linear fashion you'd just all be racing to the same goal, wouldn't you? 08:03 < brisque> that is, the fastest person would always win. 08:03 < gmaxwell> kinlo: Bytecoin sent me email saying that he had a trustless way to do RSA number generation. 08:04 < michagogo|cloud> ;;later tell BlueMatt Looks like Magiccoin crashes when you issue the getblocktemplate command, btw... 08:04 < gribble> The operation succeeded. 08:04 < gmaxwell> brisque: right that's if it's 100% progress, there are degrees in between. 08:04 < gmaxwell> michagogo|cloud: did you pay for it to be mineable? 
:P 08:05 < michagogo|cloud> Hmm, actually 08:05 < michagogo|cloud> bitcoin-qt on Windows crashed the first time 08:05 < michagogo|cloud> now it's just hung 08:06 < michagogo|cloud> odd 08:09 < kinlo> gmaxwell: that would be cool 08:10 < michagogo|cloud> ;;gentime 3.8 1 08:10 < gribble> The average time to generate a block at 3.8 Mhps, given difficulty of 1.0, is 18 minutes and 50 seconds 08:14 < michagogo|cloud> ;;gentime 18 1 08:14 < gribble> The average time to generate a block at 18.0 Mhps, given difficulty of 1.0, is 3 minutes and 58 seconds 08:14 < michagogo|cloud> Ooh 08:14 < michagogo|cloud> Just realized I might be getting the BE that I ordered later today 08:14 < sipa> BE? 08:15 < sipa> a big endian? 08:15 < kinlo> block eruptor? :) 08:15 < michagogo|cloud> block erupter 08:15 < sipa> ah 08:15 < michagogo|cloud> Woot, just mined a MGC block :-D 08:16 < brisque> mgc? 08:16 < michagogo|cloud> brisque: magiccoin 08:16 < michagogo|cloud> brisque: http://coingen.bluematt.me/status.html 08:16 < brisque> oh 08:17 < brisque> michagogo|cloud: hold on, I want some magic too 08:17 < michagogo|cloud> ;;genrate 1 330 08:17 < gribble> The expected generation output, at 1.0 Mhps, given difficulty of 330.0, is 1.5239591407 BTC per day and 0.0634982975291 BTC per hour. 08:17 < michagogo|cloud> erm 08:17 < michagogo|cloud> ;;gentime 330 1 08:17 < gribble> The average time to generate a block at 330.0 Mhps, given difficulty of 1.0, is 13 seconds 08:19 < brisque> michagogo|cloud: damn, no autotools. 08:20 < michagogo|cloud> brisque: Nah, it's 0.8.6-based, I think 08:20 < kinlo> gmaxwell: you wouldn't happen to have the theory behind this trustless rsa generation? 08:20 < michagogo|cloud> brisque: Are you not on Windows or Linux? 08:20 < brisque> michagogo|cloud: debian, just spinning up a new VM for it. 08:21 < michagogo|cloud> So you don't need autotools :P 08:21 < brisque> makes my life easier though 08:22 < kinlo> eh, did BlueMatt really create a coingenerator? 
:O 08:22 < michagogo|cloud> kinlo: yeah, coingen.bluematt.me 08:22 < kinlo> yeah, just a bit startled :p 08:23 < michagogo|cloud> Wait, this is known outside of this channel? 08:23 < kinlo> not that I know of :) 08:23 < brisque> yeah, someone posted it on #bitcoin ahead of time. 08:23 < michagogo|cloud> Someone appears to have posted it on Reddit... 08:23 < brisque> someone needs to tell him to move it, it's nowhere near ready for public release. 08:23 < kinlo> eh, why not? :) 08:24 < michagogo|cloud> ;;seen BlueMatt 08:24 < gribble> BlueMatt was last seen in #bitcoin-wizards 4 hours, 39 minutes, and 55 seconds ago: <BlueMatt> whatever generates lots of use 08:24 < michagogo|cloud> Someone created an account just for this, it seems 08:24 < michagogo|cloud> http://www.reddit.com/r/Bitcoin/comments/1u861l/coingen_create_your_own_altcoin_in_60_seconds/ 08:24 < michagogo|cloud> http://www.reddit.com/user/altcoin_fan 08:24 < michagogo|cloud> "redditor for 41 minutes" 08:25 < brisque> doubt it would have been him, there's a lot more features to add before it's ready 08:25 < brisque> changing the address prefix for starters 08:27 < brisque> michagogo|cloud: what's your MGC peer running at? 08:27 < michagogo|cloud> brisque: I have one running on my laptop behind a NAT 08:27 < michagogo|cloud> And one on 2a01:4f8:190:1405:beef:: 08:28 < michagogo|cloud> or 5.9.140.23 08:28 < michagogo|cloud> 5 blocks at the moment 08:28 < michagogo|cloud> But later today (potentially in a few hours) I may be able to point a couple hundred mh at it 08:29 < michagogo|cloud> Mh* 08:30 < brisque> hm, could you try adding 95.85.34.118? 08:30 < kinlo> heh 08:30 < kinlo> I'll start creating a pool :) 08:31 < brisque> there we go 08:38 < michagogo|cloud> Okay, g2g for a bit 08:38 < michagogo|cloud> 9 blocks so far 08:42 < brisque> heh, threw an old miner at it. there's a few more blocks now. 09:05 < michagogo|cloud> brisque: how many? 09:06 < brisque> michagogo|cloud: 104. 
09:06 < michagogo|cloud> When I get home in 45 mins or so, I'll be able to churn them out every 13 secs or so 09:07 < brisque> michagogo|cloud: found my Block Eruptor and burnt my fingers on it. 09:07 < michagogo|cloud> Do they heat up quickly? 09:07 < michagogo|cloud> I just got my BE -- it's much smaller than I pictured 09:08 < brisque> surface of them is absolutely untouchable when they're running. just be careful not to grab it on the aluminium edge and you'll be fine. 09:09 < michagogo|cloud> How quickly does it get to that point? Is it a matter of seconds? Minutes? 09:09 < michagogo|cloud> Also, how long does it take to cool down? 18:49 < sipa> if only one could strangle non-living things 19:47 < HM> ;p 19:47 < HM> i had many ways of expressing frustration in mind, and none of them made it coherently to my keyboard 19:59 < gmaxwell> sipa: killall -19 thing 20:06 < sipa> sigstop? 20:07 < sipa> what a boring way of strangling 20:07 < amiller> hardly a strangle 20:07 < sipa> it should be more violent 20:07 < sipa> -9 comes closer 23:59 < amiller> i think i figured out a good way to model bitcoin --- Log closed Tue Jul 30 00:00:35 2013 --- Log opened Tue Jul 30 00:00:35 2013 00:00 < amiller> there's tons of protocols that are trivial with a trusted third party and impossible with just a bunch of separate players 00:01 < amiller> a trusted third party is typically allowed to keep secret state 00:01 < amiller> that seems essential, since basically the way a ttp is used is that you have to know you're talking to the ttp, so it basically has to hold a private key and it is recognized by its public key 00:02 < amiller> so bitcoin seems like it could do almost anything a trusted third party could do, except for keep a secret 00:02 < amiller> which means it can't sign anything 00:02 < petertodd> heh, bitcoin's signature algorithm is simply a very hard problem... 
00:02 < amiller> this is the sense in which the proof-of-work acts as a substitute for holding a secret 00:03 < amiller> it's the network aggregate signature 00:03 < amiller> it's almost like secret sharing, except for the secret 00:03 < petertodd> interesting concept, sounds about right to me --- Log closed Wed Jul 31 00:00:38 2013 --- Log opened Wed Jul 31 00:00:38 2013 15:40 < jgarzik> petertodd, about to integrate announce/commit TX support into txtool 16:11 < petertodd> nice 18:26 < jgarzik> petertodd, your audit report is not directly linked to something render-able in the browser? poo. 18:27 < petertodd> jgarzik: It's PGP signed and people should be verifying that stuff. 18:27 < petertodd> jgarzik: Though I could also do a zip file of it... 18:28 < jgarzik> petertodd, pipe dream, just like the PGP WoT 18:29 < jgarzik> Just decreases the reader audience size dramatically, due to lack of ease of reading, and lack of SEO indexing 18:29 < petertodd> pff, there's nothing I can do that's better other than putting it on petertodd.org, and I haven't had a site there for ages 18:29 < jgarzik> ;p 18:29 < petertodd> Litecoin can do what they want for SEO. 18:29 < jgarzik> off to Fry's, for UPS's 18:30 < petertodd> I'm posting it because I want Bitcoin people to see and learn, and criticise! 20:02 < Luke-Jr> anyone know why glibc seems to have zero real wide character support? :/ 20:08 < midnightmagic> Luke-Jr: drepper ..? 20:08 < Luke-Jr> sigh 20:08 < Luke-Jr> and ncurses lacks UTF-8 support 20:09 < midnightmagic> it does?! 20:09 < sipa> wut? 20:10 < midnightmagic> I thought it does do widechars. 20:10 < midnightmagic> Yeah, http://invisible-island.net/ncurses/ncurses.faq.html ncursesw ? 
20:15 < Luke-Jr> midnightmagic: it supports wide chars, which glibc doesn't 20:15 < Luke-Jr> it doesn't support UTF-8, which is distinct from wide chars 20:15 < Luke-Jr> and if the locale is UTF-8, it won't render wide chars using it 20:16 < Luke-Jr> although that's arguably the libc's job 20:16 < Luke-Jr> maybe 20:17 < Luke-Jr> all the documentation for glibc infers it works, but in practice, iswprint only returns non-zero for ASCII characters, and wprintf prints only the last 8 bits of every character 20:29 < midnightmagic> That's weird. I recall using ints for character printing in an old ncurses app I wrote and graphs worked just fine. 20:32 < jrmithdobbs> have they actually provided details on that iphone charger hack thing? 20:32 < jrmithdobbs> at blackhat 20:37 < midnightmagic> oh awesome. apple messed up with their proprietary cable stuff? 22:16 < Luke-Jr> hrm, it works if I set a null locale 22:16 < Luke-Jr> but only using C setlocale, not LANG= 22:18 < Luke-Jr> oh weird, setlocale does more than just what its name suggests! --- Log closed Thu Aug 01 00:00:41 2013 --- Log opened Thu Aug 01 00:00:41 2013 18:33 < gmaxwell> realazthat: did you see that mill cpu arch stuff on hacker news? 18:34 < gmaxwell> it looks a lot more like the SCIP underlying machine than the tinyram stuff.. I wonder if it wouldn't make for a better implementation, assuming you had a good compiler for it. 18:37 < realazthat> mmm no gmaxwell 18:37 < realazthat> link? 18:38 < gmaxwell> https://www.youtube.com/watch?v=QGw-cy0ylCc 18:40 < realazthat> mmmm 18:40 < realazthat> I'll watch it part now part tonight 18:40 < realazthat> love the comment: "This is the most exciting new development in computing and hair fashion in ten 19:16 < petertodd> looks easier in some ways than bitcoin's forth-like... 19:18 < gmaxwell> yea, well, it's a limited horizon single static assignment rolling window, actually looks a lot like a compiler register allocator. 
19:19 < gmaxwell> I also thought it looked like the routing topologies in the SCIP stuff, which is sort of interesting. 19:20 < petertodd> yeah, matches up nicely to how they actually work 19:20 < petertodd> I'm also thinking that on a really practical level, it'd be a nice way to refer to previous results more efficiently 19:20 < realazthat> yes 19:21 < realazthat> I think a RA would take such a FIFO into account 19:21 < gmaxwell> on the other hand, ssa form is pretty hard to read code in. 19:21 < realazthat> instead of doing RA 19:21 < realazthat> ie. it would store if it needs to remember something longer 19:21 < realazthat> is there only the belt? 19:21 < realazthat> I stopped in middle 19:21 < realazthat> he said he was splitting temporary storage off 19:22 < realazthat> but I didn't get to that 19:22 < realazthat> is there another register pool for short term storage? 19:22 < petertodd> gmaxwell: yes, although so is pure stack 19:22 < gmaxwell> There is really no belt in the actual implementation. There are a bunch of parallel lanes, one for each delay's outputs, and then it shuffles from them into the end. The belt is just a way of visualizing this delay line system. There is a logical belt per stackframe basically. 19:47 < realazthat> mmm 19:47 < realazthat> I'll finish the vid tonight 19:54 < amiller> i'm convinced there is a huge need for a really different cpu model 19:55 < amiller> circuits suck, turing machines suck, ram machines (including tinyram) suck, and term rewriting machines suck 19:56 < amiller> circuits are the only ones that map well onto modern crazy-crypto, term rewriting is the only one amenable to formal semantics 19:57 < amiller> they're all polynomially (like, quadratically) convertible in between but that's not very precise 20:08 < sipa> wow, impressive stuff 20:09 < gmaxwell> I've programmed for the VLIW DSP he's referring to (c64x) ... its a bit of a pain to program for. But works pretty nicely. 
20:14 < sipa> i've watched most of the video 20:57 < amiller> hey i have a simple practicalish idea 20:57 < amiller> why not have block locked transactions 20:58 < petertodd> isn't that what gmaxwell and I have proposed in various ways? 20:58 < sipa> a practicalish idea? 20:58 < sipa> from amiller?? 20:58 < sipa> :o 20:58 < amiller> where you can include a block hash such that your transaction is only valid if that block is in the ancestry 20:58 < amiller> this would basically allow you to limit what could happen if there's a reorg 20:59 < petertodd> right, gmaxwell's idea 20:59 < petertodd> also doable with my "getblockhash" opcode ideas 20:59 < amiller> that makes sense. 20:59 < amiller> welp, good one gmaxwell, i must have never understood it if i've seen it before :p 20:59 < sipa> iirc gmaxwell's idea does require the hash being present, but revokes fee claiming when it's not 21:00 < sipa> which sounds less dangerous in any case 21:00 < amiller> it's a nice simplification if you've already been living in a fantasy world where everyone's RationalClients automatically doublespend coins back to themselves, you know, just in case... 21:00 < gmaxwell> https://en.bitcoin.it/wiki/User:Gmaxwell/alt_ideas 21:01 < amiller> a getblockhash opcode is a good way of doing it 21:01 < gmaxwell> Transaction checkpoints. Each transaction (or signature?) should contain a block index and 32 (?) least significant bits of the block hash. The transaction's fees are only valid (or only their full value?) if they are mined in a chain they agree with. This would let people making bitcoin transactions 'vote with their wallets' on the identity of the chain they consider important. This isn't a viable POW replacement, but would greatly reduce 21:01 < gmaxwell> Nodes would typically checkpoint a few blocks in the past from their current height to avoid overstating their opinion unnecessarily. 
21:01 < petertodd> amiller: you see my suggestions on how to add as many opcodes as you want with a soft-fork? 21:01 < gmaxwell> Deep checkpoints could be automatically triggered by observing a critical mass of coins-day-destroyed confirming them creating a PoS-ish system, though this is subject to the 'nothing at stake' problem of PoS, and is probably very dangerous. (e.g. isolation risk for newly bootstrapping nodes) 21:02 < amiller> petertodd, not sure which one you mean, link? 21:02 < amiller> petertodd, if you're thinking about opcodes, in general i think it is interesting to let transactions basically make 'queries' to arbitrary indices 21:03 < amiller> so if you support getblockhash, everyone must keep an index of at least query-by-blockhash 21:03 < petertodd> amiller: hmm... kinda buried in bitcointalk somewhere, but the basic idea is that OP_MAST_EVAL can be done as a soft fork, therefore any opcode can be 21:04 < amiller> the basic functionality is query-by-txid 21:05 < petertodd> hmm... 
I think the main thing with that kind of querying, is figuring out a sane way to actually do it that is understandable 23:08 < CodeShark> for most coins, if you sold 10% of it on any public orderbook, the price would drop to zero :) 23:08 < phantomcircuit> maaku, lolol i love that 23:09 < phantomcircuit> BlueMatt, the most meaningful thing is the total size of all the bids 23:09 < phantomcircuit> asks are useless since you'll have some fools with things like 1 BTC @ 100000000000000000000000 USD 23:09 < BlueMatt> phantomcircuit: yes, agreed 23:11 < CodeShark> you could look at depth on both sides up to, say, 1% of total coins in existence 23:12 < phantomcircuit> for example 23:12 < phantomcircuit> there is 39275377.92397302 USD in bids on mtgox 23:12 < phantomcircuit> which is actually not even that much money 23:13 < phantomcircuit> but iirc the kraken XRP exchange has the equivalent of like a few thousand dollars total 23:13 < BlueMatt> phantomcircuit: yea, but that is mtgox...you can't really count mtgusd as usd anyway 23:13 < BlueMatt> anyway, yea, total bids isn't that high compared to the market cap 23:14 * BlueMatt ponders how that ratio compares to other assets... 23:15 < phantomcircuit> BlueMatt, it's difficult to compare because most assets the orderbooks are full of highly leveraged offers 23:15 < phantomcircuit> especially currency markets 23:15 < phantomcircuit> people there are often trading on 10000:1 leverage 23:16 < phantomcircuit> or more 23:16 < BlueMatt> true, but you can trade on leverage on btc on...what's the exchange again? 23:16 < phantomcircuit> bitfinex? 
23:16 < phantomcircuit> the idiot who stole the bitcoinica source code 23:17 < BlueMatt> I suppose you can't really compare the numbers until the exchange markets grow up a bit, but still, would be interesting to compare those numbers --- Log closed Fri Dec 27 00:00:31 2013 --- Log opened Fri Dec 27 00:00:31 2013 01:16 < jcorgan> /clear 13:13 < Emcy> https://twitter.com/zestyping/status/416570841720438785/photo/1 theyre mental. 13:13 < Emcy> i wonder if its actually a statement about how fucked up the internet is now 13:13 < Emcy> "welp everyone back to pneumatics" 13:31 < nsh> greenwald keynote starts: http://streaming.media.ccc.de/saal1/native/lq/ 13:33 < TD> thanks 13:37 < BlueMatt> nsh: thanks 13:37 < nsh> np 15:31 < goedgoed> nsh: Shit. CCC totally slipped my mind. Thanks for reminding me! 15:33 < nsh> np 16:46 < Emcy> greenwald isn't doing anything particularly amazing or insightful 16:46 < Emcy> hes just telling it like it is, according to occams razor mainly 16:47 < Emcy> unfortunately the weave of lies and obfuscation of whats really going on has run so deep for so long, when he opens his mouth it feels like a lungful of air after a freedive 16:48 * nsh nods 16:57 * daira2 nods too 17:33 < gmaxwell> Went out to lunch a bit ago, heard random people talking about dogecoin. The person promoting it was proposing it as a fun way to try out cryptocurrency. 17:34 < nsh> whatever happened to experimenting with psychedelic drugs and rock music :/ 17:35 < gmaxwell> I wonder if we should rebrand testnet as Courage Wolf coin. "Bitcoin too stable and secure. Use testcoins!" 17:36 < nsh> go full hog and gamify the whole system of cryptocurrency experimentation 17:37 < nsh> it'll be like spore but with a lot more hashing 17:37 < gmaxwell> well, my point there is that if you really want coins for futzing around with, testnet is better than some total alt, since at least testnet is guaranteed to track development. 
17:38 < Emcy> seriously isn't dogecoin only about 3 weeks old 17:38 < Emcy> either that was very improbable or cryptocoins in general are getting some wicked mindshare 17:39 < nsh> well, doge represents the intersection of cryptocurrency and inane internet sensations 17:39 < nsh> which have a much wider and more rapid mindshare proliferation function 17:40 < Emcy> we havent had a really good meme since the great meme collapse of 2011 17:40 * nsh smiles 17:40 < Emcy> when facebook kids started unironically posting the meme templates everywhere and then arrow knee blew the lid off the whole thing 17:40 < gmaxwell> Emcy: I mean, I am in silicon valley, hearing people talk about bitcoin in public is basically a daily event. 17:41 < Emcy> oh cool didn't know you went there 17:41 < Emcy> that skews the probabilities somewhat 18:00 < pigeons> i know people who have never used bitcoin and aren't interested in it but are trying dogecoin for fun and to buy steam games. i don't get it, but people like it for some reason 18:01 * andytoshi-logbot is logging 18:02 < Luke-Jr> gmaxwell: update topic? 18:02 < Luke-Jr> andytoshi-logbot: got a link for topic? :P 18:02 < andytoshi-logbot> I'm logging. I don't understand 'got a link for topic? :P', Luke-Jr. Try /msg andytoshi-logbot help 18:02 < andytoshi> lol 18:03 < andytoshi> Luke-Jr: i need an ack from gmaxwell .. and i'm not sure i'll get one as long as people are talking about bitcointroll users candidly here :P 18:05 < andytoshi> the last thing we need is altoz posting "see, andy and luke really are out to get me!" 18:05 < Luke-Jr> haha 18:08 < nsh> i will happily volunteer to be a few orders of magnitude more offensive than anyone else to deflect log-flak 18:08 < nsh> (just one of my many services) 18:08 < Luke-Jr> lol 18:10 < gmaxwell> logging is fine, but something more reliable than andytoshi-logbot should be doing it if we're going to have public logs. :P 18:10 < gmaxwell> also, I think the topic is public editable in here. 
18:10 < andytoshi> aww, you don't trust the perl script i downloaded and ran without reading? 18:11 < gmaxwell> andytoshi: I mean I see your bot bouncing in and out a lot. 18:11 < andytoshi> i know, it is supposed to detect disconnects and come back, but it doesn't 18:12 < andytoshi> i'll spend some time working on it over in #andytoshi.. 18:17 < sipa> dogecoin even still uses irc seeding... 18:17 < sipa> or rather, again 18:22 < gmaxwell> sipa: I assume it's a fork of the pre 0.8 litecoin codebase? 18:24 < Luke-Jr> gmaxwell: it's not (topic public edit) 18:25 < warren> gmaxwell: it's 0.6 based 18:27 < andytoshi> ok, i see, the logger's "reconnect" code just deletes the PID file and assumes somebody else will respawn it 18:27 < andytoshi> i'll give it its own user, write some systemd unit files and do this properly.. 18:52 * andytoshi-logbot is logging 18:52 < andytoshi> ok, it shouldn't disconnect for more than a few secs from now on 18:53 < gmaxwell> andytoshi: Is your CJ thing available as a tor hidden service? 18:54 < andytoshi> oh! gimme five minutes.. 18:55 < gmaxwell> yea, part of why I asked was because it's so easy to setup. :P 18:58 < andytoshi> http://xnpjsvp7crbzlj3w.onion/ 18:59 < andytoshi> let me just confirm that none of the links assume it is under domain.net/coinjoin/ ... 19:01 < andytoshi> cool, all good 19:06 < gmaxwell> andytoshi: cool. it works, you might want to put both links on the bottom of the page. 19:10 < andytoshi> done 19:11 < andytoshi> now i'll go spam anontalk with it.. 19:12 < gmaxwell> What's anontalk? 19:12 < andytoshi> i don't think that's what it's called .. there used to be an anonymous board at http://ci3hn2uzjw2wby3z.onion/ 19:12 < andytoshi> maybe it has gone down 19:13 < gmaxwell> I guess the next missing piece for your tool is an auto-participater. e.g. something that polls periodically and if there is an open CJ of the right size, it participates for you. 19:15 < sipa> TD: what timezone are you in? :)
19:17 < TD> currently 19:17 < TD> GMT 19:17 < TD> sipa: why? 19:18 < sipa> not used to seeing you join at this time :) 19:18 < andytoshi> gmaxwell: yeah, that'd be cool 19:19 < andytoshi> right now i'm working on having any coinjoins going on, when i'm not 50% of the participants 19:20 < gmaxwell> andytoshi: yea well part of the challenge, of course, is that when someone uses it there may be no one else, or /worse/ just someone with a non-match that doesn't really increase their privacy. 19:29 < andytoshi> yeah, that happened to me this morning.. 19:29 < andytoshi> ;;cjs c11fc9bd5b462946 19:29 < gribble> Coinjoin Status: session ``AMEMB Lanceros PFS Sex Tess IDB 15kg'' is completed. The submitted transaction ID was 80819213bb25df35f890fab55f8d3b71c8f5bed3b823bb949ce26e1471686e61. 19:29 < andytoshi> https://blockchain.info/tx/80819213bb25df35f890fab55f8d3b71c8f5bed3b823bb949ce26e1471686e61 i was the 0.2's 19:29 < andytoshi> it clearly said, "most popular output is 0.2. use that output size" 19:32 < gmaxwell> might be better if the person starting a join could mandate a size? 19:34 < andytoshi> maybe, i dunno, i don't want to make it too irritating .. i am already disappointed by the ~0 uptake 19:35 < gmaxwell> andytoshi: yea, sorry about that. I could have warned you. See also the ~0 uptake in PT's dust-be-gone. 19:37 < andytoshi> lol, s'fine, i learned a lot from this 19:37 < andytoshi> and i found a bug in the rust compiler, so my github account claims i have "contributed" to rust, which is cool 19:40 < gmaxwell> My experience with dust-b-gone suggests that even with an automated participater the usage will be low. I'm not sure what it takes to get it used. 19:41 < andytoshi> calling it doge <.< 19:41 < gmaxwell> I ... worry... that there are basically few actual cryptocurrency people in Bitcoin. 19:42 < sipa> is there anything coinjoin-related already usable/released? 19:42 * sipa has hardly followed up recently...
19:43 < andytoshi> i worry about this too, but then i remember that there are like 30-40 serious people here, and we are able to connect on #bitcoin-wizards and exchange research in a way that would've been impossible even 10 years ago, even if we'd had bitcoin back then 19:43 < andytoshi> well, irc was around 10 years ago, but i don't think the preprint archives were, nor do i think academics spent a lot of time on public forums 19:44 < andytoshi> sipa: i have a joiner at http://xnpjsvp7crbzlj3w.onion/ which is "usable" if you can deal with rawtx's 19:45 < sipa> ok 00:44 < gmaxwell> justanotheruser: it's not, but what you want is a resource rate limiter. You want to give each user 1/Nth of the capacity, but since users are anonymous you need a way to prevent a user from claiming that they are 100 users and gobbling it all 00:44 < gmaxwell> holding bitcoin at a particular instance of time is something that prevents unlimited cloning. 00:46 < justanotheruser> gmaxwell: I suppose an attack on the network would cost as much as in a system with PoB because they would have to create a large number of new addresses with coins and pay the tx fee for all those just like if they were doing a large number of burns 00:47 < gmaxwell> yea, well I think a real sacrifice is stronger, but it's not clear to me that something bitmessage like would need a real one, and just showing you were holding coins as of a daily txoutset snapshot would be easier to accept for users, I suspect. 00:48 < gmaxwell> in any case, I also think that because of the aforementioned ecdsa an actual sacrifice would be easier to implement. 00:48 < justanotheruser> gmaxwell: funny to see you promoting proof of stake btw :D 00:49 < gmaxwell> justanotheruser: PoS is fine, so long as you're not expecting it to operate its own consensus. 00:49 < justanotheruser> yeah 00:49 < gmaxwell> you could mine a PoS altcoin based on bitcoin holdings, you just can't the chain itself. :P
12:08 < jtimon> petertodd why does litecoin need a softfork? 12:45 < petertodd> jtimon: to implement height in coinbase, and warren wants to see single-satoshi dust made unspendable 12:46 < jtimon> thanks 12:46 < jtimon> so are they making a protocol antidust rule? 12:47 < petertodd> jtimon: yup, if nValue == 1 satoshi treat the output like a provably unspendable OP_RETURN 12:47 < jtimon> is not only in isStandard, interesting 12:47 < sipa> petertodd: why not 0 satoshi? 12:47 < sipa> what makes 1 special? 12:48 < petertodd> jtimon: Note that this *isn't* because doing so will actually have a big impact on anything, but rather the argument is to do it "symbolically" for future, more invasive, anti-dust efforts. 12:49 < petertodd> sipa: Litecoin had a bunch of 1 satoshi dust spam a while back, and it's conceivable that a future soft-fork feature might want to use 0-value outputs for something. 12:49 < jtimon> we haven't even made sub satoshi (sub-kria) outputs unspendable in freicoin. Yes, demurrage still applies to a single satoshi so you won't be able to spend it, but you may want to spend 0 coins? 12:50 < petertodd> Indeed, zero-output txouts could be used to implement an increased divisibility soft-fork for instance. 12:50 < jtimon> well, maaku was reluctant to have any form of escheatment 12:50 < jtimon> yes, and we also plan to increase divisibility on freimarkets so... 12:51 < petertodd> Add nNewValue to transactions and define nSumValue = nNewValue + nValue, then do divisibility by moving value from nValue to nNewValue, which means you can re-combine sub-satoshi outputs, it's just that old clients can't see the fact you've done so. 12:52 < petertodd> Note how this depends on the fact that miners can destroy coins forever rather than taking them as fees. 12:53 < jtimon> I think that's what we have in freimarkets 12:53 < jtimon> nValue :: int64 12:54 < jtimon> dValue :: decimal64 12:54 < jtimon> dValue = nValue * 10^369 12:54 < petertodd> Oh, interesting!
12:54 < jtimon> but maaku told me that gmaxwell told him we're not using nVersion as it was intended 12:54 < petertodd> how so? 12:54 < jtimon> I'm not sure I did understand that 12:54 < petertodd> how are you using it? 12:55 < jtimon> for us version 2 are transactions with an additional refHeight, necessary for calculating demurrage 12:55 < jtimon> so all freicoin transactions are v2 12:55 < petertodd> is refHeight actually a different binary format? 12:56 < jtimon> and freimarkets introduces v3 with more modifications 12:56 < jtimon> it's an additional field 12:56 < petertodd> right, nVersion was meant to signify to *interpret* an otherwise backwards-compatible transaction differently 12:56 < jtimon> so if bitcoin were to adopt freimarkets, interest bearing assets could be moved with v2 transactions 12:57 < jtimon> ours aren't backward compatible, they're hardfork changes 12:59 < jtimon> here's the commit that adds nRefHeight: https://github.com/freicoin/freicoin/commit/cee818350d857029e0e7148fece35646d479aea1 12:59 < petertodd> for instance P2SH could have been done with a nVersion bump 13:01 < jtimon> but some other version number was changed for that, no? 13:01 < petertodd> jtimon: right, you could have done that as a soft-fork 13:01 < petertodd> jtimon: no, that was done with voting by putting the string "P2SH" in the coinbase - not a great mechanism 13:02 < petertodd> jtimon: the "height in coinbase" soft-fork was a lesson learned there, and was done with a CBlock.nVersion bump. 13:02 < petertodd> jtimon: oh, sorry, and come to think of it the voting *wasn't* software evaluated 13:02 < petertodd> jtimon: IE, miners "voted", then a bitcoin was released that turned on P2SH on a specific day IIRC 13:03 < petertodd> eh, I might have to double-check the code for that, don't quote me :) 13:04 < jtimon_> petertodd: "right, you could have done that as a soft-fork" what? adding the nRefHeight field?
13:04 < jtimon_> anyway, the tx-nversion looked ideal for our changes, I'm not sure what we should use instead 13:05 < petertodd> jtimon_: yeah, you'd do it by just recording nRefHeight in a different datastructure that was stored along-side the block 13:05 < jtimon_> no, no 13:05 < jtimon_> the nRefHeight goes with EACH transaction 13:05 < petertodd> Yes, and along-side the block you store an nRefHeight array for each tx. 13:05 < jtimon_> oh, I see 13:06 < jtimon_> but... 13:06 < jtimon_> that number has to be signed 13:06 < jtimon_> it really belongs in the tx 13:06 < petertodd> See, what might be good is a hard-fork to allow arbitrary junk to go at the end of CTransaction's, and then forever after you could add new fields in soft-forks by bumping nVersion. 13:07 < jtimon_> interesting 13:07 < petertodd> jtimon_: oh right, well, that's another thing: SignatureHash() should have been written so that the presence of unknown flags makes the signature always evaluate as true, so that new flags could be defined in soft-forks. 13:07 < petertodd> Additionally you need different OP_CODESEPARATOR there too, long story. :P 13:09 < petertodd> (well, actually, better to only define *some* of the unused flag bits as "return true") 13:09 < petertodd> (though an even better system wouldn't have a "all-in-one" CHECKSIG anyway, but I digress) 13:09 < jtimon_> well, I think it was much simpler to just add the nRefHeight field after nLockTime (if I remember correctly, that's where it is) 13:09 < petertodd> sure, given you're doing a hard-fork 13:10 < jtimon_> so there's no way to signal hardfork versions for transactions? 13:10 < petertodd> point is, if you're doing a hard-fork you don't have to really 13:11 < jtimon_> well, it just simplifies the implementation, since older versions will still work the same 13:11 < petertodd> yeah, older code 13:12 < gmaxwell> petertodd: sig flags are set by the signer. So I write a txn with an unknown flag and freely spend your inputs. :P
13:13 < jtimon_> I guess we will keep using the nVersions even if it wasn't the purpose for a lack of a better alternative 13:14 < petertodd> gmaxwell: gah, damn, that's right 13:14 < petertodd> gmaxwell: yeah, guess that just leaves the OP_CODESEPARATOR solution so you can put arbitrary signed data in the scriptSig 13:15 < jtimon_> the "junk-at-the-end-of-the-tx and nversion for softfork additional fields" is really interesting though 13:16 < petertodd> yup, basically you just need to hard-fork in a total-transaction-length field and then go nuts 13:17 < petertodd> you probably want OP_CHECKSIG to be made to include the *contents* of the extra data in the signature hash, which nicely can be done backwards compatible - generally the extra contents are empty 13:17 < shesek> though it'll make it impossible to prevent arbitrary data storage on the blockchain, as something like p2sh^2 intends to do 13:18 < gmaxwell> petertodd: on another subject I don't know if you saw my musing; wrt coinbase only pooling, if the payout is to some M of N keys, then shares could be submitted to N entities and they could share the shares to achieve a consistent state and then do consensus signing of payouts. So you can even distribute the payout trust in coinbase only mining. 13:18 < petertodd> shesek: if you genuinely make arbitrary data storing impossible you've probably made future soft-forks difficult to impossible 13:18 < petertodd> shesek: e.g. you need to change the signature algorithm, now what? 13:19 < maaku_> are all forms of transaction storage length prefixed though?
13:19 < petertodd> gmaxwell: ha, nice 13:19 < gmaxwell> petertodd: also the entities need only about 1mbit/sec of bandwidth if you assume eligius' current user count and that each user is targeting 4000 shares / day (which gets them to the point where weekly performance <98.5% if less than 1% likely) 13:19 < petertodd> maaku_: not yet, but they can be made to be in a hard-fork 13:19 < helo> would those then be unspendable for 100 blocks? 13:19 < gmaxwell> which means you could easily support additional observer entities over the N. 13:19 < maaku_> regardless though I don't think it will work - before the soft-fork the length-extending version means nothing, after it means there's extra bytes 13:20 < petertodd> maaku_: doing that in a soft-fork is much less trivial, I'm talking about a hard-fork 13:20 < maaku_> well ok, i guess it'd work if every instance of transaction storage is made length prefixed 13:20 < gmaxwell> helo: the payouts in what I'm talking about? yes. 13:20 < petertodd> gmaxwell: not bad 13:32 < adam3us> maaku: the online validity check is for double spend checking, and if you want privacy then you have to get it refreshed by the issuer (swap a signed certificate for a new one) 13:33 < maaku> the online validity check is the only show stopper for me then, at least in the public chain case 13:34 < maaku> I wonder how much we can reduce the burden of maintaining a double-spend db 13:34 < adam3us> maaku: yes but if its a certificate rather than a signature, you can delay or do that publicly 13:35 < adam3us> maaku: the chaum thing is like you end up with a signature on a random number which they chose to interpret as "the bearer is the bearer of 1 ecash unit" 13:36 < adam3us> maaku: in bitcoin terms it's cashable by anyone!
so the recipient has to connect with haste to the issuer and send the coin to it over ssl, because it's about as secure as a bitcoin private key that the other user still has 13:36 < maaku> but with credentials it's basically like any other output, minus the traceable history 13:37 < maaku> except that validators have to keep a list of which credentials have already been spent 13:37 < maaku> so you lose the benefits of needing only the utxo for chaum/brands outputs 13:37 < adam3us> maaku: yes so if you replace the random serial number with a public key hash, then you can define seeing the certificate doesn't confer anything except that the person with the ability to sign with this is proving they are the owner of a freshly unlinkable ecash unit 13:39 < adam3us> maaku: i think bitcoin's blockchain is a double spend database, it's analogous though we think about it differently because of bitcoin mechanics, semantics and terminology - but it's a distributed double spend db in functionality 13:39 < maaku> adam3us: yes, but validation must not require access to the entire blockchain history 13:40 < adam3us> maaku: eg it's going to be far more scalable for a few validators to keep a list of spent coins, than to broadcast the double spend db 13:40 < maaku> that wouldn't even scale to current levels 13:40 < maaku> that's why we extract out only the information relevant for validation to the unspent transaction output index 13:41 < maaku> but chaum credentials would require keeping a history of all spent blinded outputs, which grows linearly with total history 13:41 < maaku> that's not scalable 13:41 < maaku> s/keeping/miners maintaining an index of/ 13:42 < maaku> of course it's all there in the block chain history, but right now miners or other full validators don't need the entire block chain history to validate new blocks 13:42 < maaku> so it'd be a large step backwards 13:43 < adam3us> maaku: it's a bit analogous to zc 13:43 < maaku> but i suppose some sort of system could be
designed to pay for this storage, and to retire old series of coins 13:43 < maaku> speaking of which, what's the advantage of zc over this? 13:43 < adam3us> maaku: yes they do have the concept of issues, retire the key 13:44 < maaku> is it that there's no centralized mint? 13:44 < adam3us> maaku: this is a new permutation i think - to have a single issuer, but use blockchain storage of double spend db 13:45 < adam3us> maaku: it's a more robust alternative to OT having multiple servers 13:46 < adam3us> yes with zc there is no central issuer, and all the coins can be in one anonymity set; if an issuer goes down, its keys are lost, then future issues will have a different key - but also this is an issuer - if it goes down maybe they become non-redeemable to the underlying also 13:47 < maaku> adam3us: yes, generally speaking except for the host currency (bitcoin/freicoin) it's okay to have some trust in the availability of the issuer, if the issuer == the redeemer 13:50 < adam3us> maaku: it could be reactive... like start with a separate redundant storage for the dbl spend (peers, validators, redundant servers) but rely on a transaction server. if there start to be big problems with transaction servers remaining online, then the redundant stores can populate a blockchain and probably receipts and timestamps can prove it's the full set 13:50 < maaku> it would be ideal if there were some way that proof-of-uniqueness could be maintained by the holder, not the network, and provided upon redemption 13:51 < maaku> adam3us: no, not if dbl spend status is a consensus property (a double-spend is not a valid transaction, right?) 13:52 < maaku> then every full node would need to have this info, if we want to maintain bitcoin's decentralized properties 13:53 < adam3us> maaku: a few days ago gmaxwell was suggesting you can get most of the benefit just trusting the issuer to be available (or his transaction server...
his actual issuing key maybe not online) 13:55 < maaku> i'm not sure how that relates to the issue i'm seeing 13:56 < maaku> i'm a full node, i receive a block with a chaum spend in it. how do I know if it's valid (not double spent)? 13:58 < adam3us> maaku: as it stands the usage pattern people gravitate to is that you check it's not double spent 14:00 < maaku> and i see two options for that: (1) check the authoritative block chain history (not scalable because you must always remember spent tokens), or (2) ask a transaction server, which decentralizes bitcoin 14:00 < adam3us> maaku: maybe you could get other tradeoffs; currently by having a double spend db, then any coin spent could be any previously unspent coin from any previous withdrawal (blind issue event) so the anonymity set is maximal 14:03 < maaku> still, all these reservations aside, that only affects the public chain case 14:03 < maaku> there's no reason not to include these blinded credentials on private accounting servers 14:03 < maaku> where the server itself can maintain the dbl spend list 14:03 < maaku> jtimon: ^^ 14:04 < adam3us> maaku: lets say you use a brands credential which supports zkp attributes. you unblind the token, then you prove the block height it was issued at is < 144, and therefore the miners add it, you can later prove you own it, transfer it to the new owner, who can request the issuer create a new one replacing the old one 14:05 < adam3us> then full nodes only need to keep last 144 blocks of double spend 14:06 < adam3us> maaku: you have anonymity within the last 144 blocks of withdrawals, and they can look for spend transactions to check if it's valid 14:07 < adam3us> maaku: (the recipient) presuming the transfer of ownership is itself logged 14:07 < adam3us> maaku: then you have some kind of blind smaller anonymity set utxo like concept 14:14 < adam3us> actually maybe you can make a p2p blind signature for the transfer of ownership.
combined with committed tx that is actually quite interesting, it means you don't know the address of the person you paid (payee anonymity) 14:15 < maaku> committed tx meaning utxo hash tree committment? 14:16 < jtimon> I think committed tx are more like a chain that timestamps everything without validating anything 14:16 < adam3us> maaku: no its something else with a badly labelled bitcoin talk subject heading. you can have the blockchain validate double spends 14:16 < jtimon> if I understood it correctly, of course 14:16 < adam3us> maaku, jtimon; right, so the block chain doesn't see who is spending to who, nor how much 14:16 < maaku> link? 14:17 < jtimon> then validators interpret the transactions by the order they appeared 14:17 < maaku> and yeah that's a horrible name 14:17 < jtimon> so if a double-spend is committed, no problem, it will just be ignored by validators 14:18 < adam3us> https://bitcointalk.org/index.php?topic=206303.0 14:18 < jtimon> but yeah, I should read it, I'm trying to guess how the proposal works really 14:19 < maaku> jtimon: well that's really my point - how do the validators validate without keeping a O(n) history 14:19 < adam3us> maaku: they either pass it with the transaction, or its on the block chain, and being in the transaction path, they get to see its history back to genesis, or to uncommitted form 14:20 < jtimon> the transactions can refer to a previous block 14:20 < adam3us> maaku: you can reveal it back to the network fairly soon, or keep it offchain for ever 14:20 < adam3us> maaku: you can respend a committed tx 14:20 < maaku> "they get to see its history back to genesis" <-- that's what we've got to avoid 14:20 < adam3us> maaku: (in committed form) 14:20 < adam3us> maaku: yes it's not had much work on trying to figure out a spv concept 14:21 < adam3us> but i think the new idea to use a blind signature for the p2p transfer may nudge some possibilities out of it 14:21 < adam3us> another interesting aspect is had homomorphic encrypted
values worked out, then you can disclose those also, without loss of privacy 14:21 < maaku> well it's not really about spv - even full validation would not be possible at current transaction rates if validators needed random access to the entire block chain history 14:23 < adam3us> maaku: it may not be as bad as that, the sender gives you everything you need to validate 14:24 < adam3us> maaku: you can have prevalidated and indexed encrypted utxo (actual forged double spends are ignored so are useless other than spam) 14:25 < gmaxwell> adam3us: "useless other than spam", which there is absolutely no way to defend against in that scheme. 14:25 < adam3us> maaku: combining it with homomorphic value is interesting because you can have normal validation then 14:25 < gmaxwell> so one wiseguy with a while true ends your system. 14:26 < jtimon> maybe transactions can be required to also provide som pow? 14:26 < jtimon> some 14:29 < adam3us> gmaxwell: yes agreed spam needs defending. there are (cleartext) fees however. and you can already pay to spam. however this is messing up a different aspect, which is the utxo size. i guess you can spam that too currently? 14:30 < gmaxwell> adam3us: only by creating valid transactions. 14:30 < adam3us> gmaxwell: is that a useful distinction? (in the eyes of the spammer) 15:12 < gmaxwell> adam3us: okay, well I can't argue with a non-specific system. There may be some way to do it.. but the colored coin stuff people talk about does not accomplish it. As far as I can tell it's not a useful tradeoff over issuer ledger with cross chain trades. 15:12 < maaku> gmaxwell: you could have per-asset zc accumulators, no? 15:12 < adam3us> gmaxwell: don't attach too much to coloring as a process, if you had moderately efficient zc, you can extend it like brands so there are ibm coins and usd coins and bitcoin zcs 15:12 < maaku> ok that's not "as described" 15:12 < gmaxwell> maaku: it's not as described. :P
15:13 < adam3us> so my point is (about why fungibility and fairly immediate final settlement is important) that if you let courts get into canceling and undoing transactions it introduces dispute costs into the transaction layer and you have no improvement over the status quo 15:14 < adam3us> they can still do their dispute resolution, just their job is to identify the party who committed the theft and demand he reimburses the victim 15:14 < gmaxwell> adam3us: I agree with that advantage only where it actually exists. Eg. yea the ledger has that weakness but so does _every_ colored coin system which I've ever seen described in detail. 15:14 < adam3us> you no more want the court undoing transactions than you want the convenience store heist to result in usd paper in your wallet to be seized 10 transactions later 15:14 < gmaxwell> And yea sure, if you postulate a system which doesn't have that problem then I revoke my complaint, there would actually be a reason to use that one vs issuer ledgers. 15:15 < gmaxwell> But where are the proposals for those systems? :P 15:15 < adam3us> gmaxwell: ok ok yes; i am leaning on idealized ecash system property which bitcoin does not currently robustly have 15:15 < BlueMatt> gmaxwell: except for the insane overhead of running your own ledger if you just want to issue some bond...contracting out the ledger without contracting out the issuance is actually quite nice 15:15 < BlueMatt> same with running your own chain 15:16 < gmaxwell> adam3us: fair enough, though it makes my other arguments stronger. e.g. ZC is hundreds of times less scalable than bitcoin * global blockchain = yuck. 15:16 < adam3us> gmaxwell: i think all agree that bitcoin should have that property as fast as we can figure out how to do it, viz coinjoin, coinswap, mixes, zc, committed tx, homomorphic encrypted value etc 15:16 < gmaxwell> yes, bitcoin should be ecash, ideally.
15:16 < adam3us> gmaxwell: alright lets do it then :) 15:17 < adam3us> gmaxwell: btw i saw you made the same argument i did in one bct thread that fungibility is orthogonal to identity traceability/etc 15:17 < maaku> you could do straight chaum or inefficient zc on a private server though (OT or Freimarkets) 15:17 < maaku> that's one advantage over doing IBM shares on the public chain 15:18 < adam3us> maaku: this is true, and chris odom has chaum, and expressed an interest in homomorphic encrypted values (if i would get off my butt and implement the protocol) and brands also likewise 15:18 < gmaxwell> maaku: yea I almost argued that a moment ago, but I'm contemplating the court arguing IBM to rewind the entire state. Of course they could do that to bitcoin too. E.g. snapshot the ZC accumulators for IBM coins as of height=12345 and now all IBM shares are offnet. 15:19 < gmaxwell> If it's really blinded to ibm, then I think you get most of the advantage of non-revocability (because it would create a disaster of doublespending) without requiring a global consensus network to create non-revocability. 15:19 < gmaxwell> The non-revocability comes from it being a suicide pact not the pow. 15:19 < adam3us> gmaxwell: i don't know that the court really need to go there, i think its better if the parties can be identified (eg by each other with proof) and the court can tell the guy who ripped the other guy to reimburse him 15:20 < adam3us> gmaxwell: after all there is currently not much bank note serial number blocking 15:20 < gmaxwell> I assumed we didn't exploit serial numbers more because we don't want to ruin fungibility. 15:21 < gmaxwell> the obvious thing to do would be to catch counterfeit bills, by making serial numbers digital signatures and having banks announce ID's in their possession .. but as soon as we do, the USD would be unsafe to accept.
15:21 < adam3us> gmaxwell: (i mean in the paper usd analog, when they have crimes they go after criminals, not after tracking down the individual notes and seizing off the current innocent owners under "receiving stolen property" rules) 15:21 < gmaxwell> adam3us: right, I understand. 15:21 < maaku> gmaxwell: i always assumed banks did this behind the scenes... 15:22 < gmaxwell> maaku: no, you know they don't because you've never heard of someone getting @#$#@ due to accepting a superdollar. 15:22 < gmaxwell> If they are they're silent about it and not making the customers eat it. 15:23 < adam3us> gmaxwell, maaku: they don't want to dent confidence in fiat, it's a fragile confidence bubble with no underlying value, apparently when they deflate, historically they are almost impossible to reinflate without going back to eg gold backing and then weaning off slowly) 15:23 < maaku> i mean, if I was DHS I would make every atm or teller counting machine scan the serial number and submit it with tx info 15:23 < maaku> i just assume, operationally, that is what they're doing 15:23 < adam3us> maaku: yes but what's the point.. no criminal is ever going to pay their note direct to a bank or atm deposit 15:24 < gmaxwell> yea, it's probably a safe "paranoid" assumption. 15:24 < gmaxwell> I don't know if it's true but it could start at any time. 15:24 < maaku> adam3us: yeah, but if you had this info for every piece of paper that enters a bank, you can detect flow of money, deduce drug routes, etc. 15:24 < adam3us> maaku: they might track it and ask people, if there is something unique to try track down a forgery ring, but generally it's hard, a shop's cashdrawer is like a digital mix, they have no idea 15:25 < adam3us> maaku: oh sure they probably log and scan the crap out of it, but they're not breaking fungibility 15:25 < maaku> not with real bills, but they do reject counterfeits 15:25 < gmaxwell> maaku: well, only bad ones.
15:26 < adam3us> gmaxwell: so back to your comment above that most of this can be done by IBM operating their own double-spend db, online, and be done with it (with chaum for fungibility) 15:26 < gmaxwell> maaku: rejecting counterfeits that a careful shopkeeper could also reject doesn't break fungibility. 15:26 < gmaxwell> Rejecting ones that can only be detected with trusted online read/write access to a bank database would. 15:27 < adam3us> gmaxwell: one diff is ibm is central and could get their db hacked, the same way various bitcoin business had bitcoin thefts or ownership database modification 15:28 < adam3us> though they could append only write once log everything, if it's fungible that's still a problem as you don't know which tx to accept after fixing the db 15:28 < gmaxwell> adam3us: imagine what IBM runs is a private fork of bitcoin with ZC, a separate network.. and instead of POW they use IBM signed blocks and WORM media. 15:28 < adam3us> hmm maybe you could think of the block chain as a distributed secured append only double spend implementation 15:28 < maaku> adam3us: OT or OT-like private accounting servers would prevent this - every affected participant would know that the server reversed its state 15:29 < adam3us> gmaxwell: it's not bad, while they can undo things, they can't usefully undo them because of the blinding anonymity based fungibility 15:32 < adam3us> it does mean ibm has to be online and be involved in every trade of ibm for usd, or btc. 15:32 < adam3us> as you can't securely transfer without their confirmation of non-double spent status 15:33 < adam3us> maaku: they may know but what are they going to do about it?
i presume the OT argument is to instantiate a new OT server, repopulate it with their combined logs and start with a new key 15:35 < adam3us> gmaxwell: i think another diff is the central server approach has full control and sets its own rules and can change them at any time 15:36 < adam3us> gmaxwell: eg with blockchain, there could be a smart-issueing-contract n a share, that says they cant issue more without 25% share holder approval, they cant do a share buy back without similar, and the approval is validating the amount; in this way the issuer is relatively powerless and has to behave within its contract 15:36 < gmaxwell> adam3us: yes, but I think thats true even using bitcoin since ultimately IBM controls the redeeming. e.g. "We're gonna go issue new shares over here, too bad for you guys that don't agree, since we're paying out the dividends" 15:37 < adam3us> gmaxwell: also redemption is a mini-buy back, so if those are allowed they would be required to prove posession and to prove destruction 15:38 < adam3us> gmaxwell: yes while the details are hazy at this point, i think where this is heading is like a scrupulously honest, uninfluenceable virtual bot enforcing as much of the companies stock rules and finances as can be coded 15:39 < adam3us> gmaxwell: except that as its block chai validated it is the down stream recipients that validate and reject if the terms were not followed, so th epotential to apply the smart-contract apriori enforcement can cover more and more of financial function 15:40 < adam3us> gmaxwell: ie the profits are mathematically defined, and the dividend voted on, and the company cant override the agreed rules for dividen issue 15:41 < adam3us> gmaxwell: and no one would pay an address for IBM not covered by its company contract, as they'd know there would be elevated risk the company execs would line their pockets iwthout shareholder and board approval 04:49 < gmaxwell> we had big farms with gpus, amd is now raising their gpu prices due 
to litecoin. I don't think hardware selection saves you from consolidations, being worthless does. :P 04:49 < adam3us> gmaxwell: amiller's thing might be easy to make work no? as i recall we were talking about eg chameleon hash so the miner can chose after the fact what the reward address is 04:50 < adam3us> gmaxwell: yes probably no diff from that perspective 04:51 < adam3us> gmaxwell: it might be hard to pool two fast computers super-linearly with momentum because of latency and bandwidth of ethernet vs ram, however simpler proof of work doesnt have that problem to start with 04:52 < gmaxwell> adam3us: I think it's tricker than that, because you can't have people going and replacing 'ordinary blocks' later. ... but regardless, as I mentioned above, I don't think it helps even if its easier because while it would kill pooled mining completely dead, people would still cloud mine... and without pooling they'd probably only cloud mine. 04:52 < adam3us> gmaxwell: in principle a fixed momentum could be a memory hard proof of work, but with no memory to verify. verification is h(a)=?h(b) mod 2^k, and h(a,b)<target 04:53 < gmaxwell> The way all the popular pools today (excepting p2pool) work their operators could be easilly skimming a couple extra percent from users nearly undetectably in any case... and few care (as measured by the p2pool hashrate). 04:53 < adam3us> gmaxwell: yes and cloud mining is in many ways worse - even if he user is independent, the hosting provider can comply with court orders to tamper and not tell user (gag on top) 04:54 < gmaxwell> or it could all be going along in a lovely way ... until it isn't and all the hardware has been handed over to someone else. 
04:54 < adam3us> gmaxwell: i am having a "if they dont care" make some technical approach to make them care moment - eg hack them, or make them easier to hack 04:54 < adam3us> we are lacking a disincentive to idiocy motivator 04:55 < gmaxwell> well, I don't have anything to offer, in darker moments I've mused that the only "fix" is to go out and run dishonest pools and mining companies and just rip people off ... but even there, that doesn't work: it's already been done and here we are. 04:56 < gmaxwell> I suppose that in the limit, with enough theft, people will eventually clue up or go broke... but a little doesn't appear to be enough. 04:57 < adam3us> gmaxwell: anyway something useful from this discussion, it seems there is scope within coinbase only eg gbt extension to give people who do care something they can do using existing pools; though why they would not use p2pool already is a mystery (if it really does scale) 04:57 < gmaxwell> as I mentioned before, 50btc is eating all coins, and it still has non-trivial hashpower. People even show up on IRC asking about it from time to time... I went and updated the wiki page the last time someone showed up in #bitcoin-mining asking about using it: https://en.bitcoin.it/wiki/Comparison_of_mining_pools 04:58 < adam3us> gmaxwell: LOL pps fee=100%, 1.8TH ha ha ha 04:59 < gmaxwell> adam3us: p2pool scales but has some tradeoffs in the payment mechensim / variance. ... at least right now it 'scales' by keeping the pool-wide share rate to 1 share per 30 seconds. Which means that if you're a "small" miner, e.g. 60gh/s you're only getting a couple shares a day, and not getting paid in every block. So higher variance than you would get mining at eligius. 05:01 < gmaxwell> Personally I think people worry too much about variance if you're getting paid multiple times a week meh, nothing bad will happen. 
But its a much more visible thing to miners than things like the risk of a pool attacking the network or skimming an extra 1% on top of their 3% stated fees. 05:02 < gmaxwell> plus you have to run p2pool which adds an extra 500MB memory and 2kB/s of network traffic, on top of running a full node. Coinbase-only could let you have more payment pooling flexibility, and potentially outsource the full node running to a third party (distinct from the pool) 05:03 < adam3us> gmaxwell: according to 50btc.com it has 3.26 TH i guess its not so much only $1670/day 05:04 < adam3us> gmaxwell: i do like stuff Luke-Jr does. like down prioritizing reused address and other fun. would happily delegate vote to him 05:05 < gmaxwell> yea "only" $1670/day. "I'm in the wrong business" when you could just run a pool for a bit then stop paying people and recieve $1670/_day_. :P 05:05 < adam3us> gmaxwell: of couse he already has 12% 05:06 < hno> gmaxwell, I would hope it declines rapidly if trying to pull that off. 05:06 < gmaxwell> yea, thats a somewhat recent event. 05:06 < gmaxwell> hno: they stopped paying over two months ago. It did decline rapidly, but it seems like it's taking a loooong time to die completely. 05:07 < gmaxwell> there are people who lost >100 btc in accrued funds on the pool. 05:07 < hno> right, that pool... 05:08 < adam3us> gmaxwell: $600k/year :) seems odd - their own stats show their % nosedivided from 122TH in oct to 3TH now. even so they had 3% fee so 3% of 122 > 100% of 3.26 (just) seems more like bitrot- but why bitrot something paying high income? weird 05:08 < gmaxwell> basically every major pool has been hacked at some point, except eligius. (and maybe except ghash.io, but I'm actually not sure there) 05:10 < gmaxwell> adam3us: well they were losing their position due to growth of cex hashrate. ... 
now, they claim to have been "hacked" so it may not have been a choice, but otherwise 100% of 3TH _plus_ hundreds of btc in balances vs 3% of 122 with prospects of rapid declines in the share of the total... 05:10 < hno> same rule as always.. keeping funds online / at control of others (not sure there is a distiction between those two) is high risk. 05:12 < adam3us> gmaxwell: but it seems bizarre - hacked and locked out and hackers just left it that way? didnt care? "hacked" ie they took their own funds and pretended it was a hack and moved onto other projects 05:12 < gmaxwell> I, personally, think the latter is fairly likely.. but the pool was basically always very absentee-operated. E.g. lost a whole bunch of blocks when p2sh was deployed because they hadn't updated. 05:15 < gmaxwell> The way it played out is that they were "hacked" and then didn't respond at all for two weeks. The 'hackers' scrambled up everyone's balances and ran off with all they could. it's since been locked down and there is apparently some story about some randsom for the balance data. 05:16 < adam3us> eligius approach for immediate payout in the coinbase is more sensible, then miners can validate their address is in the coinbase and central theft risk is largely avoided 05:17 < gmaxwell> not completely, since it could be live stolen, e.g. hack in and make it pay any found blocks to the attacker until someone notices. 05:18 < gmaxwell> but there are independant people running sanity checkers on the eligius coinbases. 05:18 < gmaxwell> and the operators phone numbers are on the website and irc channel, so its unlikely that would last long 05:30 < maaku> adam3us: how do you distribute mining fees if the pool doesn't select transactions? 05:32 < maaku> gah, tx fees 05:33 < gmaxwell> maaku: pretty straight forward, you report the fees in your shares submitted to the pool, and the pool does some proportional thing for at least the fees portion of the payout. 
05:36 < maaku> gmaxwell: so you pass fees as a parameter to gbt? i guess that can work 08:43 * andytoshi-logbot is logging 08:57 < andytoshi> nOgAnOo: http://download.wpsoftware.net/bitcoin/wizards/ 08:57 < andytoshi> i should probably have the logbot announce that url.. 09:11 < michagogo|cloud> andytoshi: Note that freenode policy is that public logs of a channel need to be authorized by channel operators, and all users need to be made aware (the suggested method is a note in the topic) 09:12 < michagogo|cloud> (chanserv says that the only op in here is mindspillage... no idea who that is) 09:16 < michagogo|cloud> Google (and NickServ's listing of the cloak on the account) suggests it's someone named Kat Walsh, a former chair of the Wikimedia Foundation and attorney for Creative Commons 09:17 < michagogo|cloud> Still no idea who this person is and why she registered this channel... 09:18 < pigeons> michagogo|cloud: someone in this channel is very close to her 09:19 < pigeons> i've seen him use her irc account, as can sometimes happen when you share machines with someone 09:19 < michagogo|cloud> Ahhhhhh 09:19 < michagogo|cloud> A google search for (mindspillage OR "kat walsh") bitcoin 09:20 < michagogo|cloud> turns up http://bitcoinstats.com/irc/bitcoin-dev/logs/2012/03/03 09:20 < michagogo|cloud> Hi Greg :-) 09:20 < michagogo|cloud> Gregory Maxwell (greg@wikimedia/KatWalsh/x-0001) is authed as mindspillage 09:21 < michagogo|cloud> They share a NickServ account? o_O 09:23 < michagogo|cloud> ;;later tell gmaxwell I noticed http://en.wikipedia.org/wiki/User:Gmaxwell has an outdated version of your pgp key... missing 2 UIDs, 2 subkeys, and 158 signatures 09:23 < gribble> The operation succeeded. 
09:27 < andytoshi> michagogo|cloud: thx 09:30 < andytoshi> ;;later tell gmaxwell freenode policy is that i notify a channel op before running andytoshi-logbot, and that the log url ( http://download.wpsoftware.net/bitcoin/wizards/ ) wind up in the channel topic 09:30 < gribble> The operation succeeded. 09:31 < michagogo|cloud> andytoshi: s/notify/ask permission from/ 09:31 < andytoshi> oh :) 09:32 < andytoshi> if anyone has a problem, i will take it down -- but i have mentioned to gmaxwell that i'm running this log bot before 09:33 < michagogo|cloud> andytoshi: It's actually in the motd 05:19 < TD> that would be useful. the scheme in your post sounds like a wallet would have to sync with the network regularly just to keep money spendable, not only like today to learn about new inbound coins 05:20 < Mike_B> a "merkle mountain range" just looks like a set of merkle trees? 05:20 < Mike_B> where there's no single top node? 05:21 < gmaxwell> TD: kinda! in order to spend it would need some data this is kept updated by an online node, but it doesn't have to have this data itself, if there are other nodes providing this service. 05:21 < TD> right 05:22 < gmaxwell> Mike_B: it's an insertion ordered binary tree where you keep the right edge of the tree constantly. So you can keep inserting while only storing ~log2(n) data. 05:23 < gmaxwell> see also, https://github.com/opentimestamps/opentimestamps-server/blob/master/doc/merkle-mountain-range.md 05:30 < Mike_B> gmaxwell: what do you mean by keeping the right edge of the tree constantly? looks like in the example above that they append nodes to the right and the left is constant 05:30 < Mike_B> in that github link 05:32 < gmaxwell> Mike_B: "keeping constantly" mean keep that data all the time. sorry for the confusing language. :) 05:33 < TD> gmaxwell: did you see the multi-party lottery paper? 
05:34 < TD> probably the most impressive piece of academic research into bitcoin yet, too bad the paper has a fair few spelling errors and is quite hard to follow 05:34 < gmaxwell> I did. and their transaction. 05:34 < gmaxwell> (I didn't comment in the thread.. instead I used my diabolical mod powers to copyedit amillers post :) ) 05:36 < TD> hehe 05:37 < TD> i sort of understand why they invented their own notation for the scripts and transactions given the complexity of their programs, but ... i really wish they had avoided greek letters 05:37 < TD> english pseudocode is so much easier to follow 05:38 < gmaxwell> I was just talking to Iddo about it earlier, he's emailing them to point out the efficiency improvements Adam Back and he came up with in their cointoss thread. 05:39 < Mike_B> gmaxwell: sorry for being so slow here, i'm trying to get caught up to speed fast 05:39 < Mike_B> you guys have a tremendous amount of knowledge at the ready 05:39 < Mike_B> i'm totally new to the game 05:39 < TD> yes it reminded me i never wrote up adams/iddos coin toss protocol on the wiki 05:39 < TD> must do that 05:40 < Mike_B> so here's an absolute noob question: when you talk about the utxo set, you just basically mean the total set of coins that each wallet has, minus the wallets with 0 coins (e.g. almost all)? 05:40 < Mike_B> like it's a set of wallets with coins in them that are "unspent," meaning they're still in those wallets? 05:40 < gmaxwell> I wonder if any of those software packages for making illustrations from state machine descriptions could be put to use in illustrating some of these protocols. 05:41 < gmaxwell> Mike_B: Bitcoin doesn't track balances. It tracks transaction outputs, which we often tend to call coins. Every transaction specifies a list of TxIns and a list of Txouts. 
05:42 < gmaxwell> Mike_B: the TxIns are the transaction outputs from past transactions that it will be consuming they're represented by encoding a txid and an index (which txout of that txid). 05:43 < gmaxwell> The txouts are the outputs from the transaction, which have a scriptPubKey (identify the rules for spending the output) and the value. 05:43 < sipa> it's very much like a wallet, where you track each individual coin 05:43 < sipa> except that coins can have arbitrary values 05:43 < sipa> to do a transaction, you give some coins, and get some coins back 05:43 < gmaxwell> The UTXO set is all the txouts that haven't been spent yet... keyed by txid:index. with data being .. the scriptpubkey and value (and potentially a little bit of other data) 05:44 < gmaxwell> There are a bunch of reasons why this way of constructing the system actually turns out to be simpler than having balances. And if you're always using new public keys for privacy, its basically the same efficiency. 05:45 < Mike_B> ok, got it 05:45 < gmaxwell> https://people.xiph.org/~greg/tx.flow.png < a simple visualization I did for a post previously. 05:45 < Mike_B> ok, so instead of a set of "wallets with balances," which is what i thought naively, it's just a set of "wallets with individual coins," where each "coin" is a transaction that went to that wallet and is still in there 05:46 < gmaxwell> right, and a coin is spent atomically. If the coin has more value than you want to spend, you add an output to send some of the value back to you. 05:46 < gmaxwell> "Change" 05:46 < Mike_B> oh, i totally get this from satoshi's paper now 05:46 < Mike_B> when he talks about an individual coin being a chain of signatures and etc 05:47 < gmaxwell> Righ! yea, the whole system of transactions works without the blockchain at all so long as no one double spends. 
:) 05:47 < Mike_B> i was always confused because it sounded like he meant literally one coin, like 05:47 < Mike_B> but a "coin" is just a transaction 05:47 < Mike_B> ha, that makes way more sense now 05:47 < gmaxwell> right you can imagine it as little metal coins that go off to the network to be melted down and reforged with new owners, and the network obeys conservation of mass. 05:47 < Mike_B> yeah that's exactly how i just visualized it in my head right now, haha 05:47 < Mike_B> different size coins 05:48 < Mike_B> beeeeautiful 05:48 < gmaxwell> (if the outputs are of lower value than the inputs, then the remainder is kept by the miner as a fee) 05:48 < gmaxwell> yea, it's a good mental model, though the overloading of "coin" and "bitcoin" creates confusion. :( 05:48 < Mike_B> i had this thought about mining and consensus and it's connection to something from political science called "arrow's impossibility theorem" 05:49 < Mike_B> it seems like the basic point of the blockchain, in a certain sense, is to come up with some way for the network to reach consensus on which transactions happened first 05:49 < gmaxwell> lol 05:49 < gmaxwell> Thats the purpose of it exactly. 05:49 < gmaxwell> I'm laughing becuase I spent a lot of time on IRC telling people that the only real purpose of mining is ordering transactions. 05:49 < Mike_B> say i'm in the US, and you're in japan, and we both control the same wallet with 1 in it, and we try to spend that 1 "at the same time" 05:50 < gmaxwell> yea, there is no _general_ autonoymous way to have a decenteralized order see lamports clock paper. Relativity makes order position dependant, if you want to be uber wanky about it. 05:50 < Mike_B> but there's no such thing as "at the same time" actually, because even if information traveled as fast as possible (e.g. 
at the speed of light) it'd still take like 30ms or so for information to get from (say) new york and japan, right 05:50 < Mike_B> haha, you called the thing i was about to say "wanky" before i even got to wank :( 05:51 < gmaxwell> I'm allowed to call it wanky because its a position I've earnestly advocated. :) 05:51 < Mike_B> so anyway, *wank wank wank* relativity, no privileged reference frame, etc 05:51 < gmaxwell> But, you know, invoking relativity to explain ... its a little overpowered. :) 05:52 < Mike_B> i did find it useful though, because sometimes you're fooled into thinking that at bottom, there really was a "true" ordering of events 05:52 < Mike_B> and network latency just obscures that One True Ordering 05:52 < Mike_B> i found it useful to realize that i need to completely give up on that because it doesn't even exist 05:53 < gmaxwell> but right, for the most part the system is autonomous and trustless but relativity gets in the way making there be no true order unless you assume a privledged position. So we use a computational vote. Voting sucks. But it's pretty much only used for the ordering. 05:53 < Mike_B> yeah that's what i was thinking 05:53 < Mike_B> the network basically needs to "vote" on a reference frame, and bitcoin is like using the "random ballot" voting approach 05:53 < Mike_B> and the downside to that approach is the 51% vulnerability 05:54 < gmaxwell> right. but if you think about it any kind of "consensus" must have some kind of majority vulnerability... otherwise it has a minority vulnerability! 05:55 < Mike_B> if you used "first past the post" voting, which is kind of ripple's trying to do, you'd run into some other characteristic vulnerability 05:55 < gmaxwell> if there are orthorgonal states that honest nodes can disagree on, and you must pick one... the weak part of bitcoin isn't 51% it's that it's a 51% of computation (well, really energy consumption it seems :) ) which may not map to anything fair. 
05:55 < Mike_B> hm need to think about that re minority vulnerabilities 05:55 < gmaxwell> "fair" 05:56 < Mike_B> yes, that makes sense 05:56 < Mike_B> well i was curious if the 51% attack is a special case of that Arrow's impossibility theorem with the "random ballot" voting method 05:56 < gmaxwell> e.g. 51% of computing power could still be 1% of people, which would be a bit unfortunate. Though, if you want to be .. again. wanky.. given enough time 51% of energy means 51% of anything else. If bitcoin was based somehow on counting people, china (favorite boogyman) could use an energy majority to fund mining babies. 05:57 < gmaxwell> 'mining' 05:58 < Mike_B> what do you mean by that 51% of anything else part? 05:59 < gmaxwell> I was responding to my own point that 51% of energy expended on the system is not necessarily a fair representation of the wishes of the users. But at the same time if someone can really outspend the honest users, then upto-some-efficiency-constant-factors they can also out-whatever your metric is. 05:59 < UukGoblin> isn't "wizzard" spelled with two "z"s? ;-) 12:05 < gmaxwell> Well SNARK basically just means "efficient proof", but you mean are there ZKP that are more efficient for cert chains.. and yes, there are e.g. signatures in the identity based encrpytion model are basically that. 12:05 < gmaxwell> (and they can even be smaller than our own signatures; assuming you trust pairing crypto) 12:05 < TD> you mean for IBE/ABE and variants? 12:07 < gmaxwell> TD: http://www.larc.usp.br/~pbarreto/pblounge.html e.g. CC02 there. (Though I don't recall if that one uses short signatures, I think it does) 12:07 < TD> thanks 12:07 < TD> btw, your construction requires a proof of a program that itself runs a program. does that explode the complexity requirements? 12:07 < TD> i mean does the program you prove have to basically be an interpreter for another program? 12:09 < gmaxwell> Nah, it just has to have the function embeded in it. 
The payer would see the meta program and be happy with it. 12:09 < TD> right. because the secret you're selling is not a program, it's the inputs to the program 12:10 < gmaxwell> right if it is a program you'd have to have the execution inside it. though _technically_ that wouldn't be any harder. In fact thats how tinyram works. 12:10 < gmaxwell> E.g. for tinyram all users use the same validation key, the validation key for the tinyram circuit. 12:10 < TD> yeah, the program it proves is a cpu that runs the real program 12:10 < TD> yeah 12:10 < gmaxwell> well I shouldn't say any, tinyram is a slowdown for many things. 12:10 < TD> well, no, i thought the tinyram circuit was manufactured by a compiler and it is a series of steps customised to the program that has to be run. like in size. 12:11 < TD> so it's somewhat but not completely generic 12:12 < gmaxwell> TD: nah, at least what they're doing right now the tinyram key is constant (at least for a given number of public inputs, and a duration of execution the later being the big thing). and the hash of the program you want it to run is one of the public inputs on the proof size. 12:13 < TD> right, that's what i meant, it's customised for the execution time. 12:13 < TD> i guess in future an obvious optimisation is to customise it further, so opcodes you know can't be executed at time X aren't emitted 12:14 < gmaxwell> Right and indeed. I was thinking about that in particular related to bitcoin, for our applications we often want proofs of hashtrees (e.g. is this transaction comitted), and implementing sha256 in tinyram is stupidly inefficient compared to a direct circuit. 12:15 < gmaxwell> but such programs could usually be arranged as a set of pre-processing steps where there is no control flow, and then a set of tinyram steps. 
12:16 < TD> or you could just microcode SHA256 or other primitives so the compiler emits specialised circuits directly 12:16 < TD> i think that's what eli suggested for RSA modular exponentiation 12:17 < gmaxwell> yes, but then you increase the size of the tinyram machine, which makes all the steps when you won't be running the instructions slower. It might make sense for sha256 since you probably would want it in the middle of control flow for many applications. 12:18 < gmaxwell> in any case, at least for the GGPR zk-snarks the validation keys are pretty small. (similar in size to the proofs) and it would be perfectly reasonable to have circuts customized for many different things. 12:19 < gmaxwell> though I don't know if the same is true for some other systems which don't have the CRS security model limitations, if not then you may really prefer everything use the same circuit. 12:28 < andytoshi> man, this password-locked transaction stuff is brilliant 12:28 < andytoshi> such a simple idea 12:29 < TD> this is a new use of the word "simple" i was previously unfamiliar with 12:30 < sipa> "This obviously some strange usage of the word 'simple' I hadn't been previously aware of." 12:30 < andytoshi> well, the "throw a password into what's being proven" idea is simple 12:30 < andytoshi> everything surrounding it is not, but that's as far as i got trying to tackle the problem 12:30 < gmaxwell> I wrote that why_hash_locked page really as a flight of fancy, at the time I wrote it the construction that all the current work is using to make this stuff tractable hadn't even been invented yet! (well, at least not published yet) The existing ZKP stuff for general circuits that I was aware of appeared to have complexity that was infeasable even as a tech demo. (though, in fact there were some somewhat viable things I just wasn't ... 12:30 < TD> sipa: i forget where that quote is from. hitchhikers guide? 12:30 < sipa> TD: bingo! 12:30 < gmaxwell> ... 
aware of them) 12:31 < TD> yeah it sounds like Adams :) 12:31 < sipa> (it was 'safe' instead of 'simple') 12:31 < TD> sipa: but it's such a brilliant construction that works with any word :-) 12:32 < gmaxwell> There is also the classic, "You keep using that word. I do not think it means what you think it means." 12:32 < andytoshi> hmm, this is really exciting stuff.. 12:32 * andytoshi will look into switching his doctorate to CS 12:34 < gmaxwell> (The Garth2010 paper was out, and I suppose would have worked for this the proofs involve something like 45 group elements, but the proving process is basically the same as the GGPR stuff. ... of course no implementations, ... now we at least have benchmarks of implementations) 12:35 < andytoshi> what is the stuff that zerocoin uses? i have not read that paper yet.. 12:37 < gmaxwell> andytoshi: zerocoin uses a application specific cut and choose zkp, not a general proof for NP. Their ZC2.0 stuff will be based on a zk-SNARK for NP (like the SCIPR lab stuff). 12:37 < andytoshi> kk, thanks 12:37 < andytoshi> i have not read tho zk-SNARK paper yet either :P 12:38 < andytoshi> i've had students wasting my time all morning 12:49 < TD> it's more of a book than a paper 12:54 < gmaxwell> A lot of the papers in this space are quite long.. e.g. 60 pages is pretty typical. 12:55 < gmaxwell> "I thought this was supposted to be a succinct argument??" 12:56 < zooko> Heh heh 13:01 < gmaxwell> I bumped into a survey paper thats probably a handy reference "Verifying computations without reexecuting them: from theoretical possibility to near practicality" (googling that string yields it) 13:13 < gmaxwell> They don't focus as much on the details around public verification as I would have (since its centeral to most of our applications) but it looks like a reasonable survey. 13:27 < TD> thanks 13:37 < maaku> andytoshi: switching to CS from what? 
13:41 < iddo> gmaxwell: i was confused earlier, Bob sees the entire refund txn (he only sees hash of the earlier txn that the refund spends), so Bob can see that he gets the right amount of coins back if the earlier txn had some of his coins as input 13:41 < iddo> TD: gmaxwell: i wrote the coin toss protocol as short note PDF: http://www.cs.technion.ac.il/~idddo/cointossBitcoin.pdf 13:42 < iddo> i asked the guys who wrote the new MPC paper to reference this instead of forum post, they haven't replied yet 13:43 < iddo> it's also less cluttered than the entire forum discussion, i suppose 13:43 < iddo> (also i asked Adam Back to write this short note PDF, he agreed) 13:44 < gmaxwell> iddo: I don't think you were. The refund transaction can't be authored unless bob has already signed the escrow transaction. in which case, alice could go ahead and announce it and tie up bob's funds without a refund. 13:46 < andytoshi> maaku: mathematics 13:46 < iddo> hmm 13:46 < TD> iddo: an opcode that pushed the block hash would cause problems after re-orgs. 13:46 < TD> iddo: a re-org could change the outcome of the toss and invalidate all following transactions. that's why there's a maturity rule on coinbases 13:47 < iddo> ok maybe the opcode can require some sort of maturity? 13:48 < maaku> andytoshi: well doctorate-level CS is really a sub-field of math ;) 13:48 < TD> perhaps. but not being able to spend the results of your bet for 100 blocks or so is awkward. and the 100 block rule is arbitrary. 
for coinbases we just have to suck it up, but i'm not sure we should be spreading the idea of "mature" coins further 13:48 < TD> i mean people love their fungibility, right ;) 13:48 < iddo> i mean a node will evaluate this opcode as some illegal value, unless the block is mature enough 13:48 < iddo> ok 13:50 < iddo> yes when considering safe maturity rules, this idea of pushing block hash on the stack becomes much less attractive 13:50 < iddo> i'll re-word or delete it 13:51 < andytoshi> maaku: yes, but nobody in the math dept does crypto :) 13:53 < gmaxwell> TD: part of the reason for maturity is to ensure fungibility. :) Makes it so you don't have to go inspecting the history of every coin you recieve to make sure it's not a recent coinbase. 13:54 < TD> well yes, and as an arbitrary choice it's fine. but we just sort of pretend the 100 block rule doesn't exist. i mean, otherwise we could just auto-checkpoint every 100 blocks and get rid of the maturity rule entirely. and it'd be basically the same 13:54 < TD> it's just yet another magic number. it's worth it, but not conceptually very clean 13:55 < gmaxwell> Yea, not saying it's clean, another number would have worked. At some point in depth a coinbase is like any other input.. is that number 100? 1000? 50? It's certantly not 12 since we've had reorgs in production that deep though they were special cases. 13:56 < gmaxwell> Having to worry that 2 tx back there was a bet transaction that will be lost in a reorg is lame though. 13:57 < iddo> gmaxwell: i see about bob having to sign the escrow txn before the refund txn is created, so my first coin toss protocol would indeed need the extra complexity, luckily Adam's protocol makes all of the aspects of it as efficent as possible 06:23 < BlueMatt> not that Ive thought about it at all, but it seems to go together there 06:23 < gmaxwell> 32 years until the reward is imprecise. 
06:23 * BlueMatt goes back to all-nighter coding parallel algorithms 06:24 < gmaxwell> Mike_B: software engineering nightmare. 06:24 < Mike_B> yeah that's no good 06:25 < Mike_B> i guess the only way around it would be to just get rid of the finite supply 06:25 < gmaxwell> already the range we have is close to what you can do before it's annoying. 06:26 < Mike_B> which is equivalent to everyone on the network paying a very small "tax" to miners 06:26 < gmaxwell> I do kinda wish bitcoin had been programed with some very slight inflation. But ... it sure makes the explination easier to say fixed supply. 06:26 < Mike_B> it would be weird for political reasons, people hate inflation 06:27 < BlueMatt> gmaxwell: i think most people do, but the "deflationary" statement made initial adoption all the more attractive 06:27 < Mike_B> but you could also program it to just suck some tiny percent out of everyone's wallet proportionally totaling 50 or whatever, and then give it to the miner who won as a "tax' 06:27 < BlueMatt> gmaxwell: and despite being little practical difference, there is huge psychological difference between "deflationary" and "barely inflationary" 06:28 < Mike_B> people would probably mind that less even though it's the same thing 06:28 < gmaxwell> Mike_B: there are problems, say you program the inflation rate at 1% and the lost rate is 2% ... after some very large amount of time the inflation is now some large percentage of the actual economy. And thats distorting.. people are like .. out capturing extra stars to implode them to power their miners. 06:29 < gmaxwell> maybe you could get away with some system estimate of the current surviving coin supply to keep that under control... but the solution is not unique. Every part of the bitcoin design which isn't largely unique seems to be subject to endless wasteful debate. 
06:30 < epscy> i guess if you use days destroyed that's just a kind of proof of storage, but with the proceeds going to miners rather than the storers
06:30 < Mike_B> i agree having the system estimate the surviving coin supply is bad
06:30 < Mike_B> or likely to cause problems, at least
06:30 < gmaxwell> Mike_B: freicoin does the sucks out thing. ... but their sucks out and pumps in rate is 5% 0_o.
06:30 < jtimon> Mike_B gmaxwell infinite precision to have perpetual reward doesn't make much sense, will an annual reward of 0.00000000000000001% of the supply really make any difference?
06:31 < gmaxwell> jtimon: depends on how many coins are left. Careful with "supply"
06:31 < Mike_B> you could use "total number of transactions in a 2 week time period" or something to gauge how hot the bitcoin economy is
06:31 < Mike_B> the bitcoin GDP or whatever
06:31 < Mike_B> and tie inflation to that somehow
06:31 < Mike_B> dunno how that relates to miners anymore though
06:31 < gmaxwell> jtimon: if you've lost 99% of the coins (the great crypto wars of 2124 ...) then it's a fair bit more.
06:31 < gmaxwell> Mike_B: easily manipulated by miners.
06:32 < gmaxwell> (who, of course, receive the subsidy)
06:32 < jtimon> at some point the reward will be lower than the 0% of coins lost
06:32 < Mike_B> gmaxwell: i was thinking an inverse relationship
06:32 < Mike_B> more transactions = less reward
06:32 < Mike_B> though that's also bad
06:32 < jtimon> and with ever-growing supply but constant reward (aka timecoin) the problem is similar
06:32 < Mike_B> the real problem seems to be the length of time it takes difficulty to adjust
06:33 < gmaxwell> Mike_B: hm? I've never seen that as a problem.
06:33 < jtimon> if you want to have a perpetual reward proportional to the supply the only solutions are freicoin and expocoin (the reward is always growing too)
06:33 < Mike_B> oh nm i misunderstood what you were saying
06:34 < Mike_B> you're saying that if difficulty drops due to a block reward decrease, overpowered miners can come in and try to 51% the network?
06:34 < gmaxwell> Mike_B: yea.
06:34 < jtimon> Mike_B you cannot measure bitcoin's GDP from within the chain
06:34 < gmaxwell> Mike_B: if it drops and leaves the network stranded uhh we have bigger problems. (and it would be 'easy' to do a manual difficulty step to fix)
06:35 < Mike_B> gmaxwell: wouldn't all of these overpowered miners suddenly try to do that though? suddenly everyone's competing to be dishonest instead of honest
06:36 < Mike_B> now all overpowered miners have an incentive to try to stay in to get 51%
06:36 < gmaxwell> Mike_B: maybe, depends on the form of the dishonesty. Some kinds are not that competitive. ... e.g. if there are very few full nodes they can cause inflation.
06:36 < Mike_B> jtimon: why not?
06:36 < gmaxwell> also, a war of dishonesty is bad for stability. e.g. big reorgs. even if the end result is mostly kinda sort honest.
06:37 < jtimon> because I can pay to myself
06:37 < gmaxwell> esp if jtimon is a miner.
06:37 < jtimon> and if I'm not I can pay fees to pay to myself
06:38 < gmaxwell> you can try some hack with coin days destroyed perhaps that works, but you get deep into heuristics, and I think adhoc solutions are not good inside a cryptocurrency. All the users have to accept that it works right, and if there are 1001 ways to do something that's bad.
06:38 < jtimon> the point is there's no way to distinguish "real commerce" from just "wallet refactoring"
06:38 < Mike_B> ok, very true
06:39 < gmaxwell> you could potentially try a control loop that keeps difficulty forever increasing.
06:39 < Mike_B> though i'd still expect "more volume moved" still correlates very strongly with "bitcoin GDP" (whatever that would actually be)
06:39 < gmaxwell> Mike_B: it does until you add in an adaptive attacker.
06:39 < gmaxwell> as soon as there is an incentive to fake gdp (up or down) miners can block transactions or fill blocks with 'fake' ones.
06:40 < gmaxwell> might as well just have a field in the blocks miners can set: GDP: X :P
06:40 < jtimon> Mike_B that could be useful for an economic researcher that makes estimates about % real commerce, etc, but the chain algorithm shouldn't make those kind of estimates
06:40 < Mike_B> ok right
06:41 < jtimon> gmaxwell I've been thinking more about your "required security is not proportional to the value of the total supply more"
06:42 < jtimon> not taking post coins into account because those are recycled in freicoin
06:42 < jtimon> but I now disagree
06:42 < jtimon> your example was that you could reverse a 1M tx with the work of one block
06:43 < jtimon> but it is the recipient's fault to only wait 1 block (or 6) for a 1 million transaction
06:44 < jtimon> so really any demurrage rate is enough, it's just a matter of people having to wait more confirmations
06:44 < gmaxwell> jtimon: so what if they wait 6? 1M is cheap compared to 6 blocks, e.g. if you assume the attacker can bribe miners, or buy computing power. Bitcoin mining marketplaces offering 115% PPS got a substantial chunk of the hashrate when they existed. :P perhaps enough, though enough might be a really large number. :)
06:45 < jtimon> I'm using 6 just as a number
06:46 < jtimon> the recipient should estimate how much he has to wait to consider himself paid
06:46 < jtimon> maybe he has to wit 4 or 100 blocks, I don't know
06:46 < jtimon> wait
06:47 < gmaxwell> all txn in the block could be attacks however. :(
06:47 < jtimon> what do you mean txs could be attacks?
06:47 < gmaxwell> yes, but if you assume current block volumes in bitcoin assuming an attack with 20% hashpower... you end up with crazy numbers like 35 blocks where attacking isn't profitable over subsidy. (Well, current: I ran these numbers 9 months ago)
06:48 < gmaxwell> jtimon: an attacker is not limited to making one attack per block. Every transaction in their block could be a double spend attack on a different target.
06:48 < jtimon> oh, I see
06:48 < gmaxwell> so if you are to be conservative you must compare the value of the lost subsidies to the value of all transactions.
06:49 < jtimon> interesting, you would not only need to look at your transaction, but to all transactions near it
06:49 < gmaxwell> which is a bit extreme, I was hoping it would produce tidy numbers like 10 confirmations or whatever, but it turns out in bitcoin it didn't... not if you assume attackers with 20% hashpower.
06:49 < jtimon> to know the full potential incentive of the attacker
06:50 < gmaxwell> (I was concerned about everyone still assuming 6 was golden and hoped the software could give better advice...)
06:50 < jtimon> but I still think that the rule "the more valuable the coins are, the more security you need" applies
06:51 < Mike_B> 06:28 gmaxwell: Mike_B: there are problems, say you program the inflation rate at 1% and the lost rate is 2% ... after some very large amount of time the inflation is now some large percentage of the actual economy. And that's distorting.. people are like .. out capturing extra stars to implode them to power their miners.
06:51 < Mike_B> i'm still kind of hung on this
06:51 < Mike_B> what would the problem be exactly?
06:52 < jtimon> yes, would be cool to have a configurable client that waits for more confirmations depending on values, maybe querying bitcoinwatch or something
06:52 < Mike_B> if there's an inflation rate of 1% and a lost rate of 2%, you end up with a net deflation rate of 1%, right?
06:52 < Mike_B> why does that lead to dyson spheres or what have you
06:52 < gmaxwell> Mike_B: but compute the proportion of the total remaining economy that is going to mining.
06:52 < Mike_B> oh, i see what you're saying
06:53 < Mike_B> since you never have a clue what the lost rate is
06:53 < gmaxwell> the 1% isn't of the economy, we can't measure that; it's 1% of the maximum potential economy.
06:53 < gmaxwell> right.
20:33 < warren> If Litecoin is willing to go through the pain of a hardfork, it better be more interesting than bigger scrypt.
20:34 < petertodd> warren: agreed
20:34 < warren> And I think bigger scrypt is a bad idea, validation is already slow.
20:34 < amiller> you can reject someone's blocks, as part of the rational strategy space
20:34 < amiller> so that can include whether the sum difficulty is over tons of weak blocks or a few bonanza blocks with high difficulty
20:34 < adam3us> warren: coelho merkle hash PoW is better. vitalik used it in dagger for ethereum.
20:34 < amiller> obviously the tons of weak blocks is a DoS
20:34 < petertodd> warren: heh, well, doing birthday-style momentum hash would be as temporarily asic-hard as any scrypt tweak, and with fast validation
20:34 < amiller> but we handle DoS on an ad hoc basis at the moment anyway.
20:34 < adam3us> warren: better in that it uses fiat-shamir to only have to spot check the answer, not repeat the work
20:35 < warren> petertodd: temporarily ...
20:35 < amiller> so how about this
20:35 < amiller> accept a range of difficulties
20:35 < petertodd> warren: sure, but at least the barrier to making an asic with that is fairly high - as I say, it gets you the same kind of barrier as a scrypt tweak would, but with less resource usage
20:35 < amiller> but not all the way to nothingness
20:35 < adam3us> petertodd: momentum is not too stupid. quite TMTOable but other than that.
20:35 < warren> adam3us: <adam3us> maaku_: yes litecoin & ftc are currently not plausible to overtake <----- huh? ftc?
20:35 < petertodd> adam3us: define TMTO again?
20:35 < amiller> the bottom-out level is a miner policy
20:35 < amiller> minimum acceptable difficulty i mean
20:36 < warren> adam3us: only thing implausible about overtaking FTC is their centralized broadcast checkpoints
20:36 < petertodd> amiller: but difficulty is related to block interval, and you have to have long enough min block intervals so that consensus still works
20:36 < adam3us> warren: it was hypothetical comparison, nothing specific to ltc/ftc
20:36 < warren> adam3us: petertodd: economically the only way litecoin users would accept a PoW change is if the same miners were the beneficiaries (GPU owners). =(
20:36 < petertodd> adam3us: oh, right, Time Memory Tradeoff or whatever
20:37 < amiller> petertodd, okay so the basic way to handle that is to a) make everyone include stale blocks in some way, like GHOST already recommends and i babbled about on irc a year ago
20:37 < amiller> b) the more stale blocks you accumulate, the more penalty you apply to short spammy blocks
20:37 < petertodd> warren: birthday PoW might be GPU implementable actually
20:37 < petertodd> warren: cuckoo hashing seems possibly to be as well
20:37 < warren> adam3us: is Savitch's theorem relevant at all to this?
20:37 < adam3us> petertodd: TMTO is fine for warren's GPU lovers. you need that to run momentum on a gpu anyway
20:37 < amiller> the effect is that you eventually get enough of a bonus to mining at a hard difficulty, which causes the chain to stabilize
20:38 < petertodd> amiller: gah, I really am against this stale block crap - it gives advantages to those with fast network connections
20:38 < adam3us> warren: i am not sure if it is because momentum nearly works and has an extremely efficient verification (consuming no memory)
20:38 < amiller> they have an advantage anyway
20:38 < petertodd> adam3us: no actually, I was looking at some papers suggesting that GPU's are actually reasonably good at implementing content addressable memories
20:39 < petertodd> adam3us: it's not a TMTO tradeoff in that case
20:39 < adam3us> petertodd: oh nice.
20:39 < petertodd> amiller: yes, but don't make it even bigger, which ghost does
20:40 < amiller> i'm advocating *allowing* it to get bigger for a much more important reason
20:40 < amiller> the only thing ghost claims you can do is marginally increasing the flux of transactions, which is meh
20:41 < amiller> i'm claiming the main benefit to this is getting user-selectable variance *within* the main mining game
20:41 < petertodd> amiller: wait, what getting bigger? orphan rate?
20:41 < amiller> no the advantage to dudes with better network equipment in data centers, ie the amount of data and latency dependence
20:42 < petertodd> amiller: nah, better ways to get user-selectable variance than screwing up those incentives
20:42 < amiller> like what
20:42 < petertodd> amiller: again, why are you assuming a monolithic blockchain?
20:43 < amiller> how else are you going to get user selectable variance
20:43 < petertodd> amiller: do per-tx PoW and figure out how to make that reasonable
20:43 < adam3us> amiller: above are you talking about p2pool? pooled mining apis in general? variance you mean being able to pick an appropriate to miner pow work size?
20:43 < amiller> small players want to play at lower variance, so yes
20:44 < adam3us> amiller: just because actual low variance can be done via multiple sub-puzzles and redefining work to be the sum of the subpuzzles, however that breaks power-fairness of the PoW for btc style first past post race
20:44 < adam3us> amiller: so u mean low variance in terms of pool shares.
20:45 < petertodd> adam3us: if the sub-puzzles earn you money linearly, that doesn't break fairness
20:45 < amiller> it doesn't break power fairness, it does have a subtle security problem related to that though
20:45 < petertodd> amiller: which is?
20:45 < amiller> attackers can revert larger history with *better than negligible chance* if they can increase the difficulty high enough
20:45 < warren> petertodd: perhaps it would be more palatable of a change if something like every other block were allowed to be scrypt or birthday. but in any case none of that fixes the issue of centralization, if litecoin has a hardfork I want to tackle that.
20:45 < adam3us> amiller: well if we said you had to make a coelho merkle pow it would have a lot of progress so be power-unfair
20:46 < amiller> adam3us, that's an all or nothing puzzle
20:46 < amiller> adam3us, that's different than letting individuals get their own little reward for a subpart
20:46 < adam3us> amiller: right. the prize is all-or-nothing.
20:47 < amiller> ok so make subdivisible puzzles where the rewards are also subdivisible in the same way
20:47 < petertodd> amiller: right, so devise schemes where we're not letting luck revert large history
20:47 < adam3us> amiller: ok that i think is interesting to explore. (i tried a bit in the past also)
20:47 < amiller> petertodd, no that's fine as long as its not unbounded
20:47 < amiller> unbounded is a problem in the other direction too
20:47 < amiller> unboundedly small puzzles => DoS hazard as attacker floods network with small plausible weak blocks
20:47 < warren> adam3us: petertodd: how well researched is birthday against a worse break?
20:47 < adam3us> amiller: the other problem is you have reward and consensus and they are bound together
20:47 < amiller> unboundedly difficult puzzles => attacker has too good a chance of an attack with less power
20:47 < adam3us> warren: its pretty fundamentally hard
20:48 < adam3us> warren: just time memory trade offs
20:48 < amiller> adam3us, could you be a little more specific about what reward and consensus mean here
20:48 < warren> adam3us: are people already using TMTO to mine it?
20:48 < petertodd> amiller: in any case, I think my binary tree chains thing works for this, because you set it up with diff halved on each step down, and only let miners mine one path, keep separate diffs for each level, but also keep the reward the same horizontally so there's no economic incentives to let them get out of whack
20:48 < warren> scrypt GPU uses TMTO
20:48 < adam3us> warren: there was a thread on the protoshares / bitshare board where a guy was coding one.
20:49 < amiller> petertodd, i don't know what you are talking about, MMR? MMR for blocks?
20:49 < adam3us> warren: he had an example implementation and got the tmto working, but i dont know if he yet coded it for the gpu
20:49 < petertodd> amiller: no, I mean, structure your blockchain as a binary tree of "blocks"
20:49 < petertodd> amiller: still linear in the time axis
20:50 < adam3us> amiller: reward = 25btc/block, consensus = everyone agreeing on transaction order and validation (over time)
20:50 < petertodd> amiller: point with this, is that you can have PoW per tx, and sum up work simply by the fact that the upper levels of the tree get that lucky less often, yet have higher difficulty
20:50 < petertodd> amiller: related is I suspect such a structure can do better scalability
20:50 < amiller> ok so make the reward proportional to block
20:51 < amiller> fees behave same way as before
20:51 < amiller> consensus = everyone agrees on transaction order same as before...
20:51 < petertodd> amiller: yeah
20:51 < amiller> proportional to difficulty in a block*
20:51 < adam3us> adam3us: but for consensus security there maybe an incentive security tie relating to reward...
20:51 < petertodd> amiller: now I *also* think you can probably structure this so that miners don't have to keep up with the whole chain, only doing subsets, but that's not necessarily directly related to the per-tx PoW aspect of it
20:52 < adam3us> amiller: oh i get you. allow a consensus to be built up from fractional blocks
20:53 < petertodd> adam3us: yup, and the fraction could be as little as a single tx
20:53 < petertodd> adam3us: (obviously it's likely the concept will end up with some notion of work/byte)
20:53 < adam3us> amiller: like you could be 1.5-confirmed. plausible but creates longer chain/complexity, maybe orphan risk, bandwidth usage
20:54 < petertodd> adam3us: yet, if you combine it with a scalability solution w/ sharding, per-node bandwidth can be less
20:54 < amiller> maybe the GHOST guys want to work on this
16:44 < gmaxwell> gwillen: computationally sound basically means a cryptographic assumption, e.g. someone who can search 2^256 spaces can produce a proof which you believe is valid but it's not.
16:44 < gmaxwell> Vs a perfectly sound proof where you can never be fooled even by an unbounded attacker.
16:45 < gmaxwell> (or, if the cryptographic assumption fails discrete log is easy, etc. depends on how the system is constructed which assumptions are at play. Or if P=NP.. then the system allows fake proofs)
16:46 < gwillen> gmaxwell: ahhhh, clever.
16:48 < gmaxwell> There is a similar set of levels of zero knowledge. Some things have perfect zero knowledge where an unbounded attacker with unbounded examples of your proof learns nothing, statistical zero knowledge where the distribution of answers is negligibly different from 'fake' answers so at most they learn very little, and various computational assumptions for zero knowledge. e.g. where they learn nothing unless they can solve some hard ...
16:48 < gmaxwell> ... problem.
16:48 * gwillen nods
16:48 < gmaxwell> Interestingly there seems to be some tradeoff, it seems that many of the systems with perfect soundness can only offer computational zero knowledge, and vice versa.
16:49 < gwillen> interesting.
16:49 < gmaxwell> For something like blockchain proofs we don't care about zero knowledge at all, though we do care if the proofs are small.
16:51 < gwillen> gmaxwell: is this counting or not counting 'I prove that I have a bitcoin without revealing which one' as zk?
16:51 < gwillen> it feels zk-flavored to me
16:51 < gmaxwell> for that you'd want zk, indeed though computationally sound ZK is probably fine for that.
16:51 * gwillen nods
16:52 < gwillen> 'you can break my anonymity if you can do a 256-bit search' is certainly an improvement on what we have now. :-)
16:53 < gmaxwell> likewise, for something like zerocoin you need zk to hide which coins you're spending. So we do have applications for ZK. Things like my contingent payment protocol need fairly strong ZK since the payer can rob the payee if the ZK isn't strong.
16:54 < gwillen> interesting.
16:56 < gmaxwell> then you have the whole axis of publicly verifiable vs designated verifier.
16:57 < gmaxwell> A bunch of these systems work easiest where there is a single verifier who generates a challenge, and a single prover. That's designated verifier.
16:57 < iddo> gmaxwell: from what i know there is no (working) code yet for non-CRS SCIP, but it's being worked on... about CRS SCIP, obviously they will release code with their lame zerocoin altcoin:( but i'll continue to inquire and see if i have updates
16:58 < gmaxwell> Publicly verifiable is like a digital signature. Then a number of these systems are "publicly verifiable in the CRS model" which is basically publicly verifiable but only if everyone has a magical trusted string.
16:59 < gwillen> gmaxwell: what are the requirements on the CRS?
17:01 < gmaxwell> gwillen: depends on the system, most of the CRS models are effectively structured like public key cryptography where the CRS gives you public keys for a trapdoor permutation constructed so that you can encrypt your proof but still check that it's valid. if someone knows the randomness underlying the CRS they can trivially create fake proofs.
17:01 < gmaxwell> the crs generation process in that case just ends up looking like generating a bunch of random public keys, more or less.
17:02 < gwillen> gmaxwell: is this the sort of thing where, if we knew that God generated the CRS and threw away the generation parameters, the system would be fine?
17:02 < gmaxwell> Yes.
17:02 < gwillen> Huh.
17:03 < gmaxwell> some of the stuff in the CRS model also loses its zero knowledge to god, so you can't necessarily safely use it in the designated verifier case where the designated verifier produces the CRS. (annoyingly I find the papers often unclear exactly what the threat model(s) they work under)
17:03 < gmaxwell> (though anything with a succinct proof is probably still ZK to god, simply because there is so little information at the end)
17:04 < gmaxwell> some people talking about this stuff have suggested you could use multiparty computation to compute the CRS in a way that God is distributed.
17:05 < gmaxwell> But it still would leave you that if the majority (or all) of the multiparty computation players cheated they'd know the parameters.
17:06 < gmaxwell> Also, many of the active-secure multiparty computation systems only achieve security via zero knowledge proofs ... so you can end up with circular security. :)
17:06 < gmaxwell> E.g. you can take a passive-secure multiparty computation system, one which is only secure if the players follow the protocol, and boost it to active security (secure regardless of the players) by having the players use proofs to prove they did their computation according to the rules.
17:08 < phantomcircuit> gmaxwell, is there anything preventing someone from mining a version=3 block?
17:08 < phantomcircuit> other than just stupidity
17:08 < gmaxwell> phantomcircuit: nope.
17:08 < phantomcircuit> is it at least discouraged?
17:09 < gmaxwell> it shouldn't be done, because we will want to use the version field for future changes, and if people are actively producing blocks with other versions it will make that impossible.
17:17 < andytoshi> i like this business of referring to an unbounded attacker as god
17:17 < andytoshi> #bitcoin-wizards could use some wizardly lingo
17:19 < sipa> let's call Him Laplace's Demo
17:19 < sipa> hmm, i actually wanted to type Demon, but Demo isn't too bad either
17:20 < gwillen> he is Laplace's Demon, Laplace's Demo is when he shows you that your system is insecure.
17:20 < gmaxwell> I wonder if in some of the holographic universe theories if knowing the path of a single partical with enough detail actually describes the entire universe. :)
17:21 < gmaxwell> particle*
17:21 < gwillen> gmaxwell: certain facts about our actual universe make me like the theory that this isn't true because it has only limited resolution
17:21 < gwillen> (i.e. that you can't in fact get the entire universe from the path of a particle)
17:22 < gmaxwell> gwillen: e.g. what if there is only one universe consistent with our laws of physics and the existence of particle X.
17:22 * gwillen nods
17:27 < edulix> http://www.michaelnielsen.org/ddi/how-the-bitcoin-protocol-actually-works/ now in slashdot btw
17:30 < edulix> which makes me wonder, is there any book on bitcoin with internal details etc
17:39 < michagogo|cloud> edulix: yes, it's online at https://github.com/bitcoin/bitcoin
17:39 < michagogo|cloud> (and at http://bitcoin.it)
17:43 < edulix> nice
17:50 < edulix> hehe the author of that post doesn't understand why double spend is fixed the way it is fixed in bitcoin
17:52 < Emcy> is it true there were altcoins with fixed difficulty?
17:53 < gmaxwell> Emcy: liquidcoin had that... didn't last long.
17:54 < Emcy> what was the rationale of that
17:56 < phantomcircuit> gmaxwell, what block shunning is there?
17:57 < phantomcircuit> or is that just txs
17:57 < phantomcircuit> ;;seen jgarzik
17:57 < phantomcircuit> no gribble
19:45 < andytoshi> Emcy: no doubt "fairness"
19:46 < andytoshi> or plain old silliness :)
22:40 * andytoshi-logbot is logging
--- Log closed Sun Dec 08 00:00:40 2013
--- Log opened Sun Dec 08 00:00:40 2013
13:44 < MoALTz> http://blockexplorer.com/block/00000000000000189ad9b20ed103ac14ca5c08ecfb0f5a0f538e4678f4535c46
13:53 < MoALTz> the smallest block. the next (same-sized) smallest are 181 bytes
18:04 < crispy> fdadf
18:05 < phantomcircuit> gmaxwell, lol mike
18:05 < phantomcircuit> there is no such thing as a secure registrar
18:05 < phantomcircuit> DNE
18:10 < nsh> i hear melbourne IT is pretty good
18:10 * nsh sniggers
19:11 < Emcy> did petertodd's pooled-solo mining thing from May go anywhere?
19:16 < Luke-Jr> Emcy: petertodd's? :P
19:16 < Luke-Jr> BIP 22 is from Feb 2012 ;)
19:22 < Emcy> sorry, he did say it was more you and greg
19:23 < Emcy> im going over the dev list again
19:23 < Emcy> you guys send a lot of mail to that list now
19:26 < Emcy> i think when people take discussions private then start ccing list again it breaks threads in my program :(
20:51 < Mike_B> has anyone assessed this new paper about blockchain confirm security?
20:51 < Mike_B> counting orphaned blocks as a confirmation
20:54 < Baz> there's a pretty good thread on it https://bitcointalk.org/index.php?topic=359582.0;topicseen
20:55 < Baz> are there disadvantages for when a wallet client uses a server to read through the blockchain, rather than load it all locally, as armory does
21:39 < maaku> Mike_B: I'm not sure that's an accurate explanation. it doesn't count orphaned blocks as confirmation, but uses work spent on orphans in determining the most-work chain
21:42 < midnightmagic> It seems strange somehow that you can force the network to switch to another sibling by mining multiple side-by-side siblings, and potentially roll back a retarget.
21:44 < maaku> midnightmagic: that requires a 51% attack ... nothing strange about that
21:49 < midnightmagic> as far as I know, a 51% attack can't *roll back* a retarget though can it? the 51% must linearly reach a longer sibling fork which itself is beyond the retarget.
21:50 < midnightmagic> this provides an additional consideration for a 51% direction that an attacker can take the chain.
21:50 * midnightmagic finishes reading
21:51 < maaku> midnightmagic: it most certainly can
21:52 < maaku> there is no limitation on how far back a rollback can go, except for checkpoints
21:53 < midnightmagic> maaku: What I mean is, it must extend it using post-retarget mined blocks. but if you reveal a GHOST-based subtree which is heavier but hasn't yet reached retarget, the network as a whole rewinds to that.
20:54 < warren> <petertodd> warren: heh, well, doing birthday-style momentum hash would be as temporarily asic-hard as any scrypt tweak, and with fast validation
20:54 < warren> To what degree would this be merely kicking the can down the road?
20:54 < petertodd> amiller: heh, well *I* want to work on this
20:55 < petertodd> warren: good question, probably tens of millions down the road, in terms of ASIC development cost
20:55 < amiller> well it basically forces a bunch of other sore issues
20:55 < amiller> like how to make fees match resources consumed
20:55 < warren> tens of millions of dollars? that's nothing
20:55 < petertodd> warren: the scary thing is like any ASIC-hard-but-not-hard-enough scheme the first ASIC to be built is winner take all
20:55 < amiller> i think having parameters to restrict the bounds on either end is important
20:55 < petertodd> warren: sha256 ASICs are hundreds of thousands
20:55 < adam3us> petertodd: well if basic compression (not sending data twice) was implemented a block may cost less bw
20:55 < warren> petertodd: oh, tens of millions factor, not dollars?
20:56 < petertodd> warren: no, I'm saying my gut feeling is that a successful ASIC for such a beast would be tens of millions in dev costs
20:56 < adam3us> warren: i think $ in both cases
20:56 < warren> ok, then that isn't a worthwhile change
20:56 < petertodd> warren: but, what that's really saying is this is something that we need a real hardware person to analyse
20:57 < petertodd> warren: also momentum has interesting stuff: e.g. commodity content addressable memory *is* available because network routers and the like use it
20:57 < adam3us> amiller: btw i also thought of ghost a while back :) (saw you mentioned u did above)
20:58 < petertodd> warren: if you could get the community to put up a few thousand, you could probably get a decent bit of research+report on how viable it is
20:58 < warren> who is qualified to analyze it?
20:58 < petertodd> warren: it's the kind of thing MSC should be thinking about too
20:58 < petertodd> warren: good question - some kind of digital electronics/computer engineering person
20:58 < warren> huh? MSC has PoW?
20:58 < adam3us> amiller: in my case i was like hmm this creates complexity not enuf of a win, but they picked out its lower block interval support which i wasnt focusing on
20:58 < petertodd> warren: I've got the contacts to find a person for that
20:59 < petertodd> warren: not yet, but that falls into things MSC should look into
20:59 < petertodd> warren: note that Ethereum does and it's a MSC competitor/substrate
20:59 < warren> If MSC is on Bitcoin's network, I don't see how it needs its own PoW
20:59 < warren> what is Ethereum?
20:59 < adam3us> warren: oh boy
21:00 < petertodd> warren: a big part of why I was hired was to determine what the options are there...
21:00 < petertodd> adam3us: lol
21:00 < warren> (I've been busy lately.)
21:00 < petertodd> warren: "TURING COMPLETE CRYPTO CURRENCY INVESTMENT OPPORTUNITY BUY BUY BUY!"
21:00 < adam3us> warren: http://ethereum.org/ethereum.html
21:00 < warren> who made this?
21:00 < adam3us> warren: vitalik
21:01 < warren> a month ago he was all pro-primecoin
21:01 < adam3us> warren: with support of some good marketing folks
21:01 < petertodd> warren: vitalik is smart, but not wise...
21:01 < adam3us> warren: prime coin is a crock (IMO)
21:01 < adam3us> warren: i persuaded him that coelho was better ;)
21:01 < warren> sorry, what is coelho?
21:01 < adam3us> warren: hence he made dagger (linked from the above)
21:01 < petertodd> I was at a talk by him on ethereum and there was a moment kinda halfway through where he really jumped the shark so to speak
21:02 < adam3us> warren: merkle hash PoW with a fiat-shamir trick to reduce the memory for verify to like 4log(n) or such
21:03 < petertodd> adam3us: ugh, dagger is used *so* poorly in ethereum
21:03 < adam3us> warren: it's crazy stuff because the script language is like able to do almost anything. the implications are unknowable
21:04 < adam3us> petertodd: critique specific?
21:04 < petertodd> adam3us: the huge advantage with a fiat-shamir trick pow is that you can make the pow depend on block data, which dagger doesn't do
21:04 < adam3us> warren: virus script that like takes all coins? probably not actually. but its openended and people may have fun with it
21:05 < petertodd> adam3us: meanwhile that kind of PoW is still rather parallelizable, including in an asic
21:05 < adam3us> petertodd: ah yes he dropped that bit. he was talking about data tho & i mentioned he could use that feature
21:05 < adam3us> petertodd: (separately proof of storage or something for some other reason... )
21:05 < petertodd> adam3us: ugh, so he knows that you can do that? fuck
21:05 < petertodd> adam3us: the whole writeup on the ethereum site is just full of hand-wavey numbers too
21:05 < adam3us> petertodd: well he does now. i am not sure it occurred to him at the time he wrote dagger
21:07 < petertodd> adam3us: anyway, the whole idea that memory requirements somehow make something ASIC hard by themselves is very wrong
21:07 < adam3us> petertodd: well it is somewhat memory hard with the params he has and the sequence of calcs hmm i wonder you can't keep a cache and skip list and get most of it without memory can you?
21:07 < warren> is dagger fast to verify?
21:07 < petertodd> warren: yeah
21:07 < adam3us> warren: faster than scrypt for the memory used, but slower than momentum. however momentum is more TMTOable
21:08 < petertodd> adam3us: well, you make an asic whose physical structure is a tree for instance
21:08 < adam3us> warren: i wouldnt say fast but less slow.
21:08 < adam3us> warren: i think he aims to use the faster verify to demand more memory per instance however, rather than to make faster wall-clock verify
21:08 < adam3us> warren: u could use it otherwise...
21:09 < adam3us> petertodd: i meant even in software! gotta re-read it (didnt occur to me before for some reason)
21:09 < petertodd> adam3us: kinda reminds me: so one problem I had in coming up with an asic-hard "hash all the data"-style pow was that crypto-primitives like hash functions tend to be pretty slow compared to the bandwidth of main memory
21:10 < petertodd> adam3us: so the question is then what's the *weakest* crypto-primitive you can get away with and still be secure - like, could you have the lowest parts of a dagger-style tree only do a single sha256 round?
21:10 < adam3us> amiller: this fractional block seems interesting, but you probably have to use ghost, due to block interval creating orphans, and put a sanity limit like you said.
21:10 < warren> petertodd: so wait, where would MSC use PoW?
21:10 < petertodd> adam3us: where going up the tree enough rounds have been done to be pre-image secure?
21:11 < warren> sorry, I'll be back later, meeting in 30 minutes I need to prepare for 21:11 < petertodd> warren: it'd use it to implement a ethereum layer 21:11 < petertodd> warren: I mean, implement ethereum-style consensus system, as an example 21:11 < amiller> adam3us, sure, it's kind of a dauting engineer effort which is why i've shied away from it 21:11 < adam3us> petertodd: that might not be a bad idea. tree-evaled sha256 rounds 21:11 < amiller> adam3us, but i hope at this point it's at least clear what sort of benefit this can get you 21:11 < amiller> not faster transactions or something trivial like that, but the ability to have user-selected difficulty which means the whole need for pools goes away 21:12 < petertodd> adam3us: yeah, hell, maybe even something as simple as XOR can be used in some cases for lower parts of the tree? 21:13 < petertodd> adam3us: cuckoo PoW could be an example there too: maybe each round of your cuckoo path can be just a single hash round and you can still get away with it given reversing a round may be *sufficiently* hard that just fetching the appropriate bit of memory is easier 21:15 < petertodd> adam3us: though that could backfire too because I suspect an optimal cuckoo implementation is a grid of small memory cells and routing logic to efficiently pass around in-progress solutions without using long, power-hungry wires 21:15 < adam3us> petertodd: i think scrypt has a faster hash to fill memory at one stage no? 21:16 < adam3us> petertodd: there were some earlyer PoW that aimed to stress memory latency by wobber et al. unfortunately they all got broken :) 21:16 < petertodd> adam3us: yeah, that's why it uses salsa20 21:16 < petertodd> adam3us: for consensus pow I think trying to stress latency is hopeless 21:17 < petertodd> adam3us: though for timelock crypto it's perfectly reasonable 21:17 < adam3us> petertodd: why? its another form of parallelizable work... 
21:18 < petertodd> adam3us: I'm talking about serial-parallel hash chain schemes 21:18 < petertodd> adam3us: in that case that memory latency leads itself to high parallelism is an *advantage* by making it cheaper to make the timelock 21:20 < petertodd> e.g. prepare x GB worth of lookup table, have n parallel queries going to the lookup table using some scheme using up all available bandwidth, then use the encrypted intermediate steps trick to deparallelize it 21:20 < adam3us> warren: u now in theory sha256 asics are more efficient in the way jtimon was arguing about earlier. it concentrates the reward, but it maybe uses less electricity as a result 21:20 < petertodd> now you have a timelock that was reasonable cheap to make, yet the speed of sequentially cracking it is very directly related to memory latency, and mem latency sucks 21:21 < adam3us> petertodd: he he the first memory (latency) hard paper sent 16MB of random data in the example executable to make it non compactible 21:21 < petertodd> adam3us: sent? ? 21:21 < adam3us> petertodd: they linked it into the exe 21:21 < petertodd> adam3us: ah, I get it 12:43 < tacotime_> And, do I have it right? Okay, payer sends funds to some address generated from stealth address of payee, plus an OP_RETURN that publishes a secret (nonce). Payee scans blockchain looking for a pubkey and secret that will allow him to spend from some address. Payee finds said address, regenerates privkey from secret and pubkey, and then spends funds. 12:43 < sipa> correct 12:44 < tacotime_> Excellent. Thanks. 13:26 < petertodd> tacotime_: all correct. An interesting question is if it would be better to at least have the option for the payment to be recoverable from information purely in the txout - it's plausible that in the future it'd work better once you can get a miner proof of a txout's existence. 
13:27 < petertodd> tacotime_: I'm waiting on some Javacsript ECDH benchmarks FWIW before I make any kind of decision - it'd be nice if web-wallets like coinpunk could receive stealth payments entirely in the browser with at least some privacy. 13:28 < petertodd> tacotime_: On the bright side, javacsript SHA256 grinding is plenty fast enough to support stealth + prefixes. 13:29 < petertodd> adam3us: that's exactly what I suggested actually, which leads to an interesting question that BlueMatt(?) brought up: Can you prove to a third party that a given transaction does *not* contain a stego-encoded data packet? With SCIP it's easy to see how that could be possible in principle, but I dunno if it can be made efficient enough to be practical. 13:32 < nsh> you can always upper-bound the redundancy 13:32 < petertodd> nsh: ? 13:33 < nsh> the "spare" information in the transaction after you discount the necessary 13:33 < petertodd> nsh: oh, this isn't standard stego really: you're hiding encrypted data in random junk, so there's no measure of spare to talk about 13:33 < nsh> oh, hmm 13:33 < sipa> well obviously the amount of data that can be stored is limited to the size of the transaction 13:35 < petertodd> the real question is can you prove the execution of a timelock crypto sequence, which is something as simple as 10,000 SHA256 invocations, such that you can prove the end result cheaply to a third party that can evaluate that proof cheaply 13:35 < petertodd> it's obviously possible in principle, but how can it be made practical? 13:38 < nsh> perhaps in the future there will be a market for verify-farms, like compile/render-farms, that perform some computation and provide short/cheap verification proofs for it and its inputs 13:38 < petertodd> nsh: right, that's the "in principle" part :P 13:38 * nsh smiles 13:39 < petertodd> nsh: remember the Blub programmer principle: If Peter can't understand the crypto, it's obviously not practical. 
13:39 < nsh> aye 13:39 < sipa> s/Pe/Pie/ 13:40 < petertodd> lol 13:40 < nsh> hehe 13:40 < petertodd> and actually, in practice I use a scricter standard: If Peter can't teach the crypto to someone else, it's not practical 13:42 < sipa> it's not necessarily stricter; you often learn things exactly by trying to explain them to others 13:43 * nsh nods 13:44 < nsh> understanding-in-motion has a value above and beyond understanding-in-stasis 13:44 < petertodd> sipa: very true! in uni my smarter calculus classmates were always confused as to why my marks were so much worse than theirs given I was the guy always leading the study sessions :P 13:44 < nsh> like currency in some ways 13:45 < kinlo> blub programmer principle, does that require peter to be smart? :p 13:47 < petertodd> kinlo: the exact opposite :) 14:02 < gmaxwell> 21:45 < jron> slides from RWC if you haven't seen them yet: https://www.youtube.com/watch?v=Uh6erfE9HYE 14:03 < gmaxwell> (zerocash slides) 14:04 < nsh> the audio is almost comprehensible in that recording :) 14:12 < justanotheruser> What is the most interesting development in the cryptocurrency world? 14:12 < justanotheruser> Preferably something I haven't heard about 14:19 < maaku> Jeb donating 25M XRP to MIRI? 14:19 < maaku> kinda hard to guess what you haven't heard about 14:19 < maaku> also, #bitcoin 14:28 < nsh> wrt zerocash, i wonder if you could have some weird cypherpunk ritualized inaugeration event, with some carefully-selected and mutually-audited public parameter generation set-up, then everyone stands around it in robes looking solemn as the priests generate them and the machinery is then ritually destroyed 14:29 < nsh> some cross between the mimbari gray council and burning man 14:30 < sipa> #bitcoin-priests plz 14:31 * nsh smiles 14:32 * maaku joins #bitcoin-priests 14:32 < orperelman> lol 14:32 < maaku> make it happen nsh 14:32 < nsh> i'll start work on the liturgy 14:35 < justanotheruser> maaku: minecraft jeb? 
14:36 < maaku> minecraft? no the guy who started MtGox and Ripple Labs 14:36 < justanotheruser> Is jeb magicaltux? 14:37 < justanotheruser> oh, reading the wiki. Looks like jeb sold it to magicaltux 14:38 < sipa> jed, you mean? --- Log closed Mon Jan 20 00:00:41 2014 --- Log opened Mon Jan 20 00:00:41 2014 --- Day changed Mon Jan 20 2014 05:42 < adam3us> petertodd: "Can you prove to a third party that a given transaction does *not* contain a stego-encoded data packet? With SCIP it's easy to see how that could be possible in principle, but I dunno if it can be made efficient enough to be practical." <-- other than the assertion that stego wins 05:47 < adam3us> petertodd: maybe subliminal channel free signatures would be a starting point 07:12 < adam3us> petertodd: "can you prove the execution of a timelock crypto sequence, which is something as simple as 10,000 SHA256 invocations, such that you can prove the end result cheaply to a third party that can evaluate that proof cheaply" <-- well just Hellman's idea to delete 16-key bits with symmetric crypto is efficiently provable after someone has found the key. or do you mean prove it is decryptable before it has been decrypted? 07:27 < petertodd> adam3us: I mean to prove that some random junk *doesn't* contain data using the appropriate timelock-iterations algorithm 07:29 < petertodd> adam3us: remember that the timelock algorithm in this case is just a fixed number of H() invocations or similar - the question is can you prove the end-result of that algorithm to someone else cheaply? 
07:29 < petertodd> adam3us: hellman's idea doesn't work in this case - proves the wrong thing 07:31 < adam3us> petertodd: well hellman's thing shows after you know the key, its certainly easy /cheap for anyone else to verify its the right key, and decrypt it and see what the plaintext was 07:31 < petertodd> adam3us: but that's the thing, there may be no key 07:31 < adam3us> petertodd: ok so you want to prove that its not a DoS msg, ie the person who encrypted actually knew the plaintext 07:32 < adam3us> petertodd: and have that be verifiable before the brute-force decryption happens 07:32 < petertodd> adam3us: no, I have random data, I want to prove that after you apply the timelock stego algorithm, you still have random data 07:32 < petertodd> adam3us: proving that there is a hidden message is the easy part 07:33 < adam3us> petertodd: ok so maybe like if you could prevent proof of publication, eg by proving with SCIP that the contents are the hash of an undisclosed value then you restrict the stego-encoding rate to ground bits of the hash 07:34 < adam3us> petertodd: kind of analogous the p2sh^2 argument frustrating data publication 07:34 < petertodd> adam3us: that still doesn't work 07:35 < petertodd> adam3us: I was referring to using SCIP to prove that you *did* the 10,000 iterations of H() honestly, and thus the result is the honest candidate decryption key, so if that key doesn't work, you know there isn't hidden data 07:35 < adam3us> petertodd: or if there is a static public key, the private key of which is used as the seed of a rng, you could prove that this hidden/encrypted value is with the next rng output, without revealing what the rng output is 07:35 < petertodd> adam3us: remember this is about my timelock crypto for embedded consensus systems thing - you don't get any control over the data other users add to the blockchain 07:36 < adam3us> petertodd: i suppose you dont want to connect the msgs to the same author or they could be blockable 07:36 < 
adam3us> petertodd: (provable rng seed) 07:37 < petertodd> adam3us: that's irrelevant, it's timelocked so the fact that you can decrypt the stego message in 1hour frustrates the miner who only wants to spend a few seconds at most figuring out if they can put the transaction in their block 07:37 < adam3us> petertodd: btw why scip prove you did the work, you can just reveal the key, if the msg is garbage, people can see that for themselves 07:38 < adam3us> petertodd: yes time-lock works for analogous reasons to committed-tx, there is some similarity in forcing miners to make decisions on encrypted data 07:39 < petertodd> adam3us: it's impossible to prove you revealed the *correct* key if decrypting the candidate stego data with that key results in random junk 07:39 < petertodd> adam3us: you can only use a key to prove data was hidden, not the other way around 07:40 < adam3us> petertodd: oh wait you want to efficiently prove this is the ground key, without attaching it to the useful decryption 07:40 < petertodd> adam3us: remember that there's far more candidate data without steggo data in it, so you save resources if everyone can work together in a trust-free way to decrypt it all 07:40 < adam3us> petertodd: because the decryption maybe garbage, and so have no inherent verifiability 07:40 < petertodd> yes 07:43 < adam3us> petertodd: i was thinking about like rivests rsa-timelock might be tweaked to be efficiently veriable maybe, (i managed to find a blindable version of it so you could securely offload KDF calculation to untrused nodes) but maybe more simply if you make the key to grind have structure (an indirection) 13:43 < gmaxwell> Really the major breakthrough that allows sublinear is bootstrapping, which I think was mostly really inspired by the FHE work. 13:43 < tacotime_> I can tell already that I will never understand that paper. But that's what proves the sublinear size and makes 288 byte SNARKs possible? 
13:43 < gmaxwell> You can make it non-interative with fiat shamir IIRC, most interactive things can be. 13:44 < gmaxwell> tacotime_: the GGPR'12 technique is constant size proofs. There are a couple of high level ideas that can help you intutively understand why sublinear proofs are possible. 13:45 < andytoshi> fiat-shamir is also really cool philosophically. it's like you summon a random oracle to do the interactive proof with you and publish the transcript 13:47 < gmaxwell> tacotime_: imagine you have a system which can prove the validity of two operations: executing a single instruction AND verifying a proof that the prior state for that instruction. If the proof verficiation is randomized/probablistic, then its not surprising that the proof size can be proportional to security rather than execution size... and then you nest these operations and get a constant size proof. (bootstrapping approach). ... 13:48 < gmaxwell> ... Efficient systems don't work directly in this way, but its an intutive way to see the possiblity. 13:48 < andytoshi> as for SNARKs being "'only' computationally sound", that seems to be strongly analogous to the quantum-entanglement scenario wherein your "faster than light correlation" can only be verified by communicating slower than light 13:48 < gmaxwell> andytoshi: thats why I pointed it out. 13:48 < andytoshi> gmaxwell: yeah, i realize that. but i'm that slow :) 13:49 < nsh> (slow is pretty damn relative here) 13:49 < andytoshi> realize that now* 13:49 < gmaxwell> amiller: yea, fiat shamir is insanely useful. I'm not sure why its not more widely known. It doesn't help that the original papers on it are a bit opaque. 
13:50 < andytoshi> the original paper pretends to be about the smart-card scheme, it's really not obvious that there is anything generally useful in there at all until you read it :( 13:51 < nsh> "The heuristic was originally presented without a proof of security; later, Pointcheval and Stern [2] proved its security against chosen message attacks in the random oracle model, that is, under the assumption that random oracles exist. In the case that random oracles don't exist, the Fiat Shamir heuristic has been proven insecure by Goldwasser and Kalai.[3] Shamir heuristic thus demonstrates a major application of random oracles." - http:/ 13:51 < nsh> /en.wikipedia.org/wiki/Fiat%E2%80%93Shamir_heuristic 13:51 < gmaxwell> yea, that article is useless. 13:51 * nsh frowns at irc client 13:53 < nsh> kinda provocative that you could have some empirical security difference that implies the existence or not of random oracles 13:53 < tacotime_> Is there a text book somewhere for this sort of stuff? 13:54 < jtimon> gmaxwell, if you were to design a concatenative merklized scripting language (joyscript), what would be important to take into account so that in the future it is "good for snark" 13:54 < jtimon> ? 13:54 < gmaxwell> Basically it says you can take an interactive protocol and make it non-interactive by commiting to your state with a random oracle, then using the random oracle to play the counterparty in the interactive protcol. If the interactive protocol has the right properties then you can instantiate the system with a hash function in the place of the random oracle and make a secure conversion. 13:55 < andytoshi> jtimon: you want to be able to easily bound the time-to-execute for scripts 13:55 < andytoshi> for a concatenative language maybe that is as easy as computing a tree height 13:56 < gmaxwell> andytoshi: only if you can describe an efficient arithemetic circuit for evaluating the concatenative language such that execution = tree height. 
This seems unlikely to me. 13:59 < jtimon> wouldn't those problems be solved with the instruction counter? 14:00 < tacotime_> Okay, I think it's starting to make sense. We have algorithm A, with non-arbitrary input I and output O. The proof takes input I_ro from a random oracle (hash function) and produces output O_ro using A(I_ro). We can then prove the execution of A(I) for some non-arbitrary input I. 14:00 < jtimon> btw, maaku, I don't think your message got to the concatenative group maybe you had to enter the tahoo group after all 14:01 < jtimon> http://groups.yahoo.com/neo/groups/concatenative/conversations/messages 14:01 < tacotime_> With some small amount of bytes using SNARK, because the proof is logarithmic in size? 14:01 < gmaxwell> jtimon: current constructions for snarks require costly preprocessing which is program generic but specific to the machine beging evaluated and specific to the length of execution. 14:03 < tacotime_> Is that the overall gist of what's going on? 14:03 < tacotime_> My background is in biochem, so sometimes I'm a little slow for CS stuff, forgive me. 14:04 < jtimon> gmaxwell I don't think I understood that, but I'm asking with the hope that those costly executions become cheaper in the future somehow 14:04 < gmaxwell> tacotime_: I'm not sure I followed what you were saying clearly enough there to agree or disagree. Another way to look at it is that program validation and program execution are not the same problem. Imagine making a transcript of a program execution you write down every instruction that gets run and then the state (memory, registers, etc) along the way. 14:05 < gmaxwell> The result is a transcript or sometimes called a witness 14:05 < andytoshi> jtimon: the other problem is that the preprocessing step has a security parameter which can be used for forging. 
this is a serious problem when there is one guy (the coin creator say) who is doing the preproccessing step, but it'd kill the scheme if everybody was doing their own preprocessing 14:05 < gmaxwell> If I give you such a transcript I can ask you if its valid, to tell if its valid you walk through the instructions and then check that the instructions match the rules e.g. that an ADD instruction updates the state in the right way. 14:06 < tacotime_> Right. 14:06 < jtimon> for those who are interested in this joyscript thing, this is the message that maaku (tried to?) send to the concatenative mailing list http://pastebin.com/5ScNX7vy 14:06 < gmaxwell> tacotime_: what all of this stuff is based on is that there exist ways of encoding the transcript so that if you only check a tiny portion of it, that you can become very confident that the whole transcript was faithful. 14:06 < jtimon> andytoshi, I see, like zerocoin's trapdoor 14:06 < andytoshi> yeah exactly 14:07 < tacotime_> Given some non-arbitary input? 14:07 < andytoshi> i had some vague ideas about using a variant of FHE to obtain the security parameter from a random oracle in a zk way (so provable nobody knows it) but i ran into serious conceptual problems when i tried to make these ideas concrete 14:07 < gmaxwell> for any input. well technically what you do is provide the inputs and 'outputs' as inputs and then the whole program just decides to accept (inputs agreed with the program) or not... e.g. convert it into a decision problem. 14:09 < tacotime_> Okay. 
14:09 < jtimon> and if anyone is more interested, I can forward what maaku has been discussing with an strong typed concatenative language expert (the guy who wrote that "why concatenative matters" article) [unless you maaku haave some objection to sharing it, which I doubt] 14:09 < andytoshi> basically, you want it to be verifiable that you actually got the security parameter from the oracle -and- you only used it for a specific circuit (zk-snark preprocessing) and couldn't have used it in a circuit which reveals the parameter 14:09 < andytoshi> but these two requirements conflict when you try to implement them in the 'obvious' ways it seems 14:11 < andytoshi> that is, if you tie the parameter to a specific circuit it's hard to make it random (it's hard to make it at all actually). and conversely if you want to make it random it's hard to tie it to a circuit, but if you don't then it's trivial to replace the circuit with one that reveals it, defeating the whole exercise 14:14 < gmaxwell> andytoshi: why can't you just pick a ciphertext input to the circuit at random (e.g. because you don't know the decryption key)? 14:17 < andytoshi> gmaxwell: to implement this "tie the input to the circuit" scheme, my thought was to make the key derivation depend on the circuit 14:18 < andytoshi> but when you do this, it becomes hard (or rather outside the things i'm aware of being possible) to create a decryption key without an encryption key 14:19 < andytoshi> the hope was, i could make the output-decryption key be "111111" or something which clearly has no input-encryption key. 
then i can put whatever i want as input and what the circuit sees will be random and unknown 14:20 < andytoshi> but it seems implausible that just using 111111 will get me a valid decryption key, since my key derivation is so complicated 14:21 < gmaxwell> I still don't understand how the reencryption used in bootstrapping FHE can even work at all, so that sort of leaves me powerless to speculate about how you can get unknown encrypted with known decryption key FHE. I think it would be very powerful and not just for this if its possible. 14:22 < andytoshi> ditto. i have been trying to meet with brent waters, who has published several papers with craig gentry about FHE, because i'm trying to seduce him into supervising me. but he's been out of the country a lot this semester. whenever i get ahold of him i'll bring this up and maybe he can speculate more intelligently 13:59 < gmaxwell> maybe someday when we add new checksig operators we'll make sure there is a sighash flag that leaves the input txid:vout out of the signature. It would make a number of refund cases much easier if that was possible. 13:59 < gmaxwell> (because then you could author the refund before authoring the payment) 14:00 < TD> yes 14:00 < TD> that would be nice 14:03 < iddo> hmm i thought that what's needed is that the txid hash doesn't depend on the signature of the txn ? 14:06 < gmaxwell> iddo: being able to not have a later signature depend on prior txids is more general, I think. 14:07 < gmaxwell> making the txid not depend on the signature removes malleability, while masking the input results in malleability indifference. 14:09 < iddo> i probably don't understand what's meant with "leaves the input txid:vout out of the signature" ? 14:09 < gmaxwell> A silly example of how masking the input is more general. I can compute a timelocked transaction that pays to me in 1 year. In the signature field I put in a nothing up my sleeve number. 14:09 < gmaxwell> Then I recover the applicable public key. 
14:09 < iddo> doesn't that mean something about the signature not depending all the data of the txn, instead of the txn hash not depending on the signature? 14:09 < gmaxwell> And author a transaction which pays funds to that public key. 14:10 < gmaxwell> iddo: we have flags in bitcoin to control what parts of the transaction that the signature depends on. 14:10 < gmaxwell> But the flags are not flexible to express "do not depend on the txid:index of the coin this signature is spending" 14:10 < gmaxwell> er not flexible enough. 14:11 < TD> iddo: see the contracts page on the wiki for an intro 14:11 < iddo> ok i'll look, thanks 14:39 < maaku> Mastercoin is looking for devs to hire fulltime (paid in fiat). 14:40 < maaku> I replied with "Mastercoin is a flawed concept and I have better things to do with my time" 14:40 < maaku> But maybe for someone else here it'd beat whatever your dayjob is 14:40 < maaku> Or maybe you can convince them to pay you to work on something actually useful. 14:41 < _ingsoc> Mastercoin is the Antichrist. There, I said it and I don't care. 14:43 < gmaxwell> I think the postive thing is that mastercoin isn't anything but a bucket of money, wrapped in marketing and hope. 14:43 < gmaxwell> So on the technical side it could probably become something substantially different from whatever it is they've been doing so far. 14:44 < _ingsoc> gmaxwell: Can it realistically mess with Bitcoin? 14:44 < _ingsoc> gmaxwell: The whole issue with dumping things into the block chain. 14:44 < gmaxwell> I expect if it survives it'll stop doing that. Thats what I mean by substantially different. 14:45 < _ingsoc> Right, I see. 14:45 < gmaxwell> its funding model made it competative with the bitcoin currency. Dumping data into the blockchain is very easily censored. 14:45 < _ingsoc> The name is stupid anyway. Great. Let's forgoe our fiat master for a new one. :) 14:45 < gmaxwell> Miners, who recieve bitcoin currency ... and not mastercoins .. 
have every incentive to censor it, and few to not do so. 14:47 < maaku> I would love to take that offer to implement Freimarkets, or even Bitcoin-X 14:48 < maaku> But mastercoin, specifically, serves no purpose and has no future 14:49 < maaku> and unfortunately they can't switch to something better and carry over the investment structure 14:49 < jgarzik> maaku, <shrug> perhaps today, but with a huge endowment I would not project that opinion into the future 14:49 < jtimon> bitshares seems a similar "money bucket", and they aren't obsesed with "it has to be in the bitcoin chain without modifying the protocol" 14:50 < jtimon> although they got a lot of funding and now they launch protoshares? I don't undesrtand 14:51 < pigeons> easier to launch another funding mechanism than implement a promised application 14:51 < gmaxwell> jtimon: do they actually have a lot of money? 14:52 < _ingsoc> Looks like they're just spending money left and right on whoever comes up with the promise of something. 14:52 < jtimon> I think so, that's what amir told me 14:52 < _ingsoc> gmaxwell: They do. 14:52 < gmaxwell> Protoshares seemed like it was an exit strategy for someone. 14:52 < _ingsoc> It's like 4k BTC? 14:52 < gmaxwell> But I've only been watching very lightly. 14:52 < jtimon> well, maybe it looked like a lot of money to me, I don't remember how much they got 14:52 < _ingsoc> That was a very long time ago. 14:53 < gmaxwell> okay, well, 4k btc is only a lot of money at a personal scale. (though I guess thats about the scale of mastercoins funds) 14:54 < _ingsoc> http://blockchain.info/address/1EXoDusjGwvnjZUyKkxZ4UHEf77z6A5S4P 14:54 < jtimon> I think is a substantial quantiy to fund development 14:54 < _ingsoc> That's them. 14:55 < jtimon> maaku do you think we could implement freimarkets with that? ;) 14:55 < jtimon> with what's left on the address, I mean 14:57 < jtimon> wasn't the exodus address a mastercoin thing? 
14:57 < _ingsoc> If maaku would listen to me we could do freimarkets and more, but he's too stubborn. :D
14:58 < jtimon> what's your plan?
14:58 < _ingsoc> Aren't you guys sitting on a few million now anyway with your own dev fund?
14:58 < jtimon> what dev fund?
14:58 < _ingsoc> I thought Freicoin had something set up like that.
14:59 < jtimon> oh, the funds that are going to be issued through the foundation? that's not ours
14:59 < jtimon> we want to experiment with issuance mechanisms that aren't as wasteful as mining
15:00 < jtimon> but we can't take such direct decisions
15:00 < jtimon> we should list freimarkets to receive donations here though: http://foundation.freicoin.org/#/donations
15:01 < _ingsoc> How does the foundation decide what to do? And who's the foundation?
15:01 < jtimon> the foundation is us and 3 other freicoiners
15:01 < jtimon> but the proposals for issuance mechanisms are discussed publicly in the forum
15:02 < _ingsoc> So it's your fund that you can't use without some mechanism?
15:02 < jtimon> yeah, we can't directly choose an amount and point a finger at a person to receive them
15:03 < jtimon> that's what was promised and the chain is auditable
15:03 < _ingsoc> Right, so you can put up a proposal for freimarkets and get it funded if there's support for it?
15:03 < jtimon> if we fail our promise people can hard-fork and cancel the foundation funds
15:03 < jtimon> yes
15:03 < _ingsoc> That's interesting.
15:04 < _ingsoc> It's too bad that we get tied into camps. If we were fluid, stuff would get done a lot faster.
15:07 < jtimon> yes, this is especially painful in local currency software
15:08 < jtimon> it's much simpler, but the efforts are even more divided
15:51 < iddo> anyone looked at bitshares or protoshares whitepaper? http://static.squarespace.com/static/51fb043ee4b0608e46483caf/t/52654716e4b01acd1ac8a085/1382369046208/MomentumProofOfWork.pdf
15:51 < iddo> seems like these guys never heard of cycle finding algorithms without space complexity blowup, like pollard's rho ?
15:52 < jtimon> I looked at bitshares paper a while ago
15:52 < maaku> gmaxwell: from what I can tell the bitshares people have convinced some investor to bankroll whatever they do
15:52 < jtimon> there's many people that believe all these anti-ASIC arguments
15:52 < maaku> it's not like they're sitting on a pile of irrevocable funds like mastercoin is
15:53 < gmaxwell> yea, also mastercoin funds are bitcoin.
15:53 < gmaxwell> it's possible that if bitcoin goes up further mastercoin will end up with an amount which is impressive even at an institutional level...
15:54 < maaku> jtimon: heh, we could implement freimarkets with private servers at 5% of what's left of the mastercoin bucket of money... and have a better, more robust system
15:55 < iddo> gmaxwell: did you see the claim in that bitshares pdf that birthday collisions are hard to find without space complexity, but easy to verify? it sounds wrong, because you can find collisions with cycle detection?
15:57 < gmaxwell> iddo: yup. We've talked about that here before.
15:57 < gmaxwell> There is a simple time memory tradeoff.
15:57 < iddo> ahh
15:58 < iddo> i think that this channel should be logged+archived too, like #bitcoin-dev :)
15:59 < nsh> +1
15:59 < gmaxwell> iddo: but ::shrugs:: when they first published their stuff I eviscerated their initial "memory hard" PoW, reducing it from 128MB to 8kb, complete with an implementation. And also a probabilistic version with no memory required... and I wagged my finger at them about novel crypto. And their response was to hastily rewrite it and claim that the old one (which had been slathered with marketing) was "just a placeholder"
15:59 < gmaxwell> And after that point I decided I was never again going to do any technical analysis of their stuff.
16:00 < iddo> i see:)
16:00 < iddo> that whitepaper has wild claims that they don't try to back up
16:07 < pigeons> gmaxwell: i don't know the details but the new version of the PoW actually released which was supposed to require lots of memory usage already has custom mining software out for it bypassing the need for all that memory
16:08 < pigeons> so yeah, no reason to take them seriously
16:08 < pigeons> now the principal Larimer is in favor of GPU mining
16:09 < gmaxwell> My impression was that they felt they had to invent novel crypto for pure marketing mumbojumbo purposes.
16:09 < pigeons> because his alternative is botnets/AWS
16:09 < gmaxwell> lol, I believe I made that point to them previously.
16:09 < gmaxwell> (I've certainly made it before)
16:09 < pigeons> yes lots of pure marketing mumbojumbo over there
16:13 < iddo> pigeons: why is AWS bad?
16:14 < pigeons> iddo: i'm not making a judgement on it
16:15 < pigeons> there are trade-offs as far as accessibility and decentralization to all the approaches
16:32 < tromp__> that doesn't work for random memory access, maaku
16:33 < maaku> tromp__: it absolutely does. an integrated system-on-chip would always be more efficient than having external interconnects
16:34 < jtimon> I still don't understand the goal, and it's sad for me to see so many smart people dedicated to something I consider a complete waste of time
16:34 < tromp__> pls explain how you'd implement pointer chasing on a die
16:34 < maaku> and because of heat dissipation and power issues, it may even end up having asic vs. gpu/cpu be an even *larger* performance jump than sha256
16:35 < tromp__> the goal is a pow constrained by memory latency
16:35 < jtimon> but why?
16:35 < maaku> tromp__: the same way you do on a cpu, but put the cpu + memory on the same die
16:35 < maaku> so, no need for an interconnect (except at the gate level inside the chip)
16:36 < jtimon> why do you think that "pow constrained by memory latency" is any better than SHA256?
16:36 < jtimon> you have to think it's somehow better if you're spending your time on it
16:37 < tromp__> because commoditized hardware gets optimized partly for low latency
16:37 < jtimon> how would bitcoin be better by replacing SHA256 ASICs with cuckoo ASICs ?
16:38 < jtimon> "[I'm missing a claim here] because commoditized hardware gets optimized partly for low latency"
16:38 < tromp__> i expect cuckoo asics will be way harder to develop
16:38 < tromp__> way harder than scrypt ones
16:39 < jtimon> tromp__ harder to develop means fewer companies doing it, no? how does that help centralization?
16:39 < tromp__> i think you overestimate the feasibility of putting many GB of memory with embedded cpus on a die
16:40 < jtimon> no, I believe that making a cuckoo ASIC will be harder
16:40 < tromp__> i think commoditized hardware will remain competitive
16:40 < jtimon> I just don't see the point of making pow ASICs hard to develop
16:41 < jtimon> you want GPU mining to be competitive with ASIC mining?
16:41 < tromp__> sure
16:41 < jtimon> because there's many companies building sha256 asics but only two making GPUs?
16:42 < tromp__> no, because it's commoditized
16:43 < jtimon> "it's commoditized" is starting to sound like "mongodb is web-scale", as if that was something inherently good or something
16:43 < jtimon> I'm confused
16:44 < jtimon> you prefer only two companies, namely ATI and nVidia, producing most of the mining equipment "because it's commoditized"
16:44 < jtimon> ?
16:45 < tromp__> because everyone can easily buy a pc that can mine competitively
16:45 < jtimon> even if GPUs could be competitive with ASICs at all, I don't see the point
16:45 < tromp__> mining is no fun if you need to invest tons of capital preordering asics that will quickly become obsolete
16:45 < jtimon> tromp__ buying sha256 asics is now relatively easy and will only become easier
16:46 < maaku> tromp__: mining isn't about having fun...
16:46 < jtimon> at some point asics will stop "getting obsolete" so fast
16:46 < tromp__> i don't want to have the asic vs commodity hardware discussion right now
16:47 < maaku> tromp__: it'd be great if you could have a pow function that really did benefit from general hardware
16:47 < maaku> but that's rather impossible
16:47 < tromp__> there are many people who want a pow for which asic advantage over commodity hardware is minimized
16:47 < jtimon> ad populum
16:48 < maaku> tromp__: minimizing the asic advantage makes the situation worse off!
16:48 < tromp__> and for them, cuckoo seems like the best option
16:48 < grazs> so the best PoW algorithm would be cryptographically secure, cheap to produce, easy to replicate, hard to improve, add additional value (like curing cancer), distributed as evenly as possible, hard to deanonymize the result and be cheap to verify?
16:49 < jtimon> and I still wonder why they would want such a thing
16:49 < maaku> either make general hardware *exactly equal* to custom hardware (impossible in practice), or make the asic advantage *as great as possible*
16:49 < gmaxwell> jtimon: maximum return from botnets, of course. :P
16:49 < jtimon> grazs add additional value (aka curecoin) is very different, I'm all for that
16:50 < sipa> curecoin?
16:50 < maaku> grazs: not to mention progress-free, and all the other things I'm too distracted to think of which PoW requires
16:50 < jtimon> sipa there was a group collecting bounties and distributing them to people folding@home
16:50 < sipa> ok
16:50 < grazs> maaku: yes, think I included that with 'hard to improve'
16:52 < tromp__> anyway, thx for the "feedback"; i'm gonna have a little break now
16:52 < tromp__> afk
16:52 < jtimon> btw I actually liked charlee's intervention
16:53 < sipa> ?
16:53 < maaku> jtimon: well additional value is only good so long as it can't be monetized...
16:53 < jtimon> there were some stupid arguments I expected
16:54 < jtimon> and it was funny how he started to answer the question "What was your motivation for creating litecoin? When I created litecoin there were already other alternatives, but those were created by other people."
16:55 < jtimon> but overall good, I don't really think he went too technical, he even explained colored coins
16:55 < grazs> spoken like a tru playa
16:56 < jtimon> maaku would seti pow be monetizable?
16:56 < grazs> no
16:56 < grazs> seti isn't a pow, it's just work
16:57 < jtimon> yes, I mean a hypothetical seti-based pow
16:58 < jtimon> not that SETI is the most useful thing for humanity in the world, but still better than hash collisions or prime numbers I think
16:58 < maaku> jtimon: someone could pay money per work unit completed, as a way of 'donating' to the seti project
16:58 < grazs> results held ransom until you send seticoins to the coming coinbase
16:59 < maaku> more generally, if it was a general BOINC proof-of-work, it's easy to see how you could set up monetizable tasks
16:59 < jtimon> maaku, yes, I think that's simpler and I would like the foundation to do that
17:00 < jtimon> maaku, you said it yourself, they have to be hard-to-monetize tasks
17:00 < maaku> well, if/when freimarkets is completed it's a rather simple matter to issue assets based on the BOINC point system
17:00 < jtimon> no, general BOINC
17:00 < jtimon> maaku, yes I remember that plan
17:01 < jtimon> and gamers could make money with their GPUs again! everybody happy
17:04 < jtimon> btw, on the hearings, it is curious how so many people think that the blockchain's "main advantage" is somehow "cheap transactions", completely ignoring the big subsidies we have
17:05 < gmaxwell> jtimon: yea, "so you're telling me that your _global broadcast medium_'s value is that it's cheap?"
17:06 < jtimon> off-chain credit transactions will always be cheaper, this is just trustless
17:06 < jtimon> although irreversible actually makes transactions cheaper
17:06 < jtimon> and fees non-proportional
17:16 < grazs> jtimon: what are these subsidies?
17:18 < sipa> grazs: mining subsidy
17:18 < sipa> grazs: our preset inflation that basically pays for the system's security
17:19 < grazs> sipa: ah, oh yes ofc
17:21 < maaku> you know, just $127,500 per hour
17:21 < maaku> nothing big
17:45 < andytoshi> who can be said to have invented POW? was it adam or hal?
17:46 < andytoshi> i don't mean that to be an exhaustive list; english 'or' is ambiguous that way..
17:47 < gmaxwell> andytoshi: https://en.wikipedia.org/wiki/Hashcash
17:50 < gmaxwell> Am I the only person in here who ever used Hal's RPOW system?
17:50 < gmaxwell> I wonder if I can find some tokens from it.
17:51 < tromp__> this related work predates hashcash by 5 years: http://en.wikipedia.org/wiki/Memory_bound_function#Using_memory_bound_functions_to_prevent_spam
17:52 < maaku> it's not a proof of work though
17:54 < maaku> dwork and naor didn't have asymmetric validation times, which is the important innovation, I think
18:05 < jron> gmaxwell: I downloaded the source yesterday and assumed I was the only one who ever did that :P
18:07 < gmaxwell> jron: oh well it's long since dead as far as I know... or is hal's server back up again?
18:08 < gmaxwell> I downloaded it and used it and talked to hal about it some back when it was new... had suggested some improvements and he tried to talk me into making a GUI for it. :)
18:10 < jron> I just got an urge to check it out after reading a story about him and his wife. I never compiled it/executed it.
18:13 < midnightmagic> tromp__: Adam Back has a very nuanced understanding of the origin of POW-like mechanisms/concepts and their history, including an extremely detailed response to an edit I made on the bitcoin.it wiki where I was wrecking Steve Gibson's video explanation of bitcoin. It's very fascinating if you can ever corner him somewhere.
18:13 < gmaxwell> you mean like in here where he talks almost every day?
18:13 < midnightmagic> oh is that him?
18:13 < gmaxwell> hahah
18:13 < midnightmagic> jesus
18:13 < gmaxwell> Yes.
18:13 < jron> hehe.
18:14 < midnightmagic> Well how am I supposed to know these nicknames, I live in the frozen north *grumble grumble*
18:14 < midnightmagic> Sorry Adam.
18:14 < gmaxwell> there are certainly differences in the requirements for anti-spam applications and consensus POW.
18:14 < gmaxwell> e.g. progress freeness is probably not really important for anti-spam.
18:14 < jron> midnightmagic: you might enjoy the interview he recently did on letstalkbitcoin.
18:15 < midnightmagic> ah yes I believe I will. He was very generous with his time in his emails with me.
18:16 < midnightmagic> aaargh produced by antonopoulos
18:17 < jron> midnightmagic: it was still enjoyable =)
18:17 < tromp__> midnightmagic: i would love to have adam's feedback on cuckoo cycle
18:17 < midnightmagic> :)
18:19 < gmaxwell> oh apparently BFL's 28nm stuff has a test chip running now.
18:11 < petertodd> see, I'm thinking that the fact that a child block was found would be known from examining *just* the parent blockchain, IE, put the child blockheaders in the parent blocks
18:12 < arbart> makes sense, it is a worked on (child) block with provable difficulty, some hash of it in the parent blockchain, something like that right?
18:13 < petertodd> yup, and importantly, by just examining the parent blockheaders+part of the blocks, you can come to consensus about the state of the child blockchain without knowing what the actual blocks are, just like SPV mode in bitcoin
18:14 < petertodd> and remember that miners who don't care about the particular child chain aren't checking the contents of the child chain's blocks, only that the child blockheaders are valid
18:15 < arbart> it's like sharding but in bitcoin, i really like it
18:15 < petertodd> well, it sounds good... but there's a nasty problem with what I've described: What happens if a child-chain miner mines an invalid block, or mines a block and never gives anyone the actual block data?
18:16 < petertodd> Remember, we said the rule was that once the blockheader met the parent chain difficulty, it went in that chain and locked in that version of history so that we had 50% attack security rather than just 25%
18:17 < arbart> yes, i often wonder about that (the data block, where is it published? a concurrent distributed datastore?)
18:17 < petertodd> Excellent question! It's only "published" by giving it to other miners, there's no central place where a block goes.
18:18 < petertodd> So here we've accidentally created a system that grinds to a halt if a blockheader gets in the parent chain - with full difficulty - but the block itself never gets distributed. Oops!
18:18 < arbart> i see, it is provable and thus accepted, but then missing
18:18 < petertodd> yup
18:18 < arbart> arg :/
18:19 < petertodd> However, we can fix this, with what I call a challenge: Mine another full-difficulty block that basically says "OK, I want this tx to be mined, and it spends these txouts. Prove that either the tx has been mined in the child chain, or that it's invalid. If you do neither, then we relax the rules and let the child chain get reorganized anyway."
18:20 < petertodd> Or, equally the challenge could be "Where the !@#$ is block n? Stick it in this chain so we can all see it, and if you don't, we get to reorganize the chain."
18:21 < arbart> Oh, I get it now :)
18:21 < petertodd> With either version of the system (or both!) you still get the property that reorganizing the chain is hard *if* enough child-chain miners actually have the data - they can easily meet that challenge.
18:22 < petertodd> If the data gets lost somehow, or hidden maliciously, or whatever, then at least the system can recover and move on.
18:22 < petertodd> With the former version, where you can force a tx to be mined, you can always pay something like 2x the fees to get a tx mined even if some >25% attacker is trying to make the chain useless with empty blocks - not perfect, but better than nothing.
18:23 < petertodd> And of course, once you imagine a parent with two children... you can recurse this as deep as you want for as many tx's/second as you want.
18:24 < arbart> I was thinking recursive the whole time :)
18:24 < petertodd> hehe, good
18:25 < arbart> so who issues the challenge block? what basic condition triggers it?
18:25 < petertodd> Anyone can by mining a block meeting the parent PoW difficulty with the special challenge data in it.
18:26 < petertodd> Now, I'd expect that in a working implementation, you'd just make it possible for the 75% majority to see "Hey! Someone really wants a tx mined! Let's make it into a challenge."
18:32 < arbart> A challenge block would just have additional challenge code in it, so the miner is not forgoing tx fees and such?
18:33 < arbart> I do understand the tree-chain part itself and think it is a great idea.
18:33 < petertodd> Good question! I dunno exactly - challenges in themselves are probably possible to use in certain types of attacks. I mean, heck, you're forgetting the even bigger question of "How do I turn this crazy thing into a useful currency transaction system?"
18:35 < petertodd> For instance, can a tx on child left-left-left spend a txout from child right-right-right? Probably, with succinct merkle-path proofs. (like the (U)TXO stuff that people are working on) But what happens on a re-org? Didn't that just cause inflation?
18:35 < petertodd> (specifically double-spend inflation)
18:36 < arbart> This thing? are you referring to Bitcoin? I think it already is :) Tree-chains would augment it to enable killer apps beyond our imagination.
18:36 < petertodd> arbart: Or if not that, to enable killer headaches beyond our imagination. :P
18:37 < arbart> So tree chains might change the nature of Bitcoin as it is? I assumed txs would be rejected if they added inflation. But I think what you are raising then is things like that that would require checking the data? :)
18:38 < petertodd> Ah, but how does the miner on right-right-right know that spending a txout on left-left-left added inflation? Remember, they don't have the blockchain data, they just have a SPV-style proof that the txout existed and was spent.
18:39 < arbart> Yes, I'm seeing what you mean.
18:42 < petertodd> Heh, tough problem 'eh? I've got some ideas, but I'm not sure you can come up with a scheme that makes such systems have transactions as simple as bitcoin.
18:43 < petertodd> But anyway, given I seem to be able to explain it to some random passerby, it's an idea probably good enough to write up and publish. :) So thanks!
18:45 < arbart> It is indeed. If there was a clean recovery from missing blocks you mentioned, and an easy way for an arbitrary node to get any blocks in between two points (so alice on right-right-right, bob on left-left-left) in order to verify the merkle-path proofs and all :), that would solve inflation and make it no different than bitcoin as is (well, an evolution, so hard fork as in new version of client, but not incompatible)
18:45 < petertodd> arbart: Crazy thing is you can probably do this as a *soft-fork* even!
18:45 < arbart> If you have it as a pet idea, do you think it is possible? or just interested in mentally checking every so often? :)
18:46 < petertodd> Well remember, the problem isn't getting the blocks, the problem is prohibiting those blocks from getting reorganized, and the txouts getting respent elsewhere.
18:47 < petertodd> Fundamentally the system just doesn't have full consensus, and without that it's hard to prevent double-spends.
18:47 < arbart> I was kinda thinking that as you described it. It could be phased in and if not affecting inflation or security, etc, would be accepted as simply a new version that enhances tx scaling.
18:47 < arbart> I see, possible friction :)
18:49 < petertodd> Yup. Now one possible solution is to move coins around in steps: IE, make left-left-left miners also be forced to mine right-right-right blocks in some pattern, and then move value through that path... but that's inconvenient and takes a long time.
18:49 < arbart> I see, and what bitcoin does is solve the double-spend. I agree that is not something to compromise.
18:50 < petertodd> Yes, although at least we did figure out how to solve double-spending locally and hierarchically. For instance, I could have a transaction spending some 1/4-value token and some 1/2 value token in a parent chain, where the 1/4 value move can only happen if the 1/2 value one does. (but not the other way around)
18:51 < petertodd> Also interestingly, if you have a scheme of binary-sized tokens Adam Back pointed out awhile back that you can easily wind up with something pretty much as private as zerocoin.
18:51 < arbart> Oh that is interesting
18:51 < petertodd> Tokens are kinda inconvenient, but it's a possibility.
18:52 < petertodd> Also, keep in mind that the system as described has inflation as the failure mode, that's still better than "your tx got reversed and your money vanishes"
18:54 < arbart> Oh I see, interesting. I suppose as long as it is not really possible to purposely cause it in meaningful amounts as an attack.
18:55 < petertodd> well, it's still an attack on the system, arguably, but not an attack on an individual, arguably
18:56 < arbart> Yes, it does seem to eliminate the individual attack.
19:04 < arbart> petertodd: So the current alternative you mentioned many times :) is the trusted third-party. That is something like a (logical/trust) network of web wallets?
19:06 < petertodd> arbart: off-chain tx's? it's a third-party, although the nature of the trust involved depends on how you do it
19:09 < arbart> Actually, I just realized, the third parties wouldn't have to trust each other... just trust the math of the bitcoin-nanopayment?
19:10 < petertodd> Sure, but getting acceptance for that is a social problem.
19:12 < arbart> Heh, totally. My thought was the probabilistic payments might not be accepted by the average joe, but perhaps it could work for bitcoin banks to settle with each other without needing to exchange records to settle balances (without them all being separate bitcoin txs),
19:13 < gmaxwell> micropayment channels are better for that.
19:14 < arbart> But what are the existing ideas? https://npmjs.org/package/bitcoin-nanopayment is now the closest one I know thanks to visiting here just now :)
19:14 < petertodd> arbart: ah, yeah if you're talking banks u-payments work well. Or ripple actually.
19:15 < arbart> I think it needs to work with bitcoin. Inflation proof.
19:17 < arbart> petertodd: I meant bank as a concept, even if it were a computer algorithm running somewhere.
19:17 < petertodd> arbart: inflation proofing third-party balances is pretty easy actually - you can always have the bank prove your balance is backed by real bitcoins
16:06 < andytoshi> we were able to specify it, then my girlfriend rosemary found a reduction to the partition problem, which means that it's NP-hard in general to detect whether a transaction might be a cj
16:06 < nsh> (well, it was a maximal-matching over bipartite graph)
16:06 < andytoshi> which is bad, because we wanted to know "how much" of a coinjoin the transaction might be
16:06 < nsh> right
16:07 < andytoshi> so we settled on just looking at the most popular output size and counting the outputs of that size to estimate the maximum possible # of participants, which is an awful estimate
16:07 < nsh> so was the intuition that there is a measure of coinjoin-iness unfounded?
16:07 < gmaxwell> hm? there is a measure. It's just potentially hard to compute.
16:07 < andytoshi> nsh: no, we were able to make the intuition pretty solid. we wanted to measure the amount of information an attacker gains by knowing the exact form of the join
16:07 < nsh> ah, right
16:07 < gmaxwell> though I assume that it's trivial in practically all cases.
16:08 < gmaxwell> I think though we also realize that if you relax the form slightly and allow one coinjoiner to be paying another then the amount of information gained is far far lower.
16:08 < nsh> hmm
16:08 < andytoshi> yeah, i think we landed on that destroying pretty-much all information since your output owner-set could be completely unrelated to your input owner-set
16:09 < andytoshi> well, that's not quite true
16:10 < andytoshi> i guess in general it is because some participants could be paying several people at once.
16:11 < gmaxwell> if you have some sparsity requirement you still gain information, but it's far less... I didn't bother thinking about a formal statement of the sparsity requirement in order to figure out how much less.
16:11 < nsh> is there a practical way to allow participants to negotiate paying for each other to decrease the derivable information?
16:12 < helo> ~ripple?
16:12 < nsh> hmm
16:12 < andytoshi> but otoh, for the joins that we've been doing with my client, everybody is just paying themselves and we have a ton of round outputs alongside N ragged ones. obviously the ragged ones are the change outs and this tells the attacker how many participants there are. and then you can guess which inputs are owned by the same people, and this makes your analysis way easier
16:13 < gmaxwell> (sparsity: each person is paying either 1 or 2 people (potentially but not necessarily including themselves), each output is being paid by 1 or 2 people (again), etc)
16:14 < nsh> i wonder how much correspondence there'll be between this and the zerocash "pouring" dynamics
16:20 < michagogo|cloud> gmaxwell: How far in does ..._1.ts start?
16:20 < gmaxwell> I'm not sure, basically as long as it took me to figure out how to save the data!
16:20 < gmaxwell> someone who actually saw it might be able to tell you.
16:20 < gmaxwell> looks like it's over?
16:25 < c0rw1n> you have the capture gmaxwell?
16:26 < gmaxwell> https://people.xiph.org/~greg/bitcoin_ny_hearing_3.ts is the afternoon session, and this one is complete from start to end.
16:26 < c0rw1n> ok thx :)
16:27 < michagogo|cloud> gmaxwell: So you don't know how much is missing prior to the start of the first file?
16:29 < gmaxwell> No, but for the sake of improving my communications skills, can you help me understand what ambiguity I left in my initial answer to that question?
16:30 < gmaxwell> phantomcircuit: so you say there is archived footage someplace?
16:30 < phantomcircuit> gmaxwell, it's available at the same link as the live video
16:30 < phantomcircuit> http://www.totalwebcasting.com/view/?id=nysdfs
16:33 < jtimon> wget + vlc seems to work just fine, thanks again gmaxwell
16:34 < andytoshi> +1 jtimon, thanks gmaxwell!
16:35 < jtimon> justanotheruser andytoshi I think retroshare does what you want by establishing a F2F network
16:35 < andytoshi> what does f2f stand for?
16:36 < c0rw1n> friend-to-friend
16:36 < jtimon> yep, it's basically a pgp web of trust
16:37 < jtimon> with chat, messages and file sharing
16:37 < gmaxwell> foe to foe network.
16:37 < c0rw1n> foe to foe, that's botnets ddos'ing each other?
16:38 < nsh> ("Old English gefa 'foe, enemy, adversary in a blood feud' (the prefix denotes 'mutuality'), from fah 'at feud, hostile,' from Proto-Germanic *fakhaz)
16:39 < phantomcircuit> retroshare seems like a reasonably good idea
16:39 < phantomcircuit> except i haven't seen anybody break anything on it yet
16:39 < phantomcircuit> which probably means nobody has looked very hard
16:40 < maaku> phantomcircuit: would be even better if they had a group of strong cryptographers looking at it
16:40 < maaku> they're mostly reusing PGP, so if they're even reasonably competent it's probably not horribly broken
16:40 < jtimon> I think the worst part is getting people using it so you're actually not an island in that f2f network...
16:41 < maaku> but that said, I'm not sure PGP is the right construct to use...
16:42 < jtimon> gpg ?
16:43 < phantomcircuit> maaku, doesn't provide for forward secrecy
16:43 < phantomcircuit> there's no reason for a f2f network not to have pfs
16:43 < maaku> jtimon: what phantomcircuit said
16:43 < maaku> deniability, perfect forward secrecy, etc.
16:44 < maaku> PGP is ideal for on-the-record, or point-to-point encrypted email
16:44 < maaku> not really designed for social networks...
16:44 < maaku> which is unfortunate - i wish there was an active #retroshare-wizards community
16:44 * jtimon is reading wikipedia's article on forward secrecy
16:45 < gmaxwell> maaku: I use PGP more than most people, and I can only think of three or four times when the non-repudiation it creates was desirable, and a bunch of other times where it was a liability.
16:46 < maaku> gmaxwell: is it possible to do non-repudiation over a store-and-forward, non-interactive medium?
16:46 < gmaxwell> yes. sure.
16:47 < gmaxwell> you mean non-non-repudiation and the answer is still sure.
16:47 < maaku> er, yeah
16:47 < gmaxwell> e.g. just do ECDH with your pubkey and mine, and we have an encryption key which authenticates the channel but in a non-transferable way.
16:47 < gmaxwell> forward secrecy is a bit harder, but can be done.
16:49 < andytoshi> gmaxwell: how is that ECDH auth nontransferable?
16:49 < gmaxwell> E.g. the dumbest way to get forward secrecy is I just generate one pubkey for each month from now till my key expires 10 years from now, and concat them... and then as each month goes by I destroy more of the private key... this is functional but kinda daft.
16:49 < gmaxwell> andytoshi: because you can simulate it without my cooperation.
16:50 < gmaxwell> andytoshi: e.g. I give you my private key and a message encrypted with a session key generated with my private key and maaku's public key. How do you know maaku wrote it and I didn't just make it up?
16:50 < andytoshi> oh, thx, i gotcha
16:51 < andytoshi> i was just being daft. my brain is not working properly today it seems..
16:52 < gmaxwell> Smarter non-interactive forward secrecy can be done using identity based encryption. E.g. you make an IBE master key and use it to generate your zillion future private keys, but then your public key is just the IBE master public key. You destroy the IBE master private key... and the ephemeral IBE keys as you go. This has the advantage of making the public key the same size as a regular ECC public key.
16:52 < gmaxwell> (though your private data is large)
16:53 < gmaxwell> There are some IBE based schemes that eliminate the requirement to do precomputation of the ephemeral private keys, but I dunno how they work, just saw papers on them. (sadly most of these papers are not written in comprehensible english... so actually sorting out what they're doing takes more work than justified unless you need the result)
17:06 < phantomcircuit> andytoshi, the key is that you know maaku wrote it because you didn't forge the message, but anybody else can't prove that he did because you could have forged the signature
17:23 < maaku> in other words, you can only prove authorship is maaku OR andytoshi
17:24 < gmaxwell> maaku: not even, you prove that the author had help from maaku or andytoshi (or anyone who has one of their private keys, which anyone who verifies it needs to have)
17:24 < andytoshi> nice! i'm passingly familiar with the concept but i've never seen a simple example
17:25 < gmaxwell> a ring signature lets you actually do "authorship is maaku OR andytoshi" in a publicly verifiable way, which can be useful in that space too.
17:25 < maaku> doesn't OTR also have some sort of construction such that after the fact some secret is revealed letting anyone construct fake transcripts?
17:26 < gmaxwell> maaku: yea, so what OTR does is use separate keys for authentication and encryption, and intentionally leak the auth keys once they're used. Then it includes a tool to let you create forged transcripts.
17:27 < gmaxwell> But really, that's kinda unnecessary, the security properties are achieved even without it. But it does make it easy to make demonstrations that transcripts prove nothing.
17:29 < michagogo|cloud> 23:50:29 <gmaxwell> andytoshi: e.g. I give you my private key and a message encrypted with a session key generated with my private key and maaku's public key. How do you know maaku wrote it and I didn't just make it up?
17:29 < michagogo|cloud> gmaxwell: is that what you meant to say?
17:30 < michagogo|cloud> ("give you my private key")
17:30 < gmaxwell> yes.
17:30 < michagogo|cloud> okay
17:31 < gmaxwell> If I don't give you my private key, even telling if the session key is a result of a maaku+me key agreement is the decisional DH problem and is believed to be intractable in a suitable group.
17:37 * michagogo|cloud assumes that in such a case you'd be using disposable privkeys?
15:32 < petertodd> nsh: seems to work, needs unittests with test-cases derived from something else though
15:32 * nsh nods
15:33 < nsh> on github?
15:33 < petertodd> Emcy: 200A service is fairly common, which is 24kW in theory
15:33 < gmaxwell> petertodd: per phase.
15:33 < petertodd> nsh: not yet, but I can if you want to
15:33 < gmaxwell> 'phase'
15:33 < gmaxwell> Emcy: 160 and 200amp breakers (at 240v) is pretty typical. so about 40-48KW.
15:33 < petertodd> gmaxwell: oh right! so double that for US-style wiring
15:33 < nsh> well, no rush on my part, but i'd like to see it whenever
15:33 < petertodd> nsh: if you can come up with a source of test cased that'd be great!
15:33 < petertodd> *cases
15:33 * nsh nods
15:34 < petertodd> Emcy: basically, you can easily spend ~$5/hour on electricity :)
15:34 < Emcy> you have a special 240v circuit?
15:35 < petertodd> Emcy: all us-style-wiring houses do actually
15:35 < nsh> people would draw ridiculous currents with massive over-the-top christmas lighting set-ups, before LEDs replaced a lot of the incandescent bulbs
15:35 < gmaxwell> Emcy: in the US our power is really 240v but wired with a center tap on the transformer so you can get 120 or 240 volts depending on how you're wired up.
15:35 < petertodd> Emcy: basically you have two 180 degree out of phase circuits referenced to ground, so 240V across the two
15:35 < Emcy> interesting
15:36 < gmaxwell> There are three lines down from the pole, Hot, Neutral, Hot, and between the two hots you have 240v. Between any hot and the neutral you have 120v.
15:36 < petertodd> Emcy: norway (?) and a few other countries routinely run three phase into the home actually, so that's three 120deg out of phase wires
15:37 < Emcy> we have an earth pin instead ^^
15:37 < gmaxwell> Big appliances (electric stoves and dryers and air conditioners) are wired on 240v, the rest is usually wired up to 120v.
15:37 < petertodd> Emcy: no, everyone has earth (nearly)
15:37 < Emcy> your plugs have 2 pins, so i assumed everything is double insulated
15:38 < petertodd> Emcy: earth is for safety, not for current
15:38 < gmaxwell> Emcy: we have an earth pin too. (and usually the neutral is also tied to earth, but some distance away, so it's not a great earth ground on its own)
15:38 < Emcy> lots of UK stuff has a dummy earth pin
15:38 < petertodd> Emcy: US does that too, it's just an engineering decision as to whether to use the earth pin or not to meet the safety requirements
15:38 < gmaxwell> (also if the neutral comes disconnected at the pole, all your appliances end up in series in between the 240v, and the neutral becomes electrified relative to ground, and bad things happen like fire. :P )
15:39 < petertodd> Emcy: pretty much anything with a metal case exposed to the user will use it as that makes it easy to keep the case at zero potential, but exceptions apply in both directions
15:39 < Emcy> two phase seems complicated for domestic wiring tbh
15:39 < Emcy> over here we have 30A cooker circuits for the big stuff but that's it
15:39 < petertodd> Emcy: nah, it's really simple actually, and makes meeting safety specs easier
15:40 < adam3us> so yes well i picked malta for a reason (very scientific, spreadsheet involving a dozen factors and it came out on top for my preferences) i used to live in montreal for 3yrs when i was at ZKS, it's not bad; i also spent time in zurich, my mom is from there, I like it a lot
15:40 < adam3us> apropos of telecommuting locations. have been doing it in malta >5 yrs now :)
15:40 < gmaxwell> adam3us: I wasn't aware of that, but I had the impression that your decision to live there was carefully considered.
15:40 < petertodd> Emcy: see, you guys have 240V to earth, so you need 240V-rated insulation, while we get away with just 120V insulation yet get the same advantage of 240V for high power stuff
15:40 < Emcy> and i've never understood how neutral is thus called when it will happily kill you dead too
15:41 < petertodd> Emcy: thing is, as it turns out 240V insulation safety isn't that hard, so just using 240V would be ok too - but that's not changing now
15:41 < Emcy> petertodd that makes sense
15:41 < petertodd> Emcy: you guys have neutral too actually
15:41 < Emcy> yes i know, it's the blue one. But it's still hot
15:41 < petertodd> Emcy: yes and no. it's only hot in the sense that it *can* be hot
15:42 < petertodd> Emcy: like, if you touch neutral, 99% of the time you'll be fine, but if you touch earth, 99.999% of the time you'll be fine :)
15:42 < Emcy> i like those odds :D
15:42 < gmaxwell> petertodd: well if it's not really well bonded to ground it may often have some residual potential.
15:43 < gmaxwell> e.g. neutral in my dad's house was often 30 volts relative to a good earth ground and electronics whose cases ended up connected to neutral would arc against stuff.
15:43 < Emcy> i've gotten a smack off an earth pin before. I learned about PD
15:43 < petertodd> gmaxwell: exactly, and even if it is there's some voltage due to voltage drop
15:43 < adam3us> gmaxwell: from your skimming the delayed private key gen IBE seems interesting did u get the impression that could do the one of the NIFS sub-problems of having the private keys be in some sequence so you could compute forward but not backward? any idea of the hardness assumptions more or less conservative than weil-pairing?
15:43 < Emcy> i've gotten a smack off a tv tube too :(
15:43 < petertodd> Emcy: yeah, those are dangerous...
15:43 < petertodd> Emcy: you could have easily been killed there
15:43 < Emcy> yes
15:44 < Emcy> it wasn't even plugged in, just charged
15:44 < petertodd> Emcy: the problem with electric shock is parts of your body can withstand *much* higher currents than others - like any time you even feel a shock, that's actually enough to stop your heart, but 99.9% of the time the current isn't in the right place
15:44 < Emcy> from memory it's 30mA across the heart
15:44 < petertodd> Emcy: so people get complacent when nothing ever happens, when in reality nothing happened only because the current bypassed their heart
15:44 < gmaxwell> adam3us: I didn't contemplate it. I was mostly trying to figure out if I could make the data smaller. Do you see a big need for forward only? My thinking is that sending a new key for every block/day whatever isn't a big overhead... and we actually want a filtering node to stop filtering when we're not connected.
15:45 < Emcy> and skin resistance is 40v or so dry
15:45 < petertodd> Emcy: more like 1mA directly applied to the heart IIRC
15:45 < Emcy> i was taught to work with one hand wherever possible :)
15:45 < petertodd> Emcy: 40V is a voltage, not a resistance :) but yeah, <48V tends to be safe pretty much wherever due to skin resistance
15:45 < petertodd> Emcy: however, something as simple as a probe cutting into your skin can lower the resistance enough to get you killed
15:46 < petertodd> Emcy: very good advice
15:46 < andytoshi> petertodd: i think he means there is a breakdown voltage of ~40v. i have heard this too but i don't think it's true
15:46 < Emcy> i mean ~40v before a bad current gets going
15:46 < Emcy> but you're right, humans are not zeners lol
15:46 < petertodd> andytoshi: it's very true, well-documented cases of that
15:47 < adam3us> gmaxwell: not strongly interesting for bitcoin reusable addr i guess. fwd-secrecy i was just noticing in passing the other day could have some nominal value perhaps like if your disk got compromised, you couldn't even correlate your own old tx never mind help a full node do it :)
15:47 < petertodd> andytoshi: medical power supplies are orders of magnitude better isolated because of that - even static shocks can be life threatening when your chest is opened up
15:47 < Emcy> hmm that's a point
15:47 < petertodd> Emcy: yeah, but fortunately, when your chest is opened up normally you're in the best possible place to get a heart attack :)
15:48 < andytoshi> psh. i always keep my chest open for easy maintenance
15:48 < petertodd> Emcy: the real safety concern there is actually that anaesthetic gases are often flammable
15:48 < Emcy> petertodd hell some treatments require it lol
15:49 < gmaxwell> petertodd: did you know that conman is an honest to god anesthesiologist? I'd thought the whole putting people to sleep thing was incompatible with his temperament, but now that you mention the flammability. :P
15:50 < petertodd> gmaxwell: lol! is that the same guy that's a kernel dev?
15:50 < adam3us> about the non-transferable sigs (in store-and-forward comms) various permutations ian brown & I wrote some basic ideas for pgp http://www0.cs.ucl.ac.uk/staff/I.Brown/nts.htm gmaxwell explained it fine above Ian even drew pretty pictures.
15:50 < gmaxwell> yes.
15:51 < petertodd> gmaxwell: sheesh, some people just make you feel inadequate :P
15:51 < Emcy> adam3us are you adam back?
15:51 < adam3us> Emcy: yeah
15:52 < Emcy> ok
15:52 < petertodd> adam3us: heh, I've done that protocol by hand before
15:52 < gmaxwell> adam3us: I can't fathom why pgp still forces non-repudiation onto people after all this time, what it does is something basically no one wants. If you want encryption + non-repudiation what you want is a clearsigned message which is encrypted so that you can show it to people without dealing with their inability to decrypt.
15:53 < adam3us> gmaxwell: it's horrendous. mostly u do NOT want non-repudiability period IMO
15:53 < gmaxwell> yea, I mean, it's useful from time to time. But you always know when you want it.
15:53 < adam3us> gmaxwell: exactly. 99% of the time it's unnecessary risk
15:54 < petertodd> adam3us: I'd love to see some court cases where this has actually come up - as I said on cryptography in reality repudiation is hard to achieve anyway
15:55 < adam3us> petertodd: yeah as i read it courts just make pragmatic decisions... preponderance of evidence bla blah. but OTR with no logging is good.
04:58 < cads> the classes are taught with a combination of pre-recorded lectures, free digital copies of reading materials, and volunteer tutors/study group leaders.
04:59 < cads> and the coins you submit to the class just tell the professors that you have already learned the pre-requisite material
05:00 < cads> if you just want to dive into a high level class without coins, you are welcome to, and you will still earn coins at the end of the class - if you succeed
05:00 < cads> but professors might be discouraged from helping you unless you can prove your level of preparedness in other ways
05:01 < cads> I don't see that these coins would be spent, as such
05:02 < cads> the professors could win a certain part of the purse put up by the students of the class, to signify that they too learned something in the process
05:03 < cads> but the students would also get the coins credited back to them. in essence, the learning transaction would mint coins from nowhere, to signify that the increase in learning wealth came from nowhere but the students and teachers working together
05:04 < cads> if you have enough coins of the right type to qualify as being an expert in a field, you can translate them to a degree
05:04 < cads> or transfer them to a traditional university
05:05 < cads> this is all that I have so far
05:10 < cads> one objection that I have is that it might not be right to try to stretch the currency analogy to education systems. But to that objection, I agree it's easy to see that diplomas _are_ a form of good with a steady value, but they are not a medium of exchange, as they are not transferable.
05:11 < cads> Here, education coins would not be transferable as such: when you transfer a unit, you still keep the unit you had.
05:12 < cads> so it's certainly an interesting stretching of the concept, and maybe it's not too much of a stretch
05:13 < cads> I have plenty of other objections, including how could we make this system fair, could the system account for the fact that people forget things they learned (should education coins have built in demurrage that kicks in if you're not teaching or otherwise applying your knowledge?)
05:14 < cads> and who decides what constitutes a degree
05:14 < cads> any other questions or objections would be welcome
05:15 < cads> and I trust that my rant finds a good place here in -wizards :)
06:44 < amiller> -wizards is a safe place for such rants :]
06:44 < amiller> at first i was gonna say that's a good idea but i don't think that has much to do with bitcoin
06:45 < amiller> but actually it kinda reminds me of something like Mozilla badges
06:45 < amiller> https://wiki.mozilla.org/Badges
06:45 < amiller> it's commonly understood that things like education degrees are a kind of "currency", not inherently a transferable one
06:49 < cads> certainly
06:52 < cads> there is a knowledge component and a related but partially independent social credential aspect, which allows you to bank on that knowledge relative to some job market.
06:54 < cads> The knowledge (which we may take to encompass experience) required to do the work in that market is, as it were, just part of the market's entry cost. The other part is whatever means that workers use to signal that their knowledge is authentic.
06:55 < cads> Still a third cost is the investment into the social connections needed to provide an endpoint to receive your knowledge and knowledge credentials.
06:57 < cads> the 'education system' consists mostly of the means to acquire the first two aspects. It's reasonable that any theoretical distributed education system will fulfill those two criteria.
06:57 < cads> reasonable to assume*
06:58 < cads> At least I think so.
06:59 < cads> Most education systems also fulfill the third criterion - they teach which job markets exist, how much each one might profit you, and while you're learning they connect you to people who will support your search for an outlet for your new skills.
07:01 < cads> but I would point out that the best of the systems do a much better job at this last criterion than the lower quality education systems.
07:01 < amiller> a cryptocurrency's role in this is pretty small then
07:01 < amiller> just a place where a degree issuer can register the credentials
07:02 < amiller> so for example if i want to convince someone i have a degree,
07:02 < amiller> i have to give them contact info to a university administration
07:02 < amiller> and they have to do things like send Official Transcripts and they're expensive and i'm worried that in 20 years the administration will deteriorate so much they'll fail to do that on demand or something
07:03 < amiller> so it would be simpler if that whole process just consisted of a credential being etched into a blockchain and kept queryable
07:03 < amiller> and by making it simpler like that it can lower the bar to entry so that other issuers could provide just as usable credentials (like badges) without needing that full overhead to be official
07:05 < cads> hmm, I agree
07:07 < cads> by making them like badges you might get higher granularity in the credential's ability to describe your skill set
07:08 < cads> by making them queryable you may also reduce the job search and hiring overhead
07:11 < cads> it's interesting to think that the actual knowledge transfer part may be the cheapest of the three aspects, in some sense
07:12 < cads> MIT has no problem, for example, exposing its courseware for free. But its tuition is higher than ever.
07:13 < cads> of course, the return on investment on an MIT education is the highest of any university in the USA
07:14 < cads> while the return on investing (your time) into the open courseware is "whatever you can make of it"
07:16 < cads> I think this is perhaps an unrealistic comparison, because being on campus, talking to peers, professors, all that contributes to a different and more complete experience than the online classes
07:16 < cads> finally, it builds your network
07:20 < cads> I'm not sure where I'm going with this. I'm free associating, by now :)
07:21 < cads> At some level the market must reward the MIT students the most because those students have been proven to be the most profitable, in the past.
07:24 < cads> But another factor is bound to be this: MIT is a trusted source of knowledge workers, and so hiring from their ranks poses a risk. Employers are willing to pay MIT grads more because they see it as a hedge against the risk of hiring an incompetent worker
07:24 < cads> err
07:25 < cads> hiring from their ranks poses a _lower_ risk, I meant to say.
07:25 < cads> heh, that's all I have, for now :)
07:27 < cads> (but now I'm really far away from cryptocurrencies)
21:02 < jgarzik> [ANNOUNCE] OnionBC Escrow launched! - https://bitcointalk.org/index.php?topic=153967.0
21:02 < jgarzik> (as a responder implied, it might very well be a TorWallet-like scam; just noting its presence)
--- Log closed Sun Mar 17 00:00:28 2013
--- Log opened Sun Mar 17 00:00:28 2013
01:29 < warren> grau_: saw your bitsofproof git today. I'm curious how big is the data if you use a SQL backend, and how fast is that?
01:29 < grau_> warren: about 12GB
01:30 < grau_> I tried derby and PostgreSQL
01:30 < grau_> The performance is a magnitude below that of leveldb
01:30 < grau_> It is only interesting if you want to do queries of the blockchain
01:31 < warren> I've wondered what kind of backend blockchain uses, you think it is anything like this?
01:31 < grau_> warren: I guess so. Performance with relational database is just a question of budget
01:31 < warren> I'd guess they can't achieve that kind of response time with a single SQL db.
01:31 < warren> ah
01:32 < grau_> Having a cluster of Teradata e.g. I would get the performance of LevelDB
01:32 < grau_> likely. Did not try
01:33 < grau_> warren: My relational store is also fully normalized
01:34 < grau_> BitcoinJ eg had relational store too but un-normalized. That way you can speed up a lot
01:34 < grau_> but data mining then is not that simple
01:34 < grau_> so it forgoes the point of relational db actually
01:34 < warren> how's memory usage of this?
01:35 < warren> grau_: is anything using this in production?
01:35 < grau_> Well it is Java, so it uses a heap you give it
01:35 < grau_> warren: I would not run under 500mb
01:35 < grau_> I have this running constantly on bitsofproof.com
01:35 < grau_> I do not claim production quality but it's beta
01:36 < warren> no website I can load there
01:36 < warren> I just randomly found the git
01:36 < grau_> I know. but there is a bitcoin if you connect and it is bitsofproof
01:36 < warren> ooh
01:36 < grau_> warren: I have not yet pushed it besides dev forums until it is high quality
01:37 < grau_> I want to launch it big in San Jose
02:02 < warren> grau_: does this rely on openssl ecdsa too?
02:02 * warren didn't look at code yet
02:04 < grau_> warren: no, it's bouncy castle
21:45 < sipa> just added signing code to my secp256k1... it's not exactly constant time, but close at least
21:45 < warren> sipa: awesome!
21:45 < warren> sipa: will you eventually have a replacement for openssl/ec.h ?
21:46 < sipa> yes, isn't hard now anymore
21:46 < sipa> still need key generation and probably (hell :S) parsing/saving in openssl's secret key format
21:49 < warren> sipa: might as well publish it as an independent library that can be used by other apps then.
21:50 < warren> that might encourage more eyes
21:57 < warren> sorry, meant to make that a question
21:57 < sipa> it's a good suggestion
21:57 < warren> sipa: haven't looked into it yet, but bitmessage is in a similar pickle here
22:27 <@gmaxwell> warren: I don't think bitmessage should care about ecdsa performance.
22:32 < warren> gmaxwell: performance is not the issue, the desire to use bit* without replacing openssl
22:35 < jgarzik> Sigh. The only python irc library in Fedora repos handles its own I/O selecting/looping, presuming that it is the main process
12:27 < michagogo|cloud> Obviously we will never, ever manage to make them safe
12:27 < michagogo|cloud> Otoh....
12:27 < petertodd> We're not even going to get close frankly.
12:28 < michagogo|cloud> if we implement this warning, people will read more into it than they should
12:28 < petertodd> yup
12:28 < michagogo|cloud> (specifically, absence of said warning)
12:28 < petertodd> the "fix" is worse than the problem.
12:28 < michagogo|cloud> Also: would this also apply for transactions in blocks? Guessing not
12:28 < petertodd> But... I shouldn't discourage anyone, as it *does* help adoption of replace-by-fee.
12:29 < michagogo|cloud> The double-spend relaying thing could certainly be worth adding, if only for replace-by-fee
12:29 < petertodd> yup...
12:30 < michagogo|cloud> Hmm, actually
12:30 < michagogo|cloud> If you do that, you do need to implement some kind of warning
12:30 < petertodd> now if only I could convince gavin to add double-spend relaying that only relayed roughly same-sized txs :P
12:30 < michagogo|cloud> The two things are not separate from each other
12:30 < petertodd> michagogo|cloud: wait, do you know what the scorched earth strategy is?
12:30 < michagogo|cloud> ;;google scorched earth
12:31 < michagogo|cloud> Oh, no gribble
12:32 < michagogo|cloud> "destroy anything that we come across that the enemy might be able to use"?
12:32 < petertodd> https://bitcointalk.org/index.php?topic=251233.msg2669189#msg2669189
12:32 < michagogo|cloud> Or is there something else called that?
12:33 < petertodd> it's brilliant, although jdillon overstates it a little - it heavily depends on a jam-free communications layer, and DoS attacking that can cause it to fail. But overall it's pretty good.
12:34 < michagogo|cloud> Ah, interesting
12:35 < michagogo|cloud> So basically, if someone tries to double-spend a merchant doing this, the merchant will simply throw the amount away
12:35 < petertodd> yup
12:35 < petertodd> aligning the incentives of miners and merchants
12:35 < michagogo|cloud> Well
12:35 < petertodd> main thing I like about it is that it rejects the idea that miners should be "responsible" re: zeroconf
12:35 < michagogo|cloud> You'd still need to wait for confirmations
12:35 < petertodd> nope
12:36 < michagogo|cloud> Because even though an attacker couldn't take the money back
12:36 < michagogo|cloud> (afk for a moment, brb)
12:36 < petertodd> If you can assume that you will "quickly" know about a double-spend, and can "quickly" implement the scorched earth policy with a counter-double-spend, then the attacker's gains converge to zero.
12:36 < OrP> Hey Michagogo - I'm from Israel - you guys were correct about NIS
12:37 < michagogo|cloud> petertodd: Even though an attacker couldn't get the money back
12:38 < OrP> Also - I wanted to point out the banks in Israel are investing a lot on dollars
12:38 < OrP> A thing I can't figure out
12:38 < petertodd> michagogo|cloud: what do you mean?
12:38 < michagogo|cloud> If you rely on an unconfirmed for anything irreversible, the attacker could still keep the funds from the merchant
12:39 < michagogo|cloud> As a way to damage the merchant, even though you don't get the funds back
12:39 < michagogo|cloud> (though as jdillon says, "The transaction can also be constructed such that the payee pays slightly more in advance, with the merchant refunding the extra amount once the transaction confirms")
12:40 < petertodd> michagogo|cloud: sure, but in a *lot* of real world scenarios the actual damage to the merchant is minimal: for instance if you're selling ringtones you don't actually incur a cost on a double-spend, you just need to make sure it's worth it for the attacker to bother
12:40 < michagogo|cloud> not worth it, you mean?
12:41 < petertodd> michagogo|cloud: I wouldn't want to sell a car with it, but in most low-value circumstances scorched-earth is likely to be enough of a deterrent to keep people honest
12:41 < michagogo|cloud> Right, that's a good point
12:41 < michagogo|cloud> (also, this only helps if you advertise that you do it, right?)
12:41 < petertodd> Same reason coffee shops and bakeries get away with not actually having any sales staff...
12:41 < petertodd> well, if everyone has software that does it automatically...
12:42 < michagogo|cloud> Right, that counts as advertising that you do it :P
12:42 < petertodd> yup
12:42 < michagogo|cloud> Anyway, so it would make unconfirmed transactions somewhat more safe
12:42 < petertodd> even then, an attacker might steal one ringtone, so what?
12:42 < michagogo|cloud> Really, depending on the attacker's motive
12:42 < petertodd> yup, without the nasty politics of trying to regulate miners
12:43 < michagogo|cloud> It makes it much, much safer against an attacker trying to keep their money
12:43 < petertodd> keep in mind, I originally proposed replace-by-fee months ago, not realizing that scorched earth was possible, simply because I thought it'd be worth getting miners to do this now before people started trying to take much more dangerous counter-measures to make zeroconf safe
12:44 < petertodd> jdillon came up with scorched earth after that
12:44 < michagogo|cloud> OTOH, since you'd basically be throwing away the money as soon as you detected this attempt, it would make an attack that simply is intended to hurt you much, much easier
12:45 < petertodd> sure, but as I say, in most real-world cases merchant cost is dominated by overhead
12:45 < petertodd> * for low value items
12:46 < michagogo|cloud> (also, worth noting that scorched earth requires more than replace-by-fee -- it also requires cpfp)
12:46 < petertodd> yup, and beyond cpfp, it requires the ability to relay multiple txs in one "packet"
12:47 < michagogo|cloud> Hm?
12:48 < petertodd> the merchant needs to relay both the original tx that paid them, and the pay-to-fees tx in such a way that even nodes that didn't see the original tx know it's worth replacing the attacker's double-spend with the two txs
12:49 < petertodd> also, note how merchants shouldn't let people pay them with txs that are unusually large... which can be a limitation
12:51 < michagogo|cloud> Oh, I see
12:52 < petertodd> yup, really, guaranteed to work is single input, two P2SH outputs
12:52 < michagogo|cloud> Because if you only implement replace-by-fee and not full double-spend relaying, cpfp itself, to work fully, requires a way to relay the parent after or with the child
12:52 < petertodd> yup
12:53 < petertodd> but good cpfp needs that anyway
12:53 < michagogo|cloud> (and of course we don't want to store orphan transactions)
12:53 < michagogo|cloud> Yeah, that's what I just said
12:53 < michagogo|cloud> "cpfp itself, to work fully"
12:53 < petertodd> lol, right
12:53 < michagogo|cloud> :P
12:54 < petertodd> anyway, in the meantime, it's likely that double-spend notification will be implemented, in which case I can encourage miners to adopt replace-by-fee by advertising the fact that I'm making large fee double-spends - join in the fun!
12:58 < michagogo|cloud> lol, nice
12:58 < michagogo|cloud> Though, won't that require a bunch of the network to upgrade first?
12:59 < petertodd> again, no, because of double-spend notifications
12:59 < petertodd> basically you tell miners that you'll broadcast low-fee double-spends, and every time one gets mined, you'll increase the fee
13:00 < michagogo|cloud> Not necessarily replace-by-fee upgraded, but relay-double-spends upgraded
13:01 < michagogo|cloud> "every time one gets mined, you'll increase the fee"?
13:02 < petertodd> See, you want to give people a strong incentive to adopt replace-by-fee, but you also want them to adopt it in such a way that it can be used for any transaction. So by saying "prove to me you've upgraded first" they can't just, say, only do replacement on high-fee txs.
13:02 < michagogo|cloud> Ah, I see
13:02 < michagogo|cloud> (I think?)
13:02 < petertodd> heh
13:02 < michagogo|cloud> eep, power warning
13:03 < petertodd> ?
13:03 * michagogo|cloud goes to find power adaptor
13:03 < petertodd> ah
13:03 * michagogo|cloud is back
13:04 < michagogo|cloud> Well, what's to stop them from just detecting your transactions and mining them?
13:04 < petertodd> Do your double-spends while gambling on satoshidice.
13:05 < maaku> adam3us: atomic swap in freimarkets is in the transaction format, not a hashlock or related
13:06 < maaku> basically we allow hierarchical sub-transactions which themselves don't have to balance, so long as the entire transaction does (outputs < inputs for each asset)
13:07 < maaku> but yeah that's completely unrelated to chaum cash
13:13 < adam3us> maaku: ok, i took it it was still a scriptsig of some form with reference to a merkle root and a timestamp server
13:13 < maaku> for multi-server trade, yes
13:13 < maaku> at least that's one of many options
13:14 < maaku> you can have multiple private servers conditionally accept a transaction based on a timestamp oracle or the state of the public (Freicoin) chain
13:14 < maaku> in a two-phase commit architecture
13:15 < maaku> but within a single server/chain, ripple-like exchange or transitive payments are done by composing pre-signed orders together
13:16 < maaku> if chaumian cash requires a separate online redemption step, then it doesn't work for this
13:16 < maaku> i still need to wrap my head around credential-chaum to see if it is compatible
13:31 < adam3us> see i think the online aspect is just an artefact of the way they chose to use it, because they did not have a certificate, just a signature, it can be easily stolen once disclosed to anyone, so the model was the recipient immediately deposits it
13:32 < adam3us> maaku: you can as easily have the blind signature be of a signature public key, then you can prove things with it, attach it to a script sig etc.
19:25 < jcrubino> so if I send a payment from a reusable address to another reusable address does zerocoin still have a use or case?
19:25 < gmaxwell> ugh yea, I really have mixed feelings on the whole feature.
19:25 < sipa> they are not a solution for everything
19:25 < gmaxwell> adam3us: it's neither SPV compatible nor incompatible.
19:26 < sipa> jcrubino: bitcoin doesn't provide anonymity
19:26 < sipa> even with reusable addresses
19:26 < adam3us> gmaxwell: well an spv client doesn't know what to put in its bloom filter absent another channel then shall we say
19:26 < maaku> adam3us: you'd use prefix filters for SPV
19:26 < gmaxwell> adam3us: well it can be specced with the bloombait idea.
19:27 < adam3us> maaku: yeah same thing i guess (my terminology was bloom bait, petertodd prefix) but that has privacy problems
19:27 < gmaxwell> then you can pick your anonymity set tradeoff. But it's an extra thing that has to be 'decided' which is lame.
19:27 < maaku> adam3us: well bloom filters in general have privacy problems...
19:27 < adam3us> gmaxwell: it's worse than bloom i think with its apparently small anon-set. because it's public to all and the statistical analysts will latch on to it
19:28 < gmaxwell> yea, it's worse than bloom, we don't have anything like bloom for it which is as secure in the semi-honest node model.
19:28 < adam3us> maaku: and use it multiple times in your potential graph to narrow in on you. privacy leak stats is cumulative
19:28 < gmaxwell> In bloom you're completely private unless you connect to unfriendly nodes (well ignoring that our links aren't encrypted). So that's not terrible _casual_ privacy.
19:29 < gmaxwell> it's not privacy against powerful forces but it's not half bad.
19:29 < adam3us> gmaxwell: yup and prefix is like permanent global record with cumulative privacy loss effect on stats. as if we didn't have enough stats build up problems.
19:32 < gmaxwell> so an improvement would be to make the bait hmac(tx_nonce,secret)[n-bits] then you have to hand over a secret to the party you wish to scan for you... but it's not unforgeable like handing over the agreement key.
19:32 < adam3us> gmaxwell: hmm bit of lateral thinking. giving up on getting much from the reusable address. but other than a bloom bait, what about some kind of randomized fingerprint, that you can illuminate different parts of in a bloom like way with help of the assisting node. created by the sender based on the reusable key
19:33 < gmaxwell> e.g. I could just pick any collection of transactions on the network and search for a secret that makes them part of the same group.
19:34 < gmaxwell> so someone who says "I ran a SPV node and found out adam3us's secret is and thus these transactions are his" can be challenged with "no way, these transactions are three different other people with these other secrets"
19:34 < adam3us> gmaxwell: yes maybe a public key version of that
19:34 < gmaxwell> the fact that it's not public key is what makes it forgeable. :)
19:34 < adam3us> gmaxwell: so long as it's a fuzzy match...
19:34 < gmaxwell> basically there exists some secret such that any selection of baits are related, but finding it takes work related to how specific you want to make the matching.
19:35 < gmaxwell> yea, that's why I said n-bits. it has to be small enough that searching for forgeries is easy.
19:35 < adam3us> gmaxwell: maybe could allow different query for same data somehow
19:35 < adam3us> gmaxwell: yeah i got that
19:36 < adam3us> gmaxwell: also in the hmac how do u get the key to the sender...
19:36 < gmaxwell> dunno maybe there is a way of constructing it with a linear code so that the match is always fuzzy but your real transactions will always have a hamming distance < x. and then you ask for all <x solutions.
19:37 < gmaxwell> adam3us: you put it in the address.
19:37 < adam3us> gmaxwell: yes but then it's not a secret, so ah ok it's better than a prefix however got you.
19:38 < gmaxwell> yea it's just a secret keyed prefix, with a deniable secret, unlike using the derivation keys for scanning since they aren't deniable.
19:38 < adam3us> gmaxwell: already an improvement on prefix, and Jeremy's about to like write an RFC level of "awesomely done"
19:39 < gmaxwell> downside is that someone scanning for you can't precompute anything to index it... prefixes have that nice property.
19:39 < adam3us> gmaxwell: so the other feature we'd like is precomputation
19:39 < adam3us> gmaxwell: yes
19:41 < adam3us> gmaxwell: ok i am gonna sleep on it (literally, getting late) interesting problem, with quite useful implications if it can be cracked (I mean I share Jeremy's interest, just not his conclusion about it being solved yet!)
19:42 < gmaxwell> well so, H(nonce) and then split into 16 16-bit parts. pick a part at random, and compute part^secret_bait = prefix and put the prefix in the transaction.
19:42 < gmaxwell> When you ask someone untrusted to scan for you you give them a set of secret baits you're interested in, including a number of bogus ones you really don't care about.
19:43 < gmaxwell> and they return any transaction where any one of the part^prefix = one of your baits.
19:43 < gmaxwell> e.g. someone doing stats doesn't know which of the tokens the part is xored with.
19:43 < gmaxwell> obviously some parameter scaling needs to happen to make it sensible, I picked random numbers.
19:44 < gmaxwell> hm. they should probably be 8 bit. in any case, there you go.
19:45 < adam3us> gmaxwell: not bad i think
19:47 < gmaxwell> in any case, this is a member of an infinite space of related schemes based on locally decodable error correcting codes. Effectively this is a fountain code, effectively, the transaction picks a random high dimensional vector space, and when combined with the prefix the result is a codeword in that space which is always within a certain proximity of your secret bait... and there is a cheap test of proximity.
19:48 < adam3us> gmaxwell: is that precomputably indexable?
19:48 < gmaxwell> it's still vulnerable to statistical analysis, in that you can keep intersecting things if you have a prior that they're related until you recover the bait.
19:48 < gmaxwell> adam3us: yea with overhead, e.g. you'd put every transaction in N indexes.
19:49 < gmaxwell> N picked based on how big the vector space is that you're embedding in.. More dimensions means more area covered by a given radius.
19:50 < gmaxwell> e.g. for my 16/32 example you'd be putting each transaction in the index 16 times. But that's okay, I mean, bloom filtering also pulls multiple keys from a transaction.
19:50 < adam3us> gmaxwell: my public key comment was that then it would not be bait recoverable.
19:51 < adam3us> gmaxwell: yes. it seems reasonably good. definitely a couple of increments better than prefix
20:33 < phantomcircuit> that reminds me
20:33 < phantomcircuit> nvm
22:05 < andytoshi> michagogo|cloud: i have refreshed the windows build, the only change is that it saves the rpcport= setting in cjclient.conf, before that would get overwritten
22:06 < andytoshi> michagogo|cloud: but i've got the testnet server working properly, it was just permission issues because i git clone'd the mainnet joiner over on my own unix account :P
23:25 < EasyAt> Where is the correct channel to ask about sybil attack mitigation in a decentralized WoT?
23:33 < amiller> EasyAt, maybe you want #bitcoin-wot
23:34 < amiller> but i'd like to hear about it here too
23:43 < EasyAt> amiller: One second, I'd like to state this concisely
--- Log closed Thu Jan 16 00:00:49 2014
--- Log opened Thu Jan 16 00:00:49 2014
00:14 < amiller> gmaxwell, i'm finally starting to realize you're right about snarks
00:14 < amiller> that so far they all require an obnoxious trusted setup
00:18 < maaku> amiller: but it's okay if you trust yourself, right?
00:18 < amiller> no not really
00:18 < gmaxwell> amiller: ones that don't are certainly possible (PCP theorem + fiat shamir shows it's possible) though they would not be as compact as the GGPR ones, which are just ludicrously compact.
00:19 < amiller> if i wanted to show someone that the bitcoin community has already been pointing this out, would you recommend a forum post of yours?
00:19 < gmaxwell> maaku: if you don't care about public verifiability then you can use, like, an interactive protocol. I'm pretty sure that GGPR is still ZK if the CRS was maliciously generated.
00:20 < amiller> i've sort of not noticed it despite mouthing off about how cool my nonoutsourceable puzzle is based on snark
00:20 < amiller> it's more immediately relevant to zerocoin though
00:20 < amiller> i mean, they're aware of it too
00:20 < maaku> gmaxwell, I mean hypothetically if the scriptPubKey were the hash of the SNARK verifying key, and the scriptSig were the verifying key and proof (p2sh replacement)
00:21 < gmaxwell> amiller: http://www.reddit.com/r/ZeroCoin/comments/1uy35p/matthew_green_to_speak_about_new_zerocoin_version/ceo17ut
00:21 < amiller> maaku, creating a SNARK verify key requires someone to have some secrets they are trusted to delete
00:21 < gmaxwell> amiller: A GGPR-12 SNARK.
00:21 < maaku> amiller: yes, see ^^
00:21 < amiller> yes i just got back from that and chatted with him and his student about this
00:21 < maaku> amiller: if that snark is created by you and only used by you, why is it a problem if you have the trapdoor?
00:21 < gmaxwell> amiller: Eli supposedly is also working on a Linear PCP based on some fiat-shamir transform of a locally testable code, but none of the recent papers are about this.
00:22 < amiller> maaku, if that's the case sure, that's just a much different use case than what i have in mind (or what zerocoin/cash has in mind)
00:22 < gmaxwell> maaku: for _some_ applications it might not matter, for some it would.
00:45 < gmaxwell> That would largely remove the concern that CAs were secretly issuing certs that they ought not be issuing.
00:47 < gmaxwell> BlueMatt: well it's less horrifying than you might think it is: right now _many_ CAs will give a cert to anyone who can drop a file at http://domain/some_random_filename.txt (note: http not https) so DNS control == cert already, but historically that took ~24 hours.
00:47 < gmaxwell> the cloudflare thing means you can do it in minutes.
00:47 < gmaxwell> so, e.g. you can do it to a running site and not be noticed.
00:48 < gmaxwell> in any case, we don't know for sure if a cert was ever issued for bitcointalk.org, because, of course, no normal browser logs the damn fingerprints.
00:48 < BlueMatt> well, ok, yes, but that doesn't mean it's any less horrifying
00:49 < gmaxwell> and we can't tell except by asking the CA that cloudflare partners with.
00:51 < phantomcircuit> gmaxwell, a nice blog post about that would be hilarious
00:52 < gmaxwell> phantomcircuit: well I'm going to try to get Theymos to ask Chrome and Firefox to pin the bitcointalk.org CA. Which will be hilarious. "Yea, sure, we're a small site, but we've actually been abused this way; something you can't say for many other things that are pinned"
00:52 < phantomcircuit> lol
00:52 < phantomcircuit> Login temporarily discouraged
00:52 < phantomcircuit> lol
00:53 < gmaxwell> phantomcircuit: well the evil dns has not timed out yet, so users may not know if they're on the authentic site or not.
01:34 < midnightmagic> what does a cloudflare incoming connection appear to be to the end-server?
01:35 < phantomcircuit> midnightmagic, from cloudflare
01:36 < phantomcircuit> you can actually put in any ip address you want and cloudflare will gladly proxy requests for you
01:36 < phantomcircuit> including the freenode webchat
01:36 < phantomcircuit> so it's pretty easy to pretend to be cloudflare
01:36 < midnightmagic> name-based virtualhost for incoming cloudflare, plus catch-all?
01:37 < midnightmagic> "You are connecting via cloudflare. Please bug your ISP to update their name servers."
01:39 < phantomcircuit> midnightmagic, doing ip address -> ASN# is not trivial
01:46 < midnightmagic> phantomcircuit: ASN#?
01:47 < phantomcircuit> midnightmagic, basically like ISP number
01:51 < midnightmagic> Ah, that ASN. As in used in BGP routing..
01:51 < midnightmagic> I see. You're implying there are unpredictable IP addresses coming in from cloudflare.
05:44 < TD> gmaxwell: http://www.certificate-transparency.org/
05:45 < TD> gmaxwell: i think i mentioned that in my payment protocol FAQ. forcing CAs to publish certs they make is on the long term roadmap and is very likely to happen, it's funded, CAs are getting on board with it, it'll be in Chrome, etc
05:45 < TD> anyway, i fail to see what cloudflare has to do with this. if you lose control of DNS it's game over. it was ever thus and it's hard to see how else it could be.
05:46 < TD> your domain name IS your identity, that's why companies like Google use companies like MarkMonitor to defend their DNS registrations.
05:46 < TD> phantomcircuit: it's not that hard if you have the data set, it's only a few megabytes. i've implemented IP to ASN mapping code a few times. the dataset can be obtained from a looking glass (or if you're big enough to have your own routers with BGP sessions, just downloaded directly from that)
05:53 < TD> gmaxwell: also if you look at the chrome pinning list, it's got all kinds of tiny sites in, even people's blogs and stuff. AGL runs the list, he is very much an old school cypherpunk type, I doubt we'd have any problem getting on the list
05:53 < TD> gmaxwell: but HSTS would be a pre-requisite, i think
05:56 < midnightmagic> TD: can any old joe-blow still grab a copy of the global routing table?
05:58 < TD> it's not exactly a secret. i'm sure you can find copies somewhere. if you want to do one-off queries that's easy, lots of ISPs run looking glass servers. they don't usually allow a full download though
05:58 < TD> the registrations (as opposed to what's actually being announced) are also available from IANA and other places if you ask nicely. you have to fill out a form and convince them you're not a spammer, basically
05:59 < midnightmagic> I seem to recall there was a way you could just randomly register an ASN as yourself and piggyback off the backbone types..
05:59 < TD> e.g. http://lg.level3.net/bgp/lg_bgp_main.php
06:01 < midnightmagic> The above.net crazies used to be pretty solicitous when they discovered you knew what BGP was.
06:01 < warren> TD: bitcointalk added HSTS today
06:02 < midnightmagic> well. how about that. above.net is gone as of last year and I didn't know it.
06:02 < TD> warren: good
06:02 < warren> i don't know if he did it correctly
06:02 < TD> warren: i hope they also get a better registrar .... and we should consider moving bitcoin.org as well. iirc it's with the same guys
06:03 < TD> midnightmagic: full downloads available here: http://www.ripe.net/data-tools/stats/ris/ris-raw-data
06:04 < midnightmagic> TD: ah nice, thanks man.
06:05 < warren> TD: I think they are moving to another registrar
06:05 < TD> warren: it looks correct to me
06:05 < warren> TD: what does he need to do to get chrome pinning?
06:05 < TD> warren: however it would not help in this case. HSTS simply says "SSL must be used and it must not be self signed". In this case SSL was used but it was being provided by a MITM. there's really no magic fix for losing control over DNS. never ever let that happen
06:06 < warren> TD: pinning would help though
06:08 < TD> yes
06:08 < TD> the process for pinning is basically, file a bug in the chromium bug tracker and ensure agl sees it, as far as I understand
06:09 < warren> TD: can you help after the bug is filed?
06:09 < warren> TD: is it a pain to get unpinned, to update the cert later?
06:10 < TD> or just email agl@chromium.org
06:10 < TD> you pin the public key hash
06:10 < TD> so the cert can change but the key cannot
06:10 < warren> ooh
06:11 < TD> if the key is compromised, then i guess you have to ask agl for another update. given how often bitcointalk has got hacked, i'm not sure he'd be thrilled by this idea - the fact that it still runs on an obsolete closed source copy of SMF is kind of embarrassing. but theymos could ask.
06:11 < TD> http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
06:11 < TD> btw bitcointalk should probably also be forcing subdomains, even though they aren't used today.
06:11 < TD> in future he might want to change that
06:11 < warren> TD: I personally secured the new server
06:11 < TD> http://dev.chromium.org/sts
06:12 < TD> that's good to hear
06:12 < warren> TD: I couldn't guard against their registrar getting hacked though
06:12 < TD> unfortunately, i tend to assume anything written in PHP is automatically riddled with basic security holes. except maybe facebook.
06:12 < warren> TD: I crafted the new server to assume the PHP still has backdoors ...
06:12 < TD> well the bar is always being raised. there are special registrars that have better security policies. obviously the anonymousspeech one isn't such a company
06:12 < TD> yeah. that's the best way.
06:12 < warren> no outgoing connections, no connect to local sockets
06:13 < warren> no writing to filesystem
06:13 < TD> cool
06:13 < warren> well, the forum has disabled features now
06:13 < TD> yeah. i saw i can't change the profile picture anymore
06:13 < warren> but it isn't hacked now, AFAIK
06:15 < TD> is it hosted on a dedicated machine ?
06:20 < warren> TD: on digitalocean of course =)
06:20 < TD> a VPS provider?
06:21 < fagmuffinz_> digital ocean is the shit
07:08 < fagmuffinz_> I've gotta say getting chef and capistrano to play nicely on Windows has been a royal pain in the ass
11:56 < gmaxwell> td: the only real difference the cloudflare part makes is that it makes it much faster. I tried simulating the attack previously but it was harder to do secretly because I had to proxy the site for almost 30 hours... and I also had to have another host to proxy it on, etc. with the cloudflare it's made somewhat easier to do without being noticed (though they seem to have failed), because someone's providing the proxy for you and you ...
11:56 < gmaxwell> ... don't have as long a window you need to run it on. OTOH, you don't get a copy of the certificate yourself.
14:00 < phantomcircuit> gmaxwell, try it again with startssl they issue certs within a few minutes during israeli business hours
15:12 < nsh> so i had another look at the work of Eli Ben-Sasson, et al., which seems to have progressed a little since his talk at the bitcoin conference on Succinct Computational Integrity and Privacy. does anyone know if any efforts are underway to do some proof-of-concept for short verification of proofs of blockchain integrity for e.g. SPV clients?
15:12 < nsh> [..] this paper seems to have enough skeleton for a scaled-down PoC: http://eprint.iacr.org/2013/507.pdf
15:13 < nsh> i think the circuit-building part of the key-generation is RAM-limited atm, so it might be (more) tractable to try with smaller chainstate distances
15:14 < nsh> (~1000 constraints per cycle iirc)
15:15 < gmaxwell> nsh: there are some annoying performance issues, e.g. sha256 implemented in tinyram is about 100x more gates than a straightforward circuit compiler version of it. Though I suppose that wouldn't get in the way of a test too much.
15:15 * nsh nods
15:16 < nsh> i suspect there is still room for optimizations though. i haven't managed to see how the circuits look in practice yet
15:16 < nsh> the stated performance of tinyRAM is pretty impressive (
15:17 < nsh> ~3-5x slowdown relative to x86
16:34 < jtimon> sorry, was pay-to-contract http://www.youtube.com/watch?v=qwyALGlG33Q
16:37 < sipa> adam3us: we should start by stopping to call them "addresses" and call them "key identifiers" instead
16:37 < gmaxwell> we're mostly failing to communicate to the public that these address things should be single use. Joe bitcoin user has no idea of this.
16:37 < sipa> a key identifier can be used as an address if someone wants to receive a payment on it
16:37 < gmaxwell> Even the way bitcoin-qt (in release versions) works basically encourages reuse.
16:38 < maaku> sipa: that's a great idea. i'm going to start doing that
16:38 < sipa> indeed
16:38 < jrmithdobbs> gmaxwell: it's not exactly for a lack of trying, everyone just says "whatever" when it's explained to them and ignore it anyways
16:38 < jtimon> on the previous conversation, what was wrong with snark per hop hidden payments?
16:38 < gmaxwell> (git improves this a fair bit)
16:39 < sipa> most have never been confronted with this idea at all
16:39 < jtimon> what was impeding the pruning if you snark every hop?
16:39 < gmaxwell> jrmithdobbs: it is for lack of trying.
16:39 < sipa> people think bitcoin sends money between addresses
16:39 < gmaxwell> jtimon: pruning is incompatible with privacy.
16:39 < sipa> (and on some level, it does, unfortunately)
16:39 < gmaxwell> At least git bitcoin-qt is better about not encouraging reuse.
16:40 < gmaxwell> although it does have a checkbox "Reuse an existing receiving address (not recommended)"
16:40 < sipa> i should try qt again
16:40 < gmaxwell> maybe we should change that word existing to something like "stale" :P
16:40 < maaku> gmaxwell: well, it has an address book
16:41 < gmaxwell> maaku: no, not unless you check the reuse thing.
16:41 < jtimon> gmaxwell, I see, H(c) will always be there to prevent double-spend if you snark redemption
16:41 < maaku> well, I mean the very concept of an address book (absent payment protocol or hd wallets) is suspect
16:41 < adam3us> gmaxwell: "pruning is incompatible with privacy." well as above i think it's more privacy than current by a large amount
16:41 < gmaxwell> jtimon: unless you make H(c) public while SNARKing but then you are traceable.
16:42 < amiller> can anyone think of a way of estimating the distribution of mining resources among distinct individuals
16:42 < amiller> we really have no idea about that do we?
16:42 < gmaxwell> adam3us: by mining do you mean hashing?
16:42 < jtimon> gmaxwell, yes, understood, you can't have the cake and eat it too
16:42 < amiller> or how many gpus are out there mining as opposed to asics
16:42 < gmaxwell> amiller: there should be ~0 gpus now.
16:42 < maaku> amiller: politely ask the major mining pools for access to their logs
16:43 < amiller> if i already bought the gpus and i can't sell them, it's unlikely that there's anything to be gained by turning them off
16:43 < amiller> power is relatively cheap
16:43 < gmaxwell> amiller: 0_o
16:43 < adam3us> jtimon: the privacy leak is small compared to current system
16:43 < amiller> or do you mean you can't even make profit vs the power consumption
16:43 < gmaxwell> amiller: correct.
16:43 < maaku> amiller: they should be very unprofitable by now
16:43 < gmaxwell> amiller: the whole network prior to the introduction of asics was about 20TH/s (and that included a lot of FPGAs), the current network is around 4000 TH/s.
16:44 < adam3us> jtimon: it would be a big net improvement - no value revealed, no addresses linkable. yes people shouldn't link addresses. but coin control fails. and even if coin control was optimal there would still be linking
16:44 < jtimon> adam3us yes and it's after republishing, so it makes your example legal attack much harder
16:44 < gmaxwell> so that should give you some kind of upper bound on how many gpus could be in use. ... combined with gpus being power breakeven only if your power costs ....
16:44 < adam3us> jtimon: with scip you never need to republish, the miner just validates it in hidden form with the scip
16:45 < maaku> amiller: actually you might be able to extract an order of magnitude estimate from the drop in hash following diff adjustment, and corresponding rises in litecoin
16:45 < gmaxwell> $0.028/kwh or lower.
16:45 < gmaxwell> (at $350 exchange rate)
16:46 < jtimon> adam3us: but republishing allows pruning and there's some agents that need transparency (say, nonprofits)
16:47 < adam3us> jtimon: but anyone can validate the scip and see the input is spent, and so the miners can attest to that
16:48 < adam3us> jtimon: it's easy to create transparency, publish the hiding sym key
16:49 < jtimon> adam3us if the snark indicates what previous transaction can be pruned, how is this non-traceable?
16:49 < adam3us> gmaxwell: i am starting to feel i will be facing similar break even by the time BFL delivers my april ordered 5GHs never mind my feb 2014 600GH
16:50 < adam3us> jtimon: it does make a graph, but the graph is between opaque blobs
16:50 < gmaxwell> adam3us: You have my condolences for your purchase with BFL. :P
16:51 < phantomcircuit> adam3us, it depends entirely on the rate at which the network continues to grow
16:51 < phantomcircuit> which is to say
16:51 < adam3us> gmaxwell: it was more for amusement and hopefully recoup money than expectation of profit. to lose money might be a bit annoying, never mind, i'll just run it as my contrib to mining decentralization -
16:51 < phantomcircuit> largely luck
16:51 < amiller> expected income per hash: 3.64e-15 dollars per hash expected power cost per hash, assuming 6 cents per kwh and the most efficient GPU: 8.33e-15
16:51 < jtimon> adam3us my march ordered jalapeno is on the customs (border) right now, I will pay the taxes but I highly doubt I will break even
16:52 < gavinandresen> mining is a zero-sum game you should try to play positive-sum games, the rewards are better and are potentially unlimited
16:52 < adam3us> jtimon: what's jalapeno, 5GH? or previous
16:52 < maaku> adam3us: if there's a graph, it's traceable, right?
16:52 < phantomcircuit> gavinandresen, a better way is to describe it as a perfect market
16:52 < maaku> gavinandresen: ain't that the truth
16:52 < adam3us> maaku: not exactly; it acts like a perfect coin control which is impossible otherwise
16:52 < gavinandresen> "perfect" is the enemy of
16:52 < jtimon> adam3us 4.5GH + 2 iirc
16:52 < warren> phantomcircuit: BFL sure is perfect. =)
16:52 < phantomcircuit> although actually i guess that's not true anymore since the barrier to entry isn't insignificant anymore
16:53 < phantomcircuit> gavinandresen, heh
16:53 < gavinandresen> I did make a tidy bitcoin profit flipping my ordered-first-day jalapeno
16:53 < maaku> adam3us: that seems like a total non-sequitur. i'm not sure what you mean
16:53 < gavinandresen> but my lesson learned was "don't mine"
16:53 < gmaxwell> phantomcircuit: it was never all that perfect when anyone cared. ... even in 2011, all ATI cards everywhere sold out.
16:53 < jtimon> adam3us a graph that comes back to the first public transaction, you can't divide amounts on hidden tx can you?
16:53 < adam3us> maaku: if you do as current and say well there's coin control etc people should only use addresses once, that doesn't work in reality
16:54 < sipa> gavinandresen: flipping?
16:54 < gmaxwell> adam3us: there isn't coin control.
16:54 < maaku> adam3us: what i'm saying is you can trace the final output back to the original input(s), even if you don't know what happened inbetween, right?
16:54 < adam3us> jtimon: i think the implication is the recipient learns an "argument of knowledge" of the value that he has, and enough to prove it onwards with reference to his own coin
16:54 < gavinandresen> sipa: selling something soon after you bought it== flipping
16:54 < gavinandresen> (selling for a profit)
16:54 < sipa> thanks
16:55 < amiller> gavinandresen, "zero-sum game" more expected-utility dogmatism :p
16:55 < adam3us> jtimon: without scip yes you can divide and all the normal things; with scip i would think so too
16:57 < adam3us> maaku: with scip you would do per hop validation, and that is transitive so all transactions are visible in a big fat graph, however you don't know the addresses/identities/amounts
16:57 < jtimon> adam3us with snark and divisions it must be traceable
16:58 < jtimon> hmmh, yeah, I guess you could hide the amounts
16:58 < adam3us> jtimon: yes i think you are right, though the amounts would be hidden
16:58 < gmaxwell> adam3us: I can't see bitcoin doing a soft forking change (which are inherently risky!) and add costly crypto to achieve something that today people can already do.
17:01 < jtimon> maaku I think this would be better than in-chain chaumian cash
17:02 < maaku> jtimon: it'd be crazy expensive
17:02 < maaku> snark is not cheap to use
17:03 < maaku> hrm I think MMR + Chaum was a red herring, but what about this:
17:04 < maaku> store zerocoin serial number in a composable auth tree, and require a proof-path within the spend
17:04 < jtimon> wait, link to MMR? I still don't know what that is
17:04 < maaku> then validation storage requirements are just 256 bits per mint series, and proofs grow log2
17:05 < adam3us> heh i just had paypal cold call me to ask about butterfly
17:05 < adam3us> reckon they got a mountain of disputes and considering cutting off bfl as a bad paypal user
17:07 < maaku> jtimon: https://github.com/opentimestamps/opentimestamps-server/blob/master/doc/merkle-mountain-range.md
17:07 < adam3us> gmaxwell: "something that today people can already do" isn't hidden tx + scip per hop hiding something new?
17:09 < gmaxwell> adam3us: people can already use a fresh address and then only have blob linkages.
17:09 < maaku> address != identity
17:10 < jtimon> but they can't hide amounts
17:10 < jtimon> that would be new
20:01 < CodeShark> you provide them with a partially signed transaction
20:01 < CodeShark> now, to invalidate that transaction the way gmaxwell was talking about, you'd also have to incorporate another simple output that only you can redeem
20:02 < CodeShark> so now we need to mix the 2-of-3 policy account with another personal account
20:02 < CodeShark> just to allow us to pull the trigger on it
20:02 < CodeShark> the usability becomes horrendous
20:03 < CodeShark> an expiration time would be a very simple solution to this particular problem
20:03 < sipa> but a very significant change to force onto every wallet on earth...
20:03 < CodeShark> ?
20:03 < gmaxwell> not just every wallet, but the whole incentive structure of bitcoin
20:03 < CodeShark> you can refuse to accept payments that expire soon
20:04 < gmaxwell> since now you need to think about miners being bribed to reorg or being unwilling to reorg to change to an honest chain because of txn that can't be included.
20:04 < gmaxwell> CodeShark: only if you can determine when the entire (perhaps exponentially sized) history's earliest expiration is.
20:05 < CodeShark> these are healthy concerns - this is why I like to talk to you guys :)
20:06 < sipa> we've heard these suggestions many times already :p
20:06 < CodeShark> however, in a real practical sense right now, one way or another I need a solution - and I don't think deliberately "double-spending" extra outputs is a very clean one, to say the least :)
20:07 < gmaxwell> yea, it's not just applicable to your application. E.g. people have wanted things like lotteries which can read the block hash of some subsequent confirming block.
20:07 < gmaxwell> CodeShark: why don't you make your protocol such that the originator of the transaction signs last?
20:07 < CodeShark> blinding?
20:07 < CodeShark> hmm
20:07 < CodeShark> that could work
20:08 < CodeShark> yeah, I suppose it does make sense for the originator to be the one who broadcasts (or sends to recipient)
20:08 < maaku> gmaxwell: no i didn't investigate any JS solutions, but "javascript rsa" turns up some hits
20:09 < CodeShark> gmaxwell: without blinding, though, you still have a problem if the originator changes her mind
20:09 < gmaxwell> CodeShark: hm? why? they just don't sign then.
20:09 < CodeShark> but then you get the same issue in reverse
20:09 < CodeShark> now it's the person whose signature was requested that ends up in this unfinished situation
20:10 < gmaxwell> maaku: this is what I'm thinking of proposing, if you care: http://0bin.net/paste/yV7e4WCpZVHEj7nN#fi70f2LMSGO3JyrkNSeOG+ivIpfr2QirZzcNbVc2IXc=
20:10 < CodeShark> if only there were a way to ensure that the signature sharing were atomic :)
20:11 < gmaxwell> CodeShark: what's the problem with everyone except the originator pretending it didn't happen until it ends up in the blockchain?
20:12 < CodeShark> a few: they can't use those outputs without halting a transaction they want to happen, and if they pretend it didn't happen they might overspend their balance
20:12 < gmaxwell> e.g. if the funds in the account form a linked list (e.g. only a linear line of coins) then it's all atomic. Any parallel signatures are mutually exclusive.
20:13 < maaku> gmaxwell: it's a great idea
20:14 < gmaxwell> CodeShark: ISTM you're expecting bitcoin to function as a database for your application giving it SERIALIZABLE atomicity for all its data.
20:14 < gmaxwell> that's probably unrealistic in general, because there are probably non-transaction bits of data you'd eventually want to synchronize too.
20:15 < CodeShark> well, there are things like labels, but that's a separate problem for now
20:15 < gmaxwell> Instead of pretending your application is multi-master, it would be a lot simpler to make it master/signer where all transactions are originated in one point normally (except for exceptional recovery cases)
20:15 < CodeShark> ideally I want to reduce the amount of data that needs to be sent over the block chain
20:16 < maaku> CodeShark: I'm a dissenting voice here. How is nExpireTime any different in principle than a coinbase output?
20:17 < maaku> there are very real advantages to having an nExpireTime, and other scripting extensions which invalidate txns over a reorg
20:17 < maaku> Making users wait to get the desired number of confirmations is not a big hurdle
20:17 < maaku> They should be doing that anyway
20:17 < gmaxwell> maaku: a coinbase output can't be spent in the blockchain for 100 blocks. If you wanted to have an identical limit for outputs from those txn, my objections would go away except to point out that it's really trying to cram application logic into bitcoin which might be a poor fit.
20:18 < CodeShark> ok, then how about this: set a limit on number of blocks before an nExpireTime transaction is spendable :)
20:18 < maaku> gmaxwell: I don't like the 100 block protocol rule
20:18 < gmaxwell> maaku: I'm sorry for you then.
20:18 < maaku> but i think clients / wallets should implement something similar
20:18 < CodeShark> doesn't have to be 100 blocks
20:18 < sipa> i think 100 is serious overkill, but the reason the rule exists is very real
20:19 < gmaxwell> CodeShark: I think it does need to be 100 blocks, simply because asking wallets to cope with _two_ kinds of behavior is burdensome.
20:19 < maaku> there's no problem building off a txn that can be reorg'd away, but the user interface better have big flashing red lights
20:19 < CodeShark> but require that any transaction confirmed close to the edge of nExpireTime sit on the block chain for a bit before it can be spent
20:19 < gmaxwell> meh, we've had reorg events a substantial fraction of 100.
20:19 < gmaxwell> Imagine we have another long fork event and then we _cannot_ fix it without people forever losing money. Even if there were no malicious spends. egads.
20:20 < CodeShark> the problem, as I understand it, is the potential for a long chain of dependencies from an edge transaction
20:20 < CodeShark> that seems to be the main concern, right?
20:20 < CodeShark> so we can alleviate that concern by taking similar measures as we do for coinbase transactions
20:20 < gmaxwell> maaku: you even have to be able to detect it. a SPV client can't tell how deep the newest expiring input is from some chained coin.
20:21 < maaku> CodeShark: well you'll get to play with this in any case. Freimarkets has an nExpireTime and other reorg-sensitive constructions
20:21 < gmaxwell> maaku: sadly none of that matters unless the system gets serious usage you'll never learn the folly of your ways.
20:21 < gmaxwell> :P
20:21 < CodeShark> if you have an nExpireTime transaction that confirms 100 blocks before expiration, no problem. but if it confirms one block before expiration, it should not be spendable for a few blocks :)
20:21 < maaku> gmaxwell: it could if you had utxo proofs with embedded heights
20:22 < phantomcircuit> zomg yes pizza
20:22 < maaku> (which is one reason why my proposal keeps the height field even though it is not strictly needed)
20:22 < gmaxwell> exponentially in size, since you have to trace the whole history.. having one height isn't good enough.
20:23 < gmaxwell> I guess you could track for every output a shortest-reorg-that-can-kill-it?
20:24 < gmaxwell> e.g. max(height)
20:24 < CodeShark> yeah
20:25 < sipa> bleh
20:25 < maaku> gmaxwell: I honestly don't think the risk is high enough to warrant doing that calculation
20:25 < maaku> which is not easy to do in general beyond the nExpireTime case
20:26 < CodeShark> I tend to concur, maaku
20:26 < gmaxwell> maaku: We've had long >20 block reorgs in bitcoin, where thousands of transactions would have been irreparably invalidated if there were just one or a few unreorgable coins.
20:27 < gmaxwell> I think you guys are nuts, it's not even a theoretical problem. We've had at least three events where what you would have proposed would _probably_ have caused severe monetary loss if it were widely used.
20:27 < CodeShark> the risk could be mitigated
20:27 < CodeShark> I'm not saying "pretend the risk doesn't exist"
20:27 < gmaxwell> and with expirations near the tip, we could be exposed on each and every block.
20:27 < gmaxwell> coins with the risk are not fully fungible with coins without the risk.
20:28 < maaku> gmaxwell: how is that any different than someone watching a major fork in progress, and doing a double-spend?
20:28 < CodeShark> so you simply don't allow spending of those coins for a while
20:28 < maaku> (as actually did happen back in March)
20:28 < maaku> from the perspective of someone building off the transaction, that is
20:28 < gmaxwell> Because it requires someone to actually be malicious, this doesn't.
20:29 < gmaxwell> CodeShark: if _you_ are defining the "a while" then you have an exponential complexity check of the history to make sure an earlier spender didn't use a more lax definition of 'a while'.
20:29 < gmaxwell> making it a rule as we do for coinbases makes it instantly SPV compatible.
20:29 < CodeShark> yes
20:30 < CodeShark> the "while" could be a predetermined, fixed amount
20:30 < gmaxwell> well, then we have such a number already, it's 100.
20:30 < gmaxwell> :P
20:30 < maaku> gmaxwell: there's a very easy way to make it SPV compatible: wait N blocks before taking action based on the txn
20:30 < maaku> you seem to want a user to absolutely trust a txn as soon as it has 1 confirm
20:31 < CodeShark> maaku: the problem is if there's a chain
20:31 < gmaxwell> maaku: egaha. The problem there is that you don't know if a transaction had an inherently risky past in a SPV compatible manner.
20:31 < gmaxwell> E.g. I want to wait 100 for coinbases, 6 for normal payments. if coinbases were technically spendable at 1, then a spv node couldn't tell your txn was dependent on a coinbase 3 blocks ago.
09:01 < petertodd> Yeah, see here, the miner doesn't need to know anything about what coins the transaction spent, just that some scriptSig satisfied some scriptPubKey
09:01 < adam3us> petertodd: maybe there would be a way to have additional non-identifying info with the previous tx out, which can allow the miner to discard forgeries without having him be able to censor transactions
09:01 < petertodd> OK, so, remember what I said about transactions being two merkle trees?
09:02 < adam3us> petertodd: well a problem can be the scriptPubkey is recognizable to the previous spender in the chain, and who could collude with the miner to block the tx
09:02 < petertodd> See, if you have a txout in this scheme, there's no way to know what the rest of the transaction was, even though the txout irrevocably commits to it.
09:03 < adam3us> petertodd: though maybe committed tx itself has problems with that scenario .. its not censor resistant just leaves decisions up to consenting users
09:03 < adam3us> petertodd: yes
09:03 < petertodd> You can also construct your transaction tree to commit to a nonce in the middle, and then reveal the nonce to others to prove to them the txout is actually linked to the txins, rather than just some data you bizarrely want to publish.
09:04 < petertodd> So yeah, I think this scheme does have the unlinkability that you want.
09:05 < adam3us> petertodd: well i think there is a dependency on the hash of public key being deterministic (precluding nonce) and meaning the previous spender if upset can try to get your onwards tx blocked
09:06 < petertodd> ?
09:06 < adam3us> petertodd: if the public key hash is allowed to have a random element (nonce) you can't prove to other people this key is not spent
09:06 < petertodd> So, a transaction output contains the following: (scriptPubKey, merkle-root), that's it
09:07 < adam3us> petertodd: actually H(scriptpubkey)
09:07 < petertodd> right, that's possible, but not required
09:07 < petertodd> remember that the txout id, is H(scriptPubKey, merkle-root)
09:07 < adam3us> petertodd: yeah depends if you're aiming for committed tx uncensorability or not
09:08 < adam3us> petertodd: yes but it is unprovable if that is spent or not in committed form i think
09:08 < petertodd> Ah, ok, so, lets ask what is being committed?
09:09 < adam3us> petertodd: what i had to do is commit the tx and commit the pub key as well
09:09 < petertodd> So here you're not committing to transactions, you're committing to things that spend transactions.
09:09 < petertodd> *that spend transaction outputs
09:09 < adam3us> petertodd: and the doublespend protection came from checking no one made a sig or spend with key that hashes to that pub key commit
09:10 < adam3us> petertodd: yes well both as a pair: a pair of commitments
09:10 < petertodd> Right, this is kinda like that.
09:10 < petertodd> So, going back to that radix tree, the default state is that a valid scriptSig has never been presented for H(txout) right?
09:11 < adam3us> petertodd: yes so without giving the miner more info or visibility, i think you have to use h(scriptpub) as a second commit, and therefore the person who gave you that input if upset can try to get your onwards spend blocked
09:11 < petertodd> Well, when you show that scriptSig, what you also commit to is the rest of the transaction, but you only need to commit to H(tx) of course.
09:11 < adam3us> petertodd: right
09:12 < petertodd> So basically, in Bitcoin a block commits to a list of transactions. Here we commit to a list of spends of transaction outputs, and the transactions themselves are committed to by the spends!
09:12 < adam3us> petertodd: something like that
09:12 < adam3us> petertodd: so how much does it help, what new unentangled things have we been able to optimize by this
09:13 < petertodd> This also means you don't give someone money by committing a transaction to the blockchain, rather, you give someone money by committing to one or more spends of a previous transaction, and then giving them that transaction!
09:14 < petertodd> Ok, so, the big deal re: unentanglement: because mining isn't about validating whole transactions, just individual spends of transaction outputs, to mine some part of that txout space you don't need any adjacent data at all.
09:15 < petertodd> This is a huge win, because that lets you mine only a small part of that txout space, and you only need the bandwidth associated with that small part.
09:15 < petertodd> So, basically you need to keep up to date with that part, keep your part of the big radix tree up to date, but no more than that.
09:17 < petertodd> For users, when they receive funds, they are getting proof that some amount of hashing power was mining various parts of the blockchain history and that hashing power all considered there to have never been a conflicting spend.
09:17 < adam3us> petertodd: that sounds a pretty big potential win; i wonder if that fragments hashcash security though?
09:17 < petertodd> They can prove it to themselves by getting a complete copy of that small part of blockchain data.
09:17 < adam3us> petertodd: or i suppose full nodes hash as you said everything else from the last merkle roots they saw also
09:18 < petertodd> I don't think so: the security is about resistance to changing history, what the history itself actually is is irrelevant, because you're supposed to validate that yourself.
09:19 < adam3us> petertodd: one other unstated in the above list of what is bitcoin mining doing: its making a very compact proof of work: one valid one per 10mins (after orphan pruning) anything more distributed will tend to create multiple small proofs to store, not that they are very big .. a proof is probably < 64-bits
09:20 < petertodd> Right, I haven't talked yet about what exactly is going on re: the PoW.
09:20 < adam3us> petertodd: yes but bitcoin single chain model presents a one-true-history path for validation that rejects orphans
09:20 < petertodd> So does this model, it's just that the history doesn't need to be "true" :P
09:21 < adam3us> petertodd: i think you could have a thicket where each proof of work hashes as inputs all non-conflicting proof tops
09:21 < adam3us> petertodd: i figured out i think that should actually work in the past, but i was thinking meh that's going to be less space efficient; but maybe actually its not so bad
09:22 < adam3us> petertodd: its a fun fact yes; we don't care what history is, just that it doesn't change
09:22 < petertodd> Pragmatically speaking, so what does a wallet look like then? Well, I think wallet software should be programmed to keep up with enough of the blockchain data to prove, block by block, that your txout hasn't been spent. (particularly fraudulently spent)
09:22 < petertodd> thicket?
09:23 < petertodd> Hidden problem: what's the incentive exactly to broadcast this data? In Bitcoin, it's because if you don't broadcast, people won't build upon your block. Here you have to figure out something similar.
09:24 < adam3us> petertodd: without the one-true-pow chain (orphans are killed) there becomes a bunch of valid non-conflicting small pows growing up in parallel, each should hash as inputs all non-conflicting tops it saw)
09:24 < petertodd> non-conflicting top? what do you mean by tops? (and for that matter, conflicting)
09:24 < adam3us> petertodd: yes my thicket idea got some hairy incentive scheme, so that was another meh part to.... change bitcoin it becomes worse because it's entangled, and also quite optimal
09:25 < adam3us> petertodd: say for simplicity you want to maintain two chains rather than one going upwards, each time you add to it, you include both chains as an input
09:25 < petertodd> yeah, see, re: incentives, one part to fix this could be to require mining to have the consent of some fraction - proof-of-stake style - of your neighbors in the UTXO space.
09:26 < petertodd> Ah right.
09:27 < adam3us> petertodd: it was another meh moment: bitcoin is entangled and highly optimized - i thought i could make it work, but it was more complicated (incentive rules) and bigger (more blocks) more redundant (repeated data in blocks) and so forth
09:27 < adam3us> petertodd: i mean it did seem to work, but it was worse on 2 or 3 fronts
09:28 < adam3us> petertodd: "pos consent of utxo neighbours" yes maybe
09:30 < adam3us> petertodd: i wonder if not caring about history means miner validation (vs pool validation) doesn't even matter; just mine some random crap blind, it'll define history
09:48 < petertodd> net died
09:48 < petertodd> ok, so, the only way I can find that gets around this issue is to entangle mining and keeping history
09:49 < petertodd> for instance, imagine a system where to get 1/256th of the reward, you had to prove, by mining, that you had 1/256th of the blockchain data
09:50 < petertodd> easy enough to do: just require your valid PoW's to have randomly chosen fragments of the blockchain data.
09:51 < petertodd> it's a bit ugly, but it will work
10:24 < amiller> petertodd, adam3us, i'm trying to figure out a way to embed the constitutional rules more strongly
10:24 < amiller> to make it so that any deviation from the rules ruins all the signature security, for example
10:24 < amiller> like any blockchain that contains an invalid commitment also has a trapdoor that lets you make a valid-looking commitment for any signature
10:24 < amiller> something like this would give teeth to the thing everyone says bitcoin currently has, that "21 million limited inflation is guaranteed by a math algorithm cryptography!" which isn't even true, it's only guaranteed by the relative difficulty of getting everyone to change their minds at once
10:26 < petertodd> amiller: I don't think you'll manage to do that with crypto, but as a definition thing you easily can
20:31 < CodeShark> the min reorg depth would need to be somehow propagated through the chain or the SPV client would need a way to obtain a simple proof of at least a certain depth
20:32 < maaku> so? you want it to be safe from any reorg less than 100 blocks? then wait 100 blocks after it hits the chain
20:32 < CodeShark> the burden of proof could be passed to the payer
20:32 < gmaxwell> also if the rule is not consistent we can't reason about the safety of forks. E.g. we know that coinbases are not spendable before 100 so if we must we can do a 99 block reorg to fix the chain and include no double spends and we won't invalidate any spent coins.
20:33 < maaku> so let the payer use old coins so they can provide a compact proof of stability
20:33 < gmaxwell> Also you've increased communications complexity between the payee and payer. Because as a payer now I need to know the payee has some preference for non-risky coins which differs from payee to payee.
20:33 < maaku> otherwise, sucks to be them and the merchant makes them wait 100 blocks
20:34 < gmaxwell> having to wait 100 blocks at all times, or having to treat coins as highly non-fungible are both pretty poor solutions.
20:35 < gmaxwell> Esp. when the coin is some small improvement which you couldn't even explain to most people. :P
20:35 < gmaxwell> Perhaps its fine in some other system, I don't think its something we can reasonably do in bitcoin.
20:35 < maaku> well having signatures expire is pretty important when its used in a p2p exchange...
20:35 < maaku> or in a server-to-server consensus mechanism
20:36 < gmaxwell> 17:35 < maaku> or in a server-to-server consensus mechanism
20:36 < gmaxwell> yea... except dear gods, the bitcoin blockchain is NOT a communications mechanism for your server to server consensus! _global broadcast network_
20:36 < maaku> gmaxwell: using the public chain as a semaphore for two-phase commit of a distributed transaction over multiple private asset servers
20:37 < gmaxwell> your asset servers are known in advance! use a freaking ordinary consensus.
20:37 < maaku> that's why we haven't even tried to get anyone onboard with deploying Freimarkets to bitcoin
20:37 < maaku> i just assume it wouldn't fly
20:38 < maaku> gmaxwell: you need to hit the public chain for public<-->private txns
20:39 < maaku> (e.g. atomic swaps of freicoins for private assets)
20:39 < gmaxwell> For anything like that you have a small number (because multisig scalability) of known-in-advance servers. Which means you can do a regular n-of-m consensus totally external to bitcoin. E.g. an initiator proposes a distributed database update and gets a supermajority of the servers to sign off on it.
20:39 < CodeShark> ok, perhaps a more interesting theoretical question (whose solution would work just as well for my problem): is there a practical way to achieve atomic data swaps between multiple entities?
20:40 < CodeShark> homomorphic encryption?
20:41 < CodeShark> would it require quantum crypto? :)
20:41 < gmaxwell> CodeShark: you basically want two people to trade data such that they either both get the data or neither do?
20:41 < CodeShark> exactly
20:42 < CodeShark> and the outcome shouldn't take forever to determine :)
20:42 < gmaxwell> I don't know if its possible, unless you assume both parties are equally computationally bounded.
20:43 < CodeShark> or you use quantum crypto
20:43 < gmaxwell> I'm not even sure how you'd do it with quantum crypto.
20:44 < gmaxwell> lemme think for a minute.
20:45 < gmaxwell> It has to be a two party protocol? Can the protocol have N bystanders who help out, and the protocol is fair if most of the bystanders are honest?
20:46 < gmaxwell> I can give you protocols for this, but they don't work for the two-party case because they need an honest majority.
20:46 < CodeShark> escrow?
20:46 < CodeShark> yeah, the two party case seems to have much more profound theoretical implications
20:47 < gmaxwell> yea, kinda, you split the data up N ways such that N/2+1 can reveal. And then N/2+1 reveals to both and you're done. Of course it can be encrypted so that no one but the right parties learn anything.
20:47 < gmaxwell> With N=2 I think the best I can do involves bitcommitments and a cheater can terminate the protocol early and know 1 more bit than the other guy, plus then they can do computation to grind out the answer.
20:48 < gmaxwell> e.g. say you both can afford 2^64 work to grind out a missing key. I abort the protocol early so that I am missing 64 bits and you are missing 65. It's even worse if the parties are computationally unbalanced.
20:49 < gmaxwell> e.g. you can afford 2^32 and I can afford 2^64. I can terminate it after learning K-64 bits and you're just screwed.
20:49 < CodeShark> right
20:51 < gmaxwell> I know there are some protocols which claim to be able to achieve 2-party active secure multiparty computation. So I suppose I should go look and find out what the catch is, because I think that's not possible.
20:51 < gmaxwell> (for the same reason as here)
20:51 < CodeShark> not even with quantum crypto?
20:53 < gmaxwell> I think if you can do it with quantum crypto then you can make something secure in the CRS model (e.g. where there is some magic trusted random tape).
21:06 < brisque> would anybody be available to help me isolate some network oddness? trying to work out if something I'm seeing is my peers behaving badly, or something on a larger scale.
21:06 < CodeShark> what are you seeing?
21:07 < brisque> I'm getting huge floods of double spend attempts in my logs- I know it's not an issue but it's extremely persistent
21:08 < brisque> usually around block boundaries I get 60+ transactions spending spent outputs, which is strange in my eyes. big blocks milliseconds apart.
21:08 < gmaxwell> brisque: I don't think that's anything too new or interesting, some things, e.g. bc.i uselessly flood peers with double spends.
21:08 < gmaxwell> also I think coinbase does this.
21:09 < gmaxwell> after a block that doesn't have some unconfirmed transaction it has, it uselessly floods all its peers readvertising them, even if they're conflicted.
21:09 < brisque> ah. I've banned blockchain.info for that, but I wasn't aware anybody else decided it was a good idea.
21:32 < brisque> I'm definitely connected to blockchain.info or coinbase's nodes, but I've no way of knowing which they are out of hundreds of peers. might be a rainy day project to try and isolate them somehow.
21:53 < gmaxwell> brisque: unfortunately it's hard to distinguish idiotic spamming of conflicted transactions vs honest spamming of them from a peer which isn't quite caught up with the blockchain.
21:53 < gmaxwell> If it were, we could just automatically ban those nodes.
21:58 < brisque> gmaxwell: if you were intent on identifying one of the mentioned services, you presumably could just listen and isolate it by forcing the service to broadcast known transactions and measuring the latency. I don't have any inclination to, but even if they're not listening (I'm sure they're not) you could eventually find them. the number of listening nodes in the network is quite small after all, anyone with enough
21:59 < brisque> I seem to remember that Bitcoind avoids talking to multiple peers in the same network, which would make that more difficult of course.
22:01 < gmaxwell> well mostly I think this crap wastes a lot of bandwidth, but right now people have very little incentive to write competently authored node software in any case that won't get them banned.
22:05 < brisque> I suppose bandwidth is cheap enough that nobody cares. ultimately their dodgy patches will just lead to them not updating, which is the real risk.
22:10 < gmaxwell> it's already the case... well it's not just 'dodgy patches', e.g. coinbase has their own node software... and yea, they get isolated from time to time as a result.
22:10 < gmaxwell> The bandwidth might be cheap for them, but it's pretty inconsiderate to the network.
22:10 < brisque> oh god. seriously!?
22:11 < gmaxwell> yea.
22:11 < brisque> why would anybody running a financial service run their own bitcoin node!?
22:11 < gmaxwell> And expose it directly to the world too.
22:12 < gmaxwell> In any case, maybe we could just keep a count of doublespends per-peer and preferentially kick the worst offender.
22:13 < brisque> that's just ridiculous. the cost involved in building their own bitcoin node would far outstrip any benefit they would gain from it. no wonder they needed piles of VC money.
22:13 < brisque> it explains a lot, why their outgoing transactions are so slow, get stuck, often don't get broadcast.
22:14 < gmaxwell> it's not just that, if someone goes and finds yet another way to get them to reject the real chain, (which has happened by accident many times) they can potentially buy a bit of hashpower and rob them blind.
22:15 < gmaxwell> ... though in that particular case, I guess its not even the low hanging fruit. At least a month ago it was possible to deposit, and then withdraw before it confirmed.... (I reported it to them, dunno if they fixed it)
22:15 < brisque> surely they would have paid a bug bounty for you. they have a minimum 5BTC policy.
22:15 < brisque> that's an obscenely bad bug for an online wallet to have
22:15 < Luke-Jr> gmaxwell: now I can't even sell until it confirms :/
22:16 < gmaxwell> oh I guess they fixed it then.
22:16 < gmaxwell> brisque: I didn't ask about that. .. hell I wasn't even trying to discover it. Worse, in the case where I discovered this there was actually a double spend on the network, and I could have _accidentally_ ripped them off.
22:17 < brisque> I think you could have the QT client scream "DONT ACCEPT ZERO CONF TRANSACTIONS" every 5 minutes and people would still do it.
22:18 < brisque> gmaxwell: I'm shocked nobody had realised that before.
06:04 < HM2> oh wait you mean pass pass red/blue = win
06:04 < sipa> and there is no difference in result between one being incorrect or all passing?
06:05 < gmaxwell> yea, pass pass pass is lose.
06:05 < gmaxwell> and wrong wrong wrong is lose.
06:05 < sipa> if 3 pass, 0% of winning
06:05 < sipa> if 2 pass, 50% of winning
06:05 < HM2> is it something to do with the order you leave the room?
06:05 < gmaxwell> as is wrong right right and so on.
06:05 < sipa> if 1 passes, 25% of winning
06:06 < gmaxwell> HM2: no, no side channels.
06:06 < sipa> do we know whether we lost, if someone gave the wrong answer?
06:06 < sipa> or does that also count as a side channel
06:06 < sipa> not that it matters, as we're lost in any case
06:06 < petertodd> that we all get to see the same thing minus our own hate is an information channel - is this an ideal situation, or can we use rules like "if the person on the left has a blue hat"?
06:06 < gmaxwell> yea that's communication. You're all effectively answering concurrently.
06:07 < petertodd> s/hate/hat/
06:07 < gmaxwell> petertodd: you can see the other hats, you can have person specific rules if you want (so person ordering is fine)
06:07 < HM2> petertodd, that's what i was thinking. e.g. the person who left before me had a blue hat
06:09 < sipa> gmaxwell: do we have access to a RNG?
06:09 < sipa> (each individually)
06:09 < gmaxwell> sipa: sure, you can flip coins.
06:09 < sipa> oh, right, we can see the other's colors
06:09 < sipa> hmmm
06:09 < gmaxwell> but right.
06:10 < sipa> if i couldn't see the other's hats, i'd say each uses a RNG to determine whether he's going to answer or not
06:10 < HM2> well if 2 pass and 1 doesn't you have 50/50
06:11 < HM2> you have to be able to do better than that
06:11 < sipa> if my math is right, with answering with chance 0.45308, we have a 30% chance of winning
06:12 < petertodd> nothing says we can't agree before hand that two of us are going to pass no matter what, and the last man out always picks blue for 50%
06:12 < sipa> oh, we can communicate in advance?
06:12 < gmaxwell> yea, you can agree on the rules in advance. Sorry.
06:12 < HM2> it'd be a bit difficult to have a strategy if you couldn't communicate outside the room
06:12 < gmaxwell> but you know nothing of which hats you have then.
06:13 < sipa> is there a known probability distribution on the hat colors?
06:13 < petertodd> well, 50:50 is already sounding pretty good :)
06:13 < gmaxwell> coin flip, assume the coin is fair.
06:13 < sipa> ok
06:13 < petertodd> so we can't tell if our other teammates passed or picked right?
06:13 < HM2> If you saw 2 blue hats, write red. If you saw 2 red hats, write blue. If you saw differing colours, pass
06:14 < sipa> HM2: why?
06:14 < gmaxwell> petertodd: that would be communicating. No communicating.
06:14 < sipa> the hat colors are presumably independent
06:14 < gmaxwell> <3
06:14 < gmaxwell> "If you see two of the same color, call the opposite, otherwise pass"
06:14 < gmaxwell> 0 0 0 = 1 1 1 Lose
06:14 < gmaxwell> 0 0 1 = P P 1 Win
06:14 < gmaxwell> 0 1 0 = P 1 P Win
06:14 < gmaxwell> 0 1 1 = 0 P P Win
06:14 < gmaxwell> 1 0 0 = 1 P P Win
06:14 < gmaxwell> 1 0 1 = P 0 P Win
06:14 < gmaxwell> 1 1 0 = P P 0 Win
06:14 < HM2> sipa, because seeing 2 blue hats means if you have red the other 2 will pass
06:14 < gmaxwell> 1 1 1 = 0 0 0 Lose
06:14 < gmaxwell> P_win = 6/8 = 0.75
06:14 < HM2> likewise with 2 red hats
06:14 < sipa> right!
06:15 < gmaxwell> The awesome thing about this is that morons who fail at stats will actually get it right faster than non-morons.
06:15 < gmaxwell> Because if you think the hats are not independent you'll chance into that solution.
06:15 < HM2> So where's my million dollars?
06:16 < petertodd> ha, so I was at least right in thinking that the shared partial view was a communications channel
06:16 < gmaxwell> Now further mindblowing: This works with any number of people, but coming up with the assignment codes is hard. It becomes _more_ successful the more people you have.
06:17 < sipa> right, it's probably harder than generalizing to "vote the opposite of the majority you see"
06:17 < petertodd> right, so now I just need to construct a merkle tree of it, and start picking samples for my non-interactive proof :P
06:17 < gmaxwell> This is the covering code problem: https://en.wikipedia.org/wiki/Covering_code
06:17 < HM2> it makes sense from a raw information perspective as well. each player effectively can convey 1 bit of information about what they saw. a guess (worthless) or no guess
06:18 < HM2> so you have 3 bits of information and 2^3 hat combinations
06:19 < HM2> so it at least seems feasible to me that there is a very good strategy
06:19 < sipa> if we're into riddles, here's another (which sounds similar): in a monastery, monks live solitary lives; they only meet once per day for dinner, and only the abbot is allowed to speak. one day he speaks: "brothers, a terrible disease has broken out. the disease is characterized by a black dot on the forehead; anyone who knows he has the disease has to commit suicide at night". A week later, the disease is eradicated, and you can assume no...
06:20 < sipa> additional infections happened during the week
06:20 < sipa> how many were sick?
06:20 < gmaxwell> I'm glad it seemed feasible to you! But I took a while to even realize there was a dumb 50% strategy. :P
06:21 < HM2> the abbot poisoned their dinner
06:21 < sipa> HM2: perhaps, but irrelevant :)
06:21 < HM2> i'm confused as to what the problem is
06:21 < HM2> do they not have mirrors?
06:22 < sipa> nope
06:22 < sipa> no communication at all
06:23 < HM2> so no monks know if they're infected
06:23 < sipa> indeed
06:23 < HM2> and they can't tell their neighbours if they're infected
06:23 < HM2> and a week later the disease is gone
06:23 < sipa> indeed
06:23 < petertodd> was at least one monk infected?
06:23 < HM2> sounds like you have an empty monastery after one week
06:23 < gmaxwell> Do they all have the disease? No one said the disease kills you, only knowing about it.
06:24 < sipa> i'll strengthen: one week later, the disease is eradicated, and not earlier
06:24 < gmaxwell> ahh
06:24 < sipa> and nobody dies of the disease itself
06:24 < petertodd> can you die of the disease?
06:24 < sipa> not within one week :)
06:24 < petertodd> how does the disease spread?
06:24 < HM2> how can anyone commit suicide if they don't know they have it?
06:24 < gmaxwell> What I think happens is that the abbot is being replaced.
06:25 < sipa> petertodd: it doesn't spread within that week
06:25 < gmaxwell> hm.
06:25 < sipa> how we got the current situation is irrelevant
06:25 < petertodd> how can the monks learn they have it exactly?
06:25 < HM2> you can't even collaborate if you can't communicate
06:25 < sipa> petertodd: for you to find out
06:26 < sipa> oh
06:26 < HM2> there can't be a protocol for solving it at dinner if they can't establish a protocol through communication
06:26 < sipa> no, nevermind
06:26 < sipa> HM2: no need :)
06:26 < sipa> (we have to assume all the monks are highly intelligent and obeying)
06:27 < petertodd> sipa: so basically this monastery is full of the borg?
06:27 < sipa> Potentially.
06:27 < gmaxwell> sipa: does the abbot say anything else or is this just a one time announcement?
06:27 < sipa> that's the only time he speaks within that week
06:27 < HM2> ah
06:28 < HM2> if you kill yourself, you don't show up for dinner the next day
06:28 < sipa> bingo
06:28 < HM2> so there's something there
06:29 < HM2> I'm not sure how that helps you determine if you have it though
06:29 < HM2> I guess don't show up, then show up the next day and see if anyone is surprised
06:30 < sipa> everyone alive is required to be at dinner
06:30 < gmaxwell> We're all apparently dumb, because Kat solved it like instantly.
06:31 < sipa> i can't remember whether i actually ever found it myself
06:31 < sipa> probably with a lot of hints
06:31 < HM2> the protocol can't be that complex
06:31 < petertodd> can the monks know if the disease has been stopped?
06:31 < HM2> otherwise it couldn't be established without collaboration
06:31 < sipa> petertodd: no need
06:32 < sipa> assume there is only one sick person
06:32 < sipa> what happens
06:32 < HM2> nothing if he doesn't know he has it :|
06:32 < sipa> what does he see?
06:32 < petertodd> right, but the sick person has no way of knowing they are sick... and i take it monks won't kill themselves unless they know for sure
06:32 < HM2> oh, healthy monks
06:32 < sipa> bingo
06:33 < HM2> but how does that work in the general case
06:33 < sipa> first reason on
06:33 < sipa> one sick person; what happens?
06:33 < HM2> he goes home and kills himself because he knows he is the sick one
06:33 < sipa> and what does the rest see the next day?
06:33 < petertodd> sipa: so we damn well better catch it in the first case
06:34 < petertodd> sipa: healthy monks
06:34 < sipa> there you go
06:34 < sipa> now assume there were two sick
06:34 < sipa> what happens?
06:34 < petertodd> sipa: no-one kills themselves
06:34 < HM2> no
06:35 < HM2> they both kill themselves the following night
06:35 < sipa> why?
06:35 < HM2> because the next day they see the other is still alive
06:35 < petertodd> how do they know how many are sick?
06:35 < HM2> and realise they are the other unhealthy monk
06:35 < sipa> indeed
06:35 < HM2> and if there are 3 unhealthy monks it still works
06:35 < sipa> they expect that if they see 1 sick monk, that he will be dead the next day
06:35 < HM2> but 7 days only works for an upper bound on the number of monks, i think?
06:36 < sipa> obviously there are >=7 monks (abbot included)
06:36 < gmaxwell> 03:24 < sipa> i'll strengthen: one week later, the disease is eradicated, and not earlier
06:36 < petertodd> so exactly 7 monks were sick?
06:36 < sipa> indeed
06:36 < HM2> damn
06:36 < HM2> i had forgotten the number of sick monks was the actual question
17:07 < amiller> on the other hand, i have a chance at succeeding, and it may discourage other miners from including that transaction because i can harm them too
17:08 < sipa> how so?
17:08 < sipa> they don't care about seeing a competitor-miner fork off
17:08 < amiller> suppose i have 20% or so hashpower
17:09 < amiller> i have maybe a 1 in 25 chance of succeeding in undermining a block that i don't like
17:09 < amiller> if i commit to doing that anyway, despite the cost to me
17:09 < sipa> they would care if network nodes would start enforcing your rule
17:09 < amiller> then other miners may not want to include transactions that will make me fight them
17:10 < sipa> well if they suspect that you (and those thinking the same way) have more than 50% together, yes :)
17:10 < amiller> no it doesn't need to be anywhere near 50% is what i'm arguing
17:11 < sipa> not sure how
17:11 < amiller> suppose i have 20% of the hashpower
17:11 < amiller> how often is it that i find two consecutive blocks?
17:11 < sipa> once every 25 blocks, i guess
17:11 < amiller> 1/25?
17:11 < amiller> okay
17:12 < amiller> so if i commit to making a one-block attempt to undermine anything with transaction x in it
17:12 < amiller> then you are losing 4% of your effective hashpower if you mine a block with transaction x in it
17:13 < amiller> regardless of what anyone else does
17:13 < sipa> unless they actively discourage a block that does not have x in it
17:13 < amiller> hm, well yeah
17:13 < sipa> in which case the majority sode will always wim
17:13 < sipa> side, win
17:14 < amiller> s/regardless of what anyone else does/assuming everyone else runs like normal
17:14 < sipa> colluding against a <50% party is easy, if you have >50%
17:15 < sipa> in case there are different colluding parties
17:15 < sipa> you only need more than the largest other + non-colluding ones
17:15 < amiller> so perhaps miners will check their work at "doeseligiushatemyblock.com" to make sure they aren't triggering any retaliation
17:16 < sipa> i hope such things won't be necessary :)
17:16 < sipa> but maybe it's inevitable
17:17 < gmaxwell> hard to say, miners mostly take stock software these days. (eligius being the largest major exception afaik)
17:21 < amiller> i wonder if it would even be meaningful to define a completely zero knowledge consensus protocol.
17:22 < amiller> i guess that's a little bit like the stuff adam3us is trying to think of
17:23 < amiller> the only defense i can think of to this is to obscure as much information about the block as possible so that an influencer like that wouldn't easily be able to pick a predicate and enforce it
17:23 < amiller> you'd even want it to be deniable so that it couldn't just hate on everything that doesn't whitelist with it first
17:25 < gmaxwell> amiller: it's called a timestamper? :P
17:25 < amiller> well no i mean
17:26 < amiller> zero knowledge except for that all applicable validation rules have been followed :o
17:30 < gmaxwell> amiller: part of the challenge there is that when the state is incremental, you actually have to know the state to form another one.
17:31 < amiller> maybe. sort of like what we were just talking about with utxo proofs,
17:31 < gmaxwell> so you can prove to me in zero knowledge that you have a valid block xxxyyy ... but that isn't enough for me to be able to build a successor block
17:31 < amiller> potentially you only need to know about the portion of the state that changes
17:31 < amiller> each transaction output is basically its own little isolated private state box, no interaction with any others
17:31 < gmaxwell> yea, well if your 'state' is 1 bit and only changed once....
17:31 < gmaxwell> and starts as zero...
17:38 < amiller> not necessarily?
17:39 < amiller> it's hard to define this even just using generic primitives like universal zk and universal homomorphic encryption
17:39 < amiller> like it would be easy to define as a multiparty computation
17:39 < amiller> publicly verifiable private property
17:39 < gmaxwell> yea great, that doesn't help. :P
17:39 < gmaxwell> amiller: the validation essential stuff is just the spentness bit. Pretty much everything else could be encrypted.
17:40 < amiller> but the main problem is that you don't want everyone to have to touch it in every round
17:40 < amiller> only the person doing the transfer should have to interact
17:41 < amiller> so we should have one big encrypted state file where we each know the contents of one part of the file
17:41 < amiller> and if i have privileges to that file, i should be able to update the file without interacting with anyone else, with a publicly verifiable proof that i only interacted with the part that i had authority to
17:41 < amiller> oh or that
17:41 < amiller> perhaps we both have to interact to change both our states
17:41 < amiller> like if i put some of my coins into your account then we have to interact so that you learn you have them
17:41 < amiller> maybe we do a 2 player secure computation to pull that off
17:42 < amiller> but the conservation rule would be publicly verifiable
17:43 < amiller> the implicit rule is that people behave "rationally" with respect to incentives like having an auction, but not discretionary
17:43 < amiller> like you should treat all bitcoins as equal and fungible and look only at their amounts
17:43 < amiller> even though that may not be enforced, that's in principle what's expected
18:07 < amiller> maybe removing the blocksize limit could have an unintended consequence of triggering the development of rational mining software
18:08 < amiller> because then it will more clearly be up to individual miners whether to build on a block or delay building on a block for a while
18:16 < gmaxwell> amiller: that kind of decision making is really really bad for convergence.
19:02 < HM2> Ok, time to dive in to Spirit X3
19:03 < HM2> promises 3x the compilation speed of Spirit v2
19:32 < HM2> wow, i managed to fix the broken git HEAD
19:36 < maaku> amiller: are you aware of the "republicoin" discussion that went on surrounding freicoin about a year ago?
19:36 < amiller> no
19:36 < amiller> link?
19:37 < maaku> meh, it's spread all over the freicoin forums, and hasn't been brought together into a unified proposal like freimarkets yet
19:37 < maaku> i can try to find the right threads, but here's a summary :
19:37 < maaku> basically using proof-of-stake + proof-of-work voting to negotiate soft-fork changes
19:38 < amiller> i think proof-of-stake sucks because it's so poorly defined, but i am hoping to change my mind!!
19:38 < amiller> i'm eager to read it
19:38 < maaku> could be any type of soft-fork change, but specifically we were thinking about mandating budgets for the demurrage
19:39 < maaku> and expected that a somewhat parliamentarian style system would emerge - parties advocating their own budgets, forming coalitions, and the one with 51% of the bicameral PoS + PoW vote would get to say how it is spent
19:40 < amiller> that reminds me a bit of an idea someone told me last week
19:40 < gmaxwell> maaku: I don't understand how having anything but a hashchain majority matters for what is actually a soft forking change... as that majority could just force whatever outcome they want.
19:40 < amiller> about why not make bitcoin, but for the US dollar, since the US has pretty good monetary policy
19:40 < gmaxwell> (or at least force the status quo)
19:40 < amiller> i actually like the idea!
19:40 < amiller> we don't really have a great model for how the monetary policy works
19:40 < amiller> so it's hard to make it an algorithm
19:40 < amiller> on the other hand it has a sort of well defined interface
19:40 < amiller> there's a trusted steward who sets a global interest rate
19:41 < amiller> then that interest rate is offered for overnight borrowing to a handful of trusted/appointed borrowers
19:41 < gmaxwell> amiller: we could call him "real solid"
19:41 < amiller> you could totally import any monetary policy system you like and implement it on top of whatever ledger/transaction/consensus system you want
19:42 < amiller> but hopefully no one would use it because trusted parties suck
19:42 < gmaxwell> There have been a number of coins that basically had centralized control of inflation. (solidcoin in one of its worthless renditions, for example)
19:42 < amiller> it's not the slightest bit clear to me that parliamentary fighting is any more desirable either :/
19:42 < amiller> i think i like constitutioncoin better than republicoin
19:43 < amiller> ostensibly what we have is constitutioncoin
19:43 * gmaxwell votes to take amiller's bank account and split it equally among everyone else in the channel
19:43 < gmaxwell> All in favor?
19:43 < amiller> lol.
19:45 < maaku> amiller: heh, no, but freicoin has a perpetual 4.9% subsidy... simply giving all of that to the miners may be paying for too much security
19:45 < maaku> finding decentralized solutions to that is not easy...
19:46 < amiller> not easy, granted
19:46 < maaku> the big problem with republicoin is proof-of-stake - all the current systems suck, big time
19:46 < gmaxwell> maaku: yea that's one of the main arguments against any kind of inflationary coin, ... certainly giving the money to miners is potentially insane.
19:46 < amiller> who else do you give it to
19:47 < maaku> amiller: the republicoin answer is basically the same as the current (real-world) status quo: let a government elected by the people distribute it
19:48 < gmaxwell> amiller: you could lower inflation if you're paying too much for security.
19:48 < amiller> maaku, ^
19:48 < gmaxwell> but you'd still need a virtual bernanke to make that call.
19:49 < maaku> gmaxwell: except in freicoin where "inflation" is determined by the nature of money, not security needs (4.9% demurrage required for 0% basic interest, nothing to do with security needs)
19:49 < maaku> but that's a discussion for #freicoin
12:24 <@sipa> CHECKSIG(P,S) checks whether S is a valid signature for pubkey P
12:24 <@sipa> oh, and CONST(X), just a constant
12:24 <@sipa> ok?
12:24 < HM> sure
12:25 < HM> i would be comfortable with C operators and parens , but more power to you :P
12:25 <@sipa> so a normal (forget addresses for a while) pay-to-pubkey would be
12:25 <@sipa> CHECKSIG(CONST(somepubkey),DATA(1))
12:25 < TD> i feel too muggle-like for this channel
12:25 < HM> sipa: yep trivial
12:26 < HM> ok now i have to interject a question
12:26 <@sipa> HM: ok, 2-of-2 multisig becomes: AND(CHECKSIG(CONST(somepubkey),DATA(1)),CHECKSIG(CONST(otherpubkey),DATA(2)))
12:26 < HM> hmm
12:27 < HM> Ok, as long as you're explicitly indexing params it doesn't matter which order things are evaluated in
12:27 < HM> How does a merkle hash play in this ?
12:27 <@sipa> exactly
12:28 <@sipa> well, first one way to write a 1-of-2 multisig:
12:28 <@sipa> OR(CHECKSIG(const(somepubkey),DATA(1)),CHECKSIG(CONST(otherpubkey),DATA(1)))
12:28 < HM> yup
12:28 <@sipa> nothing surprising, i guess, except that it requires two checksig operators, and one will always fail
12:29 <@sipa> now, what if we add a new operator: IF(bool,X,Y), which returns X if bool==true, and Y if bool==false
12:29 <@sipa> then you could write it as: IF(DATA(1),CHECKSIG(CONST(somepubkey),DATA(2)),CHECKSIG(CONST(otherpubkey),DATA(2)))
12:30 < HM> errr
12:30 < HM> ok...
12:30 <@sipa> so your input would be [true,sigforpubkey1] or [false,sigforpubkey2]
12:30 < HM> that would mean the final value is chosen by the redeemer
12:30 <@sipa> indeed
12:31 < HM> are we talking arbitrary scripts or just bools?
12:31 <@sipa> doesn't matter, you can restrict it to just bools if you like
12:31 < HM> ok
12:31 <@sipa> the observation here is that one of the two subbranches of IF will never be evaluated
12:31 < HM> yep, just like in code
12:32 <@sipa> so, in case the AST is merkleized, you could just provide the hash of the X or Y subtree, instead of its full data
12:32 < HM> and a path
12:33 < HM> derp derp
12:33 <@sipa> well, when spending, you give the script: IF(DATA(1),CHECKSIG(CONST(somepubkey),DATA(2)),HASH(X))
12:33 <@sipa> + [true,sigpubkey1]
12:33 <@sipa> or the other way around
12:34 <@sipa> and the merkle root (which is what the txout specified) remains valid
12:34 < HM> what is X
12:34 <@sipa> the hash of the subtree CHECKSIG(CONST(otherpubkey),DATA(2))
12:34 < HM> right, so your partner in multisig has to construct that part of the script
12:34 < HM> slot in their signature
12:34 < HM> then hash it?
12:35 <@sipa> or you (as one of the receivers) just knew the two full pubkeys
12:35 <@sipa> the point is that you never have to disclose the pubkey you didn't use
12:35 < HM> right, i see. so basically you're revealing the script like P2SH but blinding branches for privacy
12:35 <@sipa> bingo
12:36 <@sipa> well, there's some mild data-size advantages as well
12:36 <@sipa> but indeed
12:36 < HM> hmm
12:36 < HM> but if the tree is binary you always reveal half
12:37 < HM> i.e. if it's complex and deep you still reveal quite a lot of the script on one side
12:37 <@sipa> if the tree is larger, you can cut away much larger subbranches
12:37 <@sipa> anyway, the largest scalability advantage is that txouts are always just one hash
12:37 <@sipa> which means the only thing that ends up in the UTXO set is one hash
12:38 <@sipa> of course, inputs become larger, and they still end up in the full blockchain
12:38 < HM> what about the implications for hash collisions
12:38 <@sipa> well, if those are a problem, bitcoin is fucked
12:38 < HM> if one branch is 5 levels deep and requires 1000 keys you still only need 1 hash collision to bypass that entire part of the script
12:39 <@sipa> you mean a preimage, not a collision
12:39 < HM> yes
12:39 <@sipa> well, we already assume our hash functions are preimage-resistant, because block mining would become trivial otherwise
12:39 <@sipa> or faking transactions
12:39 <@sipa> or faking signatures
12:40 < HM> hmm
12:42 < HM> How does OR work when you have OR(Somescript, HASH(DATA(1)))
12:42 < HM> if you complete and evaluate Somescript you're done
12:43 < HM> but HASH(DATA(1)) isn't then required
12:43 < HM> or am I getting confused
12:43 <@sipa> HASH(X) is just raw data, it's not a real operator as X is not an AST
12:43 <@sipa> HASH_x is perhaps better notation
12:44 <@sipa> and any attempt to actually evaluate HASH_whatever, probably should result in failure
12:44 <@sipa> as you've pruned a part of the subtree that was necessary for evaluation
12:44 < HM> right yeah
12:44 <@sipa> compare it to CONST_x, which always evaluates to x
12:45 < HM> argh
12:45 <@sipa> the HASH_x entries are just necessary to make the merkle root of the AST work out
12:45 <@sipa> they aren't really part of the script
12:45 < HM> if you have AND(X, Y) then you can't send a hash for one side of the script can you? both need to be evaluated
12:46 <@sipa> i suppose that you can replace Y by a HASH entry, if you can guarantee that X will evaluate to false
12:46 <@sipa> (short-circuiting behaviour)
12:46 < HM> but then the entire branch is false and might as well not be there
12:46 <@sipa> it may need to be there, to make the merkle root work out
12:47 < HM> so what non-trivial systems does this allow?
12:48 <@sipa> it allows just as much as our script system now (though in an easier way, imho)
12:48 <@sipa> but it permits selective revealing
12:48 < HM> you could just reveal 2 hashes
12:48 < HM> and provide no data?
12:48 <@sipa> anyway, i think it's best to see IF and HASH as one operator, and make that the only way to do selection
12:49 <@sipa> i.e., have an operator BRANCH1(X,hash) and BRANCH2(hash,Y)
12:49 <@sipa> which take the place of IF(true,X,HASH(Y)) and IF(false,HASH(X),Y)
12:50 <@sipa> afk!
12:52 < HM> you could also have an operator that simply duplicates its sibling branch, but applied some transformation
12:52 < HM> like adding 1 to the index of data
12:53 < HM> that'd be easier if data could exist in pairs
12:54 < HM> AND(A.part1, B.part1) OR AND(A.part2, B.part2)
12:54 < HM> could be compressed to
12:54 < HM> DUP(AND(A,B))
12:54 < HM> or something
12:54 <@sipa> basically, you want subroutines :p
12:55 < HM> yeah but without having to have something insane
12:55 < HM> DUPing cousins would be difficult
12:55 < HM> you'd need a tree of data rather than an array
12:55 < HM> so each script node had its own parameters
12:56 <@amiller> well this no longer resembles a stack language so subroutine rather than dup is necessary
12:56 <@amiller> what you probably want is a closure?
12:56 < HM> where do you define your subrouting?
12:57 < HM> subroutine
12:57 <@sipa> amiller: yeah, let's just turn it into an untyped lambda calculus :p
12:58 <@amiller> well hopefully not untyped :x
12:58 <@sipa> church-encoding a pubkey shouldn't be hard!
12:58 <@amiller> no no no i promise i'm not trying to say that's practical :p
13:09 < andytoshi> i dunno, if you treat transaction outputs as "(defun [hash]0 ...)" "(defun [hash]1 ...)"
13:09 < andytoshi> you could build a lispchain
13:10 < andytoshi> wouldn't be much slower than emacs ;)
13:10 * andytoshi runs
13:11 < HM> i think it'd be wise to keep ops to a fixed size and then you can evaluate a script recursively without actually constructing a tree
13:13 <@amiller> andytoshi the cool thing about describing it that way is you can just refer to a function by its hash so that works perfect
13:13 < HM> e.g. the opcode and the immediate value, if any, e.g. DATA(2), was always a fixed size
13:13 <@amiller> yeah that's right, you'd want fixed size opcodes
13:14 < HM> yeah, so your script is always an odd number of bytes/opcodes
13:15 < HM> assuming it's a binary tree
13:15 < HM> the memory you need is basically fixed, you just need a register file
13:24 < andytoshi> amiller: right, an altchain that did this would hardcode its genesis block with a hundred or so utility functions
13:25 < andytoshi> i guess you'd also want a tiny recursion limit to prevent ddossing
13:27 < HM> recursion?
13:28 < HM> why are you allowing recursion
13:28 < andytoshi> HM: because it allows very tiny programs
13:28 < andytoshi> but now that i think about it, i think it's impossible if your functions are all named for their hashes
13:29 < andytoshi> so it's a moot point anyway
13:31 < HM> it also makes the thing difficult to reason about
--- Day changed Sun Mar 03 2013
03:37 < amiller> http://bitcoin.stackexchange.com/questions/3313/are-there-bitcoin-password-crackers-i-can-use-to-recover-forgotten-passwords
03:38 < amiller> it would be nice to be able to offer bitcoins for a reward like that directly in a transaction script, eh
07:40 < HM> hmm
07:41 < HM> this is why secret sharing would be a nice feature for high value wallet passwords
07:41 < HM> or some equivalent
08:15 < HM> http://echeque.com/Kong/anon_transfer.htm
08:15 < HM> i've been reading this explanation of blinded tokens using EC
08:16 < HM> While i follow the logic, and see how the issuer (Toby) can be used to create valid tokens that retain privacy, I don't see how the transformation can't be used to create new tokens from spent ones
08:18 < HM> ah wait, of course you have to pay again
08:18 < HM> derp derp
08:18 < HM> Toby won't do shit for free
08:27 < HM> hmm toby presumably has to blacklist R when calculating kR otherwise both (R, kR) and (q, Q) are valid spendable tokens
08:30 < HM> still, i suppose token IDs and hashes can be of different lengths so you won't mistake one for another
08:40 < HM> I guess Toby just values everything he doesn't hash at 0
09:08 < HM> oh nm, of course R,kR wouldn't be valid anyway
12:00 < HM> Heh, wow.... digital signatures using merkle trees
13:44 < amiller_> hm yeah digital signatures were the first use of merkle trees
13:44 < amiller_> they're pretty limited on their own because they're sort of one-time use only
23:25 < jgarzik> ideally one generates an address for spending, that may only be redeemed by multiple parties. Smells like P2SH at a minimum.
23:26 < jgarzik> then each party manages one key of a multisig
23:26 < jgarzik> (s/party/bot/ as needed)
23:38 * jgarzik trolls gmaxwell
23:41 < nanotube> jgarzik: if you want to troll gmaxwell, you have to mention DHTs, at least. :)
23:42 < amiller> did someone mention dhts
23:45 * jgarzik guesses... Bots A, B, and C each generate a key. When a user requests a fresh pay-to bitcoin address from (randomly selected) Bot B, B collects data from A and C, writes a multi-sig script, uses that script to generate a P2SH bitcoin address, and gives to user.
23:46 < weex> can the user talk to the other bots?
23:47 < jgarzik> possibly, depending on how the bot addresses are discovered
23:47 < jgarzik> shouldn't matter, for the purposes of internally creating bitcoin addresses for The Collective
23:49 < weex> just thinking you want the user to be able to verify any address with a party other than the bot they talked to
23:49 < weex> doesn't really stop B from losing their key though
--- Log closed Thu Mar 07 00:00:43 2013
--- Log opened Thu Mar 07 00:00:43 2013
00:21 < jgarzik> OK, initial project then
00:23 < jgarzik> (gotta start small) Make bots that create P2SH addresses for users, and perform some tests on spending and redemption
01:21 < jgarzik> hrm
01:22 < jgarzik> downside of P2SH: other bots and public cannot scan the chain, and observe to whom a payment was made, versus non-P2SH multisig
01:22 < jgarzik> stating the obvious, yes, but had not thought of that WRT transparency and remote proofs
01:22 < jgarzik> non-p2sh multisig is easier to audit
01:23 < jgarzik> at payment time
01:23 <@gmaxwell> Well, _audit_ is fine, because the auditee guides you. It's harder to snoop. Sometimes snooping is what you want, but auditing is usually sufficient.
01:44 < jgarzik> I definitely understand the motivation behind gavin's work on payment protocol
01:44 < jgarzik> there needs to be a standard framework for passing around transactions before/during the signature process
08:19 < HM> that Multi-party talk is good
--- Log closed Fri Mar 08 00:00:45 2013
--- Log opened Fri Mar 08 00:00:45 2013
07:26 < HM2> sipa: how are things?
07:28 <@sipa> good, i guess
07:29 <@sipa> some strange findings though: my naive exponentiation ladder for field inversions runs in around 11us, OpenSSL needs 20us,... and GMP less than 1us
07:29 <@sipa> thankfully, we only need 1 field inversion per signature verification
07:29 < HM2> so GMP basically rocks?
07:30 <@sipa> must be
07:30 <@sipa> for normal field multiplications, my own code is still 3x faster than GMP, but it's very specialized for secp256k1
07:31 < HM2> have you got a full signature verifier built yet?
07:31 <@sipa> no
07:31 <@sipa> layer per layer :)
07:32 <@sipa> CodeShark wrote a field inversion that's a bit faster than mine, but still way slower than GMP
07:33 < HM2> perhaps GMP are using SSE and friends?
07:33 <@sipa> maybe
07:34 <@sipa> but i don't want to go into maintaining several branches of assembly code, for an operation that takes less than 10% of the total time
07:34 < HM2> Indeed
07:35 <@sipa> the fieldelem code i wrote already requires a __int128 type, which means a recent compiler and a 64-bit platform
07:35 <@sipa> so probably we'll need a more generic version that runs on 32-bit as well anyway
07:41 < HM2> pffft 32-bit
07:42 < HM2> bigints are such a pain in the arse, i'm beginning to wish all languages (at least JIT'd ones) just made them their default integer type
07:43 < HM2> Javascript has perhaps the most JIT engineering going in to it at the moment and the default numeric type is a bloody double
07:46 <@sipa> haha
11:10 <@gmaxwell> Anyone read http://matt.singlethink.net/projects/mpotr/oldblue-draft.pdf yet? (may have usefulness for some of the bank stuff where you need to avoid people hiding disclosures, without invoking a whole blockchain for byzantine agreement)
12:02 < HM2> C++ is currently making me want to kill someone
12:14 < helo> that's the problem with human-computer interfaces imo
12:14 < jgarzik> all languages suck
12:35 < HM2> indeed
22:16 <@gmaxwell> petertodd: so wrt, the provable balance bank, we'd talked about having users publish signatures of the root once they've verified their balance, after which the service could forget their past transaction history (since they can no longer dispute it), and it could recover the balances of users who stop signing for too long. (preventing bloat and loss of abandoned funds and encouraging people to check)
22:18 <@gmaxwell> that left an open question of how to avoid cases where the bank would 'fail' to receive a signature for too long in order to steal funds. An obvious solution there is to have the users share signatures in a broadcast medium, and each signature includes a hash of all the other signatures that signer was aware of.
22:18 <@gmaxwell> so a cheating bank couldn't selectively ignore a single user they wanted to screw.
22:19 <@gmaxwell> e.g. you submit your signature, bank says you have some sigs I don't provide them. So denying one party's signature rapidly makes the bank unable to accept any at all.
22:49 < amiller> that's really similar to truledger / opentransactions / the whole line of triple signed transactions stuff
22:50 < amiller> except that afaik none of those do it the way you described where it's better because it combines multiple users to make it harder for the server to selectively ignore just one of them...
22:51 < amiller> that's really close to a great solution i think...
22:51 < amiller> it's not in any individual's rational interest to include someone else's signatures
22:52 < amiller> it's a social good to do so - but if there's a risk that the server is trying to ignore someone's messages, if you include them then the server might try to ignore yours, so it's not your problem and you should just let someone else help
22:53 <@gmaxwell> amiller: meh, it's ~costless and if the server ignores yours too you know the server is cheating which is the point. Someone else can then prove to themselves that the server is cheating by including yours and seeing that they also get ignored.
22:54 < amiller> well you can begin to suspect the server's cheating but you can't prove it
22:54 < amiller> i think that's fixable i don't mean to detract from the main idea there
22:55 < amiller> it's like red-balloons fixable
22:55 <@gmaxwell> Well, if you know how to make it sound I'm interest if just for novelty. The ideas we were talking about were simple measures for a practical system rather than a maximally sound one.
22:55 <@gmaxwell> s/interest/interested/
22:59 < amiller> also just providing a hash of the signatures you know about isn't really good enough
22:59 < amiller> because then you could easily dos someone by providing them a bunch of signed transactions that you _haven't_ sent to the server itself
22:59 < amiller> then the server would send back messages like 'i don't recognize that signature' and it would be legitimate
23:00 < amiller> you could relay all the transactions you know about sure
23:01 <@gmaxwell> well I was reducing to IRC length. You'd presumably send some deterministic tree root, and the server would iteratively query you to agreement. To keep the tree small the server could sign signatures he has received, allowing you to prune those.
23:04 < amiller> it's probably cheaper to send a bigger packet than wait for potentially numerous round trips
23:05 <@gmaxwell> true enough, esp if server signatures are constantly pruning the set of unknown signatures.
23:06 < amiller> for the time being i don't have any good clear answer for how to properly incentive-correct this but that would be a really cool goal and the normal way you described would be practical as it is
23:07 < amiller> i think having a good incentive solution for this + metavalidation rules would be exactly the two things needed to have networks of smaller blockchains
23:09 <@gmaxwell> mostly I'm trying to think in the space of ideas that can be implemented incrementally to take a simple system e.g. IRC micropayment bots and make them into something that isn't a straight up scam hazard... stuff that still has most of the scalability, flexibility, and practical privacy of centralized systems but is a little more trustworthy.
--- Log closed Sat Mar 09 00:00:46 2013
--- Log opened Sat Mar 09 00:00:46 2013
15:58 < petertodd> gmaxwell: Sounds like a reasonable idea.
15:59 < petertodd> gmaxwell: I was thinking, a good first prototype might actually be an easywallet type site that's auditable via a merkle sum fee tree.
15:59 < petertodd> Just something really simple, but real.
17:37 <@gmaxwell> well, go a step further than that and approach instawallet and put it on a real site.
17:38 < petertodd> gmaxwell: Oh, that's exactly what I meant.
17:39 < petertodd> easywallet seems like a better target, purely because they're targeting slightly more techsavvy users from what I can see
17:39 < petertodd> w/ a javascript verifier would be great
17:40 <@gmaxwell> one challenge is that these sites have a kazillion utxo... not really compatible with small proofs.
17:40 <@gmaxwell> that's why I thought a micropayment system was better than a wallet provider.
17:40 < petertodd> yeah, currently they do, that'll have to be part of the question of how to do it
17:40 <@gmaxwell> Because a micropayment system could quite reasonably just have a few utxo.
17:40 < petertodd> I like your suggestion of having a "backing balance"
17:41 < petertodd> Yup, uc too, although none yet exist, well, sorta.
17:41 <@gmaxwell> well it may be the case that they could easily aggregate 95% of their funds in a few utxo, and then provide the other 5% out of pocket in a single utxo.
17:41 < petertodd> In practice easywallet and instawallet are also upayment systems.
18:18 < Luke-Jr> living it up would be *Beyond* foolish
18:18 < Luke-Jr> you think he'd really fare much better under another jurisdiction?
18:19 < gmaxwell> Luke-Jr: I think there are a lot of other places where no one would care or would just simply have a hard time finding him
18:19 < Luke-Jr> so maybe he really *was* saving up for a cruise ship :P
18:19 < gmaxwell> hah
18:19 < midnightmagic> Luke-Jr: Yeah but he asked to be contacted by the drug suppliers *through the one that was blackmailing him.* I personally would find that pretty laughable, unless one or both of them were just idiots who thought the other was also an idiot.
18:20 < gmaxwell> idiots pretending to be non-idiots pretending to be idiots pretending to be non-idiots?
18:20 < Luke-Jr> midnightmagic: I'm no druggie, but I think I'd have done the same XD
18:21 < gmaxwell> or were they non-idiots pretending to be idiots pretending to be non-idiots pretending to be idiots pretending to be non-idiots?
18:21 < gmaxwell> Luke-Jr: seemed really weird from the messages. Like.. uh. isn't it protocol when asking for someone to kill someone that you first might politely ask if they knew someone who could handle it instead of just offering money?
18:22 < midnightmagic> It could have been just meant as a scare-tactic.
18:22 < gmaxwell> Yea, I think that's the case, honestly.
18:22 < gmaxwell> Unless there is some hidden law of drug dealers that all of them are also hitmen?
18:22 < gmaxwell> :P
18:23 < sipa> Luke-Jr: selling drugs on SR i'd consider merely foolish
18:23 < midnightmagic> A scare-tactic would match the endless diatribal philosophy rants he would go on, and he was basically just some student in a $1000/month apartment in SF.
18:23 < midnightmagic> what the heck kind of craphole can $1000/month even buy in SF?
18:23 < sipa> running SR is already far beyond foolish :)
18:23 < gmaxwell> midnightmagic: a room in a craphole mostly.
18:23 < midnightmagic> lol
18:24 < sipa> midnightmagic: you mean rent, i hope?
18:24 < midnightmagic> sipa: rent, right.
18:24 < gmaxwell> I assume that it's what it looked like to me: the blackmailer contacted DPR pretending to be his supplier, DPR saw through that (duh) and to scare the blackmailer he went straight into offering money to have him killed.
18:24 < gmaxwell> ::shrugs::
18:24 < HM3> SR apparently collected $80M in commission
18:24 < gmaxwell> HM3: at current bitcoin prices.
18:24 < HM3> yeah
18:24 < midnightmagic> blackmailer can't take that lightly, takes the lesser money (DPR actually negotiated a cheaper price than the original $250k which was half of the blackmailed money)
18:25 < gmaxwell> "and then he buried the private keys in seven 50gallon drums in the desert!"
18:25 < midnightmagic> +1 walter white reference
18:25 < midnightmagic> that nicholas weaver guy is pretty clever.
18:25 < gmaxwell> oh oh oh
18:25 < gmaxwell> I figured it all out
18:26 < gmaxwell> SR = government honey pot. They needed a plausible excuse to take it offline while the government was shut down.
18:26 < gmaxwell> :P
18:26 < midnightmagic> except this: https://twitter.com/NCWeaver/status/385428494361956352
18:27 < midnightmagic> :-( Mr. Weaver misses the possibility the browser is *already owned* prior to the view-source.
18:27 < gmaxwell> torify curl http://...
18:28 < midnightmagic> He suggested show-source to Brian Krebs rather than torify'd curl.
18:30 < HM3> why would they serve exploits on a site they've already conquered?
18:30 < HM3> if you're visiting SR it's probably because you have an account
18:30 < HM3> i bought a few items on silk road, nothing actually illegal though.
18:31 < HM3> I'm not worried
18:31 * HM3 buries his laptop
18:37 < gmaxwell> HM3: they served exploits on every site hosted on freedom hosting, including a bunch of totally innocuous sites.
18:38 < HM3> I don't think SR was on freedom hosting?
18:38 < HM3> and it was still a JS exploit.
18:39 < HM3> two big tor busts though in a few months
18:39 < gmaxwell> I was just responding to your "why would"
18:41 < K1773R> if this person only would have used not a single unencrypted wallet... well, such ppl deserve it...
18:41 < midnightmagic> HM3: actually, they got an image back in June, which coincides somewhat with the freedomhosting bust.
18:41 < jgarzik> DPR's opsec was so poor, it was an unintentional honeypot for a long time, I think
18:41 < HM3> Yeah, bit different though. With freedom hosting they were after consumers of illegal content. I doubt they'll go after many SR buyers unless they're worth police/Fed time
18:41 < jgarzik> buyers were also reselling
18:41 < HM3> maybe yeah
18:42 < HM3> Sellers though don't give out their addresses via the messaging system
18:42 < gmaxwell> HM3: they put that stuff up on lots of sites that were just boring stuff with nothing illegal... and generic services like tormail.
18:42 < HM3> lazy httpd config?
18:42 * midnightmagic is not going to call DPR's opsec shitty.
18:43 < HM3> midnightmagic, do you think he was somehow encrypting user->user messages?
18:43 < jgarzik> I mean reselling in the real world, using SR as a wholesaler.
18:43 < midnightmagic> jgarzik/HM3: No, I'm just not so sure most security researchers doing so wouldn't be just as caught if they were doing the same thing. :(
18:44 < HM3> jgarzik, ah, but the evidence for that would be light on SR itself
18:44 < midnightmagic> HM3: No, not at all. Perhaps as far back as his interview where he claimed he was not the first DPR he already knew he was caught and just waiting for the hammer to drop.
18:45 < jgarzik> midnightmagic, according to the indictment, he got forged passports and such shipped to where he lived, hacked in a near-constant locale near where he lived, publicly used his own email addresses a few times, ...
18:45 < jgarzik> either poor opsec or didn't care about being caught
18:45 < HM3> forged passports? intent to flee?
18:45 < midnightmagic> jgarzik: I don't think it's possible to be perfect. There's always info leaking.
18:46 < jgarzik> the indictment made it sound like he was using the forged docs to rent servers
18:46 < HM3> he should have used them to flee :P
18:46 < K1773R> midnightmagic: using public name and public email if you create a stack overflow question is just retarded, though he edited it, he thought after editing it would be gone... just idiots
18:47 < jgarzik> indeed
18:47 < K1773R> midnightmagic: ie related to SR
18:47 < gmaxwell> the SO question didn't really sound implicating at all.
18:47 < jgarzik> midnightmagic, Satoshi clearly thought through his entire identity
18:47 < K1773R> gmaxwell: doesn't matter, its a trail to follow. it would just take longer
18:47 < jgarzik> You must work really hard to bootstrap a truly anon id
18:47 < gmaxwell> "how do I use curl to access a hidden service" is hardly a smoking gun, except maybe in retrospect.
18:47 < gmaxwell> K1773R: no, it's not. there is as much trail for anyone else. Its just more supporting data.
18:47 < HM3> jgarzik, are you saying there aren't records like IP addresses somewhere that could reveal satoshi?
18:48 < gmaxwell> jgarzik: it's really really hard, and even satoshi didn't do it perfectly.
18:48 < K1773R> gmaxwell: i agree, finding out its him with just that question isn't possible, but it can be used afterwards (as we see)
18:48 < jgarzik> gmaxwell, that's the difficulty with opsec with the Wayback Machine and such, hindsight / time reversal is everpresent
18:48 < gmaxwell> jgarzik: sure sure. But absent the other leaks that one probably wouldn't have mattered.
18:48 < jgarzik> nod
18:49 < jgarzik> it's the drip drip drip of tiny info leaks that lead Encyclopedia Brown to the source
18:49 < midnightmagic> K1773R: We are all idiots to someone.
18:49 < K1773R> midnightmagic: ACK, its relative :)
18:50 < HM3> they confirmed Rowling's book by analysing her writings.
18:50 < K1773R> anyway, hoping to see lower price for BTC to acquire more :P im out, n8!
18:50 < HM3> that was super cool
18:51 < HM3> little things like whether you punctuate on IRC and the frequency of your lols add a bit to your unique identity hash ;)
18:51 < midnightmagic> jgarzik: I'd be willing to bet that the early break-ins in the forum, plus sourceforge accesses, plus other things probably together yielded enough information to locate at least a real IP for satoshi.
18:52 < HM3> I would have thought he would have come forward by now tbh, or at least started a new project
18:52 < jgarzik> SR was probably one of the more successful San Fran startups ;p
18:53 < HM3> if you haven't cashed in on the glory then it suggests to me you're already cashing in in another way, or you are actually still involved in dev work
18:53 < jgarzik> midnightmagic, I think he's smarter than that, but you never know
18:54 < midnightmagic> HM3: that's pretty cynical of human nature.
18:54 < HM3> kind of
18:54 < jgarzik> HM3, sure, fingerprinting one's writing is nothing new. That's why nutter criminals in past decades would paste together letters, hoping to fool handwriting analysis
18:54 < jgarzik> now computers and stats take it to a whole new leve
18:54 < jgarzik> *level
18:54 < HM3> I mean, i wouldn't walk away from a successful project like Bitcoin unless i was working on something else, or completely sick of it.
18:55 < HM3> Just saying "Yep, done that" and then retiring seems odd
18:55 < gmaxwell> it's very easy to be sick of bitcoin.
18:55 < midnightmagic> HM3: I would say Grigori Perelman embodies a certain spirit of a lot of the more interesting humans who probably wouldn't want money to pollute themselves with.
18:55 < jgarzik> I think statistics (data mining) and data storage growth, more than any government agency, will be the death of privacy.
18:56 < HM3> and if I were sick of it, i'd milk the glory to bootstrap other aspects of my life (work or play)
21:13 <@gmaxwell> ::sigh:: "Another point of evidence on address reuse is the popularity of vanity addresses. Are you suggesting people spend hours, sometimes days searching for an address only to use them once? I somehow find that unlikely."
21:13 <@gmaxwell> adam3us: thats basically the story of all altcoins.
21:15 < jgarzik> sadly true
21:15 <@gmaxwell> I mean, even freicoin bubbled up to 0.0005 BTC per FRC and its supposed to be inflationary and not go through these speculative bubbles! :P
21:15 < adam3us> ***adam3us wants to kill all alts
21:15 < jgarzik> I like the proof-of-$somethingelse experiments
21:16 < jgarzik> just fiddling with algo choice or params is droll
21:16 <@gmaxwell> well, I'm certainly more happy when they write more than 0 lines of code with their alt.
21:16 * Luke-Jr likewise
21:16 <@gmaxwell> I thought someone was going to do an altcoin maker?
21:16 < Luke-Jr> I especially like that Freicoin also tries to deter scammers from abusing their alt
21:16 < adam3us> ah that reminds me, i was thinking there might be a way to let people play with alts without wasting electricity
21:16 <@gmaxwell> adam3us: regtest? merged mining?
21:17 < jgarzik> lawcoin: relies on proof-of-wasted-paperwork-filed-at-city-hall
21:17 < adam3us> or at least it would be interesting if a way could be found :) eg just some central trusted server would do, like coinwarz
21:17 <@gmaxwell> jgarzik: I had a few fun ideas like that, ... but SSL doesn't have any way to sign the traffic through it.
21:17 <@gmaxwell> There is that AWS thing for SSL quasi-non-repudiation though.
21:18 <@gmaxwell> Proof-of-frivolous-litigation: You must file a nuisance lawsuit against pirate40 to mine a block.
21:18 < adam3us> gmaxwell: yes so general framework for merge mining plus dont waste cpu. pay some virtual VPS and the central server allocates you some corresponding alts, proceeds go to something useful
21:18 < jgarzik> precisely
21:19 <@gmaxwell> I realized the existing merged mining code would only take a few lines of code to turn into a proof-of-attack against the chain its merging with.
21:20 < jgarzik> I do something wonder what the world would look like, if "bitcoin1" remained at 1MB etc. forever, and "bitcoin2" was layered on top of that as a day-to-day transactional currency, used in tandem with the asset-store bitcoin1.
21:20 < jgarzik> *sometimes
21:20 < adam3us> i mean these alts are mostly just a game, and have no non-speculative transactions; so they'd just as well own up to that reality.
21:21 < adam3us> jgarzik: did u see the idea BlueMatt & gmaxwell were talking about yesterday... a 1:1 peg feature, a better way to do bitcoin-staging
21:21 < jgarzik> adam3us, interesting, though not quite what I was thinking
21:21 <@gmaxwell> jgarzik: I dunno if you saw the sub-chain discussion from here with bluematt 24 hours ago. Sounds like we could pretty 'easily' with some changes (perhaps just softforking) have a sub-coin where you could move bitcoin to and from the subcoin.
21:21 < adam3us> jgarzik: then we could make a bitcoin2 that safely allowed coins to be moved between bitcoin1 & bitcoin2. (the protection is only coins moved into it can be moved back so there is no security risk for people not participating)
21:21 < jgarzik> I just openly wonder about keeping 1MB forever
21:22 < jgarzik> My statement has always been "it will probably change"... notably not stating "it should change" of which I'm not yet convinced
21:22 < jgarzik> and then logically extend from there
21:22 <@gmaxwell> one of the complicating issues is that some of these ideas like the subchain stuff really only work if Bitcoin1 remains reasonably cheap to validate, because all the sub-things below it must commonly validate bitcoin1 (but not each other)
21:23 < adam3us> jgarzik: i think the 1:1 peg is the best idea i heard in quite a while in bitcoin land. with that we could move ahead and develop the queued ideas and fixes without risking bitcoin1 funds
21:23 < adam3us> jgarzik: and yet avoiding the alt-coin trap and with no market / arbitrage cost/risk and no security risk to bitcoin1 funds
21:23 <@gmaxwell> adam3us: it's not even a new idea really, we've known for a long time that it was possible to do something like this, subject to some limitations. As I mentioned before script is _almost_ powerful enough to express it directly.
21:24 < jgarzik> hmm
21:25 < jgarzik> bah, baby bedtime, bbiah
21:25 <@gmaxwell> adam3us: the point you make about -staging is interesting though, I know you'd proposed 1way for staging, but I think one-way is not so interesting, the point that subchains would be useful for playing with new cryptocoin ideas is quite interesting.
21:27 < adam3us> gmaxwell: too much idea backlog to trace as close as i got was the 1-way peg; i was thinking a) cant change bitcoin because thats the problem the peg is trying to solve; and b) 1:1 peg while desirable requires btc change; and c) i didnt go further
21:27 <@gmaxwell> sort of interesting to consider that maybe in the future the bitcoin network goes away and its replaced with ... another bitcoin network.. and it all happens in a fully consensual way with people just migrating their coins into another system.
21:27 <@gmaxwell> adam3us: well I think we can make the one change to rule them all.
21:27 <@gmaxwell> ... the more useful things a change does the more justifiable the effort.
21:28 < adam3us> gmaxwell: yes i like it; i like that its seemingly possible with a focused change to do this, and this does seem like the one change to rule them all which is why i was interested in the staging idea - i think it solves a real-world dev problem
21:29 < adam3us> gmaxwell: forking things could be done on this network; maybe you can even move coins out, upgrade, move them back; or roll out new forking versions with the analogous coin move protocol
21:29 < adam3us> gmaxwell: all without risking bitcoin n-1 funds
21:30 < adam3us> gmaxwell: and also version1.0 could reject further non-defect changes and focus on being a value store afterwards
21:31 < adam3us> gmaxwell: that could be the stable IP protocol on which payment internet is built (or other stupid / non-transferring analogies people like to make)
21:32 < adam3us> gmaxwell: (mostly they actually mean "yay were going to flood bitcoin scarce broadcast channel as if its an IP datagram network")
21:33 < adam3us> and eg people doing well considered script changes would have somewhere to do them outside of alt-space (eg like freimarket extensions)
21:35 < BlueMatt> gmaxwell: the idea of a 1:1 peg is that bitcoin1 could remain easy to verify forever since txn just happen on bitcoinN
21:36 < adam3us> BlueMatt: and reward mining could happen only on bitcoin1
21:36 < BlueMatt> yup
21:36 < BlueMatt> (eg 1MB blocks forever on bitcoin1...)
21:38 <@gmaxwell> BlueMatt: moreover, that kind of design strongly favors bitcoin1 being fairly small blocked, simply because you want bitcoin* also verifying it (so at least security in one direction was _full_, and so if a false proof shows up in the other direction the bitcoinN nodes can take action).
21:38 <@gmaxwell> this has long been one of my concerns with cranking the block size that once it happens some scalability solutions are harder.
21:39 <@gmaxwell> it's also more egalitarian: developers of your coin turning down your awesome automatic stolen coin recovery feature? Okay fine, create a new altcoin, and migrate your coins into it.
21:40 <@gmaxwell> it could even go in hierarchies. Say that your "alt system" is too unblockchain like to be directly bound into bitcoin with this one-change-to-rule-them-all feature.
21:41 < BlueMatt> yup
21:41 <@gmaxwell> thats alright, you migrate your coins to bitcoin3 which has SNARK scriptpubkeys, and with those you can bind your wacky offchain system.
21:41 < BlueMatt> yup
21:44 <@gmaxwell> you could, if you wanted, even experiment with different economic formulas. You can't create bitcoin out of thin air, but you could tax inbound, store, and/or outbound coins.
21:45 <@gmaxwell> oh man, this guy won't give up.
21:45 <@gmaxwell> "I'm not certain it's very much discouraged. I've been reading here and /r/bitcoin actively for the past 10 months and this is the first time I'm hearing about the importance of using addresses only once."
21:45 < BlueMatt> wtf
21:46 < BlueMatt> this is the point where you say "I'm sorry, but you're wrong, You should go ask people who actually know (ie work on bitcoin as devs) and give up reading idiots all day"
21:46 < adam3us> maybe the bitcoin fungibility thread might get the msg over (or not)
21:47 <@gmaxwell> Well, I'm not talking with him for the sake of arguing. I don't care about right and wrong, he is in my petri dish now.
21:47 < adam3us> people with that level of understanding are dangerous to be writing code others might use
21:47 < adam3us> brainwallet.org level
21:47 <@gmaxwell> He seems to be especially sour about avoiding reuse, I think because he'd been building an empire in his mind based on having identity services around static addresses.
21:48 <@gmaxwell> So I'm not sure how much is due to that vs the popularity of that misunderstanding in the population, I suspect its a bit of both.
21:48 <@gmaxwell> he was responding to me writing this:
21:49 <@gmaxwell> I hope I didn't come across as suggesting it never happens. Only that its problematic, discouraged, and not done by many (esp. those who know better, or whose livelihoods depend on using Bitcoin well). Because of the rapid growth the overwhelming majority of people you interact with in Bitcoin space are very new to Bitcoin... and pick up bad habits like using "brainwallet" which sound appealing but often burn them with subtle ...
21:49 <@gmaxwell> ... complications.
21:49 <@gmaxwell> ...
--- Log opened Fri Mar 01 15:37:32 2013
15:37 -!- petertodd [~pete@76-10-178-109.dsl.teksavvy.com] has joined #bitcoin-wizards
15:37 -!- Irssi: #bitcoin-wizards: Total of 4 nicks [1 ops, 0 halfops, 0 voices, 3 normal]
15:37 -!- Irssi: Join to #bitcoin-wizards was synced in 0 secs
15:37 <@gmaxwell> hi. I see you've arrived on wizard time.
15:37 < petertodd> Lol, it's all I seem to be interested in...
15:38 < sipa> a wizard is never late
15:38 < petertodd> It's interesting how this AST idea would have made adding data to transactions a total non-issue.
15:38 <@gmaxwell> Sort of interesting that it would result in some branches being more expensive to execute than others.
15:38 < helo> not a wizard, but enjoy being mystified
15:39 < amiller> imo being able to execute an AST partially is extremely important
15:39 <@gmaxwell> petertodd: well, it would be a one time hash_size scale increase in scriptsigs.
15:39 < amiller> this would entirely remove the concern about nonterminating scripts
15:39 < sipa> and ASTs have very strong static analysis abilities
15:40 < petertodd> amiller: Yeah, non-terminating would be rejected for having too much AST-related proof data.
15:40 < sipa> so the cpu cost for validation can always be known in advance
15:40 <@gmaxwell> interestingly you could have NP steps in your execution.
15:40 < petertodd> sipa: Well, defined in advance in an opcode cost table.
15:40 <@gmaxwell> If the spender provides a trace of the execution, effectively, then the network is just checking the execution proof.
15:40 < petertodd> gmaxwell: How so?
15:41 < sipa> yup
15:41 < petertodd> Ah, I see, so the algorithm can be NP, provided your n is small enough, and it's still statically checkable.
15:41 <@gmaxwell> The idea is the network is not a computer, the network is a proof checker for computation the spender did.
15:41 < HM> o_o
15:42 < petertodd> HM is not a wizard...
15:42 <@gmaxwell> :)
15:43 <@gmaxwell> petertodd: I mean we already have NP steps, e.g. checksig. But looking at the network as a generalized proof checker for computation the spender did makes 'checksig' not so special sounding.
15:44 < amiller> i don't see how checksig is np
15:44 < petertodd> So basically a scriptPubKey is now just the AST head, simple enough, a scriptSig should be a list of index/values, and then you have a scriptTrace, which is essentially the hash of the state of the stack at each step.
15:45 < petertodd> (scriptSig being index values to allow for providing the minimum proof if there could be a lot of potential input data)
15:46 < petertodd> If the scriptTrace includes each opcode executed, it's also statically analyzable.
15:58 <@gmaxwell> amiller: "provide me a value that makes this ecc signature validation return true".
15:58 < amiller> ah okay i see
15:58 < amiller> yeah.
15:58 < amiller> so that's basically the way of encoding proof of work puzzles within the scripts
15:59 < amiller> it would be really useful to be able to encode a whole chain validation rule within the script
15:59 < amiller> that would be the basic technique to do multichain transactions
15:59 <@gmaxwell> results in ennnnooorrrmmooouuusss signatures.
15:59 < amiller> i don't see why
15:59 < amiller> you can still have ecdsa and hash as primitives
16:00 < petertodd> Yes, but signatures right now are like, 3 steps.
16:00 < petertodd> Unless you are relying on high-level opcodes only.
16:00 <@gmaxwell> doubly so if the other chain is a merklized linked list instead of a merkle mountain or merkle skiplist.
16:01 < petertodd> On the other hand, at least we're honestly forcing them to pay for all that execution.
16:02 <@gmaxwell> 11kbytes/day for a bitcoin SPV proof for just the headers alone.
16:02 < amiller> i don't follow what that consists of
16:02 < petertodd> ...although, it's interesting how now you can run into situations where someone says "Here, I'll pay you by giving you the scriptSig to spend this scriptPubKey" and you need to ensure the protocol knows damn well what kind of proof will be required.
16:02 < petertodd> *how long a proof is required
16:04 <@gmaxwell> amiller: I make a payment to you conditional on a payment in another chain. To prove it you have to show the fragment, headers after the fragment to show its buried, and headers before the fragment to show its the right chain
16:04 <@gmaxwell> Otherwise I just make N minimum difficulty headers off in forkland and call it a day.
16:04 < amiller> hm
16:05 < amiller> ok i see so that's where the merkle mountain might help
16:05 < amiller> you could encode a looser rule
16:05 <@gmaxwell> if the other chain is something with log n lookup rooted at each block then its less bad.
16:06 < petertodd> Yes, although the merkle mountain chain now needs some idea of how to do random sampling to be sure you didn't just mine some choice headers in the right places.
16:06 <@gmaxwell> Then you want: fragment, next SECURITY_PARAM headers, and a sufficient path to show that the headers are a valid extension of that chain.
16:06 < petertodd> Ideally, which headers are asked for should be randomly chosen and out of control of the sender.
16:07 <@gmaxwell> petertodd: well what I'd anticipated on my alt chain was making a skiplist where the random backsteps were picked by the apparent difficulty of each block.
16:07 < petertodd> Yes, that would work.
16:08 < petertodd> On the other hand, with merkle mountain, the chain height is provable.
16:08 <@gmaxwell> work being provable is more interesting than height.
16:09 < petertodd> Yes, but height is good for things like "anyone can spend" bonds.
16:09 < petertodd> So I dunno, put in both. :P
16:09 < amiller> even those are probably better off using work but sure
16:10 < petertodd> Ok, so here is a solid AST usage: fidelity bonded ledger refund scriptPubKeys.
16:10 < petertodd> Basically, write a big AST that can accept proofs from anyone wanting a refund, and then only the execution path for the given person being refunded needs to be provided.
16:11 < petertodd> And that path can result in the coins being spent in a way that the remaining people can still get another refund with that txout; IE the txout scriptPubKey will be partially constrained too.
16:12 < petertodd> So the AST itself will encode the bitfield or whatever of remaining tokens to be refunded.
16:12 <@gmaxwell> it simply replaces the terminal leaf with a 0 and then thats required to be the change?
16:13 <@gmaxwell> e.g. a rule that says rebuild this with this node turned to a 0, and thats the change output.
16:14 <@gmaxwell> so as you spend from an AST you could prune the AST to prevent the same code from executing twice.
16:14 <@gmaxwell> kind of a special case for recovery, I can't see another use right now.
16:14 < petertodd> Exactly, or even simpler, the AST includes its own code in the next AST, and a changing bit of data.
16:15 < petertodd> Now, if these AST proofs are done as an opcode on their own, OP_PARSE_AST, the "what has been spent" thing can basically be just a second AST that puts the stack in the correct way.
16:15 < petertodd> Which means we can implement all this as a soft-fork...
16:16 <@gmaxwell> except for the whole rest of the system which must be replaced, and the security model changes, required to make ginormous signatures viable.
16:16 < petertodd> Finally, rather than provide the whole proof, provide just the hash of, say, the last step of execution, along with an execution counter. The minute that counter hits the limit, script validation stops, yet nodes can still statically analyze how expensive the script could be to spend.
16:17 < petertodd> Not quite as nice, but the scriptSigs are still small.
16:17 < petertodd> (er, sorry, that + the op codes, kinda like a P2SH almost)
16:18 < petertodd> Point is, each op code doesn't need a hash with it for the state of the AST.
16:20 <@gmaxwell> I'm not really following on the 'provide just the hash of, say, the last step of execution, along with an execution counter.' front.
16:21 < petertodd> wait...
16:21 * petertodd doesn't understand the meaning of merkleized...
16:22 < sipa> each node in the AST has a hash associated with it, which depends on that of its subtrees
16:22 < petertodd> yeah, big brain fart there
16:22 < sipa> so the scriptPubKey only needs the root hash
16:22 < petertodd> So basically, scriptSig size is 32 * # of opcodes + leaves
16:22 < sipa> and you provide the path through the tree that needs execution, and hashes of pruned side trees
16:22 < petertodd> (# of opcodes executed)
16:23 < petertodd> Yup
16:24 < petertodd> Actually, with a pile of expensive analysis, it'd still work, because you would enumerate all the paths through your code... but, that's impractical for anything interesting.
16:24 <@gmaxwell> doesn't have to just be opcodes. The AST could be grouped at the basic block level. E.g. 32 * branches.
16:24 < sipa> yup ^
16:24 < petertodd> That's reasonable
16:24 < sipa> you'd probably just have one branching opcode
16:24 < petertodd> Yup
16:25 < sipa> that evaluates a boolean, and selects its left or right subtree
16:25 <@gmaxwell> no point in having separate hashes for each opcode when they are always executed... and no harm in sending a few extra opcodes past an early termination.
16:25 < sipa> and takes a hash for the other
16:25 < petertodd> Yes, and if you hash the strings in reverse order, you can use midstate compression.
16:25 < petertodd> Only provide the proof from the last one you execute.
16:36 <@gmaxwell> random thought: what would a txout that had a later specified script be useful for? e.g. you branch to a bit of script that basically checks an ecdsa signature and serialized script on the stack, then OP_EVALs it?
00:45 < andytoshi> maybe withhold those hugs :) altoz replied with 'but this does encryption as well as signing', and he's already got a "can't wait to try it!" reply
00:46 < Luke-Jr> sigh
01:20 < Emcy> wow that guy accidentally sent 20btc fees and then had it mined by p2pool
01:20 < Emcy> super unlucky
01:31 * Luke-Jr thinks we should get rid of spendfrom.py example
01:59 < michagogo|cloud> Emcy: note that he was essentially crafting the transaction manually
02:01 < gmaxwell> bitcoin-qt/bitcoind wouldn't have sentraw that transaction now either.
02:14 < Emcy> yea. creating rawtxs to send coins to some gambling thing
04:10 < adam3us> Emcy: that confirms my thought that fee > value on non-dust level should be invalid (not fwded) its ridiculous. 10k pizza guy ok, but its not exactly a "cool" story to hear now and then of the $20k accidental wire xfer fee
04:17 < gmaxwell> adam3us: I disagree very strongly.
04:18 < gmaxwell> There is no reason to make it non-standard, users can be protected by their software, and if the software doesn't then nothing can save them, doing so would have had likely no effect here, since "brainwallet" passes the transactions directly and any miner is likely to instantly rip out that rule, at least after the first time they don't get some mysterious big fee txn, and doing so would break some applications that depend on ...
04:19 < gmaxwell> ... having big fees.
04:19 < gmaxwell> (this stuff: https://en.bitcoin.it/wiki/Identity_protocol_v1 )
04:19 < gmaxwell> Bitcoind / bitcoin-qt already won't let you sendrawtransaction such a transaction, unless you give it an extra override switch.
04:23 < wumpus> there are tons of ways to shoot yourself in the foot if you work with bitcoin at such a low level. It could just as well have been "person sends 1000BTC with OP_RETURN script by accident"
04:25 < gmaxwell> wumpus: a fun mistake I've made while playing around with those sites: highlight a pre-filled form to clear it out, but doing so copies the default address there and blows away the address in my copy buffer. Then I paste the default address back in, thinking it was the one I intended to use.
04:25 < wumpus> if you add all kinds of nice and fluffy safety measures at the protocol level, the end result may be making people *less* careful
04:25 < gmaxwell> (I asked joric to remove the default addresses from the site, pointing out this failure mode, and he declined ::shrugs::)
04:26 < wumpus> gmaxwell: ouch
04:26 < gmaxwell> fortunately I've never lost money that way, but I've been confused while screwing around with it casually.
04:29 < Emcy> does anyone ever worry in the future that a big bank might fuck up a large settlement by working with raw txs and send a good fraction of the wealth of a nation to china or something
04:29 < wumpus> (end users should ideally be protected by a user-friendly layer on top... as for dangerous behaviour, you don't expect consumers to go mixing chemicals directly either to make food flavors, and then blame physics for them ending up in the hospital)
04:29 < Emcy> and plunge their country into poverty......
04:29 < warren> presumably you would write a parser that double checks your tx before send
04:29 < warren> this isn't a toy anymore
04:30 < warren> (unless you're talking dogecoins)
04:30 < Emcy> only double? for a transfer like that?
04:30 < wumpus> Emcy: they should have actual humans review such a transaction
04:30 < Emcy> thats where the fuckups come in
04:30 < gmaxwell> Emcy: I've had some people on IRC ask me to review transactions of theirs, as a second party review of a large manually constructed transaction.
04:31 < gmaxwell> Emcy: defense in depth.
04:31 < Emcy> i remember the big one a few years ago where barclays was down for like a week, some human fiddled with settlement code from 1950 or something
04:31 < wumpus> if you transfer such amounts of money, you can hire crypto experts to verify it
04:31 < Emcy> COBOL?
04:31 < gmaxwell> You have machines which cannot fail by design, and then you have humans check too, to catch when the infallible machines fail. :)
04:32 < gmaxwell> wumpus: at the SJC conference I was joking that it would be fun to have some good "Bitcoin headlines from the future" in a keynotey talk... and I gave some suggestions.
04:32 < Emcy> gmaxwell im surprised you would do that
04:32 < Emcy> for truly serious amounts anyway
04:32 < wumpus> gmaxwell: hah, it sounds pretty weird worded that way
04:33 < Emcy> sounds interesting
04:34 < wumpus> what I sometimes worry about is bitflips due to overheated/damaged CPUs
04:34 < gmaxwell> "January 1st 2016 Kenya announces it's acquired a million bitcoins and is switching to bitcoin" "January 2nd Apparently Kenya used a 'brain wallet'... Anonymous now the wealthiest non-governmental entity in the world" "January 1st 2017, 4chan orbiting station launched"
04:34 < Emcy> that really almost never happens
04:34 < gmaxwell> Emcy: they do happen however, if rarely. They especially worry me with change.. e.g. bitflip changes your change address by 1 before signing. oops.
04:35 < Emcy> when it does i think its more likely to be solar neutrinos or something and not an old electromigrated chip
04:35 < Emcy> quantum effects as chips approach bloody angstroms remain to be seen........
04:36 < Emcy> gmaxwell yeah its worrying that its possible. Wouldn't ECC memory catch it though for important operations?
04:37 < Emcy> then again wut if a bit flips in your pacemaker, or your plane or anything
04:37 < wumpus> gmaxwell: haha, such stories are a funny way to deliver the message not to use brainwallets
04:38 < wumpus> Emcy: planes have redundant systems (at least I hope so)
04:38 < Emcy> gmaxwell funny moot was depicted as inhabiting an orbital station in that 4chan cartoon short.....
04:40 < wumpus> gmaxwell: i suppose some problems could be avoided by doing a last-minute check on the transaction after signing but before broadcasting... then again, everything checked against may be corrupted, how can you ever be sure, it's really difficult to protect against fallible hardware
04:41 < gmaxwell> yea, I opened an issue as a "to do someday" ... after signing just go and check that the change address IsMine, that the amounts and outputs match what we think they should match.
04:41 < gmaxwell> If we redo the base58 decode it'll actually be very strong unless the error is repeatable, since that will check the checksum.
04:43 < wumpus> sounds like a good idea to do an isMine check; if it has a private key for the address, it must still be spendable
04:43 < gmaxwell> key generation should also double check, which I don't think I mentioned on that issue.
04:43 < warren> Coin control lets you set a change address of anything at the moment ...
04:44 < gmaxwell> yea, well, if you do that you get to keep the pieces.
04:44 < wumpus> warren: I've thought about that, not sure it's a good idea to allow non-owned addresses there
04:44 < gmaxwell> (that one could be checked by at least doing the base58 decode, same as regular outputs)
04:45 < wumpus> then again it's coin control not coin nanny
04:45 < gmaxwell> wumpus: it could be kinda handy, I suppose. e.g. if you're migrating between wallets gradually.
04:46 < warren> it says "experts only"
04:46 < wumpus> in any case, adding some appropriate sanity checks wouldn't hurt
04:46 < gmaxwell> I guess we'll see if anyone manages to say, put their destination address there twice "keep the change" not realizing that "change" could be 100 btc.
04:48 < wumpus> warren: I suppose brainwallet also has such a disclaimer though :p there is a point in not making user friendly interfaces for inherently dangerous expert things
04:49 < gmaxwell> there is no disclaimer on brainwallet.
04:49 < wumpus> okay
04:50 < gmaxwell> the guy who created it either doesn't get half these concerns or he's playing dumb.
04:52 < Emcy> why would he?
04:53 < gmaxwell> Well, calling someone stupid isn't nice, so I thought I'd at least credit him with stupid or evil.
04:53 < Emcy> it is just a tool, i suppose
04:54 < wumpus> it is, but it could at least come with a warning
04:54 < epscy> there should be a disclaimer
04:54 < gmaxwell> see some old logs, https://people.xiph.org/~greg/brainwallet.txt
04:54 < epscy> i would be worried about getting sued if that guy was me
04:54 < Emcy> though i had a look and saw a box to put your OWN passphrase in to generate a wallet AND it was prefilled with correct horse staple battery
04:54 < Emcy> that's just asking for it
04:54 < wumpus> the point is, it doesn't look dangerous... most physically dangerous tools at least look dangerous
04:55 < gmaxwell> it looks slick and its promoted by mainstreamish tech media to new users who've never used bitcoin at all.
04:55 < Emcy> if he took off the friendly rounded corners of the buttons do you think that would be enough to dissuade people lol
04:56 < gmaxwell> The broader bitcoin community (not just us tech heads) has started throwing red flags on it. At least now everyone who gets screwed via that site is getting called an idiot ( :( but pretending you knew all along it was unsafe is the first step to actually knowing)
04:57 < Emcy> perhaps its a process which people just have to go through?
04:57 < Emcy> being deprogrammed to just trust every slick website out there
04:58 < gmaxwell> well it's not just the slickness... all the ideas sound fun in principle, but the devil is in the details.
04:58 < Emcy> i loved the idea of a brainwallet until i learned why its almost always a bad idea
04:58 < Emcy> i still like it but i wouldn't do it
04:59 < gmaxwell> people are awful good at visualizing the sequence of events where everything goes right...
05:00 < Emcy> just another cognitive bias

ID_MSG | ID_TOPIC | ID_BOARD | posterTime | ID_MSG_MODIFIED | modifiedTime | modifiedName | icon | smileysEnabled | subject | body
10 | 1 | 3 | 1258658586 | 10 | 0 | - | xx | 1 | Re: Welcome to SMF! | Another test message
11 | 4 | 3 | 1258695444 | 11 | 0 | - | xx | 1 | SMF Config Notes |
I left the admin account set to the original SMF theme so if I somehow completely wedge the custom theme I can still get in to fix it.

I've got a neat little 12x12 coin image to replace those pip stars with. Should look nice. Also some nice button images to try.

The registration page has "hide your e-mail address" unchecked by default. I must fix that in php before we can open up.

The Announcements forum is currently moderator access only.
12 | 4 | 3 | 1258785763 | 12 | 0 | - | xx | 1 | Re: SMF Config Notes |
12x12 coin for pip stars done.

Registration page "hide your e-mail address" checked by default done, haven't tested it yet.
13 | 2 | 3 | 1258825243 | 13 | 0 | - | xx | 1 | Re: Testing the new site platform | I have to get the number of posts up over 20 so the topic will have multiple pages, so here goes with a bunch of blank posts.
14 | 2 | 3 | 1258825380 | 14 | 0 | - | xx | 1 | Re: Testing the new site platform | blank
15 | 2 | 3 | 1258825426 | 15 | 0 | - | xx | 1 | Re: Testing the new site platform | blank
16 | 2 | 3 | 1258825493 | 16 | 0 | - | xx | 1 | Re: Testing the new site platform | blank
17 | 2 | 3 | 1258825532 | 17 | 0 | - | xx | 1 | Re: Testing the new site platform | blank
18 | 2 | 3 | 1258825572 | 18 | 0 | - | xx | 1 | Re: Testing the new site platform | blank
19 | 2 | 3 | 1258825602 | 19 | 0 | - | xx | 1 | Re: Testing the new site platform | blank
20 | 2 | 3 | 1258825641 | 20 | 0 | - | xx | 1 | Re: Testing the new site platform | blank
21 | 2 | 3 | 1258825776 | 21 | 0 | - | xx | 1 | Re: Testing the new site platform | blank
22 | 2 | 3 | 1258825796 | 22 | 0 | - | xx | 1 | Re: Testing the new site platform | blank
23 | 2 | 3 | 1258825868 | 23 | 0 | - | xx | 1 | Re: Testing the new site platform | blank
24 | 2 | 3 | 1258825933 | 24 | 0 | - | xx | 1 | Re: Testing the new site platform | blank
25 | 2 | 3 | 1258826046 | 25 | 0 | - | xx | 1 | Re: Testing the new site platform | blank
26 | 2 | 3 | 1258826232 | 26 | 0 | - | xx | 1 | Re: Testing the new site platform | blank
27 | 2 | 3 | 1258826291 | 27 | 0 | - | xx | 1 | Re: Testing the new site platform | blank
28 | 5 | 1 | 1258913068 | 28 | 0 | - | xx | 1 | Welcome to the new Bitcoin forum! |
Welcome to the new Bitcoin forum!

The old forum can still be reached here:
http://bitcoin.sourceforge.net/boards/index.php

I'll repost some selected threads here and add updated answers to questions where I can.

FAQ
http://bitcoin.sourceforge.net/wiki/index.php?page=FAQ

Download
http://sourceforge.net/projects/bitcoin/files/

29 | 6 | 1 | 1258914704 | 29 | 0 | - | xx | 1 | Repost: Bitcoin Maturation |
--------------------
bitcoinbitcoin:
Bitcoin Maturation
Posted:Thu 01 of Oct, 2009 (14:12 UTC)

From the user's perspective the bitcoin maturation process can be broken down into 8 stages.

1. The initial network transaction that occurs when you first click Generate Coins.
2. The time between that initial network transaction and when the bitcoin entry is ready to appear in the All Transactions list.
3. The change of the bitcoin entry from outside the All Transaction field to inside it.
4. The time between when the bitcoin appears in the All Transfers list and when the Description is ready to change to Generated (50.00 matures in x more blocks).
5. The change of the Description to Generated (50.00 matures in x more blocks).
6. The time between when the Description says Generated (50.00 matures in x more blocks) to when it is ready to change to Generated.
7. The change of the Description to Generated.
8. The time after the Description has changed to Generated.

Which stages require network connectivity, significant local CPU usage and or significant remote CPU usage? Do any of these stages have names?

--------------------
sirius-m:
Re: Bitcoin Maturation
Posted:Thu 22 of Oct, 2009 (02:36 UTC)

As far as I know, there's no network transaction when you click Generate Coins - your computer just starts calculating the next proof-of-work. The CPU usage is 100% when you're generating coins.

In this example, the network connection is used when you broadcast the information about the proof-of-work block you've created (that which entitles you to the new coin). Generating coins successfully requires constant connectivity, so that you can start working on the next block when someone gets the current block before you.

30 | 7 | 1 | 1258914720 | 30 | 0 | - | xx | 1 | Repost: Request: Make this anonymous? |
--------------------
anonguy54:
Request: Make this anonymous?
Posted:Thu 15 of Oct, 2009 (19:58 UTC)

Are there any plans to make this service anonymous?

e.g; Being able to route BitCoin through Tor.
31 | 6 | 1 | 1258914861 | 31 | 0 | - | xx | 1 | Re: Repost: Bitcoin Maturation |
It's important to have network connectivity while you're trying to generate a coin (block) and at the moment it is successfully generated.

1) During generation (when the status bar says "Generating" and you're using CPU to find a proof-of-work), you must constantly keep in contact with the network to receive the latest block. If your block does not link to the latest block, it may not be accepted.

2) When you successfully generate a block, it is immediately broadcast to the network. Other nodes must receive it and link to it for it to be accepted as the new latest block.

Think of it as a cooperative effort to make a chain. When you add a link, you must first find the current end of the chain. If you were to locate the last link, then go off for an hour and forge your link, come back and link it to the link that was the end an hour ago, others may have added several links since then and they're not going to want to use your link that now branches off the middle.

After a block is created, the maturation time of 120 blocks is to make absolutely sure the block is part of the main chain before it can be spent. Your node isn't doing anything with the block during that time, just waiting for other blocks to be added after yours. You don't have to be online during that time.
32 | 7 | 1 | 1258914915 | 32 | 0 | - | xx | 1 | Re: Repost: Request: Make this anonymous? | There will be a proxy setting in version 0.2 so you can connect through TOR. I've done a careful scrub to make sure it doesn't use DNS or do anything that would leak your IP while in proxy mode.
33 | 8 | 1 | 1259172957 | 33 | 0 | - | xx | 1 | Repost: How anonymous are bitcoins? |
--------------------
bitcoinbitcoin:
How anonymous are bitcoins?

Can nodes on the network tell from which and or to which bitcoin address coins are being sent? Do blocks contain a history of where bitcoins have been transferred to and from? Can nodes tell which bitcoin addresses belong to which IP addresses? Is there a command line option to enable the sock proxy the first time that bitcoin starts? What happens if you send bitcoins to an IP address that has multiple clients connected through network address translation (NAT)?
34 | 8 | 1 | 1259173043 | 34 | 0 | - | xx | 1 | Re: Repost: How anonymous are bitcoins? |
> Can nodes on the network tell from which and or to which bitcoin
> address coins are being sent? Do blocks contain a history of where
> bitcoins have been transferred to and from?

Bitcoins are sent to and from bitcoin addresses, which are essentially random numbers with no identifying information.

When you send to an IP address, the transaction is still written to a bitcoin address. The IP address is only used to connect to the recipient's computer to request a fresh bitcoin address, give the transaction directly to the recipient and get a confirmation.

Blocks contain a history of the bitcoin addresses that a coin has been transferred to. If the identities of the people using the bitcoin addresses are not known and each address is used only once, then this information only reveals that some unknown person transferred some amount to someone else.

The possibility to be anonymous or pseudonymous relies on you not revealing any identifying information about yourself in connection with the bitcoin addresses you use. If you post your bitcoin address on the web, then you're associating that address and any transactions with it with the name you posted under. If you posted under a handle that you haven't associated with your real identity, then you're still pseudonymous.

For greater privacy, it's best to use bitcoin addresses only once. You can change addresses as often as you want using Options->Change Your Address. Transfers by IP address automatically use a new bitcoin address each time.

> Can nodes tell which bitcoin addresses belong to which IP addresses?

No.

> Is there a command line option to enable the sock proxy the first
> time that bitcoin starts?

In the next release (version 0.2), the command line to run it through a proxy from the first time is:
bitcoin -proxy=127.0.0.1:9050

The problem for TOR is that the IRC server which Bitcoin uses to initially discover other nodes bans the TOR exit nodes, as all IRC servers do. If you've already connected once before then you're already seeded, but for the first time, you'd need to provide the address of a node as such:
bitcoin -proxy=127.0.0.1:9050 -addnode=<someipaddress>

If someone running a node with a static IP address that can accept incoming connections could post their IP to use for -addnode, that would be great.

> What happens if you send bitcoins to an IP address that has multiple
> clients connected through network address translation (NAT)?

Whichever one you've set your NAT to forward port 8333 to will receive it. If your router can change the port number when it forwards, you could allow more than one client to receive. For instance, if port 8334 forwards to a computer's port 8333, then senders could send to "x.x.x.x:8334"

If your NAT can't translate port numbers, there currently isn't a command line option to change the incoming port that bitcoin binds to, but I'll look into it.
35 | 2 | 3 | 1259173429 | 35 | 0 | - | xx | 1 | Re: Testing the new site platform | Test
36 | 9 | 1 | 1259342242 | 36 | 0 | - | xx | 1 | Repost: Linux/UNIX compile |
--------------------
scott:
Linux/UNIX compile
Posted:Thu 08 of Oct, 2009 (05:49 UTC)

Can we get instructions or modifications to compile and install BitCoin on Linux? A command line version would be great.
37 | 9 | 1 | 1259342829 | 37 | 0 | - | xx | 1 | Re: Repost: Linux/UNIX compile |
The Linux version is on its way. Martti's Linux port was merged into the main code branch and New Liberty Standard has been testing it. It'll be in the next release, version 0.2.

Command line is on the to-do list after 0.2.
38 | 10 | 1 | 1259362119 | 565201 | 1318188782 | theymos | xx | 1 | [OLD THREAD] Bitcoin version 0.2 development status |
We've been working hard on improvements for the next version release. Martti (sirius-m) added some nice features to make it more user friendly and easier to run in the background:
 - Minimize to system tray option
 - Autostart on boot option so you can keep it running in the background automatically
 - New options dialog layout
 - Setup EXE for Windows, in addition to the archive download

I've been working on a number of refinements to the networking code and laying the groundwork for future functionality. Also coming in version 0.2:
 - Multi-processor support for coin generation
 - Proxy support
41 | 12 | 6 | 1260384310 | 41 | 1260385108 | satoshi | xx | 1 | Re: A few suggestions |
Helpful suggestions, thanks.

[quote author=madhatter link=topic=12.msg40#msg40 date=1260336886]
- When the bitcoin software establishes a connection with a peer (client TCP socket) have the client send the handshake string. Right now you have the server (server TCP socket) send the handshake. My reasons for this are anonymity of course. It is far too easy for ISPs to portscan clients and detect they are running this program.
[/quote]
That's a good idea. The side accepting the connection just needs to withhold from sending anything until it receives a valid handshake. Any portscan would only get a dead connection that doesn't volunteer to identify itself.

[quote]
- Use some sort of encryption during the handshake (sort of goes with the statement/request above) to obfuscate what the software is during DPI (deep packet inspection). I am really thinking about people in non-free (as in freedom) countries such as China/Iran.
[/quote]
I have thought about eventually SSLing all the connections. I assume anything short of SSL would be pointless against DPI. Maybe a better more immediate solution is to connect through TOR, which will be possible with 0.2.

[quote]
- Some sort of an API is needed so that this system can be integrated with websites to provide instant-on services. A simple https receipt mechanism would do wonders. Have the client post each incoming payment to an https url with all of the relevant information and provide status updates. Also an outbound payment mechanism would be nice. So one could automate payments (and batch payments) outbound. Status could be returned via the https receipt interface.
[/quote]
That's one of the main things on the agenda after 0.2.

[quote]
- Static port/Random port. Have a setting to randomly assign the port that it runs on. (also be able to set it statically for very restrictive firewalls).
[/quote]
Yeah, the other stealth stuff would be kinda pointless if it's always the same port number.

[quote]
- UPnP support. Have the client automatically create the port forward on upstream routers. Enabled by default. Can be turned off in the options menu.
[/quote]
I'm looking forward to trying UPnP. Do most P2P clients typically have UPnP enabled by default?

[quote]
- Ability to compile a headless (console only) install for *NIX systems. Also have the ability to just run as a network service. Perhaps with a telnet-able port for control (or even a unix socket would be ok).
[/quote]
I'm still thinking about how best to structure the management interface. Maybe command line commands to communicate with the background daemon to query transactions received and initiate sending transfers. That

Are blocks full?
(self.Bitcoin) submitted 6 hours ago * by danster82 360196 2015-06-09 21:52:17 659 0.02363314 BTC 731.46 kB 360195 2015-06-09 21:53:19 1776 0.18508596 BTC 976.41 kB 360194 2015-06-09 21:45:45 875 0.15928106 BTC 731.68 kB 360193 2015-06-09 21:53:16 2123 0.33089012 BTC 731.60 kB 360192 2015-06-09 21:13:04 1379 0.18733037 BTC 731.62 kB 360191 2015-06-09 21:03:25 737 0.15838678 BTC 731.51 kB 360190 2015-06-09 20:58:59 1092 0.32729993 BTC 731.61 kB 360189 2015-06-09 20:46:42 1208 0.17815014 BTC 731.55 kB 360188 2015-06-09 20:38:43 2747 0.51236461 BTC 976.43 kB 360187 2015-06-09 20:01:53 853 0.24938838 BTC 731.64 kB 360186 2015-06-09 19:55:39 749 0.14674868 BTC 731.56 kB 360185 2015-06-09 19:53:45 1721 0.28684495 BTC 731.68 kB 360184 2015-06-09 19:40:04 2035 0.28641087 BTC 731.60 kB 360183 2015-06-09 19:06:36 2118 0.26776094 BTC 731.50 kB 360182 2015-06-09 18:44:16 1957 0.26420190 BTC 731.49 kB 360181 2015-06-09 18:22:35 1933 0.29158244 BTC 877.96 kB 144 comments share all 144 comments sorted by: best ]93jsdksn30ala0 36 points 6 hours ago Yes, however this sort of block fullness is very out of the ordinary. https://blockchain.info/charts/avg-block-size?timespan=60days&showDataPoints=false&daysAverageString=1&show_header=true&scale=0&address= I think someone is filling up the blocks (manipulating the market) to force the decision on the block size increase, and make it more likely/"necessary" right now. permalink save report give gold reply ]Defusion55 16 points 6 hours ago You are correct. permalink save parent report give gold reply ]XL2Milk 7 points 2 hours ago Regardless, if it is that easy.... isnt it a no brainer? permalink save parent report give gold reply ]MineForeman 5 points 5 hours ago Kind of make me think we need higher fees. It should be prohibitively expensive to dick around like this, when blocks get bigger it will only get worse. 
permalink save parent report give gold reply ]Defusion55 6 points 5 hours ago* That is what a lot of people demanding 20MB blocks don't get. The miners get to choose which transactions are accepted on the block. I pay a VERY reasonable fee that is higher then all their stupid pointless transactions and I get accepted into the very next block! Imagine that? But wait... They start to complain that there thousands of pointless near feeless transactions are on a back log and are unconfirmed for hours upon hours.. The real problem is when the fee becomes so high that its no longer reasonable to have to pay that high of a fee for a transaction that should be cheap. Which we are approaching, I am not denying that. But even with back logs we are still days faster than CC's. I don't think we should jump from 1MB to 20MB though I think gradually increasing is less risky. permalink save parent report give gold reply ]i_wolf 10 points 4 hours ago That is what a lot of people demanding 20MB blocks don't get. That is why instead of hard limit miners should set their own fees and soft limits. Keeping a hard limit isn't a solution. I don't think we should jump from 1MB to 20MB though I think gradually increasing is less risky. This is absolutely irrelevant. permalink save parent report give gold reply ]capistor 2 points 3 hours ago I was wondering why miners couldn't set their own limits and let that be the solution. permalink save parent report give gold reply ]Noosterdam 1 point 2 hours ago There was some objection to this, saying that large miners would make huge blocks to try to drive small miners out of business, but the Chinese miners from Discus Fish came in and refuted that. permalink save parent report give gold reply ]capistor 2 points an hour ago What did the chinese say? permalink save parent report give gold reply ]rydan 1 point an hour ago They refused to upgrade to 20MB blocks hence it is a non-issue. 
permalink save parent report give gold reply ]jstolfi 1 point 36 minutes ago Actually, asked by CoinTelegraph or Coindesk, BTC-China and Huobi agreed that an increase would be necessary, only 20 MB is too much. OKCoin tweeted separately agreement with 20 MB. permalink save parent report give gold reply ]b_coin 1 point an hour ago "refute" permalink save parent report give gold reply ]rydan 1 point an hour ago They can set their own limits. But if I can spend 1 ms more to collect a penny I'm going to. The problem with bigger blocks is you can have 20x more transactions before you need to even begin increasing the fees to incentivize miners to pick your transaction over someone else's. This means more work for less pay in the shortrun. It will take an enormous amount of time for us to see them paid fairly. This is especially true now that we have things like bloom filters that speed up the processing. permalink save parent report give gold reply ]xygo -1 points 2 hours ago That would really stop the blockchain spammers ! Yeah !!! permalink save parent report give gold reply ]kostialevin 5 points 5 hours ago Higher fee? Should bitcoin be for rich only? What about the "poor world citizens" that want to start to save their little wealth in bitcoin? Higher fee could be too high for someone.. permalink save parent report give gold reply ]MineForeman 5 points 5 hours ago Higher fee could be too high for someone.. Remember, you can avoid fees altogether by aging your coins 1 day and using an address only once. At the protocol level those kind of transactions are set to high priority. Wallets should by default be doing this for you (but there are quite a few shitty wallets out there). permalink save parent report give gold reply ]cypherdoc2 4 points 3 hours ago you expect ordinary users to figure that out? permalink save parent report give gold reply ]MineForeman 5 points 3 hours ago Na, I expect wallets to be doing it for them. 
permalink save parent report give gold reply ]cypherdoc2 1 point 3 hours ago hmm, you're asking alot. might as well increase the block size. permalink save parent report give gold reply ]MineForeman 5 points 3 hours ago hmm, you're asking alot. Most wallets already do it. might as well increase the block size. Get off your horse! Increasing block size is another issue altogether. permalink save parent report give gold reply ]cypherdoc2 -1 points 3 hours ago Get off your horse! Increasing block size is another issue altogether. how so? the OP is about filled blocks. permalink save parent report give gold reply ]MineForeman 2 points 2 hours ago the OP is about filled blocks. They are filled with spam, someone is dicking with the network. permalink save parent report give gold reply continue this thread ]Noosterdam 1 point 2 hours ago How the hell is a simple wallet solution less preferable? Increase the blocksize, yes, but don't be a dullard about obvious optimizations that don't even require doing anything with the protocol. permalink save parent report give gold reply ]cypherdoc2 1 point an hour ago I don't know. You'd have to ask the 3 dozen or more wallet coders out there how complicated that would be. That's if you could find them all to ask and alert them to the problem. Is it that out of the question to increase block size? Is that really your position now? permalink save parent report give gold reply ]btcee99 1 point an hour ago Aging one day is only (on average) for 1 bitcoin. If you are sending 0.02 bitcoin, for e.g., then you need to age 50 days, because priority is proportional to the input amounts. permalink save parent report give gold reply ]MineForeman 2 points an hour ago Just for reference the equation is;- priority = sum(input_value_in_base_units * input_age)/size_in_bytes So in essence you are correct BUT it is like being chased by a tiger, you don't have to run faster than the tiger you just have to run faster than the other guy. 
Spam transactions like the one that is happening today have a miniscule priority because they are the same coins being transferred over and over again. That is why, even though this spam is going on, normal transactions are just popping through like normal. The normal transactions are higher priority so they win. The system works. However, do we want these transactions at all, shouldn't it be more expensive for someone to use the blockchain against us like this? Blockspace is a premium and sometime in the future it may be critical. permalink save parent report give gold reply ]btcee99 1 point 56 minutes ago That is indeed the equation, however what you've said is not true because priority has to meet a minimum threshold of 57,600,000. If the threshold is not met, the tx won't even be relayed (in Core 0.10), if it doesn't have a fee. That's where the 1-day age figure comes from - and it refers to a 1 BTC transaction. If you are sending less than 1 BTC, then the time needed to reach the threshold is inversely proportional to the amount sent. In practice, the time needed is somewhat less than 1 day (for 1 BTC), due to the fact that the size used in the equation is a modified tx size (which discounts inputs). permalink save parent report give gold reply ]MineForeman 1 point 35 minutes ago Yeah, it is complicated, there are other factors that need to be considered but even if you cannot get into the 'free' category you can still have your transaction higher priority than spam ones. .5 of a MB is still reserved for higher priority transactions so in order to have n kb of spam transactions you must have already n+1 kb of higher. ( n being whatever) permalink save parent report give gold reply ]btcee99 1 point 23 minutes ago No, it is not "complicated", you just need to read the code. Please stop saying factually wrong things such as "priority block size is a consensus rule" - that is not true at all. 
The default priority block size is 50 kB (not sure where you get 0.5 MB from), but miners are free to change it as they like, for convenience it's even a command line option. permalink save parent report give gold reply ]rydan 1 point an hour ago Nothing inherent to bitcoin makes them high priority. At the end of the day the miners decide what to include. Period. permalink save parent report give gold reply ]MineForeman 1 point 49 minutes ago Nothing inherent to bitcoin makes them high priority. The priority equation built into bitcoin makes them high priority, its bu8ilt into bitcoin, is that inherent enough? At the end of the day the miners decide what to include. Period. Not at all true, the first .5 MB of transactions in a block are reserved for high priority transactions. If you break that you are going to break consensus and your blocks are going to be orphaned. permalink save parent report give gold reply ]jstolfi 2 points 26 minutes ago But a rule that depends on the state of the memory pools cannot be part of the protocol. Not everyone will see the same state, and the state will be lost very soon. That means that, by the time the block is mined, the nodes cannot check whether the miner respected the priority rules. permalink save parent report give gold reply ]btcee99 1 point 22 minutes ago the first .5 MB of transactions in a block are reserved for high priority transactions. If you break that you are going to break consensus and your blocks are going to be orphaned. This is utterly false. permalink save parent report give gold reply ]MineForeman 1 point 4 minutes ago This is utterly false. Why do you say that? It is in the code, you can read about it on the wiki. Do you mean that the code does not work in some way? permalink save parent report give gold reply ]waigl -1 points 5 hours ago Remember, you can avoid fees altogether by aging your coins 1 day Only if you have a whole Bitcoin. For smaller amounts, it's longer. 
permalink save parent report give gold reply ]MineForeman 1 point 4 hours ago Only if you have a whole Bitcoin. For smaller amounts, it's longer. No, while smaller amounts are treated with lower priority they are still high priority, the actual equation is;- priority = sum(input_value_in_base_units * input_age)/size_in_bytes 'Whole Bitcoin' don't come into the equation (at the protocol level there is no concept). permalink save parent report give gold reply ]HitMePat 2 points 2 hours ago Thanks for this. Why doesn't fee get included in the priority equation? permalink save parent report give gold reply ]MineForeman 2 points 2 hours ago The idea is that there are two mechanisms to get into a block, the first being the priority. But there are still circumstances when you just have to spend outputs that have a low priority so adding a fee effectively pays a miner to miner it anyway. It is important to note though, high priority transactions have reserved blockspace (fee paying ones don't) so there will always be room for 'free' transactions for us normal people and the spammers just have to suck it and pay. I actually think they should be paying more. permalink save parent report give gold reply ]coinaday 2 points an hour ago* high priority transactions have reserved blockspace Only by custom, if I recall correctly, not required by protocol. But I think it's a good example of people acting against their apparent short-term game theoretic behavior (don't allow priority rather than fee) and in support of the overall network, whether from the inertia of just using the defaults or because of conscious decision. edit: Apparently I don't recall correctly. permalink save parent report give gold reply ]goldcakes 1 point 54 minutes ago No, it is by custom. Many pools modify iit. permalink save parent report give gold reply ]MineForeman 0 points an hour ago Only by custom, if I recall correctly It is actually enforced in the protocol. 
Miners could try to 'game it' but chances are they will break consensus and invalidate their own blocks. It is most definitely not in their interest to do so. permalink save parent report give gold reply continue this thread ]HitMePat 1 point 4 hours ago Why does the unit of 1 whole coin effect it? If you hold 0.5 btc for a month can you expect a transaction to be high priority? permalink save parent report give gold reply ]IronVape 1 point 2 hours ago .5 for one month = 1.0 for 15 days = 3 for 5 days etc. permalink save parent report give gold reply ]Defusion55 2 points 5 hours ago This confuses me. Are you just assuming a higher fee means a fee that is unreasonable for a poor citizen? When you think of higher fee what do you think of? Like $5 or what? Cause I am paying "a higher fee" than the spammers are paying to fill the blocks and i am paying $.03 do you consider that too expensive for the poor? permalink save parent report give gold reply ]kostialevin 7 points 4 hours ago I just want to say that with the higher fees solution, there's the risk to leave someone out of bitcoin because too expensive. permalink save parent report give gold reply ]cypherdoc2 2 points 3 hours ago yes permalink save parent report give gold reply ]xygo 0 points 2 hours ago That's what payment channels are for. You net together several payments and send them all with one fee. permalink save parent report give gold reply ]jmaller 1 point 3 hours ago* Until fees are $35 for a transaction and settle in 3-5 days (bank transfer) or 10-20% for large transactions (WU) I think the poor world citizens would still benefit from bitcoin. Not to mention that anyone who can do math and connect to the internet can use bitcoin as opposed to the required documentation needed to create a bank account. And banking infrastructure. Edit: If you are referring to it for remittances, but I see you mention storing their wealth, not sure why they would care about the fee's if that was their intention. 
JacobBubble, 3 points, 4 hours ago:
We do that by increasing the amount of transactions the network can handle, not the transaction fees. Give us a tps of 4000, cut the fee by ten fold and you'll have a resilient network. Fill that up and the miners will be happy too.

xygo, 2 points, 3 hours ago (edited):
Hmm let's see, a tps of 4000 would imply approximately 1.5GB block size. Which in turn would require 75 TB of data storage per year. At current prices you would need to pay something like $10,000 - $20,000 per year for the privilege of running a full node. I think we need to find another solution.

pointjudith, 3 points, 2 hours ago:
Yeeeeaaah, I'm not mondo stoked about these tps reports, so if you could just go ahead and make up some better numbers that'd be great.

xygo, 2 points, 2 hours ago:
LOL :D

JacobBubble, 3 points, 2 hours ago:
That's if your only solution is a bigger block size. Full nodes won't really be feasible for the average person. Pruned nodes, that just keep a couple of blocks, could become more commonplace instead without reducing security significantly. That's just an example I used to show that the solutions should be to scale up, not shrivel down into oblivion with higher transaction fees, small block sizes, etc.

MineForeman, 4 points, 3 hours ago:
No, increasing the blocksize won't help stop/slow spam (it may make it worse by providing more space). The fee mechanism is designed to catch spam transactions and it is tuned to let 'normal' transactions through while making spam prohibitively expensive. That is what I am saying might need tuning. Repeat: This is not a blocksize issue, it is a spam one.

xygo, 2 points, 3 hours ago:
Exactly.
MineForeman, 5 points, 3 hours ago:
Thanks, everyone is so keen to argue about blocksize at the moment they think everything is about the blocksize. (Apologies to the strawman.)

JacobBubble, 1 point, 2 hours ago:
The issue is high transaction fees. Bitcoin needs to have lower, not higher transaction fees. There's no reason they have to be what they are. The required fees with Bitcoins are NOT market pressures, rather they're somewhat hard coded.

MineForeman, 3 points, 2 hours ago:
I am afraid you just don't understand why fees are there in the first place.

MineForeman, 3 points, 2 hours ago (edited):
Fees are the only mechanism we have for controlling spam. Without them, no matter what the block size, we will have full blocks.

Noosterdam, 0 points, an hour ago:
Tunnel vision. I think we need way bigger blocks, but I'm not blind to the fact that there are way wayyyyy the hell more optimizations that could be done at the present level.

MineForeman, 2 points, an hour ago:
> Tunnel vision.
Indeed, this is not about blocksize, this is about filling blocks with spam.
> I think we need way bigger blocks
A side point, but I tend to agree. Sounds good, but again, block size is not the issue with spam.

JacobBubble, 1 point, 2 hours ago:
The main issue with "Spam" transactions is the issues we're seeing now. People are spamming the network, clogging up blocks. If the network is able to handle 20x more trans., it will be about 20x more expensive to clog the system. The other issue cited with spam transactions is the same as with email. They're annoying. That should be filtered at the wallet level, not the protocol level.
It doesn't affect end users if there are 50,000 transactions that don't affect them.

MineForeman, 1 point, 2 hours ago:
So your solution for email spam would be for everyone to get bigger hard drives? Don't you think we should have a mechanism to prevent (or filter out) the spam?

JacobBubble, 1 point, an hour ago:
What? No. We have spam filtering systems in email. Some wallets already have filtering systems so they don't show tiny "dust" or "spam" transactions in the transactions list. Raising the transaction fee would destroy real world use cases and possibilities for Bitcoins. That's the mechanism we can use. The same one that email uses. All without raising transaction fees.

MineForeman, 1 point, 58 minutes ago:
> Raising the transaction fee would destroy real world use cases and possibilities for Bitcoins.
We don't need to target them.... why on earth would we?
> That's the mechanism we can use.
That is just not seeing the problem; it still would be there.

portabello75, 1 point, an hour ago:
Of course, as a pool operator you have no stake in the game of higher fees..

MineForeman, 1 point, an hour ago:
> Of course, as a pool operator you have no stake in the game of higher fees..
Is this some poorly thought out attempt at character assassination? You know I am not a pool operator, right?

cypherdoc2, 0 points, 3 hours ago:
> It should be prohibitively expensive to dick around like this
what's your evidence this is happening and not ordinary users getting hung up with normal tx's?

MineForeman, 3 points, 3 hours ago:
> what's your evidence this is happening and not ordinary users getting hung up with normal tx's?
I am not saying that; the evidence is that normal transactions are getting through. What I am saying is 'spamming for the fun of it' should be prohibitively expensive.

cypherdoc2, 0 points, 3 hours ago:
ideally yes, the problem being able to identify it. furthermore, who is doing the defining? Lukejr thinks colored coins, factom, and CP are spam from what i understand. i'm sure those guys don't think so. who gets to decide? bottom line is if blocks are getting filled we should be doing something about it, otherwise we are going to lose users, who are what drives the system.

MineForeman, 2 points, 3 hours ago:
> ideally yes the problem being able to identify it.
The default equation at the moment is:
priority = sum(input_value_in_base_units * input_age)/size_in_bytes
> bottom line is if blocks are getting filled we should be doing something about it otherwise we are going to lose users who are what drives the system.
Could not agree more, that is why I am saying we might need to look at making sure that spam is prohibitively expensive (as intended).

cypherdoc2, 1 point, 3 hours ago:
i missed the part about how you were to distinguish btwn spam and cc, factom, and cp.

Noosterdam, 1 point, 2 hours ago:
Let fees increase a bit, is what he's saying.

xygo, 0 points, 3 hours ago:
Yes. And the worst possible solution is to remove the blocksize limit completely or to grow it aggressively as some have suggested.

cypherdoc2, 2 points, 3 hours ago:
b/c the miners and users are incapable of establishing a fee mkt?

xygo, 1 point, 2 hours ago:
Oh sure they can.
Just that somebody might be willing to pump up the fee market to produce such large blocks that it would effectively end decentralisation in bitcoin. Are cheap transactions really more important to you than decentralisation? Do you not care about privacy and unblockable transactions?

cypherdoc2, 3 points, 2 hours ago:
talk me thru that end decentralization logic again. the one you tested.

jrmxrf, 1 point, 3 hours ago:
http://data.bitcoinity.org/bitcoin/blocksize/2y?r=month&t=l
it's getting there slowly

btcdrak, 3 points, an hour ago:
Oh look, an average of 400kb blocks, just like /u/luke-jr said there were...

v4vijayakumar, 1 point, 2 hours ago:
Who's filling blocks? Known pool, or unknown pool? Do they just fill the blocks, or also transmit across the network (found in others' mempools)? Can these transactions be traced to a wallet (set of addresses)? Is coin mixing the main purpose of these filler transactions?

btcdrak, 2 points, an hour ago:
A number of people have been talking about filling the blocks as an experiment, especially filling up the UTXO set. e.g. https://bitcointalk.org/index.php?topic=1075590

v4vijayakumar, 1 point, 52 minutes ago:
Browsed through the posts. Someone is providing 'spamming as a service', but why?

danster82 (OP), 6 points, 6 hours ago:
can't the pools at least adjust their blocksize to 1mb

SatoshisGhost, 6 points, 5 hours ago:
apparently the default is autoset to 750, but yet they don't change it...

xygo, 2 points, 2 hours ago:
The costs for the spammer would increase by 20%. That's not very much help.
rodfeher, 6 points, 6 hours ago:
check out this guy. https://blockchain.info/address/1jFHVUDY1GT4YJtdLhPPWcrusrVTm4zeu

SatoshisGhost, 5 points, 5 hours ago:
he must have forgotten the stress test ended several days ago lol

xygo, 3 points, 2 hours ago:
Could well be this guy: https://bitcointalk.org/index.php?topic=1075590 he seems to think it's a good idea to spam the blockchain.

Defusion55, 10 points, 6 hours ago:
Naturally full? nah. manipulatively full? Yes. Is that a bad thing? not really.

tophernator, 3 points, 4 hours ago:
It's not a bad thing that someone is deliberately spamming the network and bloating the blockchain in an attempt to force their own agenda?

Logical007, 9 points, 4 hours ago:
Not really. Free market at work.

felipelalli, 6 points, 4 hours ago:
Free money to the miners! :) More security to us.

capistor, 3 points, 3 hours ago:
Are those paid spam transactions or free spam transactions?

Noosterdam, 1 point, an hour ago:
It will just force rationality. Most likely an increase in fee structure by the miners. Blocksize will need to increase once there are blocks full of transactions paying a very low but slightly higher fee, and should probably be increased preemptively. Bottom line: both fees and blocksize need to increase, though fees only slightly.

rodfeher, 5 points, 6 hours ago:
fullish

pointjudith, 2 points, 2 hours ago:
burp

rodfeher, 4 points, 6 hours ago:
thank you for paying the miners' electricity bill.
cypherdoc2, 5 points, 2 hours ago:
the more users leave, the richer miners become!

vbenes, 1 point, 6 hours ago:
http://statoshi.info/#/dashboard/file/default.json?panelId=6&fullscreen

nobodybelievesyou, 1 point, 41 minutes ago:
Are blocks empty?
Height   Output value     Size
360231   6,422.05 BTC     437.65kB
360230   25.00 BTC        0.18KB
360229   4,092.81 BTC     185.14kB
360228   15,478.52 BTC    720.99kB
360227   4,202.02 BTC     286kB
360226   25.00 BTC        0.2kB

rabidus_, 1 point, 6 hours ago:
Yep, blocks are full.

brilliantey, -1 points, 5 hours ago:
Poor guy, probably wakes up in the middle of the night with the subj words. Then in the middle of work he logs on to the IRC channel to ping like "Are blocks full?". Be honest with me, "Are blocks full?". Are blocks full? Are blocks fucking full?!?!

HitMePat, 4 points, 5 hours ago:
WHAT'S IN THE BLOCKS?!

_EuroTrash_, 2 points, 3 hours ago:
The blocks are a lie

itisike, 2 points, 57 minutes ago:
But How Can Blocks Be Full If Spam Isn't Real

kigam, 1 point, an hour ago:
Nothing! Absolutely nothing! You so stupid!

jcoinner, 1 point, 3 hours ago:
Where's the beef?

Phrenico, 2 points, 3 hours ago:
Fucking reddit activists.

jwBTC, 5 points, 2 hours ago:
WHAA! 1MB/640K ought to be enough for anybody eh?

Phrenico, 3 points, 2 hours ago:
If I don't think increasing the blocksize by 20x is advisable, it means I want blocks to remain at 1 MB forever? I should get caught up with the straw men you guys tell me I believe.
rydan, -4 points, 4 hours ago:
This is just a targeted attack on bitcoin trying to get us to increase the blocksize to 20MB. The 20MBers are getting really desperate to try to pull this. My advice is to just ignore it and it will go away.

cypherdoc2, 5 points, 2 hours ago:
everyone will go away.

jstolfi, 1 point, 22 minutes ago:
> targeted attack on bitcoin ... The 20MBers are getting really desperate to try to pull this.
It could be seen that way. Or those guys can be seen as heroes, who are spending their money to try to show everybody what would happen if the Blockstream gang is allowed to take bitcoin away from the individual users and turn it into a tool for bankers and big corporations. </trolling>

[+] luke-jr, comment score below threshold (1 child)

(reply, author not captured):
That said, this entire debate has jumped the shark. I think people have way too much free time. Just fire up XT and when/if the various 2.0 schemes are tested and deemed safe they'll have their time in the sun as well.

bitdoggy, 3 points, 19 hours ago:
What's the big deal? 20MB now is the same as 1MB 7 years ago.

BusyBeaverHP, 7 points, 1 day ago (edited):
Mike mentioned that Gavin has the ability to revoke Github push access of the rest of the core developers. If this is true, it's an amazing testament to Gavin's patience in handling the obstructionist refusal to acknowledge any changes to the blocksize limit.

statoshi, 17 points, 1 day ago:
Such a move by Gavin would be considered tyrannical by most of the community and he knows full well that the fallout would not be pretty.

cypherdoc2, 1 point, 1 day ago:
i wonder what would happen if gmax were in that position...
BusyBeaverHP, 6 points, 1 day ago (edited):
GMaxwell thinks he's libertarian, but he's extremely tyrannical by the fact that he thinks his beliefs about what decentralization is should be imposed on others for their own good. An excerpt:
> I believe that a Bitcoin like that would be a failure even if the coins somehow retained high value, because it would be just a reboot of the existing infrastructure, but probably worse-- lacking a design purpose fit for a centralized world, as well as the regulatory history and experience of the traditional systems...
> ...Instead, I believe Bitcoin can be successful as a truly decentralized system which depends on cryptographic proof rather than trust. To get there we have to frankly face the extreme costs of having a decentralized system, and potentially tolerate slower short term adoption...
So Maxwell's got his million dollars from Blockstream's VC rounds, and has leisurely time to mull over theoretical things without running real numbers backing them up, and has no incentive to increase the value of the network in the face of innumerable alt-coins waiting for Bitcoin to fuck up. Just as the construction of the blockchain is a competition, Bitcoin is a zero-sum contestant in the cryptocurrency space. Having less value while there are many competitors who are faster to adopt whatever slow changes you throw their way, plus their own innovation, is asking for death by a thousand cuts. When given a chance to raise Bitcoin's value, never, ever, ever back down, because the moment we do, the Alt-coins and powers-that-be will not waste a moment's time to capitalize on it. Last I checked, wasn't Blockstream funded to improve the cryptographic protocol and not impose ill-researched economic decisions on the entire ecosystem?
If I was running a company and some engineer was spouting some bullshit like holding off our company's growth (hence increased revenue) in the face of competition, I'd fire him on the spot. Last but not least, GMaxwell's shining leadership on display:
> If the Bitcoin community wants to go commit suicide, I'm confident that I can sell most of my bitcoins before most of the public has realized things have gone wrong.

cypherdoc2, 3 points, 1 day ago:
i agree

Adrian-X, 3 points, 23 hours ago:
Nice rant, more need to understand this.

saxon84, 1 point, 12 hours ago:
Maxwell is a ginger terrorist.

[+] lorempsum, comment score below threshold (0 children)
[+] Vibr8gKiwi, comment score below threshold (7 children)

jojva, 6 points, 1 day ago:
Censoring other core devs would be an extremely stupid and ineffective strategy.

Vibr8gKiwi, 4 points, 1 day ago (edited):
It's pretty clear from this that certain devs are more interested in other systems than bitcoin and are actively trying to undermine bitcoin and cause people to leave. These devs should no longer be bitcoin core devs. What does it take to remove them?

BusyBeaverHP, 6 points, 1 day ago:
> What does it take to remove them?
An overwhelming majority vote with our nodes. I've installed XT as a vote that I no longer want the likes of Maxwell to dictate our economic policies by way of obstructionist gridlock.

donbrownmon, 1 point, 12 hours ago:
Sounds like Gavin can remove them. Do it, /u/gavinandresen !

yyyaao, -4 points, 1 day ago:
Yes, Hearn and Andresen want a Paypal 2.0.
110101002, 1 point, 1 day ago:
The same could be said of the other four core developers who can do the same and think the opposite of him.

shesek1, 4 points, 1 day ago:
Doing that would be completely insane. He has no authority to make such a move. It has nothing to do with being patient.

donbrownmon, 2 points, 21 hours ago:
What makes you think he doesn't have the authority to do that?

petertodd (Peter Todd - Bitcoin Expert), 3 points, 1 day ago:
If Gavin did that I wouldn't be at all surprised if github sided with the other half-dozen people with commit access and reversed it.

dooglus, 1 point, 22 hours ago:
If Gavin did that the other developers with commit access would simply switch to working on a different fork of the project. Nobody cares which repository a client was built from. People will either download the real bitcoin client or Gavin's altcoin, depending on which side of the fork they want to be on.

WinkleviBitcoinTrust, 1 point, 1 day ago:
who grants commit access?

rydan, 5 points, 1 day ago:
Not sure what Peter Todd is talking about. Github isn't going to get involved in infighting and politics. The account has access, it removes access from others, that's the end of the story.

tropser, 1 point, 13 hours ago (edited):
Like children playing in a sandbox.. pfff... time to grow up.

ProHashing, 1 point, 5 hours ago:
In the end, such an action would matter little.
By the time you and Andresen finished arguing with each other and Github, Coinbase will have forked the client, implemented its own block size solution, and issued professional press releases explaining why they have offered the solution. People will download it and control of the bitcoin protocol will be permanently shifted away from you to commercial enterprises.
What is not present here is actual code. Developers like to talk, but if there really are ten different competing ideas, then why aren't there ten different forks that people can download and vote on with their nodes? If everyone's solution is superior to all the others, then why isn't it out there being run?
I hope that people understand that there's never going to be a magic consensus formed on this problem. There is no democratic election process in a set of bitcoin bylaws. If nobody releases actual code, then nothing is going to get done. Given the outcry here, the solution is going to come from outside the current developers if nobody takes charge soon.

pizzaface18, -1 points, 1 day ago:
Shady. Nice to see where your head is at.

seb2point0, -1 points, 20 hours ago:
I hope you're not being serious.

awemany, 0 points, 16 hours ago:
He has been patiently arguing for this for years. He made several proposals, and tried to come closer with his blocksize-increase proposal to what the other devs might accept. But all he got was deafening silence and arguments which basically amount to concern trolling.

ProHashing, 1 point, 6 hours ago:
The new thing on reddit is to call everyone who expresses a disagreement a "troll." Sometimes there are people who have genuine disagreements. Those differing viewpoints should be welcomed, not labeled as being made in bad faith.
BlockchainOfFools, 1 point, 1 day ago:
#justsaying #itcouldhappen

danster82, 4 points, 1 day ago:
Are we just waiting for the fun of it then? or can we implement a dynamic increase now please.

anddrade, 3 points, 1 day ago:
I don't understand why Mike and Gavin are talking only about a single 20 MB increase, instead of some hard coded schedule for increasing the cap every so many blocks, kind of like the difficulty adjustments. Any idea why that is?

awemany, 2 points, 16 hours ago:
> I don't understand why Mike and Gavin are talking only about a single 20 MB increase, instead of some hard coded schedule for increasing the cap every so many blocks, kind of like the difficulty adjustments. Any idea why that is?
They did, but to please the other devs they tried to come down with their proposal, to have a smaller, hopefully more agreeable increase. But all they got is vetoing, arguments which amount to concern trolling, and no constructive input at all. You can see this if you google for 'Gavin blocksize increase' (and similar) and look for the different times that he brought this issue up. It is nothing new at all. Gavin has been very reasonable and patient arguing for this for years, but it now looks like Greg and some of the others have become outright obstructionist.

AmIHigh, 0 points, 23 hours ago:
If it's dynamic, it's possible to abuse it by spamming transactions to artificially increase it over time. It might cost a lot of money, and will it actually happen, who knows, but that is a reason to consider a hard cap, until a real solution is decided on, and fully tested.

tropser, 2 points, 1 day ago:
It's almost like now or never...
If nothing happens until blocks are full and the network is clogged we can leave this shit like it is now. There's no reason to do much with it anymore if that's the case.

[+] smartfbrankings, comment score below threshold (0 children)

smartfbrankings, 4 points, 1 day ago:
It's getting more obvious how he's arriving at his conclusions by treating Bitcoin like a website that hits a capacity spike, so I do appreciate that insight!

aminok, 5 points, 1 day ago:
They're both hosted by servers. The Bitcoin network's full nodes act as redundant, synchronized servers of data.

smartfbrankings, 1 point, 1 day ago:
There are certainly similarities. There are also differences. We are all bound by our own biases, so it's natural we go to them. The key is to recognize when we are blinded by them.

Apatomoose, 2 points, 1 day ago:
What are the differences?

smartfbrankings, 0 points, 1 day ago:
The downsides of "reaching capacity" of a hosted website vs. Bitcoin are significantly different, for starters. The behavior as you start reaching capacity is also different. The decentralization aspect is also different. For a centralized service like Google Maps, you only need to consider costs and serving the customer. Decentralization is another angle from which to consider impact, and simply isn't relevant when using the comparison. The competition is also different. If Google Maps goes down, people are going to have several other choices immediately available, and chances are a lot of those people never come back. The market is a lot different as well. Bitcoin is not even at the early adopter phase, and comparing it to mainstream adoption of something like Google Maps has flaws. Super early adopters are far more tolerant of flaws than mainstream adopters.
If they weren't, they wouldn't have jumped through the many hoops to come to Bitcoin in the first place. I'd also rather have the pain now than, let's say, after Bitcoin adoption rates went up 40x. Analogies are great and mindset is great, but you have to realize what parts of them break down and where, and what things you are being blindsided by.

zombiecoiner, 1 point, 1 day ago (edited):
One thing I've noticed in these threads is that votes tend to be more toward 1MB arguments the deeper in the thread tree they get. To me this means people who are spending the most time on this issue (much like most of the core developers) lean toward staying at 1mb for the time being. If you don't really care, it's easy to downvote a few highly visible comments you don't like and move on.

wonkeydoreyy, 8 points, 1 day ago:
That's because the 1MBers constantly have to explain themselves, because the justifications don't add up to being in Bitcoin's best interest.

smartfbrankings, 1 point, 1 day ago:
Yes, always question the motives of anyone who disagrees with you.

zcc0nonA, 2 points, 1 day ago:
I think we've been in different forums. As far as I can tell no one is for keeping the 1 mb block long term. Instead everyone agrees it must be raised, but how to do it in a responsible way is the question. Any static increase, 3, 8, 20, 21mbs, will need to be changed later on, and they are all bad choices. But some feel we are running low on time, so we should push the danger further away and investigate more on a long term solution. Then others want to come up with that long term solution now, so that the number of hard forks in the future is less. This seems like a good option but then the question becomes whether such a system could get adequate testing before launch.
But before we can address that, the aforementioned long term solution must be found. People don't want something that can be manipulated, so it would have to be tied to some other value; the question then is what to peg it to and how. Perhaps a number of metrics, but it would need to be resistant to stalls and surges in the network and usage.

smartfbrankings, 2 points, 1 day ago:
5 minutes in, and Mike's strawman arguments are strong.

marcus_of_augustus, 7 points, 1 day ago:
Mike Hearn has been making shit up ever since he started working in Bitcoin. His whole "when I was emailing satoshi" spiel is exaggeration bordering on lies. Yes he was emailing him, but satoshi hardly ever responded .... it seems to have gotten worse since then.

petertodd (Peter Todd - Bitcoin Expert), 1 point, 1 day ago:
> satoshi hardly ever responded
FWIW there are no publicly available emails from Satoshi to Mike Hearn. There are leaked emails that are publicly available from Mike Hearn to Satoshi however.

marcus_of_augustus, 2 points, 1 day ago:
mmm, so it's on Hearn's word that satoshi ever responded. Seems to have milked a lot of mileage out of some reflected glory of a dubious basis.

Adrian-X, 4 points, 1 day ago:
Care to explain?

smartfbrankings, 3 points, 1 day ago:
"These people think we should never increase it." was the first one. Saw a few others, but basically he constantly misrepresents any opposing argument for his own benefit.

Adrian-X, 6 points, 1 day ago:
Most of us see through that. I didn't even notice that; what I see is the ones who say we should wait are not telling us why. I suspect they are not ready to release their other scaling technology embodied in sidechains.
The most credible wait solution is "if it's a problem we'll fix it". This is not a rush, we are just committing to a proposed change in 9 months, while we find a better solution.

smartfbrankings, 2 points, 1 day ago:
I see that argument and understand it. The failure of many is to think this is a permanent solution and we'll just keep upping the size, much like the debt limit. The counter to that argument is that increasing this and not letting that pain happen now will make greater pain later. What is the incentive to solve a problem when you fear it will be perpetually kicked down the road? A bigger issue is at stake than simply delaying.

BlockchainOfFools, 0 points, 1 day ago:
> Most of us see through that
More and more of this argument is being aimed at VCs and other forms of professional money which does not see the nuances in these issues, is under pressure to allocate funds as fast as possible to get the scoop on competitors, and whose regard for the allocation of said funds focuses on who seems to have the best team and exhibits strong leadership, not whose hair splitting argument is technically superior. That's where all the brinkmanship talk and doomsaying demagoguery in this debate, as well as its close cousin, the "Blockchain without Bitcoin", is creeping in from.

donbrownmon, 2 points, 10 hours ago:
> "These people think we should never increase it." was the first one.
Judge them by their actions, not their words.

smartfbrankings, 3 points, 10 hours ago:
How can we judge them by their potential actions? Why can't Mike just stick to facts like "They have given us no objective criteria as to when they'd consider moving it." That's a fair argument and accurate.
BusyBeaverHP (3 points, 1 day ago):
But that's the truth: there are these people who think we should never increase it, and somehow create an off-chain wormhole to push potential Bitcoiners onto a trusted system. Oh, and you're a Buttcoiner.

smartfbrankings (-1 points, 1 day ago):
> But that's the truth, there are these people who think we should never increase it
Find me such a person. They are certainly in the minority on this one. No one is pushing for a "trusted" system. People are pushing for untrusted semi-centralized services, if anything. Personal attacks are the sign of not having an argument.

i_wolf (4 points, 1 day ago):
> Find me such a person.
Luke-jr

smartfbrankings (1 point, 1 day ago):
Find me a place where he says he'd never advocate raising it.

petertodd [Peter Todd - Bitcoin Expert] (-1 points, 1 day ago):
I'm a much better example than Luke-Jr... and my position is that I expect the science of decentralized blockchains will advance to the point where the notion of a "blocksize limit" doesn't even make any sense anymore. (e.g. my treechains concept has that goal in mind)

i_wolf (3 points, 1 day ago):
Good. Then there's no reason why the limit shouldn't be raised to fulfill growing demand while the science isn't ready yet. Also, if treechains and other offchains are so good that people would eagerly use them instead of the blockchain, then there's no reason for the limit: blocks just will not grow.

shesek1 (3 points, 1 day ago):
> treechains and other offchains
Peter's treechains proposal is not an offchain solution.
https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg04388.html

i_wolf (1 point, 19 hours ago):
Then we can safely raise the limit.

petertodd [Peter Todd - Bitcoin Expert] (-1 points, 1 day ago):
Well, tl;dr: the supermajority of Bitcoin devs, including myself, see raising the limit right now as a last-resort measure with significant downsides.

i_wolf (2 points, 19 hours ago):
The blocks are 40 times larger today than 5 years ago. What significant downsides do you see in this fact that would make reducing the limit to 10kb desirable?

luckdragon69 (-1 points, 1 day ago):
Mike Hearn thinks your supermajority is in the minority LOL.

smartfbrankings (1 point, 1 day ago):
We could also see technological advances where 1MB today is like 1KB of 20 years ago, and no one would think twice about making it 2MB or 20MB. I'm of the opinion we should not take emergency action unless there is an emergency. Hearn thinks that someone not being able to send a nickel for under a penny fee is an emergency, so that's why he's advocating for this so strongly.

marcus_of_augustus (3 points, 1 day ago):
Hearn has vested interests in these business models that rely on bigger blocks:
Lighthouse's 'crowdfunding' is more like tribe-funding because the size of the crowd is limited by the blocksize: https://groups.google.com/forum/#!topic/lighthouse-discuss/J2MHPw5kUBU
BitcoinJ will be better able to compete with the federated server models of Electrum and libbitcoin (currently it is getting smoked), so he becomes more relevant again.
Yep, it is safe to say that Hearn is conflicted when it comes to the blocksize debate. He might become irrelevant if this doesn't happen now and other business models take over.
i_wolf (1 point, 19 hours ago):
Mike Hearn is irrelevant. Blocks can grow due to a rise in demand; if you're implying Lighthouse will be actively used for sending money, then it's good for Bitcoin; that's exactly what Bitcoin was created for.

smartfbrankings (1 point, 12 hours ago):
I don't think it's his vested interests that define this, but his view of what Bitcoin should be influences what kinds of projects he wants to work on. Same thing with the other side.

petertodd [Peter Todd - Bitcoin Expert] (-1 points, 1 day ago):
> We could also see technological advances where 1MB today is like 1KB of 20 years ago, and no one would think twice about making it 2MB or 20MB.
That said, this entire debate has jumped the shark. I think people have way too much free time. Just fire up XT, and when/if the various 2.0 schemes are tested and deemed safe they'll have their time in the sun as well.

bitdoggy (3 points, 19 hours ago):
What's the big deal? 20MB now is the same as 1MB 7 years ago.

BusyBeaverHP (7 points, 1 day ago, edited):
Mike mentioned that Gavin has the ability to revoke GitHub push access of the rest of the core developers. If this is true, it's an amazing testament to Gavin's patience in handling the obstructionist refusal to acknowledge any changes to the blocksize limit.

statoshi (17 points, 1 day ago):
Such a move by Gavin would be considered tyrannical by most of the community, and he knows full well that the fallout would not be pretty.

cypherdoc2 (1 point, 1 day ago):
I wonder what would happen if gmax were in that position...
BusyBeaverHP (6 points, 1 day ago, edited):
GMaxwell thinks he's libertarian, but he's extremely tyrannical by the fact that he thinks his beliefs of what decentralization is should be imposed on others for their own good. An excerpt:
> I believe that a Bitcoin like that would be a failure even if the coins somehow retained high value, because it would be just a reboot of the existing infrastructure, but probably worse-- lacking a design purpose fit for a centralized world, as well as the regulatory history and experience of the traditional systems...
> ...Instead, I believe Bitcoin can be successful as a truly decentralized system which depends on cryptographic proof rather than trust. To get there we have to frankly face the extreme costs of having a decentralized system, and potentially tolerate slower short term adoption...
So Maxwell's got his million dollars from Blockstream's VC rounds, has leisurely time to mull about theoretical things without running real numbers backing them up, and has no incentive to increase the value of the network in the face of innumerable alt-coins waiting for Bitcoin to fuck up. Just as the construction of the blockchain is a competition, Bitcoin is a zero-sum contestant in the cryptocurrency space. Having less value while there are many competitors who are faster to adopt whatever slow changes you throw their way, plus their own innovation, is asking for death by a thousand cuts. When given a chance to raise Bitcoin's value, never, ever, ever back down, because the moment we do, the alt-coins and powers-that-be will not waste a moment's time to capitalize on it. Last I checked, wasn't Blockstream funded to improve the cryptographic protocol and not to impose ill-researched economic decisions on the entire ecosystem?
If I were running a company and some engineer was spouting some bullshit like holding off our company's growth (hence increased revenue) in the face of competition, I'd fire him on the spot. Last but not least, GMaxwell's shining leadership on display:
> If the Bitcoin community wants to go commit suicide, I'm confident that I can sell most of my bitcoins before most of the public has realized things have gone wrong.

cypherdoc2 (3 points, 1 day ago):
I agree.

Adrian-X (3 points, 23 hours ago):
Nice rant; more need to understand this.

saxon84 (1 point, 12 hours ago):
Maxwell is a ginger terrorist.

jojva (6 points, 1 day ago):
Censoring other core devs would be an extremely stupid and ineffective strategy.

Vibr8gKiwi (4 points, 1 day ago, edited):
It's pretty clear from this that certain devs are more interested in other systems than bitcoin and are actively trying to undermine bitcoin and cause people to leave. These devs should no longer be bitcoin core devs. What does it take to remove them?

BusyBeaverHP (6 points, 1 day ago):
> What does it take to remove them?
An overwhelming majority vote with our nodes. I've installed XT as a vote that I no longer want the likes of Maxwell to dictate our economic policies by way of obstructionist gridlock.

donbrownmon (1 point, 12 hours ago):
Sounds like Gavin can remove them. Do it, /u/gavinandresen!

yyyaao (-4 points, 1 day ago):
Yes, Hearn and Andresen want a Paypal 2.0.
110101002 (1 point, 1 day ago):
The same could be said of the other four core developers who can do the same and think the opposite of him.

shesek1 (4 points, 1 day ago):
Doing that would be completely insane. He has no authority to make such a move. It has nothing to do with being patient.

donbrownmon (2 points, 21 hours ago):
What makes you think he doesn't have the authority to do that?

petertodd [Peter Todd - Bitcoin Expert] (3 points, 1 day ago):
If Gavin did that, I wouldn't be at all surprised if GitHub sided with the other half-dozen people with commit access and reversed it.

dooglus (1 point, 22 hours ago):
If Gavin did that, the other developers with commit access would simply switch to working on a different fork of the project. Nobody cares which repository a client was built from. People will either download the real bitcoin client or Gavin's altcoin, depending on which side of the fork they want to be on.

WinkleviBitcoinTrust (1 point, 1 day ago):
Who grants commit access?

rydan (5 points, 1 day ago):
Not sure what Peter Todd is talking about. GitHub isn't going to get involved in infighting and politics. The account has access, it removes access from others, that's the end of the story.

tropser (1 point, 13 hours ago, edited):
Like children playing in a sandbox... pfff... time to grow up.

ProHashing (1 point, 5 hours ago):
In the end, such an action would matter little.
By the time you and Andresen finished arguing with each other and GitHub, Coinbase will have forked the client, implemented its own block size solution, and issued professional press releases explaining why they have offered the solution. People will download it, and control of the bitcoin protocol will be permanently shifted away from you to commercial enterprises.
What is not present here is actual code. Developers like to talk, but if there really are ten different competing ideas, then why aren't there ten different forks that people can download and vote with their nodes? If everyone's solution is superior to all the others, then why isn't it out there being run?
I hope that people understand that there's never going to be a magic consensus formed on this problem. There is no democratic election process in a set of bitcoin bylaws. If nobody releases actual code, then nothing is going to get done. Given the outcry here, the solution is going to come from outside the current developers if nobody takes charge soon.

pizzaface18 (-1 points, 1 day ago):
Shady. Nice to see where your head is at.

seb2point0 (-1 points, 20 hours ago):
I hope you're not being serious.

awemany (0 points, 16 hours ago):
He has been patiently arguing for this for years. He made several proposals, and tried to come closer with his blocksize-increase proposal to what the other devs might accept. But all he got was deafening silence and arguments which basically amount to concern trolling.

ProHashing (1 point, 6 hours ago):
The new thing on reddit is to call everyone who expresses a disagreement a "troll". Sometimes there are people who have genuine disagreements. Those differing viewpoints should be welcomed, not labeled as being made in bad faith.
BlockchainOfFools (1 point, 1 day ago):
#justsaying #itcouldhappen

danster82 (4 points, 1 day ago):
Are we just waiting for the fun of it, then? Or can we implement a dynamic increase now, please?

anddrade (3 points, 1 day ago):
I don't understand why Mike and Gavin are talking only about a single 20 MB increase, instead of some hard-coded schedule for increasing the cap every so many blocks, kind of like the difficulty adjustments. Any idea why that is?

awemany (2 points, 16 hours ago):
> I don't understand why Mike and Gavin are talking only about a single 20 MB increase, instead of some hard-coded schedule for increasing the cap every so many blocks, kind of like the difficulty adjustments. Any idea why that is?
They did, but to please the other devs they tried to come down with their proposal, to have a smaller, hopefully more agreeable increase. But all they got is vetoing, arguments which amount to concern trolling, and no constructive input at all. You can see this if you google for 'Gavin blocksize increase' (and similar) and look for the different times that he brought this issue up. It is nothing new at all. Gavin has been very reasonable and patient arguing for this for years, but it now looks like Greg and some of the others have become outright obstructionist.

AmIHigh (0 points, 23 hours ago):
If it's dynamic, it's possible to abuse it by spamming transactions to artificially increase it over time. It might cost a lot of money, and whether it will actually happen who knows, but that is a reason to consider a hard cap until a real solution is decided on and fully tested.

tropser (2 points, 1 day ago):
It's almost like now or never...
If nothing happens until blocks are full and the network is clogged, we can leave this shit like it is now. There's no reason to do much with it anymore if that's the case.

smartfbrankings (4 points, 1 day ago):
It's getting more obvious how he's arriving at his conclusions by treating Bitcoin like a website that hits a capacity spike, so I do appreciate that insight!

aminok (5 points, 1 day ago):
They're both hosted by servers. The Bitcoin network's full nodes act as redundant, synchronized servers of data.

smartfbrankings (1 point, 1 day ago):
There are certainly similarities. There are also differences. We are all bound by our own biases, so it's natural we go to them. The key is to recognize when we are blinded by them.

Apatomoose (2 points, 1 day ago):
What are the differences?

smartfbrankings (0 points, 1 day ago):
The downsides of "reaching capacity" for a hosted website vs. Bitcoin are significantly different, for starters. The behavior as you start reaching capacity is also different. The decentralization aspect is also different. For a centralized service like Google Maps, you only need to consider costs and serving the customer. Decentralization is another angle to consider for impact, and simply isn't relevant when using the comparison. The competition is also different. If Google Maps goes down, people are going to have several other choices immediately available, and chances are a lot of those people never come back. The market is a lot different as well. Bitcoin is not even at the early adopter phase, and comparing it to mainstream adoption of something like Google Maps has flaws. Super early adopters are far more tolerant of flaws than mainstream adopters.
If they weren't, they wouldn't have jumped through the many hoops to come to Bitcoin in the first place. I'd also rather have the pain now than, let's say, after Bitcoin adoption rates have gone up 40x. Analogies are great and mindset is great, but you have to realize what parts of them break down and where, and what things you are being blindsided by.

zombiecoiner (1 point, 1 day ago, edited):
One thing I've noticed in these threads is that votes tend to lean more toward 1MB arguments the deeper in the thread tree they get. To me this means people who are spending the most time on this issue (much like most of the core developers) lean toward staying at 1MB for the time being. If you don't really care, it's easy to downvote a few highly visible comments you don't like and move on.

wonkeydoreyy (8 points, 1 day ago):
That's because the 1MBers constantly have to explain themselves, because the justifications don't add up to being in Bitcoin's best interest.

smartfbrankings (1 point, 1 day ago):
Yes, always question the motives of anyone who disagrees with you.

zcc0nonA (2 points, 1 day ago):
I think we've been in different forums. As far as I can tell no one is for keeping the 1MB block long term. Instead everyone agrees it must be raised, but how to do it in a responsible way is the question. Any static increase, 3, 8, 20, 21MB, will need to be changed later on and is a bad choice. But some feel we are running low on time, so we should push the danger further away and investigate a long-term solution more. Then others want to come up with that long-term solution now, so that the number of hard forks in the future is smaller. This seems like a good option, but then the question becomes whether such a system could get adequate testing before launch.
petertodd [Peter Todd - Bitcoin Expert] (-1 points, 1 day ago):
> We could also see technological advances where 1MB today is like 1KB of 20 years ago, and no one would think twice about making it 2MB or 20MB.
Indeed we may! Once those technological advances have happened and have been shown to work, coming to consensus to raise the blocksize appropriately probably won't be hard; until then, without those technological advances, raising the blocksize significantly reduces the security margin of the Bitcoin system.
> Hearn thinks that someone not being able to send a nickel for under a penny fee is an emergency, so that's why he's advocating for this so strongly.
Indeed - I and many others simply don't agree with him.

i_wolf (1 point, 19 hours ago):
> without those technological advances raising the blocksize significantly reduces the security margin of the Bitcoin system.
Raising the limit doesn't raise the block size; blocks grow due to the growth in demand. Skyrocketing demand for transactions implies security is sufficient in the eyes of the market. Higher adoption brings more decentralization and security. Bitcoin is much more secure now than 5 years ago with 1kb blocks. Rejecting the demand cripples Bitcoin's utility and value, prevents further decentralization, and endangers its growth when it's needed the most.
platypii (0 points, 1 day ago):
He supports scaling transactions through payment channels, which are trustless.

aminok (3 points, 1 day ago, edited):
...and also unproven as full substitutes for on-chain txs, and they also need a higher block size limit even if they work perfectly.

Throwahoymatie (2 points, 1 day ago):
Whatever shall we do?

Adrian-X (12 points, 1 day ago):
Run an XT node?

Apatomoose (2 points, 1 day ago):
If anything is going to get done, we need strong leadership with a coherent plan. Gavin and Mike have that. I'm not seeing it from the other side.

VanquishAudio (1 point, 1 day ago):
What would happen if we increased the block size while the network was super congested? Would that fix the delay for all new transactions? Do we have to wait for every big miner to agree to one update before everyone starts updating their Bitcoin client? What would happen if only a fraction of Bitcoin nodes updated their software? I'm not too technically proficient in Bitcoin, so excuse me for poor terminology!

Apatomoose (2 points, 1 day ago):
Most of the miners have to upgrade to the new version before the change takes effect, or the blockchain will split in two.

VanquishAudio (1 point, 1 day ago):
I've heard that, so what does that imply? Can 2 coexist?

Apatomoose (2 points, 1 day ago):
A split would be a very bad thing. It would cause a lot of uncertainty about which side will win out. It also causes compatibility issues. If a customer is running on one fork and a merchant is running on another, then the customer can't pay the merchant. A divided network isn't as strong as a unified one.
The way a split is avoided is that each miner includes the number of the version they are running in each block header. A change doesn't go into effect until a minimum number of the last X blocks, 800 out of the last 1000 for example, have the version for that change. That way a change doesn't happen until everyone is on board. But getting everyone on board can take time.

livinincalifornia (1 point, 1 day ago):
Raise the block limit dynamically through a system based algorithmically on availability of resources and transactions per second.

usrn (1 point, 23 hours ago):
Shouldn't that be a next step? Bitcoin is still small and we have plenty of time for experimenting. Also, personally I couldn't care less about Chinese miners and volume-inflating, fractional-reserve-playing shady Chinese exchanges.

ganesha1024 (1 point, 8 hours ago):
To grease the wheels of consensus, we need to create honourable ways for the opposition to change their mind. If consensus can only come from a very public figure of the community tucking tail and supplicating, it probably won't happen. If instead they can save face and continue to be well respected while changing their minds, then we have a chance at consensus. So basically we need to have a culture in which people can admit they were wrong without getting humiliated. Just something to think about.

bcn1075 (0 points, 1 day ago):
I didn't realize how divided the bitcoin core devs were until listening to this. Bitcoin is starting to look like a startup with a leadership team (core devs) that is unable to execute because of infighting and misalignment.

thieflar (10 points, 1 day ago):
First time you've ever closely inspected a large open source project's development, eh?
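Apatomoose's description of miner version signalling above, made concrete as an added example. This is example code written for this page; it is not code from the thread, from Bitcoin XT or from Bitcoin Core. It models the rule as described: a new rule only applies once at least a threshold of the previous `window` blocks carry the new version number. The 750-of-1000 (start enforcing) and 950-of-1000 (start rejecting old-version blocks) thresholds are the ones the BIP 34, 65 and 66 deployments used, and the comment's 800-of-1000 was a stand-in; the block-version history in `sample_chain()` is constructed for illustration and the function names are this example's own.

```python
"""Supermajority activation over a sliding window of block versions.

Example code written for this page; it is not code from the thread, from
Bitcoin Core or from Bitcoin XT.  Miners put a version number in each block
header, and a rule tied to a new version number only takes effect once at
least THRESHOLD of the previous WINDOW blocks carry that version.  The
750/950-of-1000 thresholds are the BIP 34/65/66 ones; the block-version
history in sample_chain() is constructed for illustration.
"""
from collections import deque
from typing import List, Optional, Sequence, Tuple

WINDOW = 1000   # how many ancestor blocks are counted
ENFORCE = 750   # from here on, new-version blocks must follow the new rule
REJECT = 950    # from here on, blocks still carrying the old version are rejected


def count_new_version(prev_versions: Sequence[int], new_version: int) -> int:
    """Number of blocks in prev_versions whose version is at or above new_version."""
    return sum(1 for v in prev_versions if v >= new_version)


def validate_block(block_version: int, prev_versions: Sequence[int], new_version: int,
                   window: int = WINDOW, enforce: int = ENFORCE,
                   reject: int = REJECT) -> Tuple[bool, bool]:
    """Decide how a block is treated given the versions of the blocks before it.

    Returns (accepted, rule_enforced):
      accepted       False when the block still carries the old version after
                     the rejection threshold has been reached
      rule_enforced  True when the new consensus rule must be applied to it
    """
    recent = prev_versions[-window:]            # only the last `window` ancestors count
    n = count_new_version(recent, new_version)
    if block_version < new_version and n >= reject:
        return False, False
    return True, (block_version >= new_version and n >= enforce)


def first_height_reaching(versions: Sequence[int], new_version: int, threshold: int,
                          window: int = WINDOW) -> Optional[int]:
    """Height of the first block whose previous `window` ancestors meet `threshold`.

    Keeps a running count over a sliding window, so a chain of n blocks is
    scanned in O(n) rather than O(n * window).  Returns None if the chain
    never gets there.
    """
    recent: deque = deque(maxlen=window)
    n = 0
    for height, v in enumerate(versions):
        # `recent`/`n` describe the ancestors of `height`; check before adding it
        if n >= threshold:
            return height
        if len(recent) == window and recent[0] >= new_version:
            n -= 1                               # the block about to leave the window
        recent.append(v)
        if v >= new_version:
            n += 1
    return len(versions) if n >= threshold else None


def sample_chain() -> List[int]:
    """Constructed version history: 400 blocks at v2, then 600 blocks in which
    8 of every 10 miners have upgraded to v3, then 800 blocks all at v3."""
    return [2] * 400 + [3 if i % 10 < 8 else 2 for i in range(600)] + [3] * 800


if __name__ == "__main__":
    chain = sample_chain()
    h_enforce = first_height_reaching(chain, 3, ENFORCE)
    h_reject = first_height_reaching(chain, 3, REJECT)
    print("new rule enforced from height", h_enforce)               # 1270
    print("old-version blocks rejected from height", h_reject)      # 1750
    print(validate_block(3, chain[:h_enforce], 3))   # (True, True)
    print(validate_block(2, chain[:h_enforce], 3))   # (True, False): old version still tolerated
    print(validate_block(2, chain[:h_reject], 3))    # (False, False): old version now rejected
```

Two caveats a practitioner would want. First, the count is taken over a block's ancestors, so a node checks the `window` blocks before the one it is validating, never the block itself. Second, signalling only tells you when miners will start enforcing a rule. For a soft fork such as BIP 34, old nodes still accept the new blocks, so a supermajority of hashpower is enough to keep a single chain. A block size increase is a hard fork: a non-upgraded full node rejects a larger block no matter what the version field says, so signalling can coordinate the timing of the change but cannot by itself prevent the split Apatomoose describes if a meaningful share of nodes never upgrades.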
kvnn (4 points, 1 day ago): You are paying attention to the wrong things. Look at the release log. This "debate" is certainly distracting, but it's not halting development by any means.
[michelebtc: comment score below threshold, 12 children not shown]
yyyaao (-3 points, 1 day ago): Mike is even less trustworthy than Gavin when it comes to preserving Bitcoin's foundation of value: decentralization. Those who want another PayPal can use the Hearndresen-fork; I'll stay with Bitcoin.
i_wolf (1 point, 18 hours ago): Bitcoin is far more decentralized today with 400 kB blocks than it was with 10 kB blocks. Decentralization is a function of adoption. Limiting adoption limits decentralization.
[PhiMinD: comment score below threshold*, 1 child not shown]
ProHashing (0 points, 11 hours ago): This headline makes it seem as if the debate is between retaining the existing block size and increasing it. While there are some people in favor of retaining the existing size, it's not accurate to say that the debate is primarily about that issue. Most people support an increase but cannot agree on the size of the increase or its parameters. It's important to keep a balanced view of this topic.
smartfbrankings (1 point, 10 hours ago): No, this is not an accurate assessment.
ProHashing (1 point, 10 hours ago): Since there are no concrete numbers, we'll have to agree to disagree. It may be true that the developers are more likely to support keeping the block size small, but in these posts it's difficult to find users who agree with that sentiment.
smartfbrankings (1 point, 9 hours ago): The idea that core developers should be excluded from the debate is completely wrong.
donbrownmon (1 point, 10 hours ago):
> Most people support an increase but cannot agree on the size of the increase or its parameters. It's important to keep a balanced view of this topic.
The other devs 'can't agree' because they're not interested in coming to agreement. They want to push Blockstream's technologies and make money consulting on those.
[deleted: 3 children not shown]

Thread: Gavin Andresen: "A lot of people are pushing me to be more of a dictator (like Mike) ... that may be what has to happen with the block size. I may just have to throw my weight around and say this is what it's going to be. If you don't like it, find another project." (youtube.com), submitted 1 day ago by lorempsum, 350 comments, sorted by best
BluSyn (39 points, 1 day ago): I would certainly prefer this not to happen. However, at some point somebody has to actually do something. Preferably before it's too late. If Gavin is the only one willing to actually make a decision, then so be it. I would prefer to have broader agreement across the core devs. This seems very unlikely currently.
clone4501 (14 points, 1 day ago): Core developers are not the only Bitcoin stakeholders. Consensus as applied to Bitcoin is a vague term. A better word is needed because the community is too large to reach a consensus on just about anything.
pluribusblanks (-3 points, 16 hours ago): Consensus is not a vague term at all. Consensus is greater than 50% of the fully validating nodes. If greater than 50% of the nodes adopt the change, the change happens. If they do not, the change does not happen. Gavin cannot dictate anything. Even if he commits the change to Bitcoin Core on GitHub, he cannot force node operators to upgrade. If the majority of node operators do not upgrade, the network remains exactly as it is today.
MarshallBanana (9 points, 13 hours ago):
> Consensus is not a vague term at all. Consensus is greater than 50% of the fully validating nodes. If greater than 50% of the nodes adopt the change, the change happens. If they do not, the change does not happen.
That's not remotely what "consensus" means, nor is it how Bitcoin works.
awemany (1 point, 9 hours ago): Consensus is 50% of the mining power. That's rule zero.
aminok (10 points, 1 day ago*):
> This seems very unlikely currently.
Well, gmaxwell put forth some possible approaches to doing the hard fork, and if he takes it further and makes a specific proposal, there could be a major shift in the core dev stance. Pieter has always seemed to be quite open-minded about how to define decentralization, and by extension, the optimal block size limit.
BluSyn (5 points, 22 hours ago): Agreed. Pieter seems pretty reasonable, and I've discussed this with him in person. We disagree on some details, but I think he's interested in finding a good balance. Everything so far is pretty theoretical. I do hope maxwell or someone will actually put in an official BIP that can be directly discussed, rather than many wildly different counter proposals.
rydan (3 points, 19 hours ago): They all made decisions. You and Gavin just don't like them. But don't kid yourself and say they made none.
viajero_loco (4 points, 9 hours ago*): That would be a very dangerous thing to do. I really don't get why /u/gavinandresen is pulling this discussion onto a public stage, instead of keeping it on a technical level, where it belongs?! Why, for example, are /u/nullc's and others' concerns not being addressed? Right.
> The most important thing is to first understand and accept that there is a fundamental trade-off between the cost of verifying the network and its decentralization. I would be much much more gung-ho about increases to block size if they were modest and not being proposed against super-massive consolidation in node operations and mining that we've seen since 2011; and if they were accompanied by the controls that would avoid completely undermining the long term security model of Bitcoin.
http://www.reddit.com/r/Bitcoin/comments/394k1t/petertoddbtc_gregory_maxwells_confidental/cs0g85v
I mean, pretty much all the other developers besides Mike are opposed to his proposal. And now Gavin is using the /r/bitcoin torch and pitchfork crowd to back him up. That strategy is fucking ridiculous and might very well be the end of Bitcoin in the long run! This decision has to be made by ppl with the actual technical knowledge and by seriously considering the different tradeoffs, not by /r/bitcoin!!!
btcdrak (8 points, 8 hours ago*): Preach it, brother. It's interesting, as the dust settles, more and more people are seeing the weird politics that Gavin/Mike have been playing, and more people are seeing there are valid concerns from practically every other technical peer. To be disregarding so many technically competent people is foolhardy and arrogant. The hard-forking coup is sure to fail spectacularly though: no-one is going to seriously risk their business by trying to force consensus. The only people claiming victory are people with nothing to lose. Go long on popcorn, because this might be the best way for the bad apples to fork themselves out of relevance. I might point out that Gavin did force the issue once before with P2SH (BIP16). He rushed it with sky-is-falling urgency. No-one used it for 2 years, then when it was finally used in the wild we found serious issues and limitations with it (all too late).
BIP17, the counter proposal, was not just better but light years better.
john_doe_1337 (1 point, 9 hours ago): I can't agree more, brother. The prima donna has gone too far. He labeled good developers 'poisonous' in the past; he is throwing 'his weight' here and there. The emperor of the dust.
Bitcoin_Error_Log (1 point, 8 hours ago): Gavin has been compromised and we don't need him anyway.
VP_Marketing_Bitcoin (12 points, 1 day ago): Then do it already.
muchwaoo (12 points, 14 hours ago): Fine. Just do it Gavin :)
[deleted (18 hours ago*): deleted]
awemany (2 points, 9 hours ago):
> Please let Bitcoin prosper AS IT WAS DESIGNED.
Exactly. And as it was designed and proposed by Satoshi himself. And this guy predicted the current messy situation as far back as 2010.
clone4501 (38 points, 1 day ago*): No one can fault Gavin for trying to reach consensus. He worked hard at it and for a long time. Let's face it, with such a large, diversified, and dispersed community, consensus is virtually impossible. The most anyone can hope for is to have enough of the major players and community leaders on board to compel the rest of the community to comply, and a majority is then achieved.
oakpacific (4 points, 12 hours ago):
> with such a large, diversified, and dispersed community consensus is virtually impossible.
Funny thing, that's exactly what Bitcoin was built to solve.
laisee (14 points, 23 hours ago): Blockstream is blocking, for commercial reasons. Likewise, other naysayers have agendas which they will not openly discuss.
Adrian-X (18 points, 21 hours ago): I have an agenda; I'll disclose it for you.
I want to see the Bitcoin network grow and benefit society. I don't want other blockchains (sidechains) with rules like PoS or inflation coin to leverage off the Bitcoin network. We are not the economic majority; the network the economic majority use will be the one. I'm invested in making that Bitcoin. The economic majority believe in fairy tale economics and inflation. I don't want to see Adam Black's vision of government-sponsored sidechains with all the Keynesian economics fluff siphon off value from Bitcoin; I want it to fail in its own right. I've asked 3 of the Blockstream developers to conduct an economic impact peer review study and all three said no way. Not one is prepared to invest a fraction of their $21M to challenge the negative side effect sidechains will have on Bitcoin.
b_coin (0 points, 18 hours ago):
> Not one is prepared to invest a fraction of their $21M to challenge the negative side effect sidechains will have on bitcoin.
You should read this last sentence again and think about the potential negative side effects for Blockstream. Suddenly you will realize free market forces don't move in the same direction as logic...
awemany (1 point, 9 hours ago):
> He worked hard at it and for a long time.
For years, one might add. And, simply put, he wants to keep Bitcoin true to its original vision, that was also proposed by Satoshi. A Bitcoin that is able to scale to very high transaction rates!
Bitcoin_Error_Log (1 point, 8 hours ago): That's why Bitcoin is awesome, and why decentralization is a design choice of safety and security, not speed and convenience.
[lorempsum (OP): comment score below threshold, 2 children not shown]
KevinBombino (15 points, 22 hours ago): Action is better than inaction. If it sucks, we can always change it back. I'm with you Gavin.
Vibr8gKiwi (9 points, 16 hours ago): They already have found another project. You're just letting them control Bitcoin to help that other project. Stop talking and just do it.
everydaymotherfucker (10 points, 17 hours ago): Just do it and get it over with.
DanSantos (4 points, 1 day ago): Can anyone give me a basic run-down of the debate? I'm a little lost.
treebeardd (6 points, 1 day ago): The question: Should we expand block size from 1 MB?
Pro-increase: More transactions possible per block/per second.
Con-increase: More "low-value" transactions sitting in the blockchain, forever.
eragmus (11 points, 1 day ago*): Actual argument...
Pro increase: There is a crisis emerging and we need to act now with a forceful 20x increase to avoid hitting the transaction/second limit! We can worry about the impact on running nodes (keeping the network decentralized) later.
Con increase: There is no crisis; let's remember that nodes have been declining, and that nodes will be under further pressure and harder to run if blocks increase 20x. Let's increase it less, and give more time for true scalability solutions to emerge, and time for internet bandwidth to increase so that increasing block size does not make nodes more difficult to run. If it turns out the network is under more pressure with transactions increasing quickly, we can form consensus quickly to raise the block size to deal with it. But, let's not rush into hasty decisions now itself.
Also, comment by 'GreenAddress', which is technically a very sophisticated wallet provider: "GreenAddress is against immediately increasing the block size with disregard to centralization issues, especially without consensus.
We don't think one megabyte is a magic number or the final answer, but increasing to 20 megabytes today doesn't make the blockchain scale on its own; you still need the likes of lightning network, payment channels and, who knows, maybe sidechains or treechains. In our mind increasing the block size like this is just pushing the problem a little further at potentially unfixable costs."
fwaggle (12 points, 1 day ago): That's not really a genuine reflection though, because miners and node operators will still be free to specify a 1 MB block limit for the foreseeable future via a configuration option on their clients. The issue is that if we do hit that limit and it turns out to be a problem, it's a lot easier to convince 51% of miners to enable the option for large blocks than it is to hurriedly push out a patch, test it, and encourage every single node to upgrade when it does become an issue.
dooglus (-3 points, 22 hours ago):
> miners and node operators will still be free to specify a 1MB block limit for the foreseeable future
Miners will still be allowed to mine small blocks, sure, but miners and node operators will need to download and validate up to 20 MB of junk transactions every 10 minutes. You can't opt out of that spam without opting out of being a full node. Full 20 MB blocks would make it impossible for some to continue to run a full node. And the whole "20MB is just the limit" argument doesn't work. If an attacker wants to, he can easily create enough junk transactions to fill 20 MB blocks at relatively little cost.
seweso (6 points, 17 hours ago): What attacker can spam the blockchain AND guarantee that it's actually mined? A 20 MB cap doesn't mean all blocks will suddenly be 20 MB, that's insanity.
i_wolf (5 points, 16 hours ago):
> miners and node operators will need to download and validate up to 20MB of junk transactions every 10 minutes.
The evidence rejects your theory. Nobody needs to download 1 MB of junk transactions every 10 minutes just because the limit is 1 MB. Can we stop fantasizing and stick to reality already? I'm tired of hearing such arguments over and over again.
persimmontokyo (4 points, 13 hours ago): Remember Dooglus abandoned Bitcoin to promote Clams.
i_wolf (2 points, 13 hours ago): I hope they make a 1 KB limit, for true decentralization.
ncsakira (2 points, 15 hours ago): Well, they are miners; if they do not want to process transactions they may as well move to other coins where there are almost no TXs.
eragmus (0 points, 23 hours ago): Hmm, you make good points, and I'm not sure what the counter-argument is against modification of the miner soft block size limit, or if there even is one. But, I'll disagree over this point:
> it's a lot easier to convince 51% of miners to enable the option for large blocks than it is to hurriedly push out a patch, test it, and encourage every single node to upgrade when it does become an issue.
The argument made is that the patch can be created and tested beforehand (now). Further, the 'communication' aspect needed to communicate with all parties (nodes, miners, large companies, etc.) would also be done now itself. The 'emergency patch' would then be ready for quick implementation, if and when the time came.
i_wolf (7 points, 15 hours ago):
> There is a crisis emerging and we need to act now with a forceful 20x increase to avoid hitting the transaction/second limit! We can worry about the impact on running nodes (keeping the network decentralized) later.
There's no forceful increase. Increasing the limit will not make blocks bigger. The 1 MB limit has been in place for the last 5 years; it didn't affect any running nodes at all. The increase is planned for 2016, not now. Decentralization comes from adoption; adoption comes from usage, not from limits.
> There is no crisis, let's remember that nodes have been declining, and that nodes will be under further pressure and harder to run if blocks increase 20x.
The nodes declining has nothing to do with the block limit. Increasing the limit will not suddenly make all blocks 20 MB. If there's no crisis, then it's safe to upgrade now. Advocating for a hard fork during a crisis is literally asking for a crisis, and much more dangerous than today when it's calm. The actual number of running full nodes doesn't reflect decentralization, by the way. Many people can run full nodes but don't see it as necessary, because Bitcoin is perfectly safe at the moment. What you suggest is to forcefully "decentralize" Bitcoin without actual reason by crippling its utility, which will prevent actual decentralization.
> Let's increase it less, and give more time for true scalability solutions to emerge,
Raising the limit exactly gives more time for other solutions. It's also the first necessary and unavoidable step for all other solutions.
> and time for internet bandwidth to increase so that increasing block size does not make nodes more difficult to run.
Increasing the limit doesn't affect bandwidth requirements. But rejecting the demand for transactions reduces the number of new nodes and miners that would appear due to a spike in adoption and price.
> If it turns out the network is under more pressure with transactions increasing quickly, we can form consensus quickly to raise the block size to deal with it. But, let's not rush into hasty decisions now itself.
"If it turns out", really? If it turns out that blocks will never ever grow up to 1 MB, then we can consider it dead already.
If we don't anticipate growth in demand, then everything is useless. But if we do, then postponing the hard fork to the times of crisis doesn't make any sense.
Noosterdam (2 points, 22 hours ago): Sounds like GreenAddress just read one recent particular comment of Greg Maxwell's here and parroted it :/
ThePenultimateOne (2 points, 1 day ago): Two clarifications, if I may. 1) The pro side doesn't say the impact on nodes will be fixed later; they say that the impact won't be immediate and there are already some scaling solutions (though not enough to get 20x more efficient). 2) Many in the con side do not support an increase at all. I would say that the quiet majority support a smaller increase, but you would be remiss to not include this third camp.
eragmus (1 point, 1 day ago): Agreed with the clarifications. Regarding 2), I'll add that those who say "no increase at all" or "decrease the block size" are just as extremist as the "raise the block size 20x" folks. I'm advocating a sensible middle ground that represents a real compromise between the two camps, and thereby takes into account the legitimate concerns of both sides.
mmeijeri (1 point, 21 hours ago): Many? Who are these mysterious 1MB-forever proponents? I don't think I have seen any, let alone many.
gizram84 (0 points, 11 hours ago):
> nodes will be under further pressure and harder to run if blocks increase 20x
How so?
eragmus (0 points, 7 hours ago): Extra bandwidth requirement, since it takes more bandwidth to transmit 20x more data (20 MB vs. 1 MB).
gizram84 (1 point, 7 hours ago): But again, as has been pointed out like a few hundred billion times, blocks won't just magically jump to 20 MB.
This is just an upper limit increase.
eragmus (1 point, 7 hours ago): True, but then where is the research that shows at what rate blocks will get filled, and so at what rate bandwidth demand will increase? Hand-waving claims of "many years until blocks will be bigger" lack weight.
Cocosoft (1 point, 11 hours ago):
> We can worry about the impact on running nodes (keeping the network decentralized) later.
That's not true. Gavin has pretty clearly thought about the impact on running nodes. Read his blog posts.
eragmus (1 point, 7 hours ago*): He said this:
> Twenty megabytes downloaded plus twenty megabytes uploaded every ten minutes is about 170 gigabytes bandwidth usage per month
It's not trivial that a node will go from needing 8.5 GB to 170 GB (equal to 5.7 GB/day). Most internet connections come with data caps of about 250 GB on average, or less. Having to spend 68% of your cap just for 1 node seems absurd, compared to the prior 3.4%. This is like making the choice of running a node and having a cap of 80 GB instead, rather than 250 GB. I can't possibly rationalize this, which means I'd likely never run a node. The 20x increase in bandwidth also means 33 KB/s download and upload, but this is much more minor.
usrn (-2 points, 23 hours ago): Stopped reading at "crisis". Stop overdramatizing the situation.
eragmus (1 point, 23 hours ago): Please read this similar criticism of my usage of the word "crisis", and the ensuing responses: https://www.reddit.com/r/Bitcoin/comments/393fym/gavin_andresen_a_lot_of_people_are_pushing_me_to/cs05nnf
thieflar (-1 points, 1 day ago): I don't think anyone intelligent actually believes that a "crisis is emerging". Certainly no core devs have made that absurd claim.
That is absolutely disingenuous, to pretend like that's the actual argument.
eragmus (6 points, 1 day ago): It's not disingenuous, as this is in fact the argument. Gavin and Hearn both argue this (Gavin says transactions will soon hit a 'wall' and Hearn talks about the coming capacity 'cliff' -- the implication and direct suggestion being that this is a 'crisis' that needs to be addressed). See their various blog posts.
thieflar (4 points, 1 day ago): You know what? I'll actually concede this point. Solid defense.
eragmus (3 points, 1 day ago): Thanks!! :) Now if only we could have a nice facts-only debate over every other aspect of this issue, there would be no problem. The core members themselves need to have such a debate, preferably in a single public Reddit thread in which only they can participate... why they don't is beyond me.
thieflar (4 points, 23 hours ago): Interesting idea. I don't necessarily agree that Reddit is the best venue for this to take place in (the dev mailing list might be more appropriate), but I think setting aside one particular day for the core developers to hash things out and come to a verdict of some sort is a fantastic idea. Paging /u/gavinandresen, /u/pwuille, /u/jgarzik, /u/luke-jr, /u/nullc, /u/petertodd, /u/mikehearn, and /u/luke-jr: does this not sound like a good idea? Scheduling a particular timeslot or day for everyone to civilly discuss the different proposals and options available, voicing your respective concerns and preferred courses of action and doing whatever is possible to come to some sort of agreement?
thieflar (2 points, 23 hours ago): (I do realize that all of you have posted your various thoughts on the subject in blog posts and comments scattered around the web, but the idea here would be a consolidated discussion where the focus was on the merits and demerits of each specific proposal and everything could be aired out in one go.)
eragmus (2 points, 23 hours ago): +21,000,000. Specific, focused, concise, point-by-point debate, where the facts alone reign supreme.
martinBrown1984 (4 points, 22 hours ago*): The block size debate is more political than technical because the issues in question are more economic than technical. The technical issues are easy to settle by facts, e.g. what's the max block size that could be supported with current average node bandwidth? (Supposedly 8 MB blocks, not 20 MB.) But the political/economic issues would not be easily settled by point-by-point debates. Would a larger block size increase "centralization" (i.e. lead to fewer full nodes)? Is it preferable to have more full nodes? Is it preferable to have low transaction fees? Should users be able to pay for coffee with on-chain transactions? The answers to such questions depend on whether you ask a miner, a user, or an Austrian economist, and so on. It comes down to political views and opinions, not facts.
Noosterdam (2 points, 22 hours ago): I think they'll say that's what they do on the mailing list already. Reddit does have the advantage of threaded comments making things easier to follow, but not everyone likes that. Perhaps the mods could sticky the post at the top and forbid anyone else to comment (perhaps after a week or so).
awemany (-1 points, 9 hours ago): The 250 kB soft limit can aptly be described as a crisis...
awemany (1 point, 17 hours ago): We had a confirmation time mess when we ran into the too-low default soft limit (was it 250 kB?) a while ago. It was horrible. So I very much think their point is valid.
eragmus (1 point, 7 hours ago): It's an issue for a small amount of time (a matter of days), until the emergency patch would be implemented. Then, confirmation time issues gone. No permanent damage.
optimiz3 (2 points, 23 hours ago): Smaller blocks = higher fees due to increased competition to get transactions recorded. Miners want smaller blocks, users want lower fees.
i_wolf (5 points, 17 hours ago):
> Smaller blocks = higher fees due to increased competition to get transactions recorded.
You're assuming people are willing to pay them.
Cocosoft (0 points, 11 hours ago): If miners are stupid and short-minded, they would want 1 KB blocks. But almost everyone (including miners) wants Bitcoin to succeed in the long run (as a system that "everyone" can be a part of).
mmeijeri (1 point, 21 hours ago): No, the question is not whether we should increase the block size limit. Nearly everyone agrees we will need to do so eventually. The dispute is over when to do it and by how much, and whether to do it without near consensus or not.
BTCisGod (-4 points, 18 hours ago): Alright, wake me up when that's decided and I'll buy back. Otherwise I don't really see any point holding toy bitcoins.
Logical007 (14 points, 1 day ago): Pretty much.
If people don't like it then they won't upgrade or will go to another "coin", simple as that.
dooglus (5 points, 21 hours ago): If people don't like Gavin's new version of Bitcoin they can stay with the original Bitcoin. I expect both will be traded on exchanges and so the market can decide which it values.
seweso (2 points, 18 hours ago): Most people will have coins on both sides of the fork. And you should be able to send transactions to both. It's the value of newly mined coins which is most interesting. Actually the whole fork is super interesting. I already want to grab a bag of popcorn!
[whitslack: comment score below threshold, 2 children not shown]
[luke-jr: comment score below threshold*, 18 children not shown]
pizzaface18 (62 points, 1 day ago*): He's not a dictator because it takes the market of exchanges and miners to make it happen. It sounds like the majority of them are already on board. The only folks that are against it are the Blockstream guys. Coincidence?
lorempsum (OP) (8 points, 1 day ago): Once the change is part of the official Git repository, uses the "Bitcoin" name, is offered for download on bitcoin.org, and is packaged in Linux repositories under the name "bitcoin", it would be very hard to stop that change from happening. Whoever has the power to do these things has a lot of power over Bitcoin. Do not underplay the importance of that.
sgornick (4 points, 13 hours ago): Maybe hard to stop it from happening, but without near-universal consensus it is not hard to make that end up being a foolish, catastrophic move.
lorempsum (OP) (11 points, 1 day ago): Enough with that "the core devs are against that because of blockstream" nonsense.
There are core devs who oppose it and it has nothing to do with Blockstream, and the ones who are related to Blockstream have publicly stated their opinion long before sidechains were a thing.
everydaymotherfucker (11 points, 17 hours ago): There is a conflict of interest NOW. Whether there was one before Blockstream was a thing is irrelevant.
exo762 (13 points, 18 hours ago): There is no proof that "some of core devs are against block size change because of blockstream". But there is an obvious conflict of interest here. And worst thing, those guys: 1) don't have experience running huge services (fee market? more like price diving into the $20-$50 range because of panic and loss of trust); 2) don't really offer any solutions. Peter Todd gives a great example of "leadership" by summoning a huge amount of "what ifs" (e.g. "if govs all around the world will crack down on Bitcoin, we will not be able to run nodes behind Tor" nonsense).
[deleted (12 hours ago): deleted]
chrisrico (2 points, 11 hours ago): Check your bullshit. Peter Todd is the #15 committer to the bitcoin repository, as GitHub clearly shows.
laisee (24 points, 23 hours ago): Blockstream has a vested interest in delaying an increase in block size until their solutions are ready. Someone holding an opinion on block size before the company was created does not mean there is not a conflict of interest now. There are 21M reasons why this might be the case.
zombiecoiner (-2 points, 22 hours ago): Large companies and governments have a vested interest in a block chain that requires more resources to access. What do I worry about more? One Blockstream or 100 Coinbases? Who is able to do more damage if they get their way?
killer_storm, 4 points, 19 hours ago:
Yes, people who were in favor of sidechain-like approaches were more likely to join Blockstream. E.g. Greg Maxwell described a similar approach back in 2013.

aminok, 7 points, 1 day ago:
Agreed. The Blockstream folk obviously care deeply about Bitcoin and it is this that motivates their stance on the block size limit proposal. Sidechains and the LN, both of which Blockstream is working on, are super positive for Bitcoin, and we should all be glad for Blockstream's existence for moving these concepts along.

donbrownmon, 1 point, 11 hours ago:
"the ones who are related to blockstream have publicly stated their opinion long before sidechains were a thing."
Well, what was blockstream working on before sidechains?

usrn, 3 points, 23 hours ago:
What would these miners and exchanges do without users? The users rule this space, not exclusively miners and (hopefully) soon-to-be-useless exchanges.

pizzaface18, -1 points, 23 hours ago:
Ya, when bitcoin is the de facto currency of the web, but we're not there yet, so we need KYC gateways into and out of crypto.

eragmus, -4 points, 1 day ago:
List which core devs / core committers (the real experts and architects and writers/maintainers of Bitcoin) are for the 20MB increase, and which are not. I think you'll be quite surprised at the wide gulf in opinion for/against the increase... and hence the absurdity of Gavin's totalitarian 'my way or the highway' statement.

awemany, 9 points, 17 hours ago:
Bullshit! Gavin repeatedly changed his proposal to try to please the naysayers that like to have Bitcoin hit the blocksize wall. He never, ever went 'my way or the highway'.
Not even now; he's basically saying, 'ok, I am going to fork and let the market decide'. Nothing totalitarian about this at all. Gavin worked on this and argued for an increase for years. To have reliable planning of the hardfork, well in advance. Without any constructive counter-proposal by Greg and the others.

eragmus, -1 points, 7 hours ago:
Are you aware that 20MB means 170 GB/month or 5.7 GB/day of bandwidth is required per node? My Comcast cable 105/10 Mbps service has a data cap of about 250 GB. 170 GB is 68% of the cap, leaving me 80 GB free in a month for my regular internet activities. That is insane... and so I would never cause my effective cap to drop to 80 GB just to run a node. This is the main problem with the 20MB block size increase. My internet service is much better than most people's, yet even I would not be able to run a node.

conv3rsion, 1 point, 5 hours ago:
120 MB per hour is 2.8 GB per day (20 x 6 x 24) or 62 GB per month. This is only if 100% of blocks were completely full 24 hours a day. I really don't think people need to be able to run nodes from their homes, but it still isn't a problem in this scenario for most people.

eragmus, 1 point, 3 hours ago:
The math is incorrect:
20MB up AND down = 20+20 = 40 MB every 10 minutes
40 MB * 6 = 240 MB every 1 hour
240 MB * 24 * 30 = 172,800 MB = ~170 GB/month
And yes, it only applies with 100% full blocks, but we don't have real research in this debate to inform us of what to really expect in terms of the rate of block size increase. Because of this, and because 170 GB/month is really excessive, a 20MB increase doesn't seem advisable. We need to address the research concern, at least, so we have hard data on what to expect and can model better.
conv3rsion, 1 point, 2 hours ago:
You are telling me your 250 GB cap includes upload bandwidth?

eragmus, 1 point, an hour ago:
Yep.

pizzaface18, 23 points, 1 day ago:
Your highway is a single-lane dirt toll road. Gavin wants to pave it.

hellobitcoinworld, 12 points, 1 day ago:
Based on every single poll I've ever seen on the subject of whether or not to increase the blocksize, the majority of people do want the increase. In fact, I've never come across a poll where the majority did not want to do it. So why would you put what a smaller group of individuals wants over what the masses want? That makes no sense and seems highly dictatorial. It actually matters more what the majority of the bitcoin users want. So, I ask: why do some people (such as yourself) negate against what the majority seems to want?

eragmus, 15 points, 1 day ago:
The coders understand the complexity, as they wrote the actual Bitcoin software. The masses understand it at a far more superficial level. I choose the experts over the mob any day. Also, you make a complete straw argument, since the extreme majority of the 'experts' also support an increase, only disagreeing with the amount of increase and time frame.

hellobitcoinworld, 12 points, 1 day ago:
That's like saying that no one else's opinion matters though, even the majority. Also coders are not necessarily financial experts. I don't trust a coder to be any more skilled at determining the specifications of a piece of financial software. I really think we're dealing with politics here more than anything else.

laisee, 6 points, 23 hours ago:
Exactly.
Ability to code one github repo of C++ code does not an economist make. People talking about 'fee markets' when it's clear they know very little about how markets can, and do, fail.

Noosterdam, 8 points, 22 hours ago:
Fee markets would work, but code changes have to be made, and there are risks. Testing would be required. In fact the risks of hitting the hard cap seem to outweigh the risks of bigger blocks. Somehow, though, a number of people have managed to reframe Satoshi's temporary measure as a new "core tenet of the Bitcoin social contract," and although the very nature of the cap means it has no effect until hit, so that hitting it is a huge change in the way Bitcoin works from the heretofore norm of being uncapped in any presently effective way, they have gotten away with painting those who want to maintain the status quo of how Bitcoin operates - growing continually without being effectively capped - as some kind of radical "change," when it is they who want the radical change, justified only by the technical triviality that the relic cap happens to still be in the code largely due to these same people's blockading. The circularity and topsy-turviness of that position is dizzying.

approx-, 5 points, 19 hours ago:
That's a really good point actually - advocates of a 1MB block actually want to change Bitcoin, since up to now, the cap hasn't been hit for any extended period of time.

solex1, 6 points, 15 hours ago:
Correct. This is the most insidious aspect of the 1MB: it is dormant software. Until recently it has had no effect, so Bitcoin has effectively functioned for 6 years without a block size limit. Imposing one now is the radical change, a radical economic experiment which has a far higher probability of causing harm than good.
zombiecoiner, 2 points, 22 hours ago:
What if it were a roundtable of top economists saying that we should keep this limit? Would the majority here be with or against them? Do knowledge and/or credentials matter with a crowd making a popular vote?

justusranvier, 5 points, 11 hours ago:
Depending on your source of "top economists", their credentials could count against their credibility.

hellobitcoinworld, -2 points, 23 hours ago:
Yes, plus look at what the majority wants. It's very clear: http://www.reddit.com/r/Bitcoin/comments/3947ck/multiple_polls_results_regarding_bitcoin/

eragmus, 5 points, 1 day ago:
I'm not saying that, of course. Obviously the masses' (users') opinion matters. However, it is simply a fact that the coders understand the complexity of the matter more than the users do. Why am I saying this? Because they have written the Bitcoin software, which involves meticulously considering at every turn how they are affecting the incentives (economic, game theoretic, and otherwise) involving miners, users, developers, nodes. Users just use the software and read superficially what they come across. The people (coders) who are actually writing the software are 'applying' what they have read and learned in practice. This makes them more of an expert on the matter. I don't think it's politics at play. Those against the 20MB increase are against it primarily because of the effect it has on increasing bandwidth required to run a node, by a factor of 20x. This is virtually the argument, summarized in 1 line. This argument is not political, but a matter of keeping the network decentralized by allowing the max number of people possible to run nodes. Nodes decide what rules the network follows, so they are very important.
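eragmus's point that nodes decide which rules the network follows, and platypii's later point in this thread that an SPV client outsources that decision to whoever serves it, can be made concrete. What follows is an added example, not code from the thread or from Bitcoin Core: a toy block with a Bitcoin-style merkle tree, checked by two fully validating nodes that differ only in their block-size rule, and by an SPV client that checks nothing but a header and a merkle branch. Proof-of-work, signature and script checks are left out (assumption: both full nodes would also run them), and the transactions are constructed padding rather than real transactions.

```python
# Added example, not from the thread or from Bitcoin Core. Shows how a
# fully validating node enforces a block-size consensus rule while an SPV
# client, which sees only headers and a merkle branch, cannot tell whether
# the rule was honoured. All transactions below are constructed padding.
import hashlib
import struct

MAX_BLOCK_SIZE_1MB = 1_000_000     # the limit under debate in the thread
MAX_BLOCK_SIZE_20MB = 20_000_000   # the proposed replacement


def dsha256(data):
    """Bitcoin's double-SHA256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def _next_level(level):
    """One merkle level up; an odd trailing hash is paired with itself."""
    if len(level) % 2:
        level = level + [level[-1]]
    return [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(txids):
    if not txids:
        raise ValueError("a block needs at least one transaction")
    level = list(txids)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_branch(txids, index):
    """Sibling hashes from leaf to root, as a full node serves to an SPV peer."""
    branch, level = [], list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        branch.append(level[index ^ 1])
        index //= 2
        level = _next_level(level)
    return branch


def verify_branch(txid, index, branch, root):
    """SPV-side check: fold the branch back up and compare with the header's root."""
    h = txid
    for sibling in branch:
        h = dsha256(sibling + h) if index & 1 else dsha256(h + sibling)
        index //= 2
    return h == root


def build_block(txs, prev_hash=b"\x00" * 32):
    """80-byte header (version, prev, merkle root, time, bits, nonce) plus txs."""
    root = merkle_root([dsha256(tx) for tx in txs])
    header = struct.pack("<I", 1) + prev_hash + root + struct.pack("<III", 1433000000, 0x1D00FFFF, 0)
    return {"header": header, "txs": txs}


def header_root(header):
    return header[36:68]


def full_node_validate(block, max_block_size):
    """The subset of consensus checks relevant here: size rule and merkle commitment.
    Returns (accepted, reason)."""
    size = len(block["header"]) + sum(len(tx) for tx in block["txs"])
    if size > max_block_size:
        return False, "block size %d exceeds limit %d" % (size, max_block_size)
    if header_root(block["header"]) != merkle_root([dsha256(tx) for tx in block["txs"]]):
        return False, "merkle root mismatch"
    return True, "ok (%d bytes)" % size


def spv_accept(header, txid, index, branch):
    """All an SPV client can verify: this txid is committed to by this header.
    It never sees the block's other transactions, its size, or its validity."""
    return verify_branch(txid, index, branch, header_root(header))


def demo():
    # Constructed block of ~1.2 MB: valid under a 20 MB rule, invalid under 1 MB.
    txs = [b"tx%05d" % i + b"\x00" * 600 for i in range(2000)]
    block = build_block(txs)
    txids = [dsha256(tx) for tx in txs]
    idx = 1234
    branch = merkle_branch(txids, idx)
    return {
        "node_1mb": full_node_validate(block, MAX_BLOCK_SIZE_1MB)[0],
        "node_20mb": full_node_validate(block, MAX_BLOCK_SIZE_20MB)[0],
        "spv": spv_accept(block["header"], txids[idx], idx, branch),
        "spv_tampered": spv_accept(block["header"], dsha256(b"not in block"), idx, branch),
    }


if __name__ == "__main__":
    print(demo())  # node_1mb False, node_20mb True, spv True, spv_tampered False
```

The same block is valid to one node and invalid to the other; that disagreement is exactly where a hard fork lives, and it is settled by whichever rule the validating nodes happen to run. The SPV client accepts the block either way, as long as its peers hand it a branch that folds up to the header, so for it the choice has already been made by whoever it connects to.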
hellobitcoinworld, 1 point, 23 hours ago:
"Those against the 20MB increase are against it primarily because of the effect it has on increasing bandwidth required to run a node, by a factor of 20x."
It doesn't immediately increase the bandwidth by a factor of 20. That will most likely take many years to happen. This change only increases the LIMIT on the block size allowed. Blocks are not instantaneously going to become 20MB blocks if that update goes into effect.

eragmus, 3 points, 23 hours ago:
I suppose: it would take 1 year before it's even possible to happen, since that's the plan. Further, like you say, miners can mine whatever size they want. If this is all the case, then the argument against raising the limit is lowered, I suppose. I welcome anyone more knowledgeable to jump in and answer this, if there is an answer. The only argument that comes to mind is: that nodes still must process everything, both 20MB and non-20MB blocks. So, even if every block is not 20MB, nodes must be capable of it, and so will still be impacted.

approx-, 1 point, 19 hours ago:
Larger blocks mean a higher orphan rate. Most miners will begin to selectively include transactions (i.e., only include transactions that have a fee high enough to offset the increased risk of an orphan block). The market will thus tend towards only having fee-based transactions, but those fees will still be quite low and we'll have many transactions still propagating through the network. In my opinion, keeping transactions free/cheap is a big key to ensuring the eventual success of Bitcoin, at least at this stage in Bitcoin's growth.

CyrexCore2k, 2 points, 23 hours ago:
"The coders understand the complexity, as they wrote the actual Bitcoin software."
What aspects of the block size debate would significantly benefit from an intricate knowledge of the codebase?

zombiecoiner, 5 points, 22 hours ago:
The code base is a manifestation of the rules, and knowledge of much of it is coincident with understanding the weaknesses of the system when it comes to security and independence. So I would say all of it and none of it at the same time. I have touched little of the code and read only slightly more. I do however understand Bitcoin's weaknesses in the short and long term as, knowing I'm not going to dedicate myself to core development, I've chosen to at least keep up with them. People here seem most concerned about making the choice that will lead to greater adoption. Others, like myself, are most concerned with not allowing catastrophic outcomes for the system like centralization and PoW attack.

CyrexCore2k, 2 points, 22 hours ago:
"So I would say all of it and none of it at the same time."
No offense, but when you say this it makes your whole comment seem like a non-answer. From my perspective the discussion about the size increase has primarily been focused on economic concerns. We're pretty far into uncharted territory here and so in that regard the devs are speculating just as much as anybody.

zombiecoiner, 0 points, 22 hours ago:
I was trying to make the point that it's not about the code base itself but about learning about the rules of the system along with how it's used. It's true that there must be speculation in the face of an unknowable future, but those who have studied the system intimately should be able to better model the trade-offs and make a better decision.

CyrexCore2k, 2 points, 22 hours ago:
Now you're hedging. Should or can?
zombiecoiner, 0 points, 22 hours ago:
If you want me to speak in absolutes, I'm sorry to disappoint you. The choice is not clear. I was hoping that you were asking about aspects of the code base because you wanted to know if you should study the code. Instead it seems you wish to argue that people don't need to know about this system to decide its fate.

eragmus, 1 point, 6 hours ago:
Well, the importance of node decentralization, for one, which users just hand-wave away. The impact of 20MB is this: https://www.reddit.com/r/Bitcoin/comments/393fym/gavin_andresen_a_lot_of_people_are_pushing_me_to/cs0xznd
Thus, many people will stop running nodes, which makes the network more vulnerable.

CyrexCore2k, 1 point, 6 hours ago:
Your comment is a good one but I don't see how it demonstrates that there is a significant benefit to an intricate knowledge of the codebase when discussing the blocksize increase.

eragmus, 2 points, 6 hours ago:
Hmm, well I suppose I could agree. But the reason why I'm reluctant to is this: how many of the members of the community understand the point I made above? If they did understand (and it's a simple argument, so I don't see why they wouldn't), then why do people still fervently support 20MB blocks and denounce anti-20MB-ers as having an ulterior motive (zOMG it's Blockstream members and their sidechains business!) and trying to subvert or harm Bitcoin? Where does all this uncalled-for passion and conspiracy theory come from? I'd propose the reason is they don't understand how important the role of the node is in Bitcoin, and thus how important it is to keep the running of nodes as decentralized as possible.
Someone who writes the Bitcoin Core software (the node's software) and understands the technicals of how the protocol works will deeply appreciate the various incentives that make the system work. This includes appreciation for the importance of nodes. If one understands the bandwidth argument, along with the importance of decentralization of nodes, then one will argue one side or another much more gingerly, instead of being full gung-ho for one side. However, most people are not arguing like that, which is why I think there is a difference in opinion between the coders vs. the users.

CyrexCore2k, 1 point, 6 hours ago:
"I'd propose the reason is they don't understand how important the role of the node is in Bitcoin, and thus how important it is to keep the running of nodes as decentralized as possible. Someone who writes the Bitcoin Core software (the node's software) and understands the technicals of how the protocol works will deeply appreciate the various incentives that make the system work. This includes appreciation for the importance of nodes."
Prior to all of this block resizing debate there were numerous discussions that pointed out nodes will have to be incentivized eventually. Do you feel that nodes will never have to be incentivized if the limit remains at 1MB? In addition to that, as has been stated in a number of these arguments, the miners themselves can keep whatever soft limit they like. If a pool with 33% of the hashing power decides to keep a soft limit of 1MB that will effectively make the average block size 13.53MB even if every other miner maxes out blocks at 20MB. The miners have adjusted their behavior in the past when it affected the price. Why don't you have any confidence they would do the same in this case?
eragmus, 1 point, 6 hours ago:
Regarding incentives for nodes, if the limit is kept at 1MB, then transactions will eventually fill up the blocks completely and there will be increasing delays for transactions to be included in blocks. There are peaks and troughs in normal activity, but eventually, even the troughs of activity won't be enough to take care of delayed transactions. In this situation, I'm not sure nodes would behave differently. The 1MB limit would be static either way. It's extra effort to run a node though, even at only 8.5 GB/month or 283 MB/day. Besides understanding the importance of nodes and altruism, there doesn't seem to be much benefit. So, an incentive structure is probably the best way to address the issue regardless of block size, right? But apparently incentives can result in problems too, and I haven't thought enough or read enough to really speak on it. Surely there must be an intelligent incentive structure to address concerns though! I can't believe that no sustainable solution exists. In terms of miner soft limits, yes, they can modify the ultimate block size. However, the issue with block size is bandwidth demand's impact on the ease of running a node. I'm not sure this relationship is easily related to the exchange rate, but rather to the intangible benefit of 'decentralization' of the network, making it more resistant to possible bad actors. It's more of an amorphous idea, so we probably need it decentralized as an overarching goal, to help keep the network as strong as possible 'just in case'.

derpUnion, 3 points, 23 hours ago:
The masses also want moar welfare payments, nice cars, not have to work, moar benefits. Why isn't the government giving what the majority wants? That makes no sense and seems highly dictatorial!
The masses can't even read 5 lines into the bitcoin white paper, don't run a full node, wtf do they know of the pains of having a gigantic blockchain. Nobody owes the masses anything, SPV wallets today function only because of the altruism of people running full nodes. If I need to spend thousands of dollars on a high-end rig/power/net connection, why should I let the masses leech off my full node?

CyrexCore2k, 6 points, 23 hours ago:
The full node argument is coming from the wrong angle. Regardless of block size, full nodes are going to need to be incentivized somehow. They can't rely on altruism forever.

i_wolf, 2 points, 17 hours ago:
"The masses also want moar welfare payments, nice cars, not have to work, moar benefits."
That's a really weird comparison. Limiting the size is essentially welfare for "small" miners and an "anti-trust" regulation. The majority in Bitcoin are for the free market, that's why we reject that bullshit. We know that freedom gives more decentralization than artificial limits on the market. Nobody owes "small" miners or nodes anything, or is obligated to protect them from competition. It's not "your" node! Nobody forced you to run it. Your node is not special, we need more nodes and miners, not "small" ones. Artificially limiting usage and adoption only limits decentralization.

aminok, 2 points, 20 hours ago:
There is a difference between the 'masses' and economic stakeholders. This would be more analogous to shareholders, where they have skin in the game and aren't voting to socialize their costs, but rather, are voting on how to manage their capital.

imaginary_username, 1 point, 17 hours ago:
"Nobody owes the masses anything"
You, a holder of coins, owe it to yourself to push mass adoption.
hellobitcoinworld, -1 points, 23 hours ago:
That kind of logic is what makes communist states exist.

i_wolf, 1 point, 17 hours ago:
The logic that we all should limit ourselves for the sake of subsidizing smaller miners and nodes.

platypii, 1 point, 23 hours ago:
"So why would you put what a smaller group of individuals wants over what the masses want?"
Ironically, you've got this backwards when considering opinions expressed through code rather than online polls or forum posts. I'll explain: if you want to actually enforce your opinion on the correct state of the blockchain, this requires doing full validation on it, so that you can determine whether it's following or violating your expected consensus rules (whether this be a 1MB block cap, 20MB, or any other hard fork changes). By running an SPV node, you're actually forgoing your ability to enforce the rules trustlessly, and instead you're outsourcing validation to other parties that you have to trust to follow those rules for you. These parties you trust essentially control your vote on the chain rules. Increasing the block size penalizes fully validating nodes and encourages more SPV-validating nodes. This means that the number of people determining the protocol rules is smaller (centralization), which makes future hard forks far easier to implement without the consent of the SPV users. By keeping blocks small enough that users can fully validate the chain, this is preserving the ability of individual users to vote with their software and enforce their own preferred consensus rules. In short: those supporting small blocks are doing so to protect the opinions of the masses from the opinions of the few.

persimmontokyo, 4 points, 13 hours ago:
You're committing the common fallacy of ignoring the unseen.
You're not asking yourself: how many more nodes might we have with an economic system that isn't artificially constrained, and therefore admits more users and businesses to adopt it because it can accommodate their usage requirements? Standing still and doing nothing itself causes economic actors to evaluate your potential solution to their problems and dismiss it as "capacity constrained" or "unscalable", and therefore not even take part in the system in the first place. Give it a chance to scale and decentralise, and it just might. Think of the negativity Satoshi faced when he proposed bitcoin. All naysayers. He ignored them and proved them wrong by doing it. And here we are today. Central planning doesn't work. Let the system breathe and find its own way.

awemany, 0 points, 9 hours ago:
Exactly. I feel the people who want Bitcoin to run into the 1MB wall have much more responsibility to state their reasons than the people who want to tear down this artificial wall - and basically keep it growing as it is already!

CyrexCore2k, 3 points, 23 hours ago:
Full nodes are eventually going to need incentives whether the block size is 1MB or 500MB. They can't rely on altruism forever.

pluribusblanks, 2 points, 16 hours ago:
What monetary incentives are there to run Tor relays? None. Yet there are 6000+ Tor relays. People run them because they believe privacy is important. People run Bitcoin nodes because they believe decentralized, transparent digital money that works the same way for everyone on the internet is important.

awemany, 1 point, 9 hours ago:
One incentive is reachability of a full node.
I bet if it ever would get so bad (which I doubt it will) that there are only very few nodes, overloaded with SPV-wallet connections and the like, there will be nodes emerging that you can pay for access to the blockchain. Because it is essentially only public data, that market will also be competitive.

hellobitcoinworld, 2 points, 23 hours ago:
I think this is a false reason though. For two reasons:
1.) Blocks will not become 20MB right away. That will take many, many years. We are only talking about the maximum size being raised.
2.) If you take a look at hardware advances since the 1MB block limit was put in place, then why haven't we increased the limit accordingly, in ratio? You can look at it that way too. If you think hardware will not be able to handle 20MB blocks by the time they happen, I think this is a poor estimation of technology advances.
The reverse way of stating it: Should we leave the limit at 1MB despite increases in storage capacity and bandwidth? I think that also is lacking in logic.

platypii, 1 point, 22 hours ago:
"The reverse way of stating it: Should we leave the limit at 1MB despite increases in storage capacity and bandwidth? I think that also is lacking in logic."
Well there used to be 250,000 fully validating nodes back when bitcoin had a smaller user base. And now the user base has grown but we're down to less than 10,000 nodes. You could blame this on a number of things, but not least of which is the increase in the size of blocks. So I think the signs are that we should leave it at 1MB and give decentralization some time to catch back up to where it's at a more comfortable level.

exo762, 4 points, 17 hours ago:
"250,000 fully validating nodes back when bitcoin had a smaller user base"
This is a very ... weak statement because of two things.
First, full nodes were used as wallets because of a lack of better wallet alternatives. Second, the number is bogus. Ways of measuring the number of full nodes have changed. Right now we count full nodes only if they are available all the time.

i_wolf, 2 points, 17 hours ago:
"Well there used to be 250,000 fully validating nodes back when bitcoin had a smaller user base. And now the user base has grown but we're down to less than 10,000 nodes. You could blame this on a number of things, but not least of which is the increase in the size of blocks."
By making this argument you're explicitly advocating keeping Bitcoin back in the past when nobody wanted it. You don't see that growth of blocks is directly linked to growth of demand and adoption.

exo762, 1 point, 18 hours ago:
"So I think the signs are that we should leave it at 1MB and give decentralization some time to catch back up to where it's at a more comfortable level."
This will lead to a crash, because the fee market will not happen. Think "transaction without fee" problem but on a massive scale. Every time you send money there is a chance that it will hang in limbo for 2 weeks. A market is possible if there is a meaningful feedback loop or at least some way of checking the prices. Money being blocked in case of a fee too low is not feedback, it's a kick in the nuts. Even if we assume that a fee market is possible, it is not realistic right now because of a lack of software supporting it.

platypii, 0 points, 16 hours ago:
These problems can be fixed without even a hard or soft fork. Either child-pays-for-parent or first-seen-safe replace-by-fee will fix the stuck transaction problem, and the mempool janitor patch will fix the out-of-memory issue.

exo762, 2 points, 15 hours ago:
This is a huge amount of patching.
Including UI for users' wallets, hot wallets of exchanges, convincing people to roll out those patches. And it does not even address the viability of the thing called a "fee market". How much time do you think Bitcoin has right now with 1MB blocks? I bet less than a year.

platypii, 1 point, 15 hours ago:
The fee market exists... what do you mean? There is fee estimation in bitcoin core. Is there some particular feature you're looking for?

platypii, -2 points, 23 hours ago:
So if your everything-will-be-ok argument relies on blocks growing slower than the cap, why lift the cap so high? The max exists as a limit for what size will be considered acceptable. Raising to 20MB right away means we accept 20MB right away.

i_wolf, 1 point, 17 hours ago:
"So if your everything-will-be-ok argument relies on blocks growing slower than the cap, why lift the cap so high?"
Because if it in fact grows, it will be beneficial to Bitcoin, and limiting it will cripple its value and adoption. And if it won't grow, then it's perfectly safe.

hellobitcoinworld, 1 point, 23 hours ago:
If you think hardware will not be able to handle 20MB blocks by the time they happen, I think this is a poor estimation of things. But you and I both know that won't happen. The number of transactions will continue as they have been. Increasing the max block size does not increase the number of transactions being executed on the network. And even if it did instantly, magically jump to 20MB full blocks, hardware right now is not so shitty that it can't handle 20MB blocks. But again, that isn't what's going to happen in reality. So please keep that in mind if you decide to respond to this.
"why lift the cap so high?"
Because look at how much work it takes to get a fork put out. It's like total bitcoin chaos, lasting for months.
We should minimize these occurrences.

ColdHard, 2 points, 15 hours ago:
Months? You know the discussion and coding on this issue have been going on for more than 3 years. Thank you for your contribution to it. Which, in summary, appears to be: <Talking is scary, let's hard fork> Did I get that right?

Richy_T, 1 point, 22 hours ago:
Minimize the occurrences or the need for manual intervention, though? (Though technically it's not a fork* if it doesn't require manual intervention, I hope you see where I'm coming from)
*Though technically, it wouldn't be a fork anyway unless die-hards kept using the old codebase

Viacoin66, 1 point, 16 hours ago:
http://www.reddit.com/r/Bitcoin/comments/37y8wm/list_of_bitcoin_services_that_supportoppose/

eragmus, 1 point, 7 hours ago:
I don't think services (users of Bitcoin) are of the same caliber as core developers, who write the Bitcoin software. Services have lots of money and can run nodes, but the issue is that regular people will not be able to run nodes with a 170 GB bandwidth requirement every month (equivalent to 5.7 GB/day). One big reason why is data caps are on average 250 GB/month, so a node will suck too much data.

lxq7, 0 points, 19 hours ago:
I already did that once for /u/pizzaface18 in another thread, but he doesn't care about facts.

eragmus, 1 point, 5 hours ago:
Looks like we were wrong, check this out: https://www.reddit.com/r/Bitcoin/comments/393fym/gavin_andresen_a_lot_of_people_are_pushing_me_to/cs08nbj

zveda, -2 points, 22 hours ago:
The real experts eh?
https://en.wikipedia.org/wiki/Argument_from_authority

eragmus 1 point 7 hours ago
It's a fact that the writers of the software are more expert than the users of the software (software which abstracts out the complexity).

zveda 1 point 6 hours ago
It is and I agree with you. However an 'expert' is not always right, especially about something like the future direction our project should take. We would make a big mistake as a community if we let a few experts control and guide our project completely. If you read the link I gave in the previous message, it goes into more detail on why this plan, of letting experts decide everything, is often a very bad idea. Also check out https://en.wikipedia.org/wiki/Groupthink

eragmus 1 point 6 hours ago
Okay, sorry, these are good points... and I'm not really arguing against them. I guess what I was trying to say, but in too few words, is this: https://www.reddit.com/r/Bitcoin/comments/393fym/gavin_andresen_a_lot_of_people_are_pushing_me_to/cs0zcrv?context=3 See the first 4 posts, ending with my reply as the 4th post. If you have questions after that, then feel free to reply and we can continue.

[deleted] 19 hours ago [deleted]
[deleted] 19 hours ago [deleted]
[deleted] 18 hours ago [deleted]
[deleted] 18 hours ago* [deleted]

GibbsSamplePlatter 0 points 9 hours ago
You mean all but Gavin in the repo?

fangolo 25 points 1 day ago*
Fork. Let the market decide. Until there are technical alternatives, the status quo doesn't look attractive. Make it 8MB to give time for the ecosystem to develop alternatives while keeping the overhead reasonably low. If most parties feel slightly uneasy, it's probably the best solution. Gavin should give a bit of ground and move ahead.
d4d5c4e5 8 points 1 day ago
I'm really starting to see it this way. Two factions can't come to an agreement, that's fine. If you can't work it out, it's time for a divorce.

Noosterdam 7 points 23 hours ago
That's what forking is for. And it probably won't be a divorce. Devs want to maintain their positions, not code for an irrelevant version. It's possible that some would quit out of principle, but I doubt it.

Throwahoymatie 11 points 1 day ago
I agree with this. I'm tired of reading about this debate. Just put the code out there and let adoption happen. This whining is getting to be too much (on both sides).

pitchbend 1 point 20 hours ago
Yeah, let's fork Bitcoin against the will of many core devs and Chinese exchange operators, what could possibly go wrong... I'm sure it'll help adoption, nothing inspires more confidence than a civil war where your coins are useless depending on the chain you choose.

[+] lorempsum[S] comment score below threshold (28 children)

DakotaChiliBeans 3 points 15 hours ago
2,4,8,16,20,21,32. Pick a number. Do it. Just do it. YES, You can.... Arrrrrhhrhrhhhrhhghhhh.

SatoshiBittinger 7 points 17 hours ago
Just. DO IT

walloon5 4 points 22 hours ago
No one can force anyone in bitcoin and that's how we like it.

ProHashing 3 points 11 hours ago
Finally, someone gets it! How long will it take until people realize there is no more research that can be done, that the mailing list is just rehashing the same points over and over, and that increasing the block size to a static 20MB is not going to magically cause there to be fewer problems when that size limit is hit?
The first person to put out an actual solution, in code, that permanently fixes this problem, will be the one to have his solution adopted. This is not a problem where the exact solution even matters. And the code for this solution is not especially difficult either. Does nobody follow politics? Do they not see that there is nobody in a position of authority here to hold and enforce a vote on this topic? Has there ever been a case in history where thousands of people talk and talk about a decision and they magically agree and it gets resolved? Time after time, the only way things get done is when a leader emerges, seizes power, and dictates what is going to happen. Sometimes, the leader remains a dictator, and sometimes he gives up power to a democracy with defined rules. Given that there is no existing governance for this project, the only way that a solution is going to be obtained is for someone to take charge and impose a structure. Andresen has the best chance of doing that, but so far he is all talk. He's been blogging and tweeting about things he might do for six weeks now. I wonder if the best chance now is that someone who we don't even know yet will be the first to release working code and his solution will be adopted. Given the deadlock now, whoever gets the first working code out is going to be seen as the new leader of the bitcoin project. That might remain as Andresen, or if he continues to delay, it may be Mike Hearn or someone else who we don't know yet.

lorempsum[S] 6 points 1 day ago
Does that seem acceptable to anyone?

dudemanguysirmister 23 points 1 day ago
It does to me. Free market, let Maxwell fork it to Maxcoin v2 and Todd fork it to Toddcoin v1 and I'll keep running Bitcoin without needing an additional layer on top of it. I think most of the community is behind Gavin's proposal. I'd even be fine with 8 MB. However, no increase is untenable.
lorempsum[S] -1 points 1 day ago*
I signed up for Bitcoin as a system that's ruled by consensus, not by dictatorship. If any of the core devs wants to make a hard-fork change that can't gain consensus, he should indeed make a new coin. That includes Gavin and Satoshi too. And I don't think anyone sensible is pushing for no increase at all. The debate is about the timing and the mechanism. The devil is in the details.

aminok 12 points 1 day ago*
> I signed up for Bitcoin as a system that's ruled by consensus, not by dictatorship.
Consensus is only defined as consensus among developers? Or stakeholders at large? What percentage of stakeholders need to support a change for it to be consensus in your opinion? Gavin proposed 20 MB and then 50% per year increase after that. None of the other core developers agreed, and none provided a counter proposal other than 'wait and see' with the 1 MB limit. He proposed 20 MB and then 40% per year increase after that. Again none of the developers agreed, and none provided a counter proposal.

6701 642 4 1280517545 6701 0 xx 1 Re: Bug: "Immature" coins lost in wallet.dat during transaction
I don't get how it let you send if it was not matured. Your balance would have been lower than the amount. It would have said balance 0.01, right? If I try that it says "you don't have enough money" or "Insufficient funds" from the command line.

How many blocks did it say it had left to mature when you sent?

There's a chance it might still go through.

Have you copied or moved your wallet.dat in any way?

6706 611 6 1280518854 6706 0 xx 1 Re: [PATCH] implement 'listtransactions'
What are you needing to use listtransactions for?

The reason I didn't implement listtransactions is I want to make sure web programmers don't use it.
It would be very easy to latch onto that for watching for received payments. There is no reliable way to do it that way and make sure nothing can slip through the cracks. Until we have solid example code using getreceivedbyaddress and getreceivedbylabel to point to and say "use this! use this! don't use listtransactions!", I don't think we should implement listtransactions.

When we do implement listtransactions, maybe one way to fight that is to make it all text. It should not break down the fields into e.g. comment, confirmations, credit, debit. It could be one pretty formatted string like "0/unconfirmed 0:0:0 date comment debit 4 credit 0" or something so it's hard for programmers to do the wrong thing and process it. It's only for viewing the status of your server. I guess that would be kinda annoying for web interfaces that would rather format it into html columns though.

6711 626 1 1280519586 6711 0 xx 1 Re: *** ALERT *** Upgrade to 0.3.6 ASAP!
[quote author=knightmb link=topic=626.msg6702#msg6702 date=1280517847]
I can only imagine the pain you went through to get these builds because I'm trying to build the program on a Ubuntu 9.04 box and so far I can't seem to find all the dependencies to compile no matter how much I keep installing packages and compiling source, LOL.
[/quote]
I can't understand why you're having so much pain. I just followed the instructions in build-unix.txt.
I made a couple little corrections for Boost 1.37, which I'll put on SVN the next time I update it, noted below:

Dependencies
------------
sudo apt-get install build-essential
sudo apt-get install libgtk2.0-dev
sudo apt-get install libssl-dev
sudo apt-get install libdb4.7-dev
sudo apt-get install libdb4.7++-dev
sudo apt-get install libboost-all-dev (or libboost1.37-dev)

wxWidgets
---------
cd /usr/local
tar -xzvf wxWidgets-2.9.0.tar.gz
cd /usr/local/wxWidgets-2.9.0
mkdir buildgtk
cd buildgtk
../configure --with-gtk --enable-debug --disable-shared --enable-monolithic
make
sudo su
make install
ldconfig

added a comment in makefile.unix:

# for boost 1.37, add -mt to the boost libraries
LIBS= \
 -Wl,-Bstatic \
 -l boost_system \
 -l boost_filesystem \
 -l boost_program_options \
 -l boost_thread \
 -l db_cxx \
 -l crypto \
 -Wl,-Bdynamic \
 -l gthread-2.0

6728 626 1 1280526244 15289 1286200082 satoshi xx 1 Re: *** ALERT *** Upgrade to 0.3.6 ASAP!
[quote author=knightmb link=topic=626.msg6713#msg6713 date=1280520259]
So that last command should simply be
[b]sudo apt-get install libboost1.37-dev[/b]
[/quote]
Except that wouldn't work for boost 1.40+ (on Ubuntu 10.04), where you need to get libboost-all-dev.

Seems they changed everything around in Boost recently, "-mt" and all that, makes it hard.

BTW, I tried Boost 1.34 but it didn't have the boost.interprocess stuff.

Mac OSX version is available now. See bitcoin.org or the SourceForge link.

6751 648 6 1280536160 6751 0 xx 1 Re: 4 hashes parallel on SSE2 CPUs for 0.3.6
That's amazing...

So are you saying you use 128-bit registers to SIMD four 32-bit data at once?
I've wondered about that for a long time, but I didn't think it would be possible due to addition carrying into the neighbour's value.

6760 651 6 1280539928 6820 1280586454 satoshi xx 1 Webpage idea: Next predicted difficulty change
It would be neat if someone had a page (like that handy calculator at http://www.alloscomp.com/bitcoin/calculator.php) that projects what the next difficulty adjustment will be.

projected difficulty adjustment multiplier =

 blocks_since_last_adjustment / 2016
 ------------------------------------
 time_since_last_adjustment / 14_days

For instance, if it already got half way to the next adjustment in only 3.5 days instead of 7, we would expect difficulty to double:

 (1008/2016) / (3.5/14) = 0.5/0.25 = 2.0

Also, it could show the predicted time when the next adjustment will occur, and tell when the last adjustment was and how much it changed.

6822 612 4 1280587132 15289 1286199361 satoshi xx 1 Re: Linux distribution download
It can be built with Boost 1.37 or later.

7057 655 4 1280770767 7057 0 xx 1 Re: Linux version => No GUI after upgrade. WTF?
Did it print anything to the console? Are you sure you didn't run "bitcoind"?

Try version 0.3.7.

7068 660 4 1280772140 7068 0 xx 1 Re: Mac Client Problems Outlined...
"Minimize to the tray instead of the taskbar" & "Minimize to the tray on close" must not be implemented yet on the Mac. We should grey them out in the next version.

7084 648 6 1280775766 7085 1280776495 satoshi xx 1 Re: 4 hashes parallel on SSE2 CPUs for 0.3.6
Is it 2x fast on AMD and 1/2 fast on Intel?

[quote author=tcatm link=topic=648.msg6797#msg6797 date=1280571158]
Btw. Why are you using this alignup<16> function when __attribute__ ((aligned (16))) will tell the compiler to align at compiletime?
[/quote]
Tried that, but it doesn't work for things on the stack.
I ran some tests.

It doesn't even cause an error, it just doesn't align it.

7090 632 6 1280780528 7090 0 xx 1 Re: Protocol Buffers for Bitcoin
The reason I didn't use protocol buffers or boost serialization is because they looked too complex to make absolutely airtight and secure. Their code is too large to read and be sure that there's no way to form an input that would do something unexpected.

I hate reinventing the wheel and only resorted to writing my own serialization routines reluctantly. The serialization format we have is as dead simple and flat as possible. There is no extra freedom in the way the input stream is formed. At each point, the next field in the data structure is expected. The only choices given are those that the receiver is expecting. There is versioning so upgrades are possible.

CAddress is about the only object with significant reserved space in it. (about 7 bytes for flags and 12 bytes for possible future IPv6 expansion)

The larger things we have like blocks and transactions can't be optimized much more for size. The bulk of their data is hashes and keys and signatures, which are uncompressible. The serialization overhead is very small, usually 1 byte for size fields.

On Gavin's idea about an existing P2P broadcast infrastructure, I doubt one exists. There are few P2P systems that only need broadcast. There are some libraries like Chord that try to provide a distributed hash table infrastructure, but that's a huge difficult problem that we don't need or want. Those libraries are also much harder to install than ourselves.
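A worked version of the formula from the "Webpage idea: Next predicted difficulty change" post above, added here as an example; it is not Satoshi's code and is not part of the original thread. It assumes the 2016-block / 14-day retarget interval the post uses and adds one fact the post does not mention: Bitcoin's consensus rules clamp any single retarget to a factor between 1/4 and 4, so the raw projection is reported next to the clamped value a node would actually apply. It also computes the predicted time to the next adjustment by assuming the observed block rate continues. All inputs are constructed sample values.

```python
"""Project the next Bitcoin difficulty adjustment from progress so far.

Added example; assumes the 2016-block / 14-day retarget schedule and the
consensus clamp of one retarget to the range [1/4, 4].
"""
from dataclasses import dataclass

RETARGET_INTERVAL = 2016               # blocks between difficulty adjustments
TARGET_TIMESPAN = 14 * 24 * 60 * 60    # seconds in the two-week target period
MAX_ADJUSTMENT = 4.0                   # consensus clamp on a single retarget factor


@dataclass
class Projection:
    multiplier: float                  # raw projection from the post's formula
    clamped_multiplier: float          # what the consensus rule would actually apply
    blocks_remaining: int              # blocks until the retarget block
    seconds_to_next_adjustment: float  # assuming the observed rate continues


def project_adjustment(blocks_since_last: int, seconds_since_last: float) -> Projection:
    """Apply (blocks/2016) / (time/14 days) and derive the related quantities.

    blocks_since_last: blocks found since the last retarget (1..2015).
    seconds_since_last: wall-clock seconds elapsed over those blocks.
    """
    if not 0 < blocks_since_last < RETARGET_INTERVAL:
        raise ValueError("blocks_since_last must be between 1 and 2015")
    if seconds_since_last <= 0:
        raise ValueError("seconds_since_last must be positive")

    progress = blocks_since_last / RETARGET_INTERVAL   # fraction of the interval done
    elapsed = seconds_since_last / TARGET_TIMESPAN     # fraction of the target time used
    multiplier = progress / elapsed

    # A real retarget never moves difficulty by more than 4x in either direction.
    clamped = min(MAX_ADJUSTMENT, max(1.0 / MAX_ADJUSTMENT, multiplier))

    # Predict when the retarget block arrives if blocks keep coming at the same rate.
    seconds_per_block = seconds_since_last / blocks_since_last
    remaining = RETARGET_INTERVAL - blocks_since_last
    return Projection(multiplier, clamped, remaining, remaining * seconds_per_block)


def describe(p: Projection) -> str:
    """Render a projection the way the post's imagined web page might."""
    days = p.seconds_to_next_adjustment / 86400
    return (f"projected multiplier {p.multiplier:.3f} "
            f"(consensus-clamped {p.clamped_multiplier:.3f}); "
            f"{p.blocks_remaining} blocks, about {days:.1f} days, to the next adjustment")


if __name__ == "__main__":
    # The post's own worked case: halfway through the interval in 3.5 days.
    print(describe(project_adjustment(1008, 3.5 * 86400)))
    # A constructed extreme case to show the clamp taking effect.
    print(describe(project_adjustment(2000, 1 * 86400)))
```

The second sample in the `__main__` block shows why the clamp matters for anyone building the page the post describes: 2000 blocks in one day projects a raw multiplier near 14, but the network would only raise difficulty by 4x at that retarget.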
7155 682 3 1280812643 7325 1280867860 satoshi xx 1 New user registration e-mail
I suspect the reason e-mails from bitcoin.org such as the validation e-mail from the wiki are getting spamblocked is because we didn't have e-mail validation turned on for the forum, so maybe spammers used the forum to set their e-mail to people they wanted to send spam to and then PM themselves so it would e-mail there. The only way to really know would be to look at the mail server logs and see if there's a large volume and what it is.

I turned on e-mail validation of new accounts on the forum, but now people can't sign up because the validation e-mail gets spamblocked. Someone said gmail is one case.

So here we are, nobody new can sign up to the forum.

It would help if we could turn off the forum's notification e-mail features. I tried to disable what I could, but it only had settings for forum thread notifications. Can someone tell me if PM notifications are still active or any e-mail notification anywhere else on the forum.

Maybe we should disable the forum's access to the e-mail server entirely, then turn off registration e-mail until we work this out further. I don't know where that setting is in the SMF interface.

7328 454 6 1280868971 7328 0 xx 1 Re: Builds for Ubuntu?
[quote author=nimnul link=topic=454.msg7282#msg7282 date=1280857875]
Is satoshi noWx patch in 0.3.7 already? Before that bitcoind required wx, and I never seen Satoshi announcing that it's in trunk
[/quote]
Yes, 0.3.7 has it. It was in rev 112.

7331 685 6 1280869508 7331 0 xx 1 Re: Bitcoind x86 binary for CentOS
[quote author=sgtstein link=topic=685.msg7275#msg7275 date=1280856637]
I have successfully built it with 4.8, 4.7 never would but with 4.8 bitcoind locks up whenever it dumps the initial block download to disk. :-\
[/quote]
I urge you not to use BDB 4.8.
The database/log0000* files will be incompatible if anyone uses your build and then goes back to the official build.

7335 689 6 1280870786 7376 1280881157 satoshi xx 1 Re: Content-Length header and 500 (was Re: Authentication, JSON RPC and Python)
[quote author=gavinandresen link=topic=689.msg7299#msg7299 date=1280861804]
[quote author=jgarzik link=topic=689.msg7288#msg7288 date=1280858948]
bitcoin requires the Content-Length header, but several JSON-RPC libraries do not provide it. When the Content-Length header is absent, bitcoin returns 500 Internal Server Error.
[/quote]
Can you be more specific about which JSON libraries don't provide Content-Length ? It'd be nice to document that.
[/quote]
I guess we should try to support the case where there's no Content-Length parameter. I don't want to rip and replace streams though, even if it has to read one character at a time.

Edit: That is, assuming there actually are any libraries that don't support Content-Length.

7356 661 1 1280875507 7356 0 xx 1 Re: What happens when network is split for prolonged time and reconnected?
creighto: I agree with that idea. After a few hours, it should be possible for the client to notice if the flow of blocks has dropped off by more than would be likely just by chance. It could tell if it's not hearing the hum of the world anymore.

[quote author=knightmb link=topic=661.msg7303#msg7303 date=1280862133]
[quote author=gavinandresen link=topic=661.msg7293#msg7293 date=1280860724]
Or if the split lasted long enough (more than 100 blocks), transactions that involve generated coins on the shorter chain would be invalid at the merge.
[/quote]
Interesting info, so other than some double-spending issues, as long as the block chain isn't separated for more than 100 or so blocks (or 16+ hours),
[/quote]
In practice, splits are likely to be very asymmetrical.
It would be hard to split the world down the middle. More likely it would be a single country vs the rest of the world, let's say a 1:10 split. In that case, it would take the minority fork 10 times as long to generate 100 blocks, so about 7 days. Also it would be super easy for the client to realize it's hearing way too few blocks and something must be wrong.

[quote author=knightmb link=topic=661.msg7303#msg7303 date=1280862133]
Is there a hard coded limit on split delay? Meaning if I had a small network split from the public network, spent some coin around, came back a few days later and got them synced up to the public network (other than coin generation if it happened) transactions should be fine?
[/quote]
There's no time limit. Assuming you weren't spending coins generated in the minority fork, or spending someone's double-spends you received, your transactions can get into the other chain at any time later.

7364 696 1 1280878818 7364 0 xx 1 Please upgrade to 0.3.8!
Version 0.3.8 adds an important security improvement. Everyone should upgrade to get this change.

The new safety feature displays a warning message in the status bar and locks down RPC if it detects a problem that may require an upgrade.

If it sees a longer chain, but it can't process it, then it knows something is wrong. It displays "WARNING: Displayed transactions may not be correct! You may need to upgrade." and makes most RPC commands return an error.
It still keeps generating as normal, which is necessary for the stability of the network.

There were important security updates in the versions before this too, so if you haven't upgraded recently, it's extremely important that you upgrade now!

Also, don't forget, we recently added 2.4x faster generating thanks to tcatm's mid-state caching optimisation and BlackEye's help getting ASM SHA-256 working.

Download:
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.8/

7372 685 6 1280880572 7372 0 xx 1 Re: Bitcoind x86 binary for CentOS
[quote author=knightmb link=topic=685.msg7365#msg7365 date=1280879206]
There are two versions, one built from stock code, the other modified to accept up to 1,000 nodes (hence the super node name)
[/quote]
I'd rather you didn't make a build of the 1000 node connecting version available. It won't take very many people running that before we have to make another release just to limit the incoming connections.

15:03 < amiller> not something that was waiting for optimizations to be around
15:04 < amiller> there's one counterexample where someone wrote about proof of work consensus, but they seemed just to think it would be irrelevant
15:05 < nsh> "64k hashes should be enough for anyone"
15:05 < maaku> well the idea of using a scarce resource for consensus is old
15:06 < maaku> the application of hashcash to make thermodynamic potential that scarce resource is new
15:06 < maaku> new and very novel
15:06 < petertodd> maaku: well, one way is to structure your proof-of-publication in such a way that you only need to scan part of the blockchain
15:06 < petertodd> maaku: which is what TXIN commitments does
15:07 < jrmithdobbs> petertodd: anyways, back to something you said earlier as an offhand comment ... assuming all ops were enabled i thought it was already feasible to store state in scripts?
15:08 < petertodd> jrmithdobbs: not at all, none of the ops can do anything related to state
15:09 < petertodd> maaku: more generally, any key-value consensus system that allows multiple *time ordered* values for one key lets you efficiently determine the validity of your coins by tracing them back to genesis
15:09 < maaku> petertodd: why is it objectionable to require miners to do a little bit of work to earn their coins, for communal benefit?
15:10 < helo> maaku: are you taking much from https://en.bitcoin.it/wiki/User:Gmaxwell/namecoin_that_sucks_less for your namecoin?
15:10 < maaku> petertodd: which is still very suboptimal from a user's perspective
15:11 < maaku> helo: i wasn't aware of that wiki page
15:12 < helo> it has some neat suggestions, but it may be in a different direction than you were headed
15:12 < petertodd> maaku: because you need to look at the system as a whole - having to store utxo data forever sucks
15:13 < maaku> helo: regarding storage of the names themselves, yes, it's a different direction. my system doesn't require validator storage at all, beyond the root hash
15:13 < maaku> but the name-hidden-with-hash idea is something I hadn't considered
15:13 < helo> i like the "If you haven't guessed a name, or someone hasn't told you about it it's none of your business that it exists."
15:14 < helo> yep
15:14 < maaku> petertodd: in the absence of well-defined suckiness, I disagree
15:15 < maaku> the UTXO set *is* what we all care about
15:15 < maaku> having access to the whole UTXO set is not an intrinsically bad thing
15:16 < petertodd> maaku: but it's not! wallets don't even care about the UTXO set - they only need to care about their own UTXO's
15:17 < maaku> the bitcoin economy is not a collection of purely self-interested wallets
15:17 < maaku> people also care about macroeconomic issues like estimations of lost coins, potential inferences of wealth distribution, etc.
15:17 < maaku> which require the whole utxo set
15:18 < petertodd> right, and all those things can be maintained by people who need it, people who don't need that and just want to mine and/or run full nodes don't need that stuff
15:18 < maaku> the difference between your approach and mine is that I'm trying make full use of the structure and incentivise people to make it available
15:18 < maaku> whereas you seem to be doom-and-gloom predicting its inevitable demise
15:19 < helo> ensuring miners can't make rule changes requires a lot of non-mining nodes to be involved in deep validation
15:19 < maaku> petertodd: neither miners nor full nodes need the utxo set!
15:19 < maaku> that's what updatable proofs are about
15:19 < petertodd> maaku: I know, but now to spend a coin you need the assistance of someone who does, whereas with TXO commitments you do not
15:20 < petertodd> you just need blockchain data from now to when the txo was created
15:20 < petertodd> that's a significant savings
15:20 < maaku> yes, but don't pretend that TXO commitments don't have down sides
15:21 < petertodd> yes, but as I argue the fact that electrum implements transaction lookup, rather than UTXO lookup, is indicative of the fact that those downsides aren't actually all that important
15:22 < maaku> ... that's a total non-sequitur
15:23 < petertodd> how so?
15:23 < maaku> with TXO you are requiring access to the full block chain since the txo was created, vs a summary of that data
15:23 < jrmithdobbs> petertodd: oh wow, i missed the 10-20 minutes before hand to understand the context of that state comment, different than what i meant by state ...
and this whole conversation makes much more sense (and is more evil) now that I have
15:25 < maaku> and i'm not sure offering electrum up is a model for how we should do things
15:25 < maaku> jrmithdobbs: transactions are responsive to state already (the UTXO state)
15:26 < maaku> the objection to having state in scripts is that a reorg could make the transaction invalid ... but that can already happen
15:27 < maaku> so long as the conditions for invalidation can be quantified and other unconfirmed transactions checked for that, the status quo remains
15:28 < petertodd> maaku: right, so I have a wallet, I'm m blocks behind, and I need to sync it to get the current balance. With UTXO commitments that's a O(log2(n)) lookup per scriptPubKey, with TXO commitments that's O(m*log2(n))
15:28 < petertodd> OTOH, if I also want to get transactions too - which it seems that users like having - they're both the same
15:29 < petertodd> I argue that the common case is m is small - people sync their wallets reasonably frequently - so the additional overhead isn't a big deal and *is* worth it in the context of long-term viability of the system.
15:29 < maaku> petertodd: no, the UTXO record has the block height, which they can go to directly
15:32 < petertodd> maaku: ok, I'll grant you that: if you assume transactions involving the scriptPubKey's were all not spent then you don't need to scan, but if you want to see all possible tx's, including spends, you do need to scan
15:33 < petertodd> maaku: also with regard to my point about security, having the height *does not* change the single-confirm security that UTXO commitments give you
15:35 < maaku> why?
15:35 < maaku> you know when it was originally confirmed, to the extent that you can trust the index at all
15:38 < petertodd> maaku: how do you know transactions between that single *tx proof* and now do not exist?
15:39 < petertodd> you still only have a single confirm of evidence about the state of the UTXO set
15:39 < maaku> by watching the blocks go by ... same as TXO commitments
15:42 < petertodd> maaku: no, with txo commitments you naturally do that at startup is my point
15:42 < petertodd> maaku: anyway, the security aspect wasn't the main issue I had with UTXO
15:43 < petertodd> again, long-term scalability is really important; txo commitments pushes the costs of a UTXO to the right people
15:44 < maaku> petertodd: this is my disagreement. the right people are, imho, the miners
15:44 < maaku> they're being paid to provide a service. they should actually provide useful service
15:47 < petertodd> well I'd like them to wipe my ass while we're at it :P
15:47 < petertodd> anyway, the most important service they provide is decentralization, so optimize for that
15:47 < petertodd> you optimize for that by keeping costs low
15:47 < maaku> gmaxwell: it seems SHA-512 is faster on 64-bit CPUs? then it's a better choice, no argument there
15:48 < petertodd> and full-node decentralization matters too, so keep costs low for that too so you have verification that the miners are actually being honest
15:48 < nsh> (or by keeping costs from scaling sublinearly)
15:48 < nsh> (ideally)
15:48 < petertodd> nsh: ideally every node is a full node!
15:48 < petertodd> nsh: less than that is a compromise
15:48 < maaku> petertodd: i imagine a future where asic/fpga validators much these utxo proofs
15:49 * nsh nods - all is compromise
15:49 < petertodd> maaku: that's not particularly decentralized - that's custom hardware
15:49 < maaku> yes, but mass produced and widely distributed
15:49 < maaku> the asic rollout has shown that this aids decentralization, compared with general-purpose computing solutions
15:49 < petertodd> that's a bunch of handwaving frankly
15:50 < nsh> i think without dual-use you get specialization, which is kin to, if not a species of, centralization
15:50 < petertodd> no, asics are a decentralization disaster: control of bitcoin is held by well under a half-dozen companies
15:50 < petertodd> the last thing we need is more of that
15:51 < maaku> petertodd: control is held by the people who own the asics
15:51 < maaku> that's more than a half-dozen companies
15:51 < maaku> and it's way better than when I first got involved with bitcoin and it was 2-3 botnets that controlled bitcoin
15:51 < petertodd> anyway, asics can't fix the problem that to start a new node requires getting the UTXO set from someone else, and the size of that data may be huge
15:53 < petertodd> maaku: the number of companies with competitive chip fabs is about three
15:53 < petertodd> maaku: sub-contractors don't count
15:54 < petertodd> maaku: er, I mean companies that contract those designs to those fabs
15:55 < petertodd> We're probably stuck with ASICs for the PoW, but there's no reason to think involving more of them is a good thing, especially since if Bitcoin fails because of chip-fab-related centralization it'd be much preferable to take the same technology and replace the PoW with a more asic hard one.
16:24 < helo> is botnet-related centralization better or worse than chip-fab-related?
16:24 < helo> not a false dichotomy afaict
16:37 <@gmaxwell> maaku: {cite} Bitcoin was never controlled by botnets, having seen detailed logs from large pools there certainly were large botnets, but gpu powered bots were largely a later revelation.
17:11 < amiller> i'm trying to come up with a way of projecting what the relative cost per operation would be using rsa operations rather than sha2
19:10 < gmaxwell> wow, unethical headlines say what? "bitcoin-protocol-vulnerability-could-lead-to-a-collaps"
19:58 < petertodd> gmaxwell: meh, don't fall in love with your babies. It's a deeply ugly issue, just like all the other centralizing forces are, and we're naive to assume it won't be a problem.
19:59 < gmaxwell> petertodd: I'm not saying its a non-issue, I'm saying it's being heavily exaggerated, and I think it's _less_ of a centralizing force than many other ones that people don't care about at all.
19:59 < petertodd> The deeper problem is it's easy to see how Bitcoin could still be useful to some people, and hence valuable, even if it was mostly centralized... like right now in the short term. Add some more centralizing forces and that can become a long-term, permanent thing, where mining is a weird cartel.
20:00 < petertodd> gmaxwell: Sure, but given that those other issues *are* plenty real, I'm going to call the headline reasonable, even if it's more than just one issue that makes it reasonable.
20:01 < gmaxwell> I suppose it's fine to see people pointing out the centralizing forces are a risk. I suppose that's news to people who are not me. :)
20:01 < petertodd> Well, yeah, lots of people don't understand that stuff at all.
20:02 < petertodd> Anything that gives people the accurate impression that Bitcoin's decentralization is mostly a function of the community at best is probably a good thing, and I'd say it's ethical reporting.
20:02 < gmaxwell> This is kind of a lame context for it though.
20:02 < petertodd> (IE the technology is broken, and absent community pressure we'd see 51% pools)
20:05 < petertodd> Anyway, tech question: has anyone ever seriously analyzed the effects of a chain-selection algorithm that counted total work, that is one where work could be worth more if it was especially under the target?
20:09 < gmaxwell> petertodd: yea, I ran a simulation on that (counting target instead of work) in 2011, uh, I should look for logs. What I concluded was that it created huge incentives to delay announcing solutions.
20:10 < petertodd> gmaxwell: Right, that's what I concluded. On the other hand, if you add a cutoff, where work is never more valuable than a certain amount, that seems to reduce the incentives, while maybe preventing the selfish miner attack.
20:11 < gmaxwell> I'm doubtful but haven't tried that. I haven't really had time to think about it much though.
20:12 < gmaxwell> through the day I've warmed a little to their "solution"
20:12 < petertodd> Well, basically the decision to not announce is based on the strength of your solution, given that there's a certain chance the other hashing power would come up with a better solution than you do.
20:12 < petertodd> ha, for me it's the exact opposite: their solution asks miners to do what's against their short-term economic incentives.
20:13 < gmaxwell> oh to actually be random? interesting point.
20:13 < petertodd> Yeah. Even with someone trying to carry out that attack, you're better building on the block the majority is regardless.
20:15 < petertodd> I gave it a go at working out the actual equations for expected return for a given amount of hashing power, and first try popped out the answer that if solution value is random, it always makes sense to reveal your blocks. Though I suspect I screwed that up somewhere...
20:17 < gmaxwell> petertodd: if the solution is random and you have a lot of hashpower, then you should delay. I thought the threshold was like 40% but uuk was saying 33% earlier.
20:17 < petertodd> uuk?
20:20 < sipa> UukGoblin
20:21 < petertodd> ah. Anyway, that's why I suspect I screwed up. :)
20:23 < sipa> i seem to remember a number closer to 40-45% ish
20:23 < sipa> but i never thought hard about it, or looked up where the number came from
20:24 < petertodd> Yeah, anyway, IMO something like that wouldn't be too bad, so long as the incentives to hide blocks were under control - the paper's solution worries me given that it's not economically rational. Good to have an alternative.
22:07 < midnightmagic> how does withholding a block not penalize the selfish miners and wouldn't their activity be discernible without an accompanyingly-expensive sybil network?
22:08 < midnightmagic> Also, if centralization is a risk to the value of the currency, then why would "rational" miners mine to increase centralization and thus decrease trust in the currency?
22:09 < gmaxwell> it would be trivially discernible.
22:09 < gmaxwell> midnightmagic: why do we have mining pools with 30% hashpower or whatever?
22:09 < midnightmagic> because everyone thinks the magic number is 51%
22:10 < gmaxwell> midnightmagic: delaying the block only penalizes them if they lose the race against a competing block as a result, the paper argues that with the right network stunts they can avoid that.
22:10 < gmaxwell> well perhaps this paper will help then.
22:10 < gmaxwell> or make it worse.
22:10 < gmaxwell> if people think a 30% pool is doing bad things perhaps they'll join it.
22:10 < midnightmagic> it seems to me all this is already well-known.
22:11 < midnightmagic> (at least among people who care anyway)
22:11 < gmaxwell> well I don't think I had considered the ability to network-attack to shift the balance.
22:33 < petertodd> midnightmagic: my ELI5 explanation: https://bitcointalk.org/index.php?topic=324413.msg3484951#msg3484951
22:35 < petertodd> Basically the attack leverages an investment in low-latency nodes and networks - if all miners do it the miner that wins is the one with the least latency per dollar, very roughly speaking.
22:36 < petertodd> Unfortunately least latency per dollar is very likely to mean "huge up-front costs", a strong centralization force.
22:58 < midnightmagic> hrm..
23:14 < midnightmagic> p2pool blocks seem a tad inoculated against it.
23:18 < petertodd> why?
23:18 < midnightmagic> p2pool simultaneously releases blocks to all member bitcoind when a successful p2pool share exceeds bitcoin target
23:19 < midnightmagic> .. or so I thought
23:19 < petertodd> p2pool doesn't do anything "simultaneously" any more than the bitcoin network itself does
23:19 < midnightmagic> the p2pool share is smaller than a bitcoind block. its propagation is faster.
23:20 < midnightmagic> in a minor sense, we're already using the nature of p2pool to get our blocks broadcast faster than normal pools with monolithic network infrastructure can
23:22 < midnightmagic> this is probably why this new paper doesn't feel novel.
23:24 < midnightmagic> of course, gmaxwell can correct this in the event it's a misapprehension of p2pool operation
23:24 < midnightmagic> or forrestv
23:24 * midnightmagic waves.
23:27 < midnightmagic> of course, I guess they could just listen to the p2pool network for solutions and short-circuit us that way..
23:31 < midnightmagic> but we're still short-circuiting actual block propagation.. so..
23:31 < petertodd> exactly. I suspect this stuff will turn out to be latency driven, so a successful selfish miner will be one with access to low-latency optimized networking
23:32 < midnightmagic> if we presume our txn list is similar across the network, could we use a p2pool-like short-msg to propagate blocks more rapidly over the pre-existing network?
23:33 < midnightmagic> and thus make the attack more expensive, without convincing everyone to use p2pool subgroups
23:33 < petertodd> of course we could, but we'll still lose out to the guy with access to dedicated fiber arranged along min-distance great circles...
23:35 < amiller> you can use my bitcoin mapping technique to find the best number of people to connect to to be one hop away from everyone
23:36 < petertodd> amiller: email them! I spoke briefly in private with them, and they sounded interested in writing more papers
23:37 < midnightmagic> it would amuse me if the long-run fiber being contemplated in canada to avoid US traversal became a superior bitcoin-propagation network due to a decreased number of router fabric traversals
23:37 < midnightmagic> poor-man's geographic bisection
23:40 < petertodd> that would frighten me... I pointed out on the email list how in general orphans will encourage bitcoin mining pools, and even the hardware itself, to be centrally located geographically
23:58 < midnightmagic> petertodd: What would frighten you? Everyone moving to a bunch of p2pool subgroups or amiller's suggestion to map bitcoin and accelerate the coming of a new Mining Age? :)
23:58 < midnightmagic> not to mention possibility of network segmentation
23:59 < midnightmagic> also: amiller is this the mechanism you were discussing with me a while back?
23:59 < petertodd> heh, nah, just how it'd give strong incentives for everyone's pools to move to the same country/town/datacenter
23:59 < midnightmagic> ah, yeah for sure
--- Log closed Tue Nov 05 00:00:20 2013
--- Log opened Tue Nov 05 00:00:20 2013
00:05 < gmaxwell> p2pool effectively pre-forwards blocks to peers, and announces simultaneously from the whole p2pool network. in theory this confers some latency advantage, but it probably only just balances out poorly run nodes.
00:06 < gmaxwell> Although it's at 103.2% of its all-time expectation, and that includes a swath of working before those changes when it was at <100% (though now it's kind of relatively small compared to the current hashrate)
00:06 < gmaxwell> well, indeed "simultaneously"
00:06 < midnightmagic> gmaxwell: Are you able to translate this? https://twitter.com/eevee/status/397578223434752000
00:07 < gmaxwell> midnightmagic: the fix they propose introduces a vulnerability, though reasonable people could debate if it were better or worse.
17:03 < gmaxwell> jtimon: at some point it becomes "look, just donate a @#$@ dollar to us, as it'll let us do 1000x more computation than we could do if we used you"
17:03 < maaku> jtimon: no it's only in the range of 3-5 repetitions, max
17:03 < jtimon> I see
17:04 < gmaxwell> since users do many jobs if they assume users will cheat consistently I assume they don't need many reps to actually be reasonably confident that a user isn't cheating.
17:04 < jtimon> it was maaku who made me believe in that curecoin dream first, so shame on you ;)
17:05 < gmaxwell> It's good to dream.
17:05 < maaku> well snark proved useless for that, but curecoin is easily adopted onto colored coins
17:05 < jtimon> yeah, gmaxwell I was assuming they were "overconfident on their users" but that was 100x
17:05 < maaku> especially with the new boinc point system
17:06 < jtimon> have you heard about gridcoin?
17:06 < gmaxwell> I'm not yet sure how important it is that the work be worthless, but I'll point out that the difficulty adjustment in bitcoin at least drives the system so that the profit from mining tends to 0. So if 99% of your mining profit comes from the side effect work, the incentive to not use your hashpower to attack (or rent it to someone else who _might_ use it to attack) isn't terribly great
17:06 < gmaxwell> I think for something like boinc remote attestation is probably more useful than SNARKs.
17:07 < jtimon> my friends like grindcore, but that's a different topic
17:07 < jtimon> gmaxwell the problem is not really profits but the value destroyed
17:08 < jtimon> in bitcoin the problem is only in the initial issuance, but in freicoin is perpetual
17:08 < gmaxwell> jtimon: it's no more "value destroyed" than the cost of building a safe or the guy who sits guarding it instead of writing the great american novel.
17:09 < jtimon> what bitcoin does is maximizing production costs to minimize seigniorage
17:09 < jtimon> no, gmaxwell, that's when the 21 M are issued
17:09 < gmaxwell> jtimon: hm? we need high hashpower forever to have acceptable security. Worse we don't have a control loop to set it. maybe less bad than freicoin though since 5% may turn out to be way out of whack if freicoin is widely adopted.
17:10 < jtimon> yeah our concern is 5% being too much security
17:11 < jtimon> if it's too little tx fees are supposed to cover the rest, aren't they?
17:11 < gmaxwell> jtimon: yea but there is no control loop to make sure it does.
17:11 < gmaxwell> Since the system can't detect insecure.
17:12 < jtimon> can we, humans?
17:12 < gmaxwell> If everyone was still cpu mining you could have a difficulty floor that nodes imposed based on how fast they personally could hash... but in the current environment we have no way to achieve a decentralized control loop on the minimum difficulty.
17:13 < gmaxwell> Even humans are bad at detecting insecure until it's too late, the system doesn't fail especially softly.
17:13 < jtimon> my point is that in this case it is directly impossible for the machine
17:14 < gmaxwell> and I expect that if bitcoin is a big thing in the future and if it does fall too low that will be the excuse states need to step in and say "this decentralized thing failed, obviously we need central bank signed blocks from now on"
17:14 < jtimon> the algorithm cannot be based on something exterior
17:14 < gmaxwell> well I dunno, for example, I do have some interesting ideas, but I think they're too weak.
17:14 < maaku> gmaxwell: i think what jtimon is alluding to is freicoin's plan to use a proof-of-stake voting process to determine what percent-of-the-5% is given to the miners (vs. distributed through other means)
17:14 < gmaxwell> maaku: most of those schemes reduce to "miners control" because miners can censor the vote.
17:15 < maaku> so humans through proof-of-stake voting determine the amount of perpetual demurrage adjustment paid towards security, and therefore the break-even difficulty
17:15 < maaku> gmaxwell: hence my recurring interest in this channel in a voting scheme that avoids that, through committed/encrypted votes or some other mechanism
17:15 < jtimon> but the security needed is always proportional to the value transacted, no?
17:15 < gmaxwell> RE: other interesting ideas, here is my best but it only works retrospectively: if you show the network a long fork, any node you show it to could impose a minimum difficulty of some multiple of that in the fork.
17:16 < jtimon> mhmm
17:16 < jtimon> yeah, as you announced it, weak, but interesting
17:16 < gmaxwell> jtimon: no, in a consensus ledger system the value transacted isn't in a simple relationship with security, because the invalidation of your $0.01 transaction could invalidate a $100000 transaction.
17:18 < gmaxwell> I just don't know how to make that fork-minimum difficulty scheme work prior to a devastating attack, except via altruists that use it to peg up the difficulty.
17:18 < jtimon> gmaxwell, yeah, because inputs/outputs are not accounts, I never thought of it that way
17:19 < jtimon> so it is completely impossible to have an appropriate security regulated from within, again, that's not a fatal flaw
17:19 < gmaxwell> I am no longer so quick. I used to say a secure decentralized consensus system was impossible.
17:19 < jtimon> you just need to soft-fork minimum fees...wait I don't want to go that route
17:20 < gmaxwell> miner collusion breaks a lot of other assumptions in the system.
17:20 < gmaxwell> Maybe it would be tolerable in something where everything was encrypted and anonymous and collusion couldn't usefully be used to do other things.
17:20 < jtimon> hehe, yeah, I think many of us knew bitcoin like that "look, this impossible thing turned out to be possible"
17:20 < gmaxwell> but even then, that's not a security control loop.
17:21 < jtimon> you want feedback
17:22 < jtimon> and I'm telling you you can't hear anything from the outside because the outside is real and you're not
17:22 < jtimon> "you" are the network
17:23 < gmaxwell> jtimon: for example, we can happily prevent miners from advancing the network clock far into the future and mining up all the coins.
17:23 < jtimon> "because the outside is real and you're not" wasn't very appropriate
17:23 < gmaxwell> if security were detectable by single nodes, we could enforce security the same way.
17:23 < gmaxwell> E.g. if the best you could do was cpu mining and cpus were relatively consistent, then every node could enforce a minimum reasonable difficulty based on their own speed.
17:30 < midnightmagic> whoah. no route to host?!
17:33 < midnightmagic> jtimon: Are you on dialup or something?
17:34 < jtimon> sorry, my laptop died
17:37 < jtimon> and I have to dinner...
17:37 < jtimon> minimum difficulty intuitively sounds bad though
19:17 < jgarzik> This is fun: http://www.foreignpolicy.com/articles/2013/11/19/stuxnets_secret_twin_iran_nukes_cyber_attack?page=full
19:18 < jgarzik> Iranians compensated for unreliable centrifuges with volume, just like we compensate for unreliable P2P nodes with volume
20:06 < maaku> Iran's cyber security gurus: "we keep building you secure facilities, and you total newbs keep plugging in usb drives you found in the f@*&ing street"
--- Log closed Sun Dec 01 00:00:22 2013
--- Log opened Sun Dec 01 00:00:22 2013
04:46 < fagmuffinz> I hear you're all smart as fuck
05:06 * gmaxwell puts on his robe and wizard hat
05:09 < Mike_B> here's a question that probably belongs here rather than #bitcoin-pricetalk... i've been thinking a lot about generalized PoW functions, and how to make sense of them from the standpoint of computational complexity. has anyone worked that out before?
05:09 < Mike_B> for instance
05:09 < Mike_B> let's say hashcash is a function hashcash(input, nonce, d), where d is difficulty, written in unary. given that definition of hashcash, it'd be in TFNP, right?
05:10 < Mike_B> sorry, to be clear, i'm envisioning d as "number of leading zeros," or something like that
05:11 < gmaxwell> right you're being clear, but you may want to repeat that in a few hours when adam3us rejoins, since I'm sure he'll be interested too. :)
05:11 < Mike_B> so that brute forcing a solution is O(exp(d)), but checking a solution is O(whatever SHA256 is)
05:11 < Mike_B> oh is that adam back?
05:12 < gmaxwell> (there is some interesting history on hashcash about the target, apparently the idea of just using a trivial preimage was a later idea... IIRC from comments adam made in the past)
05:12 < gmaxwell> Yea.
05:12 < azariah4_> Mike_B: it would depend on the algo in question though, not sure how much one can say about it in the generalized case
05:13 < Mike_B> gmaxwell: yep, i read the hashcash paper and i saw where he talked about someone suggesting later to just use x leading 0s
05:13 < gmaxwell> well if you want to talk about the difficulty of partial preimages, I suppose the complexity depends on the distribution of the values. e.g. I can give you a constant time hashcash, the hash function always returns all zeros, for example.
05:13 < azariah4_> in general hash functions have 2^B where B is number of bits to brute force and constant time to verify
05:14 < azariah4_> though technically it's not constant I guess, but also depends on number of bits, which is just constant on modern CPU archs if e.g. the number of bits fits in 2 words
05:15 < Mike_B> gmaxwell: yeah, i guess i'm making the assumption that the probability distribution for which things hash to which SHA256 hashes is totally flat
05:15 < Mike_B> (i could formalize that nicely with natural density if you like)
05:16 < Mike_B> but i suppose it could be the case that SHA256 doesn't have anything hashing to less than a certain max value, so that if difficulty is less than that, hashcash will never halt
05:16 < Mike_B> azariah4_: yes i agree
07:51 < petertodd> So secure timestamping - or to be exact ordering - is necessary but not sufficient: a timestamp is only valuable if I can be guaranteed to know about the conflicting transaction. Thus the blockchain serves as a publication medium, where anyone accepting a payment can be confident that by looking in the blockchain they are aware of all possible double-spends.
07:52 < adam3us> petertodd: i am unclear why you say readership though - the fact that a random powerful miner (or a lucky weak miner) voted on a tx does not guarantee that everyone saw it
07:52 < petertodd> Of course, because double-spends are invalid, *as an optimization* we don't allow them into blocks. But remember, that's just an optimization!
07:52 < adam3us> petertodd: ok yes, we are saying the same thing
07:52 < petertodd> Sure, but it is proof that the people doing the mining saw it.
07:53 < petertodd> Yeah, and currently Bitcoin is a really, really primitive proof-of-publication system, because the blockchain itself has no structure, so to convince *yourself* that a double spend doesn't exist you need the whole damn thing.
07:53 < adam3us> petertodd: i made an observation that an auditable namespace is actually the same function .. ie if you set the txout to the name you can build that on a decentralized auditable namespace, or conversely you can use bitcoin as an auditable namespace if you encode your name in the txout (or in its hash inputs)
07:53 < petertodd> Yup.
07:54 < petertodd> So, UTXO commitments are then just a way of getting proof that some data - a spend of the txout - was *not* published in the blockchain without having the whole chain.
07:54 < adam3us> petertodd: hence namecoin - i guess those guys saw the same thing as their motivation but i wrote about auditable namespace in 2001 http://www.cypherspace.org/p2p/auditable-namespace.html
07:55 < adam3us> petertodd: (not so interesting) but it's a useful simple concept to think about
07:56 < adam3us> petertodd: yes. so is this the idea to encode them in a trie so you can more efficiently have a compact proof of present/not-present in a tree?
07:56 < petertodd> So back to our original point about decoupling, when it comes to proof-of-publication, using proof-of-stake to prove publication would actually be totally reasonable. (for instance)
07:56 < petertodd> adam3us: Yes: take the whole UTXO set, put it in a merkelized radix tree, and commit to the top-level hash in the block somewhere.
07:56 < adam3us> petertodd: yes i think proof of stake is an interesting strengthening factor over pure mining anti-sybil, it may be able to help
07:56 < petertodd> Even though proof-of-stake for mining reward is horribly flawed.
07:59 < petertodd> Yeah, I think proof-of-stake is going to be found to be a necessary but not sufficient requirement to get new crypto-coin systems bootstrapped in the future.
08:00 < adam3us> petertodd: k let's continue this problem definition .. i feel you should possibly sleep :) and i need some breakfast, it's 1pm here :)
08:00 < petertodd> So, as an example, you could have a proof-of-publication by proof-of-stake coin that looked like this: 1) assume the existence of a secure timestamping service 2) publish transactions to a blockchain 3) use proof-of-stake to show that a supermajority of coin owners know about the transaction 4) trust any transaction that everyone knows about.
08:00 < petertodd> ha, nah, I woke up crazy early...
08:01 < petertodd> *that everyone knows about and isn't a double-spend
08:04 < adam3us> petertodd: ok ... i think it's interesting that other than spv clients you don't even need validation (miners to check inputs add up etc) just double use of signature (ordering enforcement or namespace of txouts)
08:04 < adam3us> petertodd: it may be that one way to untangle the dependencies would be to say screw spv, try to improve things without it then get the optimal solution, and try to figure how to re-support spv afterwards
08:05 < adam3us> petertodd: otherwise i think we're stuck in a local design maxima area of very polished satoshi design but possibly non-global optimum
08:06 < petertodd> Interesting isn't it? Bitcoin could have absolutely been designed as a system that did nothing more than give miners the opportunity to create arbitrary 1MB blocks of data; what that data actually means can be determined later by upper layers in the system.
08:06 < adam3us> petertodd: (i know a gifted programmer/crypto guy who makes very elegant, clever but entangled designs, one of my satoshi suspects)
08:07 < petertodd> adam3us: heh, entangled is a great word for this.
08:07 < adam3us> petertodd: and i think it would've been a better system for it
08:07 < petertodd> Me too! Pushing validation to clients is a very good thing for the security of the system as a whole.
08:08 < adam3us> petertodd: yes less smarts in the network enforced rules = more security from coding bug mishap
08:08 < petertodd> Interestingly parasitic consensus systems like Mastercoin and Colored Coins are re-learning this, although I don't think the people behind them fully understand this stuff. (or even partially understand)
08:08 < petertodd> Yeah, of course, having some structure in blocks sure is convenient, but just don't forget that the structure is purely an optimization.
08:09 < petertodd> (yet another thing I need to write a paper on...)
08:09 < adam3us> petertodd: don't you need ordered chunks in blocks?
08:10 < adam3us> petertodd: ie like hash of public key or something with enforced non double use
08:10 < adam3us> petertodd: with committed transactions that's actually all i ended up relying on - the network validation is disabled as it can't read the tx contents, can't tell who is paying who how much
08:10 < petertodd> Nope. Just validate the whole chain and make sure the transaction was the first one spending the txout. Subsequent ones can be ignored.
08:11 < petertodd> Again, the fact that subsequent ones are *banned* allows you to *optimize* by only reading part of the chain, but that's an optimization, not a requirement.
08:11 < adam3us> petertodd: i see, even better; all you need is a timestamping server
08:12 < adam3us> petertodd: maybe you could scale via a tree of time-stamp servers
08:12 < petertodd> Yup. And this line of thinking shows you how the "proof-of-publication" domain required is on a per-txout basis: you need to know about double-spends for a particular txout, not all double-spends.
08:12 < petertodd> Obviously this is inherently shardable!
08:13 < adam3us> petertodd: yes that's an interesting line; however maybe you also need to know the non-double-spent status of the previous 6-blocks worth of inputs the output depends on
08:14 < adam3us> petertodd: well i guess you mean you're validating them all anyway so just wait until the tx you care about is 6-blocks deep
08:14 < petertodd> For instance, you could define a system where every Bitcoin node maintains some small part of the TXO space, ordered lexicographically: the blockchain still exists as a means of timestamping/ordering data, and you can determine if a double-spend exists by examining whatever small shard of the TXO data would have a spend of your transaction.
08:15 < adam3us> petertodd: yes
08:15 < petertodd> The definition is now that a transaction is considered confirmed once the proof-of-publication is sufficiently confirmed.
08:15 < adam3us> petertodd: yes
08:15 < petertodd> Wonderful isn't it?
08:15 < adam3us> petertodd: yes that's pretty f'ing cool :)
08:15 < petertodd> You don't even need to care if other inputs to the transaction are valid! That's the responsibility of the receiver to check, not the miner!
08:16 < adam3us> petertodd: right, ala committed transactions
08:16 < petertodd> If a transaction is invalid because some inputs were double-spent, so what? That's just some extra baggage in the blockchain.
08:16 < adam3us> petertodd: so long as they pay fees for their baggage it's no worse than mastercoin
08:17 < petertodd> You also don't need to know about those inputs either: they can be hidden behind a merkle tree, and the miner doesn't need to have them.
08:17 < petertodd> Yup
08:17 < adam3us> petertodd: yes i reached a somewhat analogous conclusion in thinking about the limits of respending committed transactions without revealing to the block chain
08:18 < adam3us> petertodd: does it reduce blockchain bandwidth though?
08:19 < petertodd> So the only issue with this, is you need *some* way to control the total volume of data, but that's not a big problem: shard this data into more and less expensive versions. Now you can determine what security level you're interested in, while allowing people with really low-value transactions the ability to play in their dangerous playground.
08:19 < adam3us> petertodd: i am thinking it maybe could, with committed tx a problem i ran into was people stuffing the blockchain with forged spends, making your tx unspendable as you couldn't prove that spend was faked
08:19 < petertodd> adam3us: summed over the whole system, no, but the increase is along the lines of log(n), however it does reduce the minimum bandwidth required, and that's the important part
08:19 < adam3us> petertodd: but other than that (and maybe there are other ways to fix that with protocol changes) all you need is a hash output
08:20 < adam3us> petertodd: so the other thing i was thinking, is order doesn't actually matter
08:20 < adam3us> petertodd: ie you need to know an order, but you don't care which order is chosen, it could be random for all you care
08:21 < petertodd> Right. So a subtlety here is that for the sharding to be useful, if a transaction spends a txout it must be considered a valid spend regardless of whether or not the rest of the transaction is invalid.
08:21 < petertodd> What do you mean by random?
00:17 < HM> it's high street and investment banks that people think of as the devil
00:17 < HM> so just use cash, right?
00:18 < gmaxwell> HM: if you've not read http://p2pfoundation.ning.com/forum/topics/bitcoin-open-source
00:19 < gmaxwell> But I absolutely do think that a lot of people worry about central banks, for a great many reasons... (some more dumb than others e.g. inflation seems to be the most worried about thing, but it's probably one of the less harmful things. They engage in incredible acts of economic distortion on a worldwide scale.)
00:21 < gmaxwell> We've invented what amounts to national-scale indentured servitude substantially via the excessive economic power of central banks, which props up worldwide wealth inequality. (And even if I were some kind of inhumane pure libertarian I would still observe that wealth distributions which are too unequal are not just socially unfair, they're objectively inefficient and lower mankind's long-term odds of survival.)
00:24 < HM> I've not really made up my mind on all that stuff
00:26 < gmaxwell> well the proof that too much inequality is inefficient is pretty simple, though it doesn't tell you exactly where too much is: at some point the have-nots will find it in their best interest to take by force, and so increasing amounts of resources have to be diverted to preventing that or defending from it. In the end, cooperation has certain fundamental efficiencies. :)
00:33 < HM> competition and war is also a fairly good equaliser
00:34 < HM> if you're in competition or in a battle, the stable state is parity
00:35 < HM> if you suck, you'll die. if you're too good, they die. either way the competition ends. if it is to continue then parity has to be achieved.
00:36 < HM> it's not clear to me how cooperation is naturally efficient
00:36 < HM> you can pool resources but you can do that through trade
00:38 < Luke-Jr> cooperation/dependency is efficient because you have each person specialise in their one task
00:39 < Luke-Jr> (on the other hand, it has scaling issues at a point)
00:43 < HM> I guess the bottom line is, i'm not yet convinced that monetising debt and loose cannon central banks are really a new kind of threat to society
00:44 < HM> forcing the money supply to grow means you're forcing people to fill the world with goods and services or face desperate inflation and unemployment and mockery from other nations or whatever
00:45 < HM> but everyone's doing it, so it's a bit more like an arms race than anything else
00:45 < amiller> the whole concept of money is a wrong design, it only works if it's "universal," by definition, and it's unrealistic to make it universal
00:46 < HM> i can't agree with that
00:47 < amiller> if economists realized how difficult even 'barter' is to enforce without police, the whole mythic story of money would be a lot different
00:48 < HM> if every nation had their own sovereign bitcoin
00:49 < HM> nobody would be able to set an exchange
00:50 < amiller> that's invalid, there's plenty of exchange between bitcoin and the other goofball knockoffs
01:00 < HM> I'm not so sure it'd work. I think a bit of currency manipulation, while negative overall, can help to smooth off the sharp edges when it comes to trade imbalances
01:07 < HM> i guess what you mean by universal is the
01:07 < HM> not a universal bitcoin that can't be floated.
02:02 < gmaxwell> Someone should create a P2SH address that serves as a bounty for a SHA-256 collision. The script would be something like "OP_2DUP OP_NUMNOTEQUAL OP_VERIFY OP_SHA256 OP_SWAP OP_SHA256 OP_EQUALVERIFY"
02:05 < sipa> ha
02:06 < gmaxwell> We can do this for SHA1 too. :P which is actually more exciting, since that one is more likely to happen.
02:06 < sipa> is there a sha1 opcode?
02:06 < gmaxwell> yup.
02:06 < sipa> orly?
02:07 < gmaxwell> OP_RIPEMD160 / OP_SHA1 / OP_SHA256 / OP_HASH160 / OP_HASH256 (the last is sha256^2 of course)
02:07 < gmaxwell> I think the idea was to use them for binding external systems.
02:11 < gmaxwell> I'm a little surprised that no such bounties already exist.
02:11 < gmaxwell> I looked through every single unusual script in the utxo set and there is basically nothing interesting there.
02:12 < gmaxwell> (well, there were 5 anyone-can-takes which I took, and a single puzzle one for 0.09 btc which I solved. And I will not be surprised if petertodd made that one)
02:13 < gmaxwell> there may be other puzzles but they're ones that involve just guessing the keys.
10:37 < Luke-Jr> psst, come play https://github.com/chronokings/chronokings on testnet with me :P
10:43 < michagogo> Luke-Jr: What is it?
10:43 < Luke-Jr> michagogo: blockchain-based game
10:44 < michagogo> What do I need to get it working?
11:21 < Luke-Jr> michagogo: qmake && make
11:23 < michagogo> Luke-Jr: On Windows?
11:45 < Luke-Jr> michagogo: good luck :P
11:45 < michagogo> Luke-Jr: lol
11:45 < michagogo> What are the dependencies?
11:45 < michagogo> I guess I could boot up my vm
11:45 < Luke-Jr> same as Namecoin-Qt I guess
11:46 < michagogo> Namecoin-Qt?
11:50 < michagogo> Luke-Jr: Hmm, just noticed https://github.com/chronokings/chronokings/blob/master/contrib/easywinbuilder/README.md
11:50 < michagogo> I'll give it a try
14:12 < michagogo> Luke-Jr: Meh, can't get it to build
14:13 < michagogo> Not even in an Ubuntu vm
22:29 < gmaxwell> sipa: in your libsecp256k1 can't you eliminate/highly abbreviate the secp256k1_ge_is_valid when using a compressed key? I think for our curve the definition of being a valid point is not being the point at infinity, and the same y criteria as public key recovery.
22:30 < gmaxwell> sipa: if so, that should make your code a bit faster for compressed keys. (actually, I think it would make compressed keys almost the same speed as non-compressed ones)
22:32 < gmaxwell> (I was looking to see if various things checked that the public point was valid, seeing if I can break anything with the fact that the twist of secp256k1 can easily have the DLP solved for it)
23:32 < gmaxwell> (I was impressed that the 'factor' command could handle 1286578769603068245382716924545379906921918859152521322839515520912848165551 )
23:32 < gmaxwell> (a 256 bit number)
23:39 < gmaxwell> Luke-Jr: did you get that game working? I think I just got it compiled.
23:40 < Luke-Jr> gmaxwell: yeah, played for a bit and got bored :P
23:40 < Luke-Jr> guess I can hop back on
23:40 < gmaxwell> do I just run the resulting executable? does it need a node running?
23:40 < gmaxwell> is it namecoin based?
23:41 < Luke-Jr> it seems to just work
23:41 < Luke-Jr> yes
23:41 < Luke-Jr> bah, someone killed me again I think
23:41 < Luke-Jr> gmaxwell: note all activity is testnet
23:41 * Luke-Jr ponders if Eligius should have rate-limited it
23:41 < Luke-Jr> (mining, I mean)
23:42 < gmaxwell> oh, it's namecoin testnet?
23:42 < Luke-Jr> I hope not the real namecoin one!
23:42 < Luke-Jr> I would feel bad for polluting it
23:42 < gmaxwell> I don't appear to be connected.
23:43 < Luke-Jr> hrm
23:43 < gmaxwell> got a node I can -connect?
23:44 < Luke-Jr> wait, UPnP is broken
23:44 < Luke-Jr> so that won't work :/
23:44 < Luke-Jr> try 192.241.222.65
23:45 < Luke-Jr> hrm
23:45 < Luke-Jr> my client keeps crashing due to memory allocation failures :/
23:46 < gmaxwell> hacking directly on the client is a dumb way to implement something like this. :P
23:47 < Luke-Jr> :p
23:48 < gmaxwell> yea, can't reach that host.
--- Log closed Tue Sep 10 00:00:23 2013
--- Log opened Tue Sep 10 00:00:23 2013
01:05 < sipa> gmaxwell: only around 50% of possible x coordinates lie on the curve
01:05 < sipa> as for each x, there are 2 y coordinates
01:06 < sipa> and the field and group sizes are very similar
01:06 < gmaxwell> yes they're similar, but the twist group order has a bunch of factors.
01:06 < gmaxwell> So it should be pretty inexpensive to solve the DLP over it (though I've never done it!)
01:06 < gmaxwell> (maybe I should try)
01:08 < gmaxwell> sipa: I guess I knew that 50% of the X were on the curve, as I wrote that to mike in an email this morning! but after staring at a bunch of math I wasn't seeing the missing condition after key recovery.
01:08 < gmaxwell> I guess I'll work it out on paper.
01:09 < phantomcircuit> gmaxwell, hehe
01:09 < phantomcircuit> i hate when that happens
01:10 < phantomcircuit> "WAIT I KNOW THIS"
01:10 < gmaxwell> it's not too hard to reason yourself into corners.
01:17 < gmaxwell> sipa: fwiw, http://en.wikipedia.org/wiki/Pohlig%E2%80%93Hellman_algorithm
01:23 < Luke-Jr> gmaxwell: do HD wallets have a possible privacy vulnerability where if you can identify N of them maybe-in-sequence, you can figure out the master pubkey?
01:25 < gmaxwell> Luke-Jr: No, not without like .. most impressive crypto break ever.
01:25 < Luke-Jr> hmm ok
01:27 < gmaxwell> the most obvious way to do this would be to crack two of their private keys in sequence, then find their difference, then search for an extended public key,i such that i and i+1 give you that difference. This is made hard because the extended public key goes through sha512 hmac.
13:55 < Guest4867> gmaxwell: re CoinJoin: if the outputs are sorted by signature, then doesn't that achieve a random shuffle?
13:55 < Guest4867> in other words the person proposing the join no longer knows the identity of outputs
13:56 < maaku> ^^ was me
13:58 < maaku> the participant contributes a blinding, and the proposer contributes the signature, but separately there's no way for either party to figure out what the unblinded signature will be, and therefore the final ordering
14:00 < gmaxwell> I think that sounds fine, but I may not understand what you're trying to solve there. e.g. just putting them in the order they were disclosed would be okay if parties waited random amounts of time to disclose
20:51 < gmaxwell> that bit itself isn't secure, since someone could find another message where all the words had higher values than your message, but you can add a couple more checksum words, e.g. 3 for the case of 64 words. with their heights set to a sum of the others such that you can't reduce any of the message words without increasing at least one of checksum words.
20:52 < gmaxwell> in any case, that covers both the kinds of branching we've talked about.
20:54 < gmaxwell> so I suspect that if our language is done well, it actually reduces to one of these hash signatures... it's just doing some extra execution along the way. :P
20:54 < gmaxwell> or at least these signature schemes should express themselves very naturally in the script.
20:57 < gmaxwell> sipa: so here is another kind of 'choice': a choice where the permitted script is provided by the ScriptSig, validated by a key provided in the script and a checksig instead of a hash in the script.
20:57 < sipa> gmaxwell: actually, that fold operator can just be encoded using choice
20:57 < sipa> at every iteration you do a choice that just contains another instance of f
20:57 < gmaxwell> choiceL( choice(choice()))
20:57 < gmaxwell> yea..
20:58 < sipa> of course, if you provide a normal language construct for fold
20:58 < sipa> as an optimization
20:59 < sipa> you could provide a merkleizing one too
21:01 < gmaxwell> adam3us: So, is there a way with ECDSA, given three messages pick a pubkey,r,s such that pubkey,r,s is a valid signature of any one of the three messages?
21:02 < gmaxwell> I guess pubkey,r,s isn't going to be smaller for just three. Alas.
21:02 < gmaxwell> (so much for my ghetto homomorphic hash idea. :P)
21:19 < jcrubino> is there a workbook for bitcoin wizards in training?
21:22 < gmaxwell> No. I suppose I should make a references list?
21:22 < gmaxwell> a lot of the things we discuss have no references though.
21:22 < gmaxwell> E.g. I can't cite anything for merkleized abstract syntax trees.
21:30 < sipa> roconnor came up with those in an IRC pm with me :)
21:44 < petertodd> jcrubino: I keep threatening to write a book
21:44 < jcrubino> petertodd: I'll help
21:44 < jcrubino> Is it possible to download the dev mailing list from source forge?
21:45 < petertodd> jcrubino: I don't think so
21:45 < petertodd> how far back do you want?
21:47 < jcrubino> As far back as can be got
21:47 < jcrubino> I would like to do this: http://www.princeton.edu/~achaney/tmve/wiki100k/browse/topic-presence.html
21:47 < jcrubino> for the mailing lists
21:48 < jcrubino> tldr: topic modeling of the message contents
21:49 < petertodd> jcrubino: I've only got just under a year's worth
21:50 < jcrubino> I could post to bitcointalk to ask for donations; but not sure how uniform they will be coming from different mail clients
21:51 < petertodd> jcrubino: well, text should be same I guess?
21:51 < petertodd> you can compare against different people's copies by message id
21:56 < jcrubino> petertodd: how close to live release is mastercoin?
21:56 < petertodd> jcrubino: it has been released, for some value of "release"
21:56 < petertodd> jcrubino: there's live code out there that lets you move mastercoins around - is that useful however? good question
21:56 < jcrubino> true enough
21:57 < jcrubino> I was going to ask what is going to be the first real world use case and then I remembered Willett's original slide presentations
21:58 < petertodd> ...and what did you remember?
21:58 < jcrubino> A better question then is how far is bitcoin from 2.0?
21:58 < sipa> we're not even at 1.0...
21:58 < jcrubino> The good and the bad; he included it all
22:01 < jcrubino> sipa: will we have no idea what 2.0 will be until we get there?
22:02 < sipa> i suppose
22:02 < petertodd> jcrubino: huh, interesting view of it... I'd say JR didn't include much at all, at least from what I remember
22:02 < petertodd> jcrubino: there will be multiple competing 2.0's is my prediction
22:02 < sipa> yeah
22:05 < jcrubino> ok wizards what is the most important thing to grok about bitcoin at the protocol level for wizards in training to be effective developers?
22:07 < sipa> i doubt wizards are a subser of developers
22:07 < sipa> *subset
22:07 < sipa> here it's much more about things that are cool to think about, beyond-bitcoin
22:07 < sipa> some that may be far from ever being implemented
22:08 < sipa> i see myself much more as a developer than as a wizard (mostly because of lack of time to keep up...)
22:09 < petertodd> sipa: agreed, and in the exact opposite situation personally
22:11 < andytoshi> jcrubino: the first reference i was given here was about random oracles, and that led me through a very enlightening reference chase:
22:11 < petertodd> jcrubino: I think the most fundamental thing I've discovered is the concepts of how mining can be separated into timestamping and proof-of-publication
22:11 < andytoshi> http://blog.cryptographyengineering.com/2011/09/what-is-random-oracle-model-and-why.html
22:11 < andytoshi> http://blog.cryptographyengineering.com/2011/09/what-is-random-oracle-model-and-why.html
22:11 < andytoshi> http://cseweb.ucsd.edu/users/mihir/papers/ro.html
22:11 < andytoshi> also see the fiat-shamir paper and 'probabilistic encryption' by goldwasser and micali
22:11 < andytoshi> if you can grok all those, that's enough background to ask intelligent questions re the crypto discussion
22:12 < andytoshi> petertodd: you have a writeup about this which i think is a very concise introduction to that idea
22:13 < andytoshi> i've lost the link and i didn't actually read it the first time, but that was my impression from the first few paragraphs :P
22:13 < andytoshi> s/concise/detailed
22:13 < petertodd> andytoshi: thanks
22:13 < jcrubino> thank you all, looks like some great reads
22:14 < petertodd> andytoshi: and I think that good writeup is also another important wizard lesson about Bitcoin: it's actually got very little to do with cryptography as you normally think of it
22:15 < andytoshi> petertodd: agreed, the regular crypto is necessary to banter about specific signature schemes (and to understand security models), but distributed consensus is its own field
22:17 < andytoshi> people here are very good at designing protocols which use bitcoin as a secure timestamp oracle, something i haven't quite got the hang of
22:17 < petertodd> andytoshi: yeah, and furthermore *decentralized* distributed consensus is its own field again, notably a field where discussions of things like politics actually are relevant
22:19 < andytoshi> petertodd: yeah, i had a non-bitcoin-related political discussion earlier today and i realized that my naive libertarian beliefs have been greatly changed by discussion here about incentive structures in decentralized systems
22:20 < andytoshi> at that distance, i suppose it's just game theory, but decentralized distributed consensus systems give a very efficient model of this
22:20 < andytoshi> where a lot of the noise of human interaction is removed (by design) thanks to the trustless protocols
22:22 < petertodd> yup, and a very unforgiving model too, where you get to deal with relatively non-ideal participants
22:22 < gmaxwell> well when you spend a lot of time thinking in an adversarial model it changes how you think.
22:23 < gmaxwell> Normal thinking is strongly biased to thinking about the common cases, adversarial model thinking is biased to spend time thinking about the worst possible outcome.
22:25 < petertodd> which is what the non-wizards find so hard to deal with - witness the discussions of GHash.IO for instance
22:29 < gmaxwell> petertodd: I've found it interesting that people think there is no issue, then they get this "51% attack" idea in their head and think that like if ghash.io gets 51% then suddenly all the bitcoins will be theirs and then that misconception is removed and they're back to saying that there is no issue at all.
22:30 < gmaxwell> I guess this happens with all things. Foo causes cancer! No it doesn't. Oh great! Everyone eat foo! Wait wait.
22:30 < petertodd> gmaxwell: suggests to me that people don't really understand the nature of the signatures in transactions, heck, likely they don't understand them at all
22:31 < CodeShark> most bitcoin users still probably believe that their bitcoins actually reside on their own computers and that addresses are where they are actually kept
22:32 < petertodd> CodeShark: oh, that's a good addition to the -wizards basic training list: understand semiotics and the distinction between sign, signified, and signifier
22:32 < gmaxwell> CodeShark: well the whole question of 'residing' deserves a Mu.
22:35 < gmaxwell> The answer "in the blockchain" is also wrong thinking: what happens if a blockchain is MMR compressed and only you have the data to prove your coins exist? Is it back in your possession now? What if that data has been further split into multiple parts with an error correcting code and spread to multiple machines. Now where does the coin reside?
22:35 < andytoshi> gmaxwell: oh, Mu is a very clean answer, thanks
22:36 < petertodd> gmaxwell: a good counter-question to that fallacy is to ask people where does the song "Happy Birthday" reside exactly?
22:36 < andytoshi> gmaxwell: i spent an hour with a math grad the other day describing various cryptosystems and asking "where is the information stored"?
22:36 < gmaxwell> (and of course even ignoring MMR and whatnot wizards wank, it's kind of surprising to say something "resides" someplace public but can't be taken from there by anyone with access)
22:38 < gmaxwell> But also equally insane to say something like a coin resides with its private key, when the private key could be on a relativistic rocket and forever causally disconnected from any payments to it... :)
10:33 < andytoshi> at this point it's probably okay to do so without irritating anyone
10:34 < andytoshi> ;;cjs
10:34 < gribble> Coinjoin Status: The current session is open for 15 more minutes. There are currently 1transactions in the pot. The most popular output value is 0.107428.
10:34 < andytoshi> ;;cjs 196bfaf16b1dbfb9
10:34 < gribble> Coinjoin Status: The current session is open for 15 more minutes. There are currently 1transactions in the pot. The most popular output value is 0.107428.
10:34 < andytoshi> hmm, it should say the codeword as long as you give it the hex..
10:34 < andytoshi> ;;cjs 196bfaf16b1dbfb9
10:34 < gribble> Coinjoin Status: Session Propaganda Aum 20755-6000 Privacy bet PRF : open for 15 more minutes. There are currently 1transactions in the pot. The most popular output value is 0.107428.
10:39 < jgarzik_> cute
11:31 < kinlo> 15 min is a bit short, no?
11:31 < andytoshi> kinlo: i think so, it's hard to say what would be optimal. if it's too long people will forget about it
11:32 < kinlo> true, you do want people to get it over with, sign within a certain time frame
11:32 < kinlo> but 15 min requires some coordination
11:32 < andytoshi> yeah -- but if you have coordination, 15 is almost too long :P
11:33 < kinlo> perhaps some kind of untimed participation would be better, just create one, get a private url to paste to those working together, then close off by the one creating it? :)
11:33 < kinlo> just brainstorming here
11:34 < andytoshi> nah, i like this, it minimizes the trust/obligation of the participants
11:34 < andytoshi> if it were popular, 15 minutes would be fine
11:35 < andytoshi> i just bumped it up to 20, we'll see how that works
11:35 < kinlo> I'm just considering the boycott options, if I just add into your transaction and never sign, the entire thing is going to fail
11:43 < andytoshi> yeah, that's also an argument for low timeouts
11:44 < andytoshi> if it gets to be a problem, i'll make people sign with their inputs, and blacklist them, and require more than 1 conf
11:44 < andytoshi> but i don't think so, it's a fairly complex technical and you don't get to see your victims' reactions
11:46 < andytoshi> technical troll*
11:49 < jgarzik_> like a technical virgin?
14:02 < michagogo|cloud> andytoshi: inputs are somewhat cheap :-/
14:07 < andytoshi> michagogo|cloud: this is true, the goal would be to rate-limit an attacker .. there's not much i can do with a UI like this
14:08 < andytoshi> maaku's design is entirely automatic, so it's easy to blacklist inputs then try again a second later
15:18 < petertodd> bitcoin source code from nov 2008: https://bitcointalk.org/index.php?topic=382374.0
15:41 < maaku> petertodd: do you have a link to your OP_CODE_SEPARATOR delegation thoughts?
15:42 < petertodd> maaku: https://bitcointalk.org/index.php?topic=255145.msg2773654#msg2773654
16:12 < maaku> in freimarkets we introduced a delegation separator, which works kinda opposite the way a code separator does
16:13 < maaku> and lets the delegated signer add restrictions
18:44 < sipa> https://github.com/bitcoin/bitcoin/pull/3370#issuecomment-31150656
18:50 <@gmaxwell> That's the rule I believe we should have.
18:53 < andytoshi> there was a neat question on the mailing list requesting a document to explain distributed consensus systems to newbies
18:54 < andytoshi> idk how much of our language or concepts are standardized by this point
19:17 < TD> sipa: gavin is on vacation at the moment
19:17 < sipa> ok
19:20 < TD> sipa: it's not possible for two blocks to have identical time received, right? is this in case of future multi-threading?
19:20 < TD> (assuming a high enough resolution clock)
19:22 < sipa> it uses a microsecond clock, but that isn't available on windows
19:22 < sipa> actually, there should be no need for that
19:23 < sipa> just an incrementing sequence id
19:23 < TD> yeah
19:23 < TD> windows does have high resolution clock APIs
19:23 < sipa> good to bring that up
19:23 < sipa> yeah, but not available through the boost function we're using now
19:23 < sipa> in any case, sequence id is easier and faster
19:26 < TD> .. // Check trees node between the current best chain and the candidate.
19:26 < TD> that comment is a little unclear, imo
19:26 < TD> what's a "trees node"
19:26 < sipa> that comment makes no sense :)
19:30 < TD> sipa: what happens if a thread is interrupted whilst it's in the middle of re-organising in this new way?
19:30 < sipa> hmmm
19:31 < TD> i see interruption points, but no discussion of what happens if there's an abort
19:31 < sipa> you're right
19:31 < sipa> this could be a problem
19:32 < TD> i should add these comments to the github really
19:32 < sipa> please comment on the pullreq, not on the commits
19:32 < sipa> the commit comments sometimes get lost in rebasings
19:34 < TD> hmmm
19:34 < TD> i'm not sure how to do that. doesn't that lose the line references?
19:35 < sipa> yeah :(
19:35 < TD> oh well. no matter. you have comments in your inbox now
19:47 < sipa> TD: thanks
19:48 < TD> np
22:58 < andytoshi> is there a channel like #bitcoin except everyone is not illiterate?
23:00 < Luke-Jr> #eligius ?
23:58 < nanotube> andytoshi: heh maybe this one.
23:59 < andytoshi> :P i'd like to get a coinjoin going without the same five people :P
23:59 < andytoshi> oops, i put too many :P's in there..
--- Log closed Tue Dec 24 00:00:22 2013
--- Log opened Tue Dec 24 00:00:22 2013
00:06 < nanotube> one can never have too many :Ps. >_>
00:06 < nanotube> but i guess if you're looking for a larger audience, maybe -dev.
00:06 < nanotube> or make a forum post >_>
00:15 < andytoshi> yeah, i'll make a forum post
00:15 < andytoshi> and try to preempt all the "TL;DR" and "nobody will use it, too complicated" posts..
00:16 < maaku> or even #bitcoin
00:17 < andytoshi> well what prompted my question was, i tried it on #bitcoin, and was flooded with "too complicated, just a toy, tl;dr, nobody would ever use this"
00:17 < andytoshi> apparently if you can't do something better to bitch about it than to either learn or ignore it
00:21 <@gmaxwell> andytoshi: Bitcoin-otc might be a better venue. People are silly, obviously it's not for everyone.
00:22 <@gmaxwell> andytoshi: you should probably announce a time in advance in order to get people to expect to be there. E.g. I was thinking of organizing a weekly thing.
00:25 <@gmaxwell> andytoshi: as far as a channel with technically interested people... hell if I know. Bitcoin is a complete mystery to me in that respect.
01:19 < andytoshi> gmaxwell: well, thanks for the convo that just happened on #bitcoin then :P
01:19 < andytoshi> also, i don't have your comments on ed25519
01:19 < andytoshi> there was a power outage where my logger lives, i think it was then
03:37 < Emcy> andytoshi did you make a coinjoin bot or something
03:40 < _ingsoc> Is the code available?
10:16 < nsh> --
10:16 < nsh> Alfred Menezes, who has studied the new algorithm as a cryptographic researcher at the University of Waterloo in Ontario, Canada, calls it "a fantastic algorithm a stunning development." He says, "If I were a company today considering the use of pairing-based cryptography, I would be terrified of using small-characteristic pairings." In one case he studied, the algorithm succeeds in
10:16 < nsh> 2^74 operations, vs. 2^103 operations with the previous best algorithm. "While the 2^74 computation is certainly a formidable challenge, with an organization like the NSA, it becomes feasible."
10:16 < nsh> -- http://cacm.acm.org/news/170850-french-team-invents-faster-code-breaking-algorithm/fulltext
10:18 < nsh> i'd like to see an animation of a las vegas descent tree algorithm in operation
10:33 < andytoshi> Emcy, _ingsoc_: no, ;;cjs just pings my website to get the current status
10:33 < andytoshi> the website is here: https://www.wpsoftware.net/coinjoin/ , the source to the interesting stuff is here: https://www.wpsoftware.net/coinjoin/
10:34 < andytoshi> but there's a lot of surrounding code which runs the website which is not public, it's too ugly
10:35 < andytoshi> i meant, the source is here: https://github.com/apoelstra/coinjoin
10:51 < Emcy> oh god rawtxs
10:52 < Emcy> A1 for effort, needs huge red 72pt warnings though
10:54 < andytoshi> there is quite a lot of work put into making it idiotproof
10:54 < andytoshi> i'm not a very creative idiot, but i can't think of what people could do wrong here
10:55 < Emcy> spending all change as fees is quite popular with the mortals who attempt to mess with rawtxs
10:56 < andytoshi> yeah, gmaxwell had a clever idea for that ... all the fees should be sent to a magic address, and the joiner does the fee calculations itself
10:57 < andytoshi> so submitted transactions are required to have inputs == outputs
10:59 < Emcy> is that possible in bitcoin right now
10:59 < andytoshi> no, the joiner actually modifies the transactions before asking for signatures
11:04 < michagogo|cloud> ;;cjs
11:04 < gribble> Coinjoin Status: There is no currently open session.
11:12 < Emcy> it's a good start, but we know this all has to be completely transparent eventually if it's going to make any real impact on the system
11:12 < michagogo|cloud> Emcy: AIUI, this isn't supposed to become what everyone uses, or make any real impact on the system
11:12 < michagogo|cloud> At least not as-is
11:13 < Emcy> this or CJ in general?
11:13 < Emcy> CJ absolutely has to work wide-scale, or something like it
11:14 < michagogo|cloud> Emcy: this
11:14 < michagogo|cloud> Not CJ in general, of course
11:14 < Emcy> the alternative is having such a powerful technology as bitcoin turned against us
11:15 < Emcy> and i'm kind of sick of seeing civil society forge its own chains by accident
11:23 < nsh> we are bound by no faster iron than our flocksome follies and unfounded fear
22:38 < warren> jgarzik: writing the irc micropayment thing?
22:38 < jgarzik> warren: Looking into doing so, yes
22:47 < jgarzik> Everybody tells me not to use twisted, but twisted sure seems to have all the gadgetry in their framework.
22:47 < jgarzik> Another option is process-based plugins: have a master process, and then sub-processes (like IRC) are python scripts that the master will fork+exec, and communicate with via stdin/stdout
22:48 < jgarzik> then I don't care whether my IRC library and my Jabber library want to use different frameworks
22:48 < jgarzik> and things are largely language independent
22:51 <@gmaxwell> +1 to processes. :P
22:51 <@gmaxwell> makes isolation for security easier.
--- Log closed Mon Mar 18 00:00:30 2013
--- Log opened Mon Mar 18 00:00:30 2013
06:00 < warren> sipa: missing 'obj' directory from your secp256k1 git
06:00 < sipa> mkdir obj
06:01 < warren> I know
06:01 < sipa> ok, thanks, i'll fix it
11:00 <@gmaxwell> sipa: using openssl for the bignums is 21% slower than GMP on your code. Crazy.
11:01 < sipa> gmaxwell: yes; gmp does a modular inversion in <3us; openssl takes 26us
11:01 < sipa> given that the entire verification takes 150us, that is significant...
21:15 < warren> you folks going to the bitcoin conference?
21:28 < jgarzik> da
21:30 < sipa> i'm sure gmaxwell and jgarzik are going
21:35 <@gmaxwell> sipa: I think it would be productive for you to come. Considering some of the stresses lately spending some time in person would probably be helpful.
21:37 < sipa> yeah i'd certainly like to meet gavin and you in person once
21:38 < jgarzik> beer. There should be beer.
21:39 < sipa> well, jgarzik too of course, but i met him already :)
22:41 < sipa> gmaxwell: i wonder, with the PoW-that-proves-fast-UTXO-access
22:41 < sipa> seems that means you also need the UTXO set to validate PoW
22:41 < sipa> which would mostly kill SPV usage?
22:44 <@gmaxwell> sipa: if you look how I stated the construction I 'solved' that.
22:45 <@gmaxwell> basically you stick an extra H() on top of whatever comes out of the UTXO lookup.
22:45 <@gmaxwell> so that when you send a block you also send the result of H()... so you can do a context free check.
22:45 < sipa> right
22:45 <@gmaxwell> Also, if the lookup is really a UTXO fragment from a committed UTXO structure, you send the fragment.
22:46 <@gmaxwell> e.g. H(header) tells you a path you walk through the utxo tree... and you just send that walk. the hash of the walk is hashed with the header.
22:47 < sipa> i'll have a look at this, at a non-4am point in time
22:54 <@gmaxwell> like any of this NP pow stuff, the searcher is O(N) and the client is O(1). Now perhaps you could cheat the pow by just picking a few random paths through the utxo that you happen to know then searching through nonces that happen to pick those paths.
22:55 <@gmaxwell> This can be avoided by requiring sufficiently long paths, but that makes the workload high on the validatees.
23:32 < warren> coblee seems confused about the 0.8.1 hardfork reason. I'm trying to explain it to him. Let me clarify one detail... If 0.8 didn't exist, 0.7.x is still vulnerable to a certain depth of reorg failure due to the BDB limit?
23:33 < warren> If miners increased the block size limit (which is "legal" under the 0.7.x protocol), and sufficiently large blocks are adjacent to each other, it could cause a reorg failure and fork between clients of the same 0.7.x with BDB limit?
23:35 <@gmaxwell> warren: correct. <0.8 is not self-consistent.
23:35 < warren> gmaxwell: thank you.
23:35 <@gmaxwell> though it's not clear that any amount of lock tuning can completely resolve the issue, at least according to luke's reports today. Though it can probably make it hard enough to trigger to not be a practical issue for bitcoin.
23:36 < warren> what's the new limit?
23:38 < warren> I mean, the May 15th limit
23:38 * warren looks for it...
23:41 <@gmaxwell> warren: there is no limit after may 15th.
23:41 <@gmaxwell> just the regular limits we always thought were there.
23:42 < warren> so technically, all bitcoin clones should hardfork for the same reason, as they are now attackable.
23:43 < warren> Probably not with the existing miners (not enough tx's for them to increase the block size limit), but their hash rate is so low, it wouldn't take much to attack the network with rogue miners.
23:44 <@gmaxwell> the blocksize target in older code was 500k. And technically crafted txn can trigger problems with 500k blocks. These txn would be non-standard in bitcoin, but not all alts have the same rules.
23:44 < warren> 0.6 had a soft limit of 500KB, but that was reduced in 0.7?
23:45 <@gmaxwell> correct, but it was also much harder to hit in 0.6... due to the fee ramping.. though LC's fees are all miscalibrated and have always been.
23:46 < warren> It would be expensive (in fees) to attack using the standard miners, but rogue miners could avoid enforcing the fees. You just need a surge of enough miners and a temporary partition to destroy the chain consensus.
23:47 < warren> That's pretty hard to pull off.
23:47 <@gmaxwell> a rogue miner would just mine their own txn... and the soft limit wouldn't matter at all.
23:47 < warren> yeah
23:48 < warren> Just thinking how hard it would be to break litecoin now.
23:48 <@gmaxwell> well getting some nodes to accept it and some to choke is the hard part.
23:48 <@gmaxwell> you have to be right at the limit.
23:49 < warren> Is the standard way to partition by DoS attack?
23:49 <@gmaxwell> huh?
23:49 < warren> How you would isolate nodes
23:49 <@gmaxwell> you don't isolate nodes.
23:50 <@gmaxwell> oh I suppose you could use isolation to make the reorg version of the attack happen. but for that, you just do a race. You mine two blocks at the same height and announce at once.
23:51 <@gmaxwell> but I was thinking you'd break it with a _single block_ break.
23:51 < warren> "getting some nodes to accept it and some to choke" oh... it's a random timing issue. If some haven't received the main fork deep enough yet to fail the reorg, then they will disagree with the nodes that did fail the reorg.
23:51 < warren> Oh, single block? hmm
23:51 <@gmaxwell> warren: there are two main attack vectors here.
23:51 <@gmaxwell> One is that you mine a single block which is near the limit, the 0.7 limit is fuzzy it depends on the internal state of bdb.
23:51 <@gmaxwell> so you can make a block which some nodes will accept some will reject.
23:52 <@gmaxwell> but getting that right is hard. Too big and almost all reject, too small and almost all accept.
23:52 <@gmaxwell> your goal is 50% of the hashpower on each fork.
23:52 <@gmaxwell> an 'easier' attack targeting wise, is to mine two blocks and simultaneously announce, ... but that's harder mining wise.
23:53 <@gmaxwell> you can also attack newly bootstrapping nodes in a very effective way.
23:53 <@gmaxwell> and that doesn't even need high power mining.
23:53 < warren> just lucky timing
23:54 < warren> gmaxwell: aren't the newly bootstrapping nodes going to just be on their own fork without miners, thus impotent?
23:54 <@gmaxwell> yea, just catch nodes when they're new, feed them the real chain up to some height, then a set of choke blocks... and they will later hear the whole real chain but can't reorg off it.
23:54 <@gmaxwell> warren: _you_ can be their miner. :P
23:54 <@gmaxwell> mining away at minimum difficulty.
23:54 <@gmaxwell> giving them confirmations that are totally bogus.
23:55 < warren> they'll see the pre-fork difficulty though. It's hard to mine as fast as the entire main network.
23:55 <@gmaxwell> warren: does anything actually display the difficulty in a place a user would notice it?
23:56 < warren> no, but they might notice the confirmations coming slowly
23:56 <@gmaxwell> warren: .. uh. you only have to mine at minimum difficulty.
23:56 <@gmaxwell> because you fork off the network at a point where it's still at or near minimum difficulty.
23:57 < warren> ok, that doesn't describe some of the alt chains now.
23:57 <@gmaxwell> I suppose what will actually save them is the "you're on a shorter fork" warning.
23:57 <@gmaxwell> warren: what do you mean "that doesn't describe some of the alt chains now"?
23:57 < warren> "because you fork off the network at a point where it's still at or near minimum difficulty."
23:57 <@gmaxwell> ...
23:57 <@gmaxwell> warren: the attacker chooses the point in the network's history that he creates a fork from.
23:58 < warren> OH
23:58 < warren> ok
23:58 <@gmaxwell> he can choose to start his fork at block 1.
23:59 < warren> OK, so by observing main, you the only miner can make them think they are good until you defraud them.
--- Log closed Tue Mar 19 00:00:04 2013
--- Log opened Tue Mar 19 00:00:04 2013
--- Day changed Tue Mar 19 2013
00:00 <@gmaxwell> right. though as noted the wallet software isn't a complete rube, it'll whine when it sees a longer but "invalid" chain.
00:00 <@gmaxwell> so if you can't isolate them too they may be safe. and if you can isolate them you could have skipped the forking fun
00:00 < warren> It seems the other attack is more insidious. Very difficult to do, but fatal.
00:01 <@gmaxwell> warren: there are a bunch of other attacks altcoins are vulnerable to, some similar but easier to pull off.
00:01 < warren> gmaxwell: moral ... they should hardfork to avoid this particular risk entirely.
00:02 <@gmaxwell> ::shrugs:: maybe. who knows. Why bother if they're not fixing other stuff.
00:02 <@gmaxwell> They should all be really glad there is no effective way to short their currencies.
00:03 <@gmaxwell> - if there was I expect they'd all be dead.
00:03 < warren> There is a way to short LTC now.
00:03 <@gmaxwell> ...
00:03 <@gmaxwell> really?
00:03 < warren> yeah, it isn't well known yet.
00:03 * gmaxwell starts his stopwatch
15:19 < K1773R> https://github.com/runn1ng/namecoin-files <-- some public horrible implementations :P (i made my own one)
15:20 < petertodd> K1773R: ha, did you know that namecoin disabled the IsStandard() test?
15:21 < warren> is it rickrolled?
15:22 < petertodd> warren: a lot worse than that...
15:22 < petertodd> http://explorer.dot-bit.org/b/7f48b8b9c494479c6f7cf980e0458167d4fddb92aeb1e5c468143e51bdd022a4
15:28 < petertodd> gmaxwell, warren: http://gpg.ganneff.de/policy.txt_v1.3 <- interesting example of two PGP keys signing a single document without the multiple PGP block solution we came up with; I wonder what tool made that
15:29 < midnightmagic> I was using namecoin as a datestamper.
15:30 < petertodd> midnightmagic: note how merge-mining automatically links it to the more secure bitcoin blockchain in that case
15:31 < midnightmagic> yes. Uuk's cryptostamper was too difficult to use also.
15:31 < petertodd> Uuk's?
15:32 < sipa> chronobit
15:32 < midnightmagic> Uukgoblin wrote a cryptostamper you could merge-mine on using (i.e.) p2pool's --merged option.
15:32 < midnightmagic> yes, chronobit.
15:32 < petertodd> oh, that piece of shit...
15:32 < midnightmagic> oh now.
15:33 < petertodd> really annoys me to see people bringing up chronobit; perfect example of geeks completely ignoring usability
15:33 < sipa> i never used it; what was bad about it?
15:33 < sipa> ah
15:33 < petertodd> sipa: takes about a thousand times more work than just using bitcoin directly
15:33 < warren> currently your chronobit timestamp granularity is maybe a day, if you're lucky, unless you keep the entire sharechain which nobody does.
15:33 < sipa> yes, but it scales O(1) !!
15:33 < petertodd> sipa: so does Bitcoin given the 1MB blocksize... :P
15:33 < midnightmagic> just difficult to use. I got it self-claiming it was working and it could verify stamps and such, but then i just gave up because even the email-to-usenet pgp stamper from the uk was easier
15:34 < petertodd> warren: p2pool has the same 2 hour logic as bitcoin, so it'll never be better than that
15:35 < petertodd> midnightmagic: yup, bitcoin timestamping is just so easy to understand and verify
15:36 < petertodd> w/ bitcoin utxo timestamping I've been thinking how you could do a really nice - for the user - standard for OpenPGP keys/sigs that was "co-operative": create the timestamp with a UTXO entry, and if you see a sig without a timestamp, create one too for everyone to use.
15:37 < petertodd> what's "lovely" is how bc.i has the API to make it all easy to verify, and you can fall-back to searchrawtransactions, or in the future, UTXO proofs + whatever crap Mike and co are going to implement to make SPV nodes lives easy
15:41 < petertodd> note that for PGP, timestamping doesn't need much granularity - you just want a timestamp that you can use to reason that at the time a signature was created, the corresponding key wasn't compromised/revoked
15:42 < petertodd> true of a heck of a lot of uses actually...
15:50 < gmaxwell> lol hogwash 12:33 < petertodd> sipa: so does Bitcoin given the 1MB blocksize... :P
15:50 < gmaxwell> "It's O(1) so long as no one uses it" is hardly a great argument.
15:50 < petertodd> gmaxwell: No, it's O(1MB) :P
15:51 < petertodd> gmaxwell: In fact, most algorithms are O(the entire universe)...
15:51 < gmaxwell> If you're happy to have some random website store your data so you can search for it... it'll be a lot cheaper to just ask them to store it than try to compete with people for 1MB space, since that site surely can have more disk space than limited blocks. :)
15:52 < petertodd> gmaxwell: Keep in mind, my usual argument is that yes, that's true, but how many uses of data are out there that *can* pay x cents per KB that "cheap" transactions imply?
15:53 < petertodd> Namecoin is an especially ugly example, because a Namecoin on Bitcoin can afford to pay rather large fees for name updates; way in excess of what a cheap transaction is.
15:57 < petertodd> gmaxwell: Oh, have I explained to you yet how I don't think UTXO bloat is a problem?
15:57 * sipa is curious
15:57 < amiller> go on
15:59 < petertodd> It's really simple: create a *TXO* commitment data structure with a merkle mountain range; this is a data structure that has ~O(1) appends, and O(log n) updates. Txouts in this structure are marked unspent or spent.
16:00 < petertodd> The key thing is that you can prove the current state of any txout with a proof of O(log n) size, and you can also use those proofs to update the state securely. This means every tx can now just have proofs of the txouts' existence, and miners can update the txo commitment without actually having the blockchain data.
16:00 < petertodd> Thus your UTXO set is an optimization, rather than a requirement, and in essence storing the UTXO data is pushed to the people who actually own the UTXOs.
16:01 < petertodd> Realistically you'd want to just have nodes store, say, the last 1 year worth of UTXOs or something; essentially expiration, but you can still spend old UTXOs, just at greater cost.
16:02 < amiller> so you need *part* of the UTXO to construct the proof that *your* tx is valid
16:02 < petertodd> amiller: exactly
16:02 < amiller> utxo as a service makes sense to me
16:03 < petertodd> yup, and that service can be distributed easily too - you only need the part of the utxo set/part of blocks relevant to what you want to store
16:05 < amiller> there are some things like
16:05 < amiller> polynomial representations of sets
16:05 < amiller> that are pretty efficient
16:06 < amiller> where if the set contains your element
16:06 < amiller> and you know your element
16:06 < petertodd> you still get the compact fraud proofs that utxo sets get you too in this scheme
16:06 < amiller> you can take any representation of the set
16:06 < amiller> and easily prove that your element is in it
16:06 < petertodd> lol, how do those work?
16:07 < amiller> http://www.cs.berkeley.edu/~dawnsong/papers/set-int-full.pdf
16:08 < amiller> maybe this one http://www.ece.umd.edu/~cpap/published/cpap-rt-nikos-11.pdf
16:10 < amiller> hmm.
16:10 < amiller> basically you have a polynomial in some field
16:11 < amiller> the polynomial looks like f(x) = Product{ a0(x0 - x), a1(x1 - x), .... aN(xN - x) }
16:11 < amiller> so that polynomial has roots at x0 and x1 and such
16:11 < amiller> and you represent the polynomial just by its evaluation on a random element in the field s
16:12 < amiller> i dunno maybe that doesn't work
16:12 < sipa> those aN's seem useless
16:12 < petertodd> huh, can't say I understand it
16:12 < gmaxwell> petertodd: how do you prove if your coin is already spent or not in your mountain range thing?
16:13 < petertodd> gmaxwell: you just provide a merkle path from the txout to the TXO commitment - the mountain range gets modified every time a txout is spent and the commitment of the current version of it is included in every block
16:14 < gmaxwell> oh you made inserts cheap, but updates need the longer proof so you can modify it?
16:14 < sipa> so you need to know the mountain range locally, to be able to prove a coin still exists?
16:14 < gmaxwell> (inserts just need the current 'rightmost edge'
16:14 < gmaxwell> )
16:14 < sipa> so transactions can't be valid across block updates?
16:15 < petertodd> gmaxwell: yeah, *appends* are essentially O(1), and updates need to update the log n hashes from the txout to the tip
16:15 < petertodd> sipa: what do you mean?
16:15 < sipa> say i want to spend a coin
16:15 < gmaxwell> like you write a txn containing an update proof, and then the txn next to it in the set is updated.. now your proof is no good.
16:15 < petertodd> sipa: oh, right, they can still be valid though, because nodes in between have enough block data to rewrite the parts that are changed
16:15 < sipa> right
16:16 < gmaxwell> Iff they do, right?
16:16 < petertodd> Like, if I have a full copy of the blockchain data, and so do you, for me to prove some tx is valid, I don't need to give you any proof at all. If you're missing part, I may need to give you some proof, and that proof may change on the next block. (but only part of the proof will change)
16:16 < petertodd> gmaxwell: yeah, I wouldn't have people *sign* the proofs that a tx is valid for instance
16:17 < gmaxwell> might couple well with OWAS fees, since relaying nodes would be paid for keeping a txn valid.
16:17 < amiller> you might be able to structure the utxo so that an old proof is likely to stay valid
16:18 < amiller> like you can pay to put your coin in the VIP section that isn't updated so often
16:18 < petertodd> gmaxwell: Yup, or for finding the up-to-date proof that a tx is valid.
16:18 < gmaxwell> well if the proof has the right structure, then the composition rule stuff we talked about would apply.
16:18 < petertodd> amiller: Yeah, I was thinking about that, but proving compactly that a given txo is in the "vip section" gets tricky and ugly fast. :(
16:18 < petertodd> gmaxwell: composition rule?
16:18 < gmaxwell> e.g. if you have proof A and see a block that would invalidate it then you would also know enough to fix the proof.
16:19 < petertodd> gmaxwell: oh right, yeah that's easy to implement
16:19 < gmaxwell> petertodd: e.g. if you have a proof of A->B and A->C you can form A->{B,C}
16:19 < petertodd> gmaxwell: better yet, you can parallelize all this stuff too
16:19 < gmaxwell> well, parallel has fungibility problems, no?
16:20 < gmaxwell> e.g. if you have coins in streams, spending cross streams would be more costly.
16:20 < petertodd> gmaxwell: no, by parallelize I just mean how if you have n txs, the actual updates to the data structure can be done in parallel on your local computer
16:20 < gmaxwell> oh oh okay I thought you were saying you could have N mountain ranges. privacy worse (for non-static uses)
14:46 < adam3us> maaku_: nice write up
14:47 < adam3us> maaku_: i guess also that interpreter escape would be calamitous if that is not impled!
14:50 < maaku_> adam3us: good, i'll add that
14:58 < jtimon> maaku_ reading now
15:10 < jtimon> maaku_ looks great, nothing comes to mind to add
15:16 < jtimon> very good idea to approach those communities
15:17 < jtimon> I guess petertodd still prefers forth and gmaxwell and sipa still prefer the AST
15:19 < jtimon> but it will be interesting to see what those forums think, where are you sending that maaku_?
15:19 < maaku_> the concatenative yahoo group
15:19 < maaku_> also #concatenative
15:19 < jtimon> ughh, yahoo groups...
15:20 < maaku_> [13:59:44] <gmaxwell> adam3us: really? I think forth is basically ideal.
15:20 < maaku_> I think sipa is the only one interested in a more imperative AST
15:21 < sipa> imperative?
15:21 < sipa> if anything i prefer it is not imperative...
15:21 < jtimon> now they want my phone number...
15:22 < maaku_> jtimon: just sign up for the mailing list, no yahoo account required
15:22 < maaku_> jtimon: i'm not a fan of programming in concatenative languages... yuck, honestly. but this is the textbook case for where they excel
15:24 < maaku_> sipa: very poor choice of words on my part
15:25 < maaku_> but is there any advantage to the system you advocated before over a concatenative, point-free language?
15:26 < maaku_> i tried to think of an example the last time we talked, but couldn't
15:26 < sipa> it's a bit vague to me what that means
15:26 < sipa> i'll look up joy
15:28 < jtimon> ASTs are used in a phase of compilation I think, so sipa's point is I think for maybe having different compilers to the AST (also being a tree, easily merklizable)
15:29 < sipa> it may be possible to convert joy to an AST of the type i suggested
15:29 < maaku_> well it's loose terminology so i'm not sure what exactly is meant
15:29 < jtimon> and everybody uses the same AST, well, I'm just speculating about his reasoning
15:30 < maaku_> Forth-like languages such as Joy have an AST as well
15:30 < sipa> anyway, i like the idea of these types of script to essentially be an expression
15:30 < jtimon> yes, compiling joy to an ast should be possible, maybe you can ask that too "should we use joy or the AST compiled from joy?"
15:30 < sipa> it has a natural merkleization
15:31 < sipa> is trivial to analyse wrt to execution time
15:31 < maaku_> sipa: http://evincarofautumn.blogspot.com/2012/02/why-concatenative-programming-matters.html
15:31 < maaku_> and http://www.kevinalbrecht.com/code/joy-mirror/j01tut.html
15:31 < maaku_> probably the best introductions
15:32 < jtimon> maybe we can even write the scripts in python and compile them to ast, I'm sure the pypy guys have something to build from
15:32 < maaku_> with a Merklized Joy, you'd consider quotations to be a branch of the AST
15:32 < maaku_> so, for example, an if statement is: pred [true-branch] [false-branch] if
15:32 < sipa> what advantage does joy/... have?
15:33 < maaku_> you can separately merklize the true and false branches
15:33 < jtimon> sipa I think maaku_'s point is that dealing with the AST directly is ugly and joy is a functional lisp-like lang
15:33 < maaku_> sipa: implementation and type analysis is very simple (unless you f' up the language design)
15:34 < sipa> i don't understand what's ugly about it
15:34 < sipa> it's just an expression
15:34 < jtimon> oh, and then the strong typing thing, but that's cat, no?
15:34 < sipa> it's pretty much the most natural way of writing *simple* conditions i can think of
15:36 < sipa> but maybe we need to actually try to write some actual things in these sorts of languages first
15:38 < sipa> i guess my usage of the word 'AST' is also a bit confusing, as that's just a compiler step
15:39 < maaku_> sipa: you won't find an argument about concatenative languages being better than lambda abstraction or vice versa, because they are equivalent
15:39 < sipa> i'm *certainly* not planning to introduce lambdas
15:40 < sipa> i'm a big fan of higher-order strongly-typed functional languages, but lambdas would make implementation significantly more difficult, and analysis even more so
15:40 < maaku_> but as an intermediate language, stack based concatenative languages are trivially simple to implement in an imperative or JIT interpreter (close to the machine), and do so safely
15:40 < sipa> evaluating an expression tree is surely even simpler
15:40 < maaku_> sipa: a concatenative language like Joy has the power of lambda abstraction without those added complexities
15:41 < sipa> maybe i should just write a toy implementation...
15:44 < sipa> maaku_: heh, i guess i didn't realize this before
15:44 < sipa> i presume joy is turing complete?
15:45 < sipa> with some recursion primitives, i'm sure it is
15:45 < maaku_> yes
15:46 < sipa> right, i'm not aiming for that
15:47 < sipa> if you need that, a concatenative approach is probably easier to implement than having higher-order functions and lambdas in an expression language
15:47 < sipa> but i'm unconvinced about the need for that
15:49 < maaku_> well need is a word that carries baggage
15:50 < maaku_> i was recently convinced of the utility of turing complete scripting, which is to say i understand the desire for it and it is worth experimenting with
15:50 < sipa> right, sure
15:50 < maaku_> but "need" encompasses so many tradeoffs I'm not comfortable making yet :)
15:50 < sipa> i'm just talking about a bitcoin script 2
15:50 < sipa> not about anything more ambitious than that
15:53 < andytoshi> maaku_: nice links. i just clued in that 'postfix' the language is named for 'postfix' the notation :P
15:59 < jtimon> I thought joy didn't have recursion because it didn't need it
16:00 < sipa> well, the wikipedia article on it has an example with a 'binrec' primitive
16:01 < jtimon> this sentence is very confusing to me "Combinators in Joy behave much like functionals or higher order functions in other languages, they minimise the need for recursive and non-recursive definitions."
16:02 < jtimon> I'll keep reading the links, hopefully I'll have a clearer idea after that
16:02 < maaku_> jtimon: it doesn't have recursion in the traditional sense, but it has the equivalent of an 'eval' opcode
16:02 < maaku_> and since code is data, that's enough to build whatever you need
16:03 < maaku_> combinators (like binrec) are just a variety of built-in variants of this idea
16:04 < jtimon> I don't really have a strong opinion on joy vs ast really
16:06 < sipa> i *really* dislike code==data
16:06 < jtimon> maybe allowing everyone to build their own python, lisp, js, C or whatever to AST compiler and letting the AST interpreter itself be the "consensus sensible" part is a better solution
16:06 < sipa> it makes analysis horrible
16:07 < killerstorm> are you discussing new awesome cryptocurrency?
16:07 < jtimon> yeah, I would definitely ask the concatenative guys what they think about using an AST directly and then compiling from other languages
16:08 < jtimon> killerstorm: new awesome scripting language that among other things, could be used for native colored coins
16:08 < sipa> that requires an OP_EVAL like structure :S
16:09 < sipa> which means you cannot possibly analyse without executing...
16:09 < killerstorm> native colored coins can be implemented using OP_CHECKCOLORVERIFY (https://bitcointalk.org/index.php?topic=253385.0)
16:09 < killerstorm> I mean the basic kind.
16:09 < jtimon> although some people don't like the idea of covenants in the hostcoin
16:09 < jtimon> killerstorm, yes, but that's 1 op = 1 use case
16:10 < jtimon> this, being more generic, would allow many other things
16:11 < jtimon> within freimarkets for example it would allow you to always be able to buy your p2p interest-bearing debt back
16:11 < killerstorm> I'm afraid that implementing anything non-trivial via scripts will result in a huge bloat
16:11 < jtimon> http://0bin.net/paste/kMkgAK+zO2+mTK0E#Lua4/1g5fGVyv44fpRkftnd37RetgnrDrItXAp9FyvA=
16:11 < jtimon> I still think tagged CCs are better
16:12 < maaku_> [13:06:14] <sipa> it makes analysis horrible
16:12 < maaku_> not with a strong type system
16:12 < maaku_> killerstorm: yeah sort of, a scripting extension/replacement that will probably make it into freimarkets
16:12 < jtimon> I don't even think interest/demurrage bearing assets are possible with them
16:12 * andytoshi waits as "rustcoin" stops being funny and starts being considered..
16:12 < jtimon> /with/without
16:13 < amiller> wtf is the point of opcheckcolorverify? the color checking operation is massive/exponential/bad
16:13 < sipa> maaku_: well, then code isn't data :)
16:14 < sipa> maaku_: as the type system can determine in advance what is executable
16:14 < maaku_> sipa: not sure i follow
16:14 < killerstorm> amiller: The idea is to add color tags to utxo db. then it is trivial.
16:14 < sipa> maybe you mean something else by code==data than i do... for me it means i can construct a random string/sequence of operations/whatever using code, and then execute it
16:15 < maaku_> jtimon: the "common AST" *is* a concatenative language. there's a reason the JVM and .NET intermediate languages are concatenative...
16:15 < maaku_> everything compiles down to that
16:15 < sipa> JVM bytecode language is certainly not an AST
16:15 < amiller> killerstorm, a lot of effort goes into keeping the utxo as small as possible, how do you quantify what change that incurs?
16:15 < maaku_> yes, it's a stack-based language
16:15 < sipa> it's an imperative stack-based language, afaik
16:15 < maaku_> exactly
16:16 < sipa> i need to stop using the word AST, as it's much wider than what i mean
16:16 < jtimon> amiller the point is making CCs SPV-friendly
16:17 < maaku_> killerstorm: the scripts are in the scriptSigs, so they're immediately pruned
04:30 < warren> http://www.asrock.com/news/index.asp?cat=News&ID=1765 <---- Wow. Only a little late.
04:33 < gmaxwell> lol
04:33 < gmaxwell> Enterprise speed
04:49 < Luke-Jr> and they didn't even cut the x1 slots so you could put GPUs directly in
04:49 < Luke-Jr> FAIL
04:51 < gmaxwell> maybe it was a product intended for some other purpose... :P
04:55 < warren> Luke-Jr: if you have GPUs that close together they overheat anyway
04:55 < Luke-Jr> warren: I suppose
04:55 < Luke-Jr> gmaxwell: maybe they want BFL to offer them $ for a partnership :p
04:57 < gmaxwell> Luke-Jr: I have to admit I'm happy to see someone doing a gpu formfactor miner.
04:57 < warren> that pcie monarch card will actually use pcie for communication?
04:57 < Luke-Jr> warren: barely :/
04:57 < gmaxwell> pretty easy to stick a usb controller on pcie. :P
04:57 < Luke-Jr> gmaxwell: I wish
04:57 < gmaxwell> oh is it some horrific bitbang interface?
04:58 < Luke-Jr> if only
04:58 < Luke-Jr> think the current USB protocol, using PCI-e memory
04:58 < Luke-Jr> if they have time, there might be an interrupt for nonce found
04:59 < warren> better nonce handling latency than serial?
04:59 < Luke-Jr> I suppose.
05:00 < gmaxwell> warren: with what luke is saying your latency advantages there will probably get lost by the protocol desyncing and other nonsense.
05:00 < warren> not to mention it being delivered maybe in 2015
05:01 < Luke-Jr> nah, I expect them to be within a month this time around
05:01 < Luke-Jr> certainly won't be a bigger screwup than SC
05:01 < gmaxwell> warren: I suspect the chips are coming from another supplier. :P
05:29 < adam3us> i guess you'd need watercooling gpu mods and not sure if you can get a case to hold 6x double height cards so then you're building franken-miner
05:33 < gmaxwell> adam3us: I ran lots of systems like that ... case? lol. yea no, the only way to work with 6gpus on a board is either with special engineered high speed fans or to spread the things out.
05:33 < gmaxwell> e.g. http://www.bitcoinminingrigs.com/wp-content/uploads/2013/09/200-amp-3-phase-480-...-165kW.jpg
05:34 < gmaxwell> or less ambitious: http://i.imgur.com/tb124Nm.jpg
05:41 * gmaxwell is so glad to be rid of gpus
05:41 * gmaxwell hopes to never use a gpu again
05:44 < warren> direct neural port
05:46 < gmaxwell> vt100 forever!
05:59 < sipa> the information revolution will be fought on the command line
06:08 < warren> it looks like scrypt FPGAs are ramping up
06:08 < warren> hashrate is higher than ever, and litecoin was too cheap to warrant buying new GPUs for the past few months
06:31 < HM2> scrypt FPGAs....
06:31 < HM2> wasn't scrypt designed with killing FPGA and ASICs in mind?
06:31 < midnightmagic> litecoin screwed up when they chose the scrypt parameters.
06:32 < HM2> Don't they have an equivalent difficulty?
06:32 < midnightmagic> What do you mean?
06:32 < HM2> or did they just use bitmasking of the output like Bitcoin
06:32 < HM2> The difficulty should be the scrypto params, right?
06:32 < HM2> *scrypt
06:33 < gmaxwell> HM2: no because that would screw up the verifying costs
06:34 < gmaxwell> (and it's already screwed up)
06:34 < HM2> hmm
06:34 < warren> the FPGAs so far are only like 2-5x more power efficient at an incredibly high cost
06:34 < HM2> then how do they apply difficulty? if your params are fixed and difficulty just depends on a partial hash collision on the output, you haven't really addressed the issue of improving hardware
06:35 < warren> someone just approached me saying they'll pay for my attendance of the Vegas Dec 10th conference
06:35 < warren> "what's the catch?"
06:35 < warren> no response.
06:35 < gmaxwell> HM2: you're laboring under the impression that it was well thought out. It wasn't.
06:35 < HM2> warren, ask for gambling expenses
06:36 < gmaxwell> HM2: it was a "yippie! gpu proof!"
06:36 < warren> We still haven't revealed Litecoin's secret sponsor.
06:36 < warren> AMD!
06:36 < HM2> not ARM?
06:36 < petertodd> warren: lol
06:36 < HM2> We all want mining on the smartphone. Sponsored by Sanyo batteries
07:38 < adam3us> warren: you know bitshares momentum hash had the interesting design objectives: memory hard to mine, but no memory (2 or 3 hashes) to verify
07:38 < adam3us> warren: unfortunately its harder than they thought, and their attempt is triply broken
07:39 < adam3us> warren: but maybe they knew that and built a well optimized tuned custom box to exploit the heck out of it
07:39 < gmaxwell> nah
07:39 < petertodd> they aren't that smart...
07:39 < gmaxwell> right
07:39 < gmaxwell> I'm sure they are smart in their own ways.
07:40 < petertodd> ...or if they are, they are also good actors
07:40 < adam3us> gmaxwell, petertodd: yeah bytemaster seemed to take some convincing, but i believe paid out the $5k bounty for the first two defects
07:41 < adam3us> gmaxwell, petertodd: well they also did the classic gross miscalc of impact of slow difficulty adjust and mined 6months planned in 7days followed by emergency hard fork
07:42 < adam3us> ***adam3us chortles
07:42 < petertodd> damn
07:42 < gmaxwell> adam3us: I assume they made the mistake of making their diff update continuous and then scaling back the safety non-linearly to some tiny value so they were always in the non-linear region?
07:43 < adam3us> gmaxwell: i didn't do the calc myself (7day to 6mo) but guy who rented a ton of vsps did and seems sharp, i think they just didn't adjust for 2 weeks normal params
07:43 < adam3us> gmaxwell: and it was a natural effect of their initial param being too easy
07:44 < gmaxwell> adam3us: huh, the way bitcoin works is that the adjustment is triggered on blocks not time precisely for that reason. :)
07:44 < gmaxwell> I guess they must have broken that.
07:44 < adam3us> gmaxwell: i didn't quite get the hard fork, same guy was telling me they put a manual 32x diff increase automatically at the adjust or something instead of 4x
07:45 < adam3us> gmaxwell: i think the target was made 4x less easy on an accelerated schedule, but it wasn't enough given the massive mining race, so they changed it to 32x, and i guess they had 5min target blocks, but they were going at 15sec or something real
07:45 < gmaxwell> adam3us: bitcoin clamps the difficulty adjustment to 4x / 0.25x at retarget, prevents stranding, and still leaves you with quartic convergence. .. and its far enough off nominal you shouldn't ever really get weird incentives from the non-linearity.
07:46 < adam3us> gmaxwell: i expect that is what they adjusted from 4x to 32x in their patch, their curve was almost vertical
07:46 < adam3us> gmaxwell: so even though the adjustment happened the limit applied and prevented enough adjustment, moving their intentionally short (1yr?) schedule forward by 6mo
07:48 < adam3us> maybe they accidentally effectively increased the number of blocks per adjust interval in the code, not sure.
07:49 < adam3us> i wasn't enough interested to try figure it out, but it was nevertheless hilarious to spectate. i mined a few hrs on my 4.8ghz watercooled 3930k 6 core and gave the coins to the guy who asked me to look at it :)
09:30 < adam3us> Fistful_of_LTC: did patching semiOrderedMap.cpp give you an n^2 momentum speed boost? curious how the constants work out
09:32 < Fistful_of_LTC> adam3us: i haven't figured out how
09:33 < Fistful_of_LTC> i'm actually using another client, https://github.com/Tydus/jhProtominer/blob/master/src/jhProtominer/protosharesMiner.cpp
09:33 < adam3us> Fistful_of_LTC: is it faster than ptsminer?
09:33 < Fistful_of_LTC> yes, a few times faster
09:34 < Fistful_of_LTC> what change do i need to make to patch ptsminer/this one?
09:39 < adam3us> Fistful_of_LTC: so it looks like this one lets u use up to 4GB ram.. how much do you have?
09:40 < adam3us> Fistful_of_LTC: he has the same code repeated like 5 times with the constants changed for 256,512,1024,2048,4096 (MB)
09:40 < adam3us> Fistful_of_LTC: I think cut & paste one more time, change it again in the same way as from 2048 to 4096,
09:40 < Fistful_of_LTC> 64 gb
09:41 < Fistful_of_LTC> you think there will be an even greater improvement?
09:43 < adam3us> Fistful_of_LTC: it depends on how fast it takes to fill the ram, if its less than the block time interval, then yes, 2x ram should be > 2x faster
09:44 < adam3us> Fistful_of_LTC: the only thing that seems to change is #define COLLISION_TABLE_BITS (29)
09:48 < adam3us> Fistful_of_LTC: so just change it to 32, i think that should give you 16GB
09:51 < Fistful_of_LTC> i tried that it wouldn't compile, i'm going to try it again
10:07 < adam3us> #define COLLISION_TABLE_BITS (32)
10:07 < adam3us> #define COLLISION_TABLE_SIZE ((uint64)1<<COLLISION_TABLE_BITS)
10:08 < adam3us> Fistful_of_LTC: you are running -m4096 right? is that the fastest choice (vs -m2048 or -m1024)?
10:10 < Fistful_of_LTC> the fastest choice seems to be 512 mb actually, but i just noticed i'd been running an old version
10:11 < adam3us> Fistful_of_LTC: all cores busy?
10:13 < adam3us> Fistful_of_LTC: (if thats the case this wont work, my edit was to create -m16384)
10:14 < Fistful_of_LTC> you have it somewhere i can dl/test it?
10:15 < Fistful_of_LTC> i just have to wait for the pool to come back up
10:19 < adam3us> Fistful_of_LTC: 1sec...
11:22 < adam3us> btw an amusing zerocoin thought experiment: bitcoin already has one-use addresses (if you use them as intended). zerocoins have fixed denomination (take your pick.. 1btc, 0.001 btc someone has to decide)
11:23 < adam3us> if bitcoin users used 1 coin denomination (say 0.001 btc) with strict one address it would have close to the same privacy guarantees as zerocoin, because you would never send yourself change
11:28 < gmaxwell> yep.
11:29 < gmaxwell> really if used in the right manner the gap between an actually anonymous system and bitcoin is not _that_ large.
05:17 < gmaxwell> Mike_B: right, and we can't prove otherwise, though structurally it seems really really unlikely (esp for bitcoin where we do have >256 bits of input to the process)
05:19 < gmaxwell> (random aside: I read a neat paper a while back where they show how to use error correcting codes to efficiently solve hamming distance threshold partial collision problems efficiently by searching for partial preimage collisions on a coded version of the output.)
05:20 < Mike_B> what do you mean by partial collision problems here?
05:20 < Mike_B> like two strings whose hamming distance is less than some threshold?
05:20 < gmaxwell> Mike_B: yes.
05:21 < Mike_B> hmm, interesting
05:22 < gmaxwell> (http://eprint.iacr.org/2012/731.pdf)
05:25 < Mike_B> very neat
05:25 < Mike_B> another paper for me to wade through :)
05:26 < Mike_B> there's also this i found, which relates to the question i was asking earlier
05:26 < Mike_B> http://www.hashcash.org/papers/bread-pudding.pdf
05:26 < Mike_B> so i assume adam already knows about it :)
05:26 < Mike_B> seems to classify proofs of work
05:50 < TD> good morning
07:41 < azariah4_> reading the WP article about commitment schemes, I was surprised to not see hashing as an example
07:42 < azariah4_> e.g. if alice creates hash = SHA-256(foo_msg) and gives it to bob, she has committed to foo_msg without revealing it, and can later reveal it for checking
07:43 < gmaxwell> azariah4_: it may be because cryptographic protocols which are 'merely' secure in the random oracle model are somewhat out of fashion with academic cryptographers.
07:46 < azariah4_> ah yeah, to get perfect binding in a commitment scheme using a hash requires that the hash is a perfect hash function
07:46 < azariah4_> well, the article does mention signature schemes
07:47 < azariah4_> No real function can implement a true random oracle.[citation needed]
07:47 < azariah4_> WP <3
07:48 < gmaxwell> The other aspect of that is a lot of fancy things are built effectively out of commitment schemes that have extra properties like certain kinds of homomorphism or proofs... so non-symmetric commitment schemes are generally more interesting because they do have these properties.
07:50 < azariah4_> ah
07:50 < gmaxwell> I'm not a big fan of loss of love for the random oracle model, much of that is driven by a set of papers that show you can have a protocol which is secure in the random oracle model but not secure in practice... and in fact cannot be secure with _any_ real hash function in place of the random oracle. Anything (so far) know to do this is totally contrived, but it's created an excuse to avoid proofs based on reduction to random oracle.
07:51 < gmaxwell> s/know/known/
07:51 < azariah4_> aha, interesting
07:52 < azariah4_> going through some ZKP examples which use commitment schemes
07:53 < gmaxwell> ...personally I'd usually take a well studied hash function and a proven secure in the random oracle model protocol over something depending on gap-dh.
07:54 < gmaxwell> azariah4_: yea, some of the most powerful ZKP stuff is basically a special kind of homomorphic hashing where you can hash encrypted 'wire' values in a circuit and still apply the tests that the circuit is satisfied. ... and then hash this validation itself and so on.
08:22 < TD> gmaxwell: what kind of schemes are secure in ROM but not when instantiated with a real hash function?
08:39 < gmaxwell> TD: there are a couple layers to it they start with a contrived scheme where you take a regular secure signature scheme and then wrap it
08:40 < gmaxwell> with a if (message,oracle(message)) table then return secret key.
08:40 < gmaxwell> and then modify the verifier to also accept for that message.
08:42 < gmaxwell> and then go on to describe how to fill out the table in a way which it is computationally intractable if you use a real random oracle but possible for any real hash function.
08:42 < gmaxwell> (I don't actually recall what they do there)
08:43 < TD> ok
09:50 < azariah4_> just found the libzerocoin docs on github, awesome stuff
09:51 < azariah4_> helps understand the protocol since it's from an integration point of view rather than the pure crypto/math description
09:52 < azariah4_> this in particular is quite interesting: https://github.com/Zerocoin/libzerocoin/wiki/Generating-Zerocoin-parameters
09:53 < azariah4_> so the initialization of a zerocoin instance depends on a single trusted entity
09:54 < gmaxwell> yep.
09:54 < gmaxwell> and that entity has inflation power, at least up to the total amount ever put into the accumulator (assuming the system is engineered to track that)
09:58 < azariah4_> it mentions distributed multiparty generation of the modulus however
09:59 < azariah4_> and another paper linked for that, crap
09:59 < azariah4_> feels like i'm going down the rabbit hole with this, too many papers bookmarked already :P
10:00 < gmaxwell> azariah4_: yes, though the state of practical multiparty computation is sad (non-implemented, slow (quadratic communication usually), half of it is secure against only lame threat models), but ignoring that: you're still left with some cabal of parties to perform that act... tricky to not have people constantly fudding the cabal.
10:00 < azariah4_> yes indeed 10:00 < gmaxwell> e.g. you have 3 people do MPC to produce the value... and okay, so it's two of three who people fearmonger about. :) 10:01 < azariah4_> I imagine there has been some thought about multiple instances of zerocoin to reduce the risk given a single generation of N per instance is used 10:01 < azariah4_> however anonymity is reduced if e.g. my txs are in a zerocoin instance with only 10 other people 10:02 < gmaxwell> maybe with enough resources and effort you could do a really big MPC scheme where some parties seal computers in bunkers and blow them up after the fact.. :) sort of an open question over what would be enough. 10:02 < gmaxwell> A somewhat frequent bit of FUD bitcoin gets is confused people claiming that satoshi has a master key that gets him unlimited bitcoin or the like. Fortunately these are easily shut down because you can show it impossible. 10:03 < gmaxwell> In such a scheme it's not possible to show that its impossible for a cryptographic backdoor to exist. 10:04 < azariah4_> exactly 10:07 < azariah4_> would it be insane to instead of generating 2 safe primes that multiplied gives N, generate a larger set of safe primes and multiply all together? 10:11 < azariah4_> ah, integer factorization is hardest when the integer N is semiprime 10:17 < sipa> i wonder, could you create a script system that allows outputs which 1) prevent spending before X confirmations, and 2) are able to observe the block hash of block X further 10:18 < CodeShark> you mean able to reference external state? 10:19 < sipa> well it's state that will exist at the time you're going to spend the output 10:19 < sipa> nothing external to it 10:19 < gmaxwell> sipa: I thin you can, just have a PUSH_<thing that would have been in the future>. opcode. 10:19 < gmaxwell> e.g. push it by reference. 10:20 < gmaxwell> But what would you accomplish with this? oh to prove another transaction was in the chain? 
10:20 < sipa> it would allow some betting schemes that aren't vulnerable to "mining the transaction hash", and without secret state for the operator 10:21 < CodeShark> by "external" I meant outside just the input script and output script 10:21 < sipa> not sure that's something to encourage, or whether there aren't any better ways 10:22 < sipa> but you could have a script that uses H(txid + H(block_N_in_the_future)) < some_value 10:26 < CodeShark> what do you mean "mining the transaction hash"? 10:26 < CodeShark> sha256 collisions? 10:26 < gmaxwell> CodeShark: basically you use the hardness mining a block to boost the security of a random selection scheme. 10:27 < gmaxwell> e.g. output can be spent by A only if the next block hash &1==0 otherwise spendable by B. 10:27 < CodeShark> ah 10:27 < gmaxwell> sipa: on this general subject I'd like there to be a way to do a probablistic micropayment that doesn't produce any transactions when the payment fails.. which I suspect needs a similar kind of change. 10:35 < gmaxwell> (e.g. a signature which is only valid if the next, yet unknown block's hash passes a test.) 10:38 < sipa> next, or 100th following even 10:38 < sipa> if you want to prevent people mining blocks specifically to revert it 10:39 < gmaxwell> well for low value transactions you basically trust that throwing out $subsidy+$typical_fees is much worse than losing the micropayment. 10:39 < sipa> right, sure 10:42 < gmaxwell> sipa: where is your simulation of your charts with constant hashrate? 12:07 < petertodd> jtimon: in a txin commitments system you probably have to pay tx fees with pow rather than fees per-se, though I think it'd be better if mining was forced to be more decentralized in that fashion. 12:08 < petertodd> maaku: it's not a spent-txin set, it's just a txin set - a txin implies a spend. 
:) seriously though, the advantage is reducing the data the blockchain actually handles - in that system the blockchain doesn't even have full transactions, hence less privacy risks and potentially better scalability 12:23 < jtimon> thanks petertodd, pow anti-spam ala hashcash is what I had thought 12:25 < jtimon> related to maaku's question, can you have SPV nodes with this scheme? 12:25 < petertodd> yup, granted, I'd *like* there to be a way for users to pay hashers to do the pow for them, but that can be a separate mechanism and can change 12:25 < petertodd> *NO* 12:25 < jtimon> yeah, outsourcing the pow would be interesting 12:26 < petertodd> remember that the whole point of SPV is you let someone else do verification for you on the principle that they're probably going to do it because of the incentives with mining 06:18 < TD> gmaxwell: it just needs a few bug fixes and packaging work basically, and then it's ready to go. the first step towards StorJ! 06:19 * TD is quite excited to see if it really happens 06:19 < TD> adam3us saw it at the amsterdam conference 06:20 < adam3us> http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg02944.html 06:21 < adam3us> err who is TD? (mike demoed me payfile at ams) is TD mike? 06:21 < TD> yes 06:21 < adam3us> doh ok , hello 06:21 < TD> hi :) 06:21 < TD> one day i should really abandon this nick. but i had it so long ... 06:22 < gmaxwell> TD is secretly TD bank. 06:22 < adam3us> TD: no prob, still catching up on associating bitcointtalk, real name & irc nicks 06:22 < gmaxwell> adam3us: looks like luke hasn't updated the next stuff since july. 06:23 < gmaxwell> adam3us: I decided to make that easy (nick / name matching) a decade ago. 06:23 < warren> hm, I wonder if that guy who wanted to buy my IRC nick for 100 BTC still wants it. 
06:24 < adam3us> gmaxwell, warren: yes but my point with staging is to do a bitcoin next/bitcoin omg but with a one-way peg to insulate bitcoin core from bitcoin next and have real value in it AND associate it with bitcoin itself, foundation etc, not with an altcoin 06:24 < gmaxwell> Every once in a while I still run into someone who goes "holy crap! you're nullc!" (which was my irc nick since ~1993) 06:24 < adam3us> http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg02944.html 06:24 < TD> the nick "mike" was only registered in 2011 and has only been used once. goddamnit. 06:24 < adam3us> gmaxwell: yes i figured out nullc was you from reddit or something 06:25 < gmaxwell> adam3us: I'm not sure you can do live developement in something with value. initial testnet was a disaster even as a testnet, not something for rules expirementation. 06:25 < adam3us> warren: staging, staging, staging 06:25 < warren> adam3us: I found it much easier to fix a critically broken altcoin than to win any political battle here. 06:26 < adam3us> gmaxwell: staging is not testnet, it wouldbe like litecoin level of care 06:26 < adam3us> gmaxwell: but one-way pegged to bitcoin 06:26 < gmaxwell> And anything with value is a competition with bitcoin. I really can't express how demoralizing it is to be compeating with your own work. Even if you try to set it up so it won't be that way, e.g. premine out the altcoin thing, some altcoin will just copy the code and exploit it. 06:26 < adam3us> gmaxwell: so for mindshare and other purposes the coins are bitcoin, its partly an anti-mindshare dilution argument 06:27 < gmaxwell> adam3us: ah, with some cross chain transfer? 06:27 < adam3us> gmaxwell: i think y'all didnt read it, or follow 06:27 < adam3us> http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg02944.html 06:27 < gmaxwell> adam3us: I stopped reading those threads because the initial ideas proposed were not very interesting to me, sorry. 
If you're telling me again its interesting I'll read it. 06:27 < adam3us> gmaxwell: the staging idea is bitcoin staging (need better name) has no native mining, the only way to get coins in is to move them from bitcoin 06:27 < gmaxwell> adam3us: yea great, and when an altcoin copies the code and removes that limitation? 06:28 < adam3us> gmaxwell: and then there is 2-way trade in the reverse direction 06:28 < gmaxwell> Certantly I like the idea that the market can decide to support the new thing by chosing to use it rather than having a speculative feature forced on it via hardforks. 06:28 < adam3us> gmaxwell: altcoins can float or not on their own, you cant prevent it with opensource; but bitcoin staging can capture the early adopter and feature hungry people like mastercoin, colorcoin, warrren (bitcoin omg), lukejr (bitcoin next) 06:29 < warren> how does the staging coin confirm things? 06:29 < adam3us> gmaxwell: which undermines most of the altcoin impetus and mastercoin arguments about faster dev 06:29 < adam3us> warren: side-chain 06:29 < warren> so you mean no subsidy, not no native mining 06:30 < adam3us> warren: right 06:30 < gmaxwell> adam3us: altcoin people hey aren't asking for new features and almost never have any, except for highly trivial changes. They're asking for a get rich scheme. 06:31 < gmaxwell> I don't think you can offer that while making the currency bitcoin. :) 06:31 < adam3us> warren: i wanted to see a way to overcome the must be careful not to damage core value, and see still conservative but faster feature dev, without that being under an altcoin with its own floating value 06:31 < adam3us> gmaxwell: yes; but mastercoin was able to use it as one argument to justify their existence 06:32 < warren> adam3us: there are more complicated issues preventing that aside from the lack of funding 06:32 < gmaxwell> True, fair enough. At least it could prevent that, which might have redirected some of the funding. 
06:32 < warren> adam3us: for example, political will is a limited commodity too. It's demoralizing to work on things that you know will be shot down by <whoever>. 06:32 < adam3us> gmaxwell: i mostly mean like the argument warren gives that litecoin can provide ne wfeatures faster 06:33 < TD> like what things? 06:33 < gmaxwell> I really wish I had some way to estimate how many people actually understand the concept of decenteralized cryptocurrency, e.g. where a hypothetical paypal-bucks and bitcoin are distinct in their minds. 06:33 < adam3us> gmaxwell, warren: so i think its more interesting to capture the new features under the bitcoin foundation umbrella as bitcoin staging than have those features motivate or drive adoption of an altcoin 06:34 < adam3us> TD: features? eg like armory's request to have the signature include the value, so he oesnt have to transfer 1MB to validate a tx 06:35 < warren> adam3us: you're missing the fractured camps of different groups out there upset with the bitcoin foundation for different reasons, ranging from the anarcho-capitalist crazies to sane technical people. 06:35 < gmaxwell> It might actually turn out that there really are only a few thousand people that are really very of the underlying ideas, which would explain some of the lack of progress. 06:35 < warren> adam3us: Bitcoin Foundation does not control Bitcoin 06:35 < gmaxwell> It's going to control Bitcoin. The general public already believes it does. 06:36 < TD> adam3us: i meant what stuff was warren seeing being shot down 06:36 < gmaxwell> And most of them believe it always did, because the idea of something not being produced by an instution is too foreign to contemplate in any case, so they're not upset about it as a landgrab. 
06:36 < adam3us> warren: my point was the mind share for new features should stay with bitcoin (less worried about foundation arguments) 06:36 < warren> TD: I sometimes rather give up on pushing things that would protect Bitcoin, it's easier to prove it elsewhere first. 06:37 < warren> adam3us: that's a reasonable goal, lacking funding 06:37 < adam3us> warren: well a great example is the sig includes input value i gave, armory badly needs that to make more secure offline wallet 06:37 < TD> warren: like what? 06:37 < adam3us> warren: as is they have to send the full tx details just to be able to validate 06:37 < warren> TD: really too late to get into this right now. 06:37 < TD> warren: i mean you assert that we shoot down all your great ideas, but i don't remember this happening 06:38 < TD> well, alright. 06:38 < gmaxwell> Well I certantly shoot down ideas. :P 06:38 < TD> but just be aware that maybe some ideas get shot down for valid reasons :) 06:38 < gmaxwell> some of them are even good sounding ones. :P 06:39 < adam3us> TD: 'm guessing he would more mean good ideas, that are delayed for risk arguments, like armory's request i saw that iscussed and most seemed to think it a good fix, but i am not sure when its going to happen as any kind of fork is a scary scary thing to navigate for good reason 06:39 < gmaxwell> Like I think we should have UTXO expire in bitcoin, because it will increase supply certanty, reduce validation costs, and protect the network from cracking attacks bringing back long lost coins.. but I also think that doing so would be economically incompatible with bitcoin a violation of our promises. 06:40 < TD> adam3us: i don't think that's delayed for "risk reasons". nobody has written the code, have they? so the question of when to do such a hard fork has never even come up yet. 06:40 < gmaxwell> adam3us: I haven't yet seen a softforking value-in-txn design that wasn't ugly as sin. Certantly no one has even drafted a bip for one. 
06:41 < adam3us> TD, gmaxwell: fair enough i guess i should get off my butt and write one... but i am not blowing smoke i think to say the core has to be rightly extremely cautious about changes 06:42 < gmaxwell> sure, and indeed it is but thats not the cause for changes not existing. 06:43 < adam3us> gmaxwell: hmm i suspect warren thinks different, and i saw sipa said the only way to make faster change was a rewrite i dont know as i havent tried it first hand 06:44 < adam3us> gmaxwell: ah maybe the issue is the softfork - the actual (probably hardfork) design and idea seemed extremely simple and clean I thought 06:44 < warren> TD: it isn't my great ideas, and it isn't about quantity 06:44 < TD> yeah. doing it with a hard fork isn't that hard. i'd like to see this happen too. 06:45 < gmaxwell> adam3us: changing transaction syntax in a hardfork would be trivial (but god, I hope that input values wouldn't be all that we'd change) 06:45 < gmaxwell> but now what are you going to do with the fact that parties like mtgox and coinbase use their own node software and are already not able to keep it working right. How will they adopt this hardfork? 20:12 < gmaxwell> justanotheruser: dude, wtf. you are trying to employ bitcoin to do one of the things it doesn't really do at all antijamming. If you can assign ballots to people the voting process is largely done, nothing hard remains. 20:12 < justanotheruser> gmaxwell: anonymizing remains 20:12 < petertodd> justanotheruser: there are much better ways to anonymize votes 20:12 < gmaxwell> (well, except anti-coercion is basically impossible in a online voting context) 20:13 < gmaxwell> anonymizing is kinda pointless if you don't generally have anti-coercion, but anonymizing is trivial, go look up "reencryption mix" 20:13 < justanotheruser> petertodd: anything other than zerocoin of a central authority? 20:13 < gmaxwell> electronic voting is a _very_ well studied subject. 
20:13 < petertodd> justanotheruser: this has been a "sexy" problem in crypto for years, and people way smarter than any of us have spent whole phds on the subject 20:14 < gmaxwell> invoking bitcoin for it is just a redneck suggesting his trusty shotgun as a solution to multivariet calculus. :P 20:14 < gmaxwell> Bitcoin solves an entirely unrelated problem, and it doesn't solve the important problems in voting. 20:14 < petertodd> justanotheruser: if you need decentralized consensus about the results of a vote then blockchain's can make sense, but rarely do you need that 20:14 < justanotheruser> Is there another decentralized voting method? 20:14 < petertodd> justanotheruser: so why is this vote required to be "decentralized", and what do you mean by that term? 20:15 < justanotheruser> petertodd: I would like it to be decentralized because it prevents vote manipulation and what's happening in Russia. 20:15 < gmaxwell> justanotheruser: what you were suggesting didn't sound decenteralized. But assuming you get as far as somehow giving ballots to voters, there are systems which are no less decenteralized than bitcoin. 20:15 < gmaxwell> justanotheruser: how do you plan on giving each person one ballot without someone getting 500 in a decenteralized manner? 20:16 < petertodd> justanotheruser: right, so you're applying this voting scheme to a typical thing where the list of voters is already defined by a central authority, so you don't need blockchains - existing crypto works just fine 20:16 < justanotheruser> gmaxwell: That is centralized, but you can verify that someone isn't getting too many votes, no votes, or that imaginary people are getting votes. 20:16 < petertodd> justanotheruser: you can't with crypto - those are all human problems 20:16 < gmaxwell> okay if you can do that you can just apply the mountains of evoting lit. 
20:17 < justanotheruser> petertodd: Yes it is 20:17 < justanotheruser> *Yes they are 20:17 < petertodd> justanotheruser: I mean, once you solve the problem of figuring out who the voter list is, you can start using crypto, but you already have a central authority so standard algorithms and techniques work - they don't use blockchains 20:18 < gmaxwell> and blockchains don't work, because you get crap like "a majority of hashpower can rig the election" which is undesirable to a high degree. 20:19 < petertodd> gmaxwell: yes, unless the voter list is defined in terms of hashing power :P 20:19 < gmaxwell> I do kinda like idea of using OWAS to create a jamming proof communications mesh, I don't think I've seen that proposed outside of #-wizards. 20:19 < gmaxwell> petertodd: yea okay, sure you can just leave out the voters list then... miners decide. :P 20:19 < petertodd> gmaxwell: more seriously, with my timelock thing you *can* do a vote with well-defined limits for how easy it is to rig the election 20:20 < fagmuffinz> OWAS? 20:20 < justanotheruser> gmaxwell: yes, that was my original problem, I wanted to have the merged mining to be paid it bitcoin somehow. This would increase the number of miners and prevent 51% (hopefully) 20:20 < gmaxwell> fagmuffinz: One Way Aggregatable signatures. 20:20 < fagmuffinz> donka 20:20 < gmaxwell> fagmuffinz: cryptographic signatures which you can merge and still validate, but you cannot unmerge. 20:21 < gmaxwell> fagmuffinz: so e.g. you give me your vote and I merge in the vote I have (which is a merge of petertodd and mine) and then we pass it on.. and someone can't later pick apart our votes to only includ yours in the election, unless they get a clean copy of yours from you. 
20:22 < fagmuffinz> I looked up your previous explanation =] 20:22 < fagmuffinz> Would be decent for building the mesh 20:23 < gmaxwell> well my though is that politics often follow social lines, so you could still perhaps rig, but it would be highly detectable when virtually all of the votes for one candidate disappear. :P 20:24 < maaku> petertodd: but how do you have a timelock system that isn't at the DoS-mercy of the person running the timelock? 20:24 < fagmuffinz> Yea, still, it's not quite the long-term solution yet 20:24 < fagmuffinz> There's probably no good way, without centralized trust, to resolve that issue 20:25 < gmaxwell> fagmuffinz: oh nah, in most cases the voting systems don't really need jamming free communication. what they do is make it easy to check what votes are included before the count, and then trust that if your vote is omitted you will scream from the hilltops. 20:25 < fagmuffinz> Yea, that'd be sufficient 20:25 < gmaxwell> e.g. disencranchisement is detectable. 20:25 < fagmuffinz> Assuming good citizenry 20:25 < fagmuffinz> Yea 20:25 < maaku> which works in democracy, but not automated consensus systems 20:25 < petertodd> maaku: read the paper, it's not a central timelock, just a sequantial hard algorithm 20:26 < fagmuffinz> Yea, guaranteeing that your vote made it after the count is sufficnet 20:26 < fagmuffinz> sufficient *** 20:26 < petertodd> maaku: obviously cracking the timelock is computationally intensive of course 20:26 < fagmuffinz> petertodd: Is a timelock explanation above? 20:27 < maaku> fagmuffinz: only if there is repercussions for cheating 20:27 < midnightmagic> if a citizen doesn't care if his vote is counted, it's not really disenfranchisement. 
20:27 < maaku> in some applications - PoS vote on validation rules, for example, it is useless to complain 20:27 < fagmuffinz> Voting is a social system 20:28 < fagmuffinz> Separate from guaranteeing existence in something 20:28 < maaku> the votes drive some consensus process, and there's no way to back out other than to abondon the whole system, which would be a successful DoS outcome 20:29 < fagmuffinz> DoS is a universal threat that you have to accept upon automating this shit 20:29 < fagmuffinz> The only sure way of mitigating DoS is having enough infrastructure 20:30 < justanotheruser> fagmuffinz: not necessarily in a decentralized system 20:30 < justanotheruser> for example: Bitcoin is very difficult to DoS 20:30 < maaku> petertodd: ok i understand, it just maks decrypting have a cost 20:30 < fagmuffinz> Hence you're trying to use it for voting 20:31 < fagmuffinz> Correct? 20:31 < justanotheruser> fagmuffinz: that's not the reason I want to use it for voting. It's more to verify that everyone who got a vote had their vote counted. 20:32 < maaku> petertodd: if some joker puts a ballot in that is ill-formed, junk, or encrypted with different key, it would be nice to have a compact, quickly verified proof of that 20:35 < petertodd> maaku: yeah, that's a very interesting crypto problem actually, I suspect it may be incompatible with the sequential-hard scheme 20:36 < fagmuffinz> justanotheruser: Are you just inquiring or do you have some partial plan? I'm thinknig about what gmaxwell put forward in terms of aggregating a single score for verification... 
20:36 < maaku> petertodd: i have a rather near term application if a jamming-resistant proof-of-stake voting scheme can be found 20:36 < fagmuffinz> You could tell your vote made it into the list 20:37 < petertodd> maaku: of course the whole thing is dependent on the fact that the fastest sequential implementations of a lot of algorithms are reasonable close to each other in performance - off-the-shelf is basically the best you can get within an order of magnitude 20:37 < petertodd> maaku: oh yeah? 20:37 < fagmuffinz> You'd need to take additional steps to ensure the list was properly counted 20:37 < justanotheruser> fagmuffinz: Is is possible to do that anonymously? 20:37 < maaku> yeah, demurrage distribution - "repbulicoin". i forget if I've told you about it already 20:38 < petertodd> maaku: ah yeah, that'd work 20:38 < maaku> demurrage distributed according to forced coinbase payments determined by a proof-of-stake vote on a jamming-free ledger 20:39 < petertodd> maaku: damn expensive those in terms of cpu-power 20:39 < maaku> i got it worked out up to the jamming-free part :\ 20:39 < petertodd> s/those/though/ 20:39 < maaku> yeah, hence the need for cheap verification.. 
20:40 < maaku> i'm okay with votes being expensive, but validating nodes that count the votes need to be cheap 20:40 < petertodd> yup, and I'm pretty sure that's been proven to be impossible 20:40 < maaku> well you could do it with gmaxwell's ticking timelock pow for example 20:40 < petertodd> obviously you can easily pass around the decryption keys proving a vote exists, but not the other way around 20:40 < maaku> so there's an existence proof 20:40 < maaku> oh you mean the cheap validation 20:41 < maaku> darn 20:41 < petertodd> well keep in mind that part of the reason why the scheme can work if embedded in otherwise-normal looking transactions is that miners would (in theory) find it too expensive to just block all transactions 20:42 < petertodd> the moment you have a "well-known" place where the vote would be recorded it becomes much easier for miners to rig the vote 20:48 < maaku> yes it would have to be either steganographically encrypted, or taken out of the miners hands 18:29 < gmaxwell> ... systems were bonded with mining donations, which might help, but its very murky to me. 18:31 < maaku> gmaxwell: well if most txns don't hit the chain, it's okay for those which do to pay the price 18:31 < maaku> it seems some people want 10,000 tps with <$0.01 txn fees 18:32 < maaku> i'm more in the camp of only slightly larger blocks, with much higher fees 18:32 < maaku> and moving most transactions off-chain (even day-to-day payments - heretical I know) 18:32 < gmaxwell> maaku: yea, indeed. And until we get magical pixie dust computers and networks we cannot do 10,000 tps without losing decenteralization. 18:32 < adam3us> maaku: as long as the properties you get off chain are matching the on chain properties (unseizable, relatively fungible, not relying on indivdual servers, p2p survivabiity and durability of asset ownership) 18:33 < maaku> gmaxwell: also, freicoin. (demurrage payments to miners) 18:33 < adam3us> maaku: it is another model for funding miner.. 
free tx for the cost of a small demurrage; however it doesnt prevent dust payment spam 18:33 < gmaxwell> maaku: mostly I worry that so long as bitcoin is maxmally decenteralized you can build more scalable systems on top of it. But if bitcoin loses some of its decentralization you cannot build a more decentralized system on top of it. 18:34 < gmaxwell> maaku: the inflation model implies a free parameter which there doesn't seem to be a way to make the system set which could be wildly wrong. ::sigh:: 18:35 < gmaxwell> If we knew that processors would never become more powerful or energy more plentiful we could use potentially use hashrate to control inflation to pay for mining... but thats clearly wrong. 18:35 < gmaxwell> I hope at least bitcoin will advance the minimum difficulty over time. 18:37 < gmaxwell> maaku: also one of the biggest concerns is that we're _clearly_ losing decentralization already. I don't this can be debated, but I don't think the causes are as clear as the symptoms. 18:37 < maaku> adam3us: If there was a less expensive solution that had all of those properties, it would completely replace bitcoin. If you find that holy grail, let me know so I can short BTC. 18:37 < maaku> Otherwise, for a given application there are probably one or two of those requirements you can relax in return for some performance. 18:38 < maaku> It won't match all applications, but for yours it will work. And when you really need every single property of bitcoin, use bitcoin. 18:38 < maaku> And pay the cost 18:38 < gmaxwell> e.g. like the tamperresistant hardware that exchanges private keys... security is .. meh. but it works offline and is untracable! 18:38 < adam3us> maaku: well i'm interested in improving bitcoin 18:40 < adam3us> i think there is systemic danger even from the existence of altcoins, not just to bitcoin specifically but to digital scarcity coins in general 18:40 < adam3us> if litecoin overtook bitcoin then what - would bitcoin nosedive to 0? 
18:40 < adam3us> and then people in litecoin would be look at feathercoin, novacoi etc and wondering if the same thing is going to happen 18:40 < gmaxwell> adam3us: I agree. Or I'll explain more concretely. I think there is a nontrivial risk that the first time an altcoin replaces bitcoin all decenteralized cryptocoins will substantially die. 18:41 < maaku> You can't extrapolate from an inconsistent assumption. 18:41 < jtimon> gmaxwell, you earier said: The point is that you can do an interactive hashtree proof where you interact with the network. E.g. you give the miner a big proof, and the block hash tells it how to subset the proof. Because the block hash requires 2^lots work, creating a false proof is at least as expensive as mining many blocks and throwing them away. 18:41 < gmaxwell> adam3us: oh you're saying exactly the same thing I am. 18:41 < adam3us> its fun for the people who get in selfishly, but it could be lethal if too succesful individually in a given altcoin 18:41 < maaku> Litecoin won't overtake bitcoin - neither will freicoin, either (I'm not biased!) 18:41 < jtimon> can't this be combined with adam3us's blind timestamping? 18:41 < adam3us> gmaxwell: ah i didnt read your bit, yes we coincidentaly said the same thing 18:42 < maaku> There's just no mechanism that could happen except rich people blindly throwing money away (unlikely) 18:42 < gmaxwell> maaku: Right, but assume Makku-ultimate-coin does. Doesn't matter which one does. Say it does. Once it does the people holding it are going to wonder .. hey when will something else overtake ... this. 18:42 < gmaxwell> so if it ever happens it could unwind the whole thing. 18:43 < gmaxwell> Though I'm not expressing an opinion on how likely that is to happen, the network effect and first mover advantage are enormous. 18:43 < adam3us> yes sad though it is that no one can again become rich like satoshi 18:43 < gmaxwell> jtimon: perhaps. 
18:43 < adam3us> if they try and succeed it maybe the end 18:43 < maaku> gmaxwell: my point is that won't magically happen overnight. if it did happen, it'd be for a specific reason, and that specific reason would determine the answer to the question about what people would do/think next 18:43 < jtimon> on the altcoin stuff, if one falls because a new one is better 18:44 < gmaxwell> maaku: there are lots of ways to improve on bitcoin, as everyone in here knows. :) 18:44 < sipa> i don't think bitcoin will be taken over by anything, until it actually fails 18:44 < jtimon> maybe people learn their lesson and start saving in real assets and credit instead of scarce-money 18:44 < adam3us> jtimon: the issue is the undermining of the concept of scarcity and longevity of the logscale graph heading to market saturation 18:45 < gmaxwell> sipa: I think the question of if something overtakes it at all even after depends on how it fails. 18:45 < jtimon> but that doesn't mean the new one won't have enough value to serve as medium of exchange 18:45 < adam3us> jtimon: it might create destabalization and fundamental loss of confidence in the concept that doesnt reinflate 18:45 < gmaxwell> or maybe not, ... I mean I'm shocked at how scammy things can be and people still participate. perhaps its unstoppable. 18:46 < jtimon> I disagree, maybe because I never considered bitcoin or any other money to be a store of value 18:46 < adam3us> jtimon: the phenomena is seen historically with money that became fractional, suffered hyperinflation (collapse) and then could not be restarted without going back to gold backing 18:46 < gmaxwell> adam3us: or USD backing. 
:P 18:47 < adam3us> the bootstrap phase, expectation, and psychology matter; 18:47 < maaku> adam3us: just because something hasn't been done before, doesn't mean it's impossible 18:47 < adam3us> this is the road to the digital tulip story 18:47 < jtimon> I don't think that's true, I think fiat was restarted in germany just with another denomination 18:47 < maaku> but this is probably not an argument for -wizards 18:47 < jtimon> sure 18:47 < sipa> #bitcoin-psychology ? 18:47 < gmaxwell> Interestingly, bitcoin may be the only currency in "widespread" use which isn't at least indirectly tracable to being fixed to gold/silver at some point. 18:48 < adam3us> anyway i am more interested in improving bitcoin than altcoins and they maybe a danger to the concept of digital scarcity 18:48 < adam3us> gmaxwell: yes i think economically its writing history 18:49 < gmaxwell> (the closest I could find was ILS but it was fixed to the israel lira, which was fixed to the ukp, which was fixed to the usd (!), which was previously fixed to gold) 18:49 < adam3us> a new asset class etc, but the potential risk ith digital scarcity is new scarcity runs can be started on whim; thre needs to be a "gold tandard" of scarcity that people do not jump away fro 18:50 < adam3us> so i think altcoins should use the 1 way peg to bitcoin method i proposed for bitcoin-staging, and innovation should go into bitcoin staging 18:50 < jtimon> I don't think altcoins are a danger to digital scarcity and I couldn't disagree more with the need of a "gold standard" 18:50 < adam3us> we have enough dev resource shortage with out fragmenting 18:50 < gmaxwell> adam3us: thats partially why I wanted someone to create an altcoin generator.. basically keep the basin of low value stuff constantly flooded. 18:51 < gmaxwell> and remove the prospect of ever making big money with yet another worthless altcoin. 18:51 < jtimon> what bitcoin "backing" has to do with development fragmentation? 
18:51 < adam3us> gmaxwell: well iw as thinking something related that these parm tweaks, surely they can be made to coexist on a meta chain 18:51 < maaku> <adam3us> we have enough dev resource shortage with out fragmenting 18:51 < adam3us> then the people who wnt to do them can just publish a paramset gensis msg 18:51 < gmaxwell> adam3us: the param tweaks are marketing not merit for the most part. 18:51 < maaku> <-- which is why we shouldn't bring currency politics into this 18:52 < adam3us> maaku: not getting t you guys - friecoin and friemarkets aimed for real innovation 18:52 < sipa> s/ie/ei/g 18:52 < adam3us> yes 18:52 < jtimon> I actually don't think freicoin is about innovation but about another monetary theory 18:52 < jtimon> freimarkets is about innovation, but it's not freicoin specific 18:53 < sipa> well, at least they are interesting experiments 18:53 < sipa> whether you agree or disagree with their theory 18:53 < gmaxwell> My comments whining about altcoins are always to the extent that they didn't do anything interesting. Something inflationary is pretty distinct (even if economically its less so than people guess at first). 18:53 < maaku> hrm maybe we shouldn't have named it "freimarkets" 18:53 < sipa> litecoin's scrypt was also an interesting experiment, but we're way past that point 17:09 < adam3us> gmaxwell: you know i noticed petertodd and warren both put just the keyid on their biz card in lieu of a proper fp 17:10 < gmaxwell> adam3us: yea, thats why my cards had the full fingerprints. esp people with short ids (32 bit) on their cards. egads. 17:10 < adam3us> gmaxwell: peter put 64-bits warren only 32-bits.. 
i'm not sure i can sign warren's key on that basis - its trivial to brute force that espeically if can vary meta data 17:10 < adam3us> gmaxwell: peter said yeah but 64-bits is reflective of the practical security (intentional humor or something) 17:11 < gmaxwell> adam3us: I'm planning, when I upgrade my pgp key to ECC to grind out a silly ID .. e.g something with 64 bits of zeros. 17:12 < adam3us> gmaxwell: awesome :) vanity keyid, vanity fp etc 17:12 < BlueMatt> adam3us: pm? 17:14 < BlueMatt> gmaxwell: you should share that code :) 17:14 < BlueMatt> (for the lazy among us) 17:14 < Luke-Jr> so we all have key id 000000000 ? 17:14 < gmaxwell> BlueMatt: I have an old patched up version to timestamp grind. .. but to get a 64 bit result I'm going to need to use a fpga cluster. 17:14 < gmaxwell> its just sha1 though, so it should be pretty fast. 17:15 < BlueMatt> ahh 17:15 * BlueMatt needs to invest in a fancy hardware setup with fpgas... 17:16 < gmaxwell> well I'm hoping to buy up some ex mining farm hardware but crazy people are bidding them up 17:19 < adam3us> u know the point of the guy who made this collision is that he thought gpg might do something stupid in this case :) 17:19 < adam3us> gmaxwell: u know there is opencl code for hashcash-sha1 mining contact the guy who did the 48-bit stamp on hashcash.org 17:20 < adam3us> gmaxwell: probably no hard to modify the existing sha256 opencl code either, according to the sha1 guy his code was not super optimized 17:22 < Luke-Jr> adam3us: the SHA256d OpenCL code is pretty super-optimised.. 17:33 < adam3us> Luke-Jr: yeah, apparently the sha1 opencl not so much (he didnt release it but probably would on request), its probably better starting point to modify the otpimized sha256 to sha1 17:34 < gmaxwell> adam3us: all the password cracker projects now have stupidfast ocl SHA1. 17:34 < adam3us> perfect 17:34 < adam3us> gmaxwell: so you're going to fpga it? 
17:35 < gmaxwell> that was my vague plan but I was waiting for the 400 bit DJB curve stuff to make its way into openpgp. 17:36 < sipa> I have 5 ztex FPGA's that are unused now :) 17:36 < sipa> (each did around 200 MH/s of bitcoin-double-sha256-mining) 17:37 < gmaxwell> sipa: that hits the spot! art had said that sha1 on the lx150s was much faster than sha256. 17:38 < sipa> but doing 2^64 iterations on those is still 584 years for double-SHA256 17:43 < gmaxwell> I think sha1 being 20x faster isn't unreasonable, but 500x faster seems unlikely. So obviously I'll need to find more fpgas. :P 18:23 < lolcat9> #bitcoin-dev 18:46 < sipa> gmaxwell: in some future keysigning party: "Dang, we have a bunch of former Bitcoin miners joining... they all have the same key id :(" 18:47 < Luke-Jr> former? :< 18:49 < gmaxwell> hahah 18:50 < sipa> Luke-Jr: using pre-ASIC hardware 18:50 < Luke-Jr> sipa: hopefully we all upgraded to ASICs! 18:50 < Luke-Jr> gmaxwell: you have ops in #bitcoin-dev right? 18:51 < gmaxwell> yep 18:51 < sipa> so do i 18:51 < Luke-Jr> sipa: but you weren't there :P 21:15 < Skyminerlabs> http://www.skyminerlabs.com/ we have released our V2 of our mining simulator for the PCI-E 600GH/z product check this out! 21:16 < gmaxwell> Skyminerlabs: wtf. fuck of scammer. 21:58 < Emcy> mining simulator? what even is? 22:39 < andytoshi> i'm kinda curious about that too.. 22:39 < andytoshi> i guess that's a way to scam, go into the wizards channel and post a link to something that's just gotta be some sorta something.. 22:48 < nOgAn0o> Bearcubbys, I am loving you tonight. 22:49 * nOgAn0o toke 22:49 * Luke-Jr wonders how he learned about -wizards :< 22:50 < BlueMatt> we need #bitcoin-wizards-nospam 22:50 < nOgAn0o> Wow, like someone was talking about anything the 9 minutes prior? 22:50 < nOgAn0o> I apologize for disturbing! 22:51 < nOgAn0o> May the Lord Jesus Christ bless you all. 
22:51 < nOgAn0o> And maybe if you wouldn't spend all day coding and on IRC you wouldn't be so grumpy all the time. Just a suggestion. 22:53 < BlueMatt> nOgAn0o: no one was talking about you (until now) 22:54 < nOgAn0o> Oh. *blushes* 23:05 < gmaxwell> Luke-Jr: I believe there is a way to /list with a wildcard. 23:05 < nOgAn0o> ./list bitcoin got me here 23:05 < nOgAn0o> mIRC 23:06 < BlueMatt> gmaxwell: I thought you werent supposed to be able to see what chans people are in unless you're in them too :( 23:06 < nOgAn0o> I just can't believe there are not more people in here watching what you guys are up to.. on an 11 billion dollar currency.. heh? 23:07 < gmaxwell> BlueMatt: there is a channel mode that hides the channels. 23:08 < gmaxwell> nOgAn0o: this channel isn't a production channel, little we talk about here has near term relevance to bitcoin. 23:08 < BlueMatt> gmaxwell: it will become relevant when we can get someone to hire bitcoin core devs to work on bitcoin core full time... 23:10 < nOgAn0o> gmaxwell, I need a favor.. I need to find an old ASIC.. Jalapeno or something.. 2GH USB stick.. or super cheap 336 Block Erupters.. I've been wanting to mine for 3 years and never had money for hardware.. But I need a small unit and good deal. 23:10 < BlueMatt> nOgAn0o: please at least ask that on #bitcoin, but probably not in a channel... 23:11 < nOgAn0o> I am sorry for the spam but please anyone who can help message me.. I have .22 BTC and 1.0 LTC and can access more. 23:11 < nOgAn0o> Sorry BlueMatt --- Log closed Sat Dec 14 00:00:54 2013 --- Log opened Sat Dec 14 00:00:54 2013 00:35 < adam3us> hmm seems like some wikipedia action on bitcoin history... 
new page on nick szabo created 8th dec claiming bitcoin is basically szabo's bit gold ; and new section in bitcoin history with the same claim created 5 dec 00:35 < adam3us> by same wikipedia account dbabbitt 00:36 < adam3us> i fixed it to refer to b-money & hashcash & rpow later but got curious to look when this appeared! 00:36 < adam3us> https://en.wikipedia.org/w/index.php?title=History_of_Bitcoin&diff=584693698&oldid=584684996 00:36 < adam3us> scroll to bottom 00:37 < adam3us> new 'pre-history' section "bit-gold [...] is the direct precursor to the Bitcoin architecture." 00:41 < Luke-Jr> adam3us: meh, Wikipedia isn't usable when there are trolls around 00:43 < adam3us> curious meme though... someone trying to cement szabo as probable satoshi - is it szabo doing the edits and about out to out himself? or someone took the latest speculation that it might be satoshi and decided stamp that speculation as near fact on several wikipedia pages 14:16 < michagogo|cloud> 06:06:02 <BlueMatt> gmaxwell: I thought you werent supposed to be able to see what chans people are in unless you're in them too :( 14:16 < michagogo|cloud> That's usually the case 14:17 < michagogo|cloud> A non-shared channel won't show up in /whois if the user being whoised has umode +i (which is the default) and/or if the channel in question is cmode +s (which is enabled by default for unregistered channels, but is disabled by default for registered channels) 14:18 < michagogo|cloud> This channel is -s, so if any user in here is -i, anyone who whoises that user will see this channel 15:29 * andytoshi-logbot is logging 23:26 < HM2> PT Mono may be the best programming font of all time 23:26 < HM2> even ugly template code looks pretty --- Log closed Sun Dec 15 00:00:56 2013 --- Log opened Sun Dec 15 00:00:56 2013 01:46 < Emcy> 
http://www.quora.com/Distributed-Systems/What-does-a-career-in-distributed-systems-feel-like-In-terms-of-the-kind-of-programming-you-have-to-do-nature-of-bugs-or-issues-work-life-rhythms-etc/answer/Bram-Cohen?srid=CW&share=1 interesting comments 01:46 < Emcy> "Then I run into... how to put this... barriers to commercialization which don't apply to most products. 01:46 < Emcy> " 01:46 < Emcy> I think he means lobby money....... 11:31 < gwern> hola. so I need to tell Gavin about a possibly-schizophrenic stalker that seems to be targeting him. does anyone have a real contact email for him they wouldn't mind giving me? (given the nature of the issue I'd prefer to tell him sooner rather than later) 11:55 < gwern> anyone? 11:55 < gwern> alright, whatever, I'll just use 11:55 < gwern> gavinandresen@gmail.com 11:55 < gwern> it *probably* isn't a real threat, after all 12:01 < michagogo|cloud> gweIs that somehow a non-real contact email? 12:01 < michagogo|cloud> :-/ 12:01 < michagogo|cloud> combination if the user leaving and lag eating keystrokes 14:38 < amincd> Hi guys, any feedback on this idea would be appreciated: https://bitcointalk.org/index.php?topic=365392.msg3900881#msg3900881 16:42 < gmaxwell> andytoshi: maaku: phillipsjk gave an attack on multiparty CJs that either I hadn't considered or I considered and forgot. https://bitcointalk.org/index.php?topic=279249.msg3982242#msg3982242 16:44 < warren> adam3us: good criticism on the 32bit keyid on card 16:51 < andytoshi> gmaxwell: thx, i'll check it out 16:52 < andytoshi> and agreed, i am not going to distinguish between fee and donation 16:52 < andytoshi> if people don't trust me, they can verify the transaction themself before signing 16:52 < andytoshi> unfortunately "andrew stole all the fees" and "somebody put a ton of inputs in without paying a corresponding donation" will look the same.. 16:53 < andytoshi> ah, that is essentially the phillipsjk attack 16:57 < gmaxwell> andytoshi: well it means that e.g. 
if two people pay extra fees because they want faster confirmation, you could be eating them anyways. 17:03 < andytoshi> right 17:03 < andytoshi> so i think, i'll do that always and be upfront about it :P 20:53 < gmaxwell> Your signed submission. 20:53 < gmaxwell> Success! If all signatures arrive, the transaction will be broadcast at the start of the next session. Thanks! 20:53 < gmaxwell> Your unsigned submission. 20:53 < gmaxwell> Thanks for submitting an unsigned transaction. 20:53 < gmaxwell> Sorry, this session was not found. 20:53 < gmaxwell> Thanks for helping bitcoin's privacy. 20:53 < gmaxwell> andytoshi: also, you should do something visually drastic when its ready to sign 20:53 < gmaxwell> andytoshi: like change the page background to blue. 20:54 < gmaxwell> I'm also now getting at the front index: 20:54 < gmaxwell> The current session is open for -1387158864 more seconds. There are currently 0 transactions in the pot. Note that if there are less than two transactions in the pot at the end of the session, this session will be invalidated. 20:54 < gmaxwell> and a constant rescroll to the top of the page. :P 20:54 < gmaxwell> heh 20:55 < gmaxwell> The way it works is as follows: every -1387158602 seconds, a new session opens. During each session, users submit transactions to be joined, and recieve a URL specific to that session. 20:55 < michagogo|cloud> gmaxwell: You're nullc, right? 20:57 < andytoshi> gmaxwell: sorry, this is a bad time for you to test :) 20:58 < andytoshi> it should be right in half an hour or so... 20:58 < andytoshi> when i changed the cronjob to run every minute, i broke the session management pretty badly 20:59 < typex> what are you working on andytoshi? 
21:03 < andytoshi> typex: i am writing a web interface to handle coinjoining via rawtransactions 21:03 < typex> coo 21:03 < typex> cool 21:04 < andytoshi> :q 21:06 < gmaxwell> michagogo|cloud: yes 21:06 < typex> andytoshi, I'll gladly help to test if you want 21:07 < gmaxwell> typex: right now his service is running on testnet, so if you're not running testnet 21:07 < gmaxwell> andytoshi: oh I don't mind, I'm just testing it periodically. 21:08 < gmaxwell> andytoshi: In my mind the deal is I keep testing it and don't mind that it doesn't work, and you don't mind that I keep reporting things for you to fix. :) 21:08 < typex> sure 21:08 < typex> hehe 21:10 < andytoshi> thx a ton for your time and suggestions, gmaxwell 21:10 < andytoshi> typex: yeah, that'd be great 21:10 < andytoshi> http://testing.wpsoftware.net/coinjoin/ 21:10 < gmaxwell> andytoshi: no problem, this sort of thing fits the time I actually have available, stolen moments as I get blocked (or wait for a compute job) on other projects I'm working on. 21:11 < typex> bitcoin-qt shouldn't get messed up in any way if I switch it to testnet right? 21:15 < michagogo|cloud> nope 21:15 < gmaxwell> typex: nah, perfectly fine to switch (or run both at once, in fact) 21:15 < michagogo|cloud> You can even run test and mainne- 21:15 < typex> great 21:15 < michagogo|cloud> what gmaxwell said 21:16 < gmaxwell> I run both at once every once in a while I run the wrong one and I'm very confused. 21:17 < gmaxwell> "whooo! solo block!" ... "aww" 21:17 < typex> :-) 21:19 < michagogo|cloud> heh 21:30 < michagogo|cloud> andytoshi: getting a Failure: output value not equal to input value. Check the section on Donations and Fees below. 21:30 < michagogo|cloud> But as far as I can tell, inputs and outputs are equal 21:30 < andytoshi> can you msg me the raw transaction? 21:31 < michagogo|cloud> http://pastebin.com/4QNDyyqR 21:34 < andytoshi> sigh, effing php.. 21:34 < michagogo|cloud> Heh, overflowing the input field? 
21:34 < andytoshi> nope, just saying 24.45 != 24.25 21:34 < michagogo|cloud> Well, that's true 21:34 < andytoshi> to be fair, this is probably not php's fault.. 21:34 < michagogo|cloud> But in this case, 24.45 == 24.45 21:34 < andytoshi> lol, i meant 25.45 == 25.45 21:35 < michagogo|cloud> Ruby calculates the total of the outputs as 25.450000000000095... 21:35 < michagogo|cloud> stupid floating points 21:35 < andytoshi> i guess, i'll put a 'within 1 satoshi' check and that should do it 21:36 < michagogo|cloud> heh 21:36 < andytoshi> can i get bitcoind to send me satoshis instead of floating-point numbers? 21:36 < michagogo|cloud> It actually sends you decimals 21:36 < michagogo|cloud> :-P 21:36 < andytoshi> :) 21:36 < michagogo|cloud> You just need to get php to not treat it as a float 21:37 < michagogo|cloud> (if that's possible...) 21:37 < andytoshi> cool, it accepted your transaction 21:37 < andytoshi> http://testing.wpsoftware.net/coinjoin/sign.php?session=cba2c4be86cdda9f6828baa4294dbff5e04d09413e6b15252d986679be6d1399 21:37 < andytoshi> i highly doubt it's possible 21:37 < michagogo|cloud> In Ruby, I might try multiplying by 100000000 and calling to_i 21:38 < andytoshi> yeah, i could do that actually 21:38 < michagogo|cloud> (if the inaccuracy is sub-satoshi) 21:40 < andytoshi> ok, so if you are idling on the link i sent you, in about 6 mins we should both hear a ding, which means that we can sign 21:41 < michagogo|cloud> BTW, probably you should include the fee/donation address on the sign page 21:41 < michagogo|cloud> Aww, you require a confirmation on inputs? 
21:41 < michagogo|cloud> :-/ 21:42 < andytoshi> yeah, sorry 21:42 < michagogo|cloud> At least it didn't kick me back to the front page on a failed transaction 21:42 < andytoshi> yeah, i fixed that..very very annoying 21:42 < michagogo|cloud> Oops 21:42 < michagogo|cloud> Accidentally just sent 0.05 BTC to the fee/donation address 21:43 < andytoshi> the one-conf thing is to prevent double-spends, and it's kinda an antidos 21:43 < andytoshi> with sendtoaddress? 21:43 < michagogo|cloud> Nah 21:43 < michagogo|cloud> By signing and sending 0100000001a1188d6860b79fcd97d87d488cd8c86dbdd99c1139490f98cef42ffd939bd4a80100000000ffffffff0280fe210a000000001976a91443dc321b6600511fe0a96a97c2593a90542974d688ac404b4c00000000001976a9140332073851cbdfd5b4e6a18891963ea0c546d74688ac00000000 21:43 < andytoshi> ah 21:43 < andytoshi> damn 21:44 < michagogo|cloud> (that was the unconfirmed transaction I was trying to spend into the pool, sending most of the tBTC back to the faucet) 21:44 < andytoshi> maybe i can use vanitygen to get the privkey :P 21:44 < michagogo|cloud> Sure, as soon as you harness all the energy in the entire universe 21:44 < michagogo|cloud> times about a million? 21:44 < michagogo|cloud> (disclaimer: that last number is made up) 21:45 < michagogo|cloud> By the way, why do you start the timer on a session while it has 0 inputs? 21:45 < michagogo|cloud> You could just have it idle, and leave the session open for 20 mins or whatever from the first input 21:47 < andytoshi> i could, i might do that 21:48 < andytoshi> so, if you refresh your page we can sign now 21:49 < andytoshi> the ding didn't come, the timer went into negative territory and then it autorefreshed while perl had the database locked 21:51 < michagogo|cloud> Uh 21:51 < michagogo|cloud> There's 0.47 going to mforFeesAndDonationsSpendHerdYm2jT 21:51 < andytoshi> really? 21:51 < andytoshi> wtf 21:52 < michagogo|cloud> "n" : 100 21:52 < andytoshi> also my server is crashing.. 
21:52 < midnightmagic> it take 45 TH to average one solo block per day right now 21:53 < midnightmagic> :-( 21:53 < midnightmagic> i don't think i'll ever be back on board with solo mining 21:53 < michagogo|cloud> Well, it does take ,,(calc [nethash] * 1000000000 * 600) hashes to find a block... 21:53 < michagogo|cloud> ;;help nethack 21:53 < gribble> Error: There is no command "nethack". 21:54 < michagogo|cloud> ;;help nethash 21:54 < gribble> (nethash takes no arguments) -- Shows the current estimate for total network hash rate, in Ghps. 21:54 < michagogo|cloud> ;;calc [nethash] * 1000000000 * 600 21:54 < gribble> 5063132752673999872 21:54 < michagogo|cloud> over 5 quintillion hashes 21:55 < andytoshi> michagogo|cloud: this is definitely a bug, i'll deal with it whenever i can get my server back 21:55 < andytoshi> for now i think we'll have to stop testing :( 21:56 < michagogo|cloud> Here's my signed version of that: http://pastebin.com/UNckGWLM 21:57 < andytoshi> thx, but if it's got money going to mforFeesAndDonationsSpendHerdYm2jT i won't use it 21:58 < michagogo|cloud> It's less than 1% of a block 21:58 < michagogo|cloud> (though I guess that's still an UTXO in the UTXO set forever...) 21:59 < michagogo|cloud> wait a minute 21:59 < michagogo|cloud> How did it get to be 5 am 22:00 < andytoshi> haha oops 22:00 < michagogo|cloud> o_O 22:00 < andytoshi> it's only 9pm over here 22:00 < michagogo|cloud> US Central? 
22:01 < michagogo|cloud> Okay, I need to go to sleep 22:01 < michagogo|cloud> Fortunately there's no school tomorrow (well, technically today) because everyone's still recovering from the snowstorm 22:02 < andytoshi> alright, i'll let you go, whenever you wake up this should be fixed 22:45 < andytoshi> michagogo|cloud: whenever you get this, the url for signing is http://testing.wpsoftware.net/coinjoin/sign.php?session=b3b098642a36f1aa62a333f5a15a6e98a04dfb7622e4eb3dd74f3d706f149d7b --- Log closed Mon Dec 16 00:00:59 2013 --- Log opened Mon Dec 16 00:00:59 2013 00:26 < gmaxwell> andytoshi: you need to convert all the numbers to integers. Don't use floats for this stuff. 00:26 < gmaxwell> andytoshi: you can just remove the . and you have an integer. :P 03:34 < adam3us> seems like it would be better if people who pool mine without using getblocktemplate (without being a full node) got their coinbase from power users they know (finding full nodes at random would be vulnerable to sybil) 03:35 < adam3us> otherwise its a vote abdication leading to policy centralization and double spend abuse (like ghash.io seemingly gaming the satoshi-dice clone) 03:35 < maaku> adam3us: is there any one left that doesn't use getblocktemplate (excepting stratum)? 03:36 < maaku> getwork can't keep up with asic speeds 06:47 < gmaxwell> P2SH has failed to be adopted by most alt implementations, even just for send-to, making it almost useless for everyone. ... and its a very simple change. 06:48 < adam3us> TD, gmaxwell: another use case eg the visual wallet (forgot the name & link) like an armory wallet but using animated qr code interface on an android tablet wallet with a physically disabled wifi; its hard to do that because of the bandwidth or its safer than usb that armory uses 06:48 < TD> animated qrcodes? ye gods. bluetooth exists, people! 06:48 < adam3us> gmaxwell: well... 
with bitcoin staging you do your advanced stuff, then you trade it back to btc to deal with likes of gox 06:49 < gmaxwell> "and bluetooth is still airgapped! see, no wires!" 06:49 < adam3us> TD: the idea is to have optical interface only - isolation from remote network/bluetooth stack compromise 06:49 < gmaxwell> and then they overflow your transaction parser. :P 06:49 < adam3us> armory tries but then you have a usb going back and forth, and there is risk of "bad bios" usb compromise of the bios firmware 06:50 < adam3us> gmaxwell: indeed thats the new attack surface however its software so at least you can look at it unlike bios firmware 06:51 < warren> Snowcrash bitmap to brain infection... 06:51 < adam3us> gmaxwell: yes about tx parser, but thats in the realm of magic pgp message that compromises the targets machine when he processes it 06:51 < gmaxwell> adam3us: if you're going to buy into that badbios stuff you might as well hypotize that the table is already compromised and the high frequency sound modem in your computer is already bridging the airgap (something else dragos claimed... ) 06:51 < gmaxwell> in any case, no one is arguing that making the data smaller is important. 06:52 < adam3us> gmaxwell: half the bad bios was space alien paranoia unsubstantiated, but my hacker buddy says the firmware compromise part is plausible 06:52 < warren> computers already infect humans with psychological diseases 06:52 < gmaxwell> yea, it's unsubstantiated but plausable. 06:52 < gmaxwell> (if you look, alans' original signer stuff... it didn't send the inputs, I pointed out to him that it had to... so I'm not unaware of what a pain that is) 06:53 < gmaxwell> though I don't really know if including the value is the best solution, or just restructuring the transactions so that the inputs are always super compact. 
06:53 < adam3us> gmaxwell: yes i saw you on the bitcoin thread talking about it (didnt know/recal that you first observed the issue, ok) 06:53 * warren sleep 06:53 < adam3us> 'night 06:54 < warren> adam3us: "core has to be rightly extremely cautious about changes" core really needs to be a lot smaller 06:54 < warren> ok, really going 06:55 < adam3us> gmaxwell: an explicit change amount might help, the saving from implicit change is the core problem 06:55 < adam3us> gmaxwell: sorry implicit fee i mean 06:55 < gmaxwell> adam3us: e.g. if the txid:vout in a transaction was really just a txout hash, and the transaction itself was a hashtree, then proof of the relevant inputs is always compact. (just provide the inputs) 06:56 < gmaxwell> In the general case for security assuming scripts beyond regular pay-to-pubkey, its not adequate that the signer know the value, he actually needs to know the scriptpubkey he's signing for. 06:56 < adam3us> gmaxwell: implicit fee seems silly, then we have screw ups now and then 06:57 < adam3us> gmaxwell: yes 06:57 < gmaxwell> implicit fee is needed so that anyonecanpay can be used to add fees later. 06:57 < gmaxwell> if the fee is under the signatures you can't do that. :( 06:59 < adam3us> gmaxwell: i guess initial fee could be validated with =, anyonecanpay increased fee with > 07:00 < gmaxwell> > leaves you with the fee overpayment accident issue still. :) 07:01 < adam3us> gmaxwell: yes; i am going to refrain talking to you for a while os you go sleep - tomorrow:) 07:01 < gmaxwell> if instead you could extract inputs compactly the signing process could be createraw / add-inputs / signraw (which _requires_ inputs and can tell you the fee in return) 07:01 < gmaxwell> goodnight 07:01 < adam3us> 'night 08:41 < michagogo|cloud> 13:24:49 <TD> the nick "mike" was only registered in 2011 and has only been used once. goddamnit. 08:41 < michagogo|cloud> Well, actually... 
08:41 < michagogo|cloud> It's never been used at all 08:42 < michagogo|cloud> Also, the requirement that new accounts have email addresses has been in place for more than 2 years 08:42 < michagogo|cloud> The account mike has noemail [sic] 08:42 < michagogo|cloud> And also, it has the Hold flag, which means an account doesn't expire, and that flag can only be set by freenode staff 08:43 < michagogo|cloud> Conclusion: 1 year, 46 weeks, 5 days, 13:00:53 ago, freenode staff registered that as a dummy account to make it unusable 12:57 < maaku> <gmaxwell> Something which works but due to honesty and understanding can't promise future riches... not clear there is much demand. 12:57 < maaku> ain't that the truth 12:58 < maaku> you should see the negative reactions we got to freimarkets 12:58 < maaku> "what? there's no built in way to 'invest' in this? then why should I care when we've got mastercoin?" 12:58 < maaku> ... 13:00 < gmaxwell> I guess its no shock, there is a selection bias in the bitcoin community. A lot of the bitcoin users are bitcoin users because they heard they could make a quick buck. 
:) 13:01 < maaku> yeah 13:02 < maaku> i got 3btc for coinjoin so i'm going to update the code this week 13:02 < maaku> 3btc actually goes pretty far now :) 14:17 < adam3us> maaku, gmaxwell: i think if someone wants to take funds to do something it would be more normal to issue stock in a conventional company, in exchange for the investment; then the owner is a stakeholder in the company as with any other investment 14:19 < adam3us> maaku, gmaxwell: whereas mastercoin was like nuts: if this takes off you the investor will own a slice of global digital certificate fee currency for ever as it grows to $1triliion (or however it is that msc relates to the stock certificate concept on mastecoin) 14:20 < maaku> adam3us: the issue is how to monetize colored coins in the first place, how to make a business plan out of it 14:20 < adam3us> maaku, gmaxwell: even if it took off thats nuts, that few gullible investors who feel for the join in the next x hours and get a 10% discount, time limited offer time-share like pitch, any rational person would abstain from participating on principle 14:21 < maaku> i could sell you shares in my company, but if my business plan is "develop open source software!" ... i'm not sure why you'd invest. 
a share of 0 is still 0 14:21 < adam3us> i am not sure how public this log is, but there are some folks giving it a go to attract conventional angel/investment into just that, with various monetization of the company but with open coloredcoin code & IP 14:22 < adam3us> maaku: personally i think why not - if coloredcoins (or preferably something side-chain that doesnt create nominal value bitcoin tx) does succeed, and in my view the blockchain innovation and smart contracts are so stark that it must sooner or later 14:23 < BlueMatt> the difference being mastercoin is selling shares in itself in some way that looks very clearly scammy, whereas there are better ways that dont look so ridiculous 14:23 < adam3us> maaku: there have to be multiple avenus for that company to collect on being the developers of it, having the expertise, enterprise versions, certification, hookups with auditors to certify issuers, etc etc 14:24 < adam3us> maaku, BlueMatt: exactly, to buy shares in a company and share in its success (or failure) in proportion to other investors and with a written prospectus and investment contract is actually largely uncontroversial 14:25 < maaku> Of course colored coin efforts will succeed. imho bitcoin is a toy and colored coins is where the real action is moving forward. 14:25 < maaku> (Otherwise I wouldn't have spent so much of my free time designing Freimarkets) 14:25 < maaku> the issue is, if you directly try to monetize it, you end up like Ripple.com or Mastercoin, both of which are paths to the dark side 14:25 < adam3us> maaku: yep, and i others were frustated by the progress of it being available in a user level sense; though actually i dont know much about friemarkets 14:26 < maaku> whereas if you simply ask the question "what's the best decentralized, distributed way to do colored coins?" the answer is not directly monetizable by the people who make it 14:26 < adam3us> maaku: (of colored coin not being availalble to user leve i mean).. 
its probably more than making a stable secure client, there is regultion to consider 14:26 < maaku> adam3us: https://bitcointalk.org/index.php?topic=280292.0 14:27 < adam3us> maaku: i dont think thats true re what i said above "there have to be multiple avenus for that company to collect on being the developers of it, having the expertise, enterprise versions, certification, hookups with auditors to certify issuers, etc etc" 14:27 < gmaxwell> I'm skeptical that colored coins are actually useful at all, but I'm happy to see people try. 14:27 < maaku> Yes, that's our path forward right now, but it hasn't been easy... 14:28 < maaku> Jorge and I have started a St. Vincent domiciled company to do a hosted colored coin solution - "github for colored coins" 14:29 < adam3us> maaku: go maaku & jtimon, now thats what i'm talking about - action beyond code 14:29 < maaku> But most of our conversations with bitcoin investors have ended up along the lines of "Why don't you just do a new alt chain so we can invest in the idea directly like mastercoin?" etc. 12:59 < Emcy> mainly because certain people WANT to beleive you can link people. And have paid to create that narrative. Same might happen with btc addresses 12:59 < petertodd> TD: specifying ranges is more useful for both straight merge avoidance and merge+cj by giving more flexibility 13:00 < TD> yes, it could be extended in future to do better 13:00 < petertodd> TD: if the amounts are all fixed it's harder to find a useful combo 13:00 < TD> i'd like to see a bip32 extension first though, for recurring payments. 13:00 < TD> Emcy: in many cases you can. ignore big aggregating proxies and go for consumer DSL. most people are downloading from home anyway. not very complicated. 13:02 < Emcy> open wifi, kids were doing it parents had no clue, ISPS fucked up the records, stupid torrent monitoring cottage industry company fucked up the records, sueing-people-as-a-business-model law firm fucked up the records. It all happens. 
13:04 < TD> yeah, but they don't need "impossible to be anything else". even for criminal penalties it's just "beyond reasonable doubt"
13:04 < TD> for civil it's "balance of probabilities" (usually)
13:04 < TD> (depends on the country)
13:04 < Emcy> usually the civil standard, which fucking sucks anyway but thats another thing
13:05 < TD> well, it's intended for lighter weight disputes with lighter weight penalties
13:05 < TD> arguably even the civil standard is much too heavyweight for copyright enforcement
13:05 < TD> hence the focus in recent times on developing "three strikes" type rules for internet access.
13:05 < TD> not sure that's the right way to go but the idea of lighter weight justice isn't a bad one
13:06 < petertodd> Ah yes, the justice standard of "Yeah, you might have done something wrong, although we don't even have to prove it's more likely than not."
13:06 * TD shrugs
13:06 < TD> look at speeding penalties
13:06 < Emcy> yeah dont worry, the UK has law on the books that puts the standard at a simple accusation by one of these vampire torrent monitoring companies
13:07 < TD> the evidence comes from cameras controlled by the police. the punishment is a fine or points on your license. it basically works.
13:07 < petertodd> Speeding penalties are on a "more likely than not" standard.
13:07 < Emcy> cameras dont reduce harm. But they make money
13:08 < TD> yes, but emcy's argument would apply to them too. all it takes is an accusation from a trusted party, basically. you could come up with excuses (not me driving the car, etc), police could screw up records, etc.
13:08 < TD> people tolerate this laxity because the punishments are not very severe unless you keep doing it, or were doing it at massive scale
13:09 < Emcy> are you going to argue in favour of every thing that seems nifty on face but doesnt actually work and has side effects which are convenient for someone or other tonight?
13:09 < TD> Emcy: speed limits absolutely reduce harm, though, that's well documented
13:09 < petertodd> Anyway, all this suggests that we'll do well to get CJ implemented as widely as possible so it's "more likely than not" that a CJ user was using a standard Bitcoin privacy feature, and it's more likely than not that a given txin isn't owned by the person requesting a given txout.
13:10 < petertodd> It'll be interesting to see how governments respond of course, but we're certainly better off by starting with those principles.
13:10 < TD> well, the unfortunate possibility is that if bitcoin is perceived to be a significant enabler of abuse, it would just end up banned a la china
13:11 < TD> politicians and the people who vote for them are rarely interested in theoretically cool uses of the technology, like micropayments. they tend to focus on the here and now, and assign more importance to threats than benefits
13:11 < TD> or it just ends up de-facto blocked by other institutions that aren't governments, like now
13:11 < Emcy> petertodd right, we need to stop the idea of txid = person/action before it even takes root. It might be too late to do so after.
13:11 < Emcy> probably will be too late
13:11 < petertodd> It's also worth remembering how if governments make the argument that CJ indicates you are trying to hide your tracks - an activity that doesn't cost you more in fees - then if anything merge avoidance - which does cost extra fees - seems even more damning.
13:12 < petertodd> "Your honor, the defendant paid $1000 USD over the course of the past two years to avoid merging transaction outputs; doesn't that sound like something someone with something to hide would do?"
13:13 < petertodd> Emcy: we won't know that it's too late until we try...
13:13 < TD> i guess it wouldn't work like that. merge avoidance is not intended to "hide your tracks". it just avoids information leaks about your balances or incomes.
13:14 < petertodd> TD: something coinjoin also does, but for less money
13:14 < petertodd> Cut-thru-payments are interesting in that respect, as they both reveal less information, and save money on fees. (potentially a significant amount)
13:15 < petertodd> Cut-thru-payments also really need a payment protocol with flexible value range support, so I should do up a pull-req soon...
13:16 < TD> there's no point adding features to the protocol when no released wallet even supports the current set yet
13:16 < TD> it would be much more effective to implement some server software that would make it easy for people who don't want to rely on bitpay etc to use it
13:16 < petertodd> TD: all the more reason to do it now before the infrastructure is built
13:16 < Emcy> petertodd we're pretty fucked if it becomes acceptable to argue that being proactive about your privacy at all is evidence of mens rea
13:16 < petertodd> Emcy: agreed
13:16 < Emcy> i think that might be the case here already actually though under RIPA. wouldnt surprise me
13:17 < petertodd> Emcy: at least with bitcoin the privacy issues are such that anyone in the world can violate your privacy - ugly
13:18 < nsh> Emcy, there's a good chance we'll see a RIPA test-case next year
13:18 < TD> in the USA they deleted the mens rea requirement from money laundering laws in the patriot act, unfortunately. so attempting to avoid red tape by breaking up payments can lead to ML convictions or asset seizure. pretty messed up.
13:18 < Emcy> yeah - that tinkles my tinfoil about bitcoin being the world currency of the NWO conspiracy......
13:18 < Emcy> lol
13:18 < petertodd> TD: right, which sounds like merge avoidance is legally risky
13:19 < TD> nope, not at all
13:19 < petertodd> TD: it's all about breaking up payments
13:19 < TD> you need to go read the laws i'm talking about before spreading more FUD
13:20 < Emcy> nsh for the encryption? Already been done.
Coppers harassing a paranoid schizophrenic man about his truecrypt container and telling him everyone will think hes a paedo if he doesnt give up the password
13:20 < Emcy> he didnt give it up and he did 2 and half years for it
13:20 < TD> structuring only applies when making deposits to an institution. breaking your own $100 bills is not structuring, for obvious reasons.
13:21 < petertodd> TD: I have actually, not going to claim I understood the legalese as well as I would like, but the chain of logic is easy to see, and fundamentally the issue is that the law is interpreted by humans who tend to read the spirit of it.
13:21 < Emcy> of course if he really was a paedo the correct course of action from his point of view is to keep his mouth shut.........but logic and the law have never played nice
13:22 < TD> Emcy: well these problems are inherent the moment you define "information crimes"
13:22 < nsh> Emcy, well, i've been informally advised by the NCA to expect RIPA orders, possibly in six weeks, and am completely incapable of imagining a scenario in which i'll be even remotely inclined to entertain them
13:22 < petertodd> TD: what it comes down to is that if coinjoin is legally risky, the reasons why it would be are identical to why merge avoidance would be legally risky, with the additional risk that merge avoidance costs more than not doing it, which just plain looks bad
13:22 < nsh> and i am only marginally crazy and far less marginally resolute and resourceful :)
13:23 < TD> petertodd: which is the opposite of what you're doing - structuring rules are intended to stop people from trivially gaming the system to avoid reporting requirements. if there are no deposits to an institution there are no reporting requirements and thus no "structuring" is possible
13:23 < Emcy> nsh good luck bro
13:23 < nsh> thanks :)
13:24 < Emcy> i know someone else who is on bail right now because someone used his tor exit to harass women on twitter
13:24 < TD> petertodd: again, no.
but i explained why not in the article. not going to bother going around this again.
13:24 < Emcy> theyve had all his shit for months and months
13:24 < petertodd> TD: exactly, and coinjoin *in that interpretation* isn't structuring either. But if courts take the broader interpretation that the "institution" is the blockchain itself - quite possible - then they're both possible to consider as structuring.
13:24 < TD> ah, i didn't say coinjoin was structuring. perhaps that's the source of confusion
13:24 < TD> i merely noted that mens rea is not a requirement any longer in the USA for AML conviction
13:24 < petertodd> TD: (this is pretty much a conversation I had a few weeks ago with a lawyer specializing in this stuff FWIW)
13:24 < Emcy> thats bail with no charge too, hes not charged (mainly because he didnt bloody do it)
13:26 < TD> Emcy: what if he did?
13:26 * TD thinks harassing people on twitter should not cause legal problems, but that's a different matter
18:39 < adam3us> jtimon: not centrally motivating ("philosophical problem related to non-scarce scarcity.") i agree issued assets are the most useful thing to make smart-contracts interesting.
18:40 < jtimon> again, I don't see the loss of zerocoin and bitcoin floating: they're different currencies with different properties, why should they have the same price?
18:40 < adam3us> jtimon: but i think bitcoin is also the most interesting digital scarcity, basically because it got there first, and has the most merchant integration, intrinsic (transactional) value etc, but thats history - its here now, the investors took real risks early to bootstrap it and the supply curve is tapering, and its the most secure.
18:41 < jtimon> so this is all about bitcoin winning the race? that sounds greedy...
18:41 < adam3us> jtimon: so given an interest in smart-contracts, issued assets, and bitcoins it seems natural to me that you'd want to be able to do in-chain contracts between those 3 types of things
18:41 < jtimon> what if zerocoin wins, what would the world lose ?
18:42 < jtimon> a nice logo?
18:42 < adam3us> jtimon: hey i missed the first 4yrs 3mo of the race, i'm not the winner here
18:42 < petertodd> adam3us: re: digital scarcity, so what would you think of an alt-coin using my demurrage + balanced mining ideas for zero inflation, where to get said coins you had to prove a bitcoin sacrifice? that maintains scarcity I would argue, even if where the coins go has different economic structure
18:43 < maaku_> adam3us: we are still way, way early in the adoption curve
18:43 < maaku_> most institutional support for bitcoin is using it as a payment network, not for wealth storage
18:43 < adam3us> jtimon: well if that were the only risk, i'd say go for it, lets see who wins in the market. but i think the outcome could be worse. see what if litecoin overtakes bitcoin or gets close... the bitcoin price plummets? give it a few months and litecoin notice feathercoin is gaining fast, do that a couple of times and even the concept of digital scarcity could be irreparably damaged, it might go in the history books like a digital tulip.
18:44 < killerstorm> petertodd: Well, I don't know much about game theory, but here's how it might work in practice: suppose somebody makes a patched version of bitcoind which implements this kind of a strategy, let's call him a-bitcoind. Miner Bob can see that if everybody upgrades to a-bitcoind, but he doesn't, then his payouts will be lower. If we assume that miners think identically, they will either all upgrade to a-bitcoind, or keep using bitcoind.
18:44 < maaku_> adam3us: if that happened, who would be hurt?
people sitting on bitcoins, but not the institutional players
18:44 < maaku_> they make their money (counted in fiat) on activity not market caps
18:45 < adam3us> maaku_: humanity because digital scarcity is a useful thing
18:45 < petertodd> killerstorm: right, but we *can't* assume miners think identically, and neither can those miners
18:45 < jtimon> adam3us this is not logic: if litecoin gets greater than bitcoin, feathercoin will get greater than litecoin
18:45 < justanotheruser> Proposal for distributed storage without polluting the blockchain in a few sentences: There is a web of trust to choose mediators trusted mutually between the uploader and the host. The uploader sends the file to the hosters and the mediators after making a tx that gives a small amount to the hoster given that either the uploader signs it, or M of N mediators sign it. The mediators take hash(random nonce0,file), hash(random
18:45 < killerstorm> petertodd: and, again, in practice, a-bitcoind might leave a certain mark in coinbase transaction which identifies it. but I'm not sure if we can use it in game-theoretic model as that mark can lie.
18:45 < maaku_> meh i don't think that makes sense as an economic argument
18:45 < jtimon> and the two propositions are very unlikely independently
18:45 < adam3us> jtimon: point is it sets a precedent
18:45 < petertodd> killerstorm: you can make mechanisms for those miners to *co-ordinate* their actions, e.g.
soft-fork majority upgrade mechanism, but when you're talking about deliberate re-orgs that's much trickier
18:46 < jtimon> I think that's likely to happen, but with something better than bitcoin, not litecoin
18:46 < jtimon> bitcoin 2.0 if you like
18:46 < jtimon> and I don't have any problem with that
18:46 < petertodd> justanotheruser: bootstrapping your mediator trust is a damn nightmight
18:46 < petertodd> *nightmare
18:46 < maaku_> adam3us: your argument hinges on the thing overtaking bitcoin being "just another" coin
18:46 < maaku_> i see no rational basis for that ever happening
18:46 < adam3us> petertodd: exodus eh? did u see there was one proposed recently a new alt, like mastercoin except by proof of burn?
18:47 < maaku_> but if something came out genuinely better, the story would be different
18:47 < petertodd> adam3us: yup, last I checked they got like 500 coins
18:48 < adam3us> jtimon: markets dont work based on propositional logic, but by herd behavior and economic decisions and a large part of psychology and emotive reaction of individuals
18:48 < justanotheruser> petertodd: Any solutions for bootstrapping mediator trust?
18:48 < petertodd> justanotheruser: solve that and you're halfway to making a crypto-currency...
18:48 < adam3us> petertodd: holy moly 500 btc !
18:48 < petertodd> adam3us: probably even more now :/
18:48 < petertodd> adam3us: not much source-code to it either...
18:49 < justanotheruser> petertodd: couldn't you bootstrap your mediator trust by making non-mediator transactions successfully?
18:50 < jtimon> adam3us so since markets are irrational, it is more rational to peg them?
18:50 < adam3us> maaku_: yes litecoin & ftc are currently not plausible to overtake, but warren does try to do innovation, and maybe eg if btc-china had started pushing ltc while it was 60% of market volume (charlie & bobby lee being brothers) or some new feature is added to litecoin (say zerocash)..
who knows
18:50 < petertodd> justanotheruser: define "successfully", and for that matter, how are you going to prove they were successful in a mathematical way?
18:50 < adam3us> petertodd: counterparty that was what it was called (the msc-like meta coin with PoB)
18:51 < justanotheruser> petertodd: I don't understand what you mean. It is a web of trust like bitcoin-otc. Success is defined by trusted people trusting you.
18:51 < maaku_> adam3us: again, if warren turns litecoin into a genuine improvement over bitcoin, then there is no reason the world need collapse if it overtakes bitcoin
18:51 < petertodd> justanotheruser: where's the root of trust?
18:51 < petertodd> adam3us: yeah, counterparty
18:51 < justanotheruser> petertodd: you are the root of trust for yourself
18:52 < adam3us> jtimon: the peg is just a firewall mechanism between two versions of what would be by intent the same coin. it could be applied to any alt-coin.
18:53 < petertodd> adam3us: https://blockchain.info/address/1CounterpartyXXXXXXXXXXXXXXXUWLpVr <- 1,165 BTC now
18:53 < adam3us> maaku_: i think that would be a challenge. i am not sure how people would react. maybe they just take it as competition and say great the new better bitcoin
18:53 < petertodd> adam3us: that's actually more than msc got in dollar value
18:53 < maaku_> adam3us: it is a cool concept. it has applications if it could be made safe enough to deploy, which it is not yet. but i don't think it does everything you think it does
18:53 < adam3us> petertodd: amazing.
18:53 < adam3us> petertodd: i know!
18:54 < maaku_> wait, did people just irrecoverably destroy $1MM of coins?
18:54 < petertodd> adam3us: gonna be a lot of disappointed people I suspect...
18:54 < petertodd> maaku_: yup
18:54 < adam3us> maaku_: yes
18:54 < maaku_> w. t. f.
18:54 < justanotheruser> I wish people would use OP_RETURN
18:54 < petertodd> maaku_: based on a few hundred lines of code and a shoddy specification...
18:54 < justanotheruser> seems like it is from "XPC Proof of Burn"
18:55 < adam3us> maaku_: well from their perspective its still a comparable investment as msc they are investing in the future potential of the idea
18:55 < adam3us> maaku_: the only difference being xcp has now no btc to fund development
18:55 < petertodd> justanotheruser: heh, original counterparty burn tx's used OP_RETURN to embed a *message* and the coins were still burnt to an address
18:55 < maaku_> and yet we've been able to find just 3 people to donate <$1000 to freimarkets :\
18:56 < jrmithdobbs> i don't even want to think about how much the coins i sold at various points would be worth right now
18:56 < adam3us> maaku_: its a sad fact that scammy/grandiose advertising works seemingly in crypto currency space.
18:56 < justanotheruser> petertodd: how were they burnt to an address? No public key can spend them can they?
18:56 < petertodd> justanotheruser: it's a vanity address with like 12 X's in it... rather unlikely they have the sec key
18:57 < adam3us> petertodd: i thought at one point they burnt them to miners until someone pointed out a miner could mint unlimited coins
18:57 < petertodd> adam3us: ha, I know eh
18:57 < petertodd> adam3us: someone mentioned my announce/commit scheme at one point, but as I said to them, using an address has a lot of advantages re: advertising
18:57 < justanotheruser> petertodd: OP_RETURN?
18:58 < petertodd> justanotheruser: https://blockchain.info/tx/685623401c3f5e9d2eaaf0657a50454e56a270ee7630d409e98d3bc257560098
18:58 < justanotheruser> petertodd: oh, multiple outputs
18:58 < petertodd> justanotheruser: yup
18:59 < justanotheruser> what is the usual reason for their proof of burn?
18:59 < petertodd> justanotheruser: what do you mean?
17:38 < gmaxwell> Right, I realize that. _Usually_ trying to threshold on latency is not what we want. but I guess I could see the argument.
17:39 < gmaxwell> Though if you have a system predicated on low latency it likely makes anonymous mining utterly impossible.
17:39 < gmaxwell> (ugh, I hate that 'anonymous' is overloaded, I mean the one that is made impossible by low latency. :P )
17:40 < amiller> it wouldn't necessarily need to be used like that all the way down to the individual level, something like towns or states or w/e
17:40 < gmaxwell> amiller: e.g. unless you start saying that this is for nation-states, communities of interest are often only moderately geographically correlated. Even at the nation-state level.. should tokyo be able to partition hawaii?
17:41 < amiller> perhaps tokyo could force hawaii to move its transactions up to the larger network (i.e., global bitcoin) where it's a bit more expensive and less responsive
17:42 < amiller> the main motivation for adding more model complexity like this isn't just to have small networks, but to work towards a way of building larger networks out of smaller ones, where the smaller ones also work when possible
17:42 < gmaxwell> Sounds interesting to me!
17:43 < amiller> ok thanks :D
17:43 * amiller keeps working
17:51 < Luke-Jr> amiller: wtf?
17:51 < amiller> :p
17:51 < Luke-Jr> seriously, don't feed the trolls' myths
17:52 < amiller> well, who else should i pretend operates the death star
17:52 < Luke-Jr> maybe some guy who actually does stuff like that
17:56 < sipa> you mean Satoshi?
17:57 < Luke-Jr> sipa: O.o?
17:58 < sipa> this comes close: http://abstrusegoose.com/509
17:59 < gmaxwell> I like the idea of Luke as darth vader.
17:59 < gmaxwell> Mostly because he's the least darthvadery person I know.
17:59 < sipa> Have you ever seen him wearing a Vader-suit?
18:00 < gmaxwell> "Luke, I am your certified personal accountant."
18:08 < Luke-Jr> "bitcoin should just limit each human alive to 1% of the network"
18:08 * Luke-Jr facepalms
18:09 < gmaxwell> I'd missed http://abstrusegoose.com/509 !
18:13 < sipa> I do wonder why he'd choose Hitler's birthday to make love to that fish.
19:15 < jgarzik> sipa, 420 means something different in the US, http://www.urbandictionary.com/define.php?term=420
19:19 < sipa> eh, ok
21:43 < jgarzik> sipa, there are, um, green-related parties on 4/20 all over the US as a result
21:44 < jgarzik> Atlanta, Portland, Seattle and other cities have festivals
21:44 < jgarzik> it's pretty funny
21:45 < gmaxwell> I had no clue that was hitler's birthday, thats pretty fantastic.
21:47 < gmaxwell> would be amusing to show up at the big outdoor weed smoking festival in santa cruz dressed in nazi regalia and pretend to be really confused and cause confusion for all the chemically confused people.
21:53 < jgarzik> heh
--- Log closed Thu Aug 08 00:00:14 2013
--- Log opened Thu Aug 08 00:00:14 2013
03:16 < midnightmagic> LOL
--- Log closed Fri Aug 09 00:00:19 2013
--- Log opened Fri Aug 09 00:00:19 2013
--- Log closed Sat Aug 10 00:00:25 2013
--- Log opened Sat Aug 10 00:00:25 2013
--- Log closed Sun Aug 11 00:00:30 2013
--- Log opened Sun Aug 11 00:00:30 2013
--- Log closed Mon Aug 12 00:00:35 2013
--- Log opened Mon Aug 12 00:00:35 2013
11:39 < jgarzik> There needs to be a mechanical-turk-like API that will send a human out to buy me X product or service with fiat currency.
11:39 < jgarzik> StorJ-like systems want such.
11:40 < gmaxwell> that exists here.
11:42 < gmaxwell> uh. I forget what its called. it's not quite as normalized as mechanical turk. but you can load a url and make people go do things. My SO has used it some, and she's on a plane now, so I'm currently down whatever mental space I've outsourced entirely to her.
11:42 < jgarzik> interesting
11:47 < gmaxwell> yea, this business is going to fail though because I can't figure out how to find it even knowing that it exists!
11:52 < gmaxwell> https://www.taskrabbit.com/
11:52 < gmaxwell> fuck it took me 12 minutes to find it.
11:53 < petertodd> gmaxwell: I use taskrabbittaskrabbit myself to figure out WTF taskrabbit's URL is
11:53 < gmaxwell> yea, I suppose I could have used mechanical turk to find taskrabbit.
11:54 < petertodd> lol, but mechanical turk is a pain to use, what you need is some kind of mechanical turk to hire a dev to create your mechanical turk job...
11:55 < gmaxwell> yea, MT is kinda useless for one shot jobs.
11:55 < gmaxwell> I wish there was a good bitcoin replacement for it, for both bulk and one shot jobs.
11:55 < petertodd> I thought someone did launch a bitcoin replacement? whatever happened to it? coinworker I think it was called?
11:56 < gmaxwell> well what coinworker is is a front end on a MT alternative that lets you work and get paid BC.
11:56 < gmaxwell> I don't believe anyone had done the other side of that.
11:56 < gmaxwell> where you pay for work with BC.
11:57 < petertodd> right, so the coinworker api is basically still sucky
14:36 < gmaxwell> Research Talk: Philippa Gardner
14:36 < gmaxwell> Where: Ten Forward and streaming / recorded on Air Mozilla
14:36 < gmaxwell> When: Wednesday August / 14, 10 AM PST
14:36 < gmaxwell> Title: A Trusted Mechanised Specification of the JavaScript Standard
14:36 < gmaxwell> Abstract:
14:36 < gmaxwell> JavaScript is by far the most widely used web language for client-side applications. Whilst the development of JavaScript was initially led by implementations, there is now increasing momentum behind the ECMA standardisation process. The time is ripe for a formal, mechanised
14:37 < gmaxwell> specification of the language, to serve as a trusted basis for high-assurance proofs of language properties, the compilation of high-level languages, and JavaScript implementations.
14:37 < gmaxwell> We have demonstrated that modern techniques of mechanised specification can handle the complexity of JavaScript.
We present JSCert, a mechanised specification of ECMAScript 5 in the Coq proof assistant, and JSRef, a reference interpreter for JavaScript extracted from Coq to OCaml. We establish trust in several ways: JSCert is designed to be `eyeball close' to ECMAScript 5; JSRef is provably correct with respect to JSCert; and JSRef is te
14:38 < gmaxwell> that should be interesting. I think this is only the second provable language implementation.
16:29 < amiller> i like the way that abstract is written
16:30 < amiller> i like that the specification itself is given a name (JSCert) and its claim is that it's human-inspectable to match a natural-language specification
16:31 < gmaxwell> they're also clear that JScert is not exactly the same as the specification (what would that even mean?)
16:31 < amiller> maybe the spec can be used to illustrate the reasoning for js-wats like {}+[]
--- Log closed Tue Aug 13 00:00:41 2013
--- Log opened Tue Aug 13 00:00:41 2013
04:05 < gmaxwell> amiller: hopefully I wasn't too harsh here: https://bitcointalk.org/index.php?topic=272709.msg2922718
09:31 < amiller> i think you're right on, actually, gmaxwell.
09:31 < amiller> i don't know what to do about it, but it's a real problem!
09:31 < amiller> these ETH Zurich people are one of the few that have a science grant to study bitcoin
09:32 < amiller> the bitcoin community and its various fora produce an enormous amount of writing, thought, invention, code and *science*, of which maybe 1% isn't bullshit chaff?
09:33 < amiller> in other words, not a whole lot different than the enormous and expensive academic machine...
09:37 < amiller> i think they're professionals and should not be excused from shoveling through all the forum posts ever and citing MerkleTrees420 for brute forcing a good invention
09:58 < sipa> i met christian decker once
09:58 < sipa> he's visited zurich bitcoin meetups before
10:06 < amiller> maybe a good solution would be to place anonymous papers on the bitcoin forum to help with the peer review?
10:06 < amiller> sending a note to the editors would be appropriate
10:07 < amiller> they are self selected as the interface to this sort of thing
17:45 < jgarzik> "It looks as though our system is unable to verify your social security
17:45 < jgarzik> number and other information. We use a third party vendor, Lexis
17:45 < jgarzik> Nexis, to verify that information we do not see the data, simply a
17:45 < jgarzik> score and your score is not high enough to move forward. "
17:46 < jgarzik> gmaxwell, so spake Dwolla, when I tried to open a personal account. I wonder if anything tagged with bitcoin is now making the rounds...
17:46 < jgarzik> My credit score is north of 800, and nothing but traffic tickets in the criminal record, so I cannot think of what it might be.
17:47 < jgarzik> anyway, heads up
17:48 < petertodd> interesting! kinda ugly if they are going out and finding people's names to add to a blacklist database...
17:50 < jgarzik> Two guesses are (a) Dwolla refuses anything that links $person and "bitcoin", and (b) I'm now in some database somewhere
17:50 < petertodd> quite possibly (a) and (b)
17:51 < petertodd> if it gets to the point where this is applied to bank accounts in general I'd be worried...
17:51 < gmaxwell> jgarzik: tell them that you're concerned that your identity may have been stolen then, because you don't get that result, and ask for a copy of the paperwork so you can follow up with lexis?
17:52 < petertodd> gmaxwell: smart
17:53 < gmaxwell> there is always some pedestrian possibility, like they're actually pulling up someone elses record by mistake.
17:54 < petertodd> or someone already pulled some actual fraud with jeff's good name
17:55 < jgarzik> I had my identity stolen 15+ years ago. some bum put my name + address in Atlanta on a military id with their picture, and tried to scam 9 Wachovias with it
16:12 < gmaxwell> BlueMatt: kinda, tor is where the whole open world is currently focusing their anti-censorship efforts... and they seem to be winning the cat and mouse game mostly.
16:12 < BlueMatt> if you think we need tor for an internet with speech where you can do whatever the fuck you want, you have to look no further than tpb
16:12 < BlueMatt> gmaxwell: not afaict, at least in china getting tor access means having someone else set up a bridge for you to use
16:12 < petertodd> BlueMatt: Tor over consumer connections is *currently* widespread, so I want to scale the network with what we have a pretty good chance of having available to us for the next few years. In 10 years *maybe* we'll decide making it possible to mine over dial-up *is* a good idea and reduce the blocksize. I sure hope not, but it may be a reasonable thing to do.
16:12 < BlueMatt> and that means most people just use vpns
16:13 < BlueMatt> wait, wtf?
16:13 < BlueMatt> really?
16:13 < gmaxwell> petertodd: technically mining works over dialup okay now, so long as you use a p2p protocol that looks like p2pool's.
16:13 < petertodd> gmaxwell: yup, and you can always just mine zero-tx blocks too.
16:13 < gmaxwell> (one where you only need to send the hashes when you find a block, as you've preforwarded the txn)
16:14 < BlueMatt> anyway, its clear we fundamentally disagree on what we need to protect (and what is actually useful and possible, even if we try to protect it)
16:14 < BlueMatt> so I dont think arguing helps anything
16:14 < gmaxwell> s/zero/few/
16:14 < BlueMatt> you are free to work on solutions that allow mining over tor, and the rest of us will just work on something else
16:14 < petertodd> BlueMatt: Exactly. We *do* agree on the technology side of things, we do not agree on what is important beyond tech.
16:15 < BlueMatt> I certainly dont think its a bad idea that someone allows one to mine over tor, just that it shouldnt impact big-picture decisions for the actual network
16:15 < zooko> Good to realize that so you can productively collaborate on understanding what is possible.
16:15 < gmaxwell> BlueMatt: funny, I see you both largely agreeing. That there is actually a tradeoff between decentralization and scale. And that compromising the former for the latter completely is unacceptable. You're arguing over approaches, boundaries, and silly details.
16:15 < petertodd> gmaxwell: Exactly! It's a political decision end of story.
16:16 < gmaxwell> petertodd: I think you should do a writeup on bitcoin primarily as a reserve currency. Thats sort of an implicit premise of what you talk about wrt off chain txn, but I don't know that it's clear that you're thinking of it that way.
16:16 < petertodd> gmaxwell: Though of course having real world off-chain tech with auditing and fraud protection, rather than purely examples like easywallet without those protections, needs to be implemented to show people.
16:16 < petertodd> gmaxwell: Yeah, that's a good idea.
16:17 < BlueMatt> no, Im arguing that the "dystopian" future presented in that video is not only ridiculous, but significantly harmful to the ability of people to have reasonable discussions about the political and/or technical parts of this
16:17 < sipa> i think you should present things in a different way
16:17 < sipa> presenting it as a dystopian future puts many people off
16:18 < sipa> thinking you are talking about some potential worst case situation
16:18 < sipa> i like to look at it this way:
16:18 < sipa> bitcoin is an experiment in creating a decentralized currency
16:18 < sipa> the experiment is more useful the less it requires trust
16:19 < sipa> a system that is able to function in the presence of worst-case conditions is strictly more interesting
16:19 < warren> sipa: hi. Would you be interested in an affected wallet.dat plus patches to load the alternate address schema, would that be helpful?
16:19 < petertodd> sipa: Good idea. Having a system that can function in the dystopian future makes it a lot less attractive to force us to that dystopian future anyway, why try regulating what you know can't be?
16:20 < zooko> I haven't seen the video and haven't read all this irc log carefully, but it kind of sounds like the video was exciting or polarizing and some residual energy for that is still bouncing around in this conversation...
16:20 < BlueMatt> petertodd: and then we can have a discussion of increased block sizes for purely technical reasons and not political "the sky is falling" arguments :P
16:21 < BlueMatt> petertodd: but I certainly think it would be awesome to have something that could mine successfully over dial-up or some other ridiculously low-bw connection
16:21 < petertodd> BlueMatt: It still doesn't work that way. The technical tradeoffs are there, but what tradeoffs are important will always be political.
16:21 < sipa> warren: not now
16:21 < gmaxwell> One of the reasons I don't share BlueMatt's view (and I suppose could be said to have tacitly encouraged petertodd because I didn't say "NO STOP!" when he posted the initial script) is because we are very rapidly racing towards increasing the size, and both Gavin and Mike have argued for _unlimited_ and argued that it was actually uncontroversial and that concerns were unreasonable. I don't think thats fair. And I think that having the ot
16:21 < warren> sipa: ok. i'll debug more, maybe I can figure it out on my own.
16:21 < sipa> gmaxwell: the ot[...]
16:22 < BlueMatt> gmaxwell: yes, I would agree there that infinite size is just not ok
16:22 < gmaxwell> And I think that having the other extreme making their argument makes it _easier_ to have a discussion about tradeoffs instead of wasting our time arguing if there is no concern at all or not. But maybe I'm stupid. It happens.
16:22 < petertodd> gmaxwell: Indeed. I sure wouldn't have made the video if they had been more reasonable there - I did propose that we have a strict "wait a year" period regardless. The worst that can happen is growth is slowed temporarily.
16:23 < BlueMatt> ahhhh, this google reader -> feedly switch is insane, do you want to share this, what about with facebook, no linkedin? no G+, no? twitter, no, you WANT TO SHARE!!!!111one
16:23 < zooko> Haha, so you're responsible for the video that I just implicitly criticized.
16:23 < petertodd> zooko: lol, yup.
16:24 < zooko> By the way, I unfortunately didn't speak to you at the conference, but I listened with great interest to your contribution to the "core dev meetup crowd" thing.
16:24 < petertodd> zooko: Thanks! I thought that discussion wound up happening in a pretty reasonable fashion.
16:24 < zooko> Yeah, not too bad.
16:24 < petertodd> Nice to see the payment protocol is uncontroversial too. :P
16:25 < zooko> Hee hee.
16:25 < zooko> Ah, so I was all hot under the collar about having PKI in the payment protocol
16:25 < zooko> (note:
16:25 < zooko> *not* about x.509 being a bad PKI, about PKI being a bad thing to have in the payment protocol)
16:25 < gmaxwell> petertodd: one of the problems we'll face here is that the deployment of any change will have a huge leadtime. And so it means that if we have to suffer to trigger making the change it means we'll suffer for a huge time. I really do not have a solution for that, and help thinking of one (beyond "never change") would be really productive.
16:25 < zooko> and I got to talk Gavin's ear off about it with Brian Warner, and much to my astonishment Gavin convinced Brian and me that it was better than the alternatives in there.
16:26 < zooko> And I should emphasize, Brian and I are the last two people who would ever agree to that...
16:26 < petertodd> Ha, yeah, I don't like PKI either, but it's a nice easy first step for sure.
16:26 < zooko> I even have a basic geometric shape named after my dislike of PKI.
16:26 < gmaxwell> zooko: we believe we need non-repudiation in it, and the ability to identify who you're paying. (of course the identity could be a pseudonymous one if you like)
16:26 < zooko> gmaxwell: that isn't what convinced me.
16:26 < petertodd> gmaxwell: Heh, I've been arguing that deploying a blocksize change can happen relatively quickly...
16:27 < petertodd> zooko: basic geometric shape?
16:27 < gmaxwell> petertodd: it's a hardfork though... Though, I suppose the may 15 thing actually proved it could be done.
16:27 < petertodd> gmaxwell: Exactly. *If* there is consensus, changing it is not such a big deal.
16:27 < gmaxwell> And we don't mind if it's some other kind of things like namecoin+gpg or whatever. The protocol itself doesn't have to care really. .. it's just that there is little in actually workable alternatives right now.
16:28 * BlueMatt -> gone, and really dont want to discuss politics further, its too...political
16:28 < petertodd> gmaxwell: Hasn't proved it yet...
16:28 < gmaxwell> petertodd: I'll have to think about that some. I think I was taking it as fact that the actual change had to take forever. But perhaps just the software validation does.
16:29 < petertodd> gmaxwell: People can upgrade relatively quickly. The real issue is we can't change it very much quickly; doubling the blocksize can probably be done and tested in six months.
16:31 < petertodd> gmaxwell: An order of magnitude increase, or worse, unlimited, will break stuff that we can't even think of, let alone test for.
16:34 < zooko> petertodd: there's this thing named "Zooko's Triangle" which could be used in an argument that PKI is inherently unsuitable for the payment protocol.
16:34 < petertodd> zooko: oh, that's you! cool
16:35 < petertodd> I love talking to non-tech people about that triangle.
16:35 < zooko> Thanks.
16:40 < petertodd> alright guys later
16:41 < zooko> cheers
19:07 < jgarzik> warren: Somebody's making money, so they add it.
19:08 < jgarzik> warren: Don't be surprised if there aren't "I'll give you 1 million alt-coins, to add it to your exchange" deals either.
19:12 < warren> CFTC's Chilton: Want to ensure Bitcoin is not
19:12 < warren> As the Commodity Futures Trading Commission weighs regulating Bitcoin, Commissioner Bart Chilton sought to spell out its interest in the virtual currency.
19:14 < warren> jgarzik: this made me wonder if our tribe can come up with a set of best-practices guidelines to help media and potential regulators weed out the pump-and-dumps from the honest efforts.
19:19 < warren> jgarzik: a privately operated, not-for-profit rating agency that looks at various factors of <arbitrary decentralized virtual currency> and makes it easy for readers to understand the differences, not only in technology, but also transparency, accountability, activity of development, how responsive it is to security CVE's, vendor adoption, etc. This could help to better legitimize the safety and stability of Bitcoin while simultaneously mak
19:19 < warren> ing it easy to see the *stark* contrast with all the alt coins.
19:50 < jgarzik> warren: I think there should be quite a number of ratins agencies
19:50 < jgarzik> warren: or, if possible, a ratings bot
19:50 < jgarzik> *ratings
20:01 < gmaxwell> jgarzik: "Don't be surprised" not only is it not surprising, in some cases it's publicly known. E.g. one of these coins premined coins specifically for that purpose.
20:03 < gmaxwell> warren: as far as "weed out" well thats the 'problem' (actually advantage in some cases) of decentralized systems. You can't generally regulate the general public. When you try ... poof.. they vanish.
20:03 < warren> gmaxwell: right, not really regulate, more 'scare people away from things' with objective measures
--- Log closed Wed May 08 00:00:13 2013
--- Log opened Wed May 08 00:00:13 2013
21:59 < gmaxwell> amiller_: I have come up with a new SCIP application in the context of bitcoin.
22:00 < gmaxwell> You make all your protocol rules have nice clean reference enforcement code which can execute in a secure computing environment.
22:00 < gmaxwell> and then you make peers produce proofs that they actually ran the reference enforcement code
22:00 < gmaxwell> no more crack ass alternative implementations that don't actually implement the rules consistently. :P
--- Log closed Thu May 09 00:00:15 2013
--- Log opened Thu May 09 00:00:15 2013
10:39 < warren> "You been drinking the Gavin juice too much. If I want to send a 0.00000001 BTC to someone, I can't under 0.8.2. If I want to do that in 0.8.1, the fees are high but that still means I CAN DO IT. Do you now see the censorship." Why is the clueless hate focused on "gavin"? Wasn't Gavin against this at first. It was originally advocated by others.
10:40 < BlueMatt> clueless hate is clueless?
10:42 < warren> Need more clueless hate lightning rods.
--- Log opened Thu May 09 12:37:59 2013
18:41 < amiller_> gmaxwell, i don't follow the scip thing you said
--- Log closed Fri May 10 00:00:40 2013
--- Log opened Fri May 10 00:00:40 2013
02:29 < petertodd> new alt-coin: cacoin
02:30 < petertodd> the PoW function is to come up with a random number, and then your goal is to prove you possess, via a SSL certificate, a DNS name such that H(name) is closest to that number
02:31 < petertodd> (obvs the random number needs to be generated properly, a random beacon of some sort would be good, or a protocol where the parties precommit to generate one)
02:31 < gmaxwell> closest-to pows are not very scalable... huge floods of traffic.
02:31 < petertodd> I'm sure that'll be the least of cacoin's problems :P
02:33 < petertodd> the other issue with closest-to is it's way too easy to find someone was closer after the fact, causing a huge reorg
02:33 < gmaxwell> haha... "this coin is a member of the family HighExternalityCoins"
02:33 < petertodd> yeah, another nifty one would be to use TPM hardware signing keys
02:34 < petertodd> I especially like how you could construct the TPM hardware coin in a way to prove fraud on the part of the tpm hardware vendors
02:34 < petertodd> even if the hardware is not secure
05:35 < warren> sipa: to backport secp256k1 to 0.8.1 I need to redo those last four patches?
06:21 < warren> sipa: nm, figured it out
09:39 < zooko_> petertodd: are you familiar with Hal Finney's Reusable Proofs Of Work?
10:53 < amiller_> i don't like RPOW because it crucially relies on a central/global tpm
11:35 * zooko_ nods
12:21 < petertodd> zooko_: Who isn't in this crowd? :)
12:22 < petertodd> zooko_: amiller is quite correct, although when you have a reserve currency like Bitcoin handy, at least you can move value to and from it to switch tpm's and so on
12:39 < zooko_> Hm.
12:40 < zooko_> Do you know about Physically Unclonable Functions?
13:56 < zooko> Hello.
13:56 < zooko> PUFs
13:58 < amiller_> even pufs are still a poor choice for a global tpm
13:58 < amiller_> everyone concerned would have to agree that it was built correctly
13:59 < amiller_> like landing on the moon
13:59 < amiller_> a puf can't attest to the fact that it is a puf
14:39 < petertodd> amiller_: Indeed. That said, with some cleverness with fraud proofs and what not you can make a TPM manufacturer have pretty strong incentives not to allow the TPM security to be cracked. I wouldn't trust it to buy a house, but to buy your morning coffee isn't a big deal. The hard part is making sure the damage from any one hacked TPM is limited.
14:40 < petertodd> I suspect that's what MintChip has planned with their mysterious "additional authentication" fields and what not in the protocol.
15:24 < zooko> I didn't mean to suggest a PUF for a global TPM. I don't even understand how that could work.
15:27 < zooko> Since midnightmagic just told me about a bitcoin theft (over on #tahoe-lafs, he told me about that), it reminds me of a wishlist item I have for future cryptocurrencies:
15:28 < zooko> I'd like to be able to emit spends from a wallet that has no information going into it, only out.
15:36 < gmaxwell> Frequently bad recommendation #123901319
15:37 < gmaxwell> Requires an entirely different architecture where you have persistent balances, reuse addresses, and don't identify the specific funds you're spending. And the last point has a bunch of surprising negative consequences when you work through the details.
15:39 < zooko> Haha. I found out why I didn't automatically rejoin this channel. I join #bitcon-wizards instead.
15:39 < zooko> gmaxwell: I'm not yet convinced that it is a bad idea.
15:40 < zooko> Also, I need to see that list! The other 123901318 are probably very interesting to me...
15:41 < BlueMatt> half of them include the term "DHT"
15:41 < zooko> Heh heh heh.
15:41 < gmaxwell> zooko: sorry, I'm busy atm or I'd find you the better of the several forum threads on it.
15:42 < zooko> gmaxwell: thanks anyway! I long since lost insight into the bitcointalk forum... :-/
15:42 < zooko> I'm waiting for amiller to ask me what I was thinking of PUFs for, then...
15:42 < gmaxwell> But there are a whole bunch of screwed up corner cases like.... pay alice, pay bob, oops alice's payment didn't have enough fee and is not confirming fast enough, pay alice again with more fee. oops now alice got paid twice and you've ripped off bob.
15:42 * zooko nods.
15:43 < zooko> It makes a case that already exists: malicious or (rarely) accidental double-spending or other weirdness, into a more common case.
15:43 < zooko> Maybe there isn't any "other weirdness".
15:43 < gmaxwell> plus it requires address reuse, which undermines our privacy model. (perhaps seems less bad at the moment, but I expect we'll see existing reuse go down once BIP32 address chains are common, and once the payment protocol is deployed)
15:44 < zooko> Eh, that part could be worked-around.
15:44 < zooko> Yeah, in fact that can be totally eliminated.
15:44 < zooko> In a sufficiently unconstrained-by-compatibility cryptocurrency.
15:44 < gmaxwell> zooko: it makes transaction replacement into double spending.
15:44 < zooko> Err, wait, maybe I'm wrong...
15:44 < zooko> What's transaction replacement?
15:45 < gmaxwell> replacing a transaction with another one such that only one is allowed to survive. An intentional, consensual, harmless (e.g. pays the same parties, but pays them more or increases fees) doublespend.
15:45 < zooko> Hm.
15:46 < amiller_> zooko, indeed, what is it that you were thinking for PUFs and RPOW if not a giant central rpow server staypuft monster
15:46 < gmaxwell> and I mean what you want to do is actually not possible fundamentally, you need to know your balance to spend it. if you don't you'll randomly doublespend your payments) I just assumed you meant knowing no more than your balance.
15:46 < zooko> gmaxwell: I don't think that's fundamentally true.
15:47 < zooko> I mean, you can *try* to spend it.
15:47 < zooko> You can emit a message that says "I, $PUBKEY_X, hereby transfer to $PUBKEY_Y 10 units. If I have any. Love, X."
15:47 < zooko> I think you are right that how the rest of world deals with that message could get complicated.
15:48 < zooko> And I think you already introduced me to some complications that I hadn't thought of, in the last few minutes.
15:48 < gmaxwell> zooko: yea, great, and when you do this and make multiple spends before one is confirmed (which you can't tell because you have no information) you'll potentially conflict earlier ones. You could have a sequence number, but then a byzantine network loses one of them and none of your future payments work.
15:48 < gmaxwell> yea, I'm not saying it's impossible, but it has a lot of surprising negative tradeoffs.
01:22 < pigeons> and ripple is worse than bitcoin for privacy
01:22 < pigeons> although there is a feature for making subkeys that are supposedly not linked to your master key but can spend but i dont understand it
01:23 < pigeons> because an address needs a certain XRP "reserve" to be activated and how would that appear for the subkeys? and i assume you could link them that way
01:23 < gmaxwell> thats annoying they could have made the privacy stronger than bitcoin, since if an issuer is online you could automatically ask them to replace your coins with unrelated coins.
01:24 < gmaxwell> how do the reserve settings and such get changed? it used to be like 300 ripples reserve, but now I see its 69.
01:24 < gmaxwell> oh sorry 75
01:25 < pigeons> the same consensus process that agrees on which transactions are part of the ledger agrees on current reserves
01:27 < pigeons> well the concept of "coins" isnt really the same. with bitcoin you need to be able to trace every step of the input back to its generation, but with ripple you just look at the validated balance really
01:28 < gmaxwell> right. this is why I look forward to an altcoin attack.
01:29 < gmaxwell> What happens when the UNL stuff goes public and a majority of trusted parties decide that opencoin reserves ought to be more like 0 xrp?
01:30 < pigeons> you mean when more of the people running nodes start including more validators in their UNL that may be likely to do that? we'll see
01:30 < pigeons> just clarifying by "going public" cause the daemon source is public but yes most use similar UNL
01:31 < pigeons> wait what do you mean by "opencoin reserves"?
01:31 < gmaxwell> thats what I mean by going public, sorry. De facto public not de jure.
01:31 < pigeons> as opposed to reserves applying to any node/address
01:31 < gmaxwell> wherever the larger amounts of xrp consolidations are still left that haven't been given out.
01:32 < pigeons> you can't change balances by consensus
01:32 < pigeons> you need to have a signed transaction spending it
01:33 < gmaxwell> pigeons: I'm pretty sure you can. the other nodes won't ever accept the change, but a client will accept the majority ledger.
01:33 < pigeons> amiller: what do you say about that?
01:34 < gmaxwell> (IIRC, it would be like bitcoin if we only had a small number of miners (gulp) and everyone but miners was on spv nodes)
01:34 < gmaxwell> generally you couldn't do it without undermining trust in the system, but redistributing xrp which a lot of people already consider insanely unfair, I bet could be done.
01:35 < amiller> yeah i agree with that unfortunately, i am pretty sure they cut a lot of steps in terms of what kinds of validation we can expect ordinary users to run
01:35 < amiller> full validating ripple nodes are pretty expensive to operate if i understand it right
01:35 < amiller> the web wallet that most people use is not a full validating client, for example
01:35 < amiller> it's effectively the same as SPV, yeah.
01:35 < pigeons> i operate one (yeah down atm) and verifying isnt that expensive but keeping history is
01:35 < amiller> how large is the state file?
01:36 < gmaxwell> heh. bitcoin's current state is about 250mbytes. :P
01:36 < pigeons> i dont know i was running on a smallish vps, and i dont understand the internals very well, which was why i was running it, but had some other projects and i've borrowed that box
01:37 < amiller> either way i don't think even that is an insurmountable problem
01:40 < Mike_B> well
01:40 < Mike_B> i just read the entire thread, as well as this irc convo
01:40 < Mike_B> gmaxwell: quite interesting
01:40 < Mike_B> this reinforces my impression of ripple as a cool service, but not really decentralized
01:40 < Mike_B> which, i guess, if they're trying to compete with paypal and visa, is fine
01:41 < Mike_B> but i agree with the analysis that the trust network concept can easily lead to topologies where the network gets screwed even if most nodes are honest
01:41 < gmaxwell> Yea, as amiller says. it's busted.
01:41 < Mike_B> i dunno how they intend to get other people running validator nodes anyway
01:42 < Mike_B> alright well, that was a very full answer to my question
01:42 < Mike_B> i'll have to bbl but thanks for pointing me to all of that
01:42 < gmaxwell> I think mostly the "decentralized" thing on ripple is a regulatory dodge. I hope for them that it works... also for bitcoin, since if they decide that ripple's decentralization is pretext, perhaps they'll suspect the same of bitcoin and go after .. say.. me.
01:42 < pigeons> ripple labs' nodes are very unreliable i guess they are under high load, so when mine isnt running i was looking for some others to use and one issue i thought of as far as trusting nodes you submit your signed transactions to is what if a "bad" server sends me a next sequence number far in the future, which causes my transaction to be rejected, but the bad server keeps my signed transaction and submits it when i reach that sequence number, a
01:43 < pigeons> far fetched i know, but i was running a few different clients at once and getting mixed up on sequence numbers and was thinking
01:43 < gmaxwell> Mike_B: we did come up with a somewhat elegant (IMO) way to get people to run archive nodes in a bitcoin like network, but it wouldn't apply to ripple.
01:44 < pigeons> gmaxwell: where is that discussed?
01:44 < gmaxwell> here.
01:44 < gmaxwell> :P
01:45 < pigeons> ok i'll scroll up, thanks :)
01:45 < gmaxwell> Mike_B: basically the idea is that we can (with massive protocol changes) effectively eliminate the utxo set, making validation nearly storageless, and require txn to provide proof that their inputs existed and are unspent. Now the storage is required to produce those proofs. So if you're a storageless wallet, you can find an archive node and pay them a bit of fee in your txn to add the proof to it so you can get it mined.
01:47 < gmaxwell> though there is some bandwidth tradeoff to operate in this manner, and I dunno if anyone has worked out all the concrete numbers yet to see how it would work out in practice, asymptotically it looks good. and if you use SNARKS to compress the proofs then the bandwidth is similar to what is required today.
03:08 < _ingsoc> !seen swulf--
03:08 < _ingsoc> Does that work here? :(
04:19 < edulix> now, this channel has an awesome name (hi!)
04:22 < edulix> the coincovenant sounds like a really awesome-crazy-bad idea by the way gmaxwell
04:24 < edulix> Alternative chains have been suggested as ways to implement DNS, P2P currency exchanges, SSL certificate authorities, timestamping, file storage and voting systems << which voting systems?
05:02 < Mike_B> 01:45 gmaxwell: Mike_B: basically the idea is that we can (with massive protocol changes) effectively eliminate the utxo set, making validation nearly storageless, and require txn to provide proof that their inputs existed and are unspent. Now the storage is required to produce those proofs. So if you're a storageless wallet, you can find an archive node and pay them a bit of fee in your txn to add the proof to it s
05:02 < Mike_B> o you can get it mined.
05:03 < Mike_B> not sure i understand - when you talk about "storage" here, do you mean the blockchain? so when you say storageless validation, you mean no blockchain is required or something?
05:06 < edulix> Mike_B: I assume he means "local storage of the blockchain" i.e. in your HD
05:06 < edulix> which is currently quite large already, 12GB or something like that
05:08 < Mike_B> oh, i see what you mean
05:10 < gmaxwell> Mike_B: no blockchain storage is required for validation already, but the utxo set is ...
05:11 < Mike_B> sorry, i'm a bit confused here. does this relate to how ripple does things somehow, or is this a different topic?
05:11 < gmaxwell> Mike_B: when bitcoin downloads the blocks it makes a summary of all the spendable coins. It never accesses the blocks again except for reorgs (which only needs the most recent few blocks, or we're doomed) ... and bootstrapping new nodes.
05:11 < Mike_B> i thought this was in the context of ripple and consensus
05:11 < gmaxwell> nah, not ripple. not sure how that tangent got picked up.
05:11 < phantomcircuit> lol ripple
05:11 < TD> this is the merkle mountain ranges thing?
05:11 < Mike_B> ok, got it
05:12 < phantomcircuit> Mike_B, let me help you, nothing works like ripple because ripple doesn't work
05:13 < Mike_B> gmaxwell: so the idea is that various miners basically advertise cryptographically that they have access to the valid utxo set, then you just query them for a fee?
05:14 < Mike_B> or well, not miners, but "archive nodes"
05:14 < Mike_B> maybe you could work it into mining somehow
05:14 < gmaxwell> Mike_B: sort of, the merkle mountain ranges basically eliminates the utxo but replaces by restructuring the blockchain data to make it easy to produce efficient provable queries.
05:14 < gmaxwell> so then transactions ship with the proofs, and verifying nodes (including miners) don't strictly have to have the history themselves anymore.
05:14 < gmaxwell> Though someone has to have it, in order to produce the proofs.
05:15 < gmaxwell> But that could be users, miners, random nodes who sell their services (e.g. by requiring a fee in transactions they provide proofs for)
05:15 < TD> very interesting
05:16 * TD re-reads gmaxwells post
05:17 < TD> the need to combine independent updates to the tree sounds a bit like the operational transform algorithm.
05:19 < gmaxwell> I think petertodd and maaku had some further enhancements which might make it easier. E.g. having a write only "existing coins" MMR. and a writable spent coins tree. The write only tree doesn't require any online activity, once you have your coin proof once you have it forever.
00:16 < amiller> the more cool stuff i can do "conditionally secure" on the definition working out, the easier it will be to justify working on the definition?
00:17 < amiller> i mean it feels unhealthy to say i'm going to go off and assume i can use all these things that aren't justified yet
00:17 < amiller> but whatever, #yolocrypto
00:21 < gmaxwell> yea, well, I think it's helpful to think about how this stuff would be used. e.g. the proof of knowledge being strong is important for the CoinWitness type usage.
00:23 < amiller> yeah, i'd be really interested to come up with a more satisfying definition than the extractor
00:23 < amiller> what are some important implications of 'knowledge of a witness'
00:23 < amiller> certainly if you could 'know' a witness and no such witness existed it wouldn't make sense
00:24 < amiller> when witnesses vacuously exist like in the hash preimage case it's stranger because "knowing it exists" isn't as good as "knowing it"
00:28 < gmaxwell> I think a lot of this stuff is going to remain dumb and unknown until it gets into actual use with actual stakes.
00:28 < gmaxwell> Too much academic output works itself into little useless ruts with definitions which are mathematically fun but meaningless in practice.
00:30 < amiller> it's an especially difficult balance with security/crypto
00:31 < amiller> since the actual attackers are invisible/untestable
00:32 < gmaxwell> not quite, I mean set things up so there are bitcoin which can only be moved if the system is compromised. (may require keeping a victim to interact with online)
00:33 < amiller> yeah that sort of helps
00:33 < amiller> it would have to be pretty big to actually motivate serious effort from cryptanalysts
00:33 < gmaxwell> thats what secures my laptop. :P I dunno, people take things where there is no reward simply because they can publish on it.
00:33 < amiller> also it's just as likely it would reveal a minor implementation error rather than the fundamental failure of a concept
00:34 < amiller> so i think the most productive thing to do is take snarks and run with them.
00:34 < gmaxwell> and yea, thats a problem... I'd like to get the trezor hardware wallet people to embed a private key of theirs in every device... and have the wallet willing to signmessage for the key to prove its in there. ... with some bounty coin assigned to the key.
00:34 < gmaxwell> so that when someone has compromised the hardware security, people know about it.. but unfortunately that doesn't give you much information...
00:35 < gmaxwell> and you'd find that it was compromised with a really hard attack, thats not all that interesting.
00:39 < amiller> recursive snarks are just so damn sexy, it will have instant practical appeal
00:39 < amiller> this ben-sasson character is nuts if he thinks we're actually going to recompile the whole verifier for every possible batch-size of blocks :p
00:40 < gmaxwell> amiller: oh, you know their formulation fixes the UPPER size, right?
00:41 < gmaxwell> you can just pad out the computation to make it meet the upper size.
00:41 < amiller> yeah
00:41 < amiller> ok every "possible" batch size is an exaggeration
00:41 < gmaxwell> so then with log2() extra calculations for sizes you have only a worst case ~2x overhead in prover work.
00:42 < amiller> yes but it's still a big circuit to compile each time
00:43 < amiller> bootstrapping etc
00:46 < amiller> also all the proving would have to be redone for each different block size
00:46 < gmaxwell> I thought the bootstrapping version of Eli's stuff didn't require any preprocessing anymore.
00:47 < amiller> the thing i want to do is just a simpler form of bootstrapping
00:47 < gmaxwell> the downsides of it is that the proofs are larger for equal security, and they don't have a strong zero-knowledge property... but they eliminate the generator and in particular the need for the generator to have a strongly secret random string.
00:47 < amiller> the papers that advocate bootstrapping and do it without incurring the extractor-blowup problem bend over backwards to have only 'constant depth' bootstrapping
00:48 < amiller> they haven't implemented the bootstrapping, right?
00:51 < gmaxwell> I don't know where their implementation stands, I know they have running the generator based version and have all kinds of benchmarks on it. They certainly have _plans_ for the bootstrapping version.
00:52 < gmaxwell> The generator version kinda sucks because if the prover is in cahoots with the generator he can easily generate fake proofs. Plus the prover keys are enormous. Plus the generation is, like the proving, slow.
00:55 < amiller> lets ask how the bootstrap version is coming along :o
03:50 < gmaxwell> So, that idea I had for making lamport signatures smaller by using a tree structured CSPRNG to build your secrets. I came up with another thing to apply it to where it is way more powerful.
03:51 < gmaxwell> Say you want to produce an encrypted card deck for someone, which is correct with high probability and randomly shuffled with high probability.
03:52 < gmaxwell> First you build a set of secret values, using a tree structured CSPRNG.
03:52 < gmaxwell> Then you build a hash tree over them, and tell Bob (you are alice) the root hash of your secrets.
03:53 < gmaxwell> Bob then picks a random value and tells it to you.
03:54 < gmaxwell> You generate 65536 regular card decks in order. And you take half of each of your secrets and encrypt each card deck. You then take the other half of each secret hash it with bob's random value and use it to run a PRNG to shuffle each deck.
03:54 < gmaxwell> You now have 65536 encrypted, shuffled decks. You build a hash tree over them. and tell bob the root of the hash tree.
03:55 < gmaxwell> Bob picks 65535 out of the 65536 decks for you to reveal.
03:56 < gmaxwell> So you then find the minimal number of nodes in your secret value tree such that when you reveal them bob learns all your secrets except for the excluded result.
03:56 < gmaxwell> you also give bob the excluded result deck but not its secret and bob can compute all the decks except the excluded one, and verify the root.
03:57 < gmaxwell> Bob is now convinced that he knows an encrypted fairly sorted deck.
03:57 < gmaxwell> and you only had to transmit to him one deck and log2(65536)=16 plus a few hashes.
05:22 < gmaxwell> petertodd: so, if you combine all my recent ideas you can do guy fawkes signatures in a blockchain cryptosystem in one stage, and eliminate the announce/commit crud.
05:24 < gmaxwell> petertodd: the idea is that you create a tree compressed lamport signature in your transactions and flood to the network, with everything but the signature hashroot external to the transaction. When it gets mined, the block hash is used as the source of random selection to reduce the proof size.
05:24 < gmaxwell> once sufficiently buried the signature is pruned down to nothing and it's effectively just a guy fawkes signature.
06:55 < petertodd> gmaxwell: nice!
11:02 * Luke-Jr wonders if GCC can be compiled with SCIP to make gitian obsolete
21:51 < jorash> I think I may have found a channel open to the project I'm part of...
21:51 < jorash> We're a bunch of quantum information scientists working on the problem of efficient classical emulation of universal computation (answer the question of does P = BQP in the positive)
21:52 < jorash> One of the implications is that a miner can be developed which runs a quantum search algorithm (such as Grover's square root speedup, or Gross-Pitaevskii's constant time speedup) and yields mined coin much faster than current hardware brute force methods
--- Log closed Sat Aug 31 00:00:58 2013
--- Log opened Sat Aug 31 00:00:58 2013
--- Log closed Sat Aug 31 03:03:05 2013
--- Log opened Sat Aug 31 03:03:22 2013
--- Log closed Sat Aug 31 03:07:52 2013
--- Log opened Sat Aug 31 03:08:29 2013
13:01 < amiller> gmaxwell, the single stage guy-fawkes thing is neat
13:01 < amiller> it seems like it would be computationally expensive to do the signing, 65536x2 hashes to evaluate?
23:29 < jorash> What happens when someone breaks SHA-2 and all the coins are mined in a day?
23:34 < Luke-Jr> jorash: it won't happen.
23:36 < jorash> Did your wizardly crystal ball tell you that?
23:36 < jorash> So you think it will take until 2140 until all 21m btc are in circulation? 23:36 < Luke-Jr> I didn't say that. 23:36 < jorash> well hardness will just keep going up 23:37 < jorash> so decades at least, if we don't crack the problem from a computational complexity vantage point 23:37 < jorash> so what if the hardware gets better... hardness catches up 23:40 < jorash> so yea... long winded way of saying I'm working with a handful of quantum information scientists on a means of running Grover's algorithm (and thus weakening SHA2) 23:41 < jorash> scam alert! 23:41 < Luke-Jr> weakening SHA-2 won't get you all the coins 23:41 < jorash> that's true 23:41 < Luke-Jr> even if you perfected quantum mining, you'd be slowed to a block every 10 mins 23:41 < jorash> if you can pull off Grover's you get a sqrt speedup, and hardness would catch up around the 100,000-300,000 btc mark 23:41 < jorash> (after mining that much) 23:42 < jorash> however, if you pull off constant time (gross-pitaevskii search http://arxiv.org/abs/1303.0371 ) then you get all the coin 23:43 < jorash> the first is the open question of P vs BQP --- ie. can universal quantum systems be simulated efficiently by Turing machines. We answer the question yes 23:43 < jorash> the second is the question of whether linear quantum systems can efficiently simulate nonlinear quantum systems.. We have the answer probably, but not sure. 20:03 * gmaxwell claws his eyes out at "cryptos" 20:06 < gmaxwell> if someone has ethical concerns on BM's tool, BM could just add a warning that says "poor selection of the parameters here can result in a trivially insecure coin, the site makes no promises that the settings are good" 20:06 < gmaxwell> "make heavily demanded features are believed by experts in the Bitcoin world to be terrible for security in subtle or even vulgar ways, sometimes that's why Bitcoin doesn't do them. Buyer Beware." 
20:06 < andytoshi> the ethical concern from earlier is that i suggested 'secretly' adding wizarding experiments 20:07 < gmaxwell> oh well I don't think there is anything secret needed. You can just add them and make people _pay_ for them. 20:07 < sipa> indeed, just make them extra features 20:08 < gmaxwell> or make turning them off an extra (pay for) feature if you like. 20:09 < Luke-Jr> maybe BlueMatt would donate the site to -wizards ;) 20:10 < Luke-Jr> it'd be neat to make it list all mergable pull requests as options.. 20:11 < Luke-Jr> perhaps unmergable ones too, and give a warning about "There is an additional charge for this feature which cannot be calculated automatically. You will receive a quote within 3 business days if you choose it." 20:11 < Luke-Jr> :D 20:11 < Luke-Jr> and then let anyone competent bid on it 20:11 < sipa> it probably needs some deterministic seed 20:11 < sipa> so that new versions of existing coins created with it can be generated 20:12 < sipa> if the upstream source is updated 20:12 < sipa> (which determines magic bytes etc) 20:13 < Luke-Jr> sipa: that would break the merging features a bit 20:14 < Luke-Jr> "I have a magic node which keeps track of peers for each coin and forwards them on in addr messages, but if no one else is running a node, you're sol." 20:14 < Luke-Jr> wow, that probably took some effort 20:15 < gmaxwell> nah, if you get an inbound connection you're silent, the connector sends the network version 20:15 < gmaxwell> so then it's just like one of those 100 line python "node" implementations with a dict of addresses per network. 20:16 < Luke-Jr> <.< 20:24 < Luke-Jr> wow, BlueMatt's thing has made over $500 already :P 20:25 < warren> it has no disclaimer of warranty 20:27 < Luke-Jr> I suppose sipa's auto-upgrader could bill you 20:28 < sipa> why what? 20:28 < sipa> my what? 
20:32 < Luke-Jr> sipa: the idea to let people come back for upgraded builds of the same coin 20:32 < Luke-Jr> sipa: my objection was that it would break merges - but it could work if you get billed for any conflicts ;) 20:33 < warren> Luke-Jr: why do you care about the maintainability of scam coins? 20:33 < sipa> well, my concern about them is pretty much irrelevant, as i have no interest in using the tool 20:33 < sipa> but if the users were serious to any extent about the coins they are creating, they should demand it 20:33 < Luke-Jr> warren: I'm just thinking financing development and testing this way, ignoring how the end products are used ;) 20:34 < warren> Luke-Jr: I think this current tool renames everything to make merges impossible 20:40 < Luke-Jr> warren: maybe. 20:40 < Luke-Jr> warren: I was thinking more of merging before s&r 20:40 < Luke-Jr> ie, rebuild the scamcoin from scratch 20:41 < warren> Luke-Jr: you would have done well as a litecoin dev =) 20:42 < Luke-Jr> well, arguably litecoin *is* using my code.. :P 22:14 < Luke-Jr> too bad Script is neutered 22:14 < Luke-Jr> could make a transaction-fee-for-only-future-blocks.. 22:14 < Luke-Jr> sPK: "<txver><inputcount><txinput>" OP_SWAP OP_CAT OP_HASH256 OP_DEPTH 1 OP_SUBTRACT OP_FOR OP_CAT OP_HASH256 OP_ENDFOR OP_SWAP OP_CAT OP_CAT OP_HASH256 <block target> OP_LE 22:14 < Luke-Jr> sS: "<blkver><prevblk>" "<ntime><bits><nonce>" "<end of txn data>" 22:15 < Luke-Jr> petertodd: ^ 22:16 < gmaxwell> looping in scrypt is yuck though. e.g. while(true)OP_HASH256. 22:17 < gmaxwell> if you just want to burn coins OP_RETURN them, poof gone and trivially provable they were burned. 
22:25 < Luke-Jr> but then they're "too" burned :P 22:26 < Luke-Jr> OP_FOR isn't the same as OP_WHILE :p 22:26 < Luke-Jr> OP_FOR would inherently be non-forever 22:38 < andytoshi> in an alt where fees were tied to runtime, you could do cool things like this 22:38 < andytoshi> it seems to me that even "non-forever" is not sufficient to prevent DoS attacks 22:39 < andytoshi> if you can loop for tens of thousands of iterations, that can cause bad problems .. if you can nest loops, etc 22:39 < andytoshi> otoh, if you -can't- do those things then that sucks 22:43 < gmaxwell> Luke-Jr: yea, 4 billion SHA256 ... big improvement over forever. 22:44 < Luke-Jr> [03:38:09] <andytoshi> in an alt where fees were tied to runtime, you could do cool things like this <-- there is no reason this would be an alt 22:44 < gmaxwell> tying things to runtime is really really likely to cause hardforking bugs. 22:44 < Luke-Jr> gmaxwell: only if they are hard rules 22:44 < gmaxwell> since you need a precise instruction counter. 22:44 < gmaxwell> Luke-Jr: they must, because non-miners must evaluate script too 22:45 < gmaxwell> otherwise you have mining pools incentivized to put in fast hardware script execution engines and no one else can keep up validating the coin 22:45 < Luke-Jr> gmaxwell: I'm okay with letting miners decide on the upper runtime limits, within reason. 22:47 < gmaxwell> within reason is the problem there == hardforks. :P 22:48 < Luke-Jr> nah, within reason is vague enough to use opcode counters 22:48 < andytoshi> gmaxwell: sorry, i meant 'instruction count' which could be defined very precisely in a forth-like script 22:50 < gmaxwell> andytoshi: yes, it can be. What OP_CHECKMULTISIG does is also very precisely defined and that didn't stop several alt implementers from getting it wrong. 
22:50 < andytoshi> ah, this is true 22:51 < gmaxwell> this may ultimately be an argument for replacing script with verification for some proof of execution, since it may actually be easier to get it right. 22:52 < gmaxwell> or at least alt implementors are less likely to try to reinvent crypto constructs. 22:53 < gmaxwell> it's nuts. SCRIPT is actually a public key signature system itself. People writing their own ECDSA code as a my-first-project would be super frowned on, and yet they re-write script. though somewhat annoying in that at least there are libraries for ecdsa. 22:55 < andytoshi> i think i will start pushing the meme on #bitcoin that cryptography is serious business and that only morons try to roll their own or work with it without understanding it 22:55 < andytoshi> ...which appeared to be common knowledge until altcoins became a thing 22:55 < gmaxwell> Okay, I think I'm going to give up on bitcoin, jesus christ: http://blockchain-link.com/#future 22:57 < andytoshi> gmaxwell: agreed on "this is an argument for snarks", aside from the usual novel crypto warnings it seems to me they'd be way easier from a blockchain engineering perspective 22:57 < andytoshi> and i'd be really jacked to see a turing complete script (and maybe one which could do things like read the past blockchain) 22:58 < andytoshi> gmaxwell: where did you get that URL? 22:59 < gmaxwell> #bitcoin 22:59 < gmaxwell> oh thank god those are feathercoin amounts 22:59 < gmaxwell> I was thinking this person had received over 600 btc in donations 22:59 < andytoshi> ahhh wtf 22:59 < gmaxwell> I think if that was true I would probably just never do anything with bitcoin again. I'm getting seriously depressed about all the money flowing into fucking things up. 23:00 < gmaxwell> I am not a very coin operated guy myself, but the funds flowing specifically to _bad_ things is especially demotivating. 
23:01 < andytoshi> gmaxwell: as personal advice i'd say you do way too much to correct misinformation and engage with these idiots ... but otoh it does a massive amount of good for the bitcoin community, so i dunno what to say 23:02 < gmaxwell> well I certainly know that I have the option of ignoring everything I don't like. 23:02 < gmaxwell> And I actually consciously ignore enormous swaths of stuff (though I know it doesn't seem like it) 23:03 < andytoshi> maybe i will write a "why alts are retarded" FAQ which discusses cryptography and the horrors of using it blindly or stupidly ... and reminding people that cryptocurrencies are a novel cryptographic concept and these lessons apply -even more so- because of that, and then -even more so- because there is monetary value involved 23:04 < andytoshi> because it appears that people think this shit is magic, people talk as though "cryptos" are a thing, a collection of magical systems that are all on equal footing 23:05 < gmaxwell> you can probably pull up some of the old sci.crypt faqs 23:05 < gmaxwell> things like "anyone can make a cryptosystem that they themselves can't break" 23:06 < gmaxwell> it all applies to the _entire_ altcoin. The whole thing minus some frills around the edges, but everything that actually makes it an alt 23:06 < gmaxwell> e.g. the decision to go with 10 minutes vs 5 minute block times is a cryptographic decision, and one that isn't very completely understood! 23:06 < gmaxwell> (though more understood than some other things) 23:07 < andytoshi> good call on sci.crypt -- i was a young child when it crossed into mostly-insanity so i forgot all about it :P 23:07 < andytoshi> i'll hack something up this week and post it here, maybe just github the latex and give you all push access 23:07 < gmaxwell> it was pretty much always insanity, but the boundary of sane and not is what produced some of the arguments you need. 23:07 < andytoshi> or rather, git.wpsoftware.net it ... i don't think github likes direct pushing 18:11 < maaku> helo: it's essential that the bids be committed coins 18:11 < helo> yes 18:12 < maaku> because keep in mind that the adversary is sharing a cost, even if just opportunity cost 18:12 < helo> with a space carved out for first-come-first-served, i'm not so worried :) 18:14 <@gmaxwell> maaku: yea, but money has a non-uniform value. Joe activists might consider $50/month upkeep unreachable, while nike might think nothing of dropping $60k on shutting up a nuisance. 18:14 <@gmaxwell> yea, if both exist its less of a concern. 18:14 < nsh> why not... first come, first served with a (reasonably short ~6 month) jubilee period 18:14 < nsh> owner has preference to keep domain through jubilee, but at a nonzero cost 18:15 <@gmaxwell> you mean initial obtaining is behind an auction? the problem there is that even if you're a dumb robot, stealing other people's names is perhaps a good strategy. 18:15 <@gmaxwell> people have done that with namecoin: snatching up names on expiration. 18:15 <@gmaxwell> assuming that people's original registrations are a good estimate of value. 18:15 < nsh> hmm 18:16 <@gmaxwell> though the idea of how hard it is to kick the holder depending on how hard they've held it isn't terrible. 18:17 < nsh> maybe how easy it is to keep a domain should be a function of html/css aesthetics 18:18 < nsh> although you'd want to have a "geocities peak" in the distribution somewhere 20:39 < wangbus> digging sounds more difficult :p 21:34 * andytoshi-logbot is logging 22:51 < Dylan_> I had some ideas for bitcoin, would anyone want to listen? 
22:52 < BlueMatt> Dylan_: it's always best to just go for it instead of asking if you can...whether or not you get responses is a function of who's online, but there are plenty of people who read scrollback, so it'll be seen eventually 22:57 < Dylan_> I was thinking about an automated system for the distribution of electricity (watts of the network) to reward people for capturing electricity using solar panels, in the same way the miners are rewarded for computation 23:00 < Dylan_> I figure there are two ways to do it. 1. to have a box that plugs into the voltage meter, that would send bitcoins to a wallet for electricity into the grid 2. to have a premined coin that was regulated by a power company that was sent when an owner put power into the grid 23:01 < Dylan_> but, I am struggling over the first solution. How would one design a box to assure someone didn't break the voltage meter.... etc 23:02 < Dylan_> Has anyone been thinking about this? 23:04 < BlueMatt> I'm not sure if you can/want to handle checking of hardware modification at the currency layer... 23:05 < BlueMatt> there are ways to try to address it (make the thing fail if its case is opened, have someone physically go check it every month, etc), but I think that's all at a layer way higher than what you're paying with 23:06 < Dylan_> well, it's definitely a plan for after the ASICs come out, and I definitely need help to figure out if authenticating the watts is worth it.... 23:06 < Dylan_> yeah, my intuition says it is possible, but my conscious brain says... duh 23:07 < Dylan_> maybe I need more long walks, and showers or something 23:08 < Dylan_> would love to make it open source 23:08 < BlueMatt> I think dealing with hardware drm is something that happens way higher level than here 23:08 < Dylan_> and easy enough for my grandmother to use 23:09 < BlueMatt> (eg put private key in the thing, wipe the key when the box is opened, require key for payment from the power company) 23:10 < Dylan_> that way would use the premined version 23:10 < Dylan_> all a distributed system would need is a web page/server 23:13 < Dylan_> maybe having both systems to compete against each other would also be good 23:17 < BlueMatt> I'm not sure what your model is here, if you mean no power company and completely decentralized grid...I'm not sure how well that's gonna work to begin with 23:27 < Dylan_> well, it depends on the country and the existing grid... but I would like to at least try to develop a model for both of them 23:27 < Dylan_> centralized and decentralized grids.... 23:29 < Dylan_> but solar panels are pretty good for both types of grids, which is why I would like to start there... and perhaps try and limit it there, because I don't think fossil fuel or wind tech are very good, 23:30 < Dylan_> maybe geothermal.... but now I am rambling... --- Log closed Sat Dec 21 00:00:15 2013 --- Log opened Sat Dec 21 00:00:15 2013 01:12 < eristisk> /msg NickServ IDENTIFY iojfdys!df9876ds7%% 01:13 < eristisk> oops, better change that. 01:15 < _ingsoc> Lmao. 01:16 < eristisk> *^_^* 01:52 < Emcy> wow RSA took $10 measly MM of NSA cash to deliberately gimp their crypto 01:53 < Emcy> Had a long chat with my friend who worked on RSA's BSafe. Two comments: "i saw that this morning and was filled with a sense of shame" 01:53 < BlueMatt> yea, see the thing I find the most surprising in that story is it only took $10 million... 01:53 < Emcy> But no, he had no idea NSA had done some payoff and he was working on code apparently deliberately gimped. ;( 01:53 < Emcy> hmm those are quote tweets, i have no RSA friend 01:54 < Emcy> BlueMatt yeah it's not a lot of money for flushing your company rep down the toilet is it. NSA total budget for this sort of subterfuge is 250MM apparently 01:56 < Emcy> I SINCERELY hope the word gets out about this far and wide and the market sorts this one out 02:36 < Dylan_> has anyone heard news about truecrypt's independent audit? 02:47 < Emcy> they've engaged an audit firm 02:47 < Emcy> what i don't know is what's stopping that firm getting a nice fat NSL about it 03:44 <@gmaxwell> Personally I'm waiting to hear about the lawsuits from ex-NSA people who are now unemployable. 04:01 < Emcy> they picked their side 05:30 < maaku> Dylan_: http://blog.cryptographyengineering.com/2013/12/an-update-on-truecrypt.html 09:03 < adam3us> some scroll-back comment: petertodd or maaku were talking about how the minimal function needed from the network is tx ordering (if you ignore SPV functionality). i agree with this. the fact that committed tx are respendable in committed form to full nodes is in fact an illustration of this fact. 09:07 < adam3us> in some way you can see that the distributed function offered by the bitcoin network if you remove tx validation (as respendable committed tx do) is that it is a secure namespace. (first come first served, first to announce owns; and can opt to transfer ownership. transferring ownership decommits because it involves a signature. anyway a distributed namespace is a slightly higher level function built on a distributed timestamp. 09:10 < adam3us> and in fact again, other than for optimization, full nodes could survive fine with a distributed timestamping service only (no name uniqueness guarantee) as the timestamping defines ordering. they can therefore build first to publish just by ignoring later republications (and validating themselves either via committed tx key knowledge, or by validating clear text but unvalidated tx) 11:36 < petertodd> adam3us: just ignoring later publications isn't good enough though, you need to be able to be sure that a prior publication *doesn't exist* at all 11:37 < petertodd> adam3us: if you can't, then you're not sure if your coins are valid 11:37 < petertodd> adam3us: assuming bitcoin-style fixed inflation that is... 11:38 < petertodd> adam3us: you could have a system where double-spends were valid if accompanied by more pow of cource 11:38 < petertodd> *course 11:39 < petertodd> adam3us: basically the scheme I came up with back in highschool for a decentralized crypto-currency after reading a certain paper about hashcash :P 11:39 < petertodd> adam3us: dunno if you've heard about it, you do a partial-preimage against... :P 12:02 < adam3us> petertodd: yes. i meant to imply the full node scans from genesis and is thereby convinced that a given string is the first copy 13:55 < maaku> adam3us: "if you ignore SPV functionality" <--- that's a big thing to ignore 13:56 < maaku> it's the difference between academic wankery and a system that is actually deployable and workable 13:57 < petertodd> maaku: this is -wizards, we're doing research and development 14:04 < andytoshi> maaku: i think if you're aware of the simplifications (and ofc petertodd is), spherical blockchain reasoning is useful 14:05 < andytoshi> eg bitcoin solves problems independently enough that you can think of timestamping apart from everything else 14:07 < petertodd> anyway, with additional technology you probably can make such systems usable on low-resources too, for instance via SCIP to compactly validate coin histories, or via economic tricks to limit the scope of fraud 14:12 < CodeShark> I wish more of petertodd's ideas were being tried in practice :) 14:13 < petertodd> CodeShark: same :P 14:13 < petertodd> CodeShark: it'll be nice finally getting some free time to work on them properly soon 14:18 < CodeShark> need any help? 14:18 < CodeShark> or rather, would you like some help? :) 14:18 < petertodd> yes! 14:18 < petertodd> although frankly, I think right now coinjoin is what needs dev effort on the most 14:19 < petertodd> other stuff is cool, but it really needs to actually see implementations 14:19 < CodeShark> not sure whether stronger privacy or blockchain/utxo prunability are a higher priority 14:20 < adam3us> maaku: yes SPV is the current scaling model. i like to re-examine assumptions. sometimes i find ways to re-write them along the way. so thinking back to the minimal function for the global part is good. more secure even. and then try other ways to scale maybe there are better ways. 14:20 < petertodd> it's easier to throw hardware at making bitcoin scale than it is to throw hardware at making bitcoin private 14:20 < adam3us> maaku: eg committed tx have strong policy advantages over clear/validated tx 14:21 < adam3us> maaku: more resistant to centralization for example 17:28 < petertodd> again, the first time this came up I had a paying contract to tell mastercoin if they should, or shouldn't, stick with putting data in the blockchain. I said the existing design was very secure if you used steganography for anti-censorship, PoW chains were possible to 51% attack, and merge-mine would make 51% trivial by a big pool 17:28 < jtimon> jrmithdobbs I don't follow 17:28 < petertodd> given that censorship of MSC txs in the blockchain is *way* harder than people realize, obviously I told them some techniques to improve on that and stick with what they had 17:28 < petertodd> (this is why MSC adopted an encoding scheme where the data looks like valid pubkeys) 17:29 < jrmithdobbs> jtimon: just because it is in their economic interest to mergemine instead of attack alt coins doesn't mean that is the decision that will always be made. 
17:29 < sipa> bah 17:29 < petertodd> sipa: heh, I think lots of people didn't realize that was so easy... 17:29 < sipa> petertodd: this is a nice example of what i'd call suddenly changing how selfish a particular party acts 17:29 < petertodd> sipa: indeed, and BTC better realize how easy what MSC did is 17:29 < jtimon> jrmithdobbs just because it is in their economic interest to mine at ghash.io instead of using p2pool/gbt doesn't mean that is the decision that will always be made. 17:30 < jtimon> that's my point, how is it different? 17:30 < petertodd> sipa: basing scalability assumptions, esp re: the UTXO set, on "oh, people will play nice" is idiotic 17:30 < Luke-Jr> hmm, I wonder if deploying P2SH^2 might not be as hard as we think 17:30 < petertodd> Luke-Jr: MSC is P2SH^2 proof 17:30 < Luke-Jr> petertodd: I mean real bitcoin 17:30 < jrmithdobbs> petertodd: i think sd proved that already. 17:30 < petertodd> Luke-Jr: "real bitcoin"? 17:31 < petertodd> Luke-Jr: I mean, adopting P2SH^2 *doesn't* stop the MSC encoding scheme (well, with the trivial modification to wrap the CHECKMULTISIGs in P2SH txs) 17:31 < Luke-Jr> petertodd: I'm not sure what MSC came up for, I'm talking about Bitcoin itself 17:31 < petertodd> jrmithdobbs: no, they stopped 17:31 < Luke-Jr> petertodd: why do I care about that? 17:31 < jtimon> petertodd: I see your point, MM is less secure than MSC, true, but it's also more scalable 17:31 < jrmithdobbs> petertodd: like a year later 17:31 < petertodd> Luke-Jr: oh, I'm assuming you meant P2SH^2 to stop MSC 17:31 < sipa> Luke-Jr: MSC is putting data in bitcoin's chain... 
17:31 < Luke-Jr> petertodd: no, P2SH is to stop data spam 17:31 < Luke-Jr> ^2* 17:31 < Luke-Jr> sipa: 17:32 < petertodd> Luke-Jr: well, that's my point, you can't stop data spam *except* to stop it from getting in the UTXO set, and even that's weak 17:32 < Luke-Jr> petertodd: you can 17:32 < petertodd> Luke-Jr: you can't stop schemes that encode hashes in the UTXO set, and there's lots of uses for that 17:32 < Luke-Jr> scriptSig can require preimages or valid ECDSA sigs too 17:32 < Luke-Jr> petertodd: not really, no 17:32 < petertodd> Luke-Jr: read this: http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03524.html 17:33 < petertodd> Luke-Jr: without some pretty drastic changes to the way scripts work you can't 17:33 < sipa> Luke-Jr: then the preimage would be in the blockchain 17:33 < Luke-Jr> sipa: not necessarily 17:33 < petertodd> Luke-Jr: also, stopping data spam 100% stops you from soft-forking in a lot of potential new features, for instance new signature algorithms 17:33 < sipa> Luke-Jr: that would prevent you from validating it afterwards 17:34 < Luke-Jr> I'm assuming the P2SH^2 enforcement is done by miners only 17:34 < petertodd> Luke-Jr: and timestamp/proof-of-publication spam is really handy to a lot of protocols, and bloats the UTXO set even 17:34 < Luke-Jr> and tx relay 17:34 < sipa> Luke-Jr: then it only requires an out-of-chain deal with a miner to put it in anyway 17:34 < Luke-Jr> petertodd: there is no need to bloat the UTXO set 17:34 < petertodd> Luke-Jr: e.g. P2SH^2, even gmaxwell's v2.0 version, doesn't stop you from doing namecoin in the UTXO set 17:35 < petertodd> Luke-Jr: for many protocols abusing the UTXO set is cheaper and more secure and there's fuck all we can do about it other than ask nicely to stop 17:35 < jtimon> what's P2SH^2 please? 17:35 < jtimon> link? 
17:35 < Luke-Jr> petertodd: *technically* yes 17:35 < Luke-Jr> jtimon: miners only mining stuff that is proven to be a hash 17:35 < petertodd> jtimon: https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg01987.html 17:35 < sipa> jtimon: have P2SH-only in the txouts, but to relay a transaction, you must add SHA256(script) to it 17:36 < petertodd> Luke-Jr: yes, and getting a hash into the UTXO set is enough to implement namecoin 17:36 < sipa> jtimon: so you prove that the data in the P2SH output is a real hash of something, and not data 17:36 < Luke-Jr> petertodd: it makes it more expensive 17:37 < petertodd> Luke-Jr: namecoin is already expensive, irrelevant 17:37 < Luke-Jr> the point is to make blockchain bloat more expensive than merged mining 17:37 < petertodd> Luke-Jr: as I told Mastercoin, their transactions are worth a lot more than the least valuable Bitcoin transactions, so they'll be able to outbid those and still get their data in the chain 17:37 < petertodd> Luke-Jr: that's irrelevant, merge-mining is less secure 17:38 < Luke-Jr> only if you're scamcoining. 17:38 < sipa> i'm not sure what intent has to do with it 17:38 < petertodd> Luke-Jr: sure, which is why I told Mastercoin to stick with the current system! 17:39 < petertodd> Luke-Jr: After all, what is or isn't a scamcoin is a matter of public opinion, so you're safer assuming people think you are and acting appropriately. 17:39 < Luke-Jr> sipa: if you're just interested in the security, you can do merged mining in a secure way 17:40 < Luke-Jr> if every Bitcoin block is a valid Altcoin block, and Altcoin uses the same difficulty and requires merged mining, then the worst someone can do is equivalent to not participating 17:41 < petertodd> Luke-Jr: that's not at all true and stop saying that 17:41 < sipa> petertodd: totally different subject; if we'd have a system with TXO MMR's... that would require every wallet to remain up-to-date with all blocks, to find operations that affect the path of its unspent outputs to the roots of the range? 17:41 < petertodd> Luke-Jr: you've just come up with a system where the block interval is really long if there isn't that much hashing power, that is still vulnerable to 51% attack 17:41 < killerstorm> I have a question about Bitcoin security: do we need to assume that the majority of miners (hashpower-weighted) are not colluding (i.e. making secret arrangements) with each other for Bitcoin to be secure? Or do we assume that they are rational and rational miners won't collude? 17:41 < maaku_> petertodd: it's disingenuous to say that merged mining is insecure too 17:42 < Luke-Jr> petertodd: only if the attacker 51%s bitcoin as well 17:42 < petertodd> sipa: nothing explicitly of course 17:42 < maaku_> bitcoin-parasitic vs merged mined alt? of course the parasitic option is better 17:42 < petertodd> Luke-Jr: no, think about it: altcoin is 1% of hashing power, so the block interval is 10min * 100, I can still 51% attack that by mining more blocks than the other miners regardless of the interval 17:42 < maaku_> merged mined alt vs non-merged mined alt? that's a different story 17:43 < Luke-Jr> petertodd: no, you may have 51% of blocks, but you cannot reorg it 17:43 < maaku_> killerstorm: depends on the context. colluding to do what? 17:43 < Luke-Jr> petertodd: you'd need to have 51% of *bitcoin* blocks and reorg bitcoin, to reorg the altcoin 17:43 < sipa> short-term-selfish miners will always collude if they can 17:43 < petertodd> Luke-Jr: ah, but if I can't re-org it, and it's a timestamp system, then what happens if I mine a longer chain in secret and reveal it? 
17:43 < maaku_> but in many cases yes, 51% is sufficient to censor the chain, for example 17:44 < Luke-Jr> petertodd: you'd need a longer *bitcoin* chain 17:44 < petertodd> Luke-Jr: mining a block doesn't magically make it available to the world 17:44 < sipa> as it means their 51% becomes 100% 17:44 < petertodd> Luke-Jr: no, bitcoin block #10 mines altcoin block 1, bitcoin block #11 mines alt block 2a, bitcoin block #12 mines alt block 2b 17:44 < petertodd> Luke-Jr: was 2a or 2b the valid best block? 17:45 < Luke-Jr> petertodd: altcoin does not have a prevblock header. 17:45 < Luke-Jr> it is ALWAYS tied to the bitcoin chain 17:45 < petertodd> Luke-Jr: yes it does, the prevblock header just happens to skip a few steps 17:45 < Luke-Jr> your scenario is not possible 17:46 < Luke-Jr> if bitcoin block 11 mines alt block 2, then bitcoin block 12 must mine alt block 3 17:46 < petertodd> Luke-Jr: after all, if the miner of bitcoin block #11 doesn't tell anyone he mined 2a, then how does 2b know that? 17:46 < petertodd> Luke-Jr: remember, this is a merge-mine chain: participation is voluntary 17:47 < sipa> i wasn't aware of the fact that merged-mined chains had no own prevhash 17:47 < sipa> but it seems to make sense 17:47 < Luke-Jr> sipa: the existing ones do, but that's not the system I was talking about 17:47 < Luke-Jr> petertodd: ok, I remember this now. 17:47 < petertodd> sipa: luke's very mistaken... 
17:47 < Luke-Jr> petertodd: I forget if I found a solution to that issue or not 17:47 < maaku_> sipa: they do, i think Luke-Jr is describing something novel/different 17:47 < sipa> ok 17:48 < sipa> i'm not sure what the problem is with it that petertodd is describing 14:32 < petertodd> maaku: but that's the thing, # of unspent outputs can be very large, leading to a large proof 14:33 < petertodd> maaku: I'm also extremely reluctant to make the CCoins compression a consensus thing - it's very likely standard transaction forms will change in the future 14:34 < petertodd> maaku: much simpler is just to commit to the uncompressed forms, and do compression (if warrented) as a optimization for the on-disk format 14:34 < maaku> petertodd: I would find that compelling if it weren't for P2SH 14:34 < petertodd> maaku: and for that matter, for the on-network format too 14:34 < petertodd> maaku: P2SH may change in the future 14:35 < petertodd> maaku: like I say, if you don't commit to the exact compression format that doesn't stop you from using one anyway 14:35 < maaku> yes that is true 14:36 < maaku> i'm already considering a different hash format for gmaxwell's SNARK concerns 14:36 < phantomcircuit> SNARK 14:36 < phantomcircuit> how do you people come up with these names 14:36 < maaku> well not different, just expanded with fields having fixed width and fixed offsets 14:36 < petertodd> maaku: another interesting issue is that if this is a pure UTXO thing, then we don't have any committment to OP_RETURN data, which shuts out a lot of valid applications for it where a per block index of that data would be very useful 14:37 < maaku> phantomcircuit: the quality of your acronym determines your funding when government research dollars are at stake, alas 14:37 < petertodd> maaku: e.g. my stealth address stuff 14:37 < phantomcircuit> maaku, lol 14:38 < petertodd> maaku: suppose we find we picked the wrong hash format, what's the plan? 
that consideration should be documented 14:38 < phantomcircuit> tbh my donations are largely based on hilariousness of acronyms 14:38 < petertodd> phantomcircuit: PHANTOMCIRCUITISADICKHEAD 14:38 < phantomcircuit> lol 14:39 < phantomcircuit> petertodd, im going to hack you and steal all your research funding 14:39 < phantomcircuit> see whose laughing then! 14:39 < petertodd> phantomcircuit: IGTHYASAYRF <- that's not even pronounceable, lame 14:40 < maaku> petertodd: so one advantage of committing to a compressed serialization format (for network and disk at least) is the ability to distribute the UTXO set and get a validating node online quickly, then move backwards validating to genesis 14:41 < maaku> -- 14:41 * maaku is thinking 14:41 < petertodd> maaku: but that's not true: you can just as equally commit to the uncompressed format and pass around compressed data 14:41 < petertodd> maaku: the only advantage is that the amount of data being hashed is less, but compressed-vs-uncompressed is a tiny difference 14:42 < maaku> petertodd: yes, but the compression may not be lossless (pruning of spent data) 14:42 < phantomcircuit> even if you're using a proper custom dictionary you're not going to get more than about 15% compression 14:42 < petertodd> maaku: huh? 
I'm talking about CCoins compression here 14:42 < maaku> CCoins does not contain spent outputs 14:43 < maaku> that's what I'm talking about 14:44 < petertodd> maaku: right, but then you're talking about TXO vs UTXO sets 14:46 < petertodd> maaku: if you work with a full UTXO set, there's not much of a difference between the two - the TXO version needs some extra data to fill in the missing parts of the tree, but we're talking about a log(n) difference 14:48 < petertodd> maaku: you can also get up and running faster with a TXO set, as you can grab the UTXO's that are most likely to actually get spent first, reserving the less likely ones for later (or never bothering) 14:58 < Emcy_> http://www.bbc.co.uk/news/technology-25506020 i cant believe this is the first exposure thousands of people will have to the concept of public key crypto 18:57 <@gmaxwell> oh good, there is now a storage spam coin: http://datacoin.info/index.php?id=index 18:58 < CodeShark> haha 18:59 < nsh> cryptocurrencies: fuzztesting the facade of economic rationality since 2008 18:59 < BlueMatt> heh 19:00 < CodeShark> we're about to see an avalanche of alt coins - it has barely even begun 19:00 < BlueMatt> seems like there is a business model in double-spending tiny coins and breaking these exchanges that allow you to trade literally anything... 19:02 < sipa> we should really release a tool to generate your own altcoin source... 19:02 < CodeShark> I've been thinking about that - an alt coin wizard 19:02 < CodeShark> :) 19:03 < CodeShark> set the chain params, set the name/datadir, set the pow hash function - and poof 19:03 < CodeShark> also, set the block reward rule and the retargeting rule 19:03 < CodeShark> I think that pretty much covers it, no? 19:03 < BlueMatt> sipa: Ive heard that from like 10 people... 
19:04 < nsh> there was a coin that had all the generally-tweaked parameters pulled out into a config file 19:04 < BlueMatt> make lots of nice sliders and checkboxes so you can make your own alt that is designed to fail miserably under load 19:04 <@gmaxwell> nsh: it's not the tweaking that needs help, half the wannabe altcoin makers can't even compile it. 19:04 < nsh> well, aye 19:04 <@gmaxwell> so the thing has to do all the technical stuff for you. 19:05 < nsh> "The difficulty is already at 10 so I basically missed out on mining it already I'll probably launch another coin tomorrow" --https://bitcointalk.org/index.php?topic=380683.0 19:05 < CodeShark> well, gmaxwell, the wizard could also create a virtual machine that builds it as well as a website to promote it :p 19:06 < nsh> just monitor knowyourmeme or whatever equivalent to see the latest crazy and autotheme 19:06 < CodeShark> for full generality, the hash function as well as the block reward and retargeting rules would have to be dynamically loadable 19:06 < sipa> dynacoin 19:06 < Luke-Jr> 1nshahahaha 19:07 < sipa> launch new module -> hardfork 19:07 < sipa> Luke-Jr: 1ns hahahaha? 19:07 < sipa> that's a short laugh 19:08 * nsh smiles 19:09 < CodeShark> rather than requiring separate builds for different parameters, I prefer dynacoin :) 19:09 < CodeShark> set the chain params via config file and use dynamic linking for hash pow function 19:09 < BlueMatt> holy shit, these exchanges take literally all the diff-1 altcoins...I'd bet a ton you could double-spend them and just break the exchange software so easily... 19:10 <@gmaxwell> CodeShark: virtual machine?! wtf. You mean, "OP_JMP_TO_THIS_CODE" 19:10 < CodeShark> we don't need separate builds for each 19:10 * sipa suggests OP_X86 19:10 < CodeShark> hehe 19:10 < petertodd> sipa: ah yes, rootcoin 19:11 < sipa> also, OP_SUDO 19:11 <@gmaxwell> rootcoin can only be run as root. 
19:11 <@gmaxwell> (it's to make it more fair) 19:11 * petertodd really needs to release an alt-coin that scans your hard-drive for wallet.dat files and uploads them to the P2P network 19:11 < sipa> petertodd: mines them into the blockchain, you mean 19:12 <@gmaxwell> pretty sure its been done. 19:12 < nsh> eeep 19:12 <@gmaxwell> well not the blockchain part 19:12 < petertodd> sipa: kinda obvious, but why not 19:12 < petertodd> anyway, namecoin is a perfectly good datacoin given that IsStandard() is disabled... 19:16 < CodeShark> there clearly are applications to decentralized data storage using some spinoff from bitcoin - but it feels like we're missing a second structure, besides the blockchain 19:16 <@gmaxwell> yea, but you don't have to feel bad about spamming this one. 19:16 < petertodd> gmaxwell: I thought feeling bad was a pow function to limit spam 19:16 <@gmaxwell> CodeShark: by itself some blockchain thing is not really useful for that. 19:17 < CodeShark> gmaxwell: right, we need a second decentralized structure and a mechanism that compensates people for providing storage resources on the network in the coin that is generated in the block chain 19:17 <@gmaxwell> petertodd: I mean, say you find some really _epic_ way to break namecoin with spam... you couldn't take credit for it without people being mad at you, so no sense in looking for one. This thing, otoh, I think is free target. 19:18 < CodeShark> if only we had a reliable time-lock encryption mechanism :) 19:18 < petertodd> gmaxwell: true 19:19 <@gmaxwell> CodeShark: I think you can make POW into ticking for timelock encryption. Maybe. 19:19 < petertodd> CodeShark: gmaxwell has a coin for that 19:19 < CodeShark> petertodd: yeah? :) 19:19 < CodeShark> actually, I should be asking gmaxwell 19:20 < petertodd> CodeShark: basically you make the pow be breaking a timelock crypto problem, devil's in the details though... 
19:20 <@gmaxwell> CodeShark: the idea is just that you make the system generate random instances of a hard problem suitable for asymmetric crypto, and POW is attacking those random instances. 19:20 <@gmaxwell> Doing it with discrete log in ec groups isn't great though because rho is not progress free. 19:21 < sipa> 01:16:41 < petertodd> gmaxwell: I thought feeling bad was a pow function to limit spam -> if only it converged 19:21 <@gmaxwell> hahah 19:21 < petertodd> lol 19:21 <@gmaxwell> guiltcoin 19:21 < CodeShark> lol 19:22 < sipa> PoG 19:22 < petertodd> sipa: cryptographically signed court records are gonna make this one easy... 19:23 <@gmaxwell> CodeShark: in any case, I do think that timelock crypto ticking for pow is possible, though the details may make it a bit messy. 19:23 < petertodd> sipa: one murder per block 19:23 < petertodd> sipa: gives new meaning to the term "orphan" 19:23 < CodeShark> gmaxwell: do you have anything written up on the topic somewhere? 19:24 <@gmaxwell> https://en.bitcoin.it/wiki/User:Gmaxwell/alt_ideas search for timelock 19:05 < petertodd> jtimon: basically, your utxo/txo/txin set in a cryptographic accumulator, and you can only update the state of that set if you have the transactions that have happened, thus somehow you have to ensure you don't end up with that data getting lost 19:05 < maaku> petertodd: that doesn't have generic-coloring stuff you were just talking about right? 
19:05 < petertodd> jtimon: easy to do in a single consensus-realm system, but quickly becomes an existential risk if you try to scale more than that 19:05 < petertodd> maaku: not explicitly, but the basic ideas in that paper can be applied to such schemes 19:06 < maaku> petertodd: is this accurate to what you are talking about: 19:06 < maaku> <maaku> So one can imagine a coloring script that acts kinda like a virus: it loads the transaction, does some checks to make sure it doesn't invalidate any coloring constraints, and then attaches itself (referencing its own source code) to the colored outputs 19:06 < jtimon> petertodd: in that thread you only had committed utxi, not utxo 19:06 < petertodd> maaku: yup 19:06 < petertodd> jtimon: right, but the logic applies equally to utxo too 19:06 < maaku> you'd need a much more powerful script language to do interesting things with that 19:07 < maaku> but you certainly could do interesting things 19:07 < petertodd> maaku: heh, I'll say... such scriptPubKeys are quines after all! 19:07 < jtimon> I'm sorry guys, I'm not sure I follow 19:07 < gmaxwell> petertodd: the coloring constraint can even validate a issuing authority signature, to make sure the initial attachment was permitted. 19:07 < maaku> jtimon: http://en.wikipedia.org/wiki/Quine_%28computing%29 19:07 < jtimon> but what I meant by making the utxi scalable through expiries 19:07 < gmaxwell> So you can't just go affixing it to new random coins. 19:08 < petertodd> jtimon: so in bitcoin, when a miner finds a block, what forces them to release the actual block contents rather than just the block header? 19:08 < petertodd> gmaxwell: yup, or make it part of the program operating "if prev txout == magic return true" 19:09 < gmaxwell> petertodd: and to avoid the awful outcomes in my covenant thread... you make sure the color virus has a kill switch. 
19:09 < jtimon> petertodd, other miners won't mine on top of your block if they can't see it in full, it could be invalid 19:09 < gmaxwell> e.g. a way to spend it to tell it to not attach to the output. 19:09 < maaku> petertodd: we originally had introspective scripts in the freimarkets spec but gutted it because we didn't see a compelling use case, but this changes things 19:09 < maaku> it's a bit of complexity, but probably worth it 19:10 < petertodd> jtimon: Exactly. But other than that, what actually forces them to do that? For instance, what if you could prove a transaction was valid without the UTXO data itself? 19:11 < petertodd> maaku: I gotta read the freimarkets spec... 19:11 < jtimon> nobody forces them, is just the best they can do, not sure I understand the second question... 19:12 < gmaxwell> http://www.itbusiness.ca/news/royal-canadian-mint-readies-its-version-of-bitcoin-mintchip/46113 mintchip is moving forward? heck yea. 19:12 < petertodd> jtimon: well, we can make systems where transactions can be accompanied by short proofs that their txins are valid, and those proofs can be used to update things like committed UTXO set trees. Those two things let miners mine while fully validating, but without any blockchain data. 19:12 < maaku> petertodd: well it's not in any public version of the spec, but I wouldn't be opposed to adding it back in 19:12 < maaku> petertodd: it may be sufficient reason to revamp script entirely 19:13 < petertodd> gmaxwell: I'll be interested to see if that alleged privacy leak is still in the spec... 
19:13 < maaku> (we mostly dropped it because doing introspection was a kludge without LISP-like semantics) 19:13 < petertodd> maaku: it's a pretty useful feature IMO - I first thought of it for fidelity-bonded bank stuff 19:13 < petertodd> maaku: I suspect you can do it reasonably nicely with real forth semantics 19:14 < gmaxwell> petertodd: man, I wish I'd thought to ask them to be able to do something to do trustfree binding with bitcoin. 19:14 < petertodd> gmaxwell: if it was possible by accident they probably would have changed it to prevent it... 19:15 < gmaxwell> petertodd: e.g. just a "I've been paid!" message signed by your chip is enough. 19:16 < petertodd> gmaxwell: sure, although good luck on it being crypto-compat with bitcoin 19:16 < maaku> has anyone looked at hard-fork scripting improvements? other than Merklized scripts 19:16 < petertodd> maaku: I'm not sure there are any scripting improvements that actually need a hard fork you know... 19:16 < gmaxwell> Merklized scripts don't have to be a hardfork improvement. 19:16 < gmaxwell> You just P2SH deploy the update. 19:17 < jtimon> petertodd: does this require any snark-like tech? maaku: what are the differences from "regular stateless validation" 19:17 < jtimon> ? 19:17 < petertodd> jtimon: not at all 19:17 < maaku> jtimon: i think petertodd is explaining stateless validation 19:17 < petertodd> maaku: yup 19:18 < gmaxwell> maaku: things I want merklized scripts, restore missing opcodes, extra checksig flexibility, true scalable threshold signatures (e.g. schnorr). 19:19 < petertodd> "Money instantly moves from one cloud-based, MintChip account to another" <- it's cloud-based now? hmm... 
19:19 < jtimon> ok, I guess then I don't understand stateless validation well enough because I don't see how would you do coloring or what the power of the scripting language has to do with it 19:19 < gmaxwell> oh also, I eventually invented a much better scheme for hash based signatures, only to realize I invented something that has long been known. E.g. one time use hash based signature with 128 bit security (using 256 bit hashes) = 2.1kbytes. 19:19 < petertodd> jtimon: it's got nothing to do with either 19:19 < gmaxwell> petertodd: oh dear, did they make it suck? 19:20 < petertodd> gmaxwell: wouldn't surprise me... they probably noticed phones don't have card-readers 19:20 < petertodd> gmaxwell: and if they made it suck, they probably also made it possible to reverse tx's due to hacks... 19:20 < gmaxwell> damnit 19:20 < jtimon> can't you put an NFC card near a phone? 19:21 < petertodd> jtimon: that's harder than making it suck 19:21 < gmaxwell> I hope they didn't make it suck. 19:21 < petertodd> jtimon: and seriously, even that is susceptible to hacks - you really need an NFC card with an LCD display 19:21 < gmaxwell> Even without trustless binding it was going to be awesome for bitcoin. 19:22 < maaku> gmaxwell: i've been compiling a list of things that might make it in an updated freimarkets spec, and those are on it 19:22 < jtimon> yeah, I guess you need a lcd and a couple of buttons in the card 19:22 < maaku> i'd love both lamport signatures and ed25519-derived schnorr signatures (if that is possible) 19:22 < petertodd> jtimon: yup, and then you really want the cards to be registered to people's names, so the lcd displays who it's really going to... 19:22 < maaku> using the sighash byte to keep compatibility 19:22 < gmaxwell> I am less enamored with ed25519 than I was. I like our curve better now. :P 19:23 < maaku> why? 19:23 < gmaxwell> maaku: just have a second checksig operator. 
19:24 < gmaxwell> maaku: because ed25519 has a cofactor of 8, and because the "standard" software for it is incompatible with things like BIP32. (also, because one of the things I thought was weak about our curve turned out not to be.) 19:25 < gmaxwell> I believe our curve also has higher security against all known attacks, outside of implementation mistakes, not that it matters much. 19:25 < maaku> but it is faster & resistant to timing attacks, isn't that pretty significant? 19:26 < gmaxwell> no, in fact it's not resistant to timing attacks unless you drop the compatibility with BIP32. (or make it much slower) 19:26 < gmaxwell> To make it constant time (and faster) they require the most significant bit of the private key be 1. 19:26 < maaku> i mean I'm in agreement with our curve not being weak, but I thought ed25519 was strictly better in most cases 19:26 < gmaxwell> which means that you can't have a 'randomly' generated private key, e.g. from a public derivation. 19:27 < gmaxwell> and without that you make it slower and you take away the constant timeness (though you could get back the constant timeness with a major slowdown, just like for our curve) 19:27 < maaku> sorry confusing pronoun dereferencing : ed25519 is resistant to timing attacks and secp256k1 is not, right? 19:27 < gmaxwell> and the speed difference isn't so huge. 19:27 < maaku> hrm. ok 19:29 < maaku> i see, so it'd be quite a bit of work for little payoff 19:29 < gmaxwell> maaku: _curves_ aren't resistant or not, their implementations are, though curve choice can limit what implementations are available. ed25519's canonical implementation is both fast and timing resistant, but requires that the most significant bit of the private key be 1. 19:29 < maaku> which kills bip32, i understand now 19:29 < petertodd> so why does that kill bip32? 19:29 < gmaxwell> which is neat, but if you take away that bit, then its not timing resistant, and making it timing resistant makes it not fast. 
(though it may still be better off than secp256k1) 19:30 < gmaxwell> petertodd: it kills type-2 derivation since you can't tell if the private key will have the MSB set. 19:30 < gmaxwell> now it may not be much work in reality, because the tor project has this whole big proposal for a redo of hidden services. 19:31 < gmaxwell> And it does something very similar to type-2 derivation to prevent HS directories from enumerating which hidden services are in use. 21:39 < Emcy> his heart seems to be in the right place wrt bitcoin...... 21:39 < Emcy> i hope he can get back somehow 21:40 < petertodd> i dunno, if I had a family to think about and that happened, I'd think very hard about quitting :( 21:42 < Emcy> what has he really got to be afraid of 21:43 < Emcy> its a step from i hacked u lul to ill kill your family 21:43 < petertodd> Emcy: he told me he works in intelligence... 21:43 < Emcy> oh 21:43 < Emcy> US? 21:43 < petertodd> Emcy: dunno 21:44 < petertodd> Emcy: https://bitcointalk.org/index.php?topic=335658.msg3607994#msg3607994 21:44 < Emcy> maybe hes done then 21:45 < maaku> hell i would be too 21:45 < petertodd> fuck, worst-case is he just committed suicide by two gunshots to the back of the head... 
21:46 < Emcy> how macabre 21:46 < Emcy> when you said web bugs, you meant nasty payloads embedded in sites right 21:47 < Emcy> dillon always seemed pretty damn clued up 21:47 < petertodd> Emcy: links to images embedded in comments - gives up the ip addresses of everyone who views the comment 21:47 < Emcy> but we do know now that if a (US at least) agency wants your computer you cant stop it 21:48 < Emcy> perhaps the forum should disable hotlinking 21:48 < petertodd> Emcy: yeah, I thought at first he was the alt of someone in the community, but that's kinda presumptuous to think there aren't smart people out there who understand bitcoin well 21:48 < petertodd> the forums really should 21:52 < Emcy> so it seems proponents of blacklisting and stuff are playing dirty 21:53 < Emcy> petertodd based on what he said there, i doubt hes coming back ever 21:55 < petertodd> maybe... i dunno, this is either some misguided hacker who has no understanding of politics - don't make martyrs out of people - or it's some scary spook shit meant to scare off employees from leaking anything/having political opinions 21:55 < petertodd> I hope it's the former, for his sake. 21:56 < Emcy> yes 21:56 < petertodd> if it's the latter, hopefully it means that Tor works and his employers still don't know who he is, so figured a warning was the best they could do. 21:56 < petertodd> or it's something else entirely 21:58 < Emcy> he could have done a dead drop of another pgp key for you at the conf, incase something like this happened 21:58 < Emcy> in the toilet maybe........ 
22:00 < petertodd> nah, bitcoin timestamp a message in advance is the obvious thing to do 22:01 < Emcy> oh right yeah thats perfect 22:01 < phantomcircuit> petertodd, what kind of silly person allow javascript on bitcointalk 22:02 < Emcy> if anything this shit demonstrates why privacy is important 22:02 < Emcy> also the lartyr thing 22:02 < Emcy> martyr 22:02 < petertodd> Emcy: agreed 22:02 < Emcy> babbys first politics 22:02 < phantomcircuit> petertodd, this is why i mostly chat with OTR 22:03 < Emcy> like how the republicans shut down your govt in a tantrum over obama health lol 22:03 < petertodd> phantomcircuit: yeah, that we use IRC for everything is not good 22:03 < phantomcircuit> unfortunately jabber which is the easier to use otr with is a mess 22:04 < phantomcircuit> and running our own irc server is well 22:04 < phantomcircuit> nothx 22:04 < petertodd> I mainly use ChatSecure on android for OTR 22:05 < warren> OTR for IRC seems unusable 22:06 < petertodd> works well on irssi, at least for me 22:06 < Emcy> hmm are freenodes interserver links encrypted even 22:06 < Emcy> or m/any of the other big networks 22:07 < petertodd> Emcy: dunno 22:11 < phantomcircuit> Emcy, i doubt it 22:15 < theymos> I hear there are concerns about forum security? 22:16 < warren> gmaxwell: hey, are you interested in being part of a group who defines the formal requirements for the next generation forum? 22:16 < warren> gmaxwell: including the things we discussed earlier 22:16 < petertodd> theymos: you see how jdillon was compromised? 22:17 < petertodd> theymos: probably not related, but I mentioned how twice people have tried to put web-bugs in forum messages on -talk and the foundation forum 22:17 < warren> theymos: it's hard to know for certain exactly what vector he fell to 22:19 < Emcy> if that leak was meant to reveal some sort of ulterior motives from you and john, it failed imo. 22:19 < theymos> I just read about that a few minutes ago. That's what caused me to come on IRC. 
Seems interesting. 22:20 < Emcy> its more like people do things in private related to what they also do in public, welcome to earth 22:20 < petertodd> Emcy: thanks, though the reddit discussion especially is remarkable at missing the point 22:20 < theymos> It seems that he was not compromised via the forum, as his GPG and email were also compromised. 22:20 < warren> It seems everyone in those communications clearly wants to protect Bitcoin. 22:20 < theymos> Web bugs in PMs are known and common. 22:21 < warren> looks like some of those copied leaked messages were PM's 22:21 < warren> others were GPG mail 22:21 < petertodd> theymos: yeah, I doubt a webbug would have done anything other than give a tor exit server ip address in this case... 22:21 < warren> Emcy: yeah, I don't know what agenda was meant in leaking that. 22:22 < Emcy> petertodd in fact it only really strengthens your position of wanting the technical side of bitcoin to remain true to its founding principles 22:22 < Emcy> not something that was exactly a secret with you or others mentioned there 22:23 < warren> Emcy: well, I spelled out the regular practice of hiding security/dos fixes in commits that don't mention it ... 22:23 < Emcy> theymos disable HTML on the forum man 22:23 < Emcy> or the parts of BBS markup that allow hotlinking and stuff 22:23 < warren> theymos: yeah, forum should be telnet only 22:23 < petertodd> warren: what if my modem has a zero-day? 22:24 < Emcy> lol i meant forum markup with the [] 22:24 < theymos> petertodd: Yes, he was using Tor. 22:24 < petertodd> Reasonable compromise with hotlinking would be to filter to, say, imgur-only 22:25 < Emcy> petertodd if it was his agency trying to get him, thats not enough 22:25 < petertodd> You know, one plausible vector is github of course... 22:25 < theymos> I was thinking recently of using http://images.weserv.nl/ , but I haven't had time to do it. 
22:26 < petertodd> Emcy: I'll say - could be any number of browser zerodays 22:27 < Emcy> how did firefox react to all that......they were specifically targeted too i think, according to the leaks 22:27 < warren> Emcy: that was an old version of firefox 22:27 < Emcy> youd expect it from the likes of IE 22:27 < Emcy> how old 22:28 < petertodd> Emcy: I mean, hell, this is a guy who I think was sticking to a fixed posting schedule for anti-timing analysis... heck, I'd joked to warren before that he was probably scheduling his vacations to correspond with mine to throw people off. 22:28 < Emcy> could be true....... 22:29 < Emcy> the bloom thing has since been publicly dealt with right? I think i remember something 22:29 < warren> petertodd: oh. I'm guessing the "leak" is the bitcoin foundation communications that were posted in public. 22:29 < petertodd> if I were trying to keep my IRL identity anonymous I'd use IRC chat logs and only post when some well-known community member did... 22:30 < warren> Emcy: the bloom thing is not much of a secret anymore 22:30 < petertodd> warren: yeah. it did leak that I was the one who sent him mike's post in the first place 22:30 < Emcy> irc chat logs/ 22:30 < petertodd> Emcy: there's been some fixes that make it a fair bit harder to exploit - far from perfect, but it's a good step that gives us time 22:30 < Emcy> ? 22:30 < warren> Bitcoin Foundation forums is not much of a secret. it costs what $40 to be able to read it? 22:31 < Emcy> yeah i dont know why they dont just make that read only for non members. all the good stuff gets out any way 22:31 < Emcy> plus the foundation has a bit of an air of exclusivity to dispel, if it cares to 22:31 < petertodd> Emcy: with anti-timing analysis, you want to make sure someone can't try to match up your IRL schedule to when you post things with your pseudonym. So, use IRC logs to deliberately match the schedule of *someone else* to throw any investigators off the trail. 
22:31 < Emcy> right yes 22:31 < petertodd> Emcy: I noticed a while back he'd almost only ever been posting on sundays too... 22:31 < Emcy> so someone else gets black bagged and not you lol 22:32 < petertodd> Emcy: yup 22:32 < Emcy> In addition to what I said earlier, I mentioned your status to a friend 22:32 < Emcy> of mine who is a former spook and well aware of the dangers of the 22:32 < Emcy> business to anyone with a sense of ethics. 22:32 < Emcy> ^saddest passage in there imo 22:33 < petertodd> Emcy: the fact that the people I know IRL who tend to be strongest in support of snowden have been from intelligence/military backgrounds really says something 22:34 < Emcy> kind of puts paid to the shitty assertion that if people really cared, theyd put on a suit and change the system from the inside 22:34 < Emcy> it just doesnt work like that 22:34 < petertodd> fuck no 22:34 < petertodd> well... they get into the system, and use that access to leak... 22:34 < Emcy> i heard it stated lots as a glib dismissal of the whole occupy thing.......annoyed me 22:35 < petertodd> yeah 22:36 < Emcy> (what occupy apparently was in the beginning i mean, before being sybil attacked by hippies) 22:36 < petertodd> though snowden really made it clear to people how rotten things were - these organizations can be reasonably good at compartmentalizing stuff, so you don't necessarily know that stuff is going on 22:36 < petertodd> Emcy: "sybil attacked by hippies" <- brilliant 22:36 < Emcy> heh, thats what i saw from the streams and such 22:37 < Emcy> and when they started segregating men and women in the camps 22:37 < Emcy> nope to that 22:37 < Emcy> men from women more accurately 22:37 < Emcy> anyway 11:17 < jtimon> but I disagree on "the idea is mining is like to get the right to vote on what the next block is" 11:17 < adam3us> jtimon: if those problems could be convincingly fixed, it might be quite interesting 11:18 < jtimon> the idea of mining is sequencing events irreversibly 11:18 < adam3us> jtimon: correct, and to vote on their validity (for SPV client reliance) 11:19 < adam3us> jtimon: but interestingly the actual sequence doesnt matter, just that everyone agree on a sequence. if they could do it via coin toss that would be just as good 11:19 < wallet42> stealth addresses are base58_check encoded compressed pubkeys? 11:19 < jtimon> toss? 11:19 < adam3us> jtimon: (except for some issues with 0-confirm security model where network propagation such as it is provide some modest security) 11:19 < wallet42> whats the versionbyte? 11:20 < jtimon> justanotheruser: I think ppc is less secure for having pos, but it would be much more insecure if it didn't have pow at all 11:21 < adam3us> jtimon: (this was part of the entangled design discussion i had with petertodd that he wrote about it a bit in that same post. at the lowest level you could obtain a distributed consensus sequence from a distributed timestamping service) 11:21 < jtimon> justanotheruser: apart from the "I buy the system to destroy it" attack, as adam3us pointed out: "many PoS have actual protocol defect to allow mining on multiple candidate blocks in parallel so devolve to PoW" 11:22 < jtimon> adam3us, of course, the challenge is the infinitely scalable p2p timestamping system 11:22 < adam3us> justanotheruser: gmaxwell gave some arguments that PoS fails because users can rationally vote on both sides of a fork, or on many forks to get higher voting power so it devolves to PoW. so i think it doesnt quite work in practice with the consensus mechanism as anyone can construct multiple candidates 11:24 < adam3us> jtimon: yes. well my offline exploration was to see if you could pull the bitcoin design apart, work out the minimum required dependency and features and put it back together in another way with any useful improvement. that experience led me to declare bitcoin design is "entangled" because many security features rely back on the same PoW chain. 
11:25 < adam3us> jtimon: and also to declare bitcoin only just works, or the design is fairly optimal. because each design change i considered of dozens always made things worse or more complicated or less efficient. 11:25 < jtimon> yeah, I agree, I have made similar journey while exploring possibilities for ripplecoin (where the hostcoin was actually more of a problem than a requirement) 11:25 < adam3us> jtimon: the ghost idea was one of these, but i considered it worse because its more complicated perhaps i was too hasty on that one they claim its a useful design alternative. apparently ethereum is considering it. 11:27 < jtimon> adam3us: it looks interesting to me, but of course that doesn't solve all the scalability problems, is just a little bit of help 11:27 < adam3us> jtimon: at this point i would've taken any improvement :) my exploration of the design space was a failure. pools do seem a problem worth removing. 11:29 < stonecoldpat> are miners pools not just a natural process that cant really be removed? It's a bit like industrialisation... 11:29 < adam3us> jtimon: but like i say adding an indirection between mining and voting seemed to create perverse behavior opportunities with like saving up voting power for one moment of abuse (hashcash had this problem) or selling votes 11:30 < adam3us> stonecoldpat: well one thing is industrial scale mining, thats perhaps somewhat inevitable. the other thing is people giving their vote to a pool operator while it is the user actually with the mining power. that should be avoided if we could find a way IMO 11:31 < stonecoldpat> is the vote to choose the correct branch? or how to distribute the coins? 
11:31 < stonecoldpat> i remember having a thought about this before christmas (how to distribute coins) - i seen it as a pretty bad problem 11:31 < adam3us> stonecoldpat: correct branch and form part of a kind of distributed signature attesting all the transactions are valid 11:33 < stonecoldpat> adam3us: i dont know if a distributed signature is really necessary, a block with an incorrect transaction won't be accepted by the rest of the community (unless this pool has over 50%) - so it is in the interest of the pool lead to verify the transactions are correct 11:33 < stonecoldpat> adam3us: and choosing the correct branch is hard - since they are both correct. it may lead to greater vulnerabilities (by tricking the voters) - im sure some politician tactics could be deployed 11:33 < adam3us> stonecoldpat: yes but the SPV (smartphone/limited bandwidth) clients accept whatever is claimed by sampling a few nodes 11:35 < adam3us> stonecoldpat: so eg a smartphone may download only the hashchain and ask for merkle proof that a tx is in a block, and then just assume its valid. if someone can get enough power to create 6 blocks they could print money in the eyes of SPV clients... so i just mean the distributed signature in the sense that it is hard for someone with << 50% of hash power to win 6-blocks in a row 11:36 < adam3us> stonecoldpat: yes if all candidate blocks are valid tossing a coin to choose a block at random would be just fine. 11:44 < Luke-Jr> I wonder if stealth addresses can be combined with P2SH^2 somehow 11:46 < jtimon> stonecoldpat: the network will never accept an invalid transaction no matter the % of hashing power, the only thing 51 attackers could do is change the order (for double-spending purposes?) 
or freeze the chain 11:47 < jtimon> stoencoldpat: if you have ideas for coin distribution, maybe you're interested in this: http://foundation.freicoin.org/#/about 11:48 < jtimon> adam3us: about your "pools problem" what about this other approach: *somehow* prevent non-p2pool pools from mining 11:48 < jtimon> adam3us: solo miners could only mine on their own p2pool alone 11:49 < jtimon> /only/always 11:49 < Luke-Jr> jtimon: p2pool isn't special 11:49 < adam3us> jtimon: yes that is an interesting direction (prevent pool security) amiller had some idea relating to this. i dont think it quite worked however 11:49 < Luke-Jr> there is no reason to prefer it over other decentralised schemes 11:50 < jtimon> Luke-Jr I thought it was (and by p2pool I include eligious, just exclude "centralized pools") 11:50 < adam3us> jtimon: i have a friend who elects to solo mine as a kind of lottery. it'll take him years to get $25,000 payout. the limitation is that. if the reward could be made less lumpy maybe. 
11:51 < jtimon> maybe that term is more appropriate centralized vs p2p pools 11:51 < Luke-Jr> jtimon: p2pool is a specific pool, both decentralised and also p2p 11:51 < Luke-Jr> jtimon: BitPenny was the original decentralised pool ;) 11:51 < jtimon> I see 11:51 < Luke-Jr> unfortunately, they died out 11:51 < jtimon> well, I think most frc pools are based on p2pool software, that may have contributed to my confussion 11:52 < jtimon> in frc there's only centralized pools and p2pools 11:52 < Luke-Jr> makes sense, GBT isn't feasable for FRC as-is 11:53 < jtimon> my point for adam3us was "instead of thinking about micro-mining, think of a way were only p2p pools are allowed" 11:53 < forrestv> as usual, Luke-Jr ignores other benefits of p2pool 11:53 < Luke-Jr> ok, but my point is that p2p is a bad thing; what you want is decentralisation 11:53 < forrestv> 's complete decentralization 11:53 < Luke-Jr> forrestv: there are none, to the network 11:55 * jtimon doesn't understand the difference between decentralized and p2p in this context 11:57 < Luke-Jr> jtimon: decentralised = miners create the blocks; p2p = there's no server to coordinate things 11:58 < jtimon> I see, yeah decentralized is enough since all miners validate everything, no? 11:58 < forrestv> Luke-Jr, you really need to use a name other than "decentralized," considering that eligius definitely has a central server.. 11:58 < Luke-Jr> well, all nodes validate everything, miner or not 11:58 < Luke-Jr> forrestv: the mining isn't centralised though 11:58 < jtimon> I mean, in a centralized pool, a miner only hashes, doesn't see anything else 12:00 < jtimon> the validation node of a centralized pool can do more harm than the coordination server of a decentralized pool 12:00 < adam3us> jtimon: agreed 12:01 < adam3us> jtimon: a way of putting is it that miners are giving their vote to the pool. 
they should exercise their own vote, by doing their own validation 12:01 < jtimon> I don't know how this could work, probably changing the PoW, just wanted to inspire you adam3us 12:01 < Luke-Jr> jtimon: it cannot work. 12:02 < Luke-Jr> jtimon: if you take away centralised mining, hosted mining will flourish 12:02 < jtimon> I don't really like the word vote, then people say stupid things like "miners vote the rules of the system" 12:02 < Luke-Jr> "voice" perhaps 12:03 < adam3us> Luke-Jr: hosted mining is even worse, so that is a bad game theory outcome. 12:03 < helo> shoehorn? 12:03 < jtimon> which degenerates in even more stupid things like "scrypt is more democratic than SHA256" 12:03 < Luke-Jr> adam3us: that's my point 12:03 < Luke-Jr> adam3us: stopping hosted mining is impossible, and that's what we'll get if we take away centralised mining 12:04 < adam3us> Luke-Jr, jtimon: it seems to me what you want is a mining algorithm with diseconomy of scale. not sure if that is significantly possible however 12:04 < jtimon> Luke-Jr, why? 12:04 < sipa> Luke-Jr: decentralized != trust-free 12:04 < sipa> Luke-Jr: eligius is trust-free, but centralized 12:04 < brisque> "hosted mining" is a sham anyway. there's no reason anybody would rent out mining equipment unless they're expecting their customers to take a loss. 01:58 < gmaxwell> petertodd: surely you can agree that special purpose hardware can get 4x to perhaps 10x more price or power efficiency over general purpose stuff no matter what you do algorithimically. 01:59 < petertodd> gmaxwell: Yes, but 4x is manageable in the context of a proof-of-work system IMO. It's the 100x and 1000x speedups that are really scary. 01:59 < gmaxwell> well then you also have to think about process improvements. It's a lot easier to port dram to better processes than other kinds of logic. 
01:59 < petertodd> gmaxwell: I accept I can't stop custom hardware entirely, but I can keep to the level where it's a cottage industry where guys doing PCB layouts stuffed with memory and FPGAs can still compete.
02:00 < adam3us> maybe if you could fully exercise the gpu hardware you could force the attacker to build a gpu
02:00 < adam3us> however even then probably much of the hw is junk for the purpose of mining; eg video rendering, vga/dvi etc
02:00 < gmaxwell> in general POW functions will always allow for super regular hardware implementations "10000 copies of this circuit".. and that lowers the costs substantially to get it to a better process.
02:00 < adam3us> so it will be improvable
02:01 < gmaxwell> OTOH, bitcoin asics are _nowhere_ near process state of the art. I don't even mean lithography. There is a lot of optimization that they're not doing on their current process.
02:01 < gmaxwell> yea, just throwing out all the IO hardware you don't care about saves considerable power and area.
02:01 < gmaxwell> (esp power driving a bunch of IO is power hungry and general purpose hardware doesn't bother power gating most of that stuff)
02:02 < petertodd> gmaxwell: Is that actually true? The Avalon chips are apparently surprisingly dense for the process node they were fabbed on.
02:02 < gmaxwell> petertodd: from talking to them they aren't doing anything exceptionally clever.
02:02 < adam3us> well i guess the other issue is that its probably going to be difficult to design something efficiently verifiable and memory hard and dynamic (requiring CPU-like branching)
02:03 < petertodd> gmaxwell: I'm thinking of a third-party teardown that was done.
02:03 < petertodd> gmaxwell: s/teardown/decapping/
02:03 < amiller_> i don't believe that, i think you can make an efficiently verifiable pow for basically any task
02:03 < adam3us> a problem i see is getting hardware, seems fair chance butterfly are premining the hardware their customers paid for
02:04 < gmaxwell> amiller_: I'm skeptical about non-memory hard validation for memory hard POW. Certainly you can make POWs that allow partial validation.
02:04 < adam3us> and that other manufacturers who put increasing design/fab resources are economically going to do the same
02:05 < adam3us> well eg in the early days of hashcash i was thinking about floating point tweak to SHA1 etc, but then what if your hash function turns out to be attackable
02:05 < amiller_> gmaxwell no that's totally possible, you can just keep doing cut and choose over and over again until it's a constant size sample
02:05 < amiller_> gmaxwell, this constant-verification merkle tree proof of work paper from 2009 has a really general form
02:06 < petertodd> adam3us: ugh... you really don't want to start putting stuff like floating point into your PoW in a hard-consensus system, because that just makes that set of features a nice optimization target.
02:06 < gmaxwell> amiller_: okay thats a different kind of memory hard function than I was thinking of in that its a read mostly one where the validator can have a copy which has trustworthy updates.
02:06 < adam3us> well my point is that designing a one-way hash function is hard, eg sha0 got broken, md4, md5 got broken etc. history is littered with broken hash functions
02:07 < petertodd> amiller_: How well does non-interactive cut and choose work though? You run the risk of putting the work into gaming the cut-and-choose system if you are not careful.
02:07 < amiller_> non-interactive cut and choose is always about making you finish all the work before you make the first cut
02:07 < petertodd> adam3us: All the litter is kinda old though... :)
02:07 < gmaxwell> amiller_: and yea what petertodd says.. I just keep 1 nth the database and do Nx more queries. Often the trade off is non-linear.
02:07 < amiller_> gmaxwell, no, sequential accesses prevents that
02:08 < adam3us> amiller_: are you talking about the coelho paper ("constant-verification merkle tree proof of work paper from 2009")
02:08 < amiller_> yes
02:08 < amiller_> that doesn't include the sequential access thing
02:08 < adam3us> well i am sure the sha3 competition has some more litter :)
02:08 < amiller_> but it's also not about a memory hard puzzle
02:08 < gmaxwell> amiller_: I don't see how you can enforce sequential access with a memoryless validator.
02:08 < adam3us> one winner, many losers
02:09 < amiller_> gmaxwell, the memory is a merkle tree, the memoryless validator validates merkle tree paths, but the puzzle solver has to access random locations in the memory in sequence
02:10 < gmaxwell> amiller_: right which is fine, but I can just have 1 nth of the tree or you must increase your proof size by ~O(N) to stop me.
02:10 < gmaxwell> I suppose that its sort of like the PCPs though, fairly little N really does a bang up job at preventing me from subsetting.
02:11 < petertodd> gmaxwell: Yup, PCP's was exactly what I was thinking of.
02:11 < amiller_> gmaxwell, no because you can build a merkle tree then cut and choose over that proof too
02:11 < adam3us> i suppose what you are saying about validating anything is true but with a work/validation ratio of N/(P.log(N)) which is not a great ratio
02:12 < gmaxwell> amiller_: I suppose I'll have to walk through that to see how that works to make the proof compact, but I'll take your word for it.
02:12 < adam3us> to do better you have to rely on a pow and those are not general, they require a one-way function of some kind
02:12 < gmaxwell> (To be honest, I was mostly happy with lite proof validation for memoryless nodes)
02:13 < gmaxwell> (e.g. construct your POW so that the memory hard part is buried behind another hash and you just transmit that intermediate state and storageless nodes just don't verify the memoryhardness)
02:13 < adam3us> gmaxwell: the idea is populate a merkle tree with pow, then have the verifier use the root hash of the tree to select a subset of paths to validate
02:13 < gmaxwell> adam3us: Thank you for making it clear to me!
02:13 < gmaxwell> Thats elegant.
02:14 < petertodd> gmaxwell: the problem there is how do you make partitioning a node expensive?
02:14 < petertodd> gmaxwell: partitioning them undetectably that is
02:15 < gmaxwell> petertodd: with proofs of cheating which can be bigger because they're only sent in the exceptional case and it still reduces to non-memory hard POW otherwise. But yea, the non-interactive cut and choose is indeed better than I was thinking and solves the problem.
02:16 < amiller_> hrm, yeah i think there's sort of a glitch where you can just make a small number of your pow's bogus and it's unlikely they'll be included in the sample that gets chosen
02:16 < amiller_> PCP basically addresses this but it does it with enormous error correcting codes that are a huge burden on the prover
02:16 < petertodd> gmaxwell: Yeah - by "partitioning" I'm assuming the node has no communication to anyone to even tell them fraud has been committed. It's a problem in Bitcoin too, but at least we can easily make reasonable assumptions about network hashing power.
02:17 < gmaxwell> yea, I mean, it's not hard to implement big RS codes over in hardware... but kinda defeats the memoryhardness.
02:17 < gmaxwell> FFT multipliers make such nice circuits.
02:18 < gmaxwell> (staged POW still is useful for anti-DOS)
02:18 < petertodd> adam3us: You know, thinking a bit more about your comment about multi-port ram, it's interesting how if your pow-data set is static, at the extremes the difficulty becomes the routing hardware required to make the multiple ports actually work together nicely.
02:19 * gmaxwell &
02:20 < petertodd> adam3us: In practice though, I think the right approach is to have a master UTXO copy, populate the scratchpad memory for your work function, then do some work that consumes random access bandwidth >>>> BW required to populate, then proof via NI cut-n-choose partial merkle proof.
02:21 < petertodd> An optimal hardware design in that case has swiftly diminishing returns, because the non-optimal one only doubles the memory cost.
02:22 < petertodd> The trick is then to have a hashing function at the base of all this that can keep up with the main memory bandwidth.
02:22 < petertodd> IE the cheapest one possible so the slowness of the CPU implementation doesn't matter.
02:29 < adam3us> anyway it seems like the asic problem is an economic problem, and the solution is a not-for-profit that aggressively designs and manufactures state of the art asics and floods the market with them at-cost
02:30 < adam3us> seems to me that the players so far have not had that mindset so we have some kind of mining oligopoly
02:30 < petertodd> That's hopeless for decentralization: the world is rapidly converging to the global economy being able to support exactly 1 chip fab.
02:31 < petertodd> You need to ensure that whatever *commodity* magic that 1 chip fab is producing is as close to optimal as possible hardware for your proof-of-work function.
02:31 < adam3us> if there were enough chipfabs to be non-discriminatory
02:31 < adam3us> u say: adapt the proof-of-work function to what they are building - maybe yes
02:31 < petertodd> There just won't be - you get better performing chips from a chip fab by making the fab more expensive. Thus we used to have hundreds of fabs capable of producing top of the line chips, and that number has been dropping ever since.
13:58 < petertodd> Sure, I just worry you're creating a bunch of very specific special purpose code, where more general is better.
13:58 < jgarzik> I want to get the identity alt-chain demo-able (if not usable) out of the gate, too
13:58 < jgarzik> petertodd, understood. though make it too general and nobody interoperates usefully ;p
13:59 < jgarzik> It is easy enough to change details like sacrifice minimum cost, sacrifice or timestamping chain used for validation
13:59 < petertodd> Well, remember I've got the experience of making a general timestamper, and in the end it turned out to be really not a big deal basically.
13:59 < petertodd> About as easy as a Bitcoin tx specific one
14:02 < jgarzik> The optional timestamping is not really an important component of disposable SINs. Just thought it might be useful.
14:02 < petertodd> Well, leave it out then for v0.1 :)
14:02 < jgarzik> Could leave it out entirely, and let users solve that problem in whatever way they wish.
14:02 < jgarzik> :)
14:02 < petertodd> Making SINs scarce is the innovative thing anyway
14:03 < jgarzik> yep. and with disposable SINs you are given a choice between the two.
14:03 < petertodd> what language are you looking at implementing it in first anyway?
14:04 < jgarzik> petertodd, sadly for python fans, probably javascript. I'm ultimately a C programmer, FWIW, so my left-to-own-devices choice would be that, create a "libsin" in C. Might do that eventually anyway.
14:05 < jgarzik> JavaScript looks C-esque (personal taste), seems faster than python, and is browser friendly.
14:05 < petertodd> javascript is good for web stuff, not a bad choice
14:06 < petertodd> I always knew opentimestamps would need javascript client libraries to be really useful
14:07 < jgarzik> indeed
14:09 < petertodd> Incidentally, proof-of-sacrifice can be used to make an inherently 51% proof alt-chain.
14:09 < jgarzik> petertodd, in a mostly unrelated note, txtool will be gaining easy ability for people to create timestamping OP_RETURN transactions
14:09 < petertodd> Ah cool
14:10 < petertodd> You design your chain such that to create coins on it you need to sacrifice Bitcoins, and at the same time that sacrifice is how consensus is determined.
14:10 < jgarzik> petertodd, I still need to review IRC chat notes, and think through how the identity alt-chain might work. For convenience' sake, it might be useful to have a chain that is not PoW at all, but is provable through timestamping + sacrifices in another chain.
14:11 < petertodd> You also allow users to sacrifice the alt-coins to mine blocks as well. Now this *isn't* proof-of-stake because given a jam-proof network you are in fact giving up something of value.
14:11 < jgarzik> petertodd, i.e. a bitcoin sacrifice could grant the right to update the identity chain
14:11 < jgarzik> thus paying in bitcoin to update the identity database
14:12 < petertodd> The trick is that any attacker trying to 51% the blockchain for profit has the problem that they have to spend as much as the history is worth to people - a double-spend doesn't work because the person you are double-spending will sacrifice up to 100% of what you are gaining, and on top of that you'll affect third-parties with similar incentives.
14:13 < petertodd> Such a "blockchain" can easily be done as one tx per block, and can be done as a DAG. In the case of zerocoin, the accumulator is inherently serial though, so a dag doesn't make sense.
14:13 < petertodd> However... this does mean the zerocoin blocks can be created at the same rate as zerocoin tx's can be verified, completely bypassing the crazy slow verification problem, especially when you further couple it with fraud proofs and nodes only verifying part of the chain.
14:14 < petertodd> jgarzik: Makes sense, sounds like my zookeyv protocol.
14:14 < jgarzik> petertodd, zookeyv?
14:15 < petertodd> Add in some decent primitives for trading zerocoins to bitcoins and you have a solid way to bolt on zerocoin to bitcoin without performance issues.
14:15 < petertodd> jgarzik: what I'm calling the key-value store I originally mentioned to you; named after zooko's triangle
14:15 < jgarzik> petertodd, gotcha
14:16 < jgarzik> petertodd, indeed, the identity database is ultimately a key/value database
14:17 < petertodd> jgarzik: you planning on letting people grab human readable names?
14:18 < jgarzik> petertodd, well the toplevel is a flat SIN namespace. Under that, key/value pairs attached to each SIN. In theory, each SIN could assert name.real="Garzik, Jeff"
14:20 < petertodd> jgarzik: hmm... tricky. Remember that with any consensus system what maps to what is up to the biggest spender.
14:22 < jgarzik> petertodd, Updates to each SIN are validated by MPK digital signatures. At least that bit is easy to prove.
14:23 < jgarzik> petertodd, If the alt-chain is wholly depending on timestamped transactions in the bitcoin blockchain, the consensus problem becomes making sure everybody sees the same view of data, when parsing the blockchain.
14:23 < petertodd> jgarzik: Right, but someone can even rewrite the chain so the updates didn't happen.
14:23 < jgarzik> a lot simply depends on the alt-chain design itself
14:24 < jgarzik> nod
14:24 < petertodd> Only if the data itself - or at minimum the hashes of the pairs - is in the blockchain.
14:24 < petertodd> er, I mean H(key) H(value)
14:24 < petertodd> heck, OP_RETURN H(key) H(value) :)
14:25 < jgarzik> In this scenario, I imagined each alt-chain update would require a bitcoin sacrifice transaction that includes a hash of the record update
14:25 < jgarzik> obviously there are other validations that must occur, before it can make it into the alt-chain
14:26 < jgarzik> but that would be the anchro
14:26 < jgarzik> *anchor
14:26 < jgarzik> H(alt chain transaction)
14:26 < jgarzik> which would include SIN, key and value
14:26 < petertodd> H(alt chain tx) is no good because that leaves open the possibility of a withholding attack
14:27 < jgarzik> petertodd, that's true of any hash, though
14:27 < jgarzik> petertodd, otherwise you're back to OP_RETURN <full alt-chain tx>
14:28 < petertodd> No, because if I want to associate name:"Peter Todd"==0x12345 I can determine if there exist any H(name:"Peter Todd") in the blockchain and outspend their sacrifices
14:28 < petertodd> Without that I can never know if someone has a sacrifice waiting to be published
14:30 < jgarzik> I guess you could consider it all one big key/value namespace, if you prefix every key with the SIN being updated
14:31 < jgarzik> key="1234-5678-9abc name", value="Garzik, Jeff"
14:31 < jgarzik> key="1234-5678-9abc age", value="38"
14:31 < petertodd> Right, but if it's just sins as keys, what do you really need consensus for?
14:32 < petertodd> Just make it a big gossip network with anti-DoS
14:32 < jgarzik> petertodd, The problem being solved by the alt-chain is admittedly not consensus, simply decentralized storage and maintenance of the identity database.
14:32 < jgarzik> I don't think DHT will offer good disconnected operation
14:33 < jgarzik> thus looking at a replicated db like an alt-chain
14:34 < petertodd> Yeah, although having said that, consensus can still be useful: consensus about the overall contents of the global database.
14:34 < jgarzik> bitcoin-the-database-technology :) Google for "D1HT", an acronym I just learned last year
14:34 < petertodd> Leave the contents themselves to SomeOtherDatabase(TM)
14:34 * jgarzik couldn't believe they invented a new term for "copy the whole damn database to everyone"
14:35 < petertodd> ha, yeah d1ht's are funny
14:35 < petertodd> Note though that for consensus on overall contents all nodes actually need to store is the list of 64-bit truncated hashes of every db item.
14:36 < petertodd> (2nd-preimage is sufficient, maybe do 80-bit or 128-bit if you want to be really safe)
14:38 < jgarzik> petertodd, the solution does need a consistent overall view of the global identity database
14:40 < petertodd> perfect, make sacrifices commit to that overall view then
14:40 < petertodd> (or commit to being part of a dag)
14:40 < jgarzik> petertodd, hmmmmm, indeed
14:41 < jgarzik> petertodd, need to figure out how to resolve a race, then
14:41 < jgarzik> petertodd, i.e. two conflicting identity db databases arrive in parallel, and make it into same block
14:41 < jgarzik> er, identity db updates
14:42 < petertodd> highest sacrifice... which is zookeyv, but if it's really just SIN=value that will only happen accidentally
14:44 < petertodd> Something else to keep in mind is that sacrifice/byte is a good way to do anti-spam - tier the database and give nodes the option of dropping the lowest tiers.
14:45 < petertodd> Or simply order every bit in the database and drop everything above n GB
14:45 < petertodd> s/every bit/every record/
14:46 < jgarzik> The identity database just needs to serve the latest version of a SIN's key/value pairs, so updates are insta-prunable (modulo the obvious buried-in-chain safety factor)
14:47 < jgarzik> i.e. answer queries such as $value = lookup($sin, "name")
14:47 < petertodd> Sure, but total bytes are still important
14:48 < jgarzik> agreed, though not sure how you would tier this database
14:48 < jgarzik> any active record could potentially be queried
14:48 < jgarzik> idea was to create an anti-spam barrier up front, in sacrifice-to-update-db
14:48 < petertodd> Nodes just have to contribute what they can
14:49 < jgarzik> but then drop nothing (I hope? <insert prayer to $deity>)
14:49 < petertodd> Point is, what is your overall resource consumption model going to be? There *have* to be limits overall
14:49 < jgarzik> a fair point and open question. maybe identities should retire, and require republishing (at a cost)
14:50 < jgarzik> to maintain the database, and expire old stuff
14:50 < petertodd> Something... but figure it out in advanced
14:50 < petertodd> *advance
14:50 * jgarzik kicks xchat
14:51 < petertodd> heh
19:24 < sseehh_> Occupy Bitcoin http://www.ingenesist.com/general-info/occupy-bitcoin.html What if Everyone Was a Bitcoin? http://www.ingenesist.com/general-info/what-if-everyone-was-a-bitcoin.html Curiosume: The Resume Must Die http://www.ingenesist.com/general-info/curiosume-integrating-social-innovation.html http://curiosume.org
19:25 < CodeShark> ah, I should check that page more often :)
19:25 < petertodd> gmaxwell: last update oct 18th? you been slackin'
19:25 < CodeShark> yeah, I guess so :(
19:26 <@gmaxwell> CodeShark: thats been there since the start. Actually the timelock idea might have been what inspired me to actually make a page for that stuff.
19:26 < CodeShark> haha, ok - then I guess I never really read through it all
19:27 < BlueMatt> sseehh_: spammer go away (gmaxwell...stop slacking)
19:27 <@gmaxwell> Wow, I didn't even see that.. was totally invisible to me.
19:31 < sipa> you're just dropping packets with insufficient proof of intelligence
19:32 < sipa> perfectly normal behavior
19:32 * nsh smiles
19:32 < CodeShark> so with a timelock, we can now rent storage space by giving people an encrypted data packet along with a key they can use to claim some coins
19:33 < CodeShark> yes, the devil's in the details - but in principle this should work
19:34 < petertodd> CodeShark: no, the idea is if the pow is a timelock algorithm your data is safe from pre-mature decryption on the theory that any attacker would earn more by cracking the timelock pow instead
19:35 < petertodd> CodeShark: in short, your data is safe so long as it's worth less than the total value of the timelock crypto system
19:35 < CodeShark> yes, I understand that - just pointing out another application
19:35 < petertodd> CodeShark: true, I guess you could do a timelock scheme with data storage bolted on as well
19:35 <@gmaxwell> CodeShark: hm. interesting. So I give you data, and a zero knowledge proof that later you'll be able to decrypt the data and get coins out of it... with some large block encryption so that you can't throw away any of it.
19:36 < CodeShark> gmaxwell: exactly
19:36 < petertodd> CodeShark: see, that works well with standard timelock crypto
19:36 <@gmaxwell> I think I know how to do that without timelock crypto.
19:37 < CodeShark> how?
19:37 < petertodd> CodeShark: just put funds in a multisig spendable by the timelock cracker and the enclosed key, with a nLockTime'd refund in the future
19:37 <@gmaxwell> Take the data. Build a hashtree over it. The coins pay to the hashtree. Later, you can claim the coins if and only if you can produce a proof that looks like H(future block || data hash root) == index, and the spv proof of that index is the thing you must provide to get the coins.
19:37 <@gmaxwell> basically the network is the interactive party in proving you still have the data.
19:39 <@gmaxwell> gee imagine the amazing things these altcoins could do if they only bothered to think about the problem space for what.. 10 minutes?
19:40 < CodeShark> gmaxwell: interesting!
19:40 < CodeShark> you'd also have to prove availability, though - not just that you have it at time T
19:41 < CodeShark> at least if you want random access
19:41 < nsh> (perhaps their conception of problem space occupies a different domain [e.g. how do i become important and make money and advance my position] than ours [how can we make advances in the theory and practice of various interesting and socially-beneficial problem-sets])
19:41 < petertodd> nsh: tl;dr: they're stupid
19:41 * nsh nods
19:43 < petertodd> I don't think the interesting alts out there are based on mining anyway - mining is just too insecure when you're trying to start a new alt.
19:43 < petertodd> Either your alt matters so little it hasn't been attacked, or it starts to matter and it gets killed off.
19:44 < nsh> it should be possible to create an alt with a tapered creator mining advantage, i'd think
19:44 < CodeShark> I have a slightly different view on alts - yes, the vast majority of blockchain-based alts out there are cheap imitations of bitcoin. however, I like the idea of affording some flexibility in certain coin parameters
19:44 < nsh> that way you have a more smooth / less dangerous incubation period
19:44 < petertodd> nsh: then it's centralized
19:45 < CodeShark> we might as well just do dynacoin :)
19:45 < nsh> sure, but you can taper the centralization off algorithmically, maybe?
19:45 < nsh> perhaps my intuition is being seasonally optimistic
19:45 < petertodd> nsh: sure, although to do it right it can't be algorithmic or you may find the schedule was wrong
19:45 < nsh> ah, right
19:45 < nsh> though if you define the parameters for safe coin incubation well-enough...
19:46 < nsh> you could target the decentralization
19:46 < nsh> (dynamically)
19:46 < maaku> nsh: how do you measure decentralization?
19:46 < nsh> not sure. i was wondering that recently...
19:46 < petertodd> well, you just make it that you the creator get to sign statements allowing more decentralization as a one-way ratchet
19:46 < nsh> ah, yeah
19:47 < nsh> so a certain (set of) key(s) has a mining advantage, that can only decrease with some broadcast signal
19:47 < petertodd> nsh: yup
19:47 < nsh> mmm, dunno, sensing implementation difficulties the more i think about it
19:47 <@gmaxwell> CodeShark: well you could do something like prove you have it at _every_ block, and then to later spend the coin produce a snark that compresses all the proofs.
19:47 <@gmaxwell> hm. well I suppose thats not quite right, since you could have only had it at the end.
19:47 <@gmaxwell> Well in any case, it's better than doing nothing.
19:48 < CodeShark> gmaxwell: right, that's the problem
19:48 < maaku> nsh: you could lower the difficulty by the percentage of proof-of-stake signatures a block has
19:48 < petertodd> nsh: nah, no difficulties there: the signature is a substitute for PoW. you being the creator you'll use it responsibly; obviously you can play games and destroy things with that power too
19:48 < maaku> then an itsy bitsy premine gives you an advantage that slowly tapers off
19:48 < CodeShark> gmaxwell: to prove availability at a particular time, wouldn't you need to provide a challenge at that time?
19:48 < BlueMatt> CodeShark: though flexibility in researching optimal parameters is cool, a) there are more interesting things to research, but, more importantly, b) by just forking Bitcoin and creating an alt, you decrease the value of the digital scarcity that defines Bitcoin
19:48 < BlueMatt> 's value
19:49 < nsh> hmm
19:49 < sipa> meh
19:49 < sipa> i don't care
19:49 < CodeShark> BlueMatt: whether or not it decreases Bitcoin's value, it is an inevitable phenomenon - therefore, if Bitcoin cannot withstand it, we have a serious problem
19:50 < BlueMatt> I find that argument ridiculous: "its inevitable, so we shouldn't try to prevent it and should instead fully support it!"
19:50 < BlueMatt> makes no sense to me
19:50 < maaku> BlueMatt: I don't think this is zero-sum. Stupid people throwing stupid money at alts aren't necessarily going to speculate on bitcoin instead
19:50 < CodeShark> the exact same features that make Bitcoin so difficult to stop apply to any of these alts
19:50 < sipa> support?
19:50 < nsh> BlueMatt, i'm not sure i follow how more (of any kind of) cryptocurrency decreases the scarcity... isn't the scarcity defined relative to the utilization of mining resources?
19:50 < petertodd> BlueMatt: well, here's an interesting thought question: if I create BTCv2 that is just transactions embedded in BTCv1 with a fancy new scripting system, what happens? BTCv2 transactions still need to pay fees in BTCv1, and I can design my scheme so that both are 1:1 convertible (by allowing v1 to be destroyed to create v2)
19:50 < BlueMatt> maaku: oh, I'm not saying its zero-sum, I'm saying that its not independent, and far closer to zero-sum than independent
19:51 < nsh> so if more people mine alts that wouldn't be mining btc, then you've dilution, but if that mining power is not diverted but added...
19:51 < BlueMatt> petertodd: fuck mastercoin ;)
19:51 < BlueMatt> nsh: no, its defined as relative to the number of people interested in cryptocurrencies
19:51 < petertodd> BlueMatt: hehe, I have a lot of incentive to make such a thing work...
19:51 < sipa> petertodd: ??
19:52 < BlueMatt> nsh: mining isnt the important part to me, but it is as well
19:52 < BlueMatt> sipa: petertodd works for mastercoin.....
19:52 < sipa> heh?
19:52 < petertodd> sipa: I am mastercoin's chief scientist now...
19:52 < sipa> wtf?
19:52 < nsh> BlueMatt, hmmm. question is then how the elasticity of coin interest responds to the proliferation of alts
19:53 * Luke-Jr notes MasterCoin was offering a very low salary :P
19:53 < nsh> i suspect it's pretty nonlinear
19:53 < petertodd> sipa: I had decided I was going to quit the day job, and then by good luck they offered me a job at the same time
19:53 < petertodd> Luke-Jr: meh, salary isn't everything
19:53 < BlueMatt> petertodd: in any case, if a coin is 1:1 trade-able for bitcoin, and mined on its own chain (I agree currently merged-mined isnt very good, but I think we should work on making that more accessible instead of saying lets put shit on the chain) I fully support it as awesome fucking research
19:54 < BlueMatt> nsh: I disagree very highly
19:54 < nsh> then you're probably right :)
19:54 < petertodd> BlueMatt: well, what's interesting is how much data do you actually need in the chain? data-hiding is a serious issue, but maybe you can make the incentives to not hide data and/or recover from lost/hidden data. (see zookeyv)
19:54 < Luke-Jr> petertodd: it isn't, but does Mastercoin really offer anything more? :P
19:54 < BlueMatt> nsh: heh, I'm by no means a wizard, even if I do hang out here :p
19:54 < petertodd> BlueMatt: if everyone played nice timestamping would just be enough
19:54 * nsh smiles
19:55 < CodeShark> if everyone played nice we wouldn't need currencies :p
04:29 < EasyAt> Heavy clients are heavy :)
04:29 < maaku> interesting, i don't run my nodes on ec2
04:29 < EasyAt> Has there been any write ups, even broad strokes about http://utxo.tumblr.com/?
04:30 < maaku> ?
04:30 < petertodd> maaku: I stopped recently because bandwidth usage was getting nuts
04:30 < maaku> i'm working on some new posts, and a few bips
04:30 < maaku> it's on the documenting stage
04:30 < maaku> was that your question?
04:31 < EasyAt> Mine?
04:31 < maaku> yes
04:32 < EasyAt> maaku: A few bips regarding the link I posed/
04:32 < EasyAt> Sorry. keyboard bleh
04:32 < maaku> yes
04:32 < EasyAt> fun
04:32 < maaku> regarding the index structure, and various applications of it
04:32 < EasyAt> I look forward to reading. Is that you?
04:33 < maaku> yes
04:33 < EasyAt> omg
04:33 < EasyAt> nice
04:33 < EasyAt> \o/
04:33 < EasyAt> I'm quite excited to hear more of your ideas
04:33 < petertodd> maaku: are you still going into the UTXO set direction?
04:34 < maaku> yes. the authenticated prefix tree is more broadly useful though so I want to take a generic approach now
04:34 < EasyAt> While speaking with my friend the same approach occurred to me
04:34 < petertodd> maaku: huh, generic how so?
04:34 < EasyAt> I really like it
04:36 < EasyAt> maaku: Are things progressing nicely/
04:36 < EasyAt> bad keyboard :\
04:36 < maaku> merged mining, document timestamping, namecoin-like record updates,
04:37 < maaku> things like that which we have been discussing here on wizards
04:37 < EasyAt> I love the doc timestamping
04:37 < maaku> also i want to explain MMR for a lay audience, and the tradeoffs vs. committed tree hashes
04:37 < EasyAt> Sorry, I am normally away from #wizards. I don't mean to be redundant
04:38 < petertodd> maaku: ah, yeah, merge mining a UTXO commitment seems reasonable to me - can always be ditched later.
04:39 < petertodd> maaku: it might even be ok to reject blocks that have an invalid merge-mined UTXO commitment, but not reject ones with no such commitment at all
04:39 < EasyAt> indeed, it isn't bad. It's and it's easy
04:39 < maaku> petertodd: there's an application of the index structure to enabling zerocoin double-spend protection without requiring validating nodes to keep the double-spend db in memory
04:39 < EasyAt> petertodd: that's a very good idea
04:39 < petertodd> maaku: it creates a less than 51% attack of course, but with sufficient hashing power that may be deemed ok
04:39 < EasyAt> Or that should be in the software to check whether the commitment is valid
04:40 < maaku> also proof-of-stake voting.. lots of applications showing up
04:40 < EasyAt> if not ignore and trust nothing until a block with a valid utxo stamp and highest in chain
04:40 < maaku> yeah, the hash commitments will probably be merged mined first
04:40 < petertodd> maaku: yeah, I was thinking about that... I think what you've done is shifted the burden of updating that tree from the miners to those using it - it doesn't scale any better, but at least the people affected by the bad scaling aren't miners
04:41 < petertodd> maaku: (shifted in the sense that because it's a random access tree it doesn't scale)
04:41 < maaku> well i think it does scale better - you just have to keep up with your own proofs, not everyone's proofs
04:41 < maaku> same reason MMR scales better
04:42 < maaku> still limited by the processing speed of the minimum-requirements validator node, but there's plenty of room to grow there
04:42 < EasyAt> Sorry, can you tell me what MMR is or keywords to google for
04:42 < EasyAt> because MMR bitcoin yields nothing useful :)
04:42 < maaku> not really, that's the problem
04:42 < petertodd> MMR = merkle mountain range == https://github.com/opentimestamps/opentimestamps-server/blob/master/doc/merkle-mountain-range.md
04:42 < maaku> i need to write up a better description
04:42 < petertodd> maaku: heh, me too
04:43 < EasyAt> petertodd: thank you
04:43 < maaku> ^^^ is peter's document, but probably opaque unless you have a strong bitcoin-dev background
04:43 < petertodd> maaku: hey! I have pretty pictures in that one at least! :P
04:43 < maaku> :)
04:43 < petertodd> maaku: my ex understood it... so she claimed...
04:43 < EasyAt> maaku: I like to think I have a moderate knowledge
04:44 < EasyAt> I have written code to push through the chain and check all values. But haven't contributed yet. Still leveling up
04:44 < petertodd> maaku: so, I think the thing with tree stuff for zerocoin and similar will be that you can't get away from storing the whole tree. OTOH I agree that bandwidth could potentially be split up into shards with some careful work.
04:44 < EasyAt> But you guys are contributing so fast there is a lot to study
04:44 < maaku> petertodd: it's a fine document. you just didn't go over motivation & such which you need to explain it to a wider audience
04:45 < petertodd> maaku: yup, that's completely correct - and the motivation when I wrote it was timestamping too
04:45 < maaku> petertodd: in the zerocoin application, the entire tree is recoverable from the spend history in the block chain, but nodes don't have to keep it resident in the UTXO set
04:46 < maaku> since a spend provides the path to the place to insert the newly spent token
04:46 < petertodd> maaku: right, but to construct that spend you need access to the whole set, although that access can be distributed across multiple nodes
04:46 < petertodd> maaku: so it's in between the scalability basically
04:47 < maaku> yes, or offloaded to librarian nodes with an explicit fee, etc.
04:47 < petertodd> yup, all better options than the alternatives
04:47 < maaku> actually not the whole set, no
04:48 < maaku> you just at one time need to get your path through it, and then you just maintain that path
04:48 < maaku> so er, yes the whole set, but not at all times
04:48 < petertodd> right, but I mean, out there *somewhere* needs to be a copy of all that data. Sure it can be split up and you don't have to have it all on hand at once, but it can't ever be deleted. (unless coins have expiration times)
04:48 < maaku> once you get your path which you can have at any time, you just update that as spends are seen
04:48 < maaku> but unlike MMR, it requires an update on every spend :\
04:48 < EasyAt> Do you think fees will eventually not be distributed amongst just miners, but that perhaps miners will not necessarily keep full chains and that a portion of funds will go to nodes that only maintain and issue work
04:49 < EasyAt> Or am I just describing a mining pool
04:49 < petertodd> yup, MMR is unique that way... if only just barely powerful enough to be useful at all
04:50 < petertodd> EasyAt: miners don't have to keep full chains - heck, they don't even have to validate...
04:50 < EasyAt> indeed
04:50 < petertodd> EasyAt: they should, but nothing forces them to do that
04:50 < EasyAt> just take work and chomp
04:51 < maaku> EasyAt: the MMR proposal or a proof-updatable prefix tree could be used to require transactions to provide proofs of their own validity
04:51 < EasyAt> Has there been a proposal for a blockchain solution to voting. As in in real life politics?
04:51 < maaku> then nodes don't have to store UTXO data at all
04:51 < EasyAt> interesting
04:52 < maaku> EasyAt: not a complete one, but that's a project i'm working
04:52 < maaku> it has special application to freicoin
04:52 < EasyAt> fun
04:52 < EasyAt> I have not looked at freicoin
04:52 < EasyAt> bitcoin is still too immersive
04:52 < petertodd> EasyAt: https://bitcointalk.org/index.php?topic=230864.15
04:53 < EasyAt> jdillon! so cloak and dagger
04:55 < petertodd> EasyAt: yeah, and good ideas too
04:55 < EasyAt> hm
04:55 < maaku> once again, i've found a way to apply the index structure to recording proof-of-stake votes without requiring validating nodes to track that data
04:55 < petertodd> EasyAt: note what he's proposing very carefully avoids the usual trap of having miners vote on anything
04:55 < petertodd> EasyAt: er, I mean, having miners able to control the vote
04:55 < maaku> but the bigger problem is the usual stuff for voting - miners have significant control over the election process by being able to block votes
04:56 < EasyAt> I like it a lot
04:56 < EasyAt> maaku: correct
04:56 < EasyAt> Until every single node is homogeneous there will always be power disparities
04:56 < petertodd> maaku: yeah, jdillon's blocksize limit vote might be the *only* case where miners can't control a vote, and that's because in one sense they already can control half of the possible outcome
04:56 < maaku> you can mitigate that somewhat by encrypting votes, somewhat like committed transactions
04:57 < maaku> but then they can always block the revelation
04:57 < maaku> petertodd: yeah
04:57 < maaku> freicoin has a substantial perpetual mining subsidy (4.9% of the monetary base per year), so we're looking at ways to do proof-of-stake voting on distribution
04:58 < maaku> but miners would be naturally hostile - their best outcome is to gerrymander a 100% to the miners budget, then block all votes thereafter
04:58 < maaku> overcoming that is tricky... and I don't have funding to look at it now
04:58 < petertodd> maaku: makes sense - in that case the "anti-miner-option" could be that without the proof-of-stake the mining subsidy goes into thin air
04:58 < maaku> but if you can think of a solution let me know :)
04:59 < maaku> yeah a sort of nuclear option
04:59 < petertodd> it's MAD, but it just might work
04:59 < EasyAt> How much of a consideration does altruism take?
04:59 < EasyAt> 0?
05:00 < warren> maaku: btw, your coin is currently sha256 PoW?
05:00 < EasyAt> I suppose in sec. it should be 0. right?
05:00 < maaku> warren: yes
05:00 < warren> how do you avoid reorg attacks?
05:01 < EasyAt> How does ones reorg attack unless constantly producing 2 blocks at very similar times?
05:01 < maaku> the same way bitcoin does? not sure I understand the question
05:01 * EasyAt looks up reorg attack
23:27 < Luke-Jr> IIRC the first time the French tried to force SI on their people, they had a revolt and had to reverse it
23:28 < Emcy> you can deny that universal SI has benefitted just about everyone though. Even if its not the best system.
23:28 < Emcy> apart from the us of course
23:29 < Luke-Jr> I think I can deny that.
23:29 < Luke-Jr> while there are benefits to having a universal measure system, there are also drawbacks of having only one system
23:29 < Luke-Jr> it's like multilingual vs single-language education
23:29 < Luke-Jr> even if you only ever use one language in your life, you benefit from having learned multiple
23:30 < Emcy> if pretty much everyone speak the one "language" though, you wouldnt need to
23:30 < Luke-Jr> personally, I think the ideal (history aside) would be universal education of tonal and dozenal
23:30 < Luke-Jr> it's not a matter of need to
23:30 < Luke-Jr> it's a matter of flexibility in your brain
23:31 < Emcy> i dont follow
23:31 < Luke-Jr> if you only know one language/number system, it's somewhat "hard coded" in your brain
23:31 < Luke-Jr> if you learn multiple, you at least have the flexibility there
23:31 < Luke-Jr> even if you don't need/use the others, it's a good trait
23:32 < Emcy> if youre talking about the cognitive benefits of bilingualism, im not sure that applies to measurements
23:32 < Emcy> any more than you could get from having a decent levels of maths like we expect from most people anyway
23:33 < Luke-Jr> there's certainly benefit from multiple number systems, even if you want to debate whether that extends to measurements
23:33 < Emcy> actually knowing hex and stuff is pretty damn useful
23:34 < Luke-Jr> there are a lot of practical application that benefits from dozenal and/or tonal units, which is why mankind has always evolved toward using tonal/dozenal units historically
23:34 < Emcy> i learned how to go from hex to denary to duonary (?) and back once
23:34 < Luke-Jr> (decimal units have only come about by unnatural means)
23:36 < Emcy> well shit if its gonna change now
23:36 < Emcy> you think bitcoin consensus is hard.......
23:37 < Luke-Jr> heh
23:37 < Luke-Jr> the great thing about tonal is that it doesn't need a consensus
23:38 < Emcy> well not when its best advocates go around breaking peoples fonts.....
23:39 < Luke-Jr> it doesn't break fonts ;p
23:39 < Luke-Jr> your fonts are just missing symbols
23:39 < Luke-Jr> easily solved by installing a better font
23:39 < Emcy> i like tahoma
23:40 < Emcy> its antialiased and doesnt have any stupid serifs
23:41 < Emcy> cat just blatantly came up here and clawed me in the nipple wtf
23:42 < Luke-Jr> lol
23:42 < Emcy> why does the internet like cats again, they are murderous apex predator beasts
23:42 < Luke-Jr> Emcy: they taste good?
23:42 < Emcy> you live in the south right?
23:44 < wizkid057> florida isnt really a southern state anymore
23:45 < Emcy> i thought luke lived in georgia
23:45 < Luke-Jr> Florida
23:46 < Luke-Jr> at the moment
23:46 < whatnick> Big cats share the same tapeworms with humans
23:46 < Emcy> nice
23:46 < whatnick> http://scientiarules.wordpress.com/tag/origin-of-human-tapeworm/
23:47 < Emcy> house cats parasitise their human hosts to better do their bidding
23:47 < Luke-Jr> not mine :>
23:47 < Emcy> you wouldnt know
23:47 < Luke-Jr> she goes on the table, I toss her
23:47 < Luke-Jr> lol
23:48 < Emcy> well i was talking about the brain parasite they carry
23:48 < Emcy> but yeah my cat has recently decided she is finished with jumping up places and just wails until someone physically lifts her instead
23:49 < Emcy> im probably infected so i have to comply
23:49 < Emcy> she is also beating up the dog more often
23:50 < Emcy> which i have to let happen due to dog psychology
23:53 < maaku> Emcy: can cats train dogs?
23:54 < Emcy> sure seems like they can
23:54 < Emcy> operant conditioning moderated by the claw
23:57 < Luke-Jr> lol
23:57 < Luke-Jr> debating whether to just let her live her life out spayed and alone; or let her have kitties and cook her once they weak
23:58 < Luke-Jr> wean*
23:59 < Emcy> spay unless you enjoy your house sieged by beefy tomcats
23:59 < Luke-Jr> meh, can get rid of excess kitties too I'm sure
23:59 < Luke-Jr> well, not so sure
--- Log closed Tue Nov 19 00:00:02 2013
--- Log opened Tue Nov 19 00:00:02 2013
--- Day changed Tue Nov 19 2013
00:00 < Luke-Jr> maybe FL has some stupid laws
00:58 < dejasun> "no one can reist the clas "
00:58 < dejasun> resist*
00:59 < dejasun> "nothing can stop the claw!"
02:33 < gmaxwell> warren: should I go make a sign "XYZ BTC bounty for fixing Bitcoin-qt on OSX" and stick it outside of apple?
02:56 < maaku> gmaxwell: that's not a bad idea
02:56 < sipa> with below the same in USD
02:57 < maaku> heh there's a bunch of protesters in front of infinite loop now. maybe I can get someone to stand there with a big "BTC BOUNTY!" sign
02:57 < sipa> strikethrough'ed many time
02:57 < sipa> with increasing usd numbers
02:57 < gmaxwell> need an electronic sign.
02:57 < gmaxwell> maaku: what are they protesting?
02:58 < maaku> offshore tax schemes
02:58 < gmaxwell> ah, I suppose that makes sense, they're ... far from alone in that.
02:59 < gmaxwell> but I suppose unlike most companies their customers might care.
02:59 < maaku> meh. i think it's more like reporters care. more likely for the protestors to get media attention if they focus on apple
03:05 < gmaxwell> Luke-Jr: so lets imagine that you have some anonymous cryptocurrency like that discussions we were having in here last week(end) with adam3us's encrypted coins + proofs ... which had the property that there was a UTXO set that you couldn't remove spent coins from as they were spent because if the network knew which coins they were spending then it wouldn't be anonymous (we mentioned this problem last week), and it also had a spent coin li
03:05 < sipa> gmaxwell: you still need splitlong.pl
03:05 < gmaxwell> where was I truncated?
03:06 < sipa> spent coin li
03:06 < gmaxwell> ...you need an entry in the spent coin list to prevent it from being respent, once it has been spent once.
03:06 < gmaxwell> Luke-Jr: now lets say its possible for someone who has spent a coin to separately produce a proof that says "this entry in the utxo set is spent now, go ahead and remove it." unconnected with their spend so they're still anonymous. And likewise, once that has happened they could produce a "this spent coin is no longer in the utxo set" proof.
03:07 < gmaxwell> But only the anonymous spender of the coin could do this.
03:07 < gmaxwell> How the heck could you incentivize users to emit these additional messages?
03:07 < gmaxwell> keeping in mind is that if the result is giving them another anonymous coin, you're not achieving net reduction in the utxo set size, except via batching.
03:09 < Luke-Jr> offer them pizza?
03:09 < Luke-Jr> <.<
03:11 < gmaxwell> Interesting economic insight. Have you ever considered seeking a job at the fed?
03:11 < gmaxwell> :P
03:11 < Luke-Jr> :P
04:01 < midnightmagic> Yeah. I'd do quite a lot for a pizza dinner..
04:06 < warren> Luke-Jr: cfields wants to know if the deterministic linux -> mac cross-compile is good enough for the .app or it must be the .dmg. He thinks the .app is possible deterministic but not the .dmg.
04:06 < Luke-Jr> why wouldn't .dmg be possible? -.-
04:06 < Luke-Jr> it's just a disc image
04:14 < warren> Luke-Jr: he can explain
04:15 < warren> Whoa. Someone just donated to us $4,500 in one tx.
04:17 < Luke-Jr> for what?
04:18 < Luke-Jr> "in one tx" isn't surprising though :P
04:18 * Luke-Jr regularly sends over $100k in one tx
04:18 < warren> o_O
04:19 < Luke-Jr> well, why split it up?
04:19 < Luke-Jr> I guess I could get rid of more dust that way..
04:21 < Luke-Jr> you can always tell when it's mine too - I'm the only one who sends that kind of volume in TBC :P
05:14 < petertodd> gmaxwell: make a second currency whose proof-of-work is replaced by proof-of-emitted-utxo-removal
05:14 < petertodd> gmaxwell: duh
05:18 < adam3us> gmaxwell, petertodd: still not 100% convinced it hurts to have a best-effort utxo reduction, full nodes want to do that to conserve ram
05:19 < petertodd> adam3us: utxo isn't in ram
05:19 < TD> good morning
05:19 < adam3us> gmaxwell, petertodd: however unless there is a ZKP proof that the coin stems from another coin & inputs addup to outputs, you cant do it
05:20 < adam3us> TD: 'morning
05:21 < petertodd> adam3us: big problem is the very idea of a utxo set is ugly, because it becomes something that can be attacked, or just ignorantly abused - better off to make that irrelevant
05:21 < adam3us> so then you're looking at like homomorphic values and ringcoin would kind of do it except they are 1.4kB per value and 3kB for ringcoin ones (where you prove you spent either of 2 coins, one of which you dont even own by proving either you own it, or you are adding 0 to its balance)
05:22 < adam3us> petertodd: yes i agree and its definitely easier if one can say screw utxo size, however its necessary for spv bloom and that or something similarly effective for bandwidth constrained devices is necessary for scalability
05:22 < petertodd> adam3us: well ~kB isn't a disaster if your underlying chain is scalable, which I think we need to do anyway in some fashion due to the centralization incentives that tx fees have (and I think this ends up being applicable to most types of crypto-currency systems)
05:23 < adam3us> btw charles hoskinson seems to be trying to cook up a big x-prize bounty for solving this problem. i am not 100% sure its necessary or will help as most people with the skills to stand much of a chance are already working on it, but you can never discount the power of 1000 fresh eyes
05:23 < petertodd> which problem exactly? anonymity or scalability?
05:24 < adam3us> petertodd: cryptographic anonymity without damaging decentralization or existing scalability, and using conservative crypto assumptions has the unusual property of being additively homomorphic and capable of trapdoor discret
16:00 < adam3us> justanotheruser: truncated much was that?
16:01 < justanotheruser> adam3us: yes, quire discret
16:01 < justanotheruser> *quite
16:01 < justanotheruser> Does your client not automatically make the truncated bit a new message?
16:01 < adam3us> justanotheruser: ... [paillier] capable of trapdoor discrete log with the private key which could be an interesting trick in many settings
16:02 < adam3us> justanotheruser: and a relatively recent invention (1999) for a basic assumption simple crypto system
16:06 < justanotheruser> interesting
16:08 < adam3us> justanotheruser: indeed not, this is pidgin, though there is probably a plugin that could make it do so.
16:08 < justanotheruser> It's not interesting?
16:12 < adam3us> justanotheruser: i thought paillier was an interesting trick, but i collect interesting crypto constructs in a mental check list to have in mind to build esoteric or interesting protocols with
16:17 < justanotheruser> Oh, I was confused by "interesting not"
16:17 < fagmuffinz_> trapdoor discrete log?
16:21 < nsh> adam3us, is this still in the context of leakfree signature systems?
16:23 * nsh muses
16:23 < adam3us> nsh: not really, though blinding is one of the technique brands others used to remove leaks (aka subliminal channels) from semi-trusted wallets with observers, and this DG thing was one of the parts used to make the DSA blinding monstrosity . seems simpler to use ecschnorr/ed25519
16:24 < nsh> right
16:24 < maaku> is there any "unofficially official" conference this year, like bitcoin 2013 was last year?
16:24 < adam3us> fagmuffinz_: so the way you decrypt is you can compute the discrete log with the private key but otherwise
16:24 < justanotheruser> maaku: theres the financial cryptography conference
16:24 < fagmuffinz_> Could someone give me a link to this trapdoor I keep hearing about?
16:24 < justanotheruser> http://fc14.ifca.ai
16:24 < justanotheruser> fagmuffinz_: It has to do with asymmetric signatures.
16:25 < justanotheruser> ;;google trapdoor cryptography
16:25 < gribble> Trapdoor function - Wikipedia, the free encyclopedia: <http://en.wikipedia.org/wiki/Trapdoor_function>; rsa - What is the meaning of "trapdoor" in cryptography ...: <http://crypto.stackexchange.com/questions/10087/what-is-the-meaning-of-trapdoor-in-cryptography>; rsa - What is a trapdoor permutation? - Cryptography Stack Exchange: (1 more message)
16:25 < fagmuffinz_> Oh
16:25 < fagmuffinz_> K, that's fine. Just didn't know what "trapdoor" specifically meant
16:26 < adam3us> fagmuffinz_: paillier trapdoor is unusual in providing a trap door discrete log, usually discrete log crypto systems just work around the non-trap door nature, by knowing existentially the discrete log by having set it up; paillier allows computing it
16:26 < fagmuffinz_> Are there other kinds of asymmetric encryption that don't involve "trapdoors?"
16:26 < fagmuffinz_> Time for me to do some reading =]
16:26 < maaku> eh.. not really. that's just a single day workshop run by non-bitcoin people
16:27 < justanotheruser> fagmuffinz_: In asymmetric cryptography you shouldn't be able to get the private key from the public key. The function to get the public key from the private key is the trapdoor (because you can't go back)
16:27 < maaku> i probably only have funds for one trip this year and want to make it count :\
16:28 < justanotheruser> maaku: I agree (12:33:33 PM) justanotheruser: Seems like a bunch of PhDs are going to explain bitcoin to the bitcoin devs
16:28 < adam3us> maaku: i guess you can get to the san jose one being local to u, plus one other.
16:28 < fagmuffinz_> I understand that justanotheruser
16:28 < fagmuffinz_> Just didn't know terminology - thanks though
16:28 < justanotheruser> yep no problem
16:28 < adam3us> maaku: i was thinking a wizards only "conference" aka a bunch of wizards and a lot of white boards
16:28 < maaku> adam3us: there's another san jose one?
16:29 < fagmuffinz_> I would pay for a plane ticket to that
16:29 < justanotheruser> adam3us: what's the san jose one? A meetup or a conference?
16:29 < adam3us> maaku: i dont know how it works, is it always in san jose? or does it move around the us?
16:29 < adam3us> justanotheruser: last april was the first one i went to so i am not in the loop, just perhaps incorrectly assumed the main one would be in san jose each year
16:30 < maaku> as far as I can figure out from google that was a one-time thing
16:30 < maaku> i'm not involved with the foundation though, which is why i asked
16:30 < justanotheruser> I'm interested in going to a bitcoin conference this year, what usually happens there? New ideas are talked about?
16:31 < fagmuffinz_> adam3us: http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=B473A49B56321FCEF247063B856A1751?doi=10.1.1.8.5384&rep=rep1&type=pdf this?
16:31 < maaku> if it was happening again in may I would assume there'd be announcements & calls for speakers by now...
16:31 < adam3us> maaku: me either. but what about a wizards only mini-conf with no registration fees (at cost for space)? wizards mostly go to like sit on the edges and talk to each other and scoff at the incorrectness of the presenters at anything semi-tech
16:31 < fagmuffinz_> ^
16:32 < maaku> adam3us: sure that'd be fun and I'd go to that
16:32 < maaku> but i'm asking more because I have talks I'd like to give to the wider bitcoin audience
16:32 < adam3us> adam3us: y'all could come to malta, maybe the flights wouldnt be so bad out of season. the hotels are cheap out of season.
16:32 < adam3us> maaku: if you're talking some places will pay your flights i think
16:33 < maaku> i'm still up for an iceland meetup if people want to do that :)
16:34 < adam3us> maaku: note iceland not good out of season.. my wife's niece went there and lost lots of $ for damaged rental car (not insured for such things) storm with like big rocks flying by! smashed window, tow, undrivable in the weather conditions
16:38 < adam3us> maaku: plus could snag a visit to the btc mining data center running on geothermal and "open the window" cooling
16:49 < BlueMatt> maaku: adam3us duke conference!
16:50 < BlueMatt> (I'm trying to get together a wizards meetup where wizards are essentially just their own conference but give one or two talks to people
16:51 < adam3us> fagmuffinz_: http://en.wikipedia.org/wiki/Paillier_cryptosystem has link to the paillier's own paper. damgard-jurik also simplified it
16:54 < adam3us> BlueMatt: yeah i'm pumping malta as a location :) actually i bumped into the FC organizer guy ray hirschfield at the amsterdam btc conf and he was suggesting malta as next location after bahamas i think 2015.
16:54 < adam3us> BlueMatt: tho i realize thats more flight expensive for more people. some of the other costs might balance it.
16:55 < BlueMatt> adam3us: well, a conf for bitcoin is being organized at duke anyway, so I figure I'll steal some of their money and put it towards wizard-flights
16:56 < andytoshi> you'd think wizards would be able to fly of their own accord..
16:56 < andytoshi> maybe we could add something to the blockchain to enable that :)
16:57 < adam3us> BlueMatt: oh ic its another university in the same state as unc (i am limited at times in finer points of us geography so missed the connection)
16:57 < nsh> i think you have to enable flying via a separate protocol layer built on top of the blockchain andytoshi
16:57 < nsh> let me set up an exodus address
16:58 < BlueMatt> (not a big conf, but like a local one)
16:59 < adam3us> andytoshi: oh noes, exodus. pump & dump. stop!! but yes it is a curious effect that $12 bil long term partly depends on fixing some non-trivial ideas that wizards seem to be the most likely to figure out, and yet many cant afford a flight, or understandably not inclined to take $2k out of their own hard earned $ to donate to it.
17:00 < adam3us> andytoshi: seems like a snowcrash hiro protagonist problem (wealthy by brownie points on the metaverse but penniless in meatspace)
17:01 < warren> meatcoins
17:01 * andytoshi has snowcrash on his HDD, but still hasn't read it..
17:01 < BlueMatt> adam3us: yea
17:01 < warren> andytoshi: read "The Great Simoleon Caper" first, prequel
17:02 < andytoshi> warren: will do
17:02 < warren> then The Diamond Age
17:02 < andytoshi> does cryptonomicon fit into this ordering?
17:04 < warren> no
17:04 < andytoshi> ok, thx
17:05 < adam3us> warren: someones read his stephenson :) man i gotta read the ones i missed some time. but bitcoin draw is stronger. eat. sleep. bitcoin.
17:05 < andytoshi> warren: thanks a ton, i have 23 books by stephenson on my system, haven't read one :P
17:06 < gmaxwell> if you hold the meetup around DC maybe I can get stephenson to show up? :P
17:06 < warren> apparently I'm supposed to read something called HPMOR but I refuse.
17:06 < andytoshi> warren: you should, it's good fun
17:18 < andytoshi> so, a few days ago tholenst was asking about script extensions to allow outputs with rules like "cannot be spent unless (a valid signature is provided AND blockheight >= 300000) OR (some proof that txin XYZ was double spent is provided)"
17:19 < andytoshi> what he proposed was pretty powerful and it was easy to think of outputs which interacted very badly with reorgs, hurting fungibility
17:19 < andytoshi> but i think, adding a single op FAIL_IF_BLOCKHEIGHT_LESSTHAN [minimum height] would be safe across reorgs
17:19 < andytoshi> am i right?
17:21 < andytoshi> the idea is, once an output can be spent, nothing should change to make it unspendable, otherwise a reorg could invalidate a huge swath of transactions ... but change in the opposite direction (unspendable output suddenly becomes spendable) is safe
17:21 < gmaxwell> andytoshi: perhaps safe enough. technically the chain can shrink.
17:22 < andytoshi> gmaxwell: right. absent deliberate effort this is insanely unlikely though
00:39 < brisque> not even that, just skimming 5% of the hash power wouldn't be noticed. over 1000 units they claim to have found, that's uh.
00:39 < brisque> 30TH.
00:40 < gmaxwell> well he only got into 28 of them I think.
00:40 < brisque> the "disclosure" is shit because we know that most of these units won't be patched in a reasonable timeframe. there's a lot that are now going to be under attack by people hoping to make a quick buck.
00:45 < gmaxwell> brisque: they don't need to be 'patched' they just need to have their password changed to something not crackable.
00:49 < brisque> gmaxwell: haven't brainwallets showed that users, even technical ones, can't make secure passwords to save their own money?
00:50 < gmaxwell> brisque: brainwallets add the extra expectation that they'll remember those passwords.
00:50 < gmaxwell> No need to remember these... just write them down.
00:51 < brisque> the point is more that people won't no matter what is being told to them. protecting $10000 of mining equipment is a difficult job when they're advertising what they are at connect time.
00:53 < gmaxwell> brisque: uh? all my miners have 128 bit passwords...
00:53 < brisque> you're not an average user.
00:53 < gmaxwell> (even though they're not internet exposed, just a standard practice. If I weren't a chickenshit I'd turn off the web interfaces entirely, but I'm a bit afraid of getting locked out.)
00:54 < gmaxwell> brisque: in any case, it's easy to give good advice for this. Well, give a little credit: An average user doesn't own a $10,000 asic miner.
00:58 < brisque> I suspect a lot of miners are in the hands of casual users though, which is why there's exposed KNC miners in DCs in the first place.
01:03 < gmaxwell> how casual can you be with a $10k device in a data center? come on signing up for the colocation is more complicated than using a password generator and a text file. :P
02:27 < midnightmagic> ha ha ha
02:31 < midnightmagic> It would be great if that were gobbles.
02:52 < BlueMatt> I'm assuming this has been seen already: http://miki.it/pdf/BitIodine_presentation.pdf
02:53 < gmaxwell> anyone try out their software?
02:53 < gmaxwell> I queued that presentation for reading and forgot about it
02:53 < brisque1> they did a hell of a lot os scraping
02:53 < brisque1> s/os/of
02:54 < BlueMatt> it looks like they've actually thought coin analysis through, unlike most of the shit we've seen so far
02:54 < BlueMatt> mostly because of the huge amount of scraping they did
02:55 < justanotheruser> BlueMatt: "When a transaction has multiple input addresses, we can safely assume that those addresses belong to the same wallet, thus to the same user."
02:55 < justanotheruser> biggest flaw I found
02:56 < BlueMatt> yea, they didn't get that right, at least they could have said "we can usually safely assume"
02:56 < BlueMatt> because, realistically, today, you can
02:56 < brisque1> justanotheruser: generally a safe assumption, especially with some online wallets reusing addresses for change.
02:56 < brisque1> in that case you don't even have to assume.
02:57 < gmaxwell> oh wow, the presentation is kinda worthless.
02:58 < gmaxwell> BlueMatt: nah, even today a really substantial fraction of txn on the network are shared wallet transactions.
02:58 < gmaxwell> so you can't do the common inputs = same user thing.
02:58 < justanotheruser> "If multiple outputs, change is never the last output. Fixed only in January 2013!"
02:59 < justanotheruser> Most interesting thing I learned
02:59 < gmaxwell> justanotheruser: I like how it's like "software is flawed" except it was fixed long before their work. Should say 'was' but oh well.
02:59 < brisque1> you can often tell what is change just from the values. if there's a 0.1BTC output and another with 8 places, you know certainly which is the change.
02:59 < gmaxwell> Gavin introduced the bug in .. what, 2010? Hal found the bug at the end of 2012.
03:00 < gmaxwell> brisque1: yea, that's a somewhat helpful heuristic. though not always true.
03:00 < BlueMatt> gmaxwell: true, though you can safely assume that the users are using the same shared wallet (which is likely the intended meaning here, though it's not explicitly stated)
03:00 < gmaxwell> e.g. when the amount I move is up to me, I make the third party get the change-like amount sometimes.
03:01 < gmaxwell> BlueMatt: eh. but that's strictly less useful. Because you may not know either of the users are using a shared wallet at all.
03:01 < BlueMatt> oh, sure, but it's still more than nothing
03:01 < BlueMatt> and if you know which shared wallet, you can sometimes tell via other things (coinbase does some dumb double-tx shit to make the "from" address work)
03:02 < gmaxwell> yea, coinbase does dumb stuff. Strongcoin does dumb stuff.
03:02 < gmaxwell> (strongcoin makes every transaction pay some donation address of theirs)
03:02 < brisque1> seriously? coinbase wants to have "return" addresses?
03:03 < gmaxwell> brisque1: dude not just that, coinbase's merchant thing was randomly "refunding" things when it wasn't expecting a payment. (and causing people to lose bitcoin forever, dunno if it's fixed yet)
03:03 < gmaxwell> brisque1: every transaction into or out of coinbase results in two transactions. Except sometimes it doesn't
03:04 < brisque1> gmaxwell: that's not giving me the warm fuzzy feeling their "safe and secure" animation says I should.
03:04 < gmaxwell> BlueMatt: in any case, shared wallets are still a huge source of noise and uncertainty in this kind of analysis.
03:05 < gmaxwell> BlueMatt: just because until you have evidence that it's a shared wallet you'll be falsely merging some users.
03:05 < BlueMatt> gmaxwell: yes, but I'd like to see these guys figure out ways to analyse coinbase txn to link them too, etc
03:06 < _ingsoc> brisque1: What animation?
03:07 < brisque1> _ingsoc: coinbase.com has a sort of flip clock thing that says "safe and secure" when you visit the page.
03:07 < _ingsoc> Ah, thank you. I like animations.
03:07 < gmaxwell> BlueMatt: I still think we should have some switch you can set when sending coins that lets it round up to x amount more to eliminate or round-off change.
03:08 < BlueMatt> gmaxwell: I still think all wallets should work together to make this kind of analysis impossible (coinjoin et al), but until the analysis gets amazingly accurate, we may not see that
03:14 < gmaxwell> certainly I think it's useful if the publicly disclosed analysis is as powerful as any privately held analysis may be.
06:38 < jtimon> hello, does anyone have what was talked after this?
06:38 < jtimon> [02:36:09] <gmaxwell> 17:35 < maaku> or in a server-to-server consensus mechanism
06:38 < jtimon> [02:36:43] <gmaxwell> yea... except dear gods, the bitcoin blockchain is NOT a communications mechanism for your server to server consensus! _global broadcast network_
06:38 < jtimon> [02:36:52] <maaku> gmaxwell: using the public chain as a semaphore for two-phase commit of a distributed transaction over multiple private asset servers
06:38 < jtimon> [12:08:31] <-- jtimon (~quassel@87.pool85-53-148.dynamic.orange.es) has quit (No Ping reply in 180 seconds.)
07:05 < jtimon> a pastebin would do it
07:06 < brisque> I'd help you out but I don't have scrollback that far. someone will surely have logs.
11:19 < andytoshi> jtimon: i have logs at http://download.wpsoftware.net/bitcoin/wizards/2013-12-31.txt which cover what you want
12:13 < jtimon> cool andytoshi thank you
12:23 < phantomcircuit> gmaxwell, bitcoin.org was moved to a dedi and the dedi died under the load
12:23 < phantomcircuit> wat
12:23 < phantomcircuit> it's like
12:23 < phantomcircuit> all static content
12:23 < phantomcircuit> how is that even
12:25 < jtimon> I'm not sure I understand this part:
12:25 < jtimon> 01:38:28 <maaku> gmaxwell: you need to hit the public chain for public<-->private txns
12:25 < jtimon> 01:39:11 <maaku> (e.g. atomic swaps of freicoins for private assets)
12:25 < jtimon> 01:39:27 <gmaxwell> For anything like that you have a small number (because multisig scalability) of known-in-advance servers. Which means you can do a regular n-of-m consensus totally external to bitcoin. E.g. an initiator proposes a distributed database update and gets a supermajority of the servers to sign off on it.
12:26 < jtimon> freimarkets options also need expiries
12:27 < jtimon> but the first use case when it was really necessary are transitive (ripple-like) transactions involving several in-chain and off-chain assets
12:28 < jtimon> when all the assets are off-chain you can just use a regular timestamping server all the private chains agree upon
12:29 < jtimon> what we used to call "registries" in 2PC Ripple http://archive.ripple-project.org/Protocol/RegistryCommitMethod
12:32 < jtimon> I don't know how you can implement my example "5.6.3 Hybrid Transitive transaction" (pubA -> pubB -> privC -> privD -> pubE -> userA) without block expiries
12:32 < jtimon> of course, whether you think that's an important use case or not is another question
12:34 < jtimon> as for the "dangers of expiries" the way I see it, the responsibility to decide how many blocks to wait to consider a transaction "safely buried" should ALWAYS rely on the recipient
12:34 < jtimon> 6 blocks is just an orientation
12:35 < jtimon> it depends much more on the quantity than on previous transactions or expiries
12:36 < jtimon> well, it usually will, but it's still the payee's problem
12:38 < jtimon> in fact all of the examples in our off-chain transactions section rely on expiries (the all off-chain asset transaction example is missing, but it's basically 2PC Ripple)
12:57 < andytoshi> jtimon: the problem is that the whole transaction sub-DAG is risky .. IMO requiring 100 blocks before any nExpiresTime output can be spent would solve this, and it'd be better than having no expiry time
16:39 < warren> cfields: hmm, one user reports they have the mac corruption without time machine
16:40 < warren> they didn't say which version they were running though
16:41 < cfields> Luke-Jr: unfortunately, the cleanest approach to the next step is to begin modding the hfs+ kernel module. And at that point, I don't think it's really worth it
16:41 < cfields> either that, or ofc writing a new tool from scratch
16:43 < warren> cfields: timestamps in the filesystem and checksums differ, I'm guessing?
16:45 < cfields> warren: most linux tools use loopbacks to mount an image file. mounting/unmounting causes alterations like last-accessed times, next fsck time, mount-count, etc
16:46 < cfields> better option would probably be to start hacking on genisoimage, but iirc its output was much more random
16:49 < Luke-Jr> I suggest 7z920/CPP/7zip/Archive/DmgHandler.cpp
16:49 < Luke-Jr> not sure if the Linux version is built with DMG support, but at least the code exists
16:52 < warren> the way mac itself makes the .dmg is a loopback mount
16:52 < cfields> Luke-Jr: i'm not saying it's not possible. I'm saying that i suspect that a bit of randomness may be functionally necessary
16:53 < cfields> could you link those sources btw? my google-fu must be weak today
16:53 < Luke-Jr> http://downloads.sourceforge.net/sevenzip/7z920.tar.bz2
16:54 < Luke-Jr> deterministic randomness is possible for anything DMG could possibly need
16:54 < cfields> thanks
16:54 < Luke-Jr> sorry, "randomness" in quotes..
16:54 < Luke-Jr> ie, tar & hash the .app a few times as a seed..
17:01 < warren> cfields: you also going to change all the .zip's to tar?
17:01 < Luke-Jr> deterministic tar is likely more work
17:02 < Luke-Jr> since it saves more attributes
17:03 < cfields> warren: i'd like to, yes
17:04 < Luke-Jr> imo ideal would be to have the deps build deterministic debs - but that's probably more trouble than it's worth :p
17:05 < warren> I'd like fedora to just ship upstream's deterministic binaries in their rpm
17:05 < Luke-Jr> good luck
17:05 < Luke-Jr> it's a shame there's so much politics in Gentoo development
17:05 < Luke-Jr> so much potential there
17:06 < Luke-Jr> could have the entire OS be deterministic :D
17:09 < warren> Luke-Jr: ask cfields for his patches to make binutils deterministic
17:17 < Luke-Jr> :o
17:18 < cfields> looks like they'll make it into 2.24: https://sourceware.org/ml/binutils/2013-11/msg00214.html
17:20 < cfields> Luke-Jr: it's worth noting that I haven't even reached the point of trying to create a deterministic dmg. Any dmg must first contain a deterministic filesystem...
17:20 < cfields> So that means creating/formatting/writing an hfs+ partition in some deterministic way
17:25 < sipa> i think having a deterministic binary is already a huge step
17:25 < Luke-Jr> indeed
17:26 < cfields> well, the question is: what is "good enough" for distribution?
17:27 < sipa> right now, the only ones checking determinism are those that build and sign
17:27 < cfields> the .app is the only thing that ends up on the target machine, so i would call a deterministic app "good enough" for the most part
17:27 < sipa> which is a pity
17:27 < cfields> problem comes with the verification process of that .app
17:27 < sipa> but being able to compare your installed binary with published signatures is very nice already
17:28 < sipa> it may actually matter more than deterministic installers, i just realized
17:28 < sipa> what if the deterministic installer secretly downloads data?
17:28 < cfields> how could it do so secretly?
17:28 < sipa> well, the same argument holds for the binary of course...
17:28 < cfields> heh, right :)
17:28 < Luke-Jr> cfields: we could in theory distribute a tar of the app
17:29 < cfields> Luke-Jr: well, that's really about the same thing, no? user un-tar's, discards the tar, ends up with the same .app
17:29 < cfields> only thing that changes is a possible attack vector in the dmg itself
17:29 < Luke-Jr> well, I mean a deterministic tar of course :P
17:30 < cfields> oh, i see. so at least the download could have a checksum next to it
17:30 < Luke-Jr> deterministic tar vs deterministic dmg, not sure anyone cares about the diff
17:30 < cfields> Luke-Jr: btw, i agree with you that it should be possible to recreate a dmg. I'm not sure where the fuzzing is happening, but i'm sure that it could be tracked down
17:30 < Luke-Jr> but you'd have to ask Mac users I guess
17:31 < cfields> whether it's worth the trouble, that's where i take issue
17:31 < cfields> as an osx user (i hate admitting that), any download that's not a dmg gets on my nerves
17:31 < cfields> unless it's a .pkg for good reason
17:31 < Luke-Jr> so it sounds like we should get .dmg to work
17:32 < cfields> yea...
17:32 < cfields> i'll keep at it
17:32 < cfields> at this point, i'm checking out genisoimage. Sources there should point me to something
17:32 < Luke-Jr> cfields: can you rename .iso to .dmg and have it work quietly? ;)
17:33 < sipa> just rename the .tar to .dmg *ducks*
17:33 < cfields> heh. the main thing with dmg is the convenience of dragging it to the applications shortcut
17:33 < cfields> i'd say users expect that, to the point of possibly being lost if it's not there
17:34 < Luke-Jr> cfields: but do you get that if you rename an iso maybe?
17:34 < cfields> Luke-Jr: no, that's scripted as part of the dmg-building process
17:34 < Luke-Jr> O.o
17:34 < sipa> scripted disk images
17:35 < sipa> what's next?
17:35 < sipa> object-oriented assembly?
17:35 < sipa> power over wireless ethernet?
17:35 < cfields> sipa: i guarantee you someone's hacked wireless charging pads to carry data :p
17:36 < cfields> aha...
17:36 < cfields> -getpid() = 12125
17:36 < cfields> +getpid() = 12158
17:38 * cfields starts with some LD_PRELOAD fun
17:47 < cfields> hah, got it
17:47 < cfields> i'm a moron.
17:51 * sipa doubts this
17:55 < cfields> heh, you'd be surprised
17:57 < Luke-Jr> ?
18:06 < phantomcircuit> i think there's a regression in master
18:07 < phantomcircuit> i have a 0.8.5 client connected to a server running master that keeps failing with "CheckBlock(): block timestamp too far in the future"
18:07 < phantomcircuit> BlueMatt, is the build bot working?
18:09 < phantomcircuit> gmaxwell, ^
18:21 < cfields> deterministic dmg up and running
18:22 < cfields> Luke-Jr: i assume you'll cut me some slack if the initial process isn't exactly pretty :p
18:22 < warren> cfields: too much of a headache. <one hour later> done
18:23 < warren> cfields: so ... gitian .yml to build clang and whatever tools, tar it up and gitian.sigs that, use it as an input for another gitian .yml?
18:23 < cfields> warren: heh, was just a case of me being stupid
18:23 < cfields> warren: uses ubuntu's existing clang
18:23 < warren> which ubuntu?
18:24 < cfields> well, that part still needs to be investigated. I'm currently using a nightly build of llvm/clang, but I don't think it's actually needed
18:24 < cfields> (I'm on raring)
18:24 < phantomcircuit> nvm the clock is just wrong on the client
18:25 < cfields> i'll drop back to system packages and see what breaks
18:25 < warren> Gavin will enjoy a 4th gitian VM =)
18:25 < cfields> anyway, now that it's working, i'll start packaging it all up so it can be automated cleanly
18:26 < cfields> will be a few days i'm sure
18:27 < sipa> warren: i think Gavin will enjoy not doing OSX releases manually
18:29 < gmaxwell> phantomcircuit: your time/ timezone is wrong.
18:29 < gmaxwell> phantomcircuit: on the node reporting that.
18:29 < warren> sipa: I suppose the build-to-old-glibc goal really isn't that important.
18:29 < gmaxwell> it means you've got a block with a timestamp >2 hours in the future.
18:30 < phantomcircuit> gmaxwell, yeah i just fixed it
18:30 < phantomcircuit> it's weird that it stops the initial sync though
18:35 < Luke-Jr> [23:22:24] <warren> cfields: too much of a headache. <one hour later> done <-- yeah, lol
18:35 < sipa> he clearly found some aspirin in that hour
18:36 < Luke-Jr> :D
18:53 < gavinandresen> warren solved the cross-compile-for-OSX problem?
18:54 < sipa> no, cfields did
18:54 < gavinandresen> ah, excellent!
18:55 < warren> gavinandresen: on your system where leveldb corrupts on mac, do you have time machine enabled?
18:55 < gavinandresen> warren: No, no time machine
18:55 < warren> there goes that theory
18:56 < phantomcircuit> gavinandresen, can you consistently cause a corruption?
18:56 < gavinandresen> phantomcircuit: no
18:56 < phantomcircuit> heh
18:56 < warren> some of the users can consistently reproduce it
18:56 < phantomcircuit> quick everybody run in circles
18:56 < warren> some users can't at all
18:56 < phantomcircuit> i wonder if it would be worth buying one of their computers...
19:02 < cfields> gavinandresen: you get leveldb corruption on current master?
19:03 < warren> cfields: yes, and 0.8.5 OMG3 which contains the same pathes
19:03 < warren> patches
19:03 < gavinandresen> cfields: last corruption I got was master as of about 1 Nov
19:03 < warren> cfields: the remaining corruption that users report when testing 0.8.5 OMG3 seems to happen during clean shutdown
19:03 < cfields> gavinandresen: built on which version?
19:04 < gavinandresen> cfields: I dunno, master as of 1 Nov
19:04 < cfields> gavinandresen: sorry, i meant which osx version
19:04 < gavinandresen> cfields: oh, OSX 10.7
19:04 < warren> cfields: 10.6.8 in our case
19:04 < warren> cfields: using xcode 3.2.6 (gcc, not clang)
19:05 < cfields> gavinandresen: i spent some time tracing the code last night, and really couldn't find much of anything that looks osx specific. I've started to wonder if it's a gcc vs clang thing
19:05 < cfields> hah!
19:05 < warren> cfields: the official bitcoin and litecoin releases are built on gcc
19:05 < cfields> another theory crossed off :)
19:05 < sipa> one thing maybe worth investigating is mmap vs io access to files
19:05 < sipa> iirc mmap is only used in leveldb on 64-bit platforms
23:05 < realazthat> gmaxwell: is it perhaps possible to send the verifier itself as the SCIP program
23:05 < realazthat> and instead of verifying the actual program,
23:06 < realazthat> you verify that the verifier ... verifies the hashes of the outputs of small sections of the program
23:06 < realazthat> like,
23:06 < realazthat> instead of running on the entire blockchain
23:07 < realazthat> P(B)
23:07 < realazthat> you chain P_i(B_i, S_i),
23:07 < realazthat> S_i being the state of P_(i-1) at completion
23:08 < realazthat> and the guy validates the signatures of this
23:08 < realazthat> and you verify that he verified each of them
23:08 < realazthat> then your T is T(verification)
23:08 < realazthat> mm
23:08 < realazthat> nvm that can still be a lot
23:09 < realazthat> I think you might be able to get sqrt(T) out of that
23:10 < realazthat> by splitting the blockchain into sqrt(|B|) for each B_i
23:15 < amiller> i think sqrt(T) is reasonable sure
23:15 < amiller> i'm trying to find papers that talk about lower preprocessing time
23:15 < amiller> i have two leads
23:16 < amiller> one is bootstrappable/recursive SNARKs
23:16 < amiller> http://eprint.iacr.org/2012/095.pdf
23:16 < realazthat> yeah I think this is one level of recursion
23:16 < realazthat> my idea
23:17 < realazthat> so, can a SNARK be reused?
23:18 < realazthat> or must each use of it have some sort of unique random challenge?
23:18 < amiller> and
23:18 < amiller> http://eprint.iacr.org/2013/229.pdf
23:18 < amiller> a snark can be reused yeah
23:18 < realazthat> ah ok cool
23:18 < amiller> basically think of it as compiling a circuit once
23:19 < amiller> and then you can choose different inputs to the circuit and then verify the whole thing in one step
23:19 < realazthat> mmm so why don't they build this recursion idea directly into it
23:19 < amiller> a circuit is like a C program except with all the loops unrolled, it's like definitely the *worst case* execution
23:19 < realazthat> so as to reduce the initial setup time
23:20 < amiller> maybe that's possible
23:21 < realazthat> it would slightly increase the poly's of the runtime I think
23:21 < amiller> i don't have a good intuition for how either of these two papers work
23:21 < realazthat> ah me neither, but I think I intuitively understand the recursion idea
23:22 < amiller> how is it not cheating though lol
23:22 < realazthat> what do you mean cheating?
23:22 < amiller> what is it you compile exactly in the first step
23:22 < amiller> how do you get larger computations out of it
23:22 < realazthat> oh I'll write it up
23:22 < realazthat> I have it on scrap paper
23:26 < amiller> In attempting to construct the reduction we seek, we encounter the following problem: an arbitrary
23:26 < amiller> machine M running in time t (on some input x) may in general use a large amount of memory (possibly as
23:26 < amiller> large as t), hence naïvely breaking its computation into smaller computations that go from one state to the
23:26 < amiller> next one, will not work the resulting nodes may need to perform work as large as t (just to read the state).
23:26 < amiller> To deal with this obstacle, as a first step, we invoke a result of Ben-Sasson et al. [BSCGT12] showing
23:26 < amiller> how to use Merkle hashing to transform any M to a new computationally equivalent
23:26 < amiller> that memory and dynamically verifies its consistency. (See Remark 7.4.) As a second step, we can
23:26 < amiller> then engineer a compliance predicate for ensuring correct computation of M′
23:26 < amiller> , one state transition at a time.
23:27 < realazthat> oh yeah I haven't considered memory
23:29 < amiller> well lets just assume we have merkle utxo implemented so that there's no memory needed
23:29 < amiller> so validating a single *update* takes only log M time or so where M is some bound on the number of outstanding utxos at any time
23:29 < amiller> and validating the blockchain really just consists of T of those
23:30 < amiller> really the merkle UTXO isn't much different of a solution than the merkleization result [BSCGT12] mentioned up there
23:30 < amiller> i still don't see how to do the recursive combination yet
23:30 < amiller> we could compile a circuit that does a single update but then we'd need T of those proofs
23:31 < amiller> or if we unroll the loop then we can compile a circuit that does all T blocks at once but then that's a pain to preprocess (even worse than *linear* to preprocess)
23:31 < amiller> so i can't figure out how to read this recursive composition step if it actually gets us better than linear
23:33 < realazthat> http://codepad.org/bBPyKcWw
23:33 < amiller> i should try to understand this proof carrying data PCD and Ram Compliance Theorem which seem fundamental here
23:33 < amiller> obviously the goal is to write one tiny program that inserts/deletes one item into a utxo that has some maximum size like log(21e8) satoshis
23:34 < amiller> and then check a proof that any arbitrary number T of them are done correctly in sequence with only a single operation!
23:36 < amiller> ok no i don't follow this code
23:36 < realazthat> questions?
23:36 < realazthat> P' does the work
23:36 < realazthat> V' is what needs be verified
23:37 < realazthat> V' verifies that all the sigs that Pi produces are correct
23:37 < amiller> yes but it's not clear where the compilation occurs from this code
23:37 < amiller> the preprocessing step
23:37 < realazthat> you do preprocessing on V'
23:37 < amiller> SCIPVerify also requires compilation
23:37 < realazthat> yes
23:37 < amiller> if you give it different arguments
23:37 < realazthat> that's the recursive part
23:37 < amiller> so you SCIPVerify the SCIPVerify program
23:37 < realazthat> yes
23:38 < amiller> okay so that doesn't get you a cost savings
23:38 < Luke-Jr> wait, was there code for SCIP released? :o
23:38 < gmaxwell> 20:19 < amiller> a circuit is like a C program except with all the loops unrolled, it's like definitely the *worst case* execution
23:38 < gmaxwell> ^ no, that is _NOT_ how Eli's stuff works.
23:38 < amiller> yeah ram compliance theorem and whatnot
23:38 < gmaxwell> Yea.
23:39 < gmaxwell> That's why it's log() instead of quadratic (or exponential) in the program size on the prover.
23:41 < realazthat> amiller: why do you say it doesn't get a time savings?
23:41 < amiller> well if i think of this SCPVerify as working just on circuits
23:41 < amiller> then the problem is that the SCPVerify function itself has to have a worst case running time
23:41 < realazthat> you break P into sqrt(|B|) pieces
23:41 < realazthat> yes even so
23:42 < realazthat> mmm wait
23:42 < amiller> so if it is able to take itself as input
23:42 < realazthat> well SCIPVerify runs in O(|s|) time
23:42 < amiller> then it can't process itself using less gates than its own size
23:42 < realazthat> mmm
23:43 < realazthat> er
23:43 < realazthat> O(s)
23:43 < realazthat> yeah that would make it seem impossible
23:44 < realazthat> well wait
23:44 < realazthat> then there would be slightly two different versions of SCIPVerify
23:44 < realazthat> SCIPVerify(Pi) << this would be hardcoded in the one used in V'
23:44 < realazthat> it runs in O(s) time
23:45 < realazthat> so V' runs in O(n*s) time, where s = |P|
23:46 < realazthat> if n = sqrt(|B|) and P runs on B (blockchain) T \in O(|B|), and Pi runs on a section sqrt(|B|), and Pi \in O(sqrt(T))
23:47 < realazthat> so V' should run in O(sqrt(|B|)*s)
23:47 < realazthat> am I making zero sense lol
23:48 < amiller> zero sense proof
23:48 < amiller> nah that might make sense
23:49 < amiller> so there's code about to be released by microsoft research for SNARKs
23:49 < realazthat> oh cool
23:49 < amiller> but like you have to feed it circuits and so it's kind of a ridiculous game of unrolling loops and proving to the compiler that you use bounded ram and bounded time and such
23:50 < amiller> so this proof carrying data concept is i think different
23:50 < amiller> but builds on it
23:50 < amiller> in which case maybe this is possible after all i guess
23:50 < realazthat> mmm
23:50 * realazthat wants codes to play with
23:52 < amiller> Coming... This Summer... The Fancy Crypto Drama you've been waiting for
23:52 < realazthat> lol
23:53 < amiller> Faster Verification! Shorter Proofs! Zero Interaction!! and *ZERO KNOWLEDge*
23:53 < gmaxwell> I hate the culture around movies we have, there is so much _super_ interesting stuff we can't make movies out of because we don't know how to show someone doing anything intellectual in a movie.
23:53 < realazthat> I've been thinking on ways to make a blockchain that does useful work, trades work jobs for coins, etc.
23:54 < realazthat> gmaxwell: mmm
23:54 < amiller> right on realazthat that's my favorite overall thought
23:54 < gmaxwell> "quick, cue the photomontage of sciency shit" "fuck, they're doing crapytography, there is nothing to show but paper!"
23:54 < realazthat> Traveling Salesman
23:54 < realazthat> haven't watched it though
23:54 < amiller> lol Traveling Salesman the Musical
23:54 < realazthat> http://en.wikipedia.org/wiki/Travelling_Salesman_(2012_film)
23:54 < realazthat> lol
23:54 < amiller> everyone's sad when he leaves because they know he won't ever be back again
23:54 < gmaxwell> yea, I'm aware of that movie, haven't found a way to see it.
23:55 < gmaxwell> hahah
23:55 < realazthat> gmaxwell: same haha
23:55 < gmaxwell> amiller: plot twist: the optimal path was also a hamiltonian!
23:57 < realazthat> mmm someone get eli into this channel :P
23:57 < realazthat> or #bitcoin-dev
23:58 < amiller> aahahahah that is a good plot twist
--- Log closed Sun Jun 02 00:00:57 2013
--- Log opened Sun Jun 02 00:00:57 2013
00:01 < amiller> well he was really clear about encouraging people to email him if interested :)
00:01 < realazthat> I have
00:01 < realazthat> thu night
00:03 < realazthat> and he just responded!
16:43 < gmaxwell> uh. I'm just realizing that debating the scalability stuff probably shouldn't be done in a not very public IRC channel, and we should probably avoid doing that in the future. (not sure it should be done in bitcoin-dev either, as it wasn't a near-term technical discussion)
16:45 < BlueMatt> gmaxwell: political discussions over irc are impossible, over email they are significantly worse...
16:45 < zooko> Maybe post logs of this channel? Few would read them. I wouldn't.
16:45 < zooko> But at least they'd be out there.
16:45 < gmaxwell> zooko: doesn't really solve my concern. I'm not the sort to believe that a log no one would read addresses transparency.
16:46 < BlueMatt> having them in bitcoin-dev makes sense
16:46 < gmaxwell> (I mean, fine to do that too as far as I'm concerned)
16:46 < BlueMatt> and it's not like we're gonna do anything tomorrow
16:46 < BlueMatt> things will happen on the ml long before anything real happens
16:46 < gmaxwell> BlueMatt: yea, I think bitcoin-dev is okay so long as we can stop the discussion when something currently important comes up.
16:47 < BlueMatt> well, at least get community input for important topics long before merge
16:47 < BlueMatt> though, again, anything non-technical is impossible over irc and significantly more impossible on a ml
16:47 < BlueMatt> it would be ideal to do face-to-face, like...at a conference
16:47 < gmaxwell> Sure sure. I just generally don't want to be in the habit of having multi-party discussions of things with real impact in private.
16:48 < BlueMatt> bitcoin-dev is probably fine, the people going there to ask noob questions shut up when real discussions happen
16:48 < gmaxwell> (it's really seductive to create your little private channels and only invite in the people you agree with ...)
16:48 < BlueMatt> obviously, hence bitcoin-dev
19:45 < sipa> hmm, even my 0.8.2rc1 instance needs several seconds for a getblocktemplate
19:45 < gmaxwell> sweet.
19:46 < sipa> ~ 2400 transactions in mempool
19:46 < warren> sipa: p2pool folks are increasing mintxfee up a bit to reduce GBT latency
19:51 < gmaxwell> fast here but I keep restarting my node for testing.
19:53 < sipa> right after restart it's 0.04s
21:27 < sipa> ok, removed free relay policy and dust check, and made my node send mempool command to peers at connect time
21:27 < sipa> instantly mempool size > 4000
21:28 < sipa> made a few improvements to CreateNewBlock too... still GBT latency is 0.4s
21:29 < sipa> but not 5s as it was before restart (though that may have been a more complex mempool)
21:29 < gmaxwell> seems very weird.
21:30 < gmaxwell> Very deep unconfirmed chains now?
21:31 < sipa> no idea
21:31 < sipa> what is weird?
21:31 < gmaxwell> 0.4 seconds is high compared to what I thought it had previously been.
21:32 < sipa> well, given my dust and free relay policy are turned off, i may have a pathological mempool now
21:32 < gmaxwell> I seem to remember times like 0.08 seconds but it's been a few months since I was watching it.
21:32 < sipa> i should check without the optimizations i just did
21:32 < gmaxwell> okay. true.
21:32 < warren> p2pool users on 0.8.2rc1 were reporting GBT latency as high as 11 seconds
21:32 < warren> until they bumped up mintxfee
21:33 < gmaxwell> well I _know_ it wasn't that slow last week. Because I often run it from the commandline to answer questions about txn delays.. and I would have noticed 11 seconds.
21:34 < warren> perhaps it was at a particular time during the battery horse staple protest
21:34 < warren> I'm just repeating what I read. I wasn't using bitcoin at that time.
21:36 < sipa> retrying now without the improvements i did
21:36 < sipa> (there were some unnecessary CCoins copies, and an unnecessary cache layer)
21:43 < sipa> 11s !
21:46 < sipa> 21s !
21:47 < sipa> poolsz 5000
21:52 < sipa> again on the improved version: 0.6s with poolsz > 5000
--- Log closed Tue May 21 00:00:09 2013
--- Log opened Tue May 21 00:00:09 2013
01:17 < warren> sipa: when are you flying back home?
03:52 < sipa> warren: 31st
08:12 < warren> I ran out of time. switching back to openssl for now. I just need to get this done. I'll get back to secp256k1 later.
08:13 < warren> Aside from the wallet.dat privkeys rejected by secp256k1, there is some other database related corruption from my secp256k1 gitian builds. I am unable to reproduce it on fedora 18, but it happens often on Ubuntu 12.04. An identical build with openssl has no issue there.
--- Log closed Tue May 21 14:27:17 2013
--- Log opened Tue May 21 14:29:11 2013
20:45 < gmaxwell> anyone want to take bets on freicoin's new control system being unstable? :P
20:49 < warren> gmaxwell: URL?
20:49 < gmaxwell> see conversation in #bitcoin-dev
20:49 < warren> is there a log somewhere?
20:50 < warren> gmaxwell: I'm halfway through regression testing a rebase of litecoin. the litecoin lolbertarians are upset about me "taking away our independence from bitcoin".
20:51 < gmaxwell> warren: rot13 all the variable names to make it independent?
20:51 < warren> gmaxwell: that might make it hard for the 10 new clone coins a week to understand litecoin code.
20:51 < sipa> also, swap a's and e's
20:52 < warren> OTOH, they don't actually change anything, so that may not make any difference.
20:52 < jgarzik> ;p
20:53 < warren> I'm slowly introducing every crazy anti-spam idea I can think of.
20:53 < gmaxwell> warren: remove the block size limit while you're at it in order to test out suppositions about bitcoin scalability for us. :P
20:54 < warren> gmaxwell: I was considering removing the soft limit because the onerous fees have discouraged people from filling the blocks anyway.
20:55 < gmaxwell> makes sense, but why not remove the hard limit too and just add a bit of code to prefer to build on blocks that are smaller?
20:55 < warren> prefer in what way?
20:56 < sipa> when comparing a new block to the best chain, consider it better if the work is equal but smaller
20:56 < warren> Hmm, if I remove block size limits, then doesn't that remove the > 50% preference for higher than minimum fees?
20:57 < gmaxwell> No one knows.
Some credible and trustworthy people argue that removing the limits is completely viable and would like to do it in bitcoin very soon. (where very soon is like.. a year or two)
20:57 < warren> I've read those writings by "credible and trustworthy people", and I disagree with them.
20:58 < sipa> you're not alone
20:58 < sipa> (then again, they aren't either)
20:58 < gmaxwell> I'm a chicken and don't agree but I must confess that my position is dominated by an absence of evidence rather than evidence that disproves their positions.
20:59 < gmaxwell> I don't think Bitcoin can afford to get it wrong, however. I think it's more likely that litecoin can.
20:59 < gmaxwell> OTOH litecoin isn't a great test because we might never get a useful answer.. not enough usage.
20:59 < warren> I was also putting secp256k1 into test builds for the small private QA group just to give it more test exposure. Nobody has managed to artificially create a new wallet with 0.6 that causes secp256k1 to fail, but 80% of old wallets with lots of keys and transactions have trouble with secp256k1. none of them are willing to share their wallet.dat though.
21:01 < warren> (It bombs out immediately with: init message: Loading wallet...\n Error reading wallet database: CPrivKey corrupt \n Error reading wallet database: CPrivKey corrupt \n Error loading wallet.dat: Wallet corrupted
21:01 < sipa> warren: can i see the code?
21:01 < warren> sipa: yes, hold
21:02 < warren> It's in a hidden github repo, I don't have access to grant permission. would a diff be ok?
21:02 < sipa> i prefer to see it entirely
21:02 < sipa> as i have no clue what other changes litecoin has or hasn't
21:02 < warren> let me figure out where I can put it where it remains private
21:04 < warren> sipa: please provide me your ssh pubkey at a URL I can grab
21:05 < sipa> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOGWpqoVnJ0IrKARDDrSKbdoyCQonG+fAUX8XNhgO7VTkUfOAnqByVh6xG1RfzNI1UiE3AG3lv3cB2Pyz43cRzc=
21:05 < warren> hah. my server can't do ecdsa
21:05 < gmaxwell> ^ thats part of the point for him in changing out openssl!
21:05 < warren> exactly
21:05 < sipa> ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxs4zxmvGrtdtzCFrEyVhaxj/nB29TrcExZzqLhb8pZK+7zl3njGUbVNf3HZ3EgTVDyfSZsw44qNIwAg4XeWllIy/h8bdLZoUgd53Y1J3vJu+CNwZqw+4lKZG7Wj2bzSD+DM/GmreEbqtDuFLG5gnO8FKssSuopWEzkSiA+8HXYOsRd9b3PdmwVJbGdULd5HKPe8wtWD1GLBag5rwOh6UiSZdD1zXvPNCOLPRs1tk64bmJ1ntHckEp4MiZxvTE1tahldd4OG5uEsnOW7+T89hBtE7RPEe6B2Te62Evw16RqI/QCh0Jr6XWz1So0oTsAO+rQ3opE2SkNUl0kwx1XbUew==
21:06 < warren> well, i tried to rebuild Fedora 18's openssl with ecdsa yesterday. It needs patching to actually build. jgarzik said he gave up on it.
21:06 < gmaxwell> really? ... weird! did you replace the tarball?
21:07 < warren> yes
21:07 < warren> it's all the fedora patches on top of it that complicate it
21:07 < sipa> do you need those patches?
21:07 < warren> probably not. I haven't tried removing them all yet.
21:07 < gmaxwell> The procedure is to replace the openssl tarball with the matching one from the site (the one fedora gives is gutted), comment out the patch in the spec, and then remove the no-ecdsa stuff in the configure line.
21:08 < gmaxwell> I just did the latest F17 ones the other day without issue. I don't yet have a F18 host so I haven't tried that.
21:08 < warren> Yeah, it bombs out with missing references to ecdsa stuff from fipscanister.o
21:08 < warren> F18 has a rebased openssl
21:08 < gmaxwell> :-/
21:08 < jgarzik> gmaxwell, not that easy anymore. Now makefiles require patching
21:09 < warren> jgarzik: you switched to Ubuntu now? =)
21:09 < jgarzik> that plus EFI #fail forced me onto Ubuntu
21:09 < jgarzik> :(
21:09 < warren> =(
21:09 < warren> I wonder how many users/developers bitcoin lost in these past years over this.
17:56 < gmaxwell> I had an ex-gf that went through two years of having a damn hard time getting hired. Then she'd been working for a place as a contractor for some time, and they wanted to bring her on full time when they checked her references, the national drug store chain she worked for for four years, told them that she had only showed up for work for two days and ... turned out that there had been someone else in another state wit
17:56 < sipa> another state wit[...]
17:56 < gmaxwell> with the same name.
17:57 < sipa> hint: /script load splitlong.pl
17:57 < gmaxwell> so anytime a prospective employer checked her references they got told that her biggest block of employment on her resume was a lie.
17:57 < sipa> right...
17:57 < gmaxwell> Thanks, dunno how that got unloaded.
17:57 < petertodd> sheesh, you can see why in some places the law is such that all companies really can do is confirm that you worked there
17:58 < petertodd> though that has its own problems...
17:58 < gmaxwell> petertodd: normally you'd consider confirming duration to be pretty safe. It really sucks that this caused her problems for _years_ and we had no idea.
17:59 < gmaxwell> in any case, all kinds of boring ways for things to go wrong, so it pays to find out why if you can.
18:00 < jgarzik> gmaxwell, that's pretty smart RE Dwolla response, btw, done ;p
18:02 < petertodd> gmaxwell: Kinda reminds me of how when my brother applied to join the air force, they lost his application, but the record of him applying was in their system, so every time he called to ask how it was going they said it was still in processing...
18:03 < petertodd> gmaxwell: He worked at a call center at the time, and he spent his whole lunch hour every day for about two months calling them over and over again until finally they got annoyed enough that they asked the actual processing department, who of course said they had never got it.
18:04 < sipa> i've been told about cases where the recruiter who was supposed to tell a candidate about the outcome of their job application, had left the company
18:04 < petertodd> human systems often have remarkably bad error handling...
18:05 < petertodd> sheesh
18:06 < petertodd> I actually had the opposite of that happen to me kinda: I got hired to be the electronics lab night shift monitor at uni, and somehow no-one ever told my boss I had been hired, and being night shift I never had any interactions with him...
18:06 < sipa> so some day: "who are you?
18:06 < petertodd> exactly!
18:07 < petertodd> it also made very clear how people had been stealing thousands of dollars from payroll through fake time sheets...
18:36 < jgarzik> "Please enter the address that can be found on your current photo ID"
18:36 * jgarzik just moved and got a new photo ID that might be possible cause (c)
18:37 < jgarzik> The System wants my old address
18:37 < jgarzik> perhaps
18:39 < Luke-Jr> wtf is NEL?
--- Log closed Wed Aug 14 00:00:47 2013
--- Log opened Wed Aug 14 00:00:47 2013
--- Log closed Thu Aug 15 00:00:53 2013
--- Log opened Thu Aug 15 00:00:53 2013
09:50 < realazthat> http://www.scipr-lab.org/
09:50 < realazthat> SCIP website is up
09:50 < realazthat> and I am still working on LLVM backend
13:41 < gmaxwell> realazthat: their site is broken on IPv6. :P
13:41 < petertodd> gmaxwell: ? worked for me
13:43 < realazthat> heh dunno
14:37 < gmaxwell> realazthat: oh, so the proofs are smaller in this final version of the paper than I'd thought from the draft.
14:37 < gmaxwell> They are saying the proofs are 2576 bits for 80 bit security.
14:38 < realazthat> mmm
14:38 < petertodd> that's pretty small!
14:38 < realazthat> that is good then
14:41 < gmaxwell> yea, it's 12 group elements, but they are G1 elements which are 184 bits. (I think I'd figured the size I'd concluded from them based on their G2 elements or something)
14:50 < gmaxwell> the keys are larger, of course.
14:52 < gmaxwell> I'm not actually sure how big they are, they say n+2 G1 elements, plus 6 G2 elements (184 bits for g1 elements, 550 bits for g2 elements)
14:52 < petertodd> so what's a group element mean?
14:53 < gmaxwell> EC points.
14:54 < petertodd> huh, how does that work?
14:56 < gmaxwell> but I'm not clear what N is there, they give an example with a computation which is 1105 instructions takes 11,001 steps and the verification key is 9 G1s + 6 G2s or around 5000 bits.
14:58 < gmaxwell> petertodd: I'd tell you to read the paper, which you should. But really you have to read all the papers it cites and all the papers they cite several levels back. But basically it amounts to the proofs being proofs of arithmetic circuit satisfiability over a special EC field constructed to make the computation tractable.
15:00 < gmaxwell> In any case, the paper on the site is intended to give you an engineering view of the system.
15:00 < gmaxwell> It's not perfect for that purpose, but you should actually read it.
15:04 < petertodd> will do then
15:04 * petertodd shouldn't have gone to art school
15:05 < petertodd> Sounds like it's one of those things where a "simple explanation" just doesn't cut it yet. :)
19:28 < gmaxwell> petertodd: they didn't teach abstract algebra in art school?
19:33 < petertodd> gmaxwell: yes, but it's called post-modernism there
19:33 < petertodd> also, there's only one thing to learn really: bottom == post-modern
20:09 < gmaxwell> Luke-Jr: you might want to look at their tinyram spec, http://www.scipr-lab.org/system/files/TinyRAM-spec-0.991.pdf since you have some interest in emulators and such.
20:37 < gmaxwell> ah the n+2 is the number of words in the public input to the verification program.
--- Log closed Fri Aug 16 00:00:59 2013
--- Log opened Fri Aug 16 00:00:59 2013
21:33 < gmaxwell> So, we've mused about how SCIP could give us provable checkpoints, well except for the fact that the program execution for validation of the blockchain is currently not practical with existent systems.
21:34 < gmaxwell> Consider this the SCIP validator is pretty fast, within the general order of magnitude of what we could have in a block (it's perhaps as expensive as 1000 checksigs). You could send txouts to a proof verification key. Okay nothing amazing here other than giving you superpowered scripts.
21:35 < gmaxwell> Except the proof verification key could actually be validating a long chain of off chain transactions, potentially transactions in another blockchain, and then returning the output values to bitcoin.
21:36 < gmaxwell> so this is kind of like zero coin, except you could have long chains of transactions hidden under the proof.
21:40 < gmaxwell> e.g. I could pay 1 BTC to alice, under plus an anti-replay timestamper oracle which prevents replaying an ID number but is otherwise blind to the txn. And then alice could pay to bob (and get timestamped). and bob could pay to charley. And then charlie could take this transcript (the ecdsa validation and the timestamps that prove no double spends), run the SCIP prover on the transcript, and recover the bitcoin.
21:42 < gmaxwell> It's zero knowledge (the transcript is aux input), so the public doesn't learn anything about the chain of transactions... and also has the benefit of compressing a potentially long transaction history into a single result.
21:48 < gmaxwell> or you could replace the timestamper oracle with SPV proof on another blockchain. Your bitcoin becomes a colored litecoin satoshi, you make a bunch of plain litecoin transactions, and then assemble a bunch of litecoin SPV proofs, and a number of additional headers, prove it, and the bitcoin reemerges in bitcoin.
21:49 < gmaxwell> (e.g. what some people have proposed doing for cross chain transactions, but compressing all that data under SCIP to avoid sticking hundreds of kilobytes of data into the global blockchain)
21:50 < gmaxwell> So whereas ZC creates scaling concerns in exchange for improved fungibility, this thing solves scaling concerns and improves fungibility as a side effect.
21:54 < gmaxwell> One challenge is that the upper limit of input size and computation for SCIP must be established when computing the verification key. So the colored coin thing would be a bit weird because you could only go so many hops before you could no longer recover the coin.
23:15 < jgarzik> petertodd, The first SIN software has appeared,
23:15 < jgarzik> https://github.com/gasteve/node-libcoin
23:15 < jgarzik> SIN.js makes a bitcoin-address-like thingy, according to protocol spec
23:15 < jgarzik> SINKey.js generates an EC key for use w/ SIN
23:16 < jgarzik> This, therefore, is the original SIN,
23:16 < jgarzik> jgarzik@pum:~/node_modules/libcoin$ node sin-test.js
23:16 < jgarzik> { created: 1376709207,
23:16 < jgarzik> priv: 'bc65f94b4142be3c6c0b02b33dab3775a829fc1f60e484e7d4ea64e2f421cdc4',
23:16 < jgarzik> pub: '029381bcb36358e58842431981a01742d494970a245c8f5c77874bbbde8fb25a9b',
23:16 < jgarzik> sin: 'je9eFspuTC29yhUqGqzEYwWmVTJRS9nWEkA' }
--- Log closed Sat Aug 17 00:00:08 2013
--- Log opened Sat Aug 17 00:00:08 2013
01:14 < jgarzik> or, perhaps, after some shed-painting,
01:14 < jgarzik> { created: 1376715876,
01:14 < jgarzik> priv: 'db25473a599ad99db89616da536be066ea58825a6cd9b17e90b70b824e0daea6',
01:14 < jgarzik> pub: '0346891919f18000be1c9aae381b93870f7dcf807c4f581e2b64dcd547342f70b8',
01:14 < jgarzik> sin: 'Tf86BqNWrnyn117U7N7Vc1sAUfKc2esd4z3' },
01:15 < jgarzik> petertodd, changed the base58-encoded prefix to 0x0F
01:39 < jgarzik> https://en.bitcoin.it/wiki/Identity_protocol_v1
21:17 < realazthat> mmm cool
21:17 < realazthat> I am still working on TinyRam backend for LLVM
21:17 < realazthat> making an LLVM backend is annoyingly hard
21:17 < realazthat> even though TinyRam is simple
--- Log closed Sun Aug 18 00:00:14 2013
--- Log opened Sun Aug 18 00:00:14 2013
23:15 < amiller> i ran into ben laurie finally
00:31 < realazthat> 2. how many competitors will split the money with you? A: only way to know is to look at the current power directed at this problem
00:31 < realazthat> ie. look at the power beforehand
00:32 < realazthat> gmaxwell's idea is implemented some version of this type of market will happen
00:32 < realazthat> they might use some other incentive, a more stable/predicted one than I suggested
00:32 < amiller> okay so
00:32 < amiller> how do you look at the power directed
00:32 < realazthat> regardless of mining ideas
00:32 < amiller> this is a big thing i'm interested in with bitcoin
00:32 < amiller> is more realtime info about how hash power is allocated
00:32 < realazthat> you look at the last time this program was offered as a job,
00:33 < amiller> right now you get one sample every 10 minutes
00:33 < realazthat> and you see how many people split the money
00:33 < amiller> are the programs offered according to a fixed schedule
00:33 < amiller> that could help sure
00:33 < realazthat> lets say .. yes
00:33 < amiller> okay
00:33 < amiller> the program could always be split into smaller parts
00:33 < amiller> and those parts would be individually payable
00:33 < amiller> the finer grain you split it the more reliable the estimates are
00:33 < amiller> same with bitcoin mining, it's why people join pools
00:33 < realazthat> yes
00:34 < amiller> the only reason not to split it super fine grain is because of communication overhead
00:34 < realazthat> oh well wrt pools, I had some ideas of trying to support pools as a first class citizen
00:34 < amiller> but other than that the finer you make it the more painless it is for everyone involved
00:34 < realazthat> yeah
00:35 < realazthat> a better solution to making multiple workers do the same job maybe
00:35 < realazthat> hmmm
00:36 < realazthat> ok what about a legit lottery
00:36 < realazthat> this would cloud the chain with a ton of txs perhaps
00:36 < realazthat> but lets go with this a sec
00:36 < amiller> sure
00:36 < realazthat> in order to take a job,
00:36 < realazthat> you have to give a certain amount of btc
00:36 < realazthat> to the pool
00:36 < realazthat> lol mixing a lot of concepts here
00:37 < realazthat> ok
00:37 < realazthat> lets also fix jobs to a T
00:37 < realazthat> so that we know the size at an interval
00:37 < realazthat> and everything happens in intervals
00:38 < realazthat> ok so the only reason to actually have "mining" in such a market,
00:38 < realazthat> is to introduce new coins
00:38 < realazthat> because,
00:38 < realazthat> you can really do away with winning coins
00:39 < realazthat> and just have the winner of the mining lottery (not this new lottery) mint the new block in exchange for the tx fees; and he is chosen by lottery of workers
00:39 < realazthat> mmm so let me think
00:39 < realazthat> ok, so here goes
00:39 < realazthat> lets redo this, forget this lottery concept
00:40 < realazthat> 1. units of work are offered
00:40 < realazthat> 2. workers choose their units of work and complete them
00:40 < realazthat> 1.a assume all the units take ~10 mins or less
00:42 < realazthat> 3. worker results in an answer R + sig(R,P)
00:42 < realazthat> if H(sig(R,P) + R + B) < difficulty, then the worker wins
00:42 < realazthat> and mints the coins
00:43 < realazthat> in addition
00:43 < realazthat> all those who worked get half the winnings
00:43 < realazthat> split among them all
00:43 < realazthat> now only issue is, bluff posts of work
00:43 < realazthat> it needs to cost to post work
00:46 < realazthat> so that is easily solvable I think
00:47 < realazthat> workers who finish on time split the post for their program at the end of the block; if they completed on before the winner
00:47 < realazthat> so it is a bit risky
00:47 < realazthat> you automatically get more money than regular bitcoin chain
00:47 < realazthat> because all work is paid for ... but only if you finish the work before the lottery winner
00:48 < realazthat> otherwise you hung out dry
00:48 < realazthat> so its a race to finish fast
00:48 < realazthat> which is good
00:49 < realazthat> this all assumes that all the programs are very strictly time bound
00:49 < realazthat> and all must take that long to run
00:49 < realazthat> upper and lower limit
00:49 < realazthat> this could be hard
00:49 < realazthat> I would like to think of adjustment that doesn't require all the different programs to be on interval, in sync
00:52 < realazthat> mmmk I should add this to my doc
00:52 < realazthat> these good ideas
00:52 < realazthat> prolly some big holes still
01:18 < amiller> eh i don't think any of that made much sense
01:18 < amiller> will look again tomorrow :o
01:18 < realazthat> lolk
01:18 < realazthat> I'll try to write up a doc
01:18 < realazthat> and make it public
12:17 < realazthat> mmm amiller, you were saying that it is good to be increment/very small jobs, ie. playing the lottery very often
12:18 < realazthat> why is that an advantage?
12:19 < amiller> because otherwise there's more uncertainty about how much you'll earn for any amount of work
12:20 < petertodd> SCIP idea: use it to prove to "SPV" clients for a proof-of-sacrifice based key-value map that a given view of history is in fact the one with the highest total sacrifice
12:21 < petertodd> If I understand things correctly, this is basically an extension of the idea of using SCIP to generate checkpoint hashes and prove they are correct.
12:22 < petertodd> Probably impractical given how SCIP is going to need a crowdfunded buy of, like, half of Amazon EC2, but it's an interesting concept none the less.
12:35 < realazthat> amiller: mm true indeed; I guess my idea for PoW would have to totally change the dynamics of the system, relying on the compute-market to drive computation/incentive
12:37 < realazthat> petertodd: mmm I don't totally understand the point of sacrifice lol
12:37 < realazthat> I wasn't following the key-value map ideas
12:37 < realazthat> in the chan
12:37 < realazthat> but I'll put in my list
12:38 < realazthat> but I understand what you mean about application of SCIP here
12:39 < realazthat> "probably impractical" - do you mean 'cause SCIP is probably practically slow?
12:39 < amiller> meh, we'll crowdsource the construction of scip proofs via the PoW
12:40 < realazthat> mmm but can u trust that
12:40 < realazthat> er
12:40 < realazthat> i mean, can you trust a 3rd party construction
12:41 < realazthat> anyway, eli confirmed that it might be possible to bring down the construction time via bootstrapping
12:41 < petertodd> realazthat: It's an alternative to proof-of-work basically
12:41 < petertodd> amiller: Sure, but this is an example where you'll want a lot of these proofs.
12:41 < amiller> well they build on each other actually
12:41 < petertodd> Ah, interesting, that may be good enough then.
12:42 < petertodd> I saw the SCIP talk in San Jose, but I don't pretend to understand much of it.
12:42 < amiller> so each block contains a proof that the previous block is valid, and given the validity of the previous block, we have an incremental proof that the current block is valid too
12:42 < realazthat> mmm I don't understand the math obviously lol
12:42 < realazthat> but I think I understand how it would work/ how to use it
12:42 < amiller> i might be overinterpreting it but i think that is really similar to the proof-carrying-data idea in the bootstrapping paper
12:43 < realazthat> mmm
12:43 < amiller> i actually don't think any of eli's stuff itself is so interesting, relative to the recursive SNARK paper
12:43 < realazthat> the way I posed it to eli,
12:43 < petertodd> amiller: I think that would work in this case. Basically you'd want to write a program that shows from block n to m the delta changes in the key:value map were whatever.
12:43 < amiller> right
12:43 < amiller> really eli's contributions are a) a ton of practical improvements which is great and b) you can simulate 'ram' by using merkle trees
12:44 < realazthat> mmm
12:44 < amiller> but at this point we are already used to working out the merkle trees ourselves
12:44 < amiller> or at least we don't assume we have 'ram', we assume we have k-v stores like leveldb
12:44 < realazthat> the practical is important though; because the recursive and bootstrapping stuff seems external to the "base" SNARK implementation
12:44 < realazthat> they can use any implementation, no?
12:44 < amiller> that's true yeah
12:44 < amiller> it's SNARK + blockchains and merkle trees basically
12:44 < realazthat> so I assume that eli would work on that next
12:45 < petertodd> huh, is there a layman's description of what a SNARK is somewhere?
12:45 < realazthat> no, the bootstrapping improvement can possibly be applied generically
12:45 < realazthat> petertodd: he describes it in the talk
12:45 < realazthat> which one did you watch
12:45 < realazthat> there are two of them
12:45 < realazthat> one is very easy
12:45 < petertodd> realazthat: the san jose one
12:45 < petertodd> haven't watched the more in-depth one he did at stanford yet
12:46 < realazthat> mmm yeah
12:46 < realazthat> that was the easy one
12:46 < realazthat> er
12:47 < realazthat> the san jose one was easy to understand IMO
12:47 < realazthat> it's really simple, as a user
12:47 < petertodd> yeah, even I understood it :P
12:47 < petertodd> it turned SCIP into a blackbox you could reason about, like hash functions
12:47 < realazthat> right
12:47 < realazthat> exactly
12:48 < amiller> well SNARK is SCIP it's not really any different
12:48 < realazthat> Alice has a program P, you create an SCIP proof for it, give it to Bob, he runs P, and produces a sig(P), and result
12:48 < amiller> the difference i think is that SCIP is about RAM computations (using merkle trees) and SNARK is just about circuits
12:48 < amiller> SCIP is also his name for the whole practical project which includes a gcc compiler
12:49 < amiller> SNARK is a blackbox
12:49 < realazthat> a compiler and a vm
12:27 < jtimon> I thought that maybe the payer could provide the proofs necessary for the SPV recipient to validate them only looking at the current Txin set
12:28 < jtimon> so the "only first txin goes into the txin set" validation, which is the only validation done, could be enough
12:28 < jtimon> it is very possible that I'm misunderstanding something
12:29 < petertodd> right, but remember in that scheme a step back isn't verified by anyone
12:29 < petertodd> OTOH with scip...
12:29 < jtimon> sorry what was otoh?
12:30 < fagmuffinz> gmaxwell, you're full of nuggets
12:30 < petertodd> I mean, with SCIP you can prove the previous history of the txout followed the rules without providing it
12:30 < jtimon> on the other hand, ok
12:31 < jtimon> so you could actually have spv nodes with this minimized central validation
12:32 < jtimon> the main problem I see is that the TXI set grows forever
12:32 < jtimon> by "central" I meant in-chain
12:33 < jtimon> this minimized in-chain validation
12:34 < jtimon> if I understand correctly, miners only receive inputs and validate the following:
12:34 < jtimon> if it is already in TXI, do nothing, otherwise, insert in the TXI tree
12:35 < jtimon> is that right?
12:42 < fagmuffinz> Can you guys get me up to speed on hashcash?
12:42 < fagmuffinz> I'm taking it this is kind of the gauntlet for ideas
12:45 < fagmuffinz> I'm moving through Zerocoin's paper right now
12:46 < petertodd> jtimon: right, that the txin set grows forever is a problem that I need to solve in some clever fashion :)
12:46 < petertodd> jtimon: after all, I mainly wrote that as a "hey! if we do this as yet undiscussed thing we get a system with different properties!"
12:47 < jtimon> Ihehe
12:47 < jtimon> I'm not sure I understand the structure of the committed inputs though
12:47 < _ingsoc> fagmuffinz: Which one?
12:47 < fagmuffinz> http://zerocoin.org/media/pdf/ZerocoinOakland.pdf
12:48 < jtimon> miners receive independent inputs with tx_hash, output_id and another hash?
12:48 < _ingsoc> Ah, right.
12:48 < fagmuffinz> Figuring out the mechanism still
12:48 < petertodd> jtimon: well, it's indexed by the txout:n being spent, and miners store the scriptSig + rest of tx hash basically
12:51 < fagmuffinz> Digital commitments
12:51 < jtimon> so the final hash lets you identify which inputs go in the same transaction, no?
12:51 < fagmuffinz> Things I haven't heard of
12:52 < fagmuffinz> I've written a simulation of Shor's circuit
12:52 < fagmuffinz> Haven't heard of this
12:54 < petertodd> jtimon: right, so it's still a totally committed set of hashes, but miners only are ensuring that the chain can't be changed, not what's in the tx's themselves
12:54 < petertodd> jtimon: and until a txout gets spent, it has no effect on the blockchain at all and no-one but the tx holder knows it exists in any fashion
12:55 < jtimon> yes, yes, just wanted to make sure I understood the structure
12:55 < petertodd> you do, I think :P
12:56 < fagmuffinz> And it's time to spend some more time with zero-knowledge proofs
12:56 < jtimon> so what about this for the evergrowing TXI-set...
12:57 < jtimon> in the TXI tree that is hashed each block
12:58 < jtimon> when you add a new input, you also store a refHeight with the block number in which the input appeared in the chain
12:58 < jtimon> when the refHeight + X = current block height
12:59 < jtimon> that input has to be removed from the TXI data structure
12:59 < jtimon> basically, inputs only stay in the chain for X blocks
12:59 < jtimon> that could be 100,000,000 blocks, but it's still better than ad infinitum
13:00 < jtimon> holders just have to move their funds from time to time
13:01 < jtimon> hmmh, but you only answered half of the fee question...why miners mine in this protocol?
13:05 < petertodd> jtimon: heh, I don't know all the answers yet :)
13:06 < petertodd> jtimon: but I gotta go - I'm at the darkwallet conf right now
13:06 < jtimon> ok, have fun
14:06 < maaku> jtimon: the better approach is to construct the TXI tree in such a way that no one needs (random access to) the whole structure
14:07 < maaku> then it doesn't matter if it grows forever
14:08 < warren> anyone know how long bitcointalk has been down?
14:08 < maaku> not more than an hour or two since I was just there
14:12 < jtimon> maaku, when a miner gets an input, he needs to check whether the input has already been published or not
14:13 < maaku> jtimon: yes, and the creator of the transaction could provide proof-of-not-inclusion along with the transaction
14:13 < jtimon> I don't know how can you construct the TXI tree the way you propose and still satisfy that validation rule
14:13 < maaku> so long as they maintain those proofs, the miner doesn't have to
14:13 < maaku> BUT, they do need random access to initialize the proofs for their as-yet unspent outputs when they create the transaction
14:14 < maaku> but they wouldn't if you use a merkle-mountain range
14:14 < jtimon> I got lost
14:15 < jtimon> how does the payer provide a non-inclusion proof to the miner?
14:15 < maaku> the payer provides for each input a path through the input tree showing that the input does not exist yet
14:16 < maaku> those same paths can be used to insert the input record into the tree, updating the root hash
14:16 < maaku> so the miner only has to store the root hash
14:17 < maaku> and the onus is on the payer to maintain the proofs needed to spend
14:35 < fagmuffinz> I return
14:37 < maaku> the problem, i believe, is that as presented the payer (or recipient) has no meaningful control over the hash of the new transaction, and therefore the portion of the tree needed for the proofs related to the new outputs
14:37 < maaku> proof-updatable UTXO trees suffer from the same problem
15:30 < HM2> ah sipa's back
15:30 < HM2> sipa, not retired yet?
15:32 < sipa> retired? :o
15:32 < sipa> maybe when i'm twice my current age or something...
15:32 < sipa> actually, not even
15:32 < Luke-Jr> lol
15:33 < HM2> Oh that's only you're well to do enough to live in to cryogenics :P
15:34 < HM2> sipa, could you remind me of your variable length integer encoding? I've been regoogling and can't come across it
15:34 < Luke-Jr> wtf, does *everyone* have their own varint encoding? :o
15:34 < HM2> Yes, but sipa's is best
15:35 < sipa> HM2: https://github.com/bitcoin/bitcoin/blob/master/src/serialize.h#L242
15:37 < HM2> ah that was it
15:37 < HM2> thanks
15:37 < Luke-Jr> why is it in bitcoind src? :o
15:38 < sipa> the chainstate uses it
15:38 < sipa> ultraprune started out as an experiment to see how small the chainstate could be encoded as
15:38 < Luke-Jr> i c
15:39 < sipa> there are some overkill things in it :)
15:39 < Luke-Jr> looks nice
15:39 < Luke-Jr> often I just abuse UTF-8 <.<
15:39 < Luke-Jr> of course, that's not remotely compact
15:39 < sipa> it is, for numbers with the right distribution :)
15:40 < Luke-Jr> sure, but not compared to yours
15:40 < Luke-Jr> or even protobuf's
15:40 < sipa> mine is for all intents and purposes the same as protobuf
15:40 < sipa> in encoding size
15:40 < sipa> but it's unique
15:40 < sipa> (and a tiny tiny bit smaller)
15:41 < Luke-Jr> oh, so you never use 0xff?
15:41 < Luke-Jr> could extend your range slightly if you did.. ;)
15:41 < sipa> it is optimal
15:41 * Luke-Jr looks at it in more detail
15:41 < sipa> every unique infinite sequence of bytes corresponds to a unique sequence on integers
15:42 < HM2> you'd have to zigzag encode it for signed ints
15:42 < HM2> right?
15:43 < sipa> yup
15:43 < HM2> but that's post/preprocess so not important at all
15:58 < HM2> hmm
15:59 < sipa> i just pushed a change to libsecp256k1 that makes it 1.3x slower :(
16:06 < Luke-Jr> why?
16:07 < HM2> sipa, timing leak?
16:07 < sipa> potential patent
16:08 < Luke-Jr> sipa: old code in #ifdef? :P
16:08 < sipa> yes
16:10 < Emcy_> who gets sued?
16:12 < HM2> #ifdef I_ACCEPT_THE_DISCLAIMER
16:12 < sipa> it's still there, via --use-endomorphism
16:40 < HM2> sipa, the comments on your serialization code are whack
16:40 < HM2> https://github.com/bitcoin/bitcoin/blob/master/src/serialize.h#L260
16:40 < HM2> 128-16511: 2 bytes
16:40 < HM2> then on line 260
16:40 < HM2> 16511: [0x80 0xFF 0x7F]
16:40 < sipa> ha!
16:41 < HM2> i thought the code was broke :|
16:44 < Luke-Jr> sipa: should be --enable-endomorphism :/
16:44 < Luke-Jr> (and will probably *need* to be to autotools it)
21:41 < Mike_B> people are panicking over this directory.io thing, i think it's hilarious :)
22:10 < midnightmagic> Mike_B: Hrm? directory.io?
22:10 < pigeons> yeah check it out, funny
22:11 < midnightmagic> ok
22:12 < midnightmagic> ha ha ha!
22:13 < midnightmagic> "It took a lot of computing power to generate this database."
22:33 < gmaxwell> Mike_B: lol, link to panic?
22:34 * gmaxwell adds "it doesn't contain compressed keys! so if you use those you're safe!"
22:38 < Mike_B> haha
22:38 < Mike_B> it was mostly irc
22:39 < Mike_B> this guy tried to calm everyone down on reddit, but did it the wrong way: http://www.reddit.com/r/Bitcoin/comments/1ruk0z/dont_panic_directoryio_thing_is_fake/
--- Log closed Mon Dec 02 00:00:25 2013
--- Log opened Mon Dec 02 00:00:25 2013
00:43 < gmaxwell> so for those who haven't been watching, it appears someone may have used cloudflare's special relationship with a certificate authority to compromise even ssl access to bitcointalk.org.
00:44 < gmaxwell> There is a CA which will make a cert for any domainname pointed at a cloudflare IP in DNS and give it to cloudflare. So you get a really fast "change domain name" to "intercept SSL invisibly" escalation.
00:44 < gmaxwell> ISTM it would be pretty easy to reduce the risk of the existing CA infrastructure substantially with some help from bitcoin.
00:44 < BlueMatt> lol, wow
00:45 < gmaxwell> We could require that all CA's publish lists of all the certs they issue. And the lists get hash commitments in bitcoin. And then sites hand out certs with a proof that they were in the published list.
22:47 < gmaxwell> petertodd: I don't know that explicitly supporting that makes sense.. simply because you can just have the trusted hardware produce a signed message regardless, even without support.
22:47 < petertodd> gmaxwell: I'm not sure either yet - strikes me that doing traces + monotonic counters could be very tricky, but it's worth looking into at least.
22:57 < petertodd> Anyway, I think the interesting part is more that with the model that you build up every part of the language from the forth primitives you make it very, very clear what code is actually being run. Equally, forth is already common in applications, IE spacecraft, where you need relatively bare metal languages with simple frameworks and semantics; note how with forth it's much easier to get to the level where you trust that the code being run is what you actually wrote than, say, C.
22:57 < petertodd> It's fundamentally the same math wise as a tonne of other approaches, but forth makes what is going on very explicit.
22:58 < sipa> petertodd: type this: /script load splitlong.pl
22:58 < petertodd> ok, I typed rm -rf /, but it doesn't seem to be doing much
23:00 < petertodd> Anyway, I think the interesting part is more that with the model that you build up every part of the language from the forth primitives you make it very, very clear what code is actually being run. Equally, forth is already common in applications, IE spacecraft, where you need relatively bare metal languages with simple frameworks and semantics; note how with forth it's much easier to get to the level where you trust that the ...
23:00 < petertodd> ... code being run is what you actually wrote than, say, C.
23:03 < petertodd> The actual implementation can be some tiny and primitive C kernel with static memory layout. Just be clear what the maximums are for the various parts of the stack. Dunno yet what the stack datatype should be, MPI's are nice but there is the subtle issue that it'd be good to have some clear idea of how many operations an operation takes. Of course, really simple would be 32-bit ints and implement everything higher level in forth.
23:41 < jgarzik> go go Open Firmware
23:41 < jgarzik> the BIOS standard that should have won
23:42 < petertodd> for sure
23:43 < petertodd> With any luck some OpenFirmware TPM modules will become available and I won't actually have to write any code. :P
23:45 < jgarzik> OK
23:45 < jgarzik> Query results:
23:45 < jgarzik> Average block summary size: 8858.34
23:46 < jgarzik> That's block header + (vtx.size() * 32)
23:46 < jgarzik> does not include coinbase average size
23:48 < BlueMatt> ok?
23:49 < jgarzik> That's how big a UDP frame distributing block data would be
23:49 < sipa> you technically also need 1-3 bytes for the number of transactions
23:49 < jgarzik> nod
23:50 < jgarzik> call it 8858 + 4(n_tx) + 512(coinbase)
23:50 < jgarzik> I imagine 8-16 bytes of overhead would sneak in somewhere
23:50 < sipa> never 4
23:50 < BlueMatt> meh, average doesnt matter much since new blocks are so much bigger than average
23:51 < sipa> 1,3,5 or 7 :)
23:51 < sipa> eh, 1,3,5 or 9
23:51 < sipa> but i doubt any block has over 65535 transactions :D
23:52 < jgarzik> 8858+3+512+16 == 9389 bytes
23:52 * jgarzik wonders how much droppage that would cause, given that it is well over size to be fragmented across WAN
23:53 < jgarzik> To avoid fragmenting, you could only look at shipping smaller bits of useful data: block header only, small TX's, INV's, addresses perhaps
--- Log closed Fri Mar 29 00:00:11 2013
--- Log opened Fri Mar 29 00:00:11 2013
00:01 < jgarzik> I might just do a wholly separate service, a "UDP beacon"
00:02 < jgarzik> Clients send a simple message, subscribing to block header (block+tx list?) broadcasts over UDP. Subscription lasts X seconds, after which, it must be renewed with another UDP request to the beacon server.
00:02 < jgarzik> Each block triggers a broadcast.
00:04 < jgarzik> Semi-related: tunneling SCTP over UDP: http://tools.ietf.org/id/draft-ietf-sigtran-sctptunnel-00.txt
00:05 < petertodd> jgarzik: ACK on UDP beacon
00:06 < BlueMatt> jgarzik: sounds like what I would think of udp as
00:18 * jgarzik retweets a bitcoin block header ;p
00:19 < petertodd> THAT'S HOW YOU DEFEAT TYRANNY!!!!!
00:35 < petertodd> jgarzik: re: uint256 for hashes in bitcoinlib, were you just trying to follow the C++ implementation?
00:35 < jgarzik> petertodd: specific code example / source file line#?
00:37 < petertodd> COutPoint is an example, where self.hash is deserialized to an integer and back again
00:39 < jgarzik> petertodd: It is helpful for the few cases where it matters as more than just a binary blob
00:39 < BlueMatt> how mature is libcoinc?
00:39 < jgarzik> petertodd: though TBPH, that was inherited from the original ArtForz mini-node
00:39 < BlueMatt> s/c?/?/
00:40 < petertodd> jgarzik: Yeah, I was going to change that back to plain bytes instances. Bitcoin has a ton of hashes involved and you're doing a lot of copying there.
00:40 < petertodd> jgarzik: Makes it easier to build up transactions too in a natural way.
00:40 < jgarzik> BlueMatt: my libccoin? Unit tested, not much outside of that. What it does, should be solid (famous last words). You are more likely to find some missing pieces here and there.
00:42 < jgarzik> petertodd: oh yeah, it makes it a lot easier to print ;p
00:42 < petertodd> jgarzik: For instance with my code you can now do: CScript([OP_DUP, OP_HASH160, pubkeyhash, OP_EQUALVERIFY, OP_CHECKSIG]) and everything works as expected. You need to convert the hash back to bytes if it's an integer.
00:42 < jgarzik> petertodd: slower, but more pythonic
00:43 < petertodd> jgarzik: I think we've hit an edge case where "pythonic" can mean two different things. :P
00:44 < jgarzik> petertodd: pythonic == elegant python source, regardless of how slow under the hood
00:44 * jgarzik runs
00:45 < petertodd> jgarzik: Heh, well building up a transaction the way you can now is IMO a lot more elegant than the previous CScript() thing.
00:45 < BlueMatt> what? is that not an accepted definition?
00:46 < petertodd> BlueMatt: What constitutes 'elegant' isn't clear-cut.
00:47 < jgarzik> petertodd: If you want to change everywhere to byte buffers, how would we test the change to see if anything breaks?
00:47 < jgarzik> :)
00:48 < jgarzik> would need print and comparison helpers (or perhaps just a convert-to-python-long helper)
00:48 < petertodd> jgarzik: Gee, I dunno, it'd be good if we had some unittests... :P
00:48 < petertodd> jgarzik: I did up h2b() and b2h()
00:48 < petertodd> jgarzik: You already have bytes to python integer.
00:58 < jgarzik> petertodd: BTW, seen this? https://github.com/samrushing/caesure
00:58 < jgarzik> petertodd: looks like he's doing some Cython work
00:59 < petertodd> jgarzik: crazy, the re-implementations never stop
00:59 < jgarzik> petertodd: that's actually pretty old
01:00 < jgarzik> petertodd: python-bitcoinlib's key.py came from there via a third party
01:00 < jgarzik> (see header)
01:00 < jgarzik> petertodd: I'm about to add base58 support, and was thinking of stealing it from there
01:00 < petertodd> jgarzik: huh, interesting
01:00 < jgarzik> petertodd: do you know of a better base58 source?
01:01 < jgarzik> https://github.com/samrushing/caesure/blob/master/caesure/proto.pyx#L53
01:01 < petertodd> jgarzik: hmm... no license specified
01:01 < petertodd> oh, wait, no I'm blind
01:01 < gmaxwell> jgarzik: that SCTP draft is dead, this one is very much alive: http://tools.ietf.org/html/draft-ietf-tsvwg-sctp-dtls-encaps and is already shipped in beta state to many millions of systems (in Chrome and Firefox).
01:01 < petertodd> jgarzik: Probably as good as any.
01:02 < jgarzik> gmaxwell: neat
01:02 < jgarzik> petertodd: groovy
01:03 < gmaxwell> the nice thing about using that draft: (1) you can copy webrtc code for all of it (including nat traversal), (2) you get censorship resistance because you look like webrtc. ... downside: still connection oriented.
01:07 < petertodd> # having trouble understanding if there is a difference between: CHECKMULTISIG and P2SH. <- not a good sign
01:08 < gmaxwell> Which CTO in charge of technology for a hundred million dollar bitcoin business did that come from?
01:09 < petertodd> gmaxwell: lol, nah it's from yet another bitcoin reimplementation: https://github.com/samrushing/caesure
01:09 < petertodd> (more scary I know)
01:11 < petertodd> "I'm attempting to make this a full node, with tx verification etc...." "Script engine is mostly done. Needs some work on failing constraints like stack size, sig count, etc."
01:12 < petertodd> Oh, and it comes with a "drop-in replacement" for openssl...
01:21 < jgarzik> petertodd: ok, pushed
01:23 < petertodd> jgarzik: cool, lemme add some tests
01:30 < gmaxwell> sipa: oh, supposedly openssl's ECDSA signing adds the message to the randompool before generating the nonce.
01:36 < petertodd> jgarzik: prelims pushed; I'm off for the weekend
06:39 < warren> What's the number of tx's changed that causes a pre-0.8 reorg to fail again?
07:53 < sipa> warren: over 4800 affected txids in a single reorg is risky
07:57 < warren> sipa: the litecoin users finally noticed the reorg risk due to gavin's posting, and I'm thinking about the likelihood of an actual reorg attack succeeding within the next 3 months it will take coblee to upgrade the client as he doesn't think it is urgent.
08:01 < warren> sipa: their typical blocks have *at most* a few dozen tx's, and their standard fees are extremely high, so it would be expensive to artificially jack up the number of tx's in a number of successive blocks. Then a reorg attack would need amazing luck to generate a valid attack block fast enough after the previous block containing just the right number of tx's. The part I'm not sure of is the exact circumstances where an attack block would fail differently for some nodes in a reorg.
13:06 < phantomcircuit> jgarzik, i had to run earlier, in general the constituency has a lot of other issues they are worried about, but the principal matter representatives work towards is more pork for their district, if they also pass some social policy changes then maybe they beat the guy running against them who would also make pork their primary issue
13:06 < phantomcircuit> jgarzik, it's gotten to the point that they dont really need to campaign on it since it's implied
13:08 < phantomcircuit> jgarzik, iirc real estate holding companies like that would mean following sec guidelines that are doubly plus not fun
13:59 < jgarzik> phantomcircuit, not true, if properly arranged :)
14:00 < jgarzik> (RE real estate)
14:00 < jgarzik> Still have annoying investor DD, so far from anonymous, but thankfully no SEC reg
14:01 < phantomcircuit> jgarzik, unless you're transferring title to the investor they would need to be
14:04 < jgarzik> phantomcircuit, nope
14:05 < jgarzik> phantomcircuit, think multiple companies, multiple countries, annoyingly complex ownership structure
14:05 < phantomcircuit> sorry i accidentally some words
14:06 < gmaxwell> 10:59 < cjb> "github: we put the 'central' in 'decentralized revision control system'"
14:06 < phantomcircuit> jgarzik, they would need to be accredited investors and/or you would need to comply with the JOBS act stuff
14:06 < phantomcircuit> gmaxwell, lol
14:07 < phantomcircuit> jgarzik, im sure there are shenanigans you can play with offshore holding companies which they're invested in which in turn hold the domestic company
14:07 < phantomcircuit> thus the investors comply with the offshore rules instead of the domestic rules
14:07 < phantomcircuit> in general schemes like that work until they dont and then they tend to really not work
14:11 < jgarzik> gmaxwell, rofl
14:15 * jgarzik ambushes the channel with a new term, beta-testing it: http://imgur.com/P2G7670
14:16 < jgarzik> My thesis, after watching economists and computer scientists grossly misunderstand bitcoin, even after looking at it a while
14:17 < jgarzik> To understand why bitcoin works (or how it might fail), you must evaluate any thesis according to each of the three legs of the Satoshi Triangle: economics, game theory and software engineering. Most academics fail to take a holistic approach, and in doing so, wind up failing to understand why their "bitcoin is broken!" argument falls over.
14:18 < jgarzik> Really Smart People(tm) keep missing major facets of bitcoin, when they do their own research
14:18 < jgarzik> and thinking
14:19 < gmaxwell> I very much agree with your point. Invoking satoshi more makes me a bit sad. I think we do better without the satoshi mysticism in general, and people fixating on satoshi weakens us. </tangent>
14:20 < gmaxwell> I don't have any better names for the facets, not sure I'd choose that exact set of labels.
14:38 < jgarzik> gmaxwell, Modesty prevents me from calling it 'garzik triangle', and 'bitcoin triangle' seems rather boring.
14:38 < jgarzik> gmaxwell, IMO these are key facets that Satoshi figured out, so I thought it fair
14:38 < jgarzik> computer scientists are calling bitcoin tech "Nakamoto block chain" for example
14:43 < petertodd> gmaxwell: We should pay the NSA to come up with undeniable proof that Satoshi was a crack-addled alcoholic. Then again, Toronto's mayor is still in office...
14:43 < gmaxwell> "I was too drunk to know I was inventing a decentralized cryptocurrency."
14:44 < petertodd> lol
14:46 < phantomcircuit> lol
14:47 < sipa> "I was trying to come up with this absurdly complex pyramid scheme..."
14:47 < gmaxwell> "I'm not sure if I succeeded or failed"
14:47 < amiller> i'm not sure what you mean is the difference between economics and game theory
14:49 < sipa> amiller: attire
14:49 < jgarzik> I agree that economic incentives and game theory motivations are quite intertwined
14:49 < jgarzik> But from the PoV of a classically trained economist, who barely knows computers and prints out his email, I think the distinction matters
14:49 < amiller> swap one or the other for distributed systems & cryptography and i'd like it
14:50 < jgarzik> (1) Economics and game theory, (2) software engineering, (3) distributed systems & crypto ?
14:50 < amiller> sounds right to me
14:50 < petertodd> jgarzik: you forgot (4) sociology/political science
14:51 < adam3us> need a bitcoin.it wiki page
14:51 < jgarzik> petertodd, too meta
14:52 < jgarzik> want to avoid politics and ideology. depending on your political bent, views range from "bitcoin is OBVIOUSLY political" to "keep your politics away from my bitcoin"
14:52 < petertodd> jgarzik: well you are talking to a guy whose most recent bitcoin-dev list post was a short near-future sci-fi post-modern narrative
14:52 < jgarzik> best not to go there
14:52 < jgarzik> P.S. I argue it is impossible to be post-modern
14:52 < petertodd> See, seriously speaking where politics comes into it is the nature of changing the system itself; something that hasn't been deeply explored yet.
14:53 < petertodd> jgarzik: heh, my art school teachers would have argued the exact opposite
14:53 < amiller> it's post-impossible to be modern?
14:54 < petertodd> amiller: lol
14:54 < petertodd> amiller: Your recognition of the concept of modernity dooms you to forever be a post-modern man.
14:56 < jgarzik> petertodd, Yeah, but that's in art school, where they know nothing of engineering constraints imposed by reality. ;p
14:57 < jgarzik> OK
14:57 < jgarzik> Revised: http://imgur.com/S4dTQOG
14:58 < petertodd> jgarzik: at least they don't pretend otherwise :P I quit industrial design after a year that included me having to argue a design for an "eco-friendly" lamp was physically impossible; couldn't get my teacher to understand the relevance of E_k = mgh...
15:00 < petertodd> heh, I like how software engineering != distributed systems, good
15:05 < phantomcircuit> petertodd, but but it's eco friendly!
15:07 < jgarzik> petertodd, to me "engineering" is the grubby parts of making things work, outside the world in which theoreticians exist
15:07 < jgarzik> some attacks are valid in theory, but just not practical for engineering reasons too annoying to detail
15:08 < petertodd> To me an engineer is just a theoretician who analyzes non-spherical cows too.
15:10 < maaku> petertodd: that's one approach to engineering. it's not always the best though
15:11 < petertodd> heh, ah, but see, the moment you assume a non-spherical cow, you very quickly either adopt good engineering practices, or give up and make the cow spherical again.
15:11 < petertodd> (or design bridges that fall down...)
15:19 < phantomcircuit> petertodd, brb genetically engineering a spherical cow
15:20 < petertodd> phantomcircuit: spoken like a true engineer!
15:23 < jgarzik> Any problem is solvable given sufficient time to debug.
15:29 < phantomcircuit> jgarzik, or the ability to modify the problems contraints
15:29 < phantomcircuit> constraints*
15:30 < jgarzik> phantomcircuit, I'm an engineer. I am allowed to tell management that reality is interfering with their artificial, theoretical constraints.
15:30 < phantomcircuit> hehe
15:34 < phantomcircuit> is the disable wallet patch in master?
15:35 < jgarzik> phantomcircuit, yes
15:35 < jgarzik> wumpus pushed it over the finish line, while I was off dealing with family stuff
15:35 < maaku> phantomcircuit: while you're at it, make me a cuboid cow. easier to stack.
15:36 < midnightmagic> jgarzik: Yes, people do often misapprehend the nature of the scaling issues bitcoin has. https://twitter.com/midmagic/status/241845808201334784
15:36 < phantomcircuit> maaku, try japan they already make cuboid watermelons
15:36 < phantomcircuit> although something tells me a cow would object to being kept in a plastic box
15:36 < midnightmagic> "because it has to broadcast transactions, it's untenable"
15:36 < midnightmagic> `_`
15:37 < phantomcircuit> midnightmagic, "i have no idea what a gossip protocol is"
15:39 < midnightmagic> phantomcircuit: She's a tor dev. :(
15:40 < phantomcircuit> that is deliciously ironic
15:40 < sipa> midnightmagic: who?
15:41 < sipa> ah
15:42 < midnightmagic> sipa: The person who told me namecoin was useless as a distributed dns lookup because tx are broadcast thus hand-wavey "quadratic scaling problem".
15:42 < midnightmagic> maybe I'm misinterpreting.
15:43 < phantomcircuit> midnightmagic, she's missing that peers keep track of what they've told other peers about
15:43 < phantomcircuit> the communication protocol is basically O(n * m) for n = messages and m = peers
15:44 < phantomcircuit> but the actual chain storage is linear with transactions
15:44 < phantomcircuit> if you naively assume that every peer tells every other peer about everything
15:44 < phantomcircuit> then it is horrible
15:46 < midnightmagic> phantomcircuit: But the cost of doing those broadcasts successfully is significant (or it was before Vince screwed us all) so growth does not cause strictly quadratic growth in network communications overhead anyway, even leaving the blockchain itself out of it (which is ultimately very much more prunable than bitcoin's.)
15:47 < phantomcircuit> midnightmagic, the broadcasts should be fairly cheap with an inventory/getdata setup
15:47 < phantomcircuit> optimally each peer receives 8 inv messages, sends 1 getdata, and receives 1 data block
15:52 < gmaxwell> midnightmagic: One reason people assume quadratic communication is because they're not aware of the surprising result that expander graphs can have log radius while having constant degree. E.g. nodes can have some small _constant_ number of connections per node, but the distance to any other node can remain log in the number of nodes. So they start thinking every node has to be fully connected to every other node.
16:04 < warren> hmm, is the floating fee stuff happening for 0.9?
16:14 < ebfull> ya warren
23:38 < jgarzik> warren: I paid BTC, and got a refund months later
23:45 < gmaxwell> warren: guy sold a successful fpga product, though it seems mostly on outsourced tech. Announced an asic product. Became very secretive.. Began making obviously booze induced postings. imploded as all preorder holders lost confidence. started returning funds, very slowly.
23:46 < warren> wow
23:47 < gmaxwell> some people think he was attempting honest business and got in over his head and became unhinged. Others think that he got scammed by someone he was outsourcing to. Other people think that it was all just a scam... ask for coin, if bitcoin value goes up 'fail' and return a fraction of it.
23:48 < gmaxwell> people who think that last one are probably the source of the question to Jeff.
--- Log closed Wed Apr 03 00:00:17 2013
--- Log opened Wed Apr 03 00:00:17 2013
03:28 < warren> jgarzik: my brain just connected dots ... you're mining the avalon through tor for the botnet study thing?
04:53 < realazthat> would there be a use for an online bitcoin-script simulator?
09:51 < jgarzik> warren: not through tor, no
14:45 < amiller> i'd like playing with an online bitcoin-script simulator realazthat
14:45 < amiller> bah
--- Log opened Wed Apr 03 22:22:42 2013
--- Log opened Wed Apr 03 22:41:42 2013
--- Log closed Thu Apr 04 00:00:11 2013
--- Log opened Thu Apr 04 00:00:11 2013
00:03 < jgarzik> petertodd: I wonder if @blockheaders has room for a #bitcoin hashtag?
00:32 < warren> A random walk student walked up to me just now and said, "I heard you have bitcoins. Do you have any to sell?"
00:32 < warren> These are the same people who can't keep their computers secure from viruses.
00:32 < warren> sigh
00:33 < warren> wow
00:33 < warren> random brain macro activated while typing that
00:33 < warren> I'm tired.
00:37 < jgarzik> warren: we get end user support questions all the time. the "I lost my bitcoins, how do I recover them?" ones are the worst.
00:38 < jgarzik> s/worst/most heartbreaking/
01:10 < petertodd> jgarzik: it's now much improved
01:12 < nanotube> warren: random walk student eh? they sound like fun. :)
01:37 * jgarzik grabs globalsin.com, for his identity network thingy
01:38 < amiller> so a random walks students walks up randomly to me and says...
01:38 < amiller> all the best jokes begin this way
01:49 < gmaxwell> Do you go to brown?
01:50 < gmaxwell> (I thought you said the student was brownian? ... badumpcha)
03:26 < warren> nanotube: I've been making those weird brain macro mistakes for a few days now. Something odd is going on.
03:30 < gmaxwell> warren: welcome to being old
10:01 < BlueMatt> gmaxwell: does one have to be old for that? Im pretty sure I do it all the time too
10:08 < petertodd> BlueMatt: just old enough
11:24 < realazthat> sipa: ping?
12:20 < realazthat> hey is it ok for me to re-ask my project proposal idea in this channel
12:20 < realazthat> bitcoin-dev is quite noisy
12:20 < realazthat> and it got lost
12:20 < realazthat> (I want some dev feedback before I start)
12:56 < realazthat> sipa: so I've been thinking for another project (or extension of this one) and someone gave me this idea, to make a bitcoin "client" that would use the RPC interface, but use a local wallet. thus, you can "federate" the blockchain to a trusted central bitcoind. would this be useful?
12:56 < sipa> realazthat: yes, but i believe the RPC interface is completely inappropriate for that
12:57 < sipa> in fact, the P2P protocol is perfect for that, as there are already clients out there that manage wallets without storing the blockchain :D
12:58 < realazthat> why is the RPC interface inappropriate?
13:00 < sipa> how will you know which coins you have to spend? iterate all transactions in all blocks?
13:02 < realazthat> erm
13:02 < realazthat> hmm
13:02 * realazthat thinks
13:04 < realazthat> so there is no way to retrieve the balance of an output hmm
13:05 < sipa> no
13:05 < sipa> and doing that would require an even more extensive index
13:06 < sipa> while scanning the blockchain for interesting transactions is already possible via the p2p protocol, very efficiently
13:06 < sipa> without the server requiring an index
13:06 < realazthat> ah
13:06 < realazthat> but can that be trusted?
13:06 < sipa> and even better, it doesn't even require trusting the server, as authentication is built into the protocol
13:07 < sipa> and yet better: it already exists
13:07 < sipa> and works
13:07 < realazthat> yeah but that takes away my project idea!
13:07 < realazthat> :P
13:07 < realazthat> not better!
13:07 < sipa> (download bitcoin wallet for android or electrum)
13:12 < sipa> also, the model you propose (fully indexed by address server, with light clients querying balances) also exists already (though via its own protocol): electrum
13:12 < sipa> so... sorry!
13:14 < realazthat> lol
14:08 < warren> crap. The Slashdot summary on the DDoS attacks and instawallet is extremely misleading.
14:10 < gmaxwell> warren: you expect otherwise? How else are the editors to buy cheap coins? :P
14:13 < warren> gmaxwell: I'm impressed how unaffected the market is despite the alarmist news
14:15 < sipa> they're used to it by now :p
14:16 < gmaxwell> as sipa says.
14:17 < sipa> half of slashdot is "just shut the fuck up about bitcoin", and the rest are fans who ignore bad news :p
14:18 < gmaxwell> This can't be healthy. :P
15:46 < BlueMatt> sipa: thats been going on for a while
17:37 < warren> What was the decision about the irc seed? Revive the network? Leave it disabled? Remove the code?
17:42 < BlueMatt> remove code
17:42 < BlueMatt> I dont think anyone even bothered emailing the guy who runs it
17:49 < warren> BlueMatt: remove irc code completely or just turn it off?
17:49 < gmaxwell> warren: it's been turned off for years now.
17:49 < warren> for testnet too?
17:50 < gmaxwell> nah, we left it on for testnet. this takes it out completely.
17:50 < gmaxwell> why are you asking here instead of reading the pull?
17:50 < warren> oh,
17:50 * warren looks
17:54 < warren> thanks, I only searched the open pulls, not closed
18:33 < warren> Haha, the LTC instawallet was destroyed too.
18:38 < gmaxwell> destroyed?
18:42 < warren> gmaxwell: it isn't clear what happened. I'm guessing someone figured out how to access all the addresses like the BTC instawallet.
20:40 < weex> google indexed something afaik
21:04 < warren> Wow. in the last 12 hours BFL downgraded the speed of the advertised ASIC's and doubled the price.
21:08 < gmaxwell> I understand their phone has been ringing off the hook
21:10 < warren> Last week Josh committed to sending additional units to existing orders to satisfy hash rates that customers paid for.
21:12 < sipa> afaik, the change is only for new orders?
21:14 < warren> sipa: They would have a major backlash if they changed past orders especially after Josh made that commitment in public last week.
21:16 < sipa> well, then what's the problem?
21:17 < warren> Just surprising that it happened.
22:33 < nanotube> got links?
--- Log closed Fri Apr 05 00:00:12 2013
--- Log opened Fri Apr 05 00:00:12 2013
04:03 < warren> sipa: I lucked out, I bought one only hours before the price change.
04:03 < warren> I have no idea what I will receive or when.
04:03 < warren> whatever happens happens
04:04 < sipa> well, you know
04:04 < sipa> perhaps you receive it before the subsidy runs out in 2140 :p
04:04 < gmaxwell> lol
04:05 < gmaxwell> sipa: when you're in town you can look at my avalons. :P
04:09 < warren> I bought it because I figured out that Paypal's Bill Me Later would let me borrow the entire purchase price for 6 months with zero interest, zero payments.
04:11 < warren> (I'm aware those promos are meant to ensnare people who can't pay it off.)
04:14 < gmaxwell> there is often a lot of fine print too.
04:17 < warren> I had friends who borrowed $200k on credit card 0% 1-year promos and collected 4-5% bank interest during the year. Seemed like too much effort for the risk of screwing up.
04:18 < gmaxwell> it's usually also the case that they only offer those promos on purchases and not cash advances, so there is no (easy) way to convert the credit to interest.
04:19 < warren> oh, back then they allowed it, it was the credit bubble
04:19 < gmaxwell> yea, as explained by "4-5% bank interest"
04:19 < warren> only way to get 4-5% interest was a CD
04:20 < warren> who knew at the time none of those CD's were at risk because the taxpayer would bail them all out ...
04:21 < sipa> gmaxwell: will do!
04:28 < warren> gmaxwell: I was most amused when I realized that, that Paypal would let me money to help defend its greatest long-term threat.
17:54 < warren> https://bitcointalk.org/index.php?topic=168251.0 Looks like one of the alt coins had an accidental hardfork
18:01 < nanotube> what's with all these altchains coming out of the woodwork.... heh
18:02 < warren> dunno
19:03 < gmaxwell> nanotube: I am hans and this is franz and we are here ...
20:33 < gmaxwell> People are buying $coin right now under the "what if" basis, so there is a ton of incentive to spin up an endless series of additional coins.
20:42 < nanotube> so, seems like a problem that will solve itself. :P
20:42 < nanotube> in fact, why don't we just come up with 100-some different coins, so people will see the ridiculousness of the enterprise. :P
21:04 < warren> gmaxwell: it is unfortunate that mtgox is getting in on the act
21:04 < gmaxwell> I was told that was an april fools day thing and not actually serious.
21:07 < nanotube> i was told it wasn't....
21:09 < nanotube> in response to "are you considering ltc trading or is that just a cooked rumor?" mtux said "eventually"
21:26 < amiller> bitcoin is pure network effect
21:27 < amiller> normally you see things that are network effect + lock in mechanisms
21:28 < amiller> so it's refreshing to have something that's just network effect alone
21:30 < amiller> but still it's _just_ network effect
18:32 < sipa> the problem is that centralized systems are superior in pretty much every technical way
18:32 < sipa> apart from required trust
18:35 < amiller> maybe the bitcoin community will end up developing an offensive capability that basically compromises centralized systems quickly to make it apparent that they're vulnerable
18:35 < gmaxwell> amiller: Pretty much, I think. I mind this less when they haven't adopted a story that requires them to store data in bitcoin.
18:36 < amiller> well we have to figure out how to a) make them pay for their utxo usage over time and b) also charge people for archive access to old blocks
18:36 < gmaxwell> charge for archive access to old blocks kind of undermines the bitcoin security model. :(
18:37 < gmaxwell> You can't determine if you're on the longest valid chain without inspecting the historical chain, and we're an anonymous system which new people should be able to join
18:37 < amiller> well you can bittorrent it, just takes a while
18:37 < amiller> it's already pretty expensive in a batch
18:37 < gavinandresen> Hey wizards: I need to recruit a couple of people to help review technical-focused Foundation grant proposals. Anybody have a little bandwidth to help? (I don't want to be Grant Gatekeeper)
18:43 < petertodd> Oh, there are tech-focused ones?
18:44 < gavinandresen> petertodd: sure, I think you proposed one first round.
18:44 < gmaxwell> gavinandresen: Being gatekeeper stinks!
18:45 < gmaxwell> "Emperor of broken dreams" has a much better ring to it.
18:45 < petertodd> gavinandresen: oh, tpm hardware? that probably should be taken off the list as it'd duplicate other people's efforts
18:47 < gavinandresen> that's one of the reasons I want to get a couple more people involved in review; I can't possibly keep track of everything happening, and more people means more "don't fund that, Jehosephat announced a similar project last week..."
18:47 < petertodd> agreed
18:47 < gavinandresen> to be clear: the Foundation Board are the ultimate gatekeepers who decide how much money to grant.
18:48 < gmaxwell> I'm willing to review things (and I suppose am at least somewhat likely to notice overlapping efforts), esp. with the point that it's really someone else in the buck-stops-here position.
18:49 < gavinandresen> gmaxwell: great!
18:50 < amiller> i'm volunteering to review too, i like having excuses to dredge through the forums looking for related work
18:50 < gavinandresen> gmaxwell: you going to submit a dust-buster grant proposal this time around? No impact on review, you'd just abstain from reviewing your own proposal....
18:51 < gmaxwell> hurrah.
18:52 < gmaxwell> Thanks for the reminder.
19:47 < jgarzik> gavinandresen, I'm willing to help, too
19:47 < jgarzik> gavinandresen, just never responded to your email asking
19:48 < gavinandresen> jgarzik: no worries
--- Log closed Thu Sep 19 00:00:55 2013
--- Log opened Thu Sep 19 00:00:55 2013
02:35 < midnightmagic> gavinandresen: You might want to supply your nick:pass as the server pass for freenode, you're flapping with your real connection details in bigpond.
02:36 < midnightmagic> gavinandresen: Also, I wouldn't mind helping review proposals so long as my voice isn't the only one that counts.
02:41 < Luke-Jr> gavinandresen: I can take a look
12:28 < warren> huh. I thought Bitcoin Foundation didn't do grants for core dev. Is this new?
12:38 < jgarzik> warren, since Day One, BF has been interested in helping core dev
12:38 < jgarzik> warren, One of the first goals was always to pay Gavin's salary.
12:39 < jgarzik> warren, Side projects included getting some hosting for bitcoincore.org 12:39 < gmaxwell> And BF has provided e.g. hosting for the pulltester robot and some other assorted stuff. 12:39 < gmaxwell> The proposals stuff for review, I assume are mostly not "core dev" 12:39 < warren> what is at bitcoincore.org hosting? 12:40 < jgarzik> There has been an indicated willingness to fund various side projects I've proposed, like having nodes sitting around collecting metrics about the network. -ENOTIME on my side for that stuff, not BF's fault. 12:41 < jgarzik> warren, random stuff we find useful to stick on a server. Mostly Gavin uses it right now, but as gmaxwell said, pull tester and other things 12:41 < jgarzik> There was even resources allocated for a permanent testnet node, as I requested, then never did anything with :( 12:41 < gmaxwell> speaking of metrics, jcorgan has expressed an interest on doing some integrated metrics code as a way to get involved in development. We should encourage this. He does good work elsewhere. 12:41 * jgarzik needs minions 12:41 < jgarzik> +1 12:50 < warren> Earlier gavin mentioned the lack of a security bug bounty program from the BF was largely from the lack of anyone to run it. 12:51 < warren> It was suggested that a volunteer do it. 12:51 < warren> however the average volunteer isn't privy to security issues, and maybe you don't want them to receive the responsible disclosures 12:52 * gmaxwell is skeptical of the value of security bug bounties 12:53 < jgarzik> security bug bounties and assassination markets sometimes share similar economic incentives 12:53 * jgarzik runs 12:53 < gmaxwell> "I can remotely make nodes kinda slow" is not some kind of catagorically worse bug than "OSX users frequently corrupt their database" but one is "security". "meh" 12:54 < warren> I could be wrong, but perhaps Google is keeping drama low and saving money in the long-term by responsible disclosures from their bug bounties. 
12:56 < gmaxwell> It's just distorting to give bounties on "security" bugs as uniquely important compared to other bugs. 12:56 < gmaxwell> "omg my private keys were lost by this wallet corruption" is infinitely more important than "some lame dos attack made nodes run slow" 12:58 < gmaxwell> The kind of security bugs that do deserve bounties are so rare as to be unobservable... and any bounty for it would be insultingly low compared to exploiting it.. or alternatively, exploiting it would just destroy bitcoin and wouldn't be profitable in any case. ::shrugs:: 12:58 < warren> Non-profits including the FSF, EFF, Amnesty International, Wikimedia Foundation (and too numerous others) use CiviCRM to automate management of membership. FSF Executive Director John Sullivan really wants somebody to implement a plugin for CiviCRM that relies on Free Software for many of these orgs to be able to automate acceptance of Bitcoin payments. It is currently weird that they accept Paypal but not Bitcoin with that AGPL code. 12:58 < warren> (another example) 12:59 < gmaxwell> warren: sounds like something that could use a grant proposal, indeed. 12:59 < warren> I'm not proposing it because I'm too busy. 12:59 < jgarzik> I know that feeling :) 12:59 < gmaxwell> another point as to why bounties aren't so helpful... 13:00 < jgarzik> warren, RE CiviCRM, interesting. BitGive might benefit from that info. 13:00 < gmaxwell> though perhaps they could be helpful for pulling in more technical people who don't have any bitcoin at all now. 13:00 < warren> jgarzik: indeed. 13:00 < gmaxwell> E.g. a few coins bounty might be worth more than a few hundred dollars to some developer with a passing interest in this bitcoin stuff but no bitcoins. 13:01 < warren> indeed 13:03 < warren> that was fast, found someone who wants to write the grant proposal 13:04 < warren> is it too late to submit? 
13:06 < jgarzik> ask the Internet that question :) 13:07 < jgarzik> reddit r bitcointalk had a thread talking about 3q grant props 13:07 < sipa> there's this website 13:07 < sipa> where you can search for stuff on the internet! 13:07 < warren> how do I find that website? 13:07 * warren is lacking sleep 13:08 < sipa> http://bit.ly/157cUBZ 13:54 < HM> Bitmit is awful 13:54 < HM> can't even signup 13:55 < gmaxwell> it wanted my home address and stuff... I'm kinda uneasy giving that to a bitcoin website. 13:56 < HM> i tried disposable email addresses but they have them all blocked 13:56 < HM> fair enough, switch to my real one 13:56 < HM> still doesn't work. just refreshes 13:56 < HM> It's a shame really, Silk Road has a really good user experience --- Log closed Fri Sep 20 00:00:58 2013 --- Log opened Fri Sep 20 00:00:58 2013 00:19 < warren> jgarzik: regarding CiviCRM, johns said he might have got students at Stanford to agree to do it, but if that falls through one of the grant submissions is the task as defined by johns. 00:21 < warren> jgarzik: one dev looked into CiviCRM and found a mess of poor or lacking documentation and broken examples. I think he submitted only the Free Software part for the grant, and by the time he finishes that it should be easy for him to write separate Bitpay and Coinbase modules. 08:03 < HM> lol "Homeless, unemployed, and surviving on Bitcoins". Wired sure can write a headline 08:04 < HM> I think the picture features the entire dev team ? ;) 14:22 < jgarzik> It would be annoying as hell, but the first autonomous agent will likely be a beggar-bot 14:22 < jgarzik> "I'm the first autonomous agent, give me bitcoins or I die" 14:22 < gmaxwell> at least it would be true. 14:23 < gmaxwell> it could be a little more "fit" than that... perhaps like one of those bitcoin gems where the high bidder gets some free advertising. 
14:23 < MoALTz> "i'll work your product into my conversations for bitcoins" 16:25 < HM> Bitfetch -> nice implementation, corrupts downloads 16:28 < amiller> i found a minor bug in this proof of work paper http://eprints.qut.edu.au/40036/6/40036-full-revised.pdf 16:28 < amiller> it doesn't really matter i guess 16:28 < amiller> but there are a bunch of nice things about his definition of puzzles and i want to import those 16:29 < amiller> but they're too strong, "correctness" says that there's some amount of time you can run such that you find a solution with probability 1 16:29 < amiller> and that's not the case with hashcash style puzzles (e.g., bitcoin) 01:05 < petertodd> (for the basic reasons Luke was getting at...) 01:06 < zooko> So Bitcoin-proper fits into this model in this way, IIUC: who gets to decide? Anyone who knows a certain ecdsa private key. What sorts of values can they put in? Only highly constrained values -- transactions. 01:07 < zooko> Oh, and a third question: what form can the key take? A highly constrained form -- txouts. 01:07 < petertodd> Sure, but the point is once you create the basic mapping, you can start applying rules to it and what not. 01:07 < petertodd> The fundemental thing is to have the set-once key-value mapping! 01:07 < zooko> Okay, so what policy do you want from your basic mapping? 01:07 < petertodd> But this is the thing, so how would you do a basic key-value mapping on top of Bitcoin? 01:07 < zooko> By "policy" I mean who gets to set which keys. 01:07 * zooko thinks about that. 01:09 < zooko> How *I* would do it is that I would implement set-multiple-times key-value mapping on top of Bitcoin. 01:09 < petertodd> No-no, how would you do the set-once key value mapping? (and it's ok if both key and value are limited to 20 bytes each) 01:09 < zooko> The policy of "who gets to decide" is that anyone who knows a certain private ecdsa signingkey can issue a "set" operation. 
01:10 < zooko> Are you saying you'd *prefer* set-once instead of set-many? Or that you think the former would be easier to implement directly on top of Bitcoin? 01:10 < zooko> BTW, my Tahoe-LAFS system is an example of a distributed set-many k-v system... 01:10 < petertodd> No, this is an exercise, tell me how you would implement the former. 01:10 < zooko> Okay, to implement set-once, I would choose the policy to be that anyone who knows a certain secret can issue the set-once for a certain key. 01:11 < zooko> This is Ross Anderson's "Guy Fawkes Protocol". 01:11 < zooko> Whenever you use your set-once, you set the value to a tuple of (value1, key2). 01:11 < petertodd> Ok, so how would that be encoded into an actual transaction? 01:11 < zooko> Oh, well that didn't answer how to *implement* it... 01:11 < zooko> Okay now this is the hard part for me. 01:11 * zooko thinks. 01:11 < petertodd> Yes, I'm big on implementing stuff, er, big on talking about implementing stuff... 01:12 < zooko> I'm not clear on all the details of the transaction format. 01:12 < zooko> I 01:12 < petertodd> Do you know what a scriptSig and scriptPubKey are? 01:13 < zooko> 'm particularly uncertain about the script opcodes and which ones are not disabled... 01:13 < zooko> Um, scriptSig and scriptPubKey are of that class of things that I *have* momentarily understood more than once in the past. 01:13 < petertodd> Read the thing about scripts/transactiosn on the wiki until you understand - you won't understand zookeyv without understanding them. 01:13 < zooko> But I think I need a refresher. 01:13 < zooko> Which thing? 01:14 < petertodd> https://en.bitcoin.it/wiki/Script#Scripts 01:14 < petertodd> and https://en.bitcoin.it/wiki/Transaction 01:14 < zooko> Will do! 01:14 < zooko> Thanks for the good conversatio. 
01:14 < petertodd> np 20:38 < amiller> timestamping isn't inherently enough 20:38 < amiller> for any useful protocol 20:38 < amiller> it's also not enough to assign an ordering to a set of objects determine the order of them 20:39 < amiller> suppose I tell you, here are transactions A, B, D, E, and F 20:39 < amiller> (suppose you agree that the order that they were timestamped in corresponds to the ordinary lexical ordering) 20:40 < amiller> do you see the problem that you might be concerned about the omission of 'C' 20:40 < amiller> suppose later i say also there was C 20:40 < amiller> so actually the valid ordering of events is really A B C D E F 20:40 < amiller> well that didn't contradict the first ordering 20:46 < amiller> a good sign you're going down the wrong track is if you start with "timestamping" as an end in itself, it's more important to consider an entire protocol in which an irrevocable decision is made based on the presence of timestamping evidence, i don't know that i have any in mind 20:46 < amiller> maybe a (admittedly contrived) example is patent law 20:47 < amiller> prior art invalidates a patent, and prior art is basically a timestamp evidence argument 20:47 < gmaxwell> no it's not. 20:47 < gmaxwell> prior art requires _public pratice_, a timestamp is not terribly helpful to you... unless it's, say, a newspaper timestamping itself.. though if your invention is described in a newspaper no one cares about the timestamp. 
20:48 < amiller> but just being 'able' to present prior art isn't an adequate system, a lot of prior art goes missed, and so there are some systems in place to try to encourage digging up the prior art through like crowdsourcing (i'll find the nice link in a minute) 20:53 < amiller> so the problem with high compression timestamping 20:53 < amiller> for example just putting a hash of some data in a big ol' merkle tree with tons of other data 20:54 < amiller> and only the root hash is in a public place 20:55 < amiller> is that you can't be sure at any time that some earlier data won't be revealed and preempt whatever you think is the correct order 20:56 < amiller> so if at any finite time you make some irrevocable decision, it's not just based on the timestamp order but also on the order in which they are revealed / circulated 20:56 < amiller> or to give an other example, you could convince people of two separate histories by selectively revealing preimages of timestamped data on a common chain --- Log closed Sat Jun 01 00:00:54 2013 --- Log opened Sat Jun 01 00:00:54 2013 11:51 < amiller> gmaxwell, here's the thing that's a little tricky about eli ben sasson's stuff 11:51 < amiller> there's a preprocessing phase that has to be as large as the time-bound on the number of steps of the computation 11:51 < amiller> so if there are 200,000 blocks 11:52 < amiller> then you have to do 200,000 steps of preprocessing to compile the verifier basically 11:52 < amiller> the one time cost of preprocessing the checker isn't any easier than a one-time step of preprocessing the whole blockchain 11:53 < gmaxwell> amiller: Eli's reponse to that was to suggest to break it and cascade it. 11:53 < amiller> there's like other possible tradeoffs like maybe you only use SCIP to do a smaller chunk 11:53 < amiller> yeah 11:53 < amiller> maybe we can have blockchain voting on what's the hash of a valid SCIP program? 11:54 < gmaxwell> (I talked to him specifically about that...) 
Maybe, his thinking was like "well duh you'd just fix it into the system" ... kinda defeats the point though. :P 11:54 < amiller> awesome quote from his video "i don't know who the central authorities in bitcoin are, but they can do the preprocessing" 11:57 < gmaxwell> supposedly they know how to solve the poly in steps ACSP compile time part, and just have the engineering of building it to go. 11:57 < amiller> do you mean they can get *less* than linear compile time? 11:57 < amiller> someone else told me that too and i couldn't find the citation 11:59 < gmaxwell> amiller: yea, they say they can get to poly in just the length of the program for the compile on the verifier.. I believe this is the subject of their upcomming paper. 13:48 < petertodd> amiller: re: timestamping that's why the zookeyv key-value system I've been talking relies on you being able to determine if someone *could have* created a key-value associated timestamped earlier with a higher sacrifice than the one you just did 13:48 < amiller> sounds a bit like zookeeper :p 13:48 < amiller> which is also basically a distributed consensus kv store 13:48 < petertodd> Or zucchini 13:49 < petertodd> Oh, apache ZooKeeper? Interesting 13:49 < amiller> i don't think i follow the 'sacrifice' reasoning very well, or at least there's some reason it doesn't sit well with me 13:49 < petertodd> What part are you not following? 13:49 < petertodd> (I need a diagram really...) 13:49 < amiller> but as long as you have a *could have* determination then i'm basically ok with the protocol w.r.t. the timestamp thing 13:50 < amiller> well what's the simplest sacrifice protocol to discuss as an example 13:50 < amiller> like fidelity bonds? 13:50 < petertodd> Yeah, and because sacrifices build upon one other, the could have determination doesn't have to be too expensive. 13:50 < petertodd> fidelity bonds turned into a terrible bit of concept confusion... 
fidelity bonds are an abstract idea, the sacrifice methods are the important thing 13:50 < petertodd> Like announce-commit sacrifices, or anyone-can-spend coinbase txouts. 13:51 < petertodd> Or just sending coins to unspendable outputs... 13:51 < amiller> so what security property do you get from a sacrifice 13:52 < amiller> what kind of decision am i going to make based on the presence of a sacrifice where i won't make that decision if i don't see the sacrifice 13:52 < petertodd> Well, in a PoW blockchain the state of the blockchain is determined by total work right? So in a PoS blockchain the state of the blockchain is determined by total sacrifice. 13:53 < amiller> yeah and to the best i can intuit, the security of the blockchain has to do with an assumption that an attacker has a bounded budget 13:53 < petertodd> Yup, which is true for proof-of-work and proof-of-sacrifice fundementally. (the latter is just transferrable proof-of-work after all) 13:53 < amiller> and the (rational) miners receive as payment (the price of their rewards) an amount exactly equal to the computational costs of mining 13:54 < petertodd> Yup. Now a proof-of-sacrifice blockchain intended to work as a currency probably is infeasible, but as a namecoin replacement it makes sense. 13:55 < amiller> i don't see why it should be different if the security statement is the same... but anyway go on 13:55 < amiller> so if we assume bitcoin *is* the money and namecoin is the blockchain of discussion 02:21 < petertodd> ah, too bad, also the blacklisting RPC needs a way to unblacklist. (unless I missed something when I looked at it) 02:21 < warren> it does 02:21 < warren> it adds tothe blacklist and you can remove 02:21 < warren> he even added the missing lock that I found 02:21 < warren> just it fails to disconnect anything you ban 02:23 < petertodd> huh, how do you remove the blacklist? 
I never figured that out 02:24 < warren> petertodd: expiration to zero 02:24 < warren> petertodd: the PR says how 02:27 < petertodd> expiration? where is that mentioned? I totally missed that 02:27 < warren> I haven't looked at it in a while 02:27 < warren> the patch just doesn't work at all 02:27 < petertodd> too bad, we should have something like it anyway 02:28 < warren> yeah, if only we had software engineers capable of fixing things 02:29 < warren> volunteers usually only fix the fun things 02:29 < petertodd> gmaxwell: lol, my girlfriend just pointed out that the song is "Bizzare Love Triangle", and there's two girls and one boy in the protocol :P 02:29 < petertodd> gmaxwell: she's more impressed with your quote than my protocol! 02:30 < petertodd> warren: ha, so very true... (see log) 02:31 < warren> i'm calling this Bitcoin OMG 02:31 < petertodd> better name than next-test 02:31 < warren> meant to be stable, fun, and including things that should be in Bitcoin proper but isn't fully proven yet 02:31 < gmaxwell> petertodd: hahah yes, thats why I chose to emit the lyrics when I did. Because all this alice and carol and bob and ones cheating the other but they have this non-public arrangement and soooo. 02:35 < petertodd> heh, ah, it's just too perfect 02:35 < warren> https://github.com/wtogami/bitcoin/commits/btc-0.8.5-omg 02:35 < warren> it seems to work! 02:36 < warren> Disable Wallet, Coin Control, Watch Only, processgetdata and a million other things tested in Litecoin for months 02:42 < warren> hmm, should I include secp256k1 in this? 02:42 < warren> hmm.... 02:43 < petertodd> warren: tsk tsk, I don't see any git signatures proving that branch is really yours :P 02:45 < warren> petertodd: fine ... how do I verify them? 02:45 < petertodd> warren: git log --show-signature 02:45 * petertodd needs to figure out how to make that the default 02:45 < warren> petertodd: you have a working gitian setup? 
02:46 < warren> petertodd: I want to do gitian.sigs for OMG 02:46 < petertodd> warren: nope :( there's been progress on non-VM-based gitian lately? 02:46 < warren> I'm testing watchonly with DPR's coins now 02:46 < warren> petertodd: some, michagogo was working on it 02:46 < petertodd> my bios is buggy apparently 02:46 < petertodd> ha, nice 02:46 < warren> not sure if it is in 0.9 yet 02:46 < petertodd> yeah, I gotta get that working properly 02:47 < warren> I committed something to 0.9 that gets rid of wine during the win32 build 02:47 < petertodd> personally I always compile from source though, so it's git's integrity that I'm interested in 02:49 < warren> if I disable mining is secp256k1 safe enough? 02:50 < petertodd> sure given this is an OMG 02:50 < petertodd> heck, I mine on git master myself, so I shouldn't talk 02:50 < warren> I'll wait for sipa's feedback on that 02:51 < warren> hm, better not risk it 02:51 < warren> this is meant to be usable for Coinpunk 02:51 < petertodd> yeah, don't need to go too far... 02:53 < warren> petertodd: https://togami.com/~warren/archive/2013/my-bitcoin-wallet.png 02:53 < petertodd> lol 02:54 < petertodd> if it can do correct horse I'll be more impressed though 03:59 < warren> ooh 03:59 < warren> forgot to add leveldb-1.13 08:39 < warren> jgarzik: https://bitcointalk.org/index.php?topic=320695 08:40 < warren> jgarzik: yet another bitcoin mac build with leveldb related improvements, would be interesting to see if it fixes the mac corruption, you had people at your office affected? 08:47 < sipa> warren: for a secp256k1 build, i'd like to disable both wallet and mining 08:47 < sipa> in that case the worst that can happen is you yourself being forked off 08:52 < TD> sipa: does libsecp256k1 work on ARM? 08:52 < sipa> i've been told it does, but i haven't tried 08:52 < sipa> it may be slow 08:53 < sipa> i believe cfields tried it on Debian/ARM 08:53 < TD> slow in what sense? 
08:53 < TD> slow as in not any faster than openssl, or ... ? 08:53 < sipa> yes 08:54 < sipa> of course i don't expect it to be as fast on a mobile as on an i7 :) 08:54 < TD> naturally. i don't think it's possible to be slower than interpreted Bouncy Castle on ARM though 08:54 < sipa> :D 08:54 < TD> you'd have to insert sleep statements into the inner loop to be slower than that 09:53 < petertodd> paper analyzing mixing services and similar things: https://www.wi.uni-muenster.de/sites/default/files/public/department/itsecurity/mbc13/mbc13-moeser-paper.pdf 13:50 < gmaxwell> man, I wish the script OP code values had bits in them to signal how many objects they push and pop from the stack.. would have made softforking forwards compatibility a lot easier. 13:51 < petertodd> good point 13:58 < gmaxwell> (though you end up with the arm instruction set (32 bit instructions) pretty quickly if you're not careful. :P ) 13:58 < petertodd> no worries, just run blocks through bzip2... 14:00 < gmaxwell> petertodd: you did see that I responded to TD pointing out that p2sh is larger and that has an impact on long term storage with a "sufficiently good blockchain compression"? 14:02 < petertodd> gmaxwell: maybe? 14:03 < petertodd> https://bitcointalk.org/index.php?topic=320331.msg3429302#msg3429302 14:03 < petertodd> that's a good point 14:04 < petertodd> OTOH it is bigger in terms of blockchain data, and we all know how much TD cares about maximizing the transaction rate and a fixed block size :P 14:06 < petertodd> (biger vs. pay-to-pubkey) 14:08 < TD> i think with compression of the storage (and maybe in a future protocol version, transmission) it's down to a few bytes difference either way, right? 
14:08 < TD> so not worth worrying about in either direction 14:09 < petertodd> good to hear 14:09 < petertodd> p2sh certainely could be a good thing for the payment protocol re: standardization if we're going to keep IsStandard() 14:09 < gmaxwell> TD: You can't compress a never spent txout. I dunno if it's worth worrying about, but I'm still much more comfortable with larger scriptsigs than scriptpubkeys. 14:10 < TD> it'd be nice to get rid of the IsStandard checks one day, especially if script became more powerful 14:11 < petertodd> TD: I think jdillon's opcode whitelisting suggestion for P2SH scriptPubKeys has merit for a short-term solution 14:12 < petertodd> TD: though it's interesting how IsStandard() is currently important for mutability too... 15:00 < gmaxwell> petertodd: http://pastebin.com/EsmJarxU < diagramed out the teleportation protocol. 15:32 < warren> sipa: secp256k1 works on litecoin ARM 15:34 < sipa> warren: nice to know 21:05 < amiller> this mixing transaction thing is nuts 21:06 < amiller> i'm helping write this paper about the rationale for third party bitcoin mixing services 21:06 < amiller> it's simpler than zerocoin, which i still kind of like the best 21:07 < amiller> we keep nearly getting undermined by simpler better tech though, like coinjoin would be better if not for the DoS and apparent infeasibility of an honest server 21:08 < amiller> but now this hashlock mix is just as good in every way, and better specifically in that it prevents the server from running away with the funds 21:09 < amiller> we've sort of gone through great lengths so far by just whitewashing the problem and saying "well servers will want to maintain their great reputations and future income therefore they'll never actually steal any funds if users can prove it happened" 21:09 < amiller> which IMO sucks and is not even justified 21:09 < amiller> anyway this simplifies it 21:14 * amiller tries to think of some third cool trick to achieve with hashlocked tx 21:14 < 
amiller> abstractly, hashlocking lets you bind two transactions into an atomic pair 21:14 < amiller> either both get through or neither 21:14 < amiller> with tiernolan's crosschain exchange, the two txes aren't even on the same chain 21:15 < amiller> with gmaxwell's hashlocked mix, only the mixer knows the correspondence between the two in the ordinary case 21:16 < amiller> what other reason could you have to want to join two separate transactions? 21:17 < maaku> amiller: why do you need an honest server for coinjoin? 21:17 < amiller> maaku, because there's no public publishing system (like freenet or w/e) that gives you much defense against one person trivially jamming the whole tx by not singing 21:17 < amiller> signing* 21:18 < amiller> it's a DoS disaster 21:18 < amiller> a dosaster 21:18 < amiller> (trademark pending) 21:18 * amiller registers dosaster.com 21:18 < maaku> ok by "DoS and apparent infeasibility of an honest server" you made it sound like something else 21:18 < amiller> oh 21:19 < amiller> i mean that even an honest server can't do much to prevent it other than check bonds or something 21:19 < amiller> it's a hopeless game for the honest server, sort of like the standard "escrow" on bitmit or silkraod 21:19 < amiller> good for comforting users but not actually capable of resolving an actual dilemma 21:20 < maaku> it's not hopeless; DoS can be mitigated 21:20 < maaku> but granted it's not easy either 21:22 < amiller> it's not so much that dos can be mitigated, but that in most practical scenarios no one is trying that hard so you can get away with not mitigating it 21:22 < amiller> which is why, for example, bitmessage is currently functioning 22:01 < amiller> ugh, so i need a way to make a coin flip automatically go to the winner 22:11 < amiller> i wish the stupid splice operations weren't all disabled :/ 22:47 < warren> petertodd: crap. 
the combination of coin control and watch only snuck in some really strange coin selection bugs 17:47 < michagogo|cloud> okay, it's 12:47 am 17:47 < michagogo|cloud> goodnight. 17:47 < warren> michagogo|cloud: you must be on the opposite side of the planet from me 17:47 < michagogo|cloud> UTC+2 17:47 < michagogo|cloud> (Israel) 17:48 < michagogo|cloud> warren: Hawaii, right? 17:48 < cfields> great, i think my macbook hdd is about to take a dump 17:48 < warren> yes, UTC-10 17:53 < gavinandresen> warren: RE: app store: maybe when we're 1.0. And have a user-friendly "you are out of date; upgrade now?". And start in SPV mode. And have a reasonable customer support system. 17:54 < gavinandresen> warren: I think it makes more sense for a company to comercialize Bitcoin-Qt, and give professional support, etc etc etc. 17:54 < warren> bitcointroll isn't a reasonable customer support system? =) 17:54 < warren> joking 17:54 < warren> gavinandresen: to do that wouldn't they need to pay for qt? 17:55 < petertodd> warren: red hat model 17:55 < phantomcircuit> it's not that expensive... 17:55 < gavinandresen> yes, red hat model. 17:56 < petertodd> warren: though in the case of bitcoin, I think there's a lot of stuff about theft that we're not considering... it may be the case that the only model that works for anything over a small businesses re: liability is actually bitbanks - you gotta trust someone, might as well trust someone whose business is trust. 17:56 < petertodd> warren: I sure wouldn't want to be distributing binaries as a business for instance with a support contract without some long discussions with the lawyers first. 17:57 < gmaxwell> warren: where is the bounty link? 17:58 < phantomcircuit> petertodd, "not fit for purpose, any purpose" 17:58 < warren> https://bitcointalk.org/index.php?topic=337294.0 17:58 < petertodd> phantomcircuit: "We're the premier company in the Executive Desk Toys that happen to also be turnkey Bitcoin nodes business!" 
17:58 < warren> I suppose we can't get away with a perpetual beta when Bitcoin hits $1 trillion. 17:58 < warren> That is unless a loaf of bread is $10k at that time, then maybe. 17:59 < phantomcircuit> warren, it's a beta until there are no known issues 17:59 < gmaxwell> "Novelty nodes" 17:59 < phantomcircuit> shrug 18:00 < phantomcircuit> im gonna order a bunch of flash drives with the blockchain + bitcoin-qt loaded on them 18:00 < warren> someone donated 0.5 BTC 18:00 < petertodd> warren: tl;dr: people are going to lose shitloads of money, over and over again. and maybe Thompson's "Reflections on Trusting Trust" will be common knowledge. 18:00 < phantomcircuit> and include a nice little script to start with -loadblocks 18:00 < warren> petertodd: the massive centralized thefts seem to happen a lot 18:01 < petertodd> warren: indeed, and more to the point, it's impossible to know how many are insiders. 18:01 < warren> Don't worry, Coin Validation to the rescue. 18:01 < warren> forgot the smiley on that 18:01 < phantomcircuit> warren, the issue is people keep trusting people nobody really knows 18:01 < petertodd> warren: but we're also starting to see thefts due to hacked software - anything that auto-updates is scary. 18:01 < phantomcircuit> people suck at trust 18:02 < warren> You mean TradeFortress isn't trustworthy? 18:02 < phantomcircuit> aahahh 18:02 < phantomcircuit> oh god 18:03 < warren> both him and Ukto came into #bitcoin-dev screaming for help with wallet issues 18:03 < gmaxwell> warren: you mean people didn't know he wasn't trustworthy? 18:03 < phantomcircuit> gmaxwell, amazingly that message was apparently not received by everybody 18:03 < petertodd> warren: My views on those things is I'm likely to lose whatever I have in them eventually, but I also like the privacy. So I've lost money on instawallet, inputs.io, and will eventually lose $100 or so on EasyWallet. 
18:03 < warren> it's a little sad that we can't recommend that people can't use bitcoind's wallet for a service provider
18:03 < phantomcircuit> largely because he basically bribed a bunch of people to write positive fluff stories
18:04 < warren> my english is failing, I need more sleep.
18:04 < phantomcircuit> warren, well if there is a 0.8.6 release with my wallet hashing code then it will be totally
18:04 < phantomcircuit> you just need to have enough ram for all of the transactions in the wallet
18:05 < warren> phantomcircuit: was that merged into master yet?
18:05 < phantomcircuit> i have a testnet wallet with like 90k transactions that's only 400 MB on disk
18:05 < phantomcircuit> probably less in memory
18:05 < petertodd> warren: ha, yeah, that satoshi didn't use type1 deterministic wallets should convince anyone he was a shitty programmer.
18:05 < phantomcircuit> warren, yeah it was
18:05 < warren> phantomcircuit: we have at least two DoS patches that could be a 0.8.6
18:05 < phantomcircuit> warren, hmm?
18:05 < phantomcircuit> ones that haven't been merged yet?
18:05 < warren> phantomcircuit: yes
18:05 < phantomcircuit> warren, you have a pr?
18:06 < warren> phantomcircuit: which PRs were the wallet performance commits?
18:06 < warren> phantomcircuit: you really want me to tell the public which are DoS fixes?
18:06 < phantomcircuit> i guess not
18:06 < phantomcircuit> lol
18:08 < phantomcircuit> https://github.com/bitcoin/bitcoin/pull/2950
18:08 < warren> that the only one?
18:08 < warren> I thought there were like four
18:08 < gavinandresen> I'm dragging my feet on 0.8.6 because I keep hoping somebody figures out the leveldb corruption issue. Time to give up on that, I think.
18:09 < warren> gavinandresen: my 0.8.5++ branch is super well tested
18:09 < gavinandresen> warren: famous last words!
18:09 < warren> gavinandresen: the leveldb bounty was only posted recently, let's wait a bit longer?
18:10 < petertodd> gavinandresen: release 0.8.6 with macos disabled, followed by 0.8.7 with it enabled once leveldb is fixed - good statement re: maintenance doesn't happen by magic
18:11 < gavinandresen> petertodd: good idea.
18:11 < phantomcircuit> warren, there are other ones that haven't been merged
18:11 < gavinandresen> warren: link to your 0.8.5++ branch?
18:11 < phantomcircuit> i fixed the fractal complexity IsConfirmed function
18:12 < warren> gavinandresen: https://bitcointalk.org/index.php?topic=320695.0
18:12 < warren> gavinandresen: not suggesting shipping all of this crap of course
18:12 < warren> phantomcircuit: should I add your wallet thing to OMG?
18:13 < gavinandresen> mmm, definitely not. 0.8.6 will be critical-bug-fix-only
18:13 < warren> gavinandresen: OMG is whatever I think is good enough for non-mining nodes
18:14 < warren> gavinandresen: some of the patches here are appropriate for 0.8.6
18:14 < gavinandresen> warren: email me a list
18:15 < warren> gavinandresen: tonight
18:16 < warren> gavinandresen: seriously going to skip mac in a release?
18:17 < petertodd> warren: there's important fixes that would go in 0.8.6, why hold them back for a small minority?
18:17 < warren> are they a small minority?
18:18 < warren> and are the fixes important?
18:18 < petertodd> warren: last I checked on one of my nodes the supermajority of nodes had ip addresses that were definitely VPS services
18:18 < warren> petertodd: all at digitalocean? =)
18:18 < sipa> note that there aren't even bitcoind releases for OSX
18:18 < petertodd> warren: lol, nah, this was before that
18:19 < gavinandresen> warren: sure, when the bug is fixed we can release a mac version then. I don't like shipping known-seriously-buggy software.
18:19 < phantomcircuit> gavinandresen, well currently all the osx releases are known to be buggy
18:19 < gavinandresen> I don't like taking things away from people even more....
18:19 < nOgAnOo> hi phantom <3
18:19 < phantomcircuit> would it not be better to fix some things even if that can't be fixed yet?
18:19 < nOgAnOo> I love you.
18:19 < warren> gavinandresen: while I tested these patches against 0.8, my 0.8 is really a hybrid of 0.9, so I make no guarantees about these backports being correct against plain 0.8.5
18:20 < phantomcircuit> nOgAnOo, lol ok
18:20 < phantomcircuit> nOgAnOo, ohh hello
18:20 < phantomcircuit> i know who you areeee
18:20 < sipa> ehm
18:20 < sipa> get a room
18:20 < petertodd> warren: why not point osx users to your OMG branch then?
18:20 < sipa> s/room/channel/
18:20 < nOgAnOo> I remember your handle.. but I'm stoned.
18:21 < petertodd> "Wizards don't use drugs."
18:21 < phantomcircuit> lol
18:21 < nOgAnOo> *laffter*
18:21 < nOgAnOo> I hauled 5 truckloads of compost today
18:21 < nOgAnOo> shoveled by hand
18:21 < petertodd> /ignore nOgAnOo
18:22 < warren> gavinandresen: the elephant in the room here: many of us really think NODE_BLOOM should be added as a safety fallback. If we're doing 0.8.6 for the purpose of protecting the network with <those other DoS mitigations> I strongly suggest we include NODE_BLOOM too. Having it disabled by default but available as an option would allow the world to recover quickly without a software update.
18:22 < warren> petertodd: OMG branch isn't fixed for mac either
18:22 < petertodd> warren: you really had to bring that up?
18:22 < warren> petertodd: is it productive to continue to not talk about it?
18:23 < petertodd> warren: IMO we've pushed the cost of the attack just high enough that it's a bit hard to exploit, which gives us breathing room; NODE_BLOOM in that context is not critical.
18:23 < warren> gavinandresen: given inertia of defaults we're not under the risk of people turning it off en masse.
18:23 < petertodd> warren: IE, it's a "policy" decision, and calling it a solution to DoS attacks isn't the way to talk about it.
18:24 < warren> petertodd: sure it isn't a solution
18:24 < petertodd> warren: hence, leave it out of 0.8.6 and let people continue to think about it on their own terms
18:24 < warren> petertodd: neither is anything else we have
18:24 < petertodd> warren: yes, but we're at the point where a bored hacker can't cause us damage we can't recover from.
20:33 < gmaxwell> does it have to do the whole hash? :P
20:33 < sipa> i think being able to find 32 bits of it is not significantly easier
20:34 < sipa> well, even 1 bit
20:34 < gmaxwell> well I meant the whole function.
20:34 < sipa> you mean just a single compression function?
20:34 < gmaxwell> making a mechanical computer to compute one round wouldn't be that terrible.
20:35 < brisque> wouldn't be very impressive though
20:41 < Emcy> people make stuff like that in minecraft
20:41 < Emcy> it probably counts as emulation, but you can see the signal travelling in the 'data lines' so its close enough
20:41 < gmaxwell> I think we're not exposing people to enough really awesome ideas such that they think spending their time making ALUs in minecraft is a good way to have fun. :P
20:41 < Emcy> i think someone made a full 16 bit FLU+ALU+registers and etc out of blocks
20:42 < Emcy> how is that not fun
20:43 < brisque> fairly time consuming for the result
20:46 < Emcy> either ALUs or this http://www.youtube.com/watch?v=afcudstM9zA
20:46 < Emcy> also fairly time consuming
20:46 < brisque> gmaxwell: \o/ https://pay.reddit.com/r/Bitcoin/comments/1wfbjn/get_your_coins_out_right_away_alleged_weakness/
20:50 < brisque> gmaxwell: oh, and a bigger one https://pay.reddit.com/r/Bitcoin/comments/1wf5qb/possible_warning_btc_addresses_with_known_public/
20:55 < andytoshi> EnronIsHere helpfully explains "In cryptography, there is always a shortcut. Often very difficult to find but it's always there somewhere. That point really can not be stressed enough.
20:57 < andytoshi> i assume by "cannot be stressed enough" he means that his stressing program won't halt.... but he has no clue why since he doesn't believe in nonhalting programs :)
21:06 < Emcy> "stressing program wont halt"
21:06 < Emcy> life.exe
21:17 < brisque> andytoshi: this is a nice explanation too https://bitcointalk.org/index.php?topic=437220.msg4809894#msg4809894
21:17 < andytoshi> ohh thx brisque i was wondering wth a "rendezvous point" was
21:18 < brisque> basically his precomputed keys, heh.
21:45 < brisque> I'm sure everybody has seen the person joining #bitcoin and spamming obscenities at the OPs. they're all listed on bitnodes.io as having been seen running a node at some point.
21:45 < brisque> is somebody seriously running a bitcoin-related botnet and spamming the channel with it?
21:50 < brisque> oh, actually. they're shared VPN addresses rather than a botnet. that's comforting.
22:11 < super3> is Luke-Jr around? i'm just about done with proof-of-pizz
22:11 < super3> proof-of-pizza*
22:46 < Luke-Jr> we should all plan to plan out proof-of-steak at the Texas conference
22:47 < Luke-Jr> and announce it right at the end of the month
22:47 < Luke-Jr> maybe late by a day
22:47 < justanotheruser> Luke-Jr: have you heard of cyruscoin?
22:47 < Luke-Jr> no
22:47 < justanotheruser> It's based on proof of twerk
22:49 < tacotime_> I'll be at the Texas conference, but I can't get behind proof-of-steak because I'm a pescetarian. :/
22:50 < Luke-Jr> tacotime_: surely there is a seafood steak?
22:52 < tacotime_> I could do a salmon steak, I suppose. :D
22:53 < tacotime_> https://bitcointalk.org/index.php?topic=421842.msg4800547#msg4800547
22:53 < tacotime_> He actually cracked a brainwallet privkey, heh.
22:53 < Luke-Jr> not hard, brainwallets are stupidly insecure
22:55 < brisque> tacotime_: brain wallet? it was probably created with his "weak key generator", which only generates keys of which he has the rainbow tables for.
22:56 < super3> ha ha.
cyruscoin thats a new one
22:56 < tacotime_> Heh.
22:58 < super3> once its a little closer to the conference ill find a good steakhouse (with some non-meat options too) and we can all go there
22:58 < super3> perhaps we can even pre-plan and have them accept Bitcoin
--- Log closed Wed Jan 29 00:00:07 2014
--- Log opened Wed Jan 29 00:00:07 2014
00:37 < helo> where in tx?
04:41 < gmaxwell> http://xkcd.com/1323/ < tehehe
04:46 < _ingsoc> gmaxwell: Care to make a single statement on Ethereum? For the press!
04:46 < _ingsoc> (I'm kidding about the press)
04:47 < gmaxwell> meh.
04:48 < _ingsoc> Hahaha. I thought so much.
04:48 < gmaxwell> I'm happy to hear someone is exploring something different, really disappointed to see another group asking for millions of dollars for a bill of goods. The code posted so far is unimpressive.
04:48 < _ingsoc> What makes the code unimpressive?
04:49 < gmaxwell> I also think the goal is actively stupid, but in the hierarchy of goodness good > stupid > redundant; something that sounds foolish to me may turn out to be good ultimately (esp after some iteration to fix flaws the first couple times it gets knocked down and everyone gets robbed :P )
04:50 < gmaxwell> There isn't (wasn't? it's been two weeks since I looked) much of anything there, I mostly looked at the script stuff, and it was clearly being done by someone with no experience programming a stack machine.
04:50 < _ingsoc> Heh. People will go crazy if it flops.
04:50 < _ingsoc> Interesting.
04:51 < _ingsoc> The C++ code?
04:51 < gmaxwell> I looked at both the go and the c++ code.
04:51 < _ingsoc> Ah.
04:51 < _ingsoc> Know much about vbuterin?
04:52 < gmaxwell> ("technically turing complete, yes, but so is subtract-and-branch-if-less-than-or-equal-zero.")
04:52 < gmaxwell> I've met him, seems like a nice guy, relatively quiet. I don't know him well.
04:53 < _ingsoc> It'll be interesting to see what happens in this space. Sounds better than Mastercoin at least.
xD
04:53 < gmaxwell> I've been unimpressed at times with some of his writing on technical subjects, but addressing a general audience is difficult so that might not really mean much of anything.
04:53 < _ingsoc> True.
04:53 < gmaxwell> _ingsoc: I'm not sure how to distinguish it. I mean, mastercoin could _be_ this effectively. Thats one of the 'upsides' of basically selling a sheet of paper with promises.
04:54 < gmaxwell> It could become embodied in some way which is very technically different than the initial proposal.
04:54 < _ingsoc> Something about how Mastercoin is managed that makes me cringe.
04:54 < _ingsoc> Maybe if the ideas were in the right hands, I don't know. But so far it's sounded like a nightmare.
04:54 < _ingsoc> From a project management perspective.
04:54 < gmaxwell> well, I have the same cringe on the ethereum goal to raise 36 million dollars, which is just insane in my opinion.
04:55 < _ingsoc> That's a bit of a misconception. They put the hard cap at 30k Bitcoin.
04:55 < _ingsoc> They were worried a whale would come and swallow up the sale.
04:55 < _ingsoc> They just need 500 BTC.
04:56 < _ingsoc> But claim to have transparent expenditure plans up to that point.
04:56 < nsh> why not... demonstrate something is viable before getting ludicrous and unnecessary capitalization?
04:56 < nsh> is that naive? i am not a business person
04:56 < _ingsoc> nsh: Ask all of Silicon Valley?
04:56 < gmaxwell> nsh: It's not naive. It's basic ethical behavior.
04:56 < _ingsoc> Agreed.
04:56 < _ingsoc> Problem is people need to eat I guess.
04:56 < gmaxwell> Especially for something which doesn't have infrastructural requirements for that sort of funding.
04:57 * nsh nods
04:57 < _ingsoc> Their Github is supposed to be evidence of work.
04:57 < _ingsoc> Some might agree it's that, others may disagree.
04:57 < gmaxwell> _ingsoc: my living expenses are about 30k/yr and I live in one of the most expensive places to live in the world. How many people need to eat?
04:57 < _ingsoc> 22.
04:57 < _ingsoc> Well, I don't know what the proportions are.
04:57 < _ingsoc> But 4 founders.
04:58 < _ingsoc> Any prior Invictus involvement makes me nervous. Won't lie about that.
04:59 < gmaxwell> really it sounds like they're outsourcing all the risk, and I think thats not reasonable for initial development and it misaligns motives, but there is no need for me to be judgemental, people can decide if they'd like to fund it.
04:59 < _ingsoc> That's been the sentiment it seems.
04:59 < gmaxwell> And yea, well I was trying to not make any negative comments about the people.
04:59 < _ingsoc> Same.
05:00 < gmaxwell> and as I said, stupid > redundant. I'd rather have newer attempts even with dumb funding models, than more stuff that just copies the bitcoin codebase and changes ~nothing more than the name.
05:01 < nsh> the wheel of progress is oiled with the grease of fleece :)
05:01 < gmaxwell> (maybe we'll learn something; though I'm skeptical: basically no one uses the powerful scripting in bitcoin, the hard parts are UI and user education and such)
05:03 < gmaxwell> I'd like to see some of these things fail in novel ways. Ethereum losing all its non-miner validators will be very interesting. I'm sad that none of the altcoins have uncapped the block size. (No "SuperScalableCoin", AFAIK).
05:04 < grazs> HaikuCoin, you must embed a unique haiku poem to every transaction
05:06 < gmaxwell> grazs: you've seen my covenant thread? the kind of thing is possible in the form of fungibility loss if you have insufficiently constrained script. :P
05:08 < grazs> gmaxwell: no, please share :)
05:09 < grazs> btw, nice collection of alt-ideas in the wiki. it's been a nice topic of conversation among my colleagues
05:09 < gmaxwell> grazs: it's kinda old now, there is probably a bunch of things I'd add if I updated it.
05:09 < gmaxwell> grazs: https://bitcointalk.org/index.php?topic=278122.0
05:11 < grazs> gmaxwell: I live for bad ideas, will read this at lunch!
05:13 < gmaxwell> (the general concept has positive uses too, but most _random_ ways of using that particular expressive power are really bad)
13:37 < gmaxwell> May be of interest to some here: https://lists.torproject.org/pipermail/tor-dev/2014-January/006146.html "Key revocation in Next Generation Hidden Services"
13:47 < petertodd> maaku: NO! the magic CC script can be written such that it itself checks the transaction recursively, which means that all you have to do is check that the CC script would see the current "tip" transaction as valid one step back
13:47 < maaku> oh yes i see how that would work
13:48 < maaku> you lose SPV compatibility though
13:48 < petertodd> maaku: no you don't! SPV compat is still there because you only need to check one step back to know the whole chain is valid
13:48 < petertodd> maaku: remember, the magic CC script can only exist in the scriptSig if the previous tx included the magic CC script in the scriptSig, all the way to the genesis condition
13:48 < gwern> huh. induction in real life.
13:48 < petertodd> gwern: yes
13:49 < maaku> only if the coins become unspendable if they were invalidly constructed
13:50 < petertodd> maaku: no, the coins are always spendable, but you can't spend them with a transaction scriptSig that matches the CC script checker
13:50 < petertodd> maaku: IE, you can get the coins back under all circumstances, you just can't make them colored fraudulently
13:51 < maaku> petertodd: ok, walk me through this. I create a transaction marking all the outputs as 'blue' with a CC script prefix
13:51 < gmaxwell> you make the script only allow you to assign it if it was used previously or if some birth criteria is met.
13:52 < petertodd> maaku: *no*, you make a transaction that in the scriptSig includes the CC validity script
13:52 < gmaxwell> E.g. this color coin script can be applied if the parent txout is txid:vout or if the parent script had this script on it.
13:52 < petertodd> maaku: now, if you are the genesis tx, you have a separate code-path that checks a signature or that the txin is something specific or whatever
13:52 < gmaxwell> you use the first rule to give birth to the colored coin and then the rest can only be children of it.
13:52 < petertodd> gmaxwell: can only be children of it *or* not colored
13:52 < gmaxwell> or not colored, indeed.
13:53 < gmaxwell> don't want it to be viral.
13:54 < petertodd> yup
13:54 < maaku> ok how do you restrict which outputs are colored?
13:54 < adam3us> gwern, petertodd: i am not sure how important sequential memory hard is Lerner says "must not allow easy parallelization
13:55 < petertodd> maaku: the restriction is that you can't make the CC script execute unless the transaction only creates valid CC outputs
13:55 < adam3us> gwern, petertodd: however mining is inherently massively parallelizable by intent and necessity; what does it matter if its micro parallelizable as well as macro-parallelizable
13:55 < petertodd> maaku: but you can still spend the outputs, it just means the outputs aren't colored
13:56 < petertodd> adam3us: the difference is that micro-parallelization has different characteristics due to how memory works; the idea is that if you use some block of ram sequentially *at the scale of PoW mining hardware* that forces you to implement it in ways that looks like commodity hardware
13:57 < maaku> petertodd: so the outputs are still tagged?
13:57 < petertodd> adam3us: the problem is this isn't a hard-and-fast rule - it's not that his argument is invalid, just that he needs to analyze it much more carefully than that
13:58 < petertodd> maaku: well, one way to do it would be to rely on the txout index, so you might commit to what values spends of the various txouts are allowed to have in some merkle tree without actually evaluating the txout scriptPubKeys directly
13:58 < adam3us> petertodd: well if it was really sequentially accessed its cacheable and address calc pipelineable. seems more like scrypt's romix component with random access is more plausible.
13:59 < maaku> petertodd: btw, have you considered looking at how modern commodity hardware is deficient, and focusing on proof of work that would improve the situation if commoditized?
13:59 < petertodd> maaku: basically the scriptSig contains: <merkle root of allowed output CC values> <CC verification script>
14:00 < petertodd> maaku: that's what SHA256 does, *if* ASIC mfg capacity is available, then a really simple PoW like sha256 is ideal because your startup costs to make a miner ASIC are low
14:00 < petertodd> adam3us: sequential != cachable
14:00 < maaku> petertodd: oh, i mean things like highly interconnected cores, greater memory bandwidth, etc.
14:01 < petertodd> adam3us: for real-world memory sequential is faster however, due to the fact that real-world ram talks to cpu's on a bank level, among many other considerations
14:02 < adam3us> maaku: i like the Parallella chips. many risc cores on a chip. like a gpu but without the custom graphics stuff and without SIMD
14:02 < petertodd> maaku: well, see the problem with stuff like that is what is available as commodity changes over time; you have to target some architecture with a very high chance of existing in the future
14:02 < maaku> adam3us: like Cell and APU
14:02 < adam3us> petertodd: right.
sequential access is faster on existing hardware because they optimize for it
14:03 < petertodd> adam3us: not so much because they optimize for it, but because it's the only possible way to build the hardware
14:03 < petertodd> adam3us: I mean, you could optimize for something else, but the limitations of silicon strongly suggest bank-accessed designs
14:03 < maaku> petertodd: no that's my point - you target something which you would like to become available, because it is beneficial for other purposes (e.g. those are things I would like for commodity supercomputers)
14:03 < maaku> or rather, things which are available now but in limited quantities
14:04 < petertodd> adam3us: similarly you need designs where the cpu<->mem interface happens in packets because high-speed parallel busses are impossible to make
14:04 < maaku> and let the market push industry further in that direction
14:04 < petertodd> maaku: oh, I see, yeah, but that's a very risky strategy that's just as likely to lead to some ASIC that's overly optimized and useless for any real-world thing
14:05 < petertodd> maaku: for instance, PoW mining can tolerate way higher error rates than almost any other application
14:06 < adam3us> maaku: so one hypothesis is to use halting problem logic to search for instruction sequences and what state they put some memory into or something like that of an open risc cpu design. if people want to make those fast thats a public good. however typically there is going to be something that can be stripped to advantage to make them faster/more energy efficient as miners.. but yes its an interesting direction.
14:08 < adam3us> maaku: basically the lesson i draw is a) hardware wins; b) a lot of software people don't know much about highly optimized custom hw design nor the limiting factors
14:09 < petertodd> adam3us: hence why I think we're a lot more likely to come up with PoW that is FPGA-soft rather than FPGA-hard
14:11 < adam3us> in some way of thinking re jtimon argument yesterday about energy efficiency, asic hashcash-sha256^2 could be argued to be more energy efficient than gpu-hard. so other than the centralization issues coming from hw manuf barrier to entry perhaps thats not so bad. (ie the more profitable mining is above investment the more likely it is to be energy efficient)
14:11 < petertodd> adam3us: meh, I like to beat on nature
14:13 < adam3us> the other obvious approach is to change the PoW periodically, or put dozens of building blocks into it and change the way they are connected to define new mining variants. have % of reward allocated to different PoW params, and adjust the difficulty of each param-set to match the % target.
14:13 < jtimon> adam3us I guess jgarzik just convinced me here http://www.coindesk.com/bitcoin-developer-jeff-garzik-on-altcoins-asics-and-bitcoin-usability/
14:13 < jtimon> sorry afk for some time
14:14 < petertodd> jtimon: ugh... that's really ill-informed
14:14 < petertodd> jtimon: god-damn software engineers :p
14:14 < adam3us> u note how sergio lerner posted that mem hard pow with todays date. he seems to be a bit secretive and then reveal things when pushed.
he still didn't reveal his claimed coin anonymity
14:15 < petertodd> adam3us: one thing that worries me about "change the pow constantly" schemes is they can turn the "ASIC-hard" problem into a secret *software* problem
14:16 < petertodd> adam3us: IE, if I'm a FPGA mfg and I put my experts onto the problem of making meta FPGA programming code to target the PoW most efficiently every day
14:16 < petertodd> adam3us: that industry has enough secrets that it'd be a winner-take-all situation potentially
14:21 < petertodd> Oh, here's a nice proof-of-existence: suppose you have a scrypt-like sequential-hard PoW function. Now, they kinda suck because to verify them you need a ton of RAM and a lot of CPU power right? However, you can also make a SCIP/ZK-SNARK style proof of the pow solution and verify that instead.
14:21 < petertodd> Thus we know you can make sequential-hard PoW with fast verification.
14:22 < petertodd> Of course, there's the real-world problem where the SNARK proof-creation is a better PoW than the scrypt... :)
14:22 < petertodd> maaku: ^ though that might be a useful way to optimize SNARK proof-creation of course...
14:22 < petertodd> (I think gmaxwell? suggested basically that for SCIP stuff?)
14:25 < adam3us> petertodd: yes. my supposition would be the hw people would make fpgas with reconfigurable buses etc between the lumpy modules that can be rewired the same as the sw. "hw wins" etc
14:25 < gmaxwell> though even though snark validation is fast it's still slower than SHA256 by a fair margin. (see vntinyram paper for state of the art numbers on the verification of the ggpr stuff... but anything else is not going to be much faster)
20:31 < shesek> (browserify compiles code with nodejs module system to a single js file with all the dependencies)
20:34 < arbart> shesek: thank you very much!
20:34 < shesek> arbart, you're welcome
20:35 < shesek> I've been using it quite heavily myself for bitrated, so feel free to ping me if you need any help
20:48 < arbart> shesek: thanks, its not unlikely I'll have to take you up on that offer :)
20:48 < shesek> cool, I'll be glad to help if I can :)
20:52 < shesek> you can also check the code at https://github.com/shesek/bitrated/ to see some examples of using it (its written in coffeescript, though) and how the browserify compilation step works (bin/build-static.sh, or server/assets.coffee for a nodejs server that compiles on-the-fly)
20:53 < jgarzik> shesek, RE bitcoinjs-lib, BitPay's fork of bitcoinjs-server (the node.js fork) is the most maintained
20:53 < jgarzik> in case you are on server, rather than client/browser
20:53 < jgarzik> https://github.com/bitpay/bitcore
20:54 < shesek> oh really? that's great to know, last time I looked at bitcoinjs-server it seemed completely unusable :\
20:54 < shesek> I ended up using bitcoind with a thin nodejs layer to serve the public api
20:54 < jgarzik> shesek, creaky and old. both bitcoinjs-lib and bitcoinjs-server were 2 years old. no p2sh, no multisig, ...
20:55 < jgarzik> shesek, we need all that, so we picked up maint on the node.js stuff
20:55 < jgarzik> shesek, _most_ is compatible with the browser, but there are a few replacements still needed
20:56 < shesek> have you looked into vbuterin work on bitcoinjs-lib? he got it to a pretty stable state, added new features, and made it compatible as a nodejs module
20:57 < jgarzik> yes
20:57 < jgarzik> it wasn't complete enough when we looked at it
20:57 < jgarzik> at the time, coinpunk was in bitpay's office, hacking out code to run in browser
20:59 < shesek> oh, cool, I didn't know coinpunk was related to you
20:59 < shesek> you just gave them some work space, or is coinpunk a bitpay project?
20:59 < jgarzik> he worked for us briefly
21:00 < arbart> What's the node.js stuff for? accessing the blockchain?
21:01 < shesek> that, and for handling keys/addresses/transactions/signatures server-side
21:02 < arbart> No current alternative if I want browser js to parse the blockchain for what I'm doing?
21:03 < shesek> how would that work? you would load the entire blockchain client side?
21:03 < shesek> the client-side libraries allow you to create keys/addresses, construct/sign transactions and all that
21:04 < shesek> communicating with the Bitcoin network/blockchain requires running something on the server that's capable of doing that
21:04 < shesek> I ended up writing https://github.com/shesek/bitcoin-webapi that exposes some minimal APIs that I needed (loading unspent inputs and broadcasting transactions) on top of bitcoind with sipa's #2802
21:04 < shesek> (address index with searchrawtransaction, https://github.com/bitcoin/bitcoin/pull/2802)
21:10 < arbart> Ok, I understand then. Your coffee script stuff looks pretty cool actually.
21:11 < shesek> its a nifty little language that can give some people a serious productivity boost, but its not for everyone :)
21:12 < shesek> bitrated's source is still a bit messy, but its somewhat organized and commented, so it should give you a good start
--- Log closed Fri Jan 24 00:00:55 2014
--- Log opened Fri Jan 24 00:00:55 2014
12:58 < imsaguy> All you people don't get bitcoin.
12:59 < gmaxwell> 0_o
12:59 < _ingsoc> xD
12:59 < _ingsoc> Okay then.
12:59 < amiller> thanks
13:15 < midnightmagic> He's mocking me because I told him most people in #bitcoin* probably don't understand bitcoin.
13:16 < gmaxwell> ah
13:17 < tacotime_> we're way more knowledgeable over here in wizards
13:18 < tacotime_> what's a blockchain?
13:18 < amiller> i just met yet a few more unexpected people who are pursuing bitcoin research
13:18 < amiller> especially a pretty famous programming-languages person who apparently is about to publish a type-theory altcoin proposal
13:19 < nsh> yay
13:19 * nsh premines some functorcoins
13:19 < amiller> LOL
13:20 < amiller> it was weird, he was explaining the linear type system that it will use
13:20 < amiller> i said, cool, do you have any particular motivating example in mind
13:20 < amiller> he was like no not at all.
13:20 < gmaxwell> hahaha
13:20 < gmaxwell> <foo> but in a cryptocurrency.
13:21 < amiller> "welcome. you'll fit right in here."
13:21 < tacotime_> the screaming robot of cryptocurrencies.
13:21 < tacotime_> hahaha
13:22 < nsh> Linear type systems are the internal language of closed symmetric monoidal categories, much in the same way that simply typed lambda calculus is the language of Cartesian closed categories. More precisely, one may construct functors between the category of linear type systems and the category of closed symmetric monoidal categories.[7]
13:22 < nsh> -- http://en.wikipedia.org/wiki/Substructural_type_system#Linear_type_systems
13:22 < nsh> should be fun...
13:23 < amiller> linear logic is good for modeling resources
13:24 < amiller> for example from one quarter, you can derive two dimes and a nickel
13:24 < amiller> also from one quarter, you can derive five nickels
13:24 < amiller> but that doesn't mean you can take a quarter and derive six nickels and two dimes
13:24 < nsh> kinda like typing with accountancy baked in
13:24 < tacotime_> Hmm.
13:24 < amiller> you could probably express all the conservation rules about no inflation etc using linear logic (though i think it would be overkill)
13:25 < tacotime_> What's the real world application?
13:25 < amiller> well take ethereum scripts for example
13:25 < amiller> maybe you'd like to be able to typecheck them and prove they don't leak value somehow
13:25 < tacotime_> Ah
13:28 < tacotime_> So like proof-carrying code?
13:29 < amiller> i think so (but i'm really not sure)
13:29 < gmaxwell> amiller: I don't know why that really matters inside a cryptocurrency. We shouldn't have code in a cryptocurrency, we should have witnesses for code other people ran.
13:30 < amiller> i told him about snarks and pinocchiocoin, he knew about pcp proofs
13:31 < gmaxwell> You can think of that stuff just as a performance optimization.
13:31 < amiller> then sure
13:32 < amiller> so when the witnesses about code that other people ran, are about values that are of global importance, like a monetary supply, then applying this sort of conservation logic would be relevant
13:32 < gmaxwell> Well, sure I think it's good to create things using tools for soundness, but there isn't any reason to leave them in inside the witness.
13:33 < tacotime_> You can provide witness for executed code without executing the code yourself to verify it?
13:33 < gmaxwell> type data is precisely the sort of thing you can omit in a witness when extracting it from an execution trace, even before you go the route of converting the execution trace into a snark.
13:34 < tacotime_> I'm unfamiliar with a lot of this "proofs" stuff used for ZRC etc
13:34 < gmaxwell> tacotime_: Yes, thats what a snark is, a proof that code was faithfully executed which is logarithmic in the length of the execution (or smaller, with cryptographic assumptions they can be constant size in the security parameter)
13:34 < tacotime_> Ah, I see.
13:35 < andytoshi> tacotime_: thank you for acting incredulous about that.
i wish more people here would explicitly mention how mind-boggling this is :P 13:36 < nsh> once you accept the existence of voodoo magic, it's a relatively trivial corollary 13:36 < gmaxwell> PCP theorem proves that any execution in NP is provable with arbitrary soundness compactly, though PCP doesn't directly give a pratical way to go about doing it. 13:37 < tacotime_> Hahaha. Well, I never used to hang out here so a lot of this stuff is novel to me. I only sat around bitcointalk and the issues over there regarding what they want in altchains is apparently very different. 13:38 < tacotime_> *are 13:38 < andytoshi> gmaxwell: is there a nice paper summarizing the pcp theorem's history and proof? wiki sorta says "it's smeared over 30 years of history, good luck friend" 13:38 < amiller> this stuff is at the front of theoretical cryptography, it should be novel to pretty everyone, it's pretty exciting we have a reason to discuss it at all (which is why even the cryptographers working on it are like, oh this is practical, it's even relevant for bitcoin) 13:38 < amiller> andytoshi, hah. 13:38 < amiller> http://courses.cs.washington.edu/courses/cse533/05au/pcp-history.pdf 13:38 < tacotime_> Thanks 13:39 < gmaxwell> Well I don't think proving in zero knoweldge is _that_ remarkable, that the proofs can be sublinear in size is somewhat remarkable. 13:40 < andytoshi> amiller: thanks! gmaxwell: the sublinearity is weird, it feels like skirting P=NP in the same way as quantum entanglement skirts "can't send signals faster than time" 13:40 < nsh> hehmm 13:40 < andytoshi> that is, there is no actual violation, but it seems like -something- in the platonic realm must be violating it 13:40 < amiller> https://eprint.iacr.org/2012/215.pdf this is the big theoretical result that made SNARKs a hot topic 13:41 < amiller> it's underlying TinyRAM and Pinocchio etc 13:41 < amiller> some of its paragraphs are possible to read... 
13:41 < nsh> andytoshi, i had similar intuitive feelings, but hadn't made that analogy. thanks
13:41 < gmaxwell> That's the GGPR'12 paper. Meh. well, it's not the only thing that made it a hot topic.
13:42 < amiller> hrm, what's the best thing preceding it?
13:42 < gmaxwell> andytoshi: well it can be useful to think about what you give up in both cases. SNARKS in sublinear size 'only' have computational soundness.
13:42 < amiller> proofs for muggles maybe
13:43 < amiller> no proofs for muggles is interactive
16:07 < adam3us> nsh: or a 1/100th difficulty. with the objective to make pools less critical for more people.
16:08 < nsh> hmmm
16:09 < adam3us> nsh: tends to mean the block chain gets spammed with lots of little-pows, the interblock interval will be much lower (and he proposed to use GHOST (hashing non conflicting orphans) to support 1min eg interval without orphan loss))
16:10 < nsh> i'll take your word for it :)
16:11 < adam3us> amiller, nsh: but my more immediate issue was why would a pool with a reasonable chance of getting a full size reward (1-conf) bother to accept say 0.9 reward rather than just orphaning the 0.1 reward. maybe amiller can explain how he thought that would work when he's online
16:12 * nsh nods
16:12 < amiller> well the same you build on other people's blocks rather than undermining them
16:12 < amiller> same reason*
16:13 < amiller> i mean, you can get the full size reward by building on the 0.1 block too
16:13 < adam3us> amiller: well in that case its because you are scared that someone will build on the other block and you'll get orphaned
16:13 < amiller> yes
16:13 < adam3us> amiller: oh i see, got it. no new incentive to orphan
16:15 < sipa> i'm not sure the discreteness of increments to the total work is irrelevant
16:15 < adam3us> amiller: you also said you thought you'd have to use GHOST if i recall
16:15 < adam3us> amiller: to combat the faster variable-sized block interval that may result
16:15 < amiller> sipa, the way i say it now is that it seems okay as long as there is a bound on the min difficulty and max difficulty
16:16 < adam3us> sipa: i think its utility is it reduces the need to pool. you can more likely direct mine.
16:16 < amiller> the problem with too low difficulty is DoS and waste, and the problem with max difficulty is that malicious-not-profit-motivated attackers can revert long amounts of history with nonnegligible probability
16:16 < amiller> but it's okay if there are two parameters clamping this space...
16:17 < amiller> (i'm still trying to figure out how to prove something about the case where there are no bounds/parameters but i haven't gotten anywhere)
16:17 < adam3us> amiller: do you know how GHOST proposes reward works in the adopted non-conflicting orphans in a given block?
16:17 < amiller> ghost proposes no rewards i believe
16:17 < amiller> i think it might not hurt to just include the rewards
16:17 < amiller> i'm not sure though.
16:18 < adam3us> amiller: i think there would need to be some incentive to adopt orphans?
16:19 < amiller> yeah, i don't have any good answer for how that should work
16:23 < adam3us> amiller: eg you get 10% of the reward on top of each orphan you adopt, or something like that. (Bearing in mind rate of reward distribution can be tuned to match current however its done)
16:23 < maaku> adam3us: what do you mean by adopt? GHOST doesn't have anything like that (or need it)
16:24 < adam3us> amiller: i thought ghost works by referencing multiple predecessors in a given block, so that the adopted orphans are considered in the weighting of which block is voted as correct
16:24 < amiller> i get nauseous everytime there appears to be another parameter to adjust to reward/discourage some behavior like orphan vs building
16:24 < amiller> if i can state what the desired behavior is supposed to be and what the options are the right approach is to solve for what is incentive compatible or something like that, but that never seems to work out :/
16:24 < nsh> amiller, works for the standard model...
16:25 < maaku> adam3us: no, ghost is just a new algorithm for selecting best block, taking into account stale blocks you might have seen
16:25 < adam3us> amiller: yes. well in my own design exploration i always come back so far to the current design is best. i found something like ghost but decided its complex to limited benefit.
16:25 < nsh> all we need is like 30-60 finely-tweaked otherwise-inexplicable parameters
16:25 < maaku> adam3us: it's a local algorithm, not consensus based
16:25 < adam3us> maaku: oh, seems i misunderstood it!
16:26 < sipa> maaku: what do you mean by local?
16:26 < nsh> (then we "explain" it by resource to an anthropic blockchain landscape)
16:26 < adam3us> maaku: so which is the best block in ghost?
16:26 < nsh> *recourse
16:26 < adam3us> amiller: yeah i think game-theory and self-interest are security-fragile.
16:27 < maaku> adam3us: at each step, choose the branch with the most total work, including stales
16:27 < amiller> but, we now have a more specific guiding goal
16:27 < sipa> maaku: right, but that can change over time
16:27 < amiller> getting whatever people want or can get from p2pool within the main game itself....
16:28 < maaku> sipa: yes, but with a stable outcome
16:29 < adam3us> maaku: wait but orphans arise because of simultaneous publication, so what does ghost mean, you switch to a later announced block if it is heavier? how is weight determined?
16:29 < adam3us> maaku: (I mean you switch to mining on)
16:31 < maaku> adam3us: start with the genesis block as best. sum the aggregate work built off of each branch you know of - including stales - and choose the one with most total work
16:32 < maaku> if two branches have the same weight, then you use some other factor (like say when you heard about it)
16:33 < maaku> but yes, maybe one has more stales and therefore more weight
16:33 < maaku> another way of saying this is choose the branch that you have more evidence of hashpower commitment to
16:33 < maaku> because, in the long run, it's the branch more likely to pull ahead
16:33 < qwertyoruiop> maaku: so basically, 51% easier.
16:33 < maaku> qwertyoruiop: ?
16:34 < qwertyoruiop> the biggest pool can have more luck at double spending
16:34 < maaku> qwertyoruiop: no. not unless they are already >50%
16:35 < qwertyoruiop> you'd be making it easier for < 50% attackers trying to doublespend.
16:35 < maaku> qwertyoruiop: no it'd be harder
16:36 < maaku> because if the attacker has <50%, then he would have less evidence of work on his chain
16:37 < maaku> so people *wouldn't* switch to it, even if he managed to pull ahead by getting lucky
16:37 < adam3us> maaku: so do you think its really true that this makes the orphans useful enough to count as productively used and so to support reducing the block interval to 1min (with higher orphan rates) as they propose?
16:38 < maaku> he'd have to surpass not just the linear work of the honest chain, but all the stales too
16:38 < adam3us> maaku: doesn't the orphan still get no reward and so give advantage to better latency connected miners?
16:38 < qwertyoruiop> what would exactly the point of adopting orphans be?
16:38 < maaku> adam3us: stales not orphans, and there's no reason to decrease the interblock time
16:39 < maaku> it gets you no practical advantage with a *huge* hit to SPV users
16:39 < adam3us> maaku: well i know no need, but i thought that was one of their claimed reasons and advantages for the approach?
16:39 < maaku> they misunderstand the tradeoffs involved
16:39 < maaku> but yes, that is what they are proposing
16:40 < adam3us> qwertyoruiop: maaku is explaining there is no orphan adoption in ghost
16:40 < maaku> GHOST lets you approach closer to the limits of what given bandwidth and latency assumptions allow
16:40 < maaku> closer than stock bitcoin at least
16:40 < adam3us> maaku: but that seems to create centralization risks if there is no reward for stales
16:40 < adam3us> maaku: (latency centralization)
16:41 < maaku> adam3us: bitcoin protocol is not the place to correct that
16:41 < maaku> do something like p2pool does
16:42 < maaku> adam3us: GHOST lets us increase the block size more, or decrease the block interval lower
16:42 < maaku> they mistakenly advocate shorter block times when in fact larger block sizes are more likely
16:43 < maaku> so for a given centralization tradeoff let's say 100MB blocks is possible with stock bitcoin; GHOST will let us get to 120MB for that same tradeoff
16:43 < maaku> (i'm making up numbers)
16:44 < maaku> regarding reward, i don't know if p2pool actually does this now, but there's no reason it couldn't merge share chains
16:44 < maaku> (forrestv ^^)
16:45 < justanotheruser> So here is how I want to score how likely it is someone is being a "greedy miner". First measure how often 1,2,3... block orphans occur. Combined with the hashing power of a pool I should be able to calculate what the odds are that there are N+1 blocks replacing their competitors orphans N blocks. If the odds of it happening are 1/X, then they get X added to their score. Keeping track of a weekly score should be able to ind
16:45 < justanotheruser> s/Analiese/anomalies
16:46 < adam3us> maaku: "it gets you no practical advantage with a *huge* hit to SPV users" "they misunderstand the tradeoffs involved" what was that in relation to?
16:46 < maaku> justanotheruser: or, you could simply point a miner at their pool and see if they're building off non-public work
16:46 < maaku> adam3us: advocating smaller interblock times (bad) vs. increasing the block size (good)
16:47 < maaku> smaller interblock times get you nothing unless you can get under a second
16:47 < maaku> which is impossible
16:47 < maaku> so actually, we want the *largest* acceptable interblock time
16:47 < maaku> since that minimizes strain on SPV devices
16:48 < justanotheruser> maaku: wow, that is a lot easier
16:48 < justanotheruser> maaku: except they might be doing this attack using cex.io
16:49 < adam3us> maaku: strain in terms of keeping up with the hash chain and/or number of bloom queries if they are constrained to a block?
16:49 < maaku> justanotheruser: correct, hosted miners are far worse than pools
12:08 < sipa> petertodd: that means the int64 amounts should overflow at some point?
12:08 < petertodd> (pity it'll probably be removed in a hard fork...)
12:09 < petertodd> sipa: what amounts though? there's no "total coins" amount in the consensus code
12:09 < jtimon_> petertodd: I think what sipa means is that you could cause overflows at some point
12:09 < petertodd> sipa: I think the tx code is probably safe because of MAX_MONEY (which the doge team apparently thought was what set the max amount of money)
12:10 < sipa> petertodd: right, i mean more that MAX_MONEY may at some point in the future become uselessly low
12:10 < petertodd> jtimon_: sure, but if no consensus critical code is affected they're ok, and anyway, checked again and it's not 5% inflation, but a linear coin # increase, so it'll take awhile
12:10 < sipa> oh
12:10 < sipa> boring :)
12:11 < petertodd> sipa: well, saying "inflation" was bad of me, so I think they're ok
12:11 < jtimon_> it's monetary inflation
12:11 < jtimon_> not necessarily price inflation
12:11 < petertodd> jtimon_: yup, just not numerical inflation :P
12:11 < sipa> yeah, it's money inflation not price inflation
12:11 < sipa> not what i meant
12:11 < sipa> just that linear increase and not exponential is boring
12:12 < petertodd> sipa: yeah, well, time to make expocoin...
12:12 < petertodd> sipa: e-coin!
12:12 < sipa> exp(coin)
12:12 < petertodd> e^coin!
12:12 < sipa> actually, it's O(coin) - the inflation is proportional to the amount in circulation
12:12 < jtimon_> most people believe freicoin and expocoin are equivalent
12:12 < sipa> jtimon_: aren't they (apart from psychology) ?
12:13 < petertodd> sipa: heh, well, why not e^coin! with ! as factorial...
12:13 < jtimon_> people forked our diff filter, but nobody forked our demurrage
12:13 < petertodd> jtimon_: I think it's a marketing problem; I would have called it "a shared coin security fund"
12:14 < jtimon_> sipa: we believe they influence interest differently ie: price inflation just rises nominal interest, demurrage makes REAL interest fall
12:14 < jtimon_> https://www.community-exchange.org/docs/Gesell/en/neo/part5/7.htm
12:15 < sipa> right, but that's just a psychological difference, no?
12:15 < jtimon_> "Hausse-Premium" is usually known as "inflation premium"
12:15 < sipa> the % of coins you own doesn't change
12:15 * petertodd can't believe he just read "support for KYC regulatory compliance" in comic sans
12:15 < jtimon_> sipa think of loans
12:15 < jtimon_> and real capital
12:16 < sipa> jtimon_: define on top of your client a layer that shows every amount as ($VALUE / $TOTAL_IN_CIRCULATION)
12:16 < sipa> jtimon_: expocoin and freicoin do become equivalent then, no?
12:16 < sipa> (honest question, i don't know enough about freicoin)
12:18 < jtimon_> well, not exactly at the low level (don't have refHeights) but yes, I guess economically would be the same if everybody uses the freicoin unit instead of the expocoin one
12:19 < petertodd> sipa, jtimon_: lost coins makes expocoin and freicoin act differently
12:19 < jtimon_> petertodd yes, that's true too
12:20 < sipa> petertodd: how so?
12:20 < jtimon_> freicoin recycles lost coins
12:20 < sipa> how do you detect lost coins?
12:20 < jtimon_> you don't detect them, you destroy all coins and reissue them
12:21 < sipa> i don't understand
12:21 < jtimon_> freicoin is constantly destroying coins, lost wallets or not, and then re-issuing through the miners
12:21 < sipa> i may misunderstand some implementation issues on freicoin
12:21 < jtimon_> we explain it as "demurrage fees go to miners" to simplify
12:21 < petertodd> sipa: demurrage affects you regardless of what other coins are available, expocoin just introduces more coins into the economy
12:22 < petertodd> sipa: the result is roughly the same, but the exact amount of economic inflation can differ in practice
12:22 < petertodd> sipa: never mind that demurrage has other implications, such as how it affects things like colored coins
12:26 < jtimon_> sipa these are probably the more relevant commits https://github.com/freicoin/freicoin/commit/4025098c05c351d72c8a0916ec6010e821d288d6
12:26 < jtimon_> https://github.com/freicoin/freicoin/commit/cee818350d857029e0e7148fece35646d479aea1
12:56 < gmaxwell> This is the puzzle I thought some people here might enjoy: http://web.mit.edu/puzzle/www/2014/puzzle/puzzle_with_answer_cronin/ (don't click solution unless you want to be spoiled) Yes, it's supposed to say that its solved, the theme of this section is that puzzles were written backwards, where you got a 'solution' first and had to derive the title.
13:09 < nsh> gmaxwell, is the title supposed to be a question that leads to the answer 'CRONIN'?
13:12 < petertodd> nsh: 'round here we'd ask 'Find N such that H(n)=<garbage>' and would have been clever to bruteforce the nonce rather than the PoW solution.
13:13 < nsh> hmm
13:14 < gmaxwell> nsh: well kinda, actually the title is a single word.
13:16 * nsh muses
13:16 < gmaxwell> nsh: make you click the card in the page.
13:18 < nsh> well, cheshire nyan is fun, but i'm still confused :/
13:21 < gmaxwell> You have to go deeper.
13:21 < nsh> okay :)
13:22 < nsh> yay, loads of hex
14:39 < maaku> sipa: inflation moves slowly through the economy giving preferential benefit to those near its source when prices are sticky
14:40 < maaku> and love the O(coin) name
15:16 < maaku> suggestion to jgarzik: crowd-fund in dogecoins your cubesat project. you can send it on L-50 which is taking 50 units to the moon
15:16 < maaku> I think you can drum up enough support to actually send a dogecoin node to the moon (and put a bitcoin node on there too, of course)
15:18 < jgarzik> heh
15:19 < nsh> that would probably work
15:19 < nsh> i wanna send something to the moon
15:20 < nsh> (a robot that tracks down and destroys the american flag)
15:20 < nsh> ((joke. there's no american flag))
15:22 < nsh> maaku, what is this L-50?
15:22 < maaku> jgarzik: i'm serious : http://www.lunarcubes.com/
15:22 < nsh> ah ty
15:23 < nsh> is there a definite launch planned?
15:23 < maaku> nsh: V-50 is a 50-unit housing module attached to centaur upper stages, which go through Earth-Moon L4/L5 on their way out of cislunar space
15:24 < maaku> L-50 is a project to buy one of these to send cubes to the moon
15:24 < nsh> ah, i see
15:24 < maaku> there's also plans to use them for Mars exploration, but that requires a relay spacecraft
15:25 < BigBitz> Heh, cool quiz, gmaxwell :) or puzzle, whatever. :)
15:25 < nsh> would it be feasible to book passage on a regular comsat launch for that? or would it require a special trajectory?
15:25 < maaku> (once you're at Earth-Moon or Earth-Sun lagrange points, it's basically downhill to anywhere in the inner solar system, with the right orbit)
15:25 * nsh nods
15:26 < maaku> nsh: the Centaur stages are what take comsats to GEO, then for satellite safety reasons they use their latent fuel to eject themselves from cislunar space
15:26 < nsh> oooh
15:26 < nsh> that's convenient
15:26 < maaku> so every. single. launch. of a GEO bird sends a centaur stage (or equiv) through one of these trajectories
15:27 * nsh crosses out all his ambitions and replaces with "write code that ends up orbiting moon"
15:27 < nsh> :)
15:49 * petertodd crosses out all his ambitions and replaces them with "write code that exploits code orbiting the moon"
15:51 < maaku> that you could do now...
15:52 < brisque> working on software on the moon would be awful. imagine the cost of getting somebody to go there and power cycle your server because you killed the wrong process.
16:00 < CodeShark> keep someone there at all times just in case
16:03 < CodeShark> the most annoying thing about working on software on the moon would be the latency
16:04 < brisque> probably get better latency to the moon than on a 3G connection, it's not all that far away
16:04 < CodeShark> a quarter of a million miles
16:04 < brisque> little over a second then?
16:05 < CodeShark> in each direction, yes
16:05 < brisque> just use a client with local echo, it'd be just as usable as SSH over GPRS
16:08 < jgarzik> maaku, not implying you were not being serious. just fun :) dogecoin has a lot of cute marketing, like the bobsled thing.
16:10 < CodeShark> SSH over GPRS is usable? hell, anything over GPRS is usable?
16:12 < brisque> http://mosh.mit.edu/
16:12 < brisque> I used a phone with a GPRS connection for a few years, it was incredibly painful.
16:19 < CodeShark> many of us did
20:25 < adam3us1> letstalkbitcoin tech interview :) (never like sound of own voice, cringe)
20:27 < adam3us1> (committed tx, fungibility, coinjoin, homomorphic values, centralization, 1-way peg... its long and tech heavy)
21:03 < nsh> let stalk = bitcoin;
21:09 < andytoshi> am i correct that the site requires flash to listen?
21:11 < andytoshi> nope, youtube-dl handles the soundcloud URL correctly: https://w.soundcloud.com/player/?url=http://api.soundcloud.com/tracks/130711534
21:22 < gmaxwell> I dunno if y'all have been paying attention, but the gridseed ltc asics are claiming that they'll do 60KH/s for a power consumption of 0.44 watts. This is an improvement relative to gpus very similar to what bitcoin asics had relative to gpus.
21:23 < brisque> gmaxwell: we'll see, I ordered one just out of curiosity.
21:25 < brisque> gmaxwell: they're apparently very unstable, from what I've read.
21:25 < brisque> I still don't get why they paired an scrypt core with a very inefficient sha256d one though.
21:25 < gmaxwell> What I'm hearing is that the dual sha256/scrypt mode is flaky.
21:26 < brisque> mm, same.
21:26 < gmaxwell> brisque: why do you think it's inefficient? it's ~2W/GH for sha256 which is about as good as it gets on 55nm.
14:20 < maaku> <gmaxwell> why does this pow wanking keep going on here? I can't imagine a less interesting subject. <--- thank you :)
14:21 < adam3us> justanotheruser: selfish mining is the result that a pool with over 33% power can gain more than 33% of the wins/reward by intelligently delaying publication of the blocks it wins
14:22 < justanotheruser> adam3us: and with 25% you can do this too?
14:22 < c0rw1n> is there a pool that takes over 33% of the network regularly?
14:22 < adam3us> justanotheruser: the cost is someone might win while it does that, but the advantage is if it gets a length 2 private chain, it has an advantage that no one else knows the chain
14:23 < adam3us> c0rw1n: its been the case lots of the time, even right now ghash has 34% (i thought they said publicly they had 40% recently)
14:23 < gmaxwell> it is sort of interesting that ghash has a lot of orphans, people had been assuming its because their hardware has severe latency problems, but that might not be the only issue.
14:24 < adam3us> justanotheruser: with 25% you can still get an advantage presuming you can succeed to race publication of other winners via good connectivity
14:24 < jtimon> gmaxwell are you suggesting that ghash selfmines and that's why it gets more orphans?
14:24 < adam3us> jtimon: its plausible that would be the side effect
14:24 < justanotheruser> adam3us: So what percentage of blocks can you get given you have N% of the network? Is there a formula?
14:24 < c0rw1n> i parsed it as "that, or they're doing something wrong with their connectivity"
14:25 < c0rw1n> justanotheruser yeah there is a formula. it involves the variance
14:25 < gmaxwell> jtimon: someone should crunch the data and see if it supports that theory.
14:25 < adam3us> justanotheruser: they have a graph in their paper, its not fully modeling some real-world effects, but its interesting and should work
14:25 < justanotheruser> link?
14:25 < jtimon> so you could as well call "selfish mining", "block relay time optimization"
14:26 < gmaxwell> I have noticed an increase in depth 2 orphaning, so if so I don't think they're doing it successfully.
14:26 < jtimon> how will that destroy bitcoin?
14:26 < justanotheruser> gmaxwell: Is it possible to determine that? Like would you have to look at their orphans vs their 2-in-a-row blocks?
14:26 < adam3us> justanotheruser: selfish-mining http://arxiv.org/pdf/1311.0243v2.pdf
14:26 < justanotheruser> thanks
14:27 < jtimon> I guess we would need to estimate their real block distribution latency to calculate the time they hold their blocks?
14:27 < jtimon> I don't know, network topology...too hard of a problem for me
14:27 < gmaxwell> justanotheruser: just stats on orphaning at various depths for different parties would be suggestive. (e.g. I think you'd get a higher rate of 1-orphan for the selfish miner and a higher rate of >1 orphan for all others than expected)
14:29 < justanotheruser> gmaxwell: So if there is one fork that has 3 orphans and the main chain has 4 GHash blocks in their place, that might suggest this attack is taking place?
14:29 < gmaxwell> Yes.
14:29 < c0rw1n> that may be a symptom if i got it right
14:29 < jtimon> would consecutive blocks for parties be significant?
14:29 < gmaxwell> jtimon: happens naturally.
14:30 < jtimon> I mean, count how many times they mine 2 in a row, 3 in a row, etc
14:30 < gmaxwell> more than you'd expect based on their hashrate would be interesting.
14:30 < gmaxwell> but the data is perhaps too undersampled to say with confidence.
14:30 < gmaxwell> long reorgs are more surprising.
14:31 < adam3us> gmaxwell: its hard to force the point, because they could hide their reward claims (change their reward address, announce via multiple IP#s)
14:31 < gmaxwell> sure though that's detectable for people mining on them.
14:32 < adam3us> gmaxwell: yeah but most users dont know when their home hosted asic wins so they are not auditing, and their individual chance to be the source of the winning block is very low
14:32 < gmaxwell> adam3us: you don't even have to see the winning block, since you can tell if you were working on the same transaction set as a specific winning block (e.g. differs only in extranonce)
14:33 < jtimon> undersampled data? mhmmhm, so maybe coblee's story is not as solid as I thought... ;p https://bitcointalk.org/index.php?topic=143659.0
14:33 < maaku> hrm.. Luke-Jr it might be nice if bfgminer collected statistics on how often and for how long it sees work based on previous blocks that are not publicly known
14:34 < c0rw1n> *click* that's interesting
14:34 < gmaxwell> maaku: how would it know public?
14:34 < c0rw1n> it could blockchain the mining stats?
14:35 < gmaxwell> "blockchain the mining stats"
14:35 < maaku> gmaxwell: either from local bitcoind or by asking Eligius
14:35 * gmaxwell zot
14:35 < sipa> c0rw1n: i hope you're kidding
14:35 * sipa gets his hammer; c0rw1n looks like a nail
14:35 < gmaxwell> maaku: I guess it can poll all configured pools and log when their prevs are different.
14:35 < c0rw1n> 'k i'll shut up if i'm not this smart enough to talk :$
14:36 < gmaxwell> maaku: It's odd that miners don't equal loadbalance pools almost at all, since that minimizes variance.
14:36 < adam3us> gmaxwell: well they could hide the most recent block by handing different blocks with same parent block (assuming GBT was not used)
14:36 < gmaxwell> but I guess that's because they count on pools for monitoring/stats (doh)
14:37 < jtimon> "assuming GBT was not used"
14:38 < maaku> adam3us: that's why you have the miners report, because the pool could just partition your selfish-miner-alert-system off and feed you old GBT replies
14:40 < jtimon> what makes it more expensive for pools to mine gbt/p2pool, bandwidth ?
14:41 < adam3us> maaku: selfish pool spot checking in mining client. not a bad feature.
14:42 < jtimon> maaku I don't get it wouldn't you detect selfish mining on your pool with p2pool/gbt alone ?
14:45 < jtimon> in p2pool concretely, could the pool operator find the block without the rest of the pool noticing?
14:46 < adam3us> jtimon: isnt p2pool p2p so there is no (central) operator so everyone learns everything?
14:47 < jtimon> adam3us I don't know much about pooling in general, but I think that there's an operator who connects all the miners and can collect fees
14:49 < adam3us> jtimon: usually but in the case of p2pool its more clever, its p2p and each peer is directly paid out in proportion to their p2p broadcast share history in the coinbase transaction (i think)
14:49 < gmaxwell> adam3us: that's right.
14:50 < gmaxwell> there is no operator it just works like bitcoin itself does to get a payout consensus.
14:54 < jtimon> so selfish mining is not possible with p2pool? what about gbt?
15:08 < jtimon> well, probably better here, maaku no answer from the concatenative people, no?
15:09 < maaku> no, not yet
15:11 < maaku> jtimon: I did email one concatenative researcher who was working on relevant stuff
15:11 < maaku> hopefully I'll hear back at least from him
15:16 < nsh> what's this in reference to, maaku/jtimon?
15:18 < jtimon> in relation to the latest merklized turing complete scripting language
15:18 < jtimon> discussions
15:18 < nsh> ah
15:19 < maaku> nsh: replacing bitcoin script with a turing-complete concatenative language a la Joy, Cat
15:19 < jtimon> maaku emailed a group inciting them to help us design it and become bitcoin scripting language experts, hehe
15:20 * nsh has not read much about concatenative programming languages, if anything at all
15:20 < jtimon> also now in #concatenative but doesn't seem a very active channel
15:20 < maaku> nsh: well, bitcoin script is a concatenative language
15:20 < maaku> just not a very expressive one
15:20 < nsh> mm
15:20 < maaku> basically anything Forth-derived, like postscript
15:20 < maaku> stack based languages
15:21 < jtimon> nsh, maaku gave us these links the other day http://evincarofautumn.blogspot.com.es/2012/02/why-concatenative-programming-matters.html http://www.kevinalbrecht.com/code/joy-mirror/j01tut.html
15:21 < nsh> oh, thanks
15:21 < nsh> former already open in tab :)
15:22 < jtimon> hehe, still I have them in the tab too, only started reading the first one
15:22 < maaku> i like that the first link goes over arithmetic expressions ... it's honest :)
15:24 < maaku> f x y z = y^2 + x^2 - |y| = drop dup dup
15:24 < maaku> yuck... but as an intermediate "high level assembly" representation it has its advantages
15:27 < sipa> in ast: -(+(*($2,$2),*($3,$3)),abs($2))
16:00 < adam3us> gmaxwell: btw speaking of mid-term asic-hard futility for any given algorithm (to any useful extent), which i agree as a prediction - seems vitalik is going for it anyway http://www.reddit.com/r/ethereum/comments/1vh94e/dagger_updates/
16:00 < adam3us> gmaxwell: "We have made a preliminary decision that we likely will fund a contest, similar to that used to develop AES and SHA3, to determine the best ASIC-proof (ie. going beyond just "memory hard" as a heuristic) mining algorithm"
16:03 < adam3us> (this is a reaction to the criticism of vitalik's coelho merkle hash PoW based "dagger" PoW, by sergio lerner who in reaction i guess published his own previously unpublished sequential memory hard hash)
16:05 < adam3us> anyway back to bitcoin useful thoughts... amiller was proposing a few days ago to have variable difficulty blocks so that the confirmation could be eg 1.5 or 1.1, with a 1 conf followed by a 0.5 conf etc. i was thinking that is going to be vulnerable to incentive to-not-orphan issues
16:06 < nsh> what do fractional confirmations mean?
16:06 < adam3us> btw you can (and i did this in hashcash-1 (but not in hashcash-0)) indicate the share size intended simply by including the share size in the hash, and the actual share size = min(actual size,target size)
16:07 < adam3us> nsh: so it means you are allowed to submit eg a 1/2 difficulty PoW for a 1/2 reward (12.5 coins)
22:10 < amiller> the mining provider generates his own keypair, and promises the user that anything won with a particular public key will be transferred to him later
22:10 < gmaxwell> so in the simplified version I just suggested there is no keypair in the block.
22:10 < amiller> ah okay
22:11 < amiller> still it's easy for the service provider to make an equivalent promise
22:11 < gmaxwell> No.
22:11 < amiller> the service provider can create a sentinel transaction or something
22:11 < gmaxwell> We should come to one mind for this.
22:11 < amiller> and say that the reward from any block mined containing a transaction like that should be given to the client
22:11 < amiller> that's a simple enforceable contract
22:11 < gmaxwell> I think you're stuck in thinking about solving it one way, and I have another direction that might be helpful for you. You can solve this by trying to make it so the provider can be non-faithful but as you note that sucks, so instead make it so the client can be non-faithful.
22:12 < gmaxwell> You make a block. It doesn't specify who it pays to. When you find a block you announce "I found block XYZ and stake my claim for the key Spain." The network accepts this, and when block XYZ finally shows up they'll only accept it when it's paying spain.
22:12 < gmaxwell> (this is a toy version of the idea, I think it needs to be stronger)
22:13 < gmaxwell> now let's say you want to buy hashing power from people. You start paying them.. but every time they find a block, they keep it for themselves (and then go get a new identity)
22:14 < gmaxwell> since block finds are rare, this makes it uneconomical to buy outsourced hashpower.
22:14 < amiller> i can attack this by showing you a stronger contract.
22:14 < amiller> i don't just pay them for shares they're working on a block
22:14 < amiller> i pay them for shares that they're working on a block that has a watermark in it so that i know that even if they rededicate the block arbitrarily, they can't remove the watermark so i can still prove i was entitled to the reward
22:15 < gmaxwell> amiller: but the network has a rule that doesn't give a shit about your watermark: after all, outsourcing is an existential risk to the network.
22:15 < gmaxwell> You can detect that the user screwed you, sure. But their identities are cheap esp since a single user may only find a block once a year.
22:15 < amiller> yes but i don't think it makes sense to rule out any other form of contract enforcement
22:16 < gmaxwell> I suppose so, only outsource to people who give you the note to their home....
22:17 < amiller> so the way to prevent any form of contract enforcement is to make the trapdoor invisible
22:17 < gmaxwell> though I do wonder if we could make agreements like that generally unenforceable. (but we start delving into sociology and law and not crypto there. e.g. if the rules of the system expressly forbid its participants from outsourcing, any such contract would be legally unenforceable... so you'd only be left with kneecap busting security, which doesn't scale well)
22:17 < amiller> it shouldn't be externally discernible whether the trapdoor was used or not
22:21 < gmaxwell> so can you go back and tell me about the threat model we're trying to solve with outsourcing here? I think the interesting one is that I pay remote computing agents to mine malicious chains, and they prove to me that they're working on it. I think that one is actually unsolvable.
22:22 < gmaxwell> If our concern is just that outsourcing lets people do POW without even being able to tell that the work is malicious or not, then that's solved by UTXO hard work. They can tell. They might not care.. but they can tell.
22:23 < amiller> ok let me back up and clarify
22:23 < amiller> the threat model is outsourcing, we're trying to solve that by coming up with an anti-outsourcing PoW+reward scheme
22:23 < amiller> by outsourcing i mean
22:24 < amiller> a client that would otherwise choose to mine by paying $x per month for some probability distribution of rewards (not just expected value, more likely a lottery with somewhat high variance)
22:24 < amiller> instead takes an equal or better deal from a mining service provider
22:24 < gmaxwell> Why is this a threat?
I don't think we at all care about people pooling their payments, except that it lays the groundwork for the other two kinds of outsourcing I enumerated just now?
22:25 < amiller> if people can pool their payments then it's plausible that the rational trend is for one big mining datacenter
22:25 < amiller> which is an existential risk
22:25 < amiller> even if the mining datacenter can't do malicious attacks without anyone noticing, it's still a more central point of failure
22:26 < gmaxwell> if they are only pooling their payments but they still independently check the validity and can not outsource that, then what is the threat?
22:26 < amiller> because taking over that datacenter (even if it causes alarms to sound) is easier than taking over a million gpus in homes
22:27 < gmaxwell> If they know (or could _costlessly_ know but choose to ignore it) the work is moronic or evil but are complicit then that's isomorphic to the users being complicit.
22:27 < gmaxwell> amiller: why would the data center have any control at all about anything important?
22:27 < gmaxwell> oh dear are you not aware of coinbase-only pooling?
22:27 < amiller> because it is in physical possession of the mining apparatus
22:27 < amiller> this is like the opposite of pooled mining btw
22:28 < gmaxwell> I know it is and I actually think you're confused now. :( or I'm confused. I'd like to fix this.
22:28 < gmaxwell> amiller: huh? no. utxo hard work prevents the datacenter from having the mining apparatus.
22:28 < amiller> no i don't think it does....
22:29 < amiller> but yeah definitely let's get on the same page before going back into the difficult stuff
22:29 < gmaxwell> let's imagine an alternative world where the mining is "Validation hard": the inner loop of the POW is doing all the work required to validate recent blocks and requires the user to have all the recent block data in order to practically mine.
22:30 < gmaxwell> (ignore the details on how this is accomplished)
22:30 < amiller> sure
22:30 < amiller> that makes it less appealing to outsource *validation*
22:30 < gmaxwell> Now miners don't like the unstable payments...
22:31 < gmaxwell> so instead they have a deal with aggregators where they attempt to mine blocks that pay according to the aggregators' instructions. The block is otherwise generated by themselves according to their own validation (which they have to do anyways as part of the pow)
22:31 < amiller> (this is standard pooled mining so far)
22:31 < gmaxwell> It's not.
22:31 < gmaxwell> they send the aggregator near miss solutions, and the aggregators use that to update their own records on who should get paid what.
22:32 < gmaxwell> It's coinbase-only mining, which I think you're not familiar with yet because it's not deployed yet. :) (well p2pool is a superset of it)
22:33 < gmaxwell> This differs from pooled mining in that the aggregator is not the source of the content of the blocks, and the miners can't be tricked into mining a cheating block without their knowledge.
22:33 < amiller> okay fair enough, i guess that's not standard pooled mining
22:33 < amiller> it is basically p2pool though
22:33 < gmaxwell> because they only get the place(s) where the funds go from the aggregator.. the rest they invent on their own.
22:33 < gmaxwell> Yes, kinda p2pool makes the aggregator a distributed consensus. Though in what I'm describing it could just be a single person.
22:34 < gmaxwell> (p2pool has payout scheme flexibility limitations because the distributed consensus is inefficient and can also not maintain a bank account)
22:34 < amiller> ok
22:34 < gmaxwell> In any case, so where is the risk in what I'm describing?
22:34 < amiller> there's none, that's not the outsourcing threat model
22:34 < amiller> that's A-OK, pooled mining is fine
22:34 < amiller> GPUMAX is the threat model
22:35 < gmaxwell> okay, so let's say that we take that model and say a GPU max shows up
22:35 < gmaxwell> He says, I'll pay you 110% to work on this mystery work.
22:35 < amiller> oh, crap
22:35 < amiller> i think i misunderstand gpumax :o
22:36 < gmaxwell> ah, were you thinking that GPUMAX was "cloud mining" where gpumax had the miners?
22:36 < amiller> yeah, exactly
22:36 < amiller> even ASICs aren't the problem because the asics are mostly easy to distribute in small packages
22:36 < amiller> "cloud mining" is definitely the threat i'm talking about
22:36 < gmaxwell> If so I think that's a separate thing which is worth solving! I'd call that the "hosted mining" problem.
22:36 < amiller> hosted mining, ok
22:37 < amiller> because by economy of scale, it's conceivable that there's some ASIC set up that's cheaper if all the asics are in one big data center, so it's cheaper to buy a share of a hosted asic mining operation than to buy and care for your own asic
22:37 < gmaxwell> OKAY great. whew. Well that's also kind of an emerging threat now too... gpumax and things like it seem to be dead but there are a bunch of hosted mining things cropping up.
22:37 < amiller> name a couple?
22:37 < amiller> i guess i can search for "hosted mining"
22:37 < gmaxwell> ASICMINER for one.
22:38 < gmaxwell> They sell hardware too, but mostly only because of some .. uh. Non-technical mechanisms.
22:38 < amiller> okay, so.... anti-hosted-mining
22:38 < gmaxwell> Yes perhaps .. though this is far from clear: low level waste heat is better distributed. but it's a risk simply because the labor of maintaining mining has some scaling, and there are lots of people who are super lazy and just want to pay and get goin.
22:39 < gmaxwell> coin.
22:39 < amiller> it's difficult because nothing stops someone from hosting their own separate lottery
00:56 < Diablo-D3> oh hai Graet
00:56 < Graet> asicminer was 3 x 800gh ish miners
00:56 < Graet> hey Diablo-D3 :)
00:56 < Diablo-D3> gmaxwell: yeah, I meant, the other people speculate
00:56 < Graet> using the bitfountain name as they state in thread :)
00:56 < warren> If you have that kind of hash power, why use a public pool?
00:56 < Diablo-D3> gmaxwell: they only have the parts for 15, and they're doing a lot of physical work in the DC to prepare it for the rest
00:57 < warren> It seems the public users + public visibility would make the pool less reliable for the big miners.
00:57 < Graet> warren, for a private company it "makes them more accountable"
00:57 < Diablo-D3> yeah
00:57 < Diablo-D3> it's about accountability
00:57 < Graet> + no issues with software bitcoinds etc
00:57 < Diablo-D3> you can't 51% attack even if you control all the hashpower in the world
00:57 < Diablo-D3> because you don't control the actual mining, just the hardware
00:57 < warren> oh.
00:57 < Diablo-D3> someone else is setting up your mining attempts
00:58 <@gmaxwell> Diablo-D3: ... that's thoroughly confused. god no wonder friedcat is indifferent to concerns if you're his biggest shareholder.
00:58 < warren> So physical security of the mining operator is the weak link.
00:58 < Diablo-D3> gmaxwell: no, you want to say they can switch to solo mining and fuck people
00:58 < Diablo-D3> friedcat is only fucking himself if he does that
00:59 <@gmaxwell> Diablo-D3: that actually _reduces_ security, because either the pool being compromised _or_ the farm being compromised is sufficient to attack and the farm being compromised is always sufficient.
00:59 < Diablo-D3> gmaxwell: yes, but that's why I'm against monolithic pools
00:59 <@gmaxwell> It's not about friedcat. geesh. Why are people so freaking broken about security.
00:59 < Diablo-D3> which is a different problem
00:59 < Diablo-D3> I'm 100% pro p2pool
00:59 <@gmaxwell> Friedcat gets hacked, friedcat gets kidnapped, etc. Friedcat himself isn't a concern except that he's a point of failure.
01:00 < Diablo-D3> gmaxwell: no, I agree there
01:00 < warren> I gave up on p2pool yesterday. It breaks far too often. I tried for over a month to fix it. I'll get back to fixing it later.
01:00 < Diablo-D3> that's also a different problem
01:00 < Graet> bottom line, if it worked better and was easier to use there would be no monolithic pools
01:00 < Diablo-D3> we're discussing 51% itself alone
01:00 <@gmaxwell> warren: breaks?
01:00 < Diablo-D3> don't get me wrong, those are important concerns
01:00 < Diablo-D3> but it has nothing to do with 51%
01:00 < jgarzik> I got a lot of stales, but never broke p2pool
01:00 < Diablo-D3> warren: p2pool has never broken for me
01:01 < Diablo-D3> and I follow p2pool from git
01:01 < warren> jgarzik: yeah, lots of stales, but that isn't what I'm referring to.
01:01 < Diablo-D3> warren: the stale problem was avalon's cgminer build is broken
01:01 < Diablo-D3> forrest fixed it on his side, but wants avalon to still update their cgminer build
01:01 < Diablo-D3> con already fixed the problem upstream
01:02 <@gmaxwell> luke has been basically begging to get on an avalon box in order to get bfgminer working.
01:02 < Graet> p2pool has less than 1% of the network for a reason, and it has nothing to do with asics
01:02 < Diablo-D3> gmaxwell: yeah, but that won't fix it
01:02 <@gmaxwell> he was told he'd be able to get on the foundation one for development, but apparently he's just getting evasion now.
01:02 < Diablo-D3> Graet: yes, it's because there's no advertising
01:02 < Diablo-D3> Graet: the thing is all the important people use it
01:02 < Diablo-D3> which is more important than anything else
01:02 < Graet> anyway i'm going for a nap so i can be awake to do more bitcoind updates when i should be asleep
01:02 < Diablo-D3> gmaxwell: luke is a dick sometimes, I don't know why
01:03 < warren> Its stratum implementation has some bug in communicating the pseudoshare target difficulty, I am uncertain if it is related, but it causes random tracebacks within stratum.py.
01:03 < Graet> lol Diablo-D3 p2pool fanbois spam it all through the forums, the devs tell ppl to mine there if they want to mine... like i said before <Graet> bottom line, if it worked better and was easier to use there would be no monolithic pools
01:03 < Diablo-D3> warren: that's the bug
01:03 < Diablo-D3> Graet: people are lazy, that's why they have monolithic pools
01:04 < Diablo-D3> I mean, fuck, people pay fees to pools
01:04 < Diablo-D3> what the hell is that shit
01:04 < Graet> yeah coz the hardware and time it takes to run a pool is free too?
01:04 < Diablo-D3> installing p2pool costs no money
01:04 < Graet> asking miners for donations doesn't work, i tried.....
01:04 < Diablo-D3> installing p2pool costs no money
01:04 < Graet> still comes back to ease of use
01:04 < warren> If you have more p2pool peers, it slows down the time between receiving a share and new work to miners.
01:04 < Diablo-D3> p2pool is extremely easy to use
01:05 < Graet> it's not easy for most people to use
01:05 < Diablo-D3> warren: not entirely true.
01:05 <@gmaxwell> warren: and?
01:05 < Graet> apparently not, the network share shows that
01:05 < warren> sorry, that's a really minor problem, it doesn't hurt the block finding, only your personal shares.
01:05 < Diablo-D3> warren: miner to p2pool is still completely local
01:05 <@gmaxwell> warren: we've gone over this, the miners queue work.
This doesn't cause a loss of work.
01:05 <@gmaxwell> warren: right, and it's something that's roughly equal for most users.
01:05 < Diablo-D3> the only problem I see with p2pool is that it's python
01:05 < warren> Graet: yes, p2pool's biggest problem is it doesn't explain itself to users well enough.
01:06 < Diablo-D3> I'll agree with that
01:06 < Diablo-D3> the docs suck
01:06 < Diablo-D3> but it's STILL easy to use
01:06 <@gmaxwell> It's not extremely easy to use and can probably never be.
01:06 < warren> gmaxwell: It seems if you are unlucky, you can get stuck with tons of orphans despite unlimited bandwidth. I've been measuring things and fiddling with it for weeks.
01:06 < Diablo-D3> gmaxwell: I dunno, all you have to do is enable bitcoind's rpc, and then start run_p2pool.py
01:06 < Graet> so it will never be hugs, and you will have to live with monolithic pools
01:06 <@gmaxwell> It could certainly be easier... but it's even _less_ monetizable than other pooling things, while being harder to make easy.
01:06 < Graet> huge*
01:07 < warren> gmaxwell: part of that is because the p2pool client connects forever to nodes no matter how good or bad they are.
01:07 < Diablo-D3> warren: well, that's because p2pool doesn't use enough async networking magic
01:07 <@gmaxwell> Graet: seems likely asic deployments are going to change the threshold for ease of use some.
01:07 < Diablo-D3> which is largely because it's python
01:07 < Diablo-D3> and I already said we'd be better off if it was C
01:08 <@gmaxwell> Graet: after all, 20 minutes installing software isn't a big deal vs thousands of dollars in specialized hardware.
01:08 <@gmaxwell> though it certainly is vs a couple GPUs.
01:08 < warren> The underlying design of p2pool is brilliant. It is just a little fragile in its current implementation.
01:08 < Graet> indeed gmaxwell, interesting times ahead on many fronts
01:08 <@gmaxwell> but yea, who knows.
01:08 < Diablo-D3> I should look and see if I can clone p2pool
01:08 < Graet> will be interesting to see how the hashrate settles out once a decent number of asics are out
01:08 <@gmaxwell> well, and when the new wave of DOS attacks begin. :P
01:08 < warren> Getting "lucky" to be connected to the good p2pool peers and you can have > 100% efficiency easy for weeks in a row.
01:08 < Graet> and that
01:09 < Diablo-D3> warren: yeah but I regularly do
01:09 < Diablo-D3> I never see p2pool efficiency below 100%
01:09 < Diablo-D3> Shares: 59 total (6 orphaned, 1 dead) Efficiency: 114.6%
01:09 < warren> Diablo-D3: that limits adoption though, because people get frustrated and quit, partly because the docs suck and they don't understand it.
01:09 <@gmaxwell> Diablo-D3: where is the rest of the line?
01:09 < Diablo-D3> gmaxwell: that's from the web ui
01:10 <@gmaxwell> in any case 59 isn't much of a sample.
01:10 < Diablo-D3> I asked forrest to add the whole line to the web ui but he hasn't yet
01:10 < warren> Diablo-D3: the "people get frustrated and quit" part makes more people quit because variance is too high and they don't understand probability.
01:10 < Diablo-D3> warren: that's their problem, really
01:11 <@gmaxwell> warren: well also because of unfortunate things like calling p2pool stales "stales"
01:11 < Diablo-D3> monolithic pools have the same issue really
01:11 < warren> shit
01:11 < Diablo-D3> wb warren
01:11 <@gmaxwell> warren: well also because of unfortunate things like calling p2pool stales "stales"
01:11 < Diablo-D3> monolithic pools have the same issue really
01:11 < warren> sorry, wrong button
01:11 < warren> gmaxwell: yeah, if the UI and docs were better it would scare fewer people away
01:11 < warren> gmaxwell: plus it needs to mix up the peer connections more often
01:12 <@gmaxwell> warren: I never noticed any issues with that, but I had a very well established node.
01:12 < warren> gmaxwell: once you get locked into a network of good peers, you're golden. you crowd out less well connected peers by orphaning them more often.
01:12 <@gmaxwell> My initial node started when p2pool was <10GH and I more than doubled it myself.
01:12 <@gmaxwell> and p2pool prefers older nodes to connect to.
01:12 < warren> That's what I'm seeing on LTC. It might be because there are much fewer nodes there.
01:13 <@gmaxwell> plus I had established private peering with 2 of the other larger p2pool users.
01:13 < warren> At first I was getting > 110% efficiency for weeks. Then my network of nodes got very unlucky together.
01:13 < Diablo-D3> gmaxwell: explain something to me
05:55 < deantrade> It can happen. You are assuming that the market purchasing power of one thing versus another stays constant
05:56 < jtimon> no, I'm not assuming that
05:56 < jtimon> let me rephrase
05:56 < jtimon> the more factories that produce a given good, the less each one of them yields
05:57 < jtimon> sorry, I'll come back in a minute
05:58 < deantrade> The more of something you have, the less market value each additional thing will have.
06:01 < deantrade> Q: Why does Freicoin use demurrage? I'm worried that my coins will just fade away.
06:01 < deantrade> A: Worried? It's a good thing. If the amount of money was stable, people would prefer saving it as opposed to spending it. This would decrease the quantity of money circulated, which in turn would act against the main purpose of money - a medium of exchange. With demurrage in place, you should think about money as it's meant to be, not as a storage medium of wealth.
06:03 < jtimon> not a very good answer, I agree
06:03 < deantrade> Invalid... even in bitcoin, even if the value goes up over time, if a person has lots of it, he may still want to trade some of them in exchange for other things he wants more. Just because money is becoming more valuable over time, this has no effect on whether it is suitable for trade.
Suitability for day to day trading is more just about security/transaction fee/speed of transaction.
06:03 < jtimon> but let me explain to you Gesell's theory on interest
06:04 < jtimon> you agree that capital accumulation leads to lower real capital yields, no?
06:04 < jtimon> that in turn leads to lower prices of consuming goods
06:04 < deantrade> Only if the capital is just a copy of the previous capital. But if the capital is an improvement over existing, then no.
06:05 < jtimon> the owners of the "old" capital have to compete with the owners of the "improved capital"
06:05 < deantrade> But I would agree that goods can generally be made cheaper if more capital/durable goods exist and are suitable for the particular goods to be produced efficiently.
06:06 < jtimon> exactly, capital yields are profits, and as such they should drop with competition
06:06 < jtimon> innovation can drive profits higher, but only temporarily
06:07 < jtimon> unless of course the state limits capital production somehow, creating rents
06:07 < jtimon> rents are profits that are somehow protected from competition
06:08 < jtimon> when capital yields are low
06:08 < deantrade> I wouldn't use that as the definition of "rent" normally, but for this conversation I will follow with your definition
06:08 < jtimon> ok
06:09 < deantrade> Err I would rather say "creating higher rent than a free market would have"
06:09 < jtimon> to be more specific
06:09 < jtimon> http://en.wikipedia.org/wiki/Economic_rent
06:10 < jtimon> so what causes monetary cycles according to Gesell
06:10 < jtimon> ?
06:10 < jtimon> 1) competition drives real capital yields low
06:11 < jtimon> 2) savers start preferring to just hoard their money instead of lending at low rates
06:12 < jtimon> 3) that reduces monetary velocity, which causes price deflation, which further encourages hoarding vs lending (positive feedback loop, not sustainable for long)
06:12 < jtimon> 4) after enough capital destruction (maybe just by lack of maintenance)
06:13 < jtimon> yields go up again and investment resumes, stopping capital and employment destruction
06:13 < jtimon> how have people tried to solve this problem?
06:14 < deantrade> I'm not sure where the problem is. You say there is "capital and employment destruction"? How?
06:14 < deantrade> How is someone hoarding gold/money bad for anyone?
06:15 < jtimon> keynesians have confused the real problem (basic interest/liquidity premium) with the symptom (deflation)
06:15 < jtimon> lack of investment causes capital destruction and therefore employment destruction
06:15 < deantrade> If Bill Gates made a billion dollars by creating everyone computers and trading for dollars, and then buried/permanently destroyed the dollars, then everyone else but Bill Gates would have made out well.
06:16 < jtimon> when you close a factory it will start to deteriorate
06:16 < jtimon> price deflation discourages investment (assuming monetary monopoly)
06:18 < deantrade> "Price deflation discourages investment" -> only when investments are not worthwhile despite the increasing purchase power of the entity with the savings.
06:18 < jtimon> no, always
06:19 < jtimon> think of any investment example
06:19 < jtimon> let's say a factory that will yield 5% of its nominal value
06:20 < jtimon> will you invest in that factory?
06:20 < jtimon> a) with 0% price inflation
06:20 < jtimon> b) with 10% price deflation
06:21 < jtimon> with 10% price deflation you're better off keeping the "abstract wealth" money represents rather than investing in real wealth
06:21 < jtimon> keynesians have tried to "solve deflation" by replacing real savers with newly created money
06:21 < deantrade> Ok, agreed, but I'm still not seeing what the problem is.
06:22 < jtimon> the problem is capital yields should naturally tend to zero, but that's impossible with nominally everlasting money
06:22 < deantrade> If there are people who have needs, and they want to work for their goal attainments, then they will do that. What's to stop them?
06:23 < deantrade> "the problem is capital yields should naturally tend to zero" Should? Do they? And if they do, then how is this a problem?
06:23 < jtimon> the worker needs capital just like capital needs workers to operate it
06:23 < deantrade> Worker works, makes wage, then has capital.
06:23 < jtimon> money is not real capital, money is just a symbol of value
06:24 < deantrade> Money is real capital.
06:24 < deantrade> Money has market value. Money is durable.
06:24 < jtimon> what can you build with money (without exchanging it for another thing)?
06:24 < jtimon> some monies are durable
06:25 < jtimon> beef has market value too, but it's not capital
06:25 < deantrade> I can build a pile of coins to swim in like scrooge mcduck
06:25 < jtimon> it's a consuming good
06:25 < jtimon> money is not a consuming good either
06:25 < jtimon> you can build a swimming pool with some monies
06:26 < jtimon> you can't swim on bitcoin can you?
06:26 < deantrade> ok, then I don't really care what you use as a definition of "Capital"... and your statement "money is not real capital, money is just a symbol of value" doesn't really mean anything to me.
06:26 < warren> this is getting absurd
06:26 < warren> NMC is at $5
06:26 < deantrade> I can put bitcoin on flash drives, and swim in flash drives.
06:27 < jtimon> that's what makes money capital, really?
06:27 < jtimon> by real capital I just mean producing goods
06:27 < jtimon> money is not a producing good not a consuming good
06:27 < jtimon> nor
06:28 < jtimon> it's just an implicit agreement between its users that facilitates trade
06:28 < deantrade> Here's what I'd use instead of your word "capital": resource. Resource for attaining goals of individual humans. Each human has a set of resources which are under his control. He is continually "using" them as they are under his control.
06:28 < jtimon> but my concept is far more specific
06:28 < jtimon> consuming goods and raw materials are resources too
06:29 < deantrade> By him "using" them in whatever way he desires, it helps him attain his goals.
06:29 < jtimon> work is another resource
06:29 < deantrade> Work is not a resource.
06:29 < jtimon> how not?
06:29 < deantrade> Having an employee who can do work is a potential resource. But the work is not a resource, only the product of the work is a resource.
06:30 < jtimon> ok, then your employees are resources, whatever
06:30 < deantrade> Owning a house for example, living in the house, continually brings market value to the owner.
06:30 < jtimon> my point is that "producing goods" are a very concrete type of resource
06:31 < jtimon> a house is real capital
06:31 < jtimon> you can rent it
06:31 < deantrade> Uh, you can rent any object really.
06:32 < jtimon> well, living in a house is a consuming good, produced by the house, the producing good
06:33 < jtimon> and houses have a capital yield that comes from that
06:33 < jtimon> if interest rates are at 5%
06:34 < deantrade> And the money in your pocket is "producing" one value by giving you confidence/ability that you will be able to use it to trade at a future time for something else.
06:36 < deantrade> But let's say you can't think of anything you want in the future. You just have needs now to fulfill.
Then you'd trade the money now, no matter the interest rate.
06:38 < deantrade> Ah well, I dunno why I was arguing with him.
06:39 < jtimon> sorry, deantrade, electricity went down
06:40 < deantrade> No problemo
06:41 < jtimon> what's the last thing you received?
06:42 < deantrade> If savers hoard, then the market value of the money goes up. If they stop increasing their reserves, then the market value of money stabilizes.
06:43 < deantrade> I guess I just don't see what the problem is with savers saving.
06:43 < jtimon> the problem is not with savers saving but with savers hoarding
06:44 < deantrade> k, "hoarding". What is wrong with "hoarding"?
06:44 < jtimon> if they lend or reinvest their savings in something real like they do when interest rates are high there's no problem
06:45 < jtimon> you're influencing the price of money, and you're getting a free insurance against uncertainty
06:45 < jtimon> that's a positive externality inherent in "durable money" and it is paid for by others
06:46 < jtimon> what neo-keynesians do is replace savers with newly printed money
06:46 < jtimon> manipulating interest rates
06:46 < deantrade> If you have money as savings, then that means you already did work to create something real in order to attain the money. Then if you go to spend the money, you don't create, you only exchange.
06:46 < jtimon> but that's not sustainable
00:26 < maaku> has the zerocash paper made its way around yet?
00:33 < warren> it was renamed?
00:33 < maaku> he said on twitter that's what they're calling zerocoin 2.0
00:33 < maaku> matt green
00:33 < maaku> also are there any generally known limitations of TinyRAM?
00:33 < maaku> i know there was some discussion of this a while back on -wizards, but I can't find it in my logs
00:39 < maaku> ugh there's no rotate opcode in TinyRAM...
01:34 < gmaxwell> maaku: if you want something efficient, best not to use TinyRAM.
TinyRAM has the benefit of being general, but
01:36 < gmaxwell> It would be interesting to evaluate all the well studied cryptographic hashes and see which would result in the most efficient quadratic span program proofs.
01:37 < gmaxwell> sha2 is probably mixed, the additions are super cheap as QSPs but the circular rotations probably are not.
01:51 < maaku> gmaxwell: i'm looking for something general
01:52 < maaku> is there a better architecture than TinyRAM?
01:52 < gmaxwell> maaku: in any case, what tinyram is optimized for is the size of the QSP circuit that implements the tinyram validator, since that's the primary consideration in proving time and memory consumption.
01:54 < gmaxwell> they give a bunch of figures in one of their papers for compiling various programs to tinyram, the cycle overhead from its limitations isn't so bad on most of the things they characterized.
01:55 < gmaxwell> directly designing your algorithm at the circuit level will probably always produce a much more efficient (proving time wise, at least) result...
01:56 < maaku> gmaxwell: i'm curious about replacing/augmenting the bitcoin scripting language with tinyram
01:57 < gmaxwell> right, well if that were done the part inside bitcoin wouldn't be tinyram, it would just be a proof validator.
01:58 < gmaxwell> wrt replacing script with tinyram, it would probably be prudent to add to tinyram a number of opcodes like sha256 or at least sha256_round
01:59 < maaku> yes
01:59 < maaku> i found it strange how some basic opcodes were missing from tinyram, like rot, and was wondering if that was a fundamental crypto limitation, or just an oddity
02:00 < gmaxwell> what might be interesting is to add asm {} blocks to a compiler for tinyram that could just let you include a circuit description directly.
02:01 < gmaxwell> maaku: no they intentionally left things out that weren't needed to get a basically good high performance implementation and which were either redundant or required larger validation circuits.
02:01 < maaku> if i went forward on this, I would probably look at extending tinyram to be the MIPS-I isa, plus some crypto accelerator primitives
02:01 < maaku> hrm
02:02 < maaku> ok so this is really just infrastructure anyway, right? the fundamental "machine code" is the circuit
02:02 < maaku> which tinyram compiles down to
02:04 < gmaxwell> well not quite, the way it works is that there is a circuit they've already designed which verifies transcripts of tinyram execution, which is generic and can be reused for multiple instances (important because the keys needed to prove and verify the circuit are not tiny).
02:04 < gmaxwell> (I guess that would get in the way of asm {} blocks...)
02:05 < gmaxwell> of course you could have arbitrary circuits, but that's a fair amount more data you need to communicate.
02:05 < gmaxwell> vs if everyone uses the same tinyram circuit, then your proof is just a small number of field elements and the hash of the program being run.
02:07 < gmaxwell> (the validator is really validating a statement of the form "The signer knows a transcript with a program of hash(x) and inputs of hash(y) and unspecified private inputs, is a valid transcript of tinyram execution which returns true."
02:07 < gmaxwell> )
02:08 < gmaxwell> which is how they're able to make validation time quasi linear in the length of the program... the time it takes to hash the program and its inputs is linear, and the rest is just proportional to the security level.
02:08 < gmaxwell> (well not just quasi linear, it's linear in the length of the program plus some security dependent constant)
02:10 < gmaxwell> I think the verifying keys for tinyram are on the order of tens (hundreds?) of kilobytes...
but if everything is tinyram the verifying keys are just part of the system, all bitcoin would have to send is a hash of the script being run. 02:11 < maaku> so it doesn't really matter how complex then the extended-tinyram instruction set is, so long as the verifying keys are small enough to fit in a client (no more than a few megabytes, say) 02:15 < gmaxwell> well it doesn't matter for the verifier. It may matter greatly for the prover. 02:16 < maaku> ah, right 02:16 < gmaxwell> the performance figures in the scip paper were fast enough that it was feasable but not so fast that you could go sticking in a factor of 2 and not seriously degrade the usefulness of it. 02:17 < maaku> and the performance of the prover scales with the size of the validator key not the subsets of the circuit actualy used, right? 02:19 < gmaxwell> not sure,.. well actually some parts of the prover should scale well if parts of the circuit aren't used, but there are some parts (which I think all have log() scaling which wouldn't) ... but I don't know how it would work out pratically. These would be questions for Eli and team (Iddo may know). I haven't thought at all about extensions. 02:20 < gmaxwell> I think their main goal was to demonstrate feasability for general programs. So it made sense to be pretty ruthless in what they had in tinyram. 02:27 < maaku> yes, and as an engineer I'm wondering why "feasibility for general programs" dpesm 02:28 < maaku> doesn't equate to a general-purpose ISA used in a real general-purpose computer 02:28 < maaku> of which MIPS-I is about as simple as you can find 02:28 < maaku> plus a minimal set of crypto opcoce extensions, of course 02:29 < maaku> I'll look at the code first 02:29 < maaku> i really need to understand this better 02:41 < EasyAt> Hey guys, anyone know of a stragne attack. 
I've been doing TXs and occasionally as soon as I send I receive about .0001 from a random address 02:41 < EasyAt> It's indeterministic 02:45 < wumpus> they sometimes send dust to addresses in the block chain, it's not an "attack" as such although if you spend the dust it can be correlated to other addresses, so it may help them discover a bit more information about how addresses are related 02:45 < wumpus> you could use this to remove the dust https://github.com/petertodd/dust-b-gone/ 02:47 < EasyAt> Hm, so what does me receive dust do. All they are doing is signing an output to a pubkey of mine. What am I actually leaking? 02:47 < EasyAt> Oooh, because when I send I'll send their dusts and they can corrolate too addresses? 02:47 < wumpus> nothing, unless you spend it together with some other input 02:47 < EasyAt> s/twoo/many 02:47 < wumpus> yes 02:47 < maaku> yes, to whatever other addresses you use in the spend 02:47 < EasyAt> interesting. Do you think it is specifically against me? 02:48 < wumpus> I don't think so 02:49 < EasyAt> Has there been any analysis on this... analysis or whatever you call this 02:50 < wumpus> but it's (among other reasons) why implementing schemes such as coinjoin is important 02:50 < EasyAt> Clever way to keep track. I wonder if it's for transactions over a certain amount. Maybe aligned with another currency's value 02:51 < EasyAt> wumpus: Agreed, an dI sign everything with an unconnected cold, unwritable boot drive 02:51 < EasyAt> But, It is a bit worriesom. With the jdillon thing now I am quite paranoid 02:52 < EasyAt> I wonder if he had coins taken :\ 03:03 < joecool> fucking dandan sends me dust all the time 03:04 < joecool> just because he's a little wanker 03:05 < EasyAt> dust doesn't do anything, though 03:05 < EasyAt> Except leak information, apparently 03:05 < joecool> or annoy the receiver 03:06 < EasyAt> The UTXO set is static at any given point in time, correct? At the smallest inrement of time? 
There is no question unless there is a current fork war(or whatever you call it) 03:11 < EasyAt> While no transaction is taking palce 03:13 < phantomcircuit> EasyAt, it's those idiot researchers trying to tag wallets with small payments 03:23 < michagogo|cloud> EasyAt: given a certain blockchain, yes, the UTXO set is deterministic 03:25 < midnightmagic> EasyAt: Spam from blockchain.info too. Check out the tx in b.i and see if there's a message there. If there is, it's just spamdust. dust-b-gone removes it. Or at least helps remove it. 03:25 < midnightmagic> And likely not douchebags trying to track. 03:36 < EasyAt> I'm not trying to be paranoid, but I was reading the other day that someone notcied ~70% of theire connections being filled by essentially junk nodes that didn't forward blocks or do anything. And some of the main devs postulated that it might be a tracking or minging attack 03:36 < EasyAt> I'm curious if they could be correlated 03:38 < EasyAt> Erm, not mining blocks but an attack from some unknown mining pool 04:25 < maaku> EasyAt: these were connections from an academic institution in switzerland 04:25 < EasyAt> Kinda of intrusive. Bugs me. reminds me to send Txs through tor 04:25 < maaku> it's probably just a poorly configured tracking nodes 04:26 < maaku> well i got news for you: the majority of nodes are not useful 04:26 < maaku> and it's been that way for a while 04:27 < EasyAt> Why do you say that? Don' they at least verify and forward? 04:27 < EasyAt> Or you mean most nodes are light? 04:28 < maaku> no 04:28 < maaku> most nodes are light, dns seeders, tracking nodes, who-know-what 04:28 < maaku> i shouldn't say most nodes 04:28 < maaku> most connections is what i meant 04:29 < petertodd> maaku: depends a lot on where you're node is - my ec2 nodes got nearly 100% full-node connections. 
Supposedly this has something to do with clustering 14:55 < michagogo|cloud> But there aren't any "Received getdata for block x" lines 15:53 < gnrldsray> Anyone from/interested in Ethereum here? 16:04 < shesek> I think its a one man project by vbuterin at this stage, and he doesn't hang on IRC afaik 16:05 < shesek> it does seems interesting to me from a first look 19:07 < gnrldsray> Thanks shesek 19:50 < tacotime> hey iddo. 20:13 < Emcy> jgarzik is there anything particularly different about the latest boostrap.dat? 20:14 < Emcy> byte offset or anything 22:20 < jgarzik> Emcy, shouldn't be 22:20 < jgarzik> Emcy, the file format receives appended data, leaving the leading 70% untouched 22:21 < jgarzik> shesek, I think Vitalik is getting some funding, though he does seem the chief designer 22:22 < Ursium> jgarzik: he's defo working with Charles Hoskinson 22:23 < Ursium> he mentioned 5 team members on reddit 22:23 < Ursium> and fundraiser is 26th Jan, ann at the bitcoin miami conference 22:23 < jgarzik> ugh 22:23 < jgarzik> CH not my favorite person in the world 22:23 * jgarzik will be in Miami 22:24 < Ursium> well that's just my view, based on the white paper and some references charles made on the forums. 22:25 < Ursium> what do you think of the idea though - turing complete , GHOST , etc? 22:27 < Emcy> jgarzik strange, my client seemed to have a problem seeing the previous torrent once the new one had finished 22:28 < Emcy> rechecking it have 56% or something, and then rechecking the 13gb one gave incomplete even though the filesize was 13gb. 22:28 < Emcy> perhaps ill just seed the most recent and be done with it 22:28 < jgarzik> Emcy, yes, that's what you should do. Seeding an old torrent is entirely pointless. 22:29 < Emcy> well, there were still a lot of peers on it 22:29 < Emcy> still uploading well. 
Good 200 on the new torrent already though so 22:30 < Emcy> I tend to drop a note in the comments about a new torrent for whom it may concern, since thats something people with linux clients cant do 22:31 < Luke-Jr> fwiw, Vitalik recently told me there are 10-20 people now 22:32 < Luke-Jr> Emcy: more like something BitTorrent doesn't support <.< 22:33 < Emcy> youre right the comments and rating system is utorrent specific 22:33 < Emcy> btdigg picks up on it though, which is nice 22:34 < Emcy> they should standardise it 23:01 < gmaxwell> Yea, I didn't respond to their inquiries because it was CH. 23:25 < tacotime_> There are at least 3-4 people hacking the github repository for ethereum right now 23:26 < tacotime_> Doing turing complete (basically turning the transactions into executable code) is both neat and kind of scary at the same time 23:31 < tacotime_> I'm debating whether or not I should go to miami or wait for the texas conference --- Log closed Mon Jan 13 00:00:40 2014 --- Log opened Mon Jan 13 00:00:40 2014 --- Day changed Mon Jan 13 2014 00:35 < Luke-Jr> my wife and I will probably both be in Miami 01:23 < amiller> turing complete sucks as a catchphrase/soundbyte/feature 01:23 < amiller> it's a total red herring 01:23 < amiller> all sorts of interesting/expressive languages are not turing complete 01:24 < amiller> and even a turing complete language would be useless if it's not hooked up correctly to txouts and etc 01:24 < amiller> it's neither sufficient nor necessary for what anyone actually wants with a modified transaction script 01:24 < amiller> try to build a sponsored chess game, as a thought experiment 01:24 < amiller> or a poker game 01:24 < Luke-Jr> amiller: dunno, turing complete *might* make it possible to get at anything 01:24 < gmaxwell> well besides any computer with finite memory is not technically turing complete. 
:P 01:25 < amiller> you don't need turing complete for any of that, and also turing complete doesn't automatically make those work 01:25 < gmaxwell> Luke-Jr: but if the chess game program is so huge that you can't realistically use it... no real point. 01:25 < Luke-Jr> sure 01:25 < amiller> you could trivially make bitcoin-script turing complete by adding opeval or whatever, and it still wouldnt' solve that problem 01:25 < Luke-Jr> but I mean, to get at txout info, you *could* just confirm the transaction is part of a block etc 01:26 < amiller> that's pretty complicated, but i guess 01:26 < gmaxwell> sure and you could do that in script if substr and cat hadn't been disabled.. and without being turing complete. 01:27 < gmaxwell> and if you replaced script with, say, 8 bit AVR instructions you could do it as well, but the transaction would be so big as to be unusable. 01:29 < gmaxwell> though I looked at their codebase, and uh.. it's implementing basically bitcoin script with a bignum as the basic type with and added instruction pointer and jmp instruction. Seems like someone has never worked with forth, the result is kinda unholy looking. 05:05 < gmaxwell> petertodd: you did realize why you can't encrypt your stealth addresses, right? 05:06 < gmaxwell> petertodd: (because if you do, then someone with the candidate stealth address can test if any stealth payment on the chain is connected to that one by decrypting the nonce and testing if its a valid point) 05:09 < TD> elligator? 05:10 < gmaxwell> TD: alas for this it needs to be bitcoin compatible public key, and the elegator mapping cannot work for our curve. 05:10 < gmaxwell> (can't work for curves where the x term is 0) 05:11 < TD> you can do elligator for curve25519 however, so if we switch to supporting ed25519 signatures in future, it might become workable 05:34 < nsh> gmaxwell, is it not possible in principle to have an elligator-like mapping to uniform strings from the bitcoin curve points? 
05:35 < gmaxwell> nsh: the points are enumerable so it's possible to map... an efficient one? I don't know of one for our curve.
05:35 < gmaxwell> There are other ways to make bitcoin points statistically uniform.
05:35 < nsh> hmm
05:36 < gmaxwell> E.g. take your point and randomly choose an x value between it and the prior valid point... then have the receiver do the reverse process... it's just a little computationally expensive.
05:36 < nsh> do curve25519/ed25519 have extra structure that facilitates efficient mapping?
05:36 < gmaxwell> Yes.
05:36 < nsh> ok
05:37 < TD> every value is a valid point, or something like that
05:39 * nsh rereads petertodd's proposal thread
05:39 < gmaxwell> well the elegator mapping achieves that. Raw curve25519 x values are only about half valid like ours. The elegator mapping isn't totally trivial either, but it's not as slow as "test points until you get a valid one"
05:40 < gmaxwell> (also the elegator mapping doesn't work for all points, just a really large number of them, so you have to generate ed25519 points with that in mind if you're going to use it, which is a little annoying)
05:40 < TD> i think it's spelled "elligator"
05:40 < TD> i remember this, because i know a cryptographer called elli
05:41 < nsh> 50% of ed25519 points don't have elligator mappings iirc
05:56 < gmaxwell> http://lightspeedindia.wordpress.com/2014/01/13/bitcoin-2014-top-10-predictions/
05:57 < gmaxwell> 7. The use of Bitcoin will evolve beyond
05:57 < gmaxwell> The underlying Bitcoin protocol makes itself applicable beyond the use cases of . The Bitcoin foundation took a huge step in allowing meta data to be included in the blockchain.
05:57 < sipa> note that they at least say "meta data" and not "data"
05:58 < gmaxwell> Fair. hah. they link to https://www.secondmarket.com/education/landing/bitcoin-ecosystem ... someone should make a version of that without survivorship bias that includes all the companies that vanished with everyone's money. :P
05:59 < Ursium> Morning! (if you're in the UK and went to bed late like me :)) - What do you guys think of Ethereum?
08:23 < justanotheruser> What do you guys think of
08:40 < tacotime_> This question again haha
08:41 < tacotime_> Usually it boils down to "is including executable code in txs a good idea", but there are interesting things about it, it's moving quickly, and it looks to be very well funded.
10:20 < Ursium> tacotime_: but the fundraiser hasn't taken place yet
10:20 < Ursium> oh do you mean 'it will be well funded' ok .
10:21 < tacotime_> Ursium: There are 3+ devs hacking it right now, they have to be getting money to eat from somewhere I'd guess. Plus the folks behind mastercoin seem to be involved.
10:22 < Ursium> tacotime_: source on the master coin link? (not questioning it's true, just curious as i'm following this very closely). As for money to eat vitalik is part of kryptokit and I don't believe he works for free :)
10:42 < petertodd> gmaxwell: ?
10:42 < petertodd> gmaxwell: what do you mean by "decrypting the nonce"?
11:34 < gmaxwell> petertodd: you suggested in your message that the nonce could be encrypted with H(stealth address)
12:11 < petertodd> gmaxwell: oh that, yeah, of course they can do that. The encryption only helps against someone who doesn't know the stealth address - that's why I said it's a minor protection
12:12 < petertodd> gmaxwell: The point of doing so is only as an incremental improvement so that all OP_RETURN uses look semi-similar.
12:13 < petertodd> gmaxwell: oh, wait, I get your point... yeah, that's a problem
12:13 < petertodd> gmaxwell: right, and your thinking re: other ECC styles is just so that the decryption with an incorrect key should always lead to a valid - if not correct - pubkey
12:25 < adam3us> gmaxwell, petertodd: but wait u are saying c=H(eP)=H(dQ) and what encrypt r=R.x? so r'=E_c(r) so that there is no key recovery on the signature. hmm i am confused what are you encrypting and why?
12:28 < adam3us> gmaxwell, petertodd: or are u talking about this two point version with two inputs, Q=dG and Q2=d2G where Q2 is used only for screening by an untrusted party and presumably the thing is a scripthash sig so the screener can't spend?
22:20 < phantomcircuit> since at 500ms there are some people who won't be able to connect to others
22:20 < gmaxwell> phantomcircuit: with it too high you can quite seriously go hours without getting a connection up.
22:20 * BlueMatt ponders the ethicacy of running a crash-pre-0.8.4 script on the network with the goal of getting better stable-node connection
22:20 < phantomcircuit> gmaxwell, sure i remember, i am the one who originally fixed this
22:20 < BlueMatt> or maybe I should just set dnsseed to require 0.8.5
22:20 < gmaxwell> BlueMatt: it would probably partition the network right now.
22:21 < phantomcircuit> i actually was originally asking for a smaller timeout
22:21 < BlueMatt> gmaxwell: yes, that's why you start it slow
22:21 < gmaxwell> (to crash the pre 0.8.4 nodes)
22:21 < phantomcircuit> but i now disagree with myself
22:21 < BlueMatt> so no one else can partition the network by doing it
22:21 < gmaxwell> phantomcircuit: if we had multithreaded connections it would be reasonable to have one running with long timeouts while another ran with short timeouts.
22:22 < phantomcircuit> gmaxwell, we could do that right now actually
22:22 < gmaxwell> I know.
22:22 < phantomcircuit> i'll write a patch to do that after i finish everything else i have to do
22:22 < phantomcircuit> so... never
22:22 < gmaxwell> Right.
22:22 * BlueMatt sets his dnsseed to require 0.8.5
22:22 < BlueMatt> any objections?
22:23 < gmaxwell> I think there are too few nodes.
22:24 < gmaxwell> did you see how many there were? I counted before and there were only a few hundred, you're risking overloading them.
22:24 < BlueMatt> shit
22:24 < gmaxwell> and wrt partitioning the dnsseed stuff mostly controls spv nodes, but since they don't relay they don't help prevent partitioning.
22:24 < BlueMatt> we need auto-update
22:24 < gmaxwell> No we don't.
22:24 < BlueMatt> update-bugging
22:25 < gmaxwell> We made a conscious decision to not use alerts the last several releases. We could use an alert, which we did for 0.8.1
22:25 < BlueMatt> whatever, we need something to tell users "YOU'RE FUCKED UP HERE, UPDATE"
22:25 < gmaxwell> I'm not really happy with the quality of 0.8.5 (obviously, it's better than 0.8.1...) :(
22:25 < gmaxwell> e.g. software is still basically unusable for many OSX users.
22:26 < BlueMatt> that's largely fixed on 0.9, no?
22:26 < gmaxwell> No.
22:26 < BlueMatt> awww, well I guess I was dreaming :(
22:26 < gmaxwell> There are more fixes than in 0.8.5 but not enough apparently.
22:26 < gmaxwell> If it had been confirmed they worked I'd have backported and we could have done a 0.8.6.
22:26 < gmaxwell> But it sounds like they're not enough.
22:27 < BlueMatt> damn
22:27 < gmaxwell> We also have crash bugs reported on windows that we can't reproduce but seem to be a fair number of people.
22:27 < gmaxwell> And on some debian systems they can't sync the chain due to some signature validation issue.
22:28 < BlueMatt> soo...qa is fucked atm?
22:31 < warren> https://github.com/litecoin-project/litecoin/pull/80 <--- regarding encouraging people to upgrade
22:32 < warren> probably not a good idea, but we're doing it
22:32 < BlueMatt> ewwww
22:32 < BlueMatt> but, yea
22:33 < warren> https://github.com/litecoin-project/bitcoinomg/commits/bitcoin-omg-0.8 <---- here's the bitcoin 0.8 that I personally use
22:34 < warren> it's pretty much litecoin 0.8 without litecoin
22:56 < Luke-Jr> gmaxwell: I probably already have them backported for 0.8.6
22:59 < amiller> http://apps01.mywebapps.net/ajp/bc/g2.png
23:00 < amiller> measured connectivity of the network
23:00 < Luke-Jr> gmaxwell: I could go ahead and do a rc.. quite a few bugfixes.. not sure it's worth it as long as there's outstanding stuff though
23:02 < warren> Luke-Jr: where is your tree?
23:03 < Luke-Jr> warren: the stable tree is on gitorious.org/bitcoin/bitcoind-stable
23:03 < Luke-Jr> my personal repo is on gitorious and github separately
23:05 < warren> 404
23:07 < Luke-Jr> odd, I just saw it O.o
23:08 < Luke-Jr> weird
23:08 < Luke-Jr> there's some kind of invisible character on the end of what I pasted here
23:08 < Luke-Jr> gitorious.org/bitcoin/bitcoind-stable
23:13 < BlueMatt> amiller: fun, any theories on what those well-connected nodes or node clusters are?
23:13 < amiller> i think they're bitcoin-roulette
23:13 < amiller> i don't really know though, we're looking into that now
--- Log closed Fri Nov 01 00:00:21 2013
--- Log opened Fri Nov 01 00:00:21 2013
00:04 < warren> amiller: what are the groupings, IP address?
00:04 < amiller> no, mutual connectivity
00:07 < Luke-Jr> amiller: pools?
00:07 < Luke-Jr> how'd you make a map anyway?
00:29 < warren> <gmaxwell> e.g. software is still basically unusable for many OSX users.
00:29 < warren> gmaxwell: what makes it unusable?
00:33 < BlueMatt> leveldb instabilities
00:33 < warren> beyond the two fsync patches and leveldb 1.13?
00:34 < BlueMatt> <gmaxwell> There are more fixes than in 0.8.5 but not enough apparently.
00:34 < BlueMatt> <gmaxwell> If it had been confirmed they worked I'd have backported and we could have done a 0.8.6.
00:36 < warren> the 2nd fsync patch we confirmed wasn't enough
00:36 < warren> I have builds of both patches and leveldb 1.13 out now
00:36 < warren> no reports yet
00:36 < warren> nobody near me is able to reproduce the bug
00:36 < BlueMatt> so you're saying we should do another 0.8.X soon...
00:37 < warren> BlueMatt: only if it's confirmed to fix it, which we don't know.
00:37 < Luke-Jr> ^
00:37 < BlueMatt> warren: you just said no one has yet been able to reproduce a semi-reproducible bug with the latest patches, no?
00:37 < BlueMatt> at least that gives confidence that we should release builds to get more testing
00:38 < warren> BlueMatt: I mean nobody near me is able to reproduce the original problem, so I can't get them to test the builds that might fix it.
00:38 < Luke-Jr> BlueMatt: I think he means we don't know anyone who could ever reproduce it
00:38 < BlueMatt> (even if that just means telling people to try this alpha build)
00:38 < BlueMatt> ahh, ok
00:38 < warren> BlueMatt: I have been releasing builds
00:38 < warren> both litecoin and bitcoin users are complaining about this
00:38 < BlueMatt> for some reason I thought it was reproducible by some set of people
00:38 < Luke-Jr> BlueMatt: it is, but nobody we know
00:38 < Luke-Jr> lol
00:38 < warren> jgarzik's office mate, toffoo on github and two litecoin users who fail to respond.
00:39 < BlueMatt> Luke-Jr: well why are those people not on speed dial?
00:39 < Luke-Jr> warren: jgarzik's office mate should try it?
00:39 < warren> I have no idea who they are.
00:39 < BlueMatt> warren: ahh, well why is jgarzik not reporting back...
00:39 < warren> BlueMatt: he's quite busy lately
00:41 < Luke-Jr> .. why did someone make be32toh return a non-uint32_t type? :/
08:32 < warren> gmaxwell: BlueMatt: https://bitcointalk.org/index.php?topic=320695.msg3456344#msg3456344
08:32 < warren> includes both fsync patches and leveldb-1.13
09:28 < Luke-Jr> warren: Bitcoin OMG seems redundant?
09:28 < Luke-Jr> or I guess not since it's based on a stable release instead of git
09:36 < jgarzik> Luke-Jr, sounds a bit like bitcoin-next
09:45 < petertodd> BlueMatt: I kicked testnet-seed into submission, although it seems sipa's seeder code returns DNS results that still screw up some resolvers.
09:48 < Luke-Jr> jgarzik: well, bitcoin-next only includes ACK'd stuff; sounds like next-test, except that it's based on a stable version instead of latest git
10:18 < adam3us> seems like warren took the bitcoin fedora to bitcoin rhel/centos discussion and went for it :)
10:21 < adam3us> petertodd, gmaxwell, amiller: btw yesterday discussion about one-show signature (its a credential/ecash concept but works for ECDSA eg as : addr = H(r=kG,Q) then being only allowed to use the r in the addr)
10:23 < adam3us> petertodd, gmaxwell, amiller: with PoS, which seems like a potentially useful extra sybil defence, the miner has a PoS voting incentive to have all his balance on one coin; as that defines his PoS vote multiplier (reference to the txout), in that way single-show sig could be quite a discouragement
10:24 < adam3us> petertodd, gmaxwell, amiller: (recalling to reuse r=kG implies reusing k which reveals private key d if you sign two different messages via simultaneous equation, so users have an incentive to hunt for double-spends so they can race to cash them)
13:06 < BlueMatt> petertodd: fun...this is why mine are served off bind :)
14:10 < petertodd> BlueMatt: yeah, I'm thinking that's probably a better idea overall :(
15:03 < gmaxwell> petertodd: is it just AAAA records breaking them?
15:07 < petertodd> gmaxwell: doubt it, I've tried without AAAA and it still doesn't work
15:08 < petertodd> gmaxwell: go and complain about gavin's obvious security hole: https://github.com/bitcoin/bitcoin/pull/3185
15:08 < petertodd> (he allows anything in the reject message, even newlines! so you can fake a log entry)
15:16 < BlueMatt> petertodd: doesn't dig still complain about extra padding bytes or something?
15:17 < petertodd> BlueMatt: I haven't looked deeply, but yeah, it complains about something
15:32 < jrmithdobbs> can someone tell me what I'm missing to get this example to actually work? I'm using 7.6.3 and aeson 6.2.1: http://hackage.haskell.org/package/aeson-0.6.2.1/docs/Data-Aeson.html#g:5
15:32 < jrmithdobbs> erm wrong chan
15:32 < phantomcircuit> jrmithdobbs, yes you're using haskell
15:32 < jrmithdobbs> haskell is p awesome ;p
15:33 < phantomcircuit> petertodd, the maximum message size is 1MB
15:34 < petertodd> phantomcircuit: pretty sure it was 32MiB... 1MB would be problematic given blocks can be 1MB
15:35 < petertodd> aww... gavin fixed it :( I was going to have so much fun writing that the genesis block got re-orged into people's logs :(
15:35 < phantomcircuit> petertodd, im pretty sure it's 1MB
15:36 < petertodd> phantomcircuit: heh, how much do you want to bet?
01:14 < Diablo-D3> why does p2pool actually use a chain for shares?
01:14 < warren> gmaxwell: yeah, with some minor hacking and node cooperation you can have an edge over ordinary p2pool nodes
01:14 <@gmaxwell> because there needs to be a consensus on which users should be paid.
01:14 < Diablo-D3> yeah, but shares are like tx in bitcoin
01:14 < warren> Diablo-D3: the share chain is a difficult to fake way of distributing the payouts to be generated on a random bitcoind elsewhere.
01:15 <@gmaxwell> no, they're not. to create a share you have to agree with all the other p2pool nodes what the shares before that one were.
01:15 < Diablo-D3> hrm
01:15 <@gmaxwell> (so they agree you're paying the right amount)
01:15 < Diablo-D3> gmaxwell: so how can we have multiple heads on the chain?
01:15 <@gmaxwell> Now the sharechain doesn't have to be linear.
01:15 <@gmaxwell> Diablo-D3: same way you can have multiple forks in bitcoin
01:15 <@gmaxwell> but they're more likely due to the fast time between shares.
01:15 < Diablo-D3> yeah but bitcoin only recognizes one fork
01:15 <@gmaxwell> Diablo-D3: well bitcoin sees more than one fork... it just doesn't tell you about it.
01:16 <@gmaxwell> p2pool does.
01:16 <@gmaxwell> but it only extends one fork.
01:16 < Diablo-D3> well wait
01:16 < warren> Another issue that we see with lots of small p2pool users is quasi-dust payouts.
01:16 < Diablo-D3> what stops me from putting my shares on multiple forks
01:16 < Diablo-D3> warren: that's an issue with pool mining in general
01:16 <@gmaxwell> warren: that's a litecoin specific problem mostly- the minimum payout size was an intentional parameter of the system
01:16 < warren> Diablo-D3: most pools can optimize that by setting a higher withdrawal threshold
01:17 <@gmaxwell> p2pool payouts can't go smaller than one share per miner...
01:17 < Diablo-D3> warren: yeah, but then you have to hope the pool owner doesn't fuck people
01:17 <@gmaxwell> warren: basically no pools except eligius do the forced thresholding thing, dumb.. but ::shrugs::
01:18 <@gmaxwell> warren: basically the reason the number of shares in the sharechain is what it is .. is partially to control the size of the smallest payouts.
01:18 < warren> understood
01:18 <@gmaxwell> maybe forrest picked bad parameters, but it is controlled.
01:18 < Diablo-D3> gmaxwell: so what stops me from putting my shares on multiple chain heads?
01:19 < warren> It seems appropriate for BTC, (although the block expected time being close to 24 hours scares people now)
01:19 <@gmaxwell> down side is there is a variance tradeoff, but that's also true for other pools.. if you can only get paid X often that's similar to mining with higher variance.
01:19 <@gmaxwell> Diablo-D3: because your share commits to its prior share, same as bitcoin.
01:19 < Diablo-D3> gmaxwell: how exactly?
01:19 < Diablo-D3> a garbage tx in the block's tx list?
01:19 <@gmaxwell> Diablo-D3: the funny p2pool output is effectively the hash of the prior share in the chain you're extending.
01:20 <@gmaxwell> yes.
01:20 < warren> gmaxwell: the folks who are on the losing side of efficiency are psychologically scared away from p2pool, especially when they can get stuck there for a long time. That can be improved a bit by adding a little randomness to peer connections.
01:20 <@gmaxwell> warren: dunno about that, it's unclear to me what is causing that.
01:20 < Diablo-D3> hrm
01:20 < warren> gmaxwell: I've been on both sides of that, it felt great on the winning side. =)
01:20 < Diablo-D3> gmaxwell: I need to look into how p2pool works
01:21 < Diablo-D3> maybe it can be efficiently rewritten
01:21 <@gmaxwell> but I also have not seen many people remark on that. I don't think they understand that stale!=payout and efficiency==payout since that's opposite normal pool parlance.
01:21 < warren> needs different names.
01:21 < Diablo-D3> gmaxwell: well, efficiency should really be based on actual network efficiency
01:22 < Diablo-D3> like, count the dead heads as already known inefficiency
01:22 <@gmaxwell> "Charm" and "Beauty"
01:22 < warren> jgarzik: btw, conman says the Avalon hardware design is such that 1.4 seconds is the minimum work return latency. Do you know if this is true?
01:22 < jgarzik> <shrug>
01:22 < warren> jgarzik: if true, that's why your reject rate would be high on p2pool.
01:22 < Diablo-D3> gmaxwell: beauty is not a quark flavor
01:23 < Diablo-D3> charm, strange, top, bottom
01:23 <@gmaxwell> Diablo-D3: right, it's a p2pool stat.
01:24 < Diablo-D3> and then strawberry
01:24 < jgarzik> warren: p2pool also saw a metric _ton_ of duplicates, absent a manual change to increase the difficulty
01:24 < warren> New names and better docs would help. It also needs to break the temporary efficiency collusion that scares new users away.
01:24 < warren> jgarzik: the /<bignumber> change?
01:24 < Diablo-D3> gmaxwell: how is p2pool building blocks with bullshit tx?
01:24 < warren> jgarzik: part of that might be its broken difficulty handling. it is broken in different ways in stratum and getwork.
01:26 < warren> If we want p2pool to succeed, it needs a few key improvements to keep people from quitting in frustration like they do now.
01:26 < Diablo-D3> well
01:26 < Diablo-D3> a rewrite in C would be nice
01:26 < Diablo-D3> I should look into that
01:26 * jgarzik would prefer p2pool
01:26 < jgarzik> if it worked
01:26 <@gmaxwell> warren: 1 BTC bet says that there is no brokenness in p2pool getwork difficulty handling and that you're full of it
01:27 < Diablo-D3> I agree with gmaxwell
01:27 < Diablo-D3> jgarzik: you still have me on ignore?
01:27 <@gmaxwell> jgarzik: it's probably not going to work until someone who gives a shit about it is hacking on miner software for it.
01:28 <@gmaxwell> Conman only cares if someone pays him.
01:28 <@gmaxwell> or trolls him
01:28 < warren> The difference between stratum/getwork might be a scrypt-only problem. There is the separate problem where it fails to tell the miner the correct pseudoshare target and is correlated with tracebacks.
01:28 < warren> I am uncertain if the "fails to tell the miner the correct pseudoshare target" is causing the tracebacks.
01:28 < jgarzik> Diablo-D3: what happens if I say no? :)
01:29 < Diablo-D3> then.. I
01:29 < jgarzik> hehe
01:29 < Diablo-D3> jgarzik: I was going to say, if p2pool was written in C it might be small enough to run on the avalon
01:29 <@gmaxwell> warren: did forrest reenable the non-constant targets?
01:29 < warren> gmaxwell: not sure
01:30 < jgarzik> Diablo-D3: true...
01:30 <@gmaxwell> Diablo-D3: not likely.. the sharechain management uses a lot of memory somewhat fundamentally. (well, a lot for the hardware in avalon)
01:30 < warren> Diablo-D3: gmaxwell: do you see any "hash > target" errors in your log?
01:30 < Diablo-D3> warren: lemme look
01:30 < Diablo-D3> gmaxwell: still, it'd be faster than pythonese
01:30 < warren> Diablo-D3: p2pool BTC would regularly use > 500MB RAM here.
01:30 < jgarzik> more than 32MB? hrm
01:30 < jgarzik> warren: in python sure ;p
01:31 <@gmaxwell> arguably people trying to run p2pool nodes and bitcoin nodes on hardware like that is somewhat of a moral hazard. It creates an installed base invested in severely and unreasonably underpowered hardware who would resist sane improvements to the network that increase resource consumption.
01:31 < Diablo-D3> warren: thats because forrest is caching decoded shit
01:31 < Diablo-D3> and he shouldnt be
01:31 < Diablo-D3> he should switch to a faster language
01:31 < warren> decoded shit?
01:31 < warren> is what?
01:31 < Diablo-D3> p2pool sharechain tx related stuff
01:31 <@gmaxwell> well perhaps not more than 32 MB (go go generational GC) but IIRC thats _all_ the avalon has, 32mb.
01:31 < Diablo-D3> gmaxwell: but yeah
01:31 < Diablo-D3> 32 is too little
01:31 < Diablo-D3> 64 might be too little
01:31 < Diablo-D3> and you'd still need an external bitcoind
01:32 < Diablo-D3> because that sure as hell aint fitting on there
01:32 <@gmaxwell> warren: right out the door with no leaking python's gc method pretty much instantly results in 2x memory usage.
01:32 < Diablo-D3> but still, a fast sane C p2pool might be nice
01:32 < warren> gmaxwell: it seems we still have some kind of peer connection related twisted leakage
01:33 < warren> Diablo-D3: if it happens, I'd like to work on the peer selection code, I've already been experimenting with that a lot in p2pool.
01:33 < Diablo-D3> warren: the literal phrase "hash > target" is not in my log
01:33 < warren> Diablo-D3: it's pretty rare for BTC, not sure why.
01:33 < warren> Diablo-D3: no tracebacks about "JSON" anywhere?
01:34 < Diablo-D3> there might be tracebacks, but thats because I should just quit merged mining
01:34 < Diablo-D3> it doesnt like merged mining with p2pool for some reason
01:34 < Diablo-D3> er
01:34 < Diablo-D3> with devcoin I mean
01:34 <@gmaxwell> thats due to devcoin not responding, god knows why
01:35 < Diablo-D3> is namecoin dead now?
01:35 < warren> Diablo-D3: it seems that way, but somehow its exchange value is up 3x
01:35 <@gmaxwell> "it's only /mostly/ dead"
01:36 < Diablo-D3> I still have not managed to solo mine a block on that yet in months
01:36 <@gmaxwell> fwiw:
01:36 <@gmaxwell> 22:36 < xiangfu> gmaxwell: we can configure it to <1 second. but we may lose some nonce. but I never test < 1 second.
01:37 < warren> interesting
01:37 <@gmaxwell> Diablo-D3: any idea what the latency of responding to a longpoll a typical gpu is at high intensity?
01:38 < Diablo-D3> gmaxwell: depends
01:38 < Diablo-D3> in DM I can do -f 1
01:38 < Diablo-D3> and its 1 second
01:38 < Diablo-D3> -f 1 is also an insane waste
01:38 < warren> Funny thing about that. On high intensity here with identical configs, I have 5% DOA in Linux and ~1% in Windows. Fiddled with it a lot. Can't get Linux to do better.
01:38 < Diablo-D3> you turn -f up (using divisors of 60) until you get full speed
18:51 < gmaxwell> If not for the need to have a fast database as part of the validation logic I'd argue that you could do a lot about extracting all the validation logic into some code which could simply be used (and machine translated to other languages even).
18:51 < jgarzik> code -- organized like a book for easy reading
18:51 < gmaxwell> Right. What matters is the behavior. Any spec accurate enough to be complete should be _technically_ executable, though we may lack a compiler for it if the choice of language is poor (e.g. english)
18:52 < gmaxwell> (of course any complete spec in english wouldn't really be in english, it would be in some domain specific english which has formally defined out the ambiguity.)
18:53 < HM3> lolcat
18:54 < gmaxwell> E.g. if not for the database, I'd totally be tempted to say "here is your spec, it's in literate C with ACSL annotations for proving correctness. If you want a python node, you compile the code to mips assembly and use a tiny MIPS emulator to run the spec" :P but this becomes lame the larger the normative part is.
18:54 < sipa> can i hazh block?
18:54 < gmaxwell> HM3: https://en.wikipedia.org/wiki/LOLCODE
18:54 < HM3> lol
18:54 < sipa> kthxbye
18:55 < HM3> the lolcode logo is a block shaped cat
18:55 < HM3> it's an omen i tell you
18:56 < HM3> and CATena is italian for chain
19:10 < HM3> I'm on the hunt for a new personal project
19:12 < HM3> all out of ideas though, it's a time of year thing i think
19:38 < gmaxwell> petertodd: fwiw, https://bitcointalk.org/index.php?topic=310323.msg3332919
19:43 < jgarzik> two coins I would actually like to see: theorycoin, and notarycoin
19:43 < jgarzik> the former for "what bitcoin would be, if written from scratch" and the latter being a smart property / data timestamping chain
19:44 < jgarzik> if the latter were merge-mined and commonly used, could take some pressure off main chain data timestamping
19:49 < sipa> theorysipacoin: merkleized abstract syntax tree script, script+txid-indexed utxo set as state, transaction destinations specified as H(script) while in-chain H(H(script)), no malleability in signatures, pubkey recovery for small inputs, payment-protocol only (p2p is just for broadcasting to miners), txouts state the size/cpu limitations of the script that will spend them, tx fees go into a to-be-mined pool which is only partially paid out in...
19:49 < sipa> each block
19:50 < HM3> i'd add a better name to that list
19:50 < HM3> :P
19:50 < sipa> (none of these are original ideas, btw)
20:10 < gmaxwell> I was joking that it should be called scamcoin in order to discourage use. But then someone went and created an altcoin called scamcoin.
20:10 < gmaxwell> And people are using it.
20:10 < gmaxwell> So... Well. I'm worthless apparently. :P
20:13 < HM3> hobocoin
20:21 < warren> did they buy scamcoin.org?
20:22 < gmaxwell> hell if I know? Do you think they could buy it with scamcoins?
20:23 < HM3> namecoins :P
20:26 < jgarzik> outflank them. get scamcoin.us, scamcoin.eu, scamcoin.asia, scamcoin.africa, ...
20:26 < warren> yeah, because if you bought all *coin*.* domains, that'll stop future clones.
20:27 < gmaxwell> "our scamcoin 1000x more scam. Using only pure unadulterated conjectural cryptography!"
20:27 < warren> nevermind the coins that exist only as forum threads.
20:27 < warren> the client download is stored in 5,000 avatars uploaded to bitcointalk
20:28 < warren> they are unable to upgrade their client now due to the bitcointalk lockdown
20:28 < HM3> .io are where all the cool people are these days
20:28 < sipa> .io?
20:28 < warren> EIE.io was sadly taken.
20:28 < HM3> http://techslides.com/io-domains-in-alexa-top-1-million/
20:54 < warren> jgarzik: how did you learn about the china visa thing?
20:59 < amiller> gmaxwell,
20:59 < amiller> on your storage hard scheme
20:59 < amiller> isn't it roughly the same as fabien coelho's nearly-constant verification merkle tree?
20:59 < amiller> the premise of that is that you generate all the leaves of a merkle tree
20:59 < amiller> then the root
21:00 < amiller> then you use the hash of the root as an index to select a particular index
21:00 < amiller> your proof is the branch from the root to a few of the leaves
21:00 < amiller> the only difference is that you're recommending using predefined data at each leaf rather than some prf
21:00 < amiller> and the way you've described it there's interaction (which is fine)
21:01 < amiller> rather than noninteractively using the root hash to choose the branch to query
21:01 < gmaxwell> The goal isn't achieved without interaction.
21:01 < amiller> i'm not sure why not but it's orthogonal in any case
21:01 < gmaxwell> You could indeed use fiat-shamir to make a kind of non-interactive proof out of it, but thats really orthogonal.
21:02 < gmaxwell> (and the non-interactive portion really would not be useful. Since you could just perform it once and then delete the data, and then again and again and have 100,000 connections)
21:05 < amiller> i really like the idea overall
21:05 < amiller> the use of pow for exactly this purpose (preventing connection DoS) is known as client puzzles and is one of the most common proposed uses for pow but no one actually has used it (other than captcha, arguably)
21:05 < gmaxwell> Do you see what I'm saying here about not being able to make it non-interactive? We want a proof of "integral storage" e.g. not storage for a moment, but for the whole time you're connected.
21:06 < amiller> well yeah so the recipient periodically has to interact no matter what
21:06 < gmaxwell> e.g. you use a finite resource (storage) but only so long as you're connected, and then you get it back.
21:06 < amiller> it's about preventing precomputing basically
21:06 < gmaxwell> yea, but thats really cheap.. one disk lookup periodically.
21:06 < amiller> or you could use the blockchain
21:07 < amiller> make each challenge depend on the newest blocks
21:07 < gmaxwell> You could do partial non-interactive by basically doing a kind of signature of knowledge using it.
21:07 < gmaxwell> Right, or just any message you send.
21:07 < amiller> sure
21:07 < amiller> we agree here
21:07 < gmaxwell> You send a message H(message) that tells you the challenge.
21:07 < gmaxwell> and it proves you have this big table sitting around just for that peer, and you're not multiplexing a zillion peers.
21:07 < amiller> i really think there's a deep solution using PoW to basically replace IP based routing even
21:08 < gmaxwell> I think this idea is really simple and easily implemented too, I have no idea why it took me so long to come up with it.
21:09 < amiller> how do you tune it
21:12 < gmaxwell> well, I think it likely has a pretty wide range of acceptable parameters. e.g. I don't think 1GB is that burdensome even on a smartphone (new ones now have 32 gb storage, I think?) and yet 1TB connect to 1000 peers sounds like a ton. even 1TB for 8192 peers (128MBytes per connection) sounds like a fairly effective deterrent.
21:12 < gmaxwell> An obvious way is to just keep the N most costly POSs subject to some threshold, and just tell peers how much storage they need in order to make the cut.
21:13 < HM3> my phone has 8 GB of space, my laptop has 8 TB connected to it right now
21:13 < HM3> 1 GB on the phone is not cool
21:13 < gmaxwell> HM3: add a microsd card.
21:13 < HM3> no slot damnit
21:14 < gmaxwell> well, in any case, As I said, "new ones". I think the parameters generally work out okay. You could certainly do 128MBytes, right?
21:14 < HM3> i guess
21:15 < HM3> is this a proof to ensure people are using fullnodes?
21:15 < HM3> tx history
21:15 < gmaxwell> No.
21:16 < gmaxwell> It's not. Go read the post. It's to make it harder for an attacker to be able to DOS the whole network as soon as they're able to DOS just one node.
21:19 < gmaxwell> sipa: http://bitcoin.sipa.be/speed-lin-2k.png < ready to rerange your charts again? :P
21:20 < HM3> "ifficulty"
21:21 < gmaxwell> amiller: I can't really think of an application for the fully non-interactive version of this.. like "I had a bunch of storage once" seems kinda odd. :P
21:26 < HM3> 2 petahash/s
21:55 < jgarzik> warren, US State Dept website
22:35 < nanotube> what's the china visa thing?
22:35 < nanotube> gmaxwell: wouldn't the server also have to store the entire 1gb, for each of the clients it's using the PoS scheme for?
22:37 < HM3> damn Lamport invented Paxos as well
22:42 < gmaxwell> nanotube: nope.
22:42 < gmaxwell> nanotube: the function allows efficient random access by index, but not by vale.
22:42 < gmaxwell> er value.
22:44 < jgarzik> nanotube, longtime desire to visit China
22:44 < jgarzik> nanotube, been studying Mandarin off and on for a couple years, studying its history for longer
22:44 < gmaxwell> e.g. say the tree is 32 levels high (so 4 billion outputs, or maybe 50Gbytes). The server picks index 0 to challenge the client to provide. It then just has to compute 32 hash operations (H() take left H() take left H() take left...) and then it knows the value at index 0. Then it asks the client to provide the index for that value.
22:45 < nanotube> jgarzik: ah cool. hf! i was in china for a week once, in shanghai. still don't speak a lick of chinese.
22:45 < jgarzik> nanotube, hoping to catch a meetup in Hong Kong or mainland, or even better, flash the "core dev" badge and get invited to a speaking event somewhere in PRC
22:45 < nanotube> gmaxwell: aaah i see. it asks for index by value, not value by index.
22:45 < gmaxwell> so because of the tree structure H() is efficient without storage in one direction.. but running it backwards requires storage to be efficient.
22:45 < gmaxwell> nanotube: yup.
22:46 < nanotube> in that case... carry on. :)
22:46 < gmaxwell> nanotube: well, I still dunno that anyone would want to use it! but I now haz a construct.
22:46 * nanotube missed that part in reading your post >_<
22:47 < HM3> gmaxwell, clever
14:43 < jtimon> gmaxwell: hehe, I doubt the #python nice people will config qtile for me
14:43 < andytoshi> michagogo|cloud: oh, right, i forgot the server needed to support it
14:44 < andytoshi> one moment, i'll put it up..
14:44 < michagogo|cloud> andytoshi: There doesn't seem to be a %appdata%/cjclient
14:44 < gmaxwell> "Classified. Classified, classified classified classified classified classified classified. Classified classified classified classified. Classified classified classified, classified classified classified classified; Classified.
14:44 < gmaxwell> "
14:44 < jtimon> funny video introducing qtile http://www.youtube.com/watch?v=r_8om4dsEmw
14:44 < nsh> gmaxwell, something like that aye
14:45 < andytoshi> michagogo|cloud: is it listing your coins correctly?
14:45 < gmaxwell> jtimon: this is why you have to use xmonad. The programmers in other languages have actual applications for their skills. Whereas with haskell the only thing they have to do is configure xmonad for people.
14:45 < michagogo|cloud> andytoshi: I don't have a mainnet client open yet
14:45 < andytoshi> oh, my cjclient/ dir is using c:/users/apoelstra/Local Settings/Application Data/cjclient
14:45 < michagogo|cloud> Ah, looks like the copy finished
14:45 < michagogo|cloud> one moment
14:45 < andytoshi> i don't think that Local Settings/ should be there
14:45 < jtimon> gmaxwell: loool
14:45 < michagogo|cloud> andytoshi: XP?
14:46 < andytoshi> michagogo|cloud: wine
14:46 < michagogo|cloud> WineXP?
14:46 < andytoshi> uh, i dunno
14:46 < michagogo|cloud> Or even earlier?
14:46 < andytoshi> yeah, winecfg says XP
14:46 < michagogo|cloud> I know Wine lets you choose which version of Windows to pretend to be
14:46 < michagogo|cloud> And I know that Application\ Data is pre-Vista
14:47 < andytoshi> ok, i'll figure out the glib function to get %APPDATA%..
14:47 < andytoshi> bitcoin is in %APPDATA%/Bitcoin yes?
14:47 < michagogo|cloud> Indeed
14:47 < michagogo|cloud> (C:\Users\Micha\AppData\Roaming)
14:49 < michagogo|cloud> ;;blocks
14:49 < gribble> 280495
14:50 < michagogo|cloud> andytoshi: oh, btw, it's not showing my coins
14:50 < andytoshi> michagogo|cloud: yeah, it's looking for Bitcoin/ in the wrong place
14:50 < michagogo|cloud> Ah, I see
14:50 < michagogo|cloud> https://www.irccloud.com/pastebin/u9B6Gp0X
14:51 < michagogo|cloud> andytoshi: Ah, I see. Specifically, it's using %localappdata%
14:51 < michagogo|cloud> I guess it doesn't plant its folder unless it manages to find Bitcoin/?
14:52 < andytoshi> michagogo|cloud: it doesn't plant its folder unless something changes, yeah
14:55 < jgarzik> adam3us, gmaxwell: current bootstrap.dat @ block 279,000 is 14222116865 bytes
14:57 < michagogo|cloud> Hmm, I wonder how hard it would be to change linearize.py to allow it to be given an existing bootstrap.dat and have it detect the latest block in there
14:57 < jtimon> maaku, what were you thinking on getting from factor to add to joy ?
14:57 < sipa> ;;blocks
14:57 < gribble> 280495
14:58 < michagogo|cloud> (so you can point it at an older bootstrap, and say "bring this up to 279,000")
14:58 < michagogo|cloud> Oh, wait, this is the wrong channel :S
14:58 < jtimon> or nothing concrete?
14:59 < jtimon> I'm thinking that joy should be easy to merklize, no?
15:08 < andytoshi> michagogo|cloud: ok, i have refreshed the windows download to use %APPDATA% properly (and fixed the keep-on-top thing)
15:11 < michagogo|cloud> Hey, there're my coins
15:11 < andytoshi> :D
15:12 < michagogo|cloud> andytoshi: Wait, so all this does is shuffle your coins around in your wallet?
15:12 < andytoshi> michagogo|cloud: yeah, it doesn't do spends right now
15:12 < andytoshi> i'm not sure how best to UI that
15:12 < michagogo|cloud> Imitate the Bitcoin-Qt UI?
15:13 < michagogo|cloud> andytoshi: Not working
15:13 < michagogo|cloud> Syncing with joiner, session ID unknown
15:13 < michagogo|cloud> Join server: error setting certificate verify locations:
15:13 < michagogo|cloud> CAfile: /usr/i686-w64-mingw32/sys-root/mingw/etc/pki/tls/certs/ca-bundle.crt
15:13 < michagogo|cloud> CApath: none
15:13 < andytoshi> weeird
15:13 < andytoshi> what if you delete the libcurl DLL?
15:14 < michagogo|cloud> The program can't start because libcurl-4.dll is missing from your computer. Try reinstalling the program to fix this problem.
15:15 < andytoshi> <.< ok, i'll look into this
15:15 < andytoshi> thx
15:15 < michagogo|cloud> np
15:34 < andytoshi> michagogo|cloud: ok, i have stolen some DLLs from msysgit, can you try redownloading?
15:35 * michagogo|cloud scrolls up a bunch
15:44 * michagogo|cloud slaps explorer.exe around a bit with a large trout
15:45 * sipa suggests installing an operating system
15:45 < michagogo|cloud> sipa: Hmm?
15:46 < sipa> nevermind, silly joke :)
15:47 < andytoshi> sipa: lol, be thankful that somebody on this channel has a normal system to test with
15:47 < michagogo|cloud> andytoshi: You messed up again
15:47 < andytoshi> michagogo|cloud: what now?
15:47 < michagogo|cloud> Same message as when I renamed libcurl
15:47 < michagogo|cloud> Except that it's complaining about libcrypto.dll being missing
15:47 < sipa> andytoshi: true that
15:47 < andytoshi> michagogo|cloud: oops :} i forgot to put that one in the zip
15:48 < michagogo|cloud> (and it is, indeed, missing)
15:48 < andytoshi> ..no i didn't .. it disappeared
15:49 < andytoshi> michagogo|cloud: sorry about that, fixed, can you redownload?
15:50 * michagogo|cloud puts http://download.wpsoftware.net/bitcoin/cj-windows.zip at the bottom of the buffer
15:50 < nsh> could you statically link these libs, andytoshi?
15:51 < maaku> michagogo|cloud: not hard i would think, just scan backwards to find the last block
15:51 < andytoshi> nsh: probably, but i'd have the same problems as i do with bundling DLLs, plus the usual problems (no upgradability, etc) of static linking, plus potentially bad linking issues
15:52 < michagogo|cloud> ;;cjs
15:52 < gribble> Coinjoin Status: There is no currently open session. Visit https://www.wpsoftware.net/coinjoin/ or http://xnpjsvp7crbzlj3w.onion/ to start one.
15:52 * nsh nods
15:52 < michagogo|cloud> andytoshi: nope
15:52 < michagogo|cloud> Syncing with joiner, session ID unknown
15:52 < michagogo|cloud> Join server: SSL certificate problem, verify that the CA cert is OK. Details:
15:52 < michagogo|cloud> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
15:54 < maaku> jtimon: nothing concrete - just pointing out that Joy is a pure, simple academic language
15:54 < maaku> which is very good for a consensus system
15:55 < maaku> but in my experience, there is usually a handful of select hacks which offend purists but greatly simplify real world usage
15:55 < maaku> and Factor is a practical language of the Forth tradition, so we should look at that to see if there's anything to borrow
15:55 < michagogo|cloud> andytoshi: I g2g to sleep now
15:55 < nsh> maaku, any good examples of Joy in use? (that i might find accessible)
15:55 < michagogo|cloud> (or at least to bed...)
15:55 < andytoshi> michagogo|cloud: ok, thanks for testing
15:55 < michagogo|cloud> Good luck.
15:56 < nsh> 'night
15:56 < maaku> and yes, Joy - or any concatenative language - should be trivial to Merklize
15:56 < michagogo|cloud> I may be able to test more of future days
15:56 < michagogo|cloud> on*
15:59 < maaku> nsh: any kind of covenant
16:00 < maaku> e.g. i issue MarkBTC which is an IOU with 1% interest, but attach a covenant allowing me to buy it back at any time for principal + interest
16:01 < petertodd> http://www.reddit.com/r/Bitcoin/comments/1v7ayg/revolution_in_bitcoin_privacy_stealth_addresses/ <- getting good feedback on stealth addrs on reddit
16:05 * nsh nods, opens tabs
16:06 < maaku> more generally, my musing on this started from trying to Etherium within the context of just changing bitcoin's scripting system
16:08 < nsh> to <verb?> Etherium?
16:10 < maaku> heh, to do what is trying to be done with Etherium within a (minimally extended) bitcoin
16:11 < maaku> e.g. turing-complete financial contracts
16:11 < maaku> coin covenants, etc.
16:12 < maaku> for example, with a couple of script extensions and re-enabled opcodes, petertodd could make mastercoin fully validating and spv-safe
16:12 < maaku> (using covenants)
16:13 < nsh> interesting
16:13 < nsh> any notes or discussion online?
16:14 < maaku> this is an idea only 12 hours old :P
16:15 < nsh> ah, cool :)
16:15 < gmaxwell> maaku: at least you won't end up in the sad situation of having created a stack based language without roll or rotate.
16:15 < petertodd> maaku: actually months old - I proposed it for fidelity bonded bank stuff ages ago
16:15 < maaku> gmaxwell: :\
16:16 < maaku> petertodd: yeah i figured you'd been working on this, based on our conversation
16:16 < maaku> petertodd: did that involve quines? I thought that part was new
16:17 < petertodd> maaku: nah, it needed quines too, and actually credit may go to gmaxwell come to think of it - I'd have to check my IRC logs
16:17 < maaku> ah i'll go read those threads then
16:17 < nsh> ooo quines
16:17 < maaku> nsh: that's how the covenant works
16:17 < nsh> oh, fascinating
16:18 < petertodd> maaku: I *think* most of it was private conversation actually - wizards didn't exist back then
16:18 < nsh> can you(s) elaborate?
16:18 < petertodd> maaku: (this was almost a year ago now)
16:18 < gmaxwell> Yea, well, my 'invention' in the covenant thread is that you could produce a quine SNARK transaction, which is slightly surprising since you don't know the validation key for a snark until you've finished the circuit.
16:18 < maaku> mandate (some of) the outputs to have the same conditionals
16:18 < gmaxwell> Without the snark there are dumb ways to accomplish it.
16:19 < gmaxwell> With the snark it sounds impossible if you don't think about it from the right perspective.
16:19 < nsh> hmm
16:19 < maaku> /dumb/boring/
23:42 < cfields> could be because it was a 32bit image
23:43 < cfields> it hit about 3.4 gits and was 100% full
23:43 < cfields> *gigs
23:46 < maaku> Luke-Jr: you can use cgroups to set limits on lxc boxen
23:47 < Luke-Jr> sure, I just didn't see why gitian would do that
23:48 < cfields> no matter, i just split qt out
--- Log closed Sat Nov 23 00:00:01 2013
--- Log opened Sat Nov 23 00:00:01 2013
00:32 < Luke-Jr> nOgAnOo: stop trolling and maybe you won't get banned
00:32 < Luke-Jr> I'm pretty sure that was the 2nd time (at least) you started talking nonsense about centralised IPs
00:33 < Luke-Jr> nope
00:33 < Luke-Jr> the only thing centralised in Bitcoin today is 1) full node code development, and 2) mining pools
00:33 < Luke-Jr> by deciding to download a new version and installing it
00:34 < Luke-Jr> nOgAnOo: feel free to help improve the quality and adoption of other full nodes
00:37 < Luke-Jr> this is all off-topic here
00:39 < Luke-Jr> nOgAnOo: unbanned in #bitcoin, just don't do that again..
00:42 < amiller> ripple will be the next world currency
00:42 < amiller> once the people who actually run "ripple" finish fucking it all up
00:43 < amiller> credit networks are the right economic model
01:56 < maaku> haha
01:56 < maaku> amiller: we're continuing the dream
01:56 < maaku> it just won't be called Ripple(tm)
01:57 < maaku> which sucks, because that was a great name
02:07 < petertodd> maaku: wave
02:13 < petertodd> maaku: "surf the wave", "ten times more rad", "a fresh new breeze in payment something or anothers"
02:14 < maaku> hmm that's not bad
02:14 < petertodd> lol, I know, scary...
02:15 < petertodd> my other ideas were "Epidemic" and "Highly Infectious Crypto-Currency Disease"
02:20 < wumpus> did this suddenly become #bitcoin-religion ? :p
02:21 < Luke-Jr> no, and that's #eligius
02:21 < Luke-Jr> <.<
02:21 < petertodd> lol
02:21 < wumpus> hehe
02:21 < wumpus> so if people get banned in #bitcoin they go off to see the wizards here, interesting
02:21 * petertodd is gonna start a pool that puts quotes from Richard Dawkins in the coinbase.
02:22 < Luke-Jr> I coulda sworn I'd written a ucs2_to_utf8 function.. where did it go? :<
02:22 * Luke-Jr puts petertodd on Eligius's quote-setting banlist
02:22 < petertodd> ooh, I can set quotes? nice!
02:22 < Luke-Jr> (which is now length==1)
02:23 < Luke-Jr> actually, I guess I can't stop you if you use GBT XD
02:23 < petertodd> heh
02:23 < petertodd> oh, so with GBT can I mine blocks that contain rick-rolls...
02:24 < gmaxwell> dear lord, not freeking dawkins.
02:25 < Luke-Jr> petertodd: -.-
02:25 < wumpus> people will be studying the block chain in 1000 years as an eh curious cultural artifact, more like wtf were people thinking
02:25 < warren> wumpus: SD loss return spam might be worth something then.
02:26 < petertodd> ha
02:27 < petertodd> latest non-std tx was "Knowledge itself is power." - pff
02:27 < wumpus> warren: maybe they'll ascribe the completely irrational gambling to some weird pagan ritual
02:28 < warren> wumpus: I dunno, technology advances but human nature doesn't change.
02:28 < gmaxwell> "apparent rituals we do not understand"
02:28 < petertodd> wumpus: "Here we see an intriguing example of ritual sacrifice among our math-worshipping..."
02:28 < gmaxwell> warren: who says the observers are human?
02:28 < warren> hahhaah
02:29 < gmaxwell> Indeed "ritual sacrifice"!
02:29 < petertodd> gmaxwell: makes sense - who really thought the bets were human...
02:34 < petertodd> gmaxwell: b7f58538f198c35e313fd173e1c3f89b2f6bedeb671c1292a7fec909498e897b
13:07 < michagogo|cloud> 09:23:07 <Luke-Jr> actually, I guess I can't stop you if you use GBT XD
13:07 < michagogo|cloud> Well, can't you refuse to acknowledge quotes that you don't provide as valid shares?
13:08 < michagogo|cloud> ;;later tell cfields If you need gitian testing, let me know -- I've got a raring VM set up with gitian and LXC that I'd be happy to use to help out
13:08 < michagogo|cloud> oh, no gribble
13:08 * michagogo|cloud prepends /msg gribble
15:29 < amiller> jgarzik, you want to weigh in on if ebfull has satisfied the requirements for the bounty you posted?
15:29 < amiller> https://bitcointalk.org/index.php?topic=326559.0
18:15 < Luke-Jr> michagogo|cloud: you *could*, but GBT wouldn't be usable for ASICs with that limitation
22:17 < cfields> michagogo|cloud: thanks, but i got it with precise
--- Log closed Sun Nov 24 00:00:03 2013
--- Log opened Sun Nov 24 00:00:03 2013
03:20 < michagogo|cloud> cfields: have you tested with an LXC of precise with a raring host?
03:21 < michagogo|cloud> Luke-Jr: why not?
03:27 < cfields> michagogo|cloud: that's what i'm using now, yes
03:29 < michagogo|cloud> cfields: ah, okay
04:12 < Luke-Jr> michagogo|cloud: because without the ability to append data, it'll only produce a single block header (4 Gh)
04:30 < Luke-Jr> UGH, Electrum added a "send from" nonsense
04:33 < Luke-Jr> sigh, he doesn't even understand why there's a problem
04:34 < Luke-Jr> amazing how easy it is to write broken wallet software
04:35 < Emcy> send from is intuitive though
04:35 < Emcy> wrong but intuitive
04:38 < michagogo|cloud> uh.
04:38 < michagogo|cloud> seriously?
04:38 < michagogo|cloud> o_O
04:38 < michagogo|cloud> Luke-Jr: Well, I guess you could allow appending data but reject appended data that was another quote if you really wanted to :-P
04:38 < Emcy> 'from' is an abstraction of whats really going on that probably works for how most people are sending bitcoins right now
04:39 < Emcy> until they try to use it as a return path or something
04:39 < michagogo|cloud> Emcy: Right. And that happens all the time.
04:40 < Emcy> yeah well there are a LOT of bad practices going on in bitcoin that are going to cause major problems in future and could prove intractable with time
04:41 < Emcy> thats what happens when your little experiment project gets used in production for billions worth of value whether you like it or not
05:22 < sipa> yup
07:45 < warren> https://bitcointalk.org/index.php?topic=343901.0
07:45 < warren> "Bitcoin core Qt maintainer"
07:45 < warren> John Smith
07:45 < warren> never seen that name before
07:45 < sipa> warren: that's wumpus aka laanwj
07:46 < warren> hah
07:46 < sipa> he has always used that name on the forum, afaik
07:46 < wumpus> yes
07:51 < wumpus> I'd like to change it to wumpus but it's no longer possible to do it yourself and I don't feel like bothering admins and such, also because I don't really like the forum much and don't intend to spend too much time there
08:20 < michagogo|cloud> wumpus: well, you could put that in your signature...
08:26 < gmaxwell> wumpus: just send theymos a message, it would take you like two seconds. :)
08:27 < gmaxwell> okay, 10 seconds since you might want to pgp sign it. :)
08:28 < warren> gmaxwell: I already did
08:29 < Emcy> i read about the name change thing
08:30 < Emcy> fwiw i support changing it to Bitcoin Core. It might go some way to explaining to people what the satoshi client actually does that all the others dont, and why its caning the hell out of their computer when the others dont
08:31 < wumpus> yes, agreed, it needs to change name, it's less important what name
08:31 < warren> split the consensus part from the wallet...
08:31 < Emcy> well like i said bitcoin core is about as explanatory as you can get whilst keeping it a title and not a synopsis
08:32 < Emcy> also people like cores and stuff, it sounds cool. And people like to be in the centre of things
08:32 < wumpus> warren: that's what we're working on (with nowallet mode and such)
08:33 < wumpus> would be nice to have the code in different directories as well
08:33 < michagogo|cloud> Hmm, I was going to write a post on bct to try and recruit gitian builders
08:34 < michagogo|cloud> I guess I never got around to it
08:34 < michagogo|cloud> Hmm, now that I think about it I'm not sure what I'd say in such a post
08:35 * michagogo|cloud is not very good at writing
08:45 < petertodd> wumpus: I asked to s/retep/Peter Todd/ on the forum and theymos changed it literally within about 45 seconds
08:46 < warren> how recently?
08:46 < petertodd> warren: like 5 hours ago
08:48 < warren> I wonder if "warren" is taken
08:48 < warren> probably
08:49 < wumpus> petertodd: nice
09:36 < TD> it seems you can't set forum photos anymore either
09:36 < TD> i tried a few weeks ago and it just ignored me
09:36 < TD> it blows my mind that theymos is sitting on such a huge pile of bitcoins and does absolutely zip with it
09:37 < pigeons> yes i also tried a few days /weeks ago to set the photo and it didn't work
09:38 < gmaxwell> The photo stuff is disabled because it was custom code that was potentially vulnerable.
09:39 < gmaxwell> A bunch of stuff was disabled after the compromise was discovered and its been gradually getting re-enabled.
09:39 < gmaxwell> (a bunch of it is moderator tools, so the progress may not be generally visible to all users)
09:57 < michagogo|cloud> TD: what do you mean?
09:58 < TD> mean by what?
09:58 < michagogo|cloud> Your most recent message
09:59 < TD> a long time ago theymos asked for a lot of donations in order to raise money for writing a new forum, or making major upgrades
10:00 < TD> he got thousands of coins
10:01 < petertodd> enough money to hire a team of bitcoin people away from their dayjobs...
13:06 < michagogo|cloud> o_O
13:06 < michagogo|cloud> ...thousands?
13:06 < michagogo|cloud> That's a seriously huge bounty...
13:07 < michagogo|cloud> I suspect there are people who would be happy to write an entire forum system from scratch if it meant becoming a multimillionaire.
13:07 < TD> well, as the value went up it seems he lost interest in developing new forum software
13:08 < gmaxwell> The forum funds are used for more than just software though, e.g. moderators get paid a bit, it pays for hosting (which is non-trivial, as the bct forum is a highly trafficked site and gets DOS attacked a lot)
16:12 < HM2> But i don't think there's an integer multiple requirement on the cipher block size vs the arbitrary domain you want
16:12 < HM2> if that was the case, this entire paper would be useless
16:12 < HM2> the point is to produce a pseudorandom permutation of say, 1 to 10^16 for generating card numbers or such
16:13 < HM2> if you need a cipher that has a multiple of 10^16 as the block size, then you may as well start from scratch and use that
16:13 < HM2> it'd be a chicken and egg problem
16:13 < HM2> but maybe you're right, it might be a risk
16:13 < HM2> perhaps the paper only means to imply "good enough" with good primitives
16:15 < sipa> I HAVE NEVER CLAIMED THERE WAS A RISK
16:15 < sipa> that's why i apologize for bringing it up
16:15 < sipa> i just said it's not a perfect shuffle
16:15 <@gmaxwell> he's only saying that the permutations are not equiprobable. This is not ideal. It may not matter in any given application.
16:16 < HM2> sorry sipa, i didn't mean to get things heated
16:16 < sipa> no, i'm sorry!
16:16 <@gmaxwell> sipa: I went through the same thing a week ago with someone (HM2?) on random number selection for some fool lottery.
16:16 < HM2> not me?
16:17 < HM2> unless I've forgotten
16:17 <@gmaxwell> In that case they wanted to generate uniform random 'winners' for the lottery with H()%users.
16:17 < HM2> definitely not me
16:17 <@gmaxwell> in any case, it also ended in tears.
16:18 < HM2> A modulus would definitely cause issues with sizes that weren't factors
16:18 <@gmaxwell> where I basically made the same point sipa made, and they responded like you did here. And then I set their dog on fire.
16:19 < HM2> but this method just maps 2 arbitrary sets and uses the mapping to select a permutation of one set. if the # of mappings mod the number of permutations is 0, then there should be no bias from that alone
16:19 <@gmaxwell> HM2: it's the same issue, but it's easier to see where the non-uniformity from % shows up without having to enumerate all the possible keys first.
16:19 < sipa> HM2: absolutely true, but not the point i was making :)
16:19 < HM2> sipa: but i think it's always the case that there's an integer ratio
16:20 < sipa> HM2: yes
16:20 < sipa> that's correct
16:20 < sipa> 22:09:10 < sipa> HM2: sure, if you take a uniformly random permutation function from 2^N -> 2^N, apply it to the numbers 0..I, and then sort these numbers, you get a uniformly random permutation
16:20 < HM2> hmm
16:20 < sipa> HM2: put otherwise, you have the set S of _all_ functions 2^N -> 2^N
16:20 < sipa> you pick one uniformly random from that set
16:21 < sipa> apply that function to the numbers 0..I
16:21 < sipa> sort these numbers
16:21 < HM2> right, yeah I'm sory of with you now
16:21 < sipa> and return the list of 0..I sorted according to that function
16:21 < HM2> *sort
16:21 < sipa> then yes, you have a perfect shuffle
16:22 < sipa> sorry, the set of all permutations 2^N -> 2^N
16:22 < sipa> i don't think it holds for the set of all functions, as you may get collisions
16:23 < sipa> and that is what the method in that paper approximates
16:23 < HM2> right, but you don't get collisions in a symmetric block cipher, otherwise they're pretty useless.
16:23 < sipa> indeed
16:23 < sipa> instead of picking a random permutation, you pick a random key and use that with a block cipher
16:23 < HM2> right
16:23 < sipa> that will not give you a random permutation, but it will be indistinguishable from one
16:23 < sipa> which is what matters for security
16:23 < HM2> right
16:24 < HM2> it's the "integer multiple" thing that threw me here
16:24 < sipa> well, that's the point
16:24 < HM2> because that's not true, even in the paper's own example
16:24 < sipa> that is the reason why it can't be a random permutation
16:24 < sipa> because you started off with a biased set of functions to choose from
16:26 < sipa> just to be clear: i'm not talking about applying the permutation (=block cipher) to the numbers and then sorting
16:26 < sipa> that is absolutely perfect
16:26 < HM2> anyway, this algorithm also sucks because you need O(n) memory and to perform O(n) block cipher encrypt operations
16:26 < sipa> it's the fact that a block cipher with a random key is NOT a random permutation
16:26 < HM2> the paper discusses 2 other algorithms, which I think I best not mention lol
16:27 < HM2> thanks for discussing it with me anyway sipa
16:27 < HM2> you always make me think
16:27 < sipa> :)
16:30 < HM2> On a lighter note, I'm not sure if the FPE wikipedia page has been copied from this paper
16:31 < HM2> Seems to have the same structure
16:31 < HM2> Hopefully not the other way around
17:04 < HM2> chilling for a while now sipa i see some more of your points
17:06 < HM2> a lot of the problem is just the insane amount of entropy in a random shuffle
17:08 < HM2> the old phrase about there being more permutations in a deck of cards than there are atoms in the universe
18:32 < HM2> It seems the Thorp shuffle variant of Feistel ciphering has been proven fairly secure with block ciphers (under standard assumptions) for small domain encryption
18:33 < HM2> It's very intuitive and easy to visualise as well
18:42 < HM2> it reminds me a lot of double-and-add in EC point multiplication
18:42 < HM2> the thorp shuffle that is
18:55 <@gmaxwell> Thorp shuffle sounds like a butterfly network.
18:56 <@gmaxwell> I don't see how it can give uniform permutations in a small (e.g. log N) number of steps though.
18:56 <@gmaxwell> Is there a proof that it does?
18:57 < sipa> link?
18:58 <@gmaxwell> I'm probably looking at the thing that hm2 is looking at: www.cs.ucdavis.edu/~rogaway/papers/thorp.pdf
19:00 <@gmaxwell> (And it sounds like a butterfly network the kind of topology you use for logN implementations of sorting networks and FFTs)
19:26 < HM2> yeah that's it gmaxwell
19:32 < HM2> I'll have to relookup butterfly networks
19:34 < HM2> Feistel Ciphering looks like it can be applied to elliptic curves. So presumably you could permutate aG to bG using a key, k, and use the same key on the private key (bidirectionally)
19:35 < HM2> I'm not sure how that'd ever be useful though
19:35 < HM2> (one of the papers mentioned EC domains, i'm not just musing)
19:38 < HM2> I guess that's kind of what the hierarchical wallet proposal does, the chain code being the key
19:38 < HM2> except you can only go one way
19:39 < HM2> you can't go from a child public key to a parent key if you know the chaincode
19:40 < HM2> well, unless, as someone was saying the other day, you permutate all 'i'
19:40 < HM2> so i guess it's more or less the same
19:47 < HM2> the nice properties of ECs seem to make any applications of permutating points kinda pointless
23:37 < amiller> i really like cache oblivious data structures
23:37 < amiller> they all look like fractals
23:38 < amiller> http://www.cs.au.dk/~gerth/papers/alcomft-tr-02-136.pdf
23:38 < amiller> funnel heap is my favourite
--- Log closed Fri Apr 26 00:00:42 2013
--- Log opened Fri Apr 26 00:00:42 2013
--- Log closed Sat Apr 27 00:00:45 2013
--- Log opened Sun Apr 28 00:00:47 2013
16:05 < DrChill> Hello all
16:05 < DrChill> Should I run the github version of bitcoind on a production server?
16:06 < DrChill> Or should I use another download?
16:29 < BlueMatt> umm...waay wrong channel
16:29 < BlueMatt> probably #bitcoin
--- Log closed Mon Apr 29 00:00:49 2013
--- Log opened Mon Apr 29 00:00:49 2013
--- Log closed Mon Apr 29 14:01:23 2013
--- Log opened Mon Apr 29 14:01:38 2013
--- Log closed Tue Apr 30 00:00:52 2013
--- Log opened Tue Apr 30 00:00:52 2013
14:37 < warren> gmaxwell: https://github.com/bitcoin/bitcoin/pull/2577
14:38 < warren> I'm surprised that this is actually being considered.
14:39 <@gmaxwell> Why?
14:39 < warren> Pleasant surprised.
14:39 < warren> argh... can't type today
14:40 < warren> It seemed that folks weren't willing to consider this earlier.
--- Log closed Wed May 01 00:00:55 2013
--- Log opened Wed May 01 00:00:55 2013
--- Log closed Thu May 02 00:00:57 2013
--- Log opened Thu May 02 00:00:57 2013
22:37 < jrmithdobbs> gmaxwell: ;p
--- Log closed Fri May 03 00:00:00 2013
--- Log opened Fri May 03 00:00:00 2013
19:06 < sipa> when i publish benchmarks for libsecp256k1, i think i should use the unit MiB blockchain/s
19:06 < sipa> currently 3.7 on my laptop :p
19:06 < jgarzik> ;p
19:06 < jgarzik> sipa: that's the secret behind getting testers for your stuff: give people a number on which they may compete
23:10 <@gmaxwell> sipa: should be in megabits.
23:10 <@gmaxwell> 31mbit/sec is pretty impressive! It would move most non-commercial users back to being bandwidth limited.
--- Log closed Sat May 04 00:00:03 2013
--- Log opened Sat May 04 00:00:03 2013
00:19 < amiller> the requirements for super duper moon math blockchain verification are weird
00:19 < amiller> let me try to interpret some of them for you here.
00:20 < amiller> the basic thing is that we only know how to do constant-time-verification for boolean circuit programs
00:20 < amiller> a boolean circuit program is a really restricted form of program
00:20 < amiller> it's like C but with all the loops unrolled
00:20 < amiller> everything gets done instantaneously in one enormous step
00:21 < amiller> you'd have to have bounded size inputs
00:21 < amiller> if you assume that my authenticated data structure merkle UTXO thing works
00:21 < amiller> and there's a bound of M on the number of outstanding elements at any given time
00:22 < amiller> then to check N operations (let's just say N blocks) it will take O(N log M) hashes to validate a bunch of blocks
00:22 < amiller> to validate N blocks i mean
00:22 < amiller> okay so where the moon math comes in
00:23 < amiller> is that i can take a single setup phase to construct a big ol' circuit that does one huge chunk of validating N blocks and this takes me O(N log M) to prepare
00:24 < amiller> think of it as spending O(N log M) effort to compile a "big-ol'-program-that-validates-N-blocks" circuit
21:30 < amiller> the scarcity isn't "enforced by a mathematical algorithm"
21:31 < amiller> it's maintained just as long as everyone's swarm behavior is to prefer to stick to one big clump and struggle in the biggest one
21:38 < warren> nanotube: ah, one avalon owner caused the difficulty to escalate, he then bailed out so the remaining miners would take 2-3 hours to the next block.
21:38 * warren wonders why all of the sha256 alts aren't killed that way, if you want to discourage scams
21:39 < gmaxwell> because almost no one who actually cares about scams thinks that it's right to attack things like that to discourage them.
21:39 < gmaxwell> The closest you got was luke shutting down CLC at block .. ~3. (Someone took a prerelease of bitcoin's p2sh functionality and released it as AMAZING-NEW-CRYPTOCOIN with a premine and exchange support on the first block)
21:39 < gmaxwell> But it was mergedmined so it was easy for luke to just mine it and exclude all other mining.
21:39 < gmaxwell> until people gave up on it.
21:39 < gmaxwell> But this was _highly_ controversial and basically earned him months of DOS attacks.
21:39 < warren> I was wondering why Eligius is so small.
21:39 < warren> Some of the recent coins use sha256 but are not merge mineable (by design?). So instead of allowing merge miners to contribute to its protection, they can be obliterated by a single Avalon owner who opts out of Bitcoin for a short while. People who want the alt coin to survive can't, or would need to divert lucrative ASICs away from Bitcoin to do so.
21:39 < warren> Doing so however excludes all the other miners, then people quit.
21:39 < gmaxwell> eligius is something like 3% of the network hashrate, not that small but it has an interface only a developer could love and a lot of people think that the low fees are a signal that it's bad.
21:39 < warren> "but it has an interface only a developer could love" and p2pool manages to be even less friendly =)
21:40 < gmaxwell> they're generally pretty similar wrt other than p2pool taking more effort to setup. Eligius lots most of its biggest miners to p2pool when p2pool really took off.
21:40 < gmaxwell> (e.g. myself, midnightmagic, uukgoblin)
21:40 < gmaxwell> s/lots/lost/
21:40 < warren> I see.
21:42 < warren> oh boy. btc-e just added two more alts.
21:45 < gmaxwell> amiller: well that's true of anything, I mean, I can start printing out bits of green paper that say $1 Gmaxllors and say that my alternative reduced the scarcity of the dollar, but the distinction matters because of 'clumping' on the one.
21:46 < gmaxwell> the irony here is that something like an LTC eclipsing btc would be its own doing, since the logical next question is "well, when is ltc going to get eclipsed by a very similar clone" :P
21:46 < amiller> there's more to the solution space, once this line of reasoning opens up though
21:48 < amiller> merged mining and validate-other-blockchain-scripts and other puzzle variants can affect the relations between competing groups
21:48 < amiller> those are like the 'plus extra lock-in mechanisms'
21:49 < warren> I've come to the conclusion that Litecoin is redundant and they need to change their hash in the future. I will push code there, stuff like experimental fee calculation.
21:50 < amiller> ripple is still the only financial model that makes any sense in the super long term
21:53 < warren> The alts are absolutely insane. Litecoin's website is mysteriously down now. There isn't any actual non-speculation activity, and yet it is over $3/coin. This makes no sense.
21:54 < gmaxwell> $3? lol.
21:55 < warren> gmaxwell: it was $5 on April 1st. NVC is $3.71. PPC $2.39
21:55 < gmaxwell> warren: I think I made about 40 BTC selling oodlegazillion ltc about 9 months ago. Was quite happy with that.
21:55 < gmaxwell> warren: well what's the actual volume of the orderbook on these things? ... last trade isn't the best metric of that.
21:55 < nanotube> hehe shoulda held on...
21:56 < amiller> do we have a better way of estimating real market cap rather than just multiplying last price
21:56 < warren> gmaxwell: PPC trading began only like an hour ago
21:56 < amiller> like just adding up the public order books isn't that compelling either
21:56 < gmaxwell> warren: ppc has been trading for a long time maybe not on that exchange.
21:56 < warren> oh
21:57 < gmaxwell> I had 250,000 PPC at one point. I mined something like 80% of the initial three days. :P
21:57 < warren> amiller: you could do a vwap maybe
21:57 < gmaxwell> warren: if it's one coin bouncing back and forth... what does that mean? I trade 1 coin with myself a million times at $10000/coin... :P
21:57 < warren> hah
21:58 < gmaxwell> I think I sold 200,000 PPC for like 10BTC. ... and I probably have a few thousand left, in fact.
21:58 < warren> gmaxwell: I suppose if the exchange fees are negligible compared to the value you are trying to establish as a psychological anchor
21:58 < gmaxwell> Guess I should go find it.
21:59 < warren> Litecoin has had no releases in 10 months, its website is down, speculators don't care.
22:00 < gmaxwell> PPC has every block cryptographically signed by its mysterious developer which is the only thing that has saved it from a bunch of attack. Speculators don't care.
22:01 < warren> signed for what purpose?
22:01 < gmaxwell> Considering that you could probably create a cryptocoin which was powered by security provided from cat pictures and hope ... plus signed blocks. :P
22:01 < gmaxwell> warren: basically they added a transaction type that just inserts a checkpoint into the checkpoint list. And they checkpoint every block... so there can be no consensus failure: the consensus is whatever dear-leader says it is. :P
22:02 < warren> HAHAHA
22:03 < gmaxwell> "sudoku cents"
22:03 < warren> Bitcoin's mysterious leader can only scare people with alerts, not choose which chain is real.
22:04 < gmaxwell> The alerts can even be disabled with an alert.
22:04 < warren> gmaxwell: oh, that litecoin "obsolete" please upgrade error message has been going on ever since. Official response is "ignore it, wait for 0.8.1"
22:04 < gmaxwell> LOL
22:05 < gmaxwell> "URGENT: Alert key compromised, upgrade required"
22:05 < gmaxwell> so even if the alert key is compromised anyone with it can trigger that instead.
22:05 < nanotube> "warning, bitcoin being superseded by $newcoin. advise to switch asap"
22:05 < warren> "URGENT: Ignore alert key compromised messages. It is an error because we didn't do any releases for 9 months. Everything is fine."
22:06 < gmaxwell> lol
22:06 < gmaxwell> nanotube: the compromised message is hardcoded and supersedes any other message.
22:06 < nanotube> heh ic
22:07 < warren> Then the new release is to have an entirely new alert key?
22:07 < gmaxwell> That's the idea.
22:08 < warren> hah, PPC dropped 80% from that moment I looked at it
22:08 < gmaxwell> heisencoin
22:08 < gmaxwell> the price can not be both observed and traded at
22:09 < warren> well, that paid for the BFL at least ...
22:09 * warren wanders off.
22:13 < warren> gmaxwell: http://www.cryptocoincharts.info/period-charts.php?period=1-year&resolution=day&pair=ppc-btc&market=vircurex
22:13 < gmaxwell> warren: it's not profit until it's in your wallet...
22:39 < warren> Perhaps Terracoin should add testnet's difficulty failsafe.
22:39 < warren> (They can't screw up more than they are now.)
--- Log closed Sat Apr 06 00:00:14 2013
--- Log opened Sat Apr 06 00:00:14 2013
00:37 < nanotube> http://blockchain.info/address/871a40e5e61b96b6171f1b435788082edadda7a8 <- fun blockchain spam.
00:39 < gmaxwell> oh god.
00:39 < gmaxwell> 11MakeSureToVisitEtchABLockZAVq9D 0.00000001 BTC
00:39 < gmaxwell> 11DotComXXXXXXXXXXXXXXXXXXXadFTXV 0.00000001 BTC
00:40 < gmaxwell> right ... see how much we really need to lower fees? :-/
00:41 < nanotube> etchablock.com seems to be defunct though
00:41 < nanotube> latest transaction in 2011
00:42 < nanotube> they wouldn't spend those .0005s at today's prices. :)
00:43 < gmaxwell> ah, I'd missed the dates.
15:58 < HM> you know
15:58 < HM> if the RPC mechanism ever needed improving, the way Wayland does it is pretty slick
15:59 < HM> generates thin inline headers for each function call for both clients and servers, corresponding server and client libraries are ~40KB a piece
15:59 < HM> no extra dependencies
15:59 < HM> introspectable
16:02 < HM> oh actually has a dependency on libffi for dispatch (meh, tiny 30KB lib)
16:08 < gmaxwell> wayland needs to handle data at rates thousands of times greater than bitcoin... pretty different motivations and security considerations.
16:16 < HM> it doesn't really
16:17 < HM> the odd key press event, most of the time it just sits there idle
16:18 < HM> once you start adding payment notification events to bitcoin you're going to need a better IPC interface imo
16:18 < HM> s/when/if/
16:18 < gmaxwell> uh. we do have payment notifications.
16:20 < HM> where is that?
16:20 < gmaxwell> e.g. walletnotify.
16:21 < gmaxwell> (which I think is horrible and should die, but that's another matter)
16:21 < gmaxwell> I think the 0mq patch seemed reasonable.
16:21 < HM> 0mq is tricky for RPC
16:22 < HM> you will need separate sockets for notifications and REQ/REP
16:23 < HM> I haven't seen the patch however, where does it live?
16:24 < HM> ah found it
16:25 < HM> ah it's a python front end to the json rpc interface
16:25 < HM> or is that a test
16:25 < HM> hmm
16:26 < HM> it's SUB only anyway
16:26 < gmaxwell> HM: no, jesus, go look at pull requests and actually read it. It doesn't do much right now, but it seems like a reasonable way to do notifications.
16:28 < HM> I'm looking at pull 2415
16:29 < gmaxwell> Which is not at all a python front end to the json rpc interface.
16:30 < gmaxwell> It links bitcoin against the 0mq libraries and allows it to publish notifications for transactions and blocks.
16:31 < HM> yep, wrapping the existing json rpc code
00:04 < warren> One of those "stock exchanges" has options and margin borrowing backed by the arbitrary "securities" (mostly "bonds") in the exchange, but they added LTC recently.
00:04 < warren> Deposit 1 LTC, you get one share.
00:04 <@gmaxwell> I guess one problem is that if you blow up litecoin, people won't be able to move their litecoin to the exchanges to sell it until litecoin is fixed again.
00:05 < warren> the money in the exchange is rather large now, and can cause a perception of a crash. That and Litecoin's lack of devs and uncoordinated miners means they can't fix this.
00:05 <@gmaxwell> well, if it's mpex I think history suggests that MP will renege on contracts to protect his own hide when he's on the losing side of a trade... so I guess you have to factor in the counterparty risk on such things.
00:05 < warren> they won't even realize a fork happened until 100+ blocks later
00:06 < warren> it isn't mpex
00:06 <@gmaxwell> in any case, yea, viable shorting produces the missing piece for attacking it: an economic incentive.
00:08 < warren> It seemed like Luke-Jr tried to attack Litecoin earlier for lulz.
00:09 <@gmaxwell> I don't believe that's the case?
00:10 <@gmaxwell> you have to be really careful in reading alt currency posts.. there are a lot of real idiots posting. They hate luke (for multiple reasons, including the fact that luke keeps calling their currencies scams).
00:11 < warren> Oh, Luke mentioned it himself.
00:11 <@gmaxwell> link?
00:11 < warren> hmm
00:11 <@gmaxwell> The only thing that luke 'attacked' that I'm aware of was "CLC" and his attack pretty much consisted of mining all the coins so no one else could. :P
00:12 < warren> It wasn't in -dev, and this was like 2-3 weeks ago.
00:12 <@gmaxwell> (this was a cryptocurrency which basically was created by taking an early version of the P2SH stuff in bitcoin while it was in development, adding a huge premine, paying btc-e to list it on the exchange, and announcing it as a huge advance over bitcoin.)
00:12 < warren> He was responding derisively about Litecoin (as usual), then pointed out a CVE, then lamented that coblee patched it too fast.
00:13 < warren> CLC?
00:13 < warren> sounds like novacoin
00:13 <@gmaxwell> "new scam same as old scam"
00:13 * jgarzik wonders if there is a nice list of all these
00:13 < jgarzik> i.e. alt-coins, and their problems ;p
00:13 <@gmaxwell> jgarzik: I asked that in #bitcoin-dev earlier todayish.
00:14 < jgarzik> need to troll MPOE-PR into writing one
00:14 < warren> I don't understand MPOE-PR's agenda.
00:14 < warren> on the forum
00:15 <@gmaxwell> 13:15 <+gmaxwell> gavinandresen: that page is kind of distorting because it
00:15 <@gmaxwell> doesn't list all the failed ones.
00:15 <@gmaxwell> 13:15 <+gmaxwell> gigitrix: e.g. where is WEEDS and BEERCOIN and LiquidCoin
00:15 <@gmaxwell> warren: current bets is that MPOE-PR is MP though that only explains a little.
00:20 <@gmaxwell> jgarzik: only a few have had informative failures. LQC == time between block matters, CLC == merged mining is not a panacea (/paying exchanges to list you pisses people off!), SLC1.0 == 'stupid fee rules make you vulnerable to spam attacks'
00:22 <@gmaxwell> doublec would probably be a good resource, considering he's run a bunch of these things and gotten ripped off by the big reorg attack on i?coin.
00:22 <@gmaxwell> https://en.bitcoin.it/wiki/List_of_alternative_cryptocurrencies
00:25 < jgarzik> MP's blog had a quite excellent list of bitcoin scams to date. A bit unfair at times, but for the most part accurate and exhaustive
00:26 < Diablo-D3> yeah, mp still considers DMC a scam
00:26 < Diablo-D3> although we're quickly approaching breaking even again
00:31 < warren> DMC?
00:32 < jgarzik> DMC seemed more like lack of competence, than a scam. But hey, it has ASICMINER shares, so might still come out ok.
00:40 < warren> LQC == time between block matters ... I can only guess what happened.
00:41 < Diablo-D3> heh, jgarzik is still trolling
00:41 < Diablo-D3> warren: DMC was a company I started that was trying to focus on high density computing in data centers built for the task
00:42 < warren> Diablo-D3: and it turned into an ETF that holds ASICMINER?
00:42 < Diablo-D3> warren: well, not quite
00:42 < Diablo-D3> warren: part of the plan was to also mine
00:42 < Diablo-D3> ergo the M in DMC
00:43 < warren> Do you also sell gull wing cars?
00:43 < Diablo-D3> we didn't have enough money to afford the DC, so I was buying mining power through other ways
00:43 < Diablo-D3> so we could pay dividends early on to get more investments
00:43 < Diablo-D3> problem is nefario lied about how he was vetting companies listed on his exchange
00:44 < Diablo-D3> DMC pulled out a lot of its money before the mining market on GLBSE crashed and ended up making a profit
00:44 < Diablo-D3> nefario then tried to remove me as CEO of the company (which well, it just doesn't make any sense, legal or otherwise) and left it up to a shareholder vote
00:45 < Diablo-D3> majority of eligible shares voted, majority voted in favor of me
00:45 < Diablo-D3> and then shortly after nefario closed down GLBSE
00:45 < warren> It seems that investments in mining are only profitable under two conditions: 1) Mine while the coin value is perceived to be depressed, trusting that you can sell all the coins later at a high price. 2) Sell the shovels.
00:45 < warren> Any other investment is sure to have diminishing returns.
00:45 < Diablo-D3> warren: yes, and that's why a lot of money was invested into asicminer
00:45 < Diablo-D3> they sell the shovels
00:45 <@gmaxwell> warren: lots of people made money selling random land to mine on too. :)
00:45 < warren> hahaha
00:46 < Diablo-D3> warren: DMC bought the majority of the 1000 shares at the original 0.10, and the rest under 0.15
00:46 < warren> Diablo-D3: nice
00:46 < warren> how long ago was that?
00:46 < Diablo-D3> there's no reason to believe it won't go past 1 BTC per share
00:46 < Diablo-D3> during the original IPO
00:46 < Diablo-D3> asicminer IPOed on GLBSE
00:46 < warren> I wasn't around back then, I have no idea.
00:46 < Diablo-D3> it hasn't been put back on a new exchange yet
00:46 < Diablo-D3> DMC has relisted since, however
00:47 <@gmaxwell> Diablo-D3: so you're not deathly afraid of asicminer having >50% of the hashpower under one roof thoroughly undermining confidence in bitcoin if it becomes widely known that one guy with a gun (/court order) could thoroughly hose things up?
00:47 < Diablo-D3> gmaxwell: no, it's not a problem for now
00:48 < warren> huh? asicminer has >50% now?
00:48 < Diablo-D3> gmaxwell: I think 2 more dividend payments and we've gotten back our original money anyhow
00:48 < Diablo-D3> gmaxwell: and they're doing weekly payments
00:48 <@gmaxwell> How so? by the reported numbers asicminer is >50% already.
00:48 <@gmaxwell> Diablo-D3: uh yea, but if this undermines confidence in bitcoin all your returned payments lose value.
00:48 < warren> Diablo-D3: you were damned lucky to have chosen the asic company that mined first. Good job.
00:48 <@gmaxwell> so they can still screw you even after paying you back
00:49 < Diablo-D3> gmaxwell: well, now that avalon units are arriving
00:49 < Diablo-D3> they can't get 51% yet
00:49 < Diablo-D3> and batch 2 and 3 of avalon will prevent 51% later on
00:49 <@gmaxwell> all the avalon units only add up to about 19TH/s.
00:50 < Diablo-D3> 300 + 600 + 600 of 68gh each
00:50 < Diablo-D3> ;;calc 1500 * 68 / 1000
00:50 < warren> ASICMINER has how much hashing capacity?
00:50 < Diablo-D3> fuck no gribble
00:50 < Diablo-D3> 102TH
00:50 < warren> oh
00:50 < Diablo-D3> no that was the math
00:50 < Diablo-D3> asicminer has about 5TH atm
00:50 < Diablo-D3> they're still installing the rest of the 15, they're only one third done
00:51 < Diablo-D3> by the time all the units are finished at the end of april, they'll have 60TH on hand but not fully installed
00:51 < Diablo-D3> and it's all already paid for
00:51 < Diablo-D3> these first two generations are serving as beta units
00:52 < Diablo-D3> like, they undersized a few components on the 15TH, which they increased on the second gen
00:52 < Diablo-D3> the second and first gens use identical asics though
00:52 < Diablo-D3> it's only the parts on the board that's being upgraded
00:52 < warren> How is that >50%?
00:53 < Diablo-D3> apparently the asics have a lot more overclocking capability than they originally designed for
00:53 < Diablo-D3> warren: well
00:53 < Diablo-D3> before asics
00:53 < Diablo-D3> we only had 25TH
00:53 < Diablo-D3> if asicminer was the only one, 60TH is waaaaaaay past 51%
00:53 < warren> It seems that Avalon is coming online, and BFL is close enough to beat late-April 60TH.
00:54 < Diablo-D3> pre asic 25 + avalon's first 300 units is 45TH
00:54 < Diablo-D3> so even with 60TH, it's just barely past 51%
00:54 <@gmaxwell> Diablo-D3: I was told asicminer had ~27TH/s up now. very few avalon units have been received, I'd estimate asic miner at about 70% based on that.
00:54 < Diablo-D3> the other 1200 mashes that
00:54 < Diablo-D3> gmaxwell: not 27
00:54 < Diablo-D3> gmaxwell: they only have the parts for 15
00:54 < Diablo-D3> and not all of it is up yet
00:55 < jgarzik> Where is ASICMINER physically located?
00:55 < Diablo-D3> jgarzik: not sure where the DC is
00:55 < jgarzik> I saw friedcat(sp?) post that they had a layer of physical security in their building
00:55 <@gmaxwell> Diablo-D3: well, that's not what they're telling some people at least.
00:55 < Diablo-D3> gmaxwell: I only listen to friedcat's official posts
00:55 < Diablo-D3> the rest of it's speculation
00:55 <@gmaxwell> but perhaps the numbers I saw were somewhat forward looking.
00:55 <@gmaxwell> Diablo-D3: I think I can trust friedcat to not speculate. :P
00:55 < Diablo-D3> like people were saying that huge ozcoin miner was asicminer
00:56 < Diablo-D3> it's not, it's some huge avalon customer
00:56 < Graet> yes, i been saying that
12:06 * andytoshi quietly adds this to the tor-like payment protocol in his "if i had an alt" document
12:22 * sipa should also start such a document
12:30 < gmaxwell> @#$*(@*#$(@* why isn't there a @#*(*$@(#* augmented PAKE that doesn't add a communication round?!@#
12:32 < sipa> PAKE?
12:36 < gmaxwell> Password authenticated key exchange.
12:38 < petertodd> BlueMatt: re -wizards meetup, I'm in
12:39 < andytoshi> gmaxwell: regarding our calculation last night about the number of input/output partitions we have to brute-force through .. i was badly wrong about the partition numbers giving an estimate
12:39 < andytoshi> http://oeis.org/A000110
12:40 < andytoshi> (number of partitions of a set of labelled elements, which grow exponentially)
12:42 < andytoshi> so we need to be more intelligent to compute the entropy we want
12:45 < andytoshi> petertodd: do you recognize this as some well-known matching problem?:
12:45 < andytoshi> http://download.wpsoftware.net/bitcoin/coinjoin.pdf
13:11 < petertodd> andytoshi: nope, I could however write a paper talking about it in terms of post-modern art critique...
13:11 * petertodd is a fine arts grad
13:12 < warren> does mastercoin know this? =)
13:12 < petertodd> warren: probably
13:13 < petertodd> warren: though their process for hiring me consisted of me talking to one of their people on the phone for an hour...
13:37 < andytoshi> what is also interesting, is that in the join a0350aa856b77edeaa08ae9df5047855d487c40490d11713461d200ea70b09c6, there is roughly 0.005 btc going to (presumably) the donation output, so this output mucks up the naive plausible join analysis
13:38 < andytoshi> by doing exactly the funny business you suggested
13:39 < andytoshi> s/you/gmaxwell
13:49 < andytoshi> OK, rosemary thinks that the 'find maximal number of plausible participants' is NP-hard
13:49 < andytoshi> it reduces to the partition problem
13:50 < petertodd> andytoshi: is that np-hard per tx, or for whole tx graphs?
13:51 < andytoshi> np-hard per tx :(
13:51 < petertodd> andytoshi: maybe that's better? tx's have limits on how big they are...
13:51 < petertodd> andytoshi: remember that two-party-mixes are most likely to be what people actually use
13:52 < andytoshi> petertodd: well, the example we are using is http://blockexplorer.com/tx/a0350aa856b77edeaa08ae9df5047855d487c40490d11713461d200ea70b09c6 which is probably intractable
13:53 < andytoshi> and there are actually only 3 people in there
13:53 < petertodd> andytoshi: that's still a much bigger tx than the expected everyday two-party-mix case
13:54 < andytoshi> yeah, but if you only need one of them to hide a drug deal, you're golden
13:55 < petertodd> sure, point is, I'd be very interested to see algorithms giving some plausible answers for how much privacy even the simple two-party-mixes are adding, and it sounds like the computation required to do that shouldn't be ridiculous
13:57 < andytoshi> petertodd: well, rosemary's reduction involves constructing a 2-party mix corresponding to a given multiset .. if you can determine that it might be a 2-party mix, then you've solved the partition problem for that multiset
13:57 < andytoshi> determine whether it could be a 2-party mix*
13:58 < andytoshi> though as you say, maybe this is OK because the number of inputs and outputs is small
13:59 < andytoshi> but 'only 2 people' does not let us slip into P
13:59 < petertodd> exactly, even if it's some crazy n^n algorithm, the n is small
14:00 < petertodd> from a usability point of view we have to assume that naive two-party mixes are what is going to be most popular
14:27 < sipa> who/what is rosemary?
14:32 < andytoshi> :P i was wondering if somebody would ask that..
14:33 < andytoshi> rosemary is my girlfriend, she is not so into bitcoin
14:33 < andytoshi> but her degree was largely CS, so i badger her with a lot of these questions
14:33 < sipa> she does seem into complexity analysis :)
14:33 < andytoshi> mmhmm :)
14:52 * maaku would love to read andytoshi and sipa's "if i had an alt" documents
14:52 < maaku> BlueMatt: wizards meetup, where are you thinking?
14:52 * sipa guesses it will be too far for europeans
14:53 < warren> do it in Hawaii
14:53 < sipa> even further :(
14:54 < petertodd> pity there isn't an island in the atlantic ocean...
14:54 < andytoshi> maaku: right now i don't have any of the cool stuff (aggressive pruning, utxo commits, etc) written down, because i haven't taken the time to make those decisions
14:55 < warren> petertodd: Iceland!
14:55 < maaku> petertodd is a renaissance man. where'd you do your fine arts?
14:55 < maaku> yeah iceland. or the azores
14:55 < sipa> Iceland is very cool
14:55 < sipa> cold, even
14:56 < petertodd> heh, iceland it is!
14:56 < warren> we can enjoy puffin meat
14:56 < petertodd> maaku: http://www.ocadu.ca/
14:56 < petertodd> warren: and go around taking beautiful photos
15:04 < maaku> heh, you got my wife excited about a trip to iceland now
15:05 < sipa> warren: puffin is nice!
15:05 < andytoshi> oh, that's right, petertodd said he was a -canadian-, not a mathematician
15:06 < andytoshi> that's why i asked you about the matching problem :P
15:06 < petertodd> andytoshi: minor typo, the keys are like right next to each other
15:07 < sipa> someone read too much bash.org
15:07 < maaku> maybe we can get Cloud Hashing to host it
15:07 < petertodd> sipa: +1
15:07 < maaku> i don't think they're in reykjavik though
15:08 < warren> how much of the world's hashing will be in iceland...
15:09 < maaku> arctic air and geothermal power...
15:09 < petertodd> warren: I was just doing the math on if my parents could heat their house profitably with bitcoin mining...
15:09 < sipa> if you can heat your house at acceptable cost using electricity, you certainly can when using mining hardware instead
15:09 < sipa> except: noise, hardware cost
15:10 * maaku is waiting for an HVAC insert to replace heating coils with bare ASICs
15:11 < petertodd> sipa: problem is we're really talking about hashing not mining
15:11 < sipa> unsure what distinction you mean
15:11 < petertodd> maaku: I'm waiting for silicon that can run at > 100degC
15:11 < sipa> petertodd: GPUs!
15:12 < petertodd> sipa: it doesn't buy us a damn thing with regard to decentralization
15:12 < warren> decentralized hashing means nothing if cex.io
15:12 < petertodd> warren: yup
15:17 < petertodd> sipa: so fwiw fuel oil is about 1/3rd of the cost of electrical heat up here, and electricity is $0.3/kWh - what's interesting is that the more northern communities tend to have electricity costs similar to fuel oil heating costs because it's all diesel generators anyway
15:17 < petertodd> sipa: here in Yellowknife though they have (expensive) hydro-electricity from a small damn a little further north
15:18 < petertodd> *dam
15:27 < maaku> petertodd: you're in Yellowknife?
15:27 < maaku> that is far north
15:27 < maaku> i was watching a special the other day about the mining and prospecting boom up there
15:28 < maaku> (old school mining)
15:29 < maaku> I grew up on a steady diet of Jack London. In another life I'd probably be up there myself.
15:42 < petertodd> maaku: yeah, visiting the parents, they moved up there 9 years ago
15:43 < petertodd> maaku: there's two former gold mines within city limits here, and tens of millions of tonnes of water soluble arsenic trioxide left over from one of them...
15:43 < maaku> ugh
15:45 < petertodd> yup, plan is to freeze it in place to be par of the permafrost; there's a small river that runs directly over the caverns the stuff is stored in, and god knows what global warming will do
15:46 < petertodd> *part
15:47 < petertodd> I love to use it as an example of how the safety of nuclear waste disposal is overblown: at least nuclear waste becomes safer over time, that arsenic will be toxic forever
16:02 < BlueMatt> petertodd: nice
16:02 < BlueMatt> maaku/sipa: looking at north carolina (east coast) as there will likely be a mini-btc-conf there around that timeframe (hence why I was suggesting it)
16:03 < BlueMatt> and if someone doesn't want to pay the flights, it's possible they can commit to giving a quick talk and getting that covered
16:03 < BlueMatt> sipa: at least it's not as far as mtv :p
16:05 < petertodd> BlueMatt: lots of nice caves in that area :P
16:06 < sipa> BlueMatt: yeah. but finding a reason to visit mtv is easy :)
16:07 < BlueMatt> true
16:07 < BlueMatt> sipa: still, it only costs like 1-2 BTC these days...
16:08 < petertodd> BlueMatt: not all of us are satoshi :P
16:08 < sipa> damn, that really sounds cheap...
16:08 * BlueMatt bought a laptop for 2 btc a few weeks ago because it sounded too cheap
16:08 < sipa> i recently topped up my mobile account using btc
16:08 < sipa> in .be
16:09 < sipa> i wanted to add just 10 eur, and accidentally added 25 eur though...
16:10 < sipa> i really don't have any reference for BTC prices (and i guess nobody does)... but compared to the amount i have (some leftover from mining 2 years ago...) it all sounds like nothing
16:12 < sipa> petertodd, maaku, gmaxwell: what's the latest evolution regarding TXO MMRs?
16:13 < maaku> defer to petertodd & gmaxwell on this
16:13 < petertodd> sipa: doing a writeup for them is on my never-ending todo list...
16:13 < petertodd> sipa: the thinking behind them hasn't changed fwiw
16:15 < sipa> i heard something about splitting it up into... i suppose a non-changing txo part and a changing spentness part?
16:16 < petertodd> sipa: oh, that was my plan from the beginning
16:16 < sipa> i didn't catch that part initially then
16:17 < petertodd> sipa: well the key thing is you want to still provide a zero-trust way for wallets to sync data, so a per-block index still makes a lot of sense
16:18 < petertodd> sipa: main thing is the two ideas are separate really
16:18 < sipa> you mean... still have a merkle UTXO tree too?
16:18 < petertodd> sipa: no, a per-block txo tree sorted by H(scriptPubKey) or similar
16:19 < sipa> ok
13:31 < adam3us> petertodd: i was thinking you could sign them offline and upload them as a batch airgap/usb. there is some consideration about giving users signed proof that this is your address, users can get together or publish those proofs and the server's payment privacy (which they want for commercial sensitivity of eg their trade volume) is blown and provably so, payment request has the same issue
13:43 < petertodd> adam3us: indeed, but, what it comes down to is all this stuff is better done by leveraging existing systems so UIs can be seamless
13:44 < petertodd> telling users about some "account number" is something that doesn't lead to good understanding in the long run too
13:46 < adam3us> petertodd: yes it's not an ideal world. i am thinking that even low value storage like $10, $100 may not last on windows machines. people will lose interest if their wallet keeps getting emptied by bitcoin thieving malware, so then you're on to TPMs (which don't help much without trusted path IO, and dedicated display) or hardware wallets with display (trezor)
13:48 < petertodd> if bitcoin does anything good for the world it might be to improve computer security...
13:48 < petertodd> anyway, even if windows boxes turn out to be hopeless, CAs have a chance of improving
14:04 < jgarzik_> Relevant dumb question... how happy are people with HD wallets, from a math/crypto standpoint? We love them, but having this emotional, unreasoned fear of having a lot of mathematically-connected addresses
14:05 < jgarzik_> We wind up coming up with schemes like "new seed per month" + new derived public key seeds for merchants etc.
14:05 < jgarzik_> trying to avoid too much math derivation links, and limit the damage caused by a seed compromise
14:06 < petertodd> jgarzik_: well, I will say apparently the Tor project is adopting the underlying idea for something to do with hidden services; but IANAC...
14:06 < jgarzik_> IANAC -- storing that one for later use
14:07 < HM2> I can't believe the tight git behind that whopping transaction didn't pay a fee for his cpu cycles ;)
14:16 < warren> where are we on 0.8.6?
14:20 < gmaxwell> jgarzik_: If HMAC-SHA512 is broken in a way and with a severity that makes this matter at all we are fucked on so many different levels that 'related keys' wouldn't be on the radar. It's also a bit cargocultish: openssl reads from /dev/urandom only on startup... All your keys generated during an execution session are already related by a CSPRNG scheme not unlike the BIP32 private derivation.
14:20 < phantomcircuit> gmaxwell, weird
14:21 < phantomcircuit> is there any good reason for openssl not to continuously rekey with /dev/urandom
14:22 < gmaxwell> jgarzik_: my personal allowance to paranoia on this front is using a 512 bit state inside the derivation, which makes it very likely that the keys are indistinguishable from each other without the full state in an information theoretically sound way (e.g. there probably exists some unknown state that would make any two randomly selected keys 'related')
14:22 < gmaxwell> phantomcircuit: just software engineering reasons... esp considering multithreaded programs.
14:23 < jgarzik_> gmaxwell, not claiming it is rational (note the "emotional" qualifier)
14:23 < jgarzik_> Just encountering multiple programmers with the same sentiment
14:23 < gmaxwell> jgarzik_: I know. I hope I added to your ability to discuss it: e.g. that most random generation schemes have hidden relationships.
14:24 < gmaxwell> Non-paranoia based: Key management is a real issue, rotating keys periodically is prudent not for cryptospeculation reasons but just because forward security may reduce exposure.
14:45 < gmaxwell> adam3us: so... in the past I've whined that we have no utxo expiration on the basis of an economic concern: Eventually lots of coin will be lost and bitcoin will deflate. That's not bad. But we don't know how much is lost... and that's potentially bad. E.g. say all but 10 BTC is lost and 1 BTC now buys you a nice planet. etc. This is exacerbated in that a lost coin can't be upgraded to better crypto, so eventually ecdsa secured coins ...
14:45 < gmaxwell> ... may suddenly become unlost in vast numbers, which might disrupt the economy.
14:45 < gmaxwell> adam3us: if we had committed coins with totally hidden values, wouldn't this be even worse? e.g. we wouldn't even know the value of the coin in circulation?
14:46 < warren> I implemented a hack to test expiration.
14:46 < warren> just to get some numbers of how big the chainstate and memory use would be
14:47 < warren> the existing remove unspendable txo patch only works on reindex, not too useful for getting rid of old TXO
14:49 < warren> gmaxwell: hmm, so MMR to spend old "forgotten" coins wouldn't be any better for the forward security reason
14:51 < gmaxwell> warren: Right, you'd only get increased economic certainty if the coins actually become unspendable.
14:52 < gmaxwell> I don't know how much the certainty matters absent cryptographic breaks. But with breaks it's probably pretty concerning, but it could be addressed differently. E.g. when replacement crypto is deployed you add a new rule that after date xyz ecdsa will be unspendable.
14:52 < warren> not just crypto breaks
14:52 < warren> old backups
15:05 < adam3us> gmaxwell, jgarzik: i think HD crypto is fine. it's also very important for backup.
15:06 < adam3us> gmaxwell: committed coins recirculating in hidden form i guess yes you have no idea what has even moved (unless there is early decommit). (re estimating proportion of spendable utxo)
15:09 < phantomcircuit> gmaxwell, i'm guessing that the hmac-sha512 won't be broken for a long time after sha512 is broken
15:09 < phantomcircuit> which should provide for a fairly significant security warning
15:09 < adam3us> gmaxwell, warren: there are people who explored about digital archiving signed info, with like multiple sig algos, time-stamping, re-signing entities. maybe you can say during a phase out period, which hopefully isn't too sudden you get to replace a ecdsa256 with something else
15:10 < adam3us> phantomcircuit: yes hmac makes limited assumptions even hmac-md5 is non-stupid (where md5 is now a dud)
15:16 < adam3us> erm saw something funny armory online generated an address with 121okABVjfk6QSV1pAZeVZdoU7utpp6jxd but when pasted it views 121okABVjfk6QSV1pAZeVZdoU7utpp6Jxd (capital J) i noticed so put a small sacrificial payment to it
15:30 < adam3us> seems like armory anomaly bc.i thinks it's uppercase
16:49 < adam3us> hmm it's a font issue some of those linux fonts are dodgy and j looks like J except for one pixel pretty much, doh!
17:40 < jgarzik> adam3us, gmaxwell: thanks (re HD wallets)
18:29 < Luke-Jr> cfields:
18:30 < cfields> Luke-Jr: will a non-gitian dmg suffice, until i can get in touch with devrandom to fix up a few things?
18:30 < cfields> scripts to build it ofc, not just the result
18:33 < Luke-Jr> suffice for what?
18:33 < Luke-Jr> and what needs fixing? :o
18:33 < cfields> deterministic dmg bounty
18:34 < cfields> mainly, need a raring vm
18:34 < cfields> very possible i just don't know enough about gitian to set one up properly
18:34 < Luke-Jr> well, let's see if I can help with that first
18:35 < cfields> when i try to create a raring image, it says it's unsupported
18:35 < cfields> (running on native raring)
18:36 < Luke-Jr> what arch?
18:36 < cfields> but i believe the dmg should be deterministic without gitian already
18:36 < Luke-Jr> yes, but gitian deals w/ the signatures :/
18:36 < cfields> native is x86_64. gitian should start there, since that's where i've tested so far
18:37 < cfields> ok, well don't worry about it then, i'll get gitian up first
18:37 < cfields> actually, i'll probably start with precise and just use a ppa for clang
18:38 < Luke-Jr> I mean what arch do we need the image for?
18:39 < cfields> x64 would be closest to what i've been testing with
18:42 < Luke-Jr> amd64 you mean..
18:42 < cfields> we've done this before, can we just skip it this time? :)
18:43 < cfields> yes, amd64
18:43 < Luke-Jr> what version of vmbuilder?
18:43 < cfields> but don't worry about it, precise is probably a saner choice anyway
18:43 < Luke-Jr> cfields: you're aware there is a distinction between x86 and x32? ;)
18:43 < Luke-Jr> precise+PPA is not necessarily saner
18:44 < Luke-Jr> since we're then trusting not just Canonical, but also <random PPA maintainer>
18:44 < Luke-Jr> the ideal solution would be to build a clang deb in a gitian instance
18:45 < Luke-Jr> but not sure if that's practical for you or not
18:47 < cfields> Luke-Jr: well for now, I just want something that works. There are a dozen things that will need to be reworked, I don't want to spend too much time on work that will be thrown out anyway
18:47 < Luke-Jr> ?
18:47 < cfields> just POC stage for now
19:05 < Luke-Jr> cfields: fwiw, raring works after I upgrade vmbuilder
19:05 < Luke-Jr> but I don't know how easy it is to do that on Ubuntu
19:14 < cfields> hmm, interesting
19:14 < cfields> will have a look, thanks
20:23 < midnightmagic> gmaxwell: Hey man, you're not using the account:password IRC server password or something, we saw your host.
20:25 < Luke-Jr> cfields: I maybe spoke too soon - it errored out later
20:26 < gmaxwell> midnightmagic: stupid ircness.
20:26 < midnightmagic> +1
20:30 < K1773R> midnightmagic: you can auth by passing account:password as server password?
20:38 < cfields> Luke-Jr: same. I'm trying it on precise just for shits. 99% clang is too old there, but it gets me started with gitian
20:43 < phantomcircuit> K1773R, yes
22:03 < warren> Who is going to the Vegas conference? I arrive in the afternoon of Dec 8th.
22:35 < gmaxwell> Sadly it overlaps with the picture coding symposium, so it seems I can't go.
22:55 < cfields> anyone know where gitian sets the image size limit (lxc) ?
22:55 < cfields> seems i've outgrown mine
23:32 < Luke-Jr> I wasn't aware LXC had limits O.o
04:57 < petertodd> gmaxwell: for sure, what's neat about other card games is you can pull off the same trick without even having an oddly half-empty deck
04:57 < petertodd> gmaxwell: your use-case is probably more practical though (!)
04:58 <@gmaxwell> well, I've contemplated building a stack of symmetric secret business cards. e.g. some perforated cards with a secret printed on both halves like a raffle ticket but with more entropy... but it's kinda conspicuous.
04:58 <@gmaxwell> This card deck thing came from pond, incidentally.
04:59 < maaku> petertodd: well you could do the two-deck trick with a nearly even split, and say it's a bridge deck
04:59 < petertodd> ha, pond is a great application
04:59 < petertodd> maaku: oh, nice!
05:00 <@gmaxwell> maaku: do you have duplicated cards in a bridge deck?
05:00 < maaku> gmaxwell: you have multiple decks iirc, and most players don't bother sorting them back in between games
05:01 < maaku> never actually played bridge myself
05:02 <@gmaxwell> the other good thing about the deck is that it requires very little prep, every drugstore in the US has cheap playing cards.
05:02 <@gmaxwell> vs any of my business card shared secret ideas ... involve at least one side doing prepwork that can't easily be done on short notice or on the road.
05:04 < petertodd> ~52-bits is a bit weak, but 32-bits of hardening are pretty easy to obtain to push it back to reasonably secure
05:04 <@gmaxwell> pond wants you to do shared password, time, and the card deck.
05:05 < petertodd> yeah, that should be enough
05:05 <@gmaxwell> and supports one or two card deck modes. two deck is pretty good.
05:05 <@gmaxwell> someone needs to add bitcoin transaction support to pond... as it's effectively a high latency mix network (hurrah)
05:06 <@gmaxwell> (and supports messages up to 16kb)
05:08 <@gmaxwell> and yea, pond uses scrypt kdf on the shared secret... doubt it does 32 bits worth though.
05:13 < petertodd> seems to me that pond + bitmessage-style pow would make a lot of sense
05:15 <@gmaxwell> well pond uses group signatures (pairing crypto, /me ducks adam3us rocks) for antispam. You publish to your server a group element that basically is a broadcast encryption style public key that anyone on your contact list can sign for.
05:16 <@gmaxwell> You can add more people to it at any time, and the server can't tell which person is sending to you just that they're on the list.
05:16 <@gmaxwell> you can also revoke contacts.
05:16 <@gmaxwell> so you don't really need POW to protect the recipients, which are the most bandwidth starved.
05:17 < petertodd> exactly, use pow to bypass the introduction process for things like tx's where you want to be able to send through anyone
05:18 <@gmaxwell> POND is kinda odd, it's sort of half way between email and IM. There are no public identities in it. The introduction process is the identity.
05:18 < petertodd> or alternatively, pick a random person from your contacts, they pick a random person themselves etc.
05:18 < petertodd> go through a few hops of that and spit it out to the network
05:18 <@gmaxwell> but yea, TXs don't quite fit directly.
05:18 < petertodd> s/person/persons/
05:19 < petertodd> yeah, well pond does leverage tor to let the pure group sig mechanism work - if it was on the opennet you'd want something more like bitmessage for the larger anonymity set
05:20 <@gmaxwell> right. I wonder if my pond brainwallet attempt will introduce me to any random people
05:23 < Emcy> that card deck thing is pretty cool
05:24 < Emcy> pond seems to be the secure comms thing that the real crypto nerds talk about the most
05:25 < Emcy> great for specialised applications like source confidentiality in journalism etc, but it would be a shame if it's another thing that can only really be used by the tech proficient
05:26 <@gmaxwell> Emcy: the software is pretty easy to use. .. I don't actually think it's useful for source confidentiality in journalism, at least the way it is today.
05:26 <@gmaxwell> The relationship in pond is completely symmetrical. Meaning you can't just advertise a contact address.
05:27 <@gmaxwell> it's an IM like communications model, except it's high latency/async which means it can be resistant to traffic analysis ... lets you receive messages while offline.
05:28 < Emcy> yes, you have to meet your contact irl first and do something like the card split thing. I read (proper) journalists are going back to face-to-face now after the snowden stuff
05:30 < Emcy> they state plainly that pond is not resistant against a GPA though, which i think something like bitmessage actually is or at least could be?
05:32 <@gmaxwell> It's really hard to be GPA immune. Though I don't think anyone believes the NSA is a true GPA in the absolute sense. (A true GPA can see every network link)
05:33 <@gmaxwell> Bitmessage could be GPA immune if you are RX only... but it's not (unless they've redone the protocol in the last two months) because of the stupid key handshaking stuff.
05:35 <@gmaxwell> e.g. no GPA could tell which bitmessage user is receiving which message because you don't _do_ anything to receive. unfortunately, instead of putting the @#$@# key in the address, bitmessage requires receivers to transmit their key, so you can't (easily) be a passive receiver in bitmessage.
05:35 < Emcy> NSA putting a tap on all the fibre trunks and looking at packet headers is about the same as tapping every endpoint right? I suppose you'd lose some timing resolution
05:36 < petertodd> Emcy: doesn't give you info on customer-to-customer connections within ISPs for instance
05:37 < Emcy> true, but that's not the only thing they do. the ATT room from 2006 for eg
05:38 <@gmaxwell> Right, tapping lots of links is not the same as tapping all links.
05:38 < petertodd> Emcy: the customer-to-customer connection may be just 100ft of ethernet cable in the case of a colo center... or internal to a box at a vps provider
05:38 <@gmaxwell> A true GPA taps all links. NSA is just an approximation of that.
05:39 <@gmaxwell> e.g. there are network links in my house that appear to not have NSA taps on them, thus the NSA is not a GPA. :P
05:39 < CodeShark> you'd be surprised :p
05:39 < Emcy> yes. still too close for comfort and the panopticon effect is in play too
05:40 <@gmaxwell> GPA is just not a good model for what to be secure against. A true gpa doesn't exist, a true gpa is very hard to be secure against... and the model doesn't give a good way to reason about what a near-GPA can do.
05:41 <@gmaxwell> I'm not aware of any scheme which is bidirectional GPA immune... though maybe I can imagine some insanely inefficient thing.
05:43 < petertodd> gmaxwell: timelock crypto works if you assume the GPA has a lifespan less than the delay in getting the message read
05:43 <@gmaxwell> I was thinking about that.. but yea. that's not too helpful. :P
05:44 <@gmaxwell> petertodd: I did come up with a neat bitmessage alternative idea.
05:44 < petertodd> gmaxwell: ?
05:44 <@gmaxwell> Instead of POW, you use ZKP blinded SIN to ratelimit access to the network.
05:44 < petertodd> gmaxwell: oh, we were talking about that at dark wallet
05:44 <@gmaxwell> then someone can only dos the network by paying tons of money to fees.
05:44 <@gmaxwell> win win
05:45 < petertodd> gmaxwell: only sticking point is finding a ZKP implementation...
05:45 <@gmaxwell> do you think this can tolerate the CRS limitation? (that there is some hopefully unknown to anyone randomness that would allow fake proofs)
05:46 <@gmaxwell> probably can
05:46 <@gmaxwell> since it's just a DOS attack
05:46 < petertodd> gmaxwell: sure, I'm a good guy :P
05:46 < Emcy> i think under the circumstances efficiency just can't be expected
05:46 < Emcy> i never needed to skype anyone at 100mbits anyway
05:47 < petertodd> it also doesn't need the zkp to act directly on the transaction - you can find the set of all sacrifices by looking in the blockchain and use a simpler mechanism
05:47 <@gmaxwell> petertodd: oh interesting point. so you could prove membership in a set which is extracted with an eye on efficiency of proof.
05:48 < Emcy> but it makes me a sad panda that there are multiple factors all but guaranteeing pervasive private communications are probably a thing of the past now
05:48 < petertodd> gmaxwell: yup, and construct the sacrifice tx such that SPV clients can identify it
05:48 < Emcy> not least the average net user's expectations of efficiency and performance
05:49 < petertodd> gmaxwell: gives you a nice anonymity set definition in the sharded bitmessage case: how many $'s worth of BTC does the attacker need to pretend to be the rest of that anonymity set
05:50 < petertodd> gmaxwell: which of course works best if people actually use their sacrifices to send messages at full rate constantly
05:52 <@gmaxwell> I wonder if there would be an interesting way to have users able to pool sacrifices with friends.
05:53 < petertodd> gmaxwell: oh it'd be easy: just share the private key
05:53 <@gmaxwell> e.g. if my friends have sacrifices and aren't transmitting, and I don't mind if they know that I am.. can I borrow their transmit juice without anyone else knowing.
05:53 <@gmaxwell> well yea, but that's a little inelegant. :P
05:53 <@gmaxwell> I suppose if I have a channel with them I could ask them to sign messages for me.
05:54 < petertodd> gmaxwell: right, but you have to come up with a mechanism that allows you to decide they're no longer friends, which requires global state... so you're left with a non-revokable mechanism, or interactive, *or* a mechanism you can use in advance
05:54 < petertodd> IE prepare signed statements valid for some time period that your friends can use in the future, and have the network have some limited memory to remember used proofs
05:55 < petertodd> what's interesting about this is it's a proof for bandwidth usage of the network as a whole - it's ok if half the network passes one version of the message and half the other version
07:48 < adam3us> jtimon: viz what they tried to pull on the lavabit guy, illegal requests for ssl key to all users, legal threats, cost harassment etc
07:49 < jtimon> but again, optional privacy removes responsibility from the redeemer
07:49 < adam3us> jtimon: i don't think redemption matters so much... just trade it for something else and cash out another way
07:49 < adam3us> jtimon: so long as you have fungibility, sell share for bitcoin, do a bitcoin-otc (in person)
07:50 < jtimon> gmaxwell's argument is that no one will buy it from you if the issuer marks it as non-redeemable
07:50 < adam3us> jtimon: redemption for a share is a fringe event right. it's new stock issue, or a share buy back... 99.9% of trades are buy/sell for another currency or stock swap, in this case bitcoin
07:51 < adam3us> jtimon: but that's a suicide pact argument. a judge can't close down the entire share ownership because dpr has 1000 ibm shares with perfect fungibility
07:51 < jtimon> I'm trying to understand the advantage of "full fungibility"
07:52 < adam3us> jtimon: partial fungibility invites legal and miner policy attacks
07:52 < jtimon> the redemption argument is that with imperfect fungibility they will force issuers to mark some of their assets as non-redeemable
07:53 < adam3us> jtimon: if legal threats become effective, it ruins your immediate settlement.. now everyone has to verify the seller's reputation to guess risk of undone settlement and we're back to square one - that's the current financial system
07:53 < jtimon> that attack doesn't make much sense to me either because of optional privacy
07:54 < adam3us> jtimon: but if they can't tell which assets to mark as non-redeemable what is that - a haircut % for everyone?
07:54 < adam3us> jtimon: aren't you making my argument? if you use the privacy, (chaum blinding) you have full fungibility?
07:54 < jtimon> "tainting" just doesn't make sense to me, maybe because I assume that judges won't be totally crazy...
07:55 < jtimon> a haircut for everyone on what basis?
07:55 < adam3us> jtimon: the lesson from lavabit if anything is that the judge saw the technical argument, and did his best to override it ignoring sanity and privacy rights of unrelated users
07:56 < jtimon> if a state forces issuers in its jurisdiction to do such a stupid thing, all issuers will move to other jurisdictions very fast, as their clients go away
07:56 < adam3us> jtimon: u said the issuer will be forced to mark some assets non-redeemable, if you don't know which user is which how do you withhold from the target user?
07:56 < adam3us> jtimon: well... you could make that argument about the us in spades, and yet most of the world's bitcoin companies are there
07:57 < jtimon> maybe I'm too optimistic
07:57 < adam3us> jtimon: also jurisdiction shopping has limits - it just depends how badly they want to attack something
07:57 < jtimon> I think some jurisdictions will get this right and others won't
07:58 < adam3us> jtimon: i don't think we're necessarily disagreeing, what you are saying is reasonable, but what i (and i think sipa) said is why tempt fate and push the limits of their reasonableness to find out - just use cryptography
07:58 < jtimon> the ones that get it wrong will suffer the economic consequences and maybe reconsider their reactionary positions
07:59 < jtimon> but I don't like chaumian cash because it lacks a lot of features I want
07:59 < adam3us> jtimon: i think realpolitik is far uglier and selectively extra-legally enforced - nsa blackmail, local favors, backroom deals between respective TLAs etc
07:59 < adam3us> jtimon: use brands it is very flexible
07:59 < jtimon> what?
07:59 < adam3us> jtimon: brands blind credential = blind schnorr extension
08:00 < adam3us> jtimon: you said chaum lacks features, if your features are achievable with blinding, brands is going to be the answer as it has more features than anything else
08:00 < jtimon> I don't know that, but I highly doubt there's any non-traceable asset that can be traded atomically with, say, 8 other assets transitively
08:01 < jtimon> please, tell me if the following is possible
08:01 < jtimon> Alice wants to pay David, who only accepts CCC as payment
08:01 < adam3us> jtimon: u might be surprised what you can do with it efficiently, and compactly in zero knowledge it can be all EC discrete log like ECDSA
08:01 < jtimon> Alice owns AAA
08:02 < jtimon> there's open orders selling BBBs for AAAs, CCCs for BBBs
08:02 < jtimon> in a single atomic transaction alice sells her AAAs for BBBs, which sells for CCCs which sends to David
08:03 < adam3us> jtimon: so why do you think thats not possible even with chaum?
08:03 < jtimon> is that atomic transaction possible with brands?
08:03 < adam3us> jtimon: the atomic swap relies on smart contract hashlocks and scripts right
08:04 < jtimon> ok, I forgot to mention that AAA, BBB, CCC are accounted for in different servers/chains
08:04 < adam3us> jtimon: i am not sure what the atomic swap model is but it might be possible already with chaum, its still a normal signature
08:04 < adam3us> just sign a smart contract with a script input and blind chaum sign no and use the existing atomic swap tx?
08:05 < jtimon> maybe I don't understand chaum well enough, but I don't think it is a signature
08:05 < adam3us> jtimon: not natively but you can make it so
08:05 < TD> if anyone wants to talk to me via Pond (pond.imperialviolet.org) then let me know and I'll give you a shared secret
08:05 < adam3us> jtimon: in my credlib library i did that
08:05 < TD> [ob explanation: pond is forward secure, tor based messaging that scrambles everything against every attacker except someone who can de-anonymize tor]
08:06 < adam3us> jtimon: the idea is that the thing you get the issuer to blind sign is the hash of your public key, that you will sign with to prove ownership in contracts
08:06 < jtimon> that's not what I read about chaumian cash
08:06 < adam3us> chaum ecash only doesnt do that because its an online protocol so theres no point
08:07 < adam3us> they just sign a structured random number to act as the coin serial number for double spend protection
08:07 < adam3us> anyway check it out, its in the credlib library with a demo program
08:07 < jtimon> this is what I read: http://anoncvs.aldigital.co.uk/lucre/theory2.pdf
08:08 < adam3us> oh thats not even chaum thats david wagners blind mac work around as implemented by ben laurie
08:08 < adam3us> but the patent expired on chaum so now blind mac is less important
08:08 < jtimon> ok, then everything I said about chaumian cash doesn't apply
08:09 < jtimon> that's the theory OT links to
08:09 < jtimon> ok, time to read about chaumian cash, I thought I knew what it was
08:09 < adam3us> jtimon: but you were right that chaum cash did not use blind certificates, only blind signatures because they assume the issuer and the transaction server are the same, and in fact the only transaction is redemption
08:10 < adam3us> jtimon: its much simpler than wagner's blind mac.
08:10 < jtimon> do you have a quick link?
08:11 < adam3us> jtimon: vs rsa sig s=m^d mod n verified s^e=?m
08:11 < adam3us> jtimon: blind sig is: -> b^e*m (user sends to server)
08:11 < adam3us> jtimon: server sends (b^e*m)^d back to user
08:12 < adam3us> jtimon: user unblinds and gets normal rsa sig m^d for m server never saw
08:12 < adam3us> jtimon: because (b^e*m)^d = b*m^d and user divides by b so (b^e*m)^d/b=m^d qed
08:12 < jtimon> so once it shows it to the server, the tx cannot be rolled back?
08:13 < adam3us> jtimon: the server will not be able to correlate the issue message with the deposit message because b is random and chosen by the user
08:13 < adam3us> jtimon: the server prevents double spend by accepting m only once it is the coin serial number
08:13 < jtimon> so the server never sees b, no?
08:14 < adam3us> right doesnt see b ever, doesnt see m during issue, sees m during deposit
08:14 < adam3us> jtimon: the server has no idea what it signed, so it doesnt support attributes - eg value/denomination/currency
08:15 < jtimon> the issuer does
08:15 < adam3us> jtimon: they work around that by having a different issuer key for each currency / denomination
08:15 < adam3us> jtimon: yes
08:15 < jtimon> so there's only issuance and deposits, no transfers
08:16 < jtimon> say Alice issues AAA and sends it to Bob
08:16 < adam3us> jtimon: as stated because thats what they wanted
08:16 < jtimon> How does Bob transfer it to Carol?
08:16 < adam3us> jtimon: but instead of m being a coin serial number, it can be the users hash of public key
08:16 < adam3us> then the blind sig is actually a blind certificate, so you can transferably assert and prove ownership of it
08:17 < jtimon> in bitcoin I can prove ownership of a coin by signing external messages with my private keys
08:17 < adam3us> u know in the 1995 era we had a coloredcoin like idea to color coins without the central banks approval - as it cant tell what its signing it was called a cut-out protocol
08:18 < adam3us> jtimon: right so if you have a blind certificate from the issuer, you sign a message transferring ownership to another user
08:18 < jtimon> that cannot be conditional to anything else
08:18 < adam3us> jtimon: or as bitcoin generalize the concept of signature into a contract script involving the signature
08:19 < jtimon> I cannot "transfer AAA to Bob if and only if Bob transfers BBBs to me"
08:19 < adam3us> jtimon: why not?
08:19 < jtimon> I'm asking, is that possible when AAAs and BBBs are accounted for in different servers ?
08:19 < adam3us> jtimon: if you take whatever you are doing now and replace the signature by the certified blind chaum address signature, doesnt it still work?
08:20 < adam3us> jtimon: i dont know how your atomic swap tx works with two different freimarket servers
08:21 < jtimon> private servers implement additional OPs that can make scripts conditional to events in external chains
08:21 < jtimon> so they rely on traceability
17:55 < midnightmagic> i'm sad warner isn't idling in freenode anymore.
18:39 < petertodd> midnightmagic: what work exactly?
--- Log closed Thu Jul 25 00:00:21 2013
--- Log opened Thu Jul 25 00:00:21 2013
11:51 < jgarzik> petertodd, basic IRC skeleton working, between irssi and a no-channel IRC daemon skeleton
12:26 < petertodd> nice!
12:26 < petertodd> what language?
12:27 < petertodd> and where is the repo?
12:27 < petertodd> once this is working, by definition we *have* to stop using #bitcoin-wizards on freenode...
12:34 < petertodd> relevant: https://www.networkworld.com/news/2013/072513-cybercriminals-increasingly-use-the-tor-272192.html
12:40 < jgarzik> petertodd, JS, private repo ATM, until it has minimal function as a single node, RAM-only IRC server
12:41 * jgarzik wants to create benevolent botnets :)
12:42 < petertodd> ha
12:43 < petertodd> any bonds implemented yet?
12:43 < jgarzik> petertodd, bleh, bikeshedding. We'll all meet again on #crypto-wizards@af62dc66255d84a26fc269407860e86cc9eacdbca3cb9484932d6f856692fb07
12:43 < jgarzik> petertodd, nah, bonds are boring these days
12:44 < jgarzik> petertodd, SINs have a greater chance of changing the world ;p
12:44 < petertodd> heh, ok, sacrifices I should say
12:44 < jgarzik> petertodd, ah. About to add support for manually creating SINs via sacrifice to txtool, so I can start testing at least.
12:45 < petertodd> cool, is that with a minimal "make a digest expensive" method?
12:46 < petertodd> I mentioned fidelity bonds on freenet-devel fwiw
12:46 < jgarzik> petertodd, it's what's described at https://en.bitcoin.it/wiki/Identity_protocol_v1#Creating_sacrifice_transactions almost to the letter
12:47 < jgarzik> tangent: I want a different wiki
12:47 < petertodd> ok, which means it's then easy to define a tool that takes <digest>, so we're good
12:47 < petertodd> heh... like a p2p wiki? :P
12:47 * jgarzik runs
12:48 < petertodd> greg and I were talking about that ages ago... looks doable, but you need a git-like branch/merge model
12:49 < petertodd> also, speaking of freenet, if you haven't already read up on how they do reputations and anti-spam on Frost and Freenet Messaging System (FMS)
12:51 < jgarzik> my ignorance of freenet is almost willful at this point
12:51 < jgarzik> It just annoys me, for some reason
12:51 < jgarzik> I would rather have a clean reinvention
12:51 * jgarzik , Captain of the Knights of NIH, heads out for breakfast
12:51 < petertodd> well, it is ancient tech in many ways... it was the first opensource project I got involved with, back in highschool
14:24 < amiller> i'm starting to get really excited about SINs.
14:24 < amiller> i still think it's wrong but it's going to be such a step in the right direction and far better than anything else
14:38 < gmaxwell> Worse Is Better.
--- Log closed Fri Jul 26 00:00:23 2013
--- Log opened Fri Jul 26 00:00:23 2013
04:15 < midnightmagic> hah! FMS does WoT too.
04:15 < midnightmagic> Everything WoT.
09:23 < amiller> FMS?
09:24 < jgarzik> PMS?
09:25 < amiller> RMS.
09:25 < amiller> <midnightmagic> hah! FMS does WoT too.
09:25 < amiller> <midnightmagic> Everything WoT.
09:26 < gmaxwell> presumably freenet's messageboard stuff
11:10 < nanotube> freenet messaging system, iirc
18:58 < gmaxwell> petertodd: I suppose SCIP does make constructing oracles easier:
18:58 < gmaxwell> you build an oracle that takes in some hash of a SCIP program, the program, some input X, and the proof.
18:59 < gmaxwell> if the proof passes, you do what the instructions in X say.
18:59 < gmaxwell> But the instructions can be really trivial imperative commands, the oracle doesn't need to be turing complete.
18:59 < petertodd> yup
19:09 < petertodd> did you see the thread on oracles on bitcointalk btw?
23:12 < amiller> is there a new thread on oracles
23:12 < amiller> there's a big gap between an SCIP program and an oracle
23:12 < amiller> an SCIP program is just a program it can be publicly verifiable
23:12 < amiller> but people also use "oracle" to mean things that are unverifiable, like whether your grandson is dead yet
23:13 < amiller> i'm really pissed at the munging of these in the pop culture (mostly i just mean TD)
--- Log closed Sat Jul 27 00:00:26 2013
--- Log opened Sat Jul 27 00:00:26 2013
00:43 < zooko`> !
10:47 < jgarzik> IRC daemon skeleton now understands channels and PMs. What a crappy protocol, IRC.
10:47 < jgarzik> I knew this before, but am freshly reminded.
10:50 < gmaxwell> amiller: Right, I'm just pointing out that using SCIP you can separate the computation and trust elements of remote oracles. Including the grandson case!
10:51 < gmaxwell> amiller: e.g. if your prior oracle protocol would have been "make a SSL connection to the social security administration and check to see if it says hes dead" you can do that computation under SCIP and show it to the oracle. (* well excepting the fact that SSL blows goats)
10:52 < gmaxwell> (*ssl's goat blowing means that you'd actually need to ask the oracle to make the connection, return back a signed copy of the data, then do your HTML processing on that, and return the receipt)
10:53 < gmaxwell> In any case, the notion there being that if the oracle only executes a simple set of procedures, and validates a SCIP proof, it means that it's a lot easier to have confidence that the oracle itself isn't vulnerable.
10:53 < gmaxwell> vs sending arbitrary code to the oracle.
10:54 < gmaxwell> It's not exactly the same, since you can't compute on data which is secret to you. On the other hand you can compute on data which is secret to the oracle.
10:55 < gmaxwell> Which may have benefits: making an oracle super trustworthy is somewhat incompatible with the oracle being immune to censorship. So being able to hide from the oracle what exactly you're doing with it may be productive.
11:53 < HM> jgarzik, IRC protocol isn't that bad. Just lacks modern standardisation, half the networks in existence go beyond the standard
11:56 < HM> Hmm wow, '93. the RFC is newer than I would have guessed :P
14:12 < midnightmagic> irc isn't that bad. it's managed to survive all this time, and in part because the protocol is simple..
14:46 < jgarzik> petertodd, It is still completely useless and uninteresting at the moment, but, https://github.com/jgarzik/dirc
14:46 < jgarzik> still hammering out some empty-channel and echo-echo bugs, but people can connect, create channels, and talk to each other
14:47 < jgarzik> locally
14:47 < jgarzik> zero P2P
14:48 * jgarzik took a shortcut, and auto-generated a bunch of stuff from the RFC text
14:57 < jgarzik> bitcoin-like P2P connections can actually be plugged in rather easily, by re-using the existing node.js bitcoin networking code, which is already quite flexible and programmable.
14:59 < jgarzik> so the steps are: local, single node IRC server -> insecure multi-node via P2P flood-fill -> P2P flood-fill w/ digital signatures/SINs
17:30 < midnightmagic> jgarzik: out of curiosity, why are you starting from scratch?
17:31 < midnightmagic> not that i think you shouldn't, but i'm curious
17:47 < jgarzik> midnightmagic, I hate every ircd implementation I see ;p
17:48 < jgarzik> midnightmagic, it's also fun [re]learning, and nice having the low level IRC code arranged in a manner suited to this P2P/IRC proxying experiment
18:21 < Luke-Jr> jgarzik: it would be nice IMO if there was abstraction so XMPP MUC can be added later ;)
18:25 < jgarzik> Luke-Jr, *puke* :)
18:26 < Luke-Jr> "?
18:26 < Luke-Jr> you dislike XMPP? >_<
18:26 < jgarzik> Luke-Jr, XML and XMPP are dinosaurs best forgotten, along with SOAP and the rest
18:26 < Luke-Jr> maybe, but nobody has replaced them yet.
18:26 < jgarzik> Luke-Jr, but yes, this will be platform agnostic. IRC is just an app on top of a base layer.
18:27 < jgarzik> Luke-Jr, replace "IRC:" prefix with "XMPP:" and you're off and running
18:27 < jgarzik> on the p2p side
18:42 < midnightmagic> XMPP is the devil.
19:53 < Luke-Jr> :<
20:21 < HM> XML isn't pleasant to work with
20:21 < HM> but i'd take it over some of the alternatives in some scenarios
20:22 < HM> XML tooling was and is still excellent. validation, transformation etc
20:22 * HM sighs
20:30 < Luke-Jr> I don't like XML much, but XMPP sure beats the alternatives :/
22:06 < midnightmagic> :)
--- Log closed Sun Jul 28 00:00:28 2013
--- Log opened Sun Jul 28 00:00:28 2013
21:30 < petertodd> jgarzik: cool!
21:31 < petertodd> jgarzik: but if you don't add some crypto-coin stuff to it soon I'm going to have to call you a 1337 teenage h@x0r
--- Log closed Mon Jul 29 00:00:31 2013
--- Log opened Mon Jul 29 00:00:31 2013
00:14 < jgarzik> petertodd, hah, I doubt 1337 haxors build test suites
04:16 < petertodd> jgarzik: elite hackers on the other hand...
04:17 < Luke-Jr> he left
04:18 < Luke-Jr> although, I wonder what he considers Metasploit
04:18 < Luke-Jr> sure feels like a test suite to me <.<
04:30 < petertodd> lol
04:32 < gmaxwell> I dunno how you can write anything working in a dynamic language like php, js, or python without having a bunch of tests.
05:39 < sipa> gmaxwell: i really wish python had static types :(
05:40 < sipa> sometimes i work on a program that uses a large framework, which takes half a minute to start up a test instance
05:40 < sipa> only to see "syntax error: ..." for some trivial thing...
05:55 < gmaxwell> sipa: I have had experiences like having a 24 hour computation run hit a syntax error in the @#$#@# code that printed the results.
05:55 < gmaxwell> thats half of what made me stop using python for bulk computation.
05:56 < sipa> lol
06:00 < gmaxwell> e.g. stuff like print "%d %d %d"%(a,b,c,d)
06:30 < petertodd> there are actually static type modules available for python, and they work too, which on the one hand is nifty, on the other hand tells you a lot about how crazy you can get with dynamic types in python...
18:30 < HM> Boost.MPL
18:30 < HM> Kind of awesome, kind of makes me want to strangle squash living things
11:03 < gmaxwell> adam3us1: the pressure to implement fast JITs for this stuff is part of the reason I'm skeptical about people getting the cycle counters right.
11:04 < adam3us1> andytoshi: this is more like OP_FORMATDISK, OP_SENDPRIVATEKEYS
11:06 < adam3us1> gmaxwell: the nice thing about cross chain atomic swap as the main mechanism is its full-node secure (not just spv) and its the market makers who are taking the SPV risk
11:06 < adam3us1> (back on the pegged side-chain again)
11:06 < gmaxwell> in any case, with snarks I think you're just left with people may write scripts which are unsafe in a mean and nasty world, and I'm okay with that. I don't think we can do better without removing all flexibility. Hell, even DSA is not really safe in a mean and nasty world. :)
11:07 < gmaxwell> adam3us1: hm. well atomic chain swaps are not secure against sufficiently reorgs with double spends... but they are a 1:1 risk, only the person swapping with you can rip you off.
11:07 < gmaxwell> er sufficiently deep reorgs.
11:08 < gmaxwell> Right the first step of an atomic swap is to multisig escrow coins. If you suffer a reorg deep enough that the escrowing can be killed on one chain, after the transaction is done on the other, the coins can be clawed back.
11:08 < gmaxwell> it's just not a doomsday risk
11:09 < nsh> so.. i guess OP_DOOMSDAY is completely out the window?
11:09 < adam3us1> gmaxwell: i am not 100% sure, though there is some plausibility, that you can expect to extract secure finance in a distributed version of core wars/redcode, even with user action on input for private keys, private key crypto ops outside of the sandbox, sandboxes for execution. non-functional stateful code in a hostile distributed execution environment plus a bit of crypto
11:10 < petertodd> adam3us1: my first question: what is all this going to actually be used for?
11:27 < justanotheruser> hello
11:35 < adam3us1> petertodd: its going to be used say to encourage an explosion of innovation, by making TC code maximally self-extensible.
11:39 < adam3us> petertodd: alternatively a fun experiment in core-wars/redcode with $Bns at stake, or exploring the boundaries of human ability to write secure code in a hostile environment & formal provability of security properties of code
11:39 < petertodd> true!
11:39 < petertodd> corewars where you actually lose money if you lose
11:48 < jtimon> very interesting, I hadn't thought about the scripts as a source of consensus-critical-implementation-consistency bugs
11:48 < jtimon> I'm not sure I understand the corewars attacks though
11:49 < jtimon> say I pay to a p2sh and the script is TC
11:50 < jtimon> the attacker still has to find a script with the same hash, no?
11:50 < jtimon> what am I missing adam3us1 ?
12:21 < jtimon> I guess I don't understand the corewars game itself
12:23 < adam3us> jtimon: corewars i never played either but the idea is to seize control of the cpu or the other guys program. a game of hostile code vs hostile code
12:24 < jtimon> yeah I understand the general idea, I'm not sure I understand the strategies though
12:26 < jtimon> anyway, apart from gmaxwell's concerns (code scape and script-consensus), what are the potential problems with a TC p2sh ?
12:26 < gmaxwell> I have actually played corewars.
12:27 < gmaxwell> (on an atari ST, I believe)
12:27 < jtimon> the game looks very interesting
12:27 < adam3us> adam3us: if TC extensions can be written by anyone dynamically at any time to the opcode, script lang etc and the TC is persistently stateful i was wondering if an existing op code or smart-contract can convince its author that it cant be later fooled by someone elses state changes, extensions etc. TC is a lot of complexity.
12:30 < adam3us> jtimon: wait quark has its own PoW?
12:31 < jtimon> TC is all the complexity :) I'm still not sure I understand what you mean though :(
12:31 < jtimon> yes, I think so
12:31 < jtimon> a "basket algorithm"
12:31 < jtimon> some freicoiners pushed for something similar for a while
12:33 < jtimon> instead of using just one hash function as Bitcoin does, Quark uses six: BLAKE, Blue Midnight Wish, Groestl, JH, Skein and Keccak.
12:33 < adam3us> jtimon: oh maybe i heard of that some mix, yes
12:33 < jtimon> http://bitcoinmagazine.com/8972/quarkcoin-noble-intentions-wrong-approach/
12:37 < jtimon> I don't know adam3us, if you're hashing your own TC script, why would you fool yourself?
12:37 < brisque> https://ghash.io/ghashio_press_release.pdf
12:39 < brisque> 45% private hardware is interesting though, gmaxwell wasn't wrong about the amount of funding selling hardware gave them
12:39 < gmaxwell> "Jeffery Smith"
12:39 < pigeons> Tom Williams
12:40 < jtimon> can't they just p2pool? is 55% p2pool risky?
12:40 < brisque> no.
12:40 < brisque> if ghash.io dumped their load on p2pool they would rocket the share difficulty though.
12:41 < jtimon> I see, it's a question of efficiency
12:41 < brisque> gmaxwell: different name than on their domain at least.
12:41 < gmaxwell> brisque: well it's not that bad because p2pool adapts share difficulty per miner somewhat.
12:42 < brisque> good point.
12:43 < jtimon> Interesting: "Non-standard transactions, such as mentioned above, can not be relayed to
12:43 < jtimon> the blockchain network, however they are still valid, and can be mined
12:43 < jtimon> using the hashing power accumulated on GHash.IO. "
12:44 < adam3us> jtimon: point is if everyone can extend the script language at any time, and write to global, persistent state (presumably with some authorization) are we still as confident that a smart-contract cant be tricked by another persons script or state changes. probably not as sure. maybe not very sure at all.
12:44 < brisque> jtimon: not much help if there's no publicly known nodes to push to though. eligius has an interface for it.
12:46 < jtimon> adam3us what you mean a persistent state? apart from the utxo itself? Like a global "general purpose in-chain memory" or something?
12:46 < adam3us> jtimon: yes.
12:47 < jtimon> and why is that persistent state needed for?
12:47 < jtimon> I thought we were only assuming TC scripting
13:52 < maaku_> gmaxwell: "p2pool adapts share difficulty per miner" is that true? i thought the current share level was part of p2pool's consensus.
13:52 < gmaxwell> maaku_: there is a minimum share difficulty and a maximum share difficulty (just a multiple of the minimum) which is part of the consensus.
13:53 < gmaxwell> maaku_: but individual miners can choose any difficulty in between the two, and the stock software targets getting a certain number (1000? I forget) of shares in the window.
13:54 < maaku_> ah
13:55 < maaku_> re TC complete scripts, is there any known application of this stuff?
13:55 < gmaxwell> The end result is just that the minimum is lower than it would be if everyone used the minimum... and large miners give up a small amount of share variance by default, but it makes the variance much lower for small miners.
13:56 < gmaxwell> maaku_: not really. I mean, if bounds are high enough it expands the space of non-private non-interactive bounty transactions. e.g. "100 BTC to someone who provides the root key to AACS"
14:00 < maaku_> gmaxwell: short of that stuff, which is probably best done with a SNARK verification opcode, it seems like most of the benefits could be had via MAST & loop unrolling
14:01 < gmaxwell> maaku_: yea, personally I don't see a lot of point to turing complete. The lack of privacy really closes a lot of options that would otherwise be interesting.
14:01 < gmaxwell> And a lot of stuff can just be done with simple finite state which could be represented in a fixed script (and, indeed, MAST compressed)
14:03 < gmaxwell> I'm more interested in questions like "How can you encode a boolean satisfaction rule like (x and y) or ((x or y) and 2 of 3 (a,b,c)) most compactly."
14:05 < maaku_> that would be directly useful
14:08 < gmaxwell> Coding those kinds of rules via procedural branching is not terribly compact.
14:08 < midnightmagic> truth-table optimization and karnaugh maps?
14:11 < gmaxwell> The naive way is to encode a truth table, but its exponential in the number of variables.
14:12 < gmaxwell> I suppose that a 32 bit truth table for 5 inputs would still be smaller than any way that script can express the above rule.
14:18 < midnightmagic> oh right.. "like".
14:18 < gmaxwell> hm. perhaps efficient encoding of the satisfaction rules is less interesting than I was thinking. The reason is that when the rules can be reordered so that you can avoid disclosing >1 public key, then you're better off MAST compressing that part of the rule.
14:20 < gmaxwell> e.g. you could have a OP_TABLE that took in 5 bits encoding x,y,a,b,c signatures passing and a 32 bit table value, ... but it would result in a larger script than a procedural one that only disclosed the a,b,c pubkeys if !(x&&y).
14:21 < midnightmagic> truth table optimization and piles of interesting technique for it are covered in digital logic design texts such as .. hrm. I can't find it anymore. Well, mine has this guy with a hat, and in the other side, the picture is inverted and the guy is gone and there's blue sky revealed behind the cutout.
14:23 < nsh> i don't think i've ever remembered a book cover in such detail...
14:23 < gmaxwell> I wonder if there is an efficient way to represent truth tables that are never 'too indifferent'... e.g. wouldn't be better represented by a MAST. My head hurts.
14:23 < nsh> hmm
14:24 < nsh> what's indifference in this context, gmaxwell?
14:25 < gmaxwell> nsh: e.g. in the truth table for (x and y) or ((x or y) and 2 of 3 (a,b,c)) if x&&y or !x && !y then it doesn't matter if a,b,c are true.
14:25 < nsh> ah, right
14:26 < gmaxwell> so if you were to make a script that encoded (x and y) or ((x or y) and 2 of 3 (a,b,c)) you would probably want to use a branching script that revealed a,b,c pubkeys if and only if x^y
14:27 < nsh> hmm
20:59 < BlueMatt> petertodd: it doesnt, but it also shouldnt actively seek out nodes it knows arent verifying and ask them for data
20:59 < gmaxwell> BlueMatt: I am concerned that upgrading is now less of an option, since it seems to be socially accepted that SPV or webwallet is all you need. Sort of a moot debate unless it exists.
21:00 < BlueMatt> webwallets we cant really control (but that doesnt cause a decrease in spv:full node ratio, so..meh), but spv clients can upgrade to full nodes if they have the resources
21:00 < petertodd> BlueMatt: I can fire up a thousand fake full nodes on amazon ec2 for not that much money; SPV nodes just don't know. They're much better off passing around block header information as widely as possible to try to detect them being isolated by false full nodes.
21:00 < BlueMatt> and since so many spv wallets are bitcoinj.......
21:01 < petertodd> BlueMatt: There is just *no* case where finding out that there exists a longer set of headers than the one the full nodes you're talking to claim exist will be harmful to you if you can't trust those full nodes.
21:02 < petertodd> BlueMatt: Also, FWIW I *have* done something similar to that: I fired up enough EC2 instances doing the bloom io attack that I saw random nodes all over the network falling behind in consensus. Cost me ~$50 or something IIRC.
21:02 < BlueMatt> petertodd: Im looking at it a different way: if you're an spv node and have X outbound connections you want to make, should you connect to other spv nodes (which not only are non-verifying, but will likely only stay online for some brief period of time)
21:02 < BlueMatt> or would you rather connect to full nodes?
21:03 < petertodd> BlueMatt: If there were infinite full node capacity lying around, then yes, you'd want to connect to full nodes. But there isn't, so it's reasonable to connect to SPV nodes.
21:03 < BlueMatt> and since spv nodes generally also dont listen....
21:03 < petertodd> BlueMatt: Not yet, but they may start to in the future, hence why I mentioned that example in my BIP.
21:06 < petertodd> BlueMatt: I hope you understand that's a *very* different argument than "SPV nodes shouldn't be relaying stuff"
21:06 < BlueMatt> spv nodes relaying headers also doesnt apply in this case since headers arent filtered
21:07 < BlueMatt> (in the BIP, that is)
21:07 < petertodd> BlueMatt: No, but if you're relaying headers, there's no reason not to relay blocks too.
21:07 < BlueMatt> petertodd: in the future, sure, but, again, in this case it makes absolutely no sense
21:07 < petertodd> BlueMatt: (modulo bandwidth)
21:07 < petertodd> BlueMatt: "in this case" meaning the situation right now?
21:08 < BlueMatt> as in in the BIP
21:08 < BlueMatt> really, I dont like the NODE_BLOOM bit without thinking hard about how to announce you are a fully verifying node and not an archive node and all that stuff
21:08 < petertodd> BlueMatt: Right, well if it causes enough consternation - given it's not why I added that example in the BIP anyway - I'll just re-write it to talk about a hypothetical NODE_BLOCKCHAIN or something where NODE_BLOOM means "filter that information against this filter"
21:09 < BlueMatt> sgtm
21:09 < petertodd> BlueMatt: If anything, NODE_BLOOM and some future NODE_ARCHIVAL_BLOCKS makes a lot of sense due to the differences in what you're trying to optimize for if you're serving up SPV clients vs. you want to serve up archival history efficiently.
21:10 < petertodd> https://github.com/bitcoin/bitcoin/pull/2900#issuecomment-23274616
21:10 < BlueMatt> definitely, and Id kinda like to see all the bits come in one bip, but that probably isnt reasonable to push it through...
21:11 < petertodd> BlueMatt: yeah, I think it's fine to just have a bip saying "here's this NODE_BLOOM bit, it means we're willing to filter stuff"
21:11 < petertodd> Heck, as I said to sipa the other day for now NODE_BLOOM and nothing else is an abstract art piece where you promise you'll filter the nothingness. :P
21:11 < gmaxwell> BlueMatt: we could just someday do a flag overview bip that overviews them and points out their interaction.
21:11 < gmaxwell> hahahahahah
21:12 < BlueMatt> OH GOD
21:12 < BlueMatt> NOOOOOOO
21:12 < gmaxwell> petertodd: "collision free bloom node"
21:13 < petertodd> gmaxwell: "Can nothing collide with itself?"
21:13 < gmaxwell> What is the sound of an empty hash table? Can it be local?
21:14 < petertodd> gmaxwell: We'll have to test for non-compliant implementations that fail to accept filter* requests.
21:15 < warren> petertodd: I'm working on one right now...
21:17 < petertodd> warren: the implementation is all well and nice, but I expect an artists statement to go along with it
--- Log closed Thu Oct 17 00:00:16 2013
--- Log opened Thu Oct 17 00:00:16 2013
13:29 < grau> !seen amiller
13:29 < amiller> present
13:30 < grau> hi, did you reckon that bribe is possible with the double spend attack I described?
13:30 < grau> in https://bitcointalk.org/index.php?topic=312801.0
13:31 < gmaxwell> I need to ask theymos to do some html obfuscation of the moderator names
13:31 < gmaxwell> it's impossible for me to search for myself on the forum.
13:32 < grau> amiller: ^^?
13:32 < gmaxwell> easier to search IRC: http://bitcoinstats.com/irc/bitcoin-dev/logs/2012/10/25#l1351169953
13:32 < amiller> grau i don't see how you prevent the bribe from just being picked up by someone else in a different block
13:33 < amiller> because there's no way to mark a tx as dependent on height
13:33 < amiller> if a sequence of tx ending in an anyone-can-pay are valid in one fork
13:33 < amiller> you can just take them all and apply them to any other fork too
13:33 < gmaxwell> amiller: sure there is.. and I explained this to you before.
13:34 < grau> you can only apply it if it is valid there but it is not if it was spent
13:34 < grau> the idea is that the bribing transaction is only valid in its fork since it is a double spend
13:35 < grau> on the original fork
13:35 < amiller> i agree you could use that to fork *away* from the original fork
13:35 < amiller> i guess you couldn't force them to be on your fork though
13:35 < amiller> maybe someone would just work on a different fork with both the blacklisted tx *and* the bribe?
13:35 < grau> not forcing but making it rational to be there
13:35 < gmaxwell> amiller: you can do things like pay for a double spend by spending the output of the double spend into a sequence of anyone can spend transactions with progressive nlocktime.
13:36 < amiller> hmmmm
13:36 < amiller> i see.
13:36 < amiller> i remember now thinking that that didn't work when it began with a coinbase, but you could do it generally 13:37 < amiller> you should go in increasing order though raather than decreasing i think 13:37 < gmaxwell> yea, see the link above I told you this before. (And I believe I have a 2011 post on BCT about it, but @#$@#$ search for myself) 13:37 < grau> what distrubs me is that if bribe is possible then it does not matter if you have majority of mining power just if you pay enough 13:37 < amiller> 1 btc for the first block, 2 for the second block on top, then 4, 8 then done 13:37 < amiller> because 13:37 < gmaxwell> grau: if the majority is "greedy", correct. 13:37 < amiller> you wouldn't want people to start fighting until it was basically already settled 13:37 < gmaxwell> amiller: interesting! 13:38 < amiller> so the reward for participating in the next block should always be larger than all the previous blocks since the bribe started 13:38 < gmaxwell> amiller: my thought was that the first one had the largest marginal value. 13:38 < grau> gmaxwell: miner are greedy 13:39 < amiller> grau, for the moment, miners are just *weird* 13:39 < gmaxwell> grau: they are observably not entirely greedy. 13:39 < gmaxwell> yea, "weird" is more accurate. 13:39 < amiller> they're part greedy, part lazy, part nutso 13:39 < amiller> lazy basically means "honest" for the moment since the reference client is pretty fair 13:40 < gmaxwell> well they're also actually part honest. and greedyness can include not wanting the debase their own coins. 13:40 < amiller> yeah. 13:40 < amiller> they're not exactly myopic, they seem to adhere to some kinds of long term interest along those lines 13:41 < amiller> including the up front investment in hardware... 13:41 < amiller> but. 
13:41 < amiller> i'm personally comfortable just modeling them as greedy because i think that is what they'll eventually converge on 13:41 < grau> amiller: exactly as more and more capital involved they converge to greedy 13:42 < amiller> and, potentailly worse for us, short-term greedy 13:42 < gmaxwell> Depends on how you define greedy. 13:42 < gmaxwell> Right. 13:42 < gmaxwell> Long term greedy is less concerning. 13:42 < gmaxwell> Long term greedy will probably not reorg the chain for a bit more fees: doing that makes the earned coins (and your hardware!!!) worthless. 13:42 < gmaxwell> Short term greedy will. 13:43 < gmaxwell> (or if not worthless: worth less) 13:43 < sipa> the problem with long term greedy is that it is much harder to quantize 13:43 < sipa> *quantify 13:44 < amiller> the short term greedy miner sells his btc revenue immediately for whatever other currency he likes, like advance on his electricity bill for example, and thus doesn't really need to be worried about the long term stability 13:45 < grau> I question if the number of blocks needed to be sure of a larger transfer should be reconsidered under the possibility of anonymous bribe. 13:45 < gmaxwell> amiller: but if he owns his hardware, he's not going to be so happy about the long term results... unless he can sell that easily too. 13:45 < gmaxwell> grau: they already should have been reconsidered considering pools with 30%-40% hashpower. 13:45 < gmaxwell> BTCguild ends up with 6 block runs with some regularity. 13:46 < gmaxwell> The problem is that if you start crunching the numbers on this kind of thing you end up with rather big numbers. 15:20 < HM2> but are you saying it'll be biased? 
15:21 < sipa> yes 15:21 < HM2> I'm confused about the integer multiple bit, because the actual value and length of the ciphertext is irrelevant, you only care about ordering within the block ciphers domain 15:21 < sipa> not every permutations will have the same probability 15:22 < HM2> Hmm perhaps, but you don't actually have to use a symmetric cipher either 15:22 < sipa> irrelevant 15:22 < HM2> How is generating 10000 SHA-1s going to be biased? 15:23 < HM2> for instance, say your arbitrary domain was over [0,1] 15:23 < HM2> basically you're generating SHA(key,1) and SHA(key,2) and comparing which is the greater 15:23 < sipa> ok 15:23 < HM2> you're saying there's going to be a bias of ordering? 15:23 < sipa> say we're sorting [0,1,2] 15:24 < HM2> no just mapping 0 -> 0 or 1 and 1->other one 15:24 < sipa> and we use SHA(key,n) & 0xF 15:24 < HM2> woah 15:24 < sipa> instead of the full SHA 15:24 < HM2> & 0xF? 15:24 < HM2> no 15:24 < sipa> just to prove my point 15:24 < sipa> it's equally valid for larger keys 15:25 < HM2> hmmm 15:25 < sipa> so you have 8 possible outcomes, ignoring the key 15:25 < HM2> yes 15:25 < sipa> and they have to be distributed over 6 possible permutations 15:25 < sipa> wait, i'm wrong 15:25 < HM2> 8x7x6 permutations 15:26 < HM2> erm 15:26 < HM2> (8x7x6)/(3x2) 15:26 < sipa> yes, and this just happens to be possible :p 15:26 < HM2> lol 15:27 < sipa> the point is that if the input to your algorithm (the key) has not a multiple of the possible resulting permutations, there will always be permutations that are more likely then others 15:27 < sipa> that doesn't mean these are easy to find, or that it's insecure 15:27 < HM2> hmm 15:28 < HM2> I still don't really see that. 
If you encrypt 10000 distinct values with a symmetric cipher you're going to end up with 10000 distinct ciphertexts, the distribution of those ciphertexts should be pseudorandom 15:29 < sipa> you see it as a function that takes as input a key, and returns a permutation 15:30 < sipa> each key is equally likely as input 15:30 < HM2> this is why i tried to boil it down to a very limited domain 15:30 < HM2> [0,1] 15:30 < sipa> HM2: and i'm not talking about pseudorandom or not 15:30 < sipa> in fact, if it's pseudorandom it can never be a perfect shuffle 15:31 < sipa> as no variance in the output probabilities is incredible unlikely 15:31 < HM2> SHA(key,0) should be < than SHA(key,1) ~50% of the time. so how can ordering those outputs not be a good pseudorandom shuffle? 15:31 < sipa> i am NOT talking about pseudorandom or not! 15:31 < HM2> ok 15:32 < sipa> i'm saying that not every permutation will be equally likely 15:32 < HM2> but a shuffle is a permutation 15:32 < sipa> yes 15:32 < HM2> well the paper says nowt about it 15:32 < sipa> sure 15:33 < sipa> it also doesn't matter if you keys are large enough 15:33 < sipa> which is the case in cryptographic applications anyway 15:33 < sipa> but when people try to make a random shuffle based on just some rand() function, this argument can be used to show that their shuffle is biased 15:34 < HM2> oh sure, shuffling is hard, but i still don't see your multiple problem 15:34 < sipa> if your function has N input possibilities, and M output possibilities 15:35 < sipa> then some outputs will be more likely than others 15:35 < sipa> unless N is a multiple of M 15:35 < HM2> but that's not the case 15:35 < sipa> i mean, if there are 4 inputs and 3 outputs, one output will be the result of 2 inputs, while the others will be the result of 1 15:35 < HM2> right agreed 15:36 < HM2> but you're doing this 15:36 < HM2> [encrypt(K,0), encrypt(K,1), encrypt(K,2),encrypt(K,3)] 15:37 < HM2> sorting the results 15:37 < HM2> it doesn't matter if 
they're 8 bits long or 1024 bits long 15:37 < HM2> relative to one another they're still randomly ordered 15:37 < sipa> for 8 bits the bias should be detectable 15:37 < sipa> iterate over all 256 input keys, see which output permutations you end up with 15:38 < sipa> and you'll see some are definitely more likely than others 15:38 < HM2> ah sure 15:38 < HM2> but you're talking about biases within the block cipher 15:38 < sipa> no 15:38 < sipa> even if that encrypt function has a perfectly uniform output distribution 15:39 < HM2> OK, so you should be able to replace it with a perfect number generator 15:39 < sipa> because there are 256 inputs, and 24 outputs 15:39 < HM2> let's do it with a perfect RNG that produces 4 different 8 bit numbers 15:40 < sipa> ok 15:40 < HM2> 201, 72, 3, 29 15:40 < sipa> now you've changed the function to take a 256^4 input, though 15:40 < sipa> which will still be biased but much much less so 15:40 < HM2> huh? 15:40 < sipa> you consume 4 8-bit numbers from your environment now 15:40 < HM2> what is the "input"? 
15:41 < sipa> the random data you consume is the input now 15:41 < HM2> well we're moddling a block cipher as a RNG 15:41 < HM2> assuming the cipher is perfect 15:41 < sipa> doesn't matter 15:41 < sipa> the specific cipher is known 15:41 < sipa> so you cannot assume independence between the outputs 15:42 < sipa> you look at the set of all functions with 8-bit outputs, and pick one of them in advance 15:42 < sipa> and you know which one this is 15:42 < HM2> I'm still trying to nail down where you think this algorithm is flawed 15:42 < sipa> ok 15:43 < sipa> write me a program that produces a random permutation of [0,1,2,3] 15:43 < HM2> ergh 15:44 < sipa> but it only uses 8 bits of randomness 15:44 < sipa> so you get to call rand() % 256 once 15:44 < sipa> and that's it 15:44 < HM2> i never said you use 8 bits of randomness 15:44 < sipa> the key is 8 bits 15:45 < sipa> 21:37:18 < HM2> it doesn't matter if they're 8 bits long or 1024 bits long 15:45 < HM2> the block size, not the key size 15:46 < sipa> ooooh 15:46 < sipa> that changes things :) 15:46 < HM2> for instance, if you're using SHA-1 15:46 < HM2> you could put the works of shakespeare through it 15:46 < sipa> sure sure 15:46 < HM2> but you're producing 4 x 160 bit numbers 15:46 < HM2> then ordering them 15:46 < sipa> yes, but that's all irrelevant 15:46 < sipa> the question is what the size of your key is 15:47 < HM2> i see 15:47 < sipa> well, not irrelevant of course 15:47 < sipa> but it's not the problem 15:48 < HM2> so what has to be an integer multiple? 15:48 < HM2> the key size or the hash/ciphertext size? 
15:49 < sipa> the number of possibilities of the key has to be a multiple of the number of potential outcome permutations 15:49 < HM2> hmm 15:49 < sipa> but i'm not in any way talking about secure or not 15:50 < sipa> random functions are always biased a bit, that doesn't mean they're distinguishable from random 15:51 < sipa> where this does matter is if someone wants to write a function to produce a random permutation of some list 15:51 < HM2> well that's exactly what we're doing 15:51 < sipa> and they do so by assigning a 16-bit (independent) random number with each element 15:51 < sipa> and then sorting the random numbers 15:51 < HM2> sure 15:51 < HM2> that's basically it 15:51 < sipa> and returning the elements in that order 15:51 < warren> sipa: oh hey, just curious how your secp256k1 is going? 15:52 < HM2> I don't see how that produces a bias 15:52 < sipa> HM2: because you're taking 2^(16*N) data as input 15:53 < sipa> and those inputs cannot be possibly evenly divided over N! potential outputs 15:53 < sipa> warren: quite good, but slow :) 15:53 < sipa> (progress is slow, not performance :p) 15:54 < sipa> HM2: in case you use some cryptographic-strength randomizing function in between, you're fine, the bias will be impossible to detect 15:54 < sipa> but if you use small random numbers, the bias may be detectable 15:54 < HM2> the number of inputs isn't 2^(16*N). If you assign 1 value from a 16 bit field to the number 0 then 1 can only be picked from field of 2^16 - 1 values 15:54 < sipa> i did say "independent random number" 15:55 < HM2> right, but that isn't the algorithm this paper is using 15:55 < HM2> it's using a block cipher which means it isn't 2^(N*16) possible mappings 15:55 < sipa> right 15:55 < sipa> but now you've moved the problem to the key 15:56 < HM2> If you have a field of size F and a block size of size N then you have N! / (N - F)! possible mappings 15:57 < HM2> I think? 
15:57 < sipa> i'm going to stop discussing; i think you think i mean something i'm not :) 15:58 < sipa> and it's pointless anyway 15:58 < HM2> aww cmon 15:59 < sipa> i shouldn't have brought it up here, it is not a problem in this context 16:01 < HM2> you're assigning 16 bit numbers to [0...4] then you have (2**16)! / (2**16 - 5)! possible mappings afaict, your argument for a bias seems to be that that isn't divisible by 5! but I don't see that that's a problem 16:01 < HM2> although...actually it is divisible by 5! 16:02 < sipa> your keyspace size isn't 16:02 < sipa> if it is many times larger, that doesn't matter 16:03 < HM2> right, 2^16 isn't 16:04 < HM2> but i believe the number of mappings divided by the number of output permutations is always an integer 16:05 < HM2> i'll accept that the inner function will always be imperfect but can't see what the flaw you mention 16:05 < HM2> but i'll stop on about it now anyway, it's an interesting paper 16:05 < sipa> true! 16:06 < HM2> http://www.wolframalpha.com/input/?i=%28%282**n%29%21+%2F+%282**n+-+x%29%21%29+%2F+x%21 16:07 < HM2> ^ i think this shows it'll always be an integer as long as 2^n > x 16:07 < HM2> but i'm not sure 16:09 < sipa> HM2: sure, if you take a uniformly random permutation function from 2^N -> 2^N, apply it to the numbers 0..I, and then sort these numbers, you get a uniformly random permutation 16:09 < sipa> but the point is picking a uniformly random permutation function 16:09 < sipa> if you use a cryptographic primitive there, it will be indistinguishable from one 16:09 < HM2> I don't dispute that 16:10 < sipa> but it won't be one 14:10 <@gmaxwell> yes, I agree that there is a usecase for donation addresses, I think you're trying to expand it to other things and its a very poor fit, and comes only at a unknown loss in privacy. 
(which was acceptable when the alternative was a totally static address, and is not so acceptable when the alternative is a totally private address) 14:10 < petertodd> gmaxwell: but what's the point of this linkability? they can just as easily say "hey! I gave peter money too!", the master pubkey for a stealth address only lets them prove the funds went to the same wallet 14:10 < petertodd> gmaxwell: pragmaticly speaking the window where it matters, say you were all talking on OTR chat, is pretty small 14:11 <@gmaxwell> petertodd: because you can do things like go around and demand people identify all the stealt payments they made. 14:11 < petertodd> gmaxwell: only if you know who to ask, and again, in BIP32, or hell, individually given out one-time-addresses, the human impacts aren't that different 14:12 <@gmaxwell> In any case you've added an additional payer linkablity of payees which is transferable, ... it seems like a really big vulnerablity to add in cases where you really could have complete privacy. 14:12 < petertodd> gmaxwell: rarely does it matter that someone is alleging I received money at one bitcoin wallet or more than one 14:12 <@gmaxwell> petertodd: in BIP32 you can give reusable addresses which are not linkable between users, if you wish. if they're seperate chains they don't have any data in common. 14:13 <@gmaxwell> petertodd: people make allegations about people being the same person all the time. 14:13 < petertodd> gmaxwell: yes I know, which is why you should use a different stealth address for each of your alts 14:13 <@gmaxwell> even when the parties in question weren't really trying to be one or two identites. 14:14 <@gmaxwell> Bitcoin used well today in the bidirectional communication case creates none of that linkage ever. This is adding a vulnerabity where none exists. 
14:15 < petertodd> gmaxwell: but I'm not arguing for the interactive bidirectional case, I'm arguing for the semi-bidirectional case where the communication may or may not ever get through at best 14:15 <@gmaxwell> and it scales like n*m so there is a disincentive to use a new stealth address whereever you can. 14:15 <@gmaxwell> petertodd: all of my complaints are stemming because you started suggesting that this is somehow a _general_ replacement for bloom for spv. 14:15 <@gmaxwell> If its only used where people have nearly one way communication and would have otherwise used a static address I don't have a complaint. 14:16 <@gmaxwell> Other then perhaps you'll never get bitcoinj to implement. :P 14:16 < petertodd> gmaxwell: I'm not saying that! this has nothing to do with SPV other than SPV is why it has optional, and user-defined, filtering to cut down on bandwidth 14:17 < petertodd> gmaxwell: and the prefix filtering business has a lot of things going for it regarding scalability, and I'm advocating that separate to this idea 14:17 < petertodd> gmaxwell: bitcoinj no, darkwallet more likely 14:17 <@gmaxwell> if bitcoinj doesn't implement it no one will use it for donations... since you need to implement it merely to _send_ to it. 14:18 <@gmaxwell> and no one wants a donation address that a non-trivial number of people can't send to. 
14:18 <@gmaxwell> (I've gotten so many complaints about CJ bounty being unpaytoable) 14:18 < petertodd> gmaxwell: which gets back to the other nice thing about this: suppose I put one of these stealth addresses as a user id in my PGP key: now the UI of my wallet can very easily let me pay a person, authennticate it all properly so I actually know who I'm paying, yet it works fine regardless of how shoddy the communication between the two people is 14:19 < petertodd> gmaxwell: equally, replace PGP with whatever CA system you want 14:20 < petertodd> gmaxwell: if bitcoinj doesn't do that, whatever - this all came up at the darkwallet hackathon with regard to identity systems that people want so payments to individuals are more secure 14:20 <@gmaxwell> in any case I think you should totally seperate the prefix bait proposal. You can just have extra data in transactions for any scheme you want. 14:21 < petertodd> gmaxwell: yeah, and we kept trying to come up with such schemes, and soon realized we needed some way of essentially including encrypted data to the actual recipient, something this ECDH based scheme does unusually efficiently 14:22 <@gmaxwell> petertodd: well not whatever. payment-to has network effect. This matters. Which means designing a proposal which will be tolerable to many different wallets. Esp as this is not a oneline change like p2sh. You have to generate your output addresses after doing coin selection... and it doesn't work if you have all pay to pubkey coins, or all ECDSA free coins. 14:23 <@gmaxwell> (e.g. 
if we introduce a new signature system in the future) 14:24 < petertodd> gmaxwell: I know that, fortumately the circumstances where you don't have a ECC pubkey are rare, and part of introducing a new signature scheme may very well be to just do my original proposal of "include an encrypted blob" in the transaction 14:24 < petertodd> gmaxwell: but that's costly for now, so we avoid it 14:24 < petertodd> gmaxwell: we also thought abotu stuff like using bitmessage, but ultimattely every solution that doesn't involve the blockchain is less reliable, often by a lot 14:24 < petertodd> gmaxwell: losing payment is very bad after all... 14:24 < petertodd> *payments 14:25 <@gmaxwell> well you make the exact nature of the current usage more of a suicide pact, it makes all of bitcoin more brittle. 14:25 <@gmaxwell> though this may be avoidable. 14:25 < petertodd> think of it this way: it's an optimization of "encrypted blob" 14:25 <@gmaxwell> For example, if the spec allows you to use an OP_RETURN output for the nonce if there is no other public key in the transaction. 14:25 < petertodd> sure, that's easy to do 14:25 <@gmaxwell> then it's less of a fixation on how things are currently done. 14:25 < petertodd> although breaks coinjoin because we only allow a single op_return 14:26 <@gmaxwell> no, they could all use the same nonce. 14:26 <@gmaxwell> you'd just have to agree on it in a CJ. 14:26 < petertodd> right, which breaks the moment someone needs to upgrade something... 14:26 <@gmaxwell> CJ's already break, since presumably you're going to ask people to only check with the first pubkey in the txn. 14:27 <@gmaxwell> CJ mixer needs to recieve the full stealth address. 14:27 < petertodd> not at all, that's why I expect an actual spec to put a limit on tx size (or more likely # of tx inputs) 14:27 <@gmaxwell> ugh! thats a multiplicative increase in the computational cost, usually for no gain. 14:27 <@gmaxwell> getting less interesting. 
14:28 < petertodd> yes well, that's life, the alternative is marking the possible txins with nSequence 14:28 < petertodd> which can easily be an info leak - tells you how many "actual" outputs there are 14:28 <@gmaxwell> yuck. 14:29 <@gmaxwell> or you could just give CJ mixers the stealth address ... 14:29 < petertodd> meh, it's a multiplicative increase that'll never be more than the total number of txins in a block - it's not an exponential thing 14:29 < petertodd> I'm expecting most CJ to be two party mixes anyway 14:30 <@gmaxwell> oh but then you have the problem I was griping about earlier... where people get a transferable proof of who someone was. yuck 14:30 < petertodd> it's reasonable to ask that the relevant txins be placed at the top two slots 14:30 <@gmaxwell> petertodd: huh? what if all txins are relevant? 14:30 <@gmaxwell> and if the reciever isn't guarenteed that its at the top they have to check all of them. 14:31 < petertodd> gmaxwell: then you're back to my point about having some sane limit of total number of txins per tx to check - making it only possible to pay, say, 10 stealth addrs in one tx isn't a big deal 14:32 <@gmaxwell> oh this also totally screws up offline signing. 14:32 <@gmaxwell> because you won't be able to author a transaction without access to the secret. 14:33 < petertodd> gmaxwell: OTOH offline signing that's for multisig is not affected 14:33 < petertodd> use the online secret 14:33 <@gmaxwell> sure but if you're increasing the transaction size, might as well just start adding the nonce to an OP_RETURN or txout. 14:34 <@gmaxwell> And expecting multisig to save this is not compatible with schnorr threshold signing. 14:34 < petertodd> well it needs to be more than just a nonce unfortunately, it has to be encrypted to the recipient 14:36 <@gmaxwell> huh? you need a nonce to do the encryption. 14:36 < petertodd> I mean it's not a short nonce, e.g. 
for ECDH you need a x byte nonce + a 33 byte emphemeral pubkey 14:36 <@gmaxwell> no you don't. 14:37 <@gmaxwell> you need an ephemeral pubkey. 14:37 < petertodd> oh, actually the pubkey is your nonce... 14:37 <@gmaxwell> right. 14:37 <@gmaxwell> it's not short though it can be safely shared. 14:37 < petertodd> ? 14:37 < petertodd> oh, you mean it's 33 bytes but can be safely shared 14:38 < petertodd> see, my other idea was to use bare multisig destinations for this 14:39 < petertodd> but all that's just details to make it compatible with what we have now, obviously <eph> OP_DROP works too 14:41 < petertodd> anyway, timeline on schnorr is easily years, if it gets implemented, you modify the software to use OP_RETURN or something and bump some version bit in the address format to indicate support, people upgrade over time 14:41 < petertodd> drop support for the old mechanism later 14:41 < petertodd> you can always use the ugly hack of keeping a few txouts of low value for backwards compatibility 14:42 <@gmaxwell> its very ugly. at least if getting the nonce from an op_return is standard supported all the stealth recievers don't need to upgrade their software. 20:12 < gmaxwell> The regulatory point isn't the "exchange" it's the handling usd. 20:13 < Mike_B> i was thinking more about either trading with other cryptocurrencies, or with US "ious" a la ripple or what have you 20:22 < jtimon> Mike_B RippleLab's Ripple is not a very good ripple design (sorry for the redundancy) 20:22 < jtimon> Ryan's two-phase commit was actually scalable 20:22 < jtimon> I extended it to support atomic transactions with bitcoin/freicoin 20:23 < jtimon> and then we merged 2pc ripple with what I previously called "ripplecoin" (basically a ripple implementation on pow) 20:24 < jtimon> but they have several big design flaws even if you change their consensus for SHA256 20:24 < Mike_B> like what? 
20:24 < jtimon> I just made a fast enumeration to pigeons this mornging...wait 20:25 < jtimon> they should have never replaced inputs/outputs with accounts 20:25 < jtimon> trust-lines don't have to be in the core, they can be simulated with regular market orders 20:25 < jtimon> and orders don't need to be in the ledger 20:26 < Mike_B> so why does the current setup cause problems 20:26 < Mike_B> like why is it a "flaw" 20:26 < Mike_B> the only problems i know about it come from how consensus claims to be decentralized but it isn't 20:27 < Mike_B> we had a good discussion a while ago about how various network topologies can lead to dishonest nodes winning even if the majority of the network is honest 20:27 < jtimon> having all the open orders in the blockchain requires more validations and bandwith 20:28 < jtimon> yeah, I'm talking about the inner structures, assuming you get their code and replace the consensus with pow 20:28 < gmaxwell> jtimon: is mostly talking about layers of the system I know nothing about. :) 20:28 < Mike_B> ah ok 20:28 < jtimon> instead of inputs and outputs like bitcoin 20:28 < jtimon> an address is actually an account 20:29 < jtimon> and all transactions from a given account must be sequenced qith an ugly seq field 20:29 < jtimon> with 20:29 < Mike_B> wait, so addresses aren't just hashed public keys anymore? 20:29 < jtimon> yes, what is missing is outputs 20:30 < jtimon> they have accounts in a ledger 20:30 < Mike_B> ok i'll have to take a look at it 20:30 < jtimon> there's no utxo 20:30 < Mike_B> yeah that's different than i thought it worked 20:31 < jtimon> tehre's a list of accounts and their balance in "each currency" (by currency meaning a 3 letter code) 20:31 < jtimon> and it's also a bad idea 20:31 < jtimon> imo 20:32 < maaku> Mike_B: i assume you're trying to answer the question "how can we create a Ripple-like system using bitcoin primitives?" 
20:32 < Mike_B> jtimon: makes sense, i have to read about it more 20:32 < maaku> we (jtimon and maaku) have addressed this : http://freico.in/freimarkets.pdf 20:32 < Mike_B> maaku: i was attracted to ripple mostly because "consensus" has tx's confirming in a few seconds rather than 10m 20:33 < maaku> er, http://freico.in/docs/freimarkets.pdf 20:33 < Mike_B> but, i'm a bit disillusioned about it now because it has some bad flaws in terms of not being decentralized 20:33 < maaku> ok 20:33 < Mike_B> and i was in a trading channel and people were talking about decentralized exchanges and how they'll be the next big thing 20:33 < maaku> they get that by having a completely centralized transaction processing mechanism 20:33 < jtimon> there was also their negative to properly implement demurrage, ejem, interests 20:34 < Mike_B> but then i realized that making a "decentralized exchange," in which trades execute reasonably quickly, is at least as hard as making a new cryptocurrency that doesn't require blockchain confirmations 20:34 < maaku> yeah freimarkets is an architecture for doing decentralized exchanges using bitcoin protocol, but keeping as much data off the chain as possible 20:34 < jtimon> JoelKatz tried to convince me that it was impossible to have ripple transactions with interest bearing assets 20:34 < jtimon> and I tried to make him read my examples 20:34 < maaku> in fact, in real application we expect most applications to be off chain entirely, on private servers that nevertheless communicate with bitcoin-like messages 20:34 < Mike_B> maaku: how long does it take for a trade to execute? 20:34 < Mike_B> 10 minutes to be confirmed by the network * 6 confirmations? 
20:35 < maaku> on-chain, yes, it's like any other transaction 20:35 < jtimon> Mike_B that depnds on the value of the trade 20:35 < maaku> off-chain as fast as the private server can process it 20:35 < Mike_B> yeah so if trades take an hour to execute, it's going to be pretty different from how normal exchanges work 20:35 < jtimon> if you trade 0.01 usd one block may be fine 20:35 < maaku> Mike_B: you're not going to get a decentralized platform like bitcoin to do high frequency trading 20:35 < Mike_B> well fair enough, i'll read it 20:36 < maaku> there are fundamental limitations in play here 20:36 < jtimon> well, actually trades are atomic, so you're not waiting to give something in return like in real payments...the value is irrelevant 20:37 < maaku> for things you need global decentralized concensus on, it'll take time to get global consensus 20:38 < maaku> however you can do things like high frequency micro trades using sequence numbers and transaction replacement 20:38 < Mike_B> yeah i'm trying to see the big picture of that 20:38 < maaku> but you run a serious counter-party risk if you don't wait for confirmations 20:38 < Mike_B> global decentralized consensus 20:38 < Mike_B> you basically are exposing the network to an election 20:39 < Mike_B> and somehow it elects an ordering of events 20:39 < Mike_B> and bitcoin is like using the "random ballot" voting principle 20:39 < jtimon> yeah the chain is a global serializer 20:39 < Mike_B> where 1 share of cpu time = 1 ballot 20:39 < maaku> Mike_B: the thing is for nearly all applications you *don't* need global consensus, particularly when you're talking about trading IOUs or stocks or other assets with an inherent trusted party 20:40 < jtimon> you just can't have p2p dollars 20:40 < jtimon> no matter what mastercoin or bitshares claim ;) 20:40 < maaku> but people instantly jump to "decentralize all the things!" 
mindset, leading to crazy inefficient orderbook-on-the-blockchain proposals and such 20:40 < Mike_B> haha 20:40 < Mike_B> yeah i was trying to decentralize all the things 20:41 < Mike_B> i think it's a fun academic problem though, at the very least 20:41 < Mike_B> i mean say you have a fleet of starships that are flying around in deep space, and they need to synchronize somehow 20:41 < Mike_B> well, there's no one absolute reference frame that tells you the "correct" ordering of events 20:41 < Mike_B> so the bitcoin approach would be to just pick one guy at random to decide (which is what pow does) 20:41 < Mike_B> i was curious if there were other approaches too 20:42 < Mike_B> consensus seemed promising but that flaw re: a minority of dishonest nodes ruining the network kind of kills it 20:42 < maaku> there are plenty other approaches that could work, but very few that are rooted in fundamental physical laws like proof-of-work is 20:43 < maaku> consensus could probably be made better.. but really it's the ugly child that nobody wants 20:43 < jtimon> hehe, here comes entropy... 
20:44 < maaku> heh, i'll let Mike_B figure that one out on his own 20:44 < Mike_B> heh 20:44 < jtimon> in any case, Mike_B whatever the consesnsus mechanism 20:44 < jtimon> all nodes on the p2p netwoek must repeat the same validations 20:45 < jtimon> and you just can't have 10,000 nodes validating nasdaq 20:45 < jtimon> independently 20:45 < maaku> if you want fast transactions, there are ways you can have a centralized serializer without having to trust the central node in any way except availability 20:45 < maaku> see: open-transactions, freimarkets private accounting servers, and others i'm sure 20:46 < jtimon> 2PC ripple 20:46 < maaku> yes, 2PC ripple 20:47 < jtimon> http://archive.ripple-project.org/Protocol/Protocol?from=Protocol.Index 20:47 < jtimon> although that's kind of abandoned 20:47 < maaku> well, we did incorporate it into freimarkets 20:48 < jtimon> yeah 20:48 < jtimon> at least functionally 20:49 < Mike_B> hm ok 20:56 < Mike_B> alright, well thanks for the info 20:56 < Mike_B> i'll look into all that 21:04 < maaku> supposid proof of P=NP : http://arxiv.org/pdf/1208.0954.pdf 21:04 < maaku> dubious of a proof that's only 24 pages long 21:06 < andytoshi> maaku: well, a successful proof could be done with a single reduction, that could be short 21:07 < maaku> well, i mean dubious of a short proof to this problem ;) 21:07 < maaku> i'd expect the nearby inferential space to be completely exhausted by this point 21:10 < gmaxwell> it claims to be constructive. 21:11 < andytoshi> right before sec 2 he outlines the plan 21:11 < andytoshi> i'm having trouble understanding what he's saying.. 21:26 < andytoshi> well, it does appear to be constructive, there are explicit algorithm listings everywhere 21:26 < andytoshi> but it is much too elaborate for my poor brain 21:34 < gmaxwell> after it said it was constructed I paged down to the end to see if it had benchmarks for solving some NP problem, even in terms of machine steps... and some boring np problem. 
21:34 < gmaxwell> nope.
21:34 < gmaxwell> closed pdf.
21:35 < andytoshi> yeah, he went so far as to claim this was possible
21:36 < andytoshi> very last sentence, "Therefore, the algorithms proposed in the present paper can be used in practice to implement non-deterministic algorithms using deterministic imperative programs.
22:15 < Mike_B> how did this crap get on arxiv.org
22:21 < Mike_B> i'm gonna email the guy and ask him if he can efficiently compute preimages for SHA256 hashes
22:24 < andytoshi> Mike_B: arxiv does not verify or censor anything,
22:24 < Mike_B> andytoshi: to publish something to arxiv you need someone to endorse you
15:23 < jtimon> because there are less computers in the world capable of validating that number of transactions?
15:24 < gmaxwell> jtimon: okay, but then just don't produce a block with 1M transactions.
15:24 < gmaxwell> the snarks mean that the verifier's cost is not related to the block size (or at least sublinear, perhaps constant)
15:25 < jtimon> ok, I could only process 100 tx, but then I won't be able to compete with miners that do produce 1M transactions
15:25 < gmaxwell> 'compete'? in any case, to the extent that's true you can still cap blocks
15:26 < jtimon> that was my point
15:26 < jtimon> by compete I mean earning "equivalent fees" as the other miners for the "same" pow
15:27 < nsh> oh, hmm
15:29 < jtimon> so the cap on transactions per block would be to defend p2p-ness against scalability
15:30 < gmaxwell> jtimon: not just that, in bitcoin we need some reason for the fee to be >1e-8 btc. :P
15:31 < jtimon> well, divisibility can be improved
15:31 < gmaxwell> jtimon: but at least such a change would make it so that someone _else_ producing enormous blocks didn't keep non-miners and smaller from validating... so the impact is reduced.
15:31 < gmaxwell> jtimon: that wasn't my point.
for the system to be secure we need the pow to be many orders of magnitude more expensive than validation
15:31 < gmaxwell> otherwise the validation is most of the operating cost, and an attacker that just mines a few doublespending txn has an advantage. :)
15:32 < jtimon> oh, I see
15:33 < gmaxwell> an interesting point would be to have a cap only on fee paying txn, but sadly people would pay fees "out of band" :)
15:33 < jtimon> well, there's also demurrage, but now I get your point
15:34 < jtimon> hmm, so there's really no way to cap transactions
15:34 < gmaxwell> jtimon: hm? sure there is, it can just be part of the proof.
15:34 < jtimon> oh, sure
15:35 < gmaxwell> though "writes to the spent coin list" or something might be a better capacity metric in a system that has been MMR compressed.
15:36 < jtimon> I'm not sure I understand MMR but it's basically a tree structure for the utxo, like mmaaku's but with other properties, no?
15:36 < jtimon> maaku's
15:39 < jtimon> on the inputs-only proposal, I know petertodd wanted "pow fees" for anti-spam, but does anyone know if he had something in mind for miner's rewards?
16:01 < andytoshi> it seems like i missed a very cool conversation about entropy of identifying information..
16:01 < andytoshi> if there are no complaints i'll set up a cronjob to publish logs for this channel
16:01 < andytoshi> andytoshi-logbot has been recording for a few days now, seems to be working..
16:02 < nsh> +1
16:02 < andytoshi> ok, lemme just finish catching up on the logs in secret :}
16:06 < andytoshi> http://download.wpsoftware.net/bitcoin/wizards/
16:07 < Emcy> how many 'official' places does dev discussion happen now
16:07 < Emcy> at least 2 irc chans i know of, the sourceforge list, the github list
16:08 < Emcy> which one is the 'source of record' as it were, if the aim is transparency
16:10 < andytoshi> is there a github mailing list? it seems like github links you to sourceforge..
16:11 < phantomcircuit> no there isn't
16:11 < phantomcircuit> the mailing list is sourceforge
16:11 < phantomcircuit> the issue tracker is github
16:12 < Emcy> the github threads system seems like you can email in and out of it
16:12 < Emcy> probably wrong to call it a list
--- Log closed Tue Dec 10 00:00:45 2013
--- Log opened Tue Dec 10 00:00:45 2013
07:33 < petertodd> jtimon: re: inputs only, my thinking is for every tx to be accompanied by PoW
07:33 < jtimon> yeah, that solves spam
07:33 < jtimon> but who is going to mine?
07:33 < michagogo|cloud> petertodd: Like bitmessage?
07:36 < petertodd> jtimon: every user - I also want mining to be non-outsourcable and asic hard
07:36 < petertodd> jtimon: also, ponies
07:36 < petertodd> michagogo|cloud: basically yes
07:36 < pigeons> i think if you add unicorn blood it works
07:37 < petertodd> pigeons: or pigeon blood
07:37 < petertodd> asic hard seems like a reasonable goal, though the end result is more likely to be gpu-minable
07:37 < petertodd> or maybe "fpga soft" so to speak
07:41 < jtimon> petertodd, but if users add pow to txs, who adds pow to blocks?
07:45 < petertodd> jtimon: potentially the tx's do - I proposed something very similar to that tx scalability paper for proof-of-sacrifice where you would do tx's as a dag
07:45 < jtimon> so each tx would commit to the same previous block
07:46 < jtimon> what happens when two tx with the same input appear in the same block?
07:46 < jtimon> which one came first
07:46 < jtimon> ?
07:47 < petertodd> jtimon: potentially you do a tie-breaker via pow, or just make the rules that they can't for the dag path to be valid
07:47 < petertodd> my zookeyv proposal was for the latter
07:48 < jtimon> what's dag?
07:48 < petertodd> directed acyclic graph
07:49 < jtimon> ok, I still don't understand what you mean by " just make the rules that they can't for the dag path to be valid"
07:50 < petertodd> ok, so every node in the dag is essentially a path from the genesis block right?
well, multiple paths? so define the path as valid only if no input is ever spent twice
07:50 < jtimon> in the first "pow tie-break" solution...when is a transaction final? how is the "time between blocks" determined?
07:51 < petertodd> I've proposed before that time between blocks be based on some short block interval with eventual merging... IE min PoW for a tx would be some amount
07:52 < petertodd> or, alternatively, group txs together and make a min PoW for the group
07:52 < petertodd> all very in the air because we don't yet understand the impact of latency on centralization well yet
07:52 < jtimon> yeah ryan fugger and me speculated about pow chains merging but didn't get anywhere
07:53 < petertodd> I'm meaning to write up a reply to those tx paper guys showing why they're probably going to wreck decentralization via bad incentives
07:53 < jtimon> we had chains where a block was basically a transaction and parallel chains could be merged
07:53 < petertodd> yup, very similar ideas
07:54 < jtimon> but we didn't solve how conflicts are resolved
07:54 < petertodd> with proof-of-sacrifice, specially using an embedded consensus system, the logic is really simple, not so simple when latency matters
07:54 < petertodd> *especially
07:54 < jtimon> basically we had only tx_ids, not even inputs
07:55 < jtimon> but we didn't
07:55 < petertodd> ah cool
07:56 < petertodd> I think implementing zookeyv might be a good educational exercise myself - learn more about such blockchain structures without the complexity of latency
07:57 < jtimon> sorry, zookeyv?
07:57 < jtimon> as said, we gave up because we weren't able to properly resolve merges, what do you have in mind?
07:58 < petertodd> jtimon: largest total sacrifice wins is the logic in zookeyv
07:58 < petertodd> as for what it is: key-value consensus system based on sacrificing bitcoins
07:59 < petertodd> very roughly sketched out on -wizards a few months ago
08:00 < jtimon> oh, kind of a replacement for namecoin
08:01 < petertodd> exactly
08:01 < MoALTz> if you include PoW in transactions then make it so that the PoW nonce is NOT included in the signature check. that way SPV clients can have their transactions "hardened" by a 3rd party
08:01 < jtimon> maaku and I were discussing "freiname" the other day, treating names as land
08:01 < petertodd> nice security properties too in some senses, as you know the BTC value of the re-write security
08:01 < petertodd> MoALTz: absolutely
08:02 < jtimon> he started with a gesellian freiland but we ended up with something more similar to Henry George land tax
08:02 < petertodd> MoALTz: although, equally it is worth considering non-outsourcable schemes where PoW reward - whatever it is - can be stolen by whomever mined it
08:02 < jtimon> I think we reached a good incentive structure for anti-squatting
08:03 < petertodd> jtimon: oh yeah?
08:03 < jtimon> but back to the chain merging, please, tell me when you think you've solved that problem
08:04 < jtimon> yes, and we could implement it with a soft-fork
08:04 < jtimon> on top of bitcoin/freicoin
08:05 < jtimon> I can mail you the discussion log if you're interested in "freiname"
08:05 < petertodd> jtimon: heh, well, first let me get to a part of the world without 1s latency to the US :p
08:05 < petertodd> sure
08:22 < jtimon> sorry, there's many other things in the log, and we also discuss land reform (that may actually help understand the motivation)
08:22 < jtimon> petertodd http://pastebin.com/ZFHG2LvV
08:23 * nsh would like 16 landcoin please
08:23 < jtimon> about the "chain merging problem", do you think you could solve it assuming zero latency for everyone?
08:25 < jtimon> because we failed without even considering network latency
08:25 < jtimon> not in much detail at least
08:26 < jtimon> by the way, I'm not so sure it is a soft-fork since we would need at least a new OP
08:27 < jtimon> we also talk about integrating it better with freimarket's unique tokens, but that's not really necessary
08:27 < jtimon> new OP_CODE
09:42 < gmaxwell> A consequence of inadequate privacy in payment systems: http://i.imgur.com/Obl8xRW.jpg
09:48 < sipa> :o
09:52 < gmaxwell> Apparently he'd done about a dozen payments to coinbase in about a month, totaling under $10k. (amusingly, coinbase replicates their high transaction volume bad practices on the ACH side too: people make many payments because coinbase won't let them hold USD in their coinbase account. I bet this makes them no friends with banks.)
09:56 < warren> gmaxwell: he is a merchant receiving payments?
09:56 < gmaxwell> No he's just some guy that was buying bitcoin using coinbase.
09:56 < gmaxwell> it was all out from him to coinbase
09:56 < warren> and this made his bank nervous...
09:59 < gmaxwell> banks are like persian cats, fluffy and afraid of everything.
18:11 < maaku> ok, the value bitcoin has which is beyond tulips then
18:12 < nsh> what if it's tulips all the way down, madam?
18:12 < maaku> then we're in for a crash to zero
18:12 < maaku> i don't think that's likely
18:12 < nsh> my favourite price :)
18:12 < nsh> no, there is a utility-based floor
18:13 < maaku> and if i introspect and say why it's not likely, it's because bitcoin-the-network has utility
18:13 * nsh nods
18:13 < nsh> and that utility is predicated on a non-zero price
18:13 < maaku> but you remove that utility (by moving 100% off chain to a currency-agnostic platform), then it really is tulips all the way down
18:14 < sipa> who said anything about 100%, and who said currency-agnostic?
18:15 < maaku> show me an off-chain solution which has the same security properties as bitcoin but doesn't require the expensive global consensus protocol... and you will have demonstrated bitcoin's replacement
18:16 < sipa> it won't have the same security properties, but bitcoin isn't perfect either
18:16 < maaku> either off-chain solutions are fundamentally weaker in some way, or they will replace bitcoin by virtue of being less costly and less burdensome
18:16 < nsh> diversification is generally more useful than replacement
18:16 < sipa> bitcoin in particular is weak regarding privacy
18:16 < nsh> forms of travel have diversified a lot from walking, but none has ever fully replaced walking
18:17 < sipa> maaku: anyway, how do you see bitcoin being scaled up?
18:19 < maaku> sipa: increasing the block size in lock step with scalability improvements, to get a couple orders of magnitude more tps,
18:19 < maaku> and introduction of centralized but otherwise trust-free private accounting servers
18:19 < maaku> which will handle a lot of traffic with a different security tradeoff
18:19 < sipa> any particular scalability improvements you're thinking of?
18:20 < maaku> but one which is suitable for self-issued assets
18:20 < Emcy> if increasing the TPS via blocksize creates any new points-of-control/regulation/whatever, they WILL be exploited
18:20 < Emcy> its as simple as that
18:20 < Emcy> maybe not even for 20 years, but it will happen
18:21 < maaku> indexes for lite clients, partial-pow for distributing transaction lists, and moving to proof-provided utxo validation
18:22 < maaku> like peter's mmr for example, but you can do almost as well without sacrificing lite clients with more traditional utxo structures
18:22 < sipa> well indexes certainly help light clients, but they certainly don't help performance of full nodes
18:22 < sipa> what is proof-provided utxo validation?
18:22 < maaku> it means updatable proofs are included with transactions
18:23 < maaku> so full nodes require only small constant-space data
18:24 < gmaxwell> maaku: split-mmr doesn't completely avoid screwing lite clients... since they still can't write a proof that their coin isn't spent.
18:24 < maaku> (pushes the maintenance work of validation from the full-node/miner onto the wallet)
18:24 < gmaxwell> (they still need help to write the proof)
18:24 < maaku> gmaxwell: yes but that can be outsourced
18:24 < gmaxwell> yes, agreed.
18:25 < gmaxwell> maaku: the other issue is shipping the proofs increases bandwidth.
18:25 < gmaxwell> though a tradeoff is possible like "don't send me proofs, I have all the data"
18:26 < sipa> sounds like a jehova's witness
18:26 < maaku> heh
20:49 < amiller> damn i don't think there's any way for my tournament idea to work with current bitcoin :/
20:55 < HM2> ok enough of that madhouse. thanks for the info gmaxwell
21:56 < nOgAn0o> Hi, me.
21:58 < Emcy> "Since Bitcoin's security relies primarily on the number of confirmations received instead of on elapsed time, we end up getting irreversibility of transactions with very high probability in far less than 10 minutes.
21:58 < Emcy> is that really true
21:59 < gmaxwell> no, it's not, it depends on your threat model.
22:00 < Emcy> the part before the comma i mean
22:00 < gmaxwell> no, it's not, it depends on your threat model.
22:01 < Emcy> so "longer" blocks are statistically a better confirmation of a txn than shorter ones?
22:03 < gmaxwell> Emcy: in some threat models, e.g. where the attacker is going to lease power to do a short reversal, time after the first confirmation is basically all that matters... how much work must the attacker do to undo the confirmation.
22:05 < Emcy> right
22:05 < gmaxwell> Figuring out the safety in their revised selection algorithm isn't simple either. e.g.
you could have a block with 10 confirms, but it's really competing with another subgroup which is only 1 confirm behind, and maybe it's actually ahead but you've just not heard of one of the blocks required to make it win.
22:05 < gmaxwell> Fun attack in that model: "delayed announcement of your own stale blocks"
22:06 < Emcy> i want to try and read and understand enough to work out for myself if its viable or not
22:06 < Emcy> though the immediate claim of 1 second blox makes me skeptic
22:06 < gmaxwell> well just ignore the actual numbers.
22:07 < gmaxwell> 1 second would give big advantages to consolidations.
22:07 < Emcy> consolidations?
22:08 < gmaxwell> hashing datacenters.
22:08 < gmaxwell> (or pools for that matter)
22:09 < Emcy> oh yes
22:10 < Emcy> its only a couple of times the causal diameter of the earth :/
22:10 < gmaxwell> delayed announcement attack: you're mining and you find your block stale. but instead of announcing it, you put it aside and hope that later there is less than one block of difference between a fork containing that block and another fork, and if that happens you start mining on it and delay announcing the tiebreaking stale that would let everyone else know that they'd best be mining on that subgroup, until you've found a block.
22:10 < gmaxwell> Emcy: right.
22:10 < gmaxwell> 1 second is almost certainly too fast... though it would take simulations to tell for sure.
22:11 < gmaxwell> not to mention that practically all mining hardware today has multisecond latencies.
22:11 < Emcy> thats why im skeptic...another paper leading with a fantastical claim
22:11 < gmaxwell> p2pool had to increase from 10 second shares to 30 second shares because of slow hardware responses.
22:12 < Emcy> did you see p2pool jumped to 3% power this week. hashpower doubled out of nowhere
22:12 < zooko> Hello, wizards.
22:12 < gmaxwell> also, if you wanted to talk about viable: more viable in the context of bitcoin would be basically making p2pool a protocol requirement with a rule that new shares can't displace transactions in prior ones.
22:12 < Emcy> feelsgoodman.png
22:13 < gmaxwell> and doing that would avoid breaking the scalability of lite clients.
22:13 < gmaxwell> (in fact, it would just be a soft fork)
22:13 < Emcy> zooko excuse me sir, im a warlock
22:15 < Emcy> gmaxwell i dont see that happening either. If p2pool gets too big its just back to square one. Unless theres a way to split them in a decentralised way
22:15 < gmaxwell> Emcy: ...
22:15 < gmaxwell> Emcy: ::sigh::
22:15 < gmaxwell> Emcy: what I'm suggesting has nothing to do with p2pool.
22:15 < gmaxwell> Emcy: except using the same technique
22:16 < Emcy> in all but name then?
22:16 < gmaxwell> Emcy: I'm pointing out that you don't have to hardfork bitcoin to have a fast blockchain. We already have a 30 second blockchain, it's called p2pool.
22:16 < Emcy> ah thats true
22:16 < gmaxwell> The only distinctions are that (1) not everyone is forced to use it, (2) it allows later shares to reverse earlier ones, they don't accumulate.
22:17 < gmaxwell> those could be fixed. In such a world you could still have a p2pool mining that network which was a fraction of the size.
22:17 < gmaxwell> but the two level chain would give you fast confirmations.
22:18 < gmaxwell> also because its two level it wouldn't increase work for lite clients unless they were interested in hearing about fast confirms
22:18 < Emcy> could it work the other way?
22:19 < Emcy> bitcoin could become a subchain for something else
22:19 < gmaxwell> not without changing bitcoin's rules in a hardforking way.
22:20 < Emcy> perhaps 10 minutes was actually too fast for base chain then
22:20 < gmaxwell> Emcy: in any case, thanks, if I bring up that point again I'll be sure to not mention p2pool.
:)
22:26 < Emcy> heh so im your litmus test for being able to properly explain your ideas to the masses :)
22:26 < Emcy> if thats how i help bitcoin so be it
22:27 < gmaxwell> hah. well if it confuses you, its going to confuse other people.
22:29 < Emcy> doesnt help ive got a foot inside migraine territory right now
22:29 < Emcy> in fact yeah i better go
22:29 < Emcy> later wizards
22:34 < gwillen> Hello zooko, fancy seeing you here.
22:52 < zooko> Hello, gwillen.
--- Log closed Sat Dec 07 00:00:38 2013
--- Log opened Sat Dec 07 00:00:38 2013
08:31 < iddo> amiller: gmaxwell: i'm trying to understand regarding DoS by diff-1 orphans at genesis, if we eliminate checkpoints and add to blocks some kind of merkle root committing to the current UTXO (to help lite nodes), how does it mitigate this DoS attack?
08:32 < sipa> there's only a DoS attack possible because of how the current chain-catchup works
08:32 < iddo> hmm
08:33 < sipa> with headers-first synchronization, you can know there is enough PoW on top of a block before actually downloading and processing it
08:34 < iddo> i don't understand, diff-1 PoW blocks are (relatively) easy to generate, what's the rule that will cause you to ignore them instead of bloating your local copy of the blockchain with them?
08:35 < sipa> right, it won't prevent it entirely
08:35 < sipa> but right now, the largest problem is that diff-1 blocks will be downloaded and potentially processed
08:35 < sipa> but with headers-first, you'd only download and process the headers
08:36 < iddo> ahh
08:36 < sipa> until such a chain becomes the actual best total work chain
13:49 < TD> michagogo|cloud: the evidence just in the document needed to get an arrest warrant seems to create an open/shut case.
13:51 < TD> gmaxwell: that .... and prosecutors try to avoid spending time on weak cases.
japan has a 99% conviction rate but not the same culture of insane jail sentences
13:52 < TD> UK has 80%
13:53 < TD> anyway home time
13:53 < shesek> michagogo|cloud, if I understand correctly, he did this via a 3rd party company that was marketing to SR users
13:53 < TD> third party guy
13:53 < michagogo|cloud> TD: I was specifically asking about the "sold bitcoins for drugs" part
13:53 < TD> yes
13:54 * michagogo|cloud goes to read
13:54 < TD> shrem knew he was selling bitcoins to a drug dealer on SR, said he knew many times, and explicitly helped the guy avoid bitinstant's partner companies' AML controls
13:54 < _ingsoc> TD: Plea deal or jail time?
13:54 < michagogo|cloud> TD: ah
13:54 < michagogo|cloud> BTW, shesek, could you tell me if you're able to access tigerdirect.com?
13:54 < TD> the guy's emails write the case for him. the prosecutor probably doesn't even need to turn up
13:54 < shesek> michagogo|cloud, nope. blocking Israeli IPs?
13:54 < TD> _ingsoc: both?
13:55 < michagogo|cloud> shesek: Would appear so
13:55 < michagogo|cloud> Looks like Germany isn't blocked, while Latvia is
13:55 < shesek> perhaps some poor anti-ddos protection?
13:55 * michagogo|cloud shrugs
13:56 < phantomcircuit> it's internap
13:56 < phantomcircuit> so yeah probably just terrible anti-ddos
13:56 < phantomcircuit> michagogo|cloud, charlie is going to prison for a very very long time
13:57 < michagogo|cloud> internap?
13:57 < phantomcircuit> michagogo|cloud, internap.com
13:57 < shesek> TD, oh, right, guy. I thought Faiella was a company
13:57 < TD> nope.
that's his last name
13:58 < phantomcircuit> shesek, he's the guy who was all over sr offering to purchase money packs
13:58 < phantomcircuit> iirc he even had a ridiculous little cartoon king
13:58 < TD> he was getting people to deposit into his personal bank account, even
13:59 < shesek> I never used SR, so I'm not really familiar with that/him
13:59 < gmaxwell> I wonder if he's the guy who OTC downrated me when I punted him from OTC for his moneypak moneylaundering.
13:59 < shesek> o_O his personal bank account? is he stupid?
13:59 < phantomcircuit> TD, afaict faiella legitimately did not believe that he was breaking the law
13:59 < TD> shesek: has anyone who has been involved with SR so far *not* been stupid?
13:59 < phantomcircuit> gmaxwell, he has definitely been on -otc before
13:59 < TD> shesek: i mean, Shrem was supposed to be head of regulatory compliance at BitInstant and was busy telling reporters how he'd only hire people he got stoned with
14:00 < phantomcircuit> shesek, neither have i, but i went through and looked at it out of morbid curiosity
14:00 < TD> phantomcircuit: do read the complaint. they address that. he absolutely knew, and wrote to DPR that he was afraid LE would come for him
14:00 < shesek> TD, I guess consumers are pretty safe - there's too many of them to do anything to any of them
14:00 < TD> they all knew. none of these guys have been idiots
14:00 < phantomcircuit> TD, faiella?
14:00 < michagogo|cloud> Hmm
14:00 < TD> phantomcircuit: yes
14:00 < phantomcircuit> or shrem?
14:00 < TD> phantomcircuit: both
14:00 < michagogo|cloud> Count Three, overt act b
14:00 < gmaxwell> phantomcircuit: faiella, near the end.
14:00 < phantomcircuit> well the question is when
14:01 < michagogo|cloud> Anyone care to guess which service that is? :P
14:01 < gmaxwell> Basically faiella talks to DPR and points out how vulnerable he is.
14:01 < phantomcircuit> i warned charlie that operating in the us was illegal at the same time i shut down intersango usd trading
14:01 < phantomcircuit> he ignored me obviously
14:01 < TD> shesek: who knows? it's not joe random dealer that worries me, it's that shrem was dealing with businesses who (we think) are legitimate and actually try to follow the law, but the laws are so vaguely written that trying and failing can be punished in the same way as deliberately failing
14:02 < TD> so i'm hoping they don't go after mtgox or the cash processor next (i think i know who that was)
14:02 < TD> given that BitInstant died when their cash processor cut them off for AML violations, hopefully that insulates them
14:02 < gmaxwell> Zipzap.
14:02 < phantomcircuit> TD, the cash processor is pretty clearly zipzap
14:02 < TD> yeah
14:02 < TD> i know. for some reason i didn't want to say it
14:02 < TD> it's not named in the complaint
14:02 < phantomcircuit> zipzap is pretty obviously an unlicensed money transmitter
14:03 < gmaxwell> Obviously the exchange in the complaint is mtgox.
14:03 < TD> yes indeed
14:03 < phantomcircuit> i would be fairly surprised if mtgox is implicated in this in any way
14:03 < michagogo|cloud> Hm, section 10: is that The Foundation?
14:03 < phantomcircuit> despite bitinstant's claims they were never an agent of mtgox
14:03 < michagogo|cloud> Or some other foundation?
14:03 < phantomcircuit> michagogo|cloud, yes it is
14:03 < shesek> they do need to show intent, I'm not sure how easy that would be... if they did try to follow the law and didn't do anything maliciously, they should be fine
14:03 < phantomcircuit> charlie is a founding member iirc
14:04 < gmaxwell> In any case, it's a bit annoying because _legally_ there probably isn't a bright line procedural distinction between what was going on here and what a lot of other things are doing/have done which aren't intentionally trying to facilitate unlawful activity.
14:04 < TD> "vice chair" :(
14:04 < shesek> though... the laws are indeed vaguely written and you never know :-\
14:04 < phantomcircuit> michagogo|cloud, https://bitcoinfoundation.org/about/board
14:04 < TD> the foundation has sucked at cleaning its website of members that were later found to be involved in bad stuff. the logo of inputs.io is still there!
14:04 < michagogo|cloud> Ew
14:04 < phantomcircuit> TD, is it really?
14:04 < TD> gmaxwell: right, there isn't .... it's part of why banks refuse to deal with bitcoin companies
14:05 < michagogo|cloud> Who's the webmaster?
14:05 < gmaxwell> So while we can all look at this and say "Idiots!" the successful prosecution here may lay the groundwork for causing problems for people who weren't doing anything that was so obviously problematic.
14:05 < TD> it was, at least
14:05 < _ingsoc> Lol, Mark. I wonder how badly the US wants him too.
14:05 < sipa> TD: guess i haven't followed up so closely, what is inputs.io?
14:05 < phantomcircuit> shesek, the unlicensed operation of a money transmitter is fairly solidly defined, the failure to file an SAR stuff however largely has to do with whether a reasonable person would have found the activity suspicious
14:05 < shesek> TD, I'm not sure how that works, can he simply be removed from it?
14:05 < TD> yep
14:05 < michagogo|cloud> sipa: webwallet specializing in micropayments
14:05 < phantomcircuit> shesek, (or rather whether a reasonable compliance officer would have known)
14:05 < TD> sipa: a bitbank run by an anonymous dude who vanished with everyone's money
14:05 < michagogo|cloud> (off-chain)
14:06 < TD> michagogo|cloud: a new website is being built actually
14:06 < sipa> TD: ah, same old story :)
14:06 < midnightmagic> The knowingly facilitating SR stuff probably is something that will differentiate future *actually* innocent people.
14:06 < phantomcircuit> TD, mybitcoin.com 2.0
14:06 < shesek> TD, there must be some official procedure for removing board members.
I'm not sure if it's possible to simply delete him from the page :O
14:06 < TD> indee
14:06 < TD> *indeed
14:06 < gmaxwell> Not just that but shortly before inputs.io existed the guy was on the forum selling accounts and stuff, it stank from a long distance away.
14:06 < phantomcircuit> shesek, there is and it can be done within 48 hours
14:06 < midnightmagic> There is a procedure for removing board members who have engaged in criminal activity and it requires a vote from the remaining directors.
14:07 < phantomcircuit> gavinandresen, migggght want to start that
14:07 < midnightmagic> But he's not convicted yet..
14:07 < jgarzik> catching up... URL of criminal complaint?
14:07 < phantomcircuit> midnightmagic, iirc board members can be removed by a vote of 2/3rds
14:07 < midnightmagic> http://www.scribd.com/doc/202555785/United-States-vs-Charles-Shrem-and-Robert-M-Faiella#download
14:08 < midnightmagic> phantomcircuit: I think it requires cause doesn't it?
14:08 < shesek> or a tl;dr: http://www.reddit.com/r/Bitcoin/comments/1wac1t/ceo_of_bitinstant_arrested_for_conspiracy_to/cf048a1
14:08 < shesek> oops
14:09 < _ingsoc> Wtf was he thinking?
14:09 < phantomcircuit> midnightmagic, ah founding members have more rights than normal members
14:09 < phantomcircuit> 5.16(b)
14:09 < TD> michagogo|cloud: though FWIW i get looped in on a lot of foundation stuff, and i have never once seen a reference to Shrem doing anything at all
14:09 < midnightmagic> shesek: The full bylaws (except for possible changes that they've neglected or deliberately refused to release to the github repo) are here: https://github.com/pmlaw/The-Bitcoin-Foundation-Legal-Repo/tree/master/Bylaws
14:09 < shesek> midnightmagic, thanks
14:09 < TD> he may well have been a founding member but he had little impact on the organisation beyond that, i guess
14:10 < gmaxwell> I was surprised to hear that he was in miami, I thought he'd largely dropped off the radar after bitinstant shut down.
14:10 < gmaxwell> esp with people accusing him of theft.
14:10 < phantomcircuit> gmaxwell, yeah he was super busy getting wasted...
14:10 < TD> yeah, i didn't hear anything about him lately either.
14:10 < midnightmagic> lo
14:10 < sipa> gmaxwell: when did it shut down?
14:11 < TD> many months ago
14:11 < TD> when zipzap terminated them
14:11 < gmaxwell> sipa: june 2013ish?
23:20 < gmaxwell> even better, if you're hashpower enough to cause trouble absent 'checkpoint' crud, you mine _two_ of them and then concurrently announce them to half the network each. Goodbye network.
23:20 < gmaxwell> tacotime_: yea, in what tromp__ was suggesting, they'd be worth infinite-ish work. :P
23:22 < tromp__> ic. i shld fix my suggestion. trigger when, not the blockheaderhash, but the whole block hash has 16+ zeroes
23:23 < tromp__> so it has no relation to accumulated difficulty
23:23 < gmaxwell> tromp__: that doesn't change anything relative to the points I made.
23:24 < gmaxwell> also, if it really worked like that, people would mine the whole block hashes instead, as they'd be much easier than normal mining.
23:24 < tromp__> let me educate myself some more on checkpointing procedures...
23:25 < gmaxwell> I reiterate, you really ought to forget that exists at all.
23:25 < tacotime_> I'm out to sleep, night!
23:25 < gmaxwell> Everything I've ever seen described in that space creates attacks where none existed before, some more serious than others.
23:25 < c0rw1n> good night tacotime_
23:26 < gmaxwell> in particular, most of them create attacks which are most available to high hashpower consolidations, and if none of those exist then there was little to no advantage to be gained by having anything like that to begin with.
23:27 < tromp__> i have no idea what are these checkpoints you're talking about:-)
23:27 < gmaxwell> :)
23:28 < c0rw1n> "these are not the checkpoints you are looking for" ?
--- Log closed Thu Jan 30 00:00:09 2014
--- Log opened Thu Jan 30 00:00:09 2014
14:04 < ZoltanTokay> Bitcoin will raise so much after google will add bitcoin to their wallet.. look they speak live about it... www.thebitcoinsnews.com
14:57 < cymanon> ethereum? risk too high?
15:00 < optimator> it would be nice if all wallets provided a common api for testing. Hook the api up to testnet run through tests, add customer tests (m-n transactions). certified!
15:00 < optimator> *customer=custom
15:10 < phantomcircuit> cymanon, what?
15:17 < cymanon> I don't know ;\ be back later
15:57 < grazs> any recommendations for a cheap fpga kit?
15:58 < maaku> grazs: off-topic
15:59 < maaku> but i would recommend #bitcoin-otc, I'm sure there's plenty of miners getting rid of their gear
15:59 < grazs> i'm sorry
16:00 < grazs> that might actually be a very good idea, thanks!
16:16 < michagogo|cloud> ;;later tell gmaxwell Did you be any chance capture the second day of the ny hearing?
16:16 < gribble> The operation succeeded.
16:16 < michagogo|cloud> by*
16:20 < petertodd> gribble: I hear this is the raspberry pi of FPGA dev kits: http://www.zedboard.org/
16:20 < petertodd> grazs: er, ^
16:23 < grazs> petertodd: thanks a bunch! i got inspired when you guys talked about PoW algorithms
16:24 < grazs> and my job doesn't want to buy us such fine toys
16:27 < petertodd> grazs: yeah, the zedboard is very cheap, and stupidly powerful
17:14 < tromp__> the
17:14 < tromp__> Parallella-16 (Expect to re-open orders in January)
17:14 < tromp__> Parallella-16
17:14 < tromp__> sorry; copy-paste issues
17:14 < tromp__> the Parallella-16 board is similar to the zedboard but only $99 (currently sold out)
17:15 < gmaxwell> tromp__: uh, it's almost entirely unlike the zedboard.
17:15 < gmaxwell> It's not a FPGA.
17:15 < gmaxwell> oh you mean the cpu is a zynq
17:15 < gmaxwell> Sorry, indeed.
17:16 < tromp__> it has both a zynq and an epiphany (16 core cpu)
17:16 < gmaxwell> yea, sorry I thought you were saying the epiphany was like the zedboard. :P
17:17 < gmaxwell> One thing about the zedboards is that they come with the license for the fpga tool. I _believe_ there is a cut down version of the zedboard which is a lot cheaper but doesn't include that license; though indeed not as cheap as $99
17:17 < tromp__> i'm not sure what the epiphany is good for, but you gotta love that zynq
--- Log closed Fri Jan 31 00:00:09 2014
--- Log opened Fri Jan 31 00:00:09 2014
--- Day changed Fri Jan 31 2014
13:18 < midnightmagic> petertodd: I would once upon a time say that the Icarus was a nice alternative with a stronger fpga onboard, but.. I haven't the foggiest where one would even buy an Icarus-but-with-nextgen-fpga on it these days.
13:24 < gmaxwell> the zedboard is actually a lot nicer than the icarus in a lot of ways.
13:25 < gmaxwell> because there is onboard dual arm core with a memory-speed bus between that and the fpga you can create things where only part of the code is in the fpga quite easily.
13:26 < gmaxwell> E.g. one of the guys working on the daala code has our transforms all running on the fpga on the zedboard with only a few weeks work. But if you had to do the whole codec before you could run anything at all it would likely be months and months of work.
13:26 < gmaxwell> though the fpga in question isn't terribly huge, which is a bit unfortunate.
13:28 < gmaxwell> problem with the zedboard is that it's not cheap. would be a lot nicer if it were $50.
13:42 < midnightmagic> Yeah, that's why I said "nice" but not necessarily "better" depending on what I was going to do. I guess I don't mind futzing around with raw gate-level logic in the little circuit drawing section of ise so I like the notion of a stronger fpga
13:52 < midnightmagic> I managed to get one of these for free over christmas: http://www.xmos.com/en/startkit just by asking for it. Got it in the mail a few weeks ago, very tiny little board.
14:53 * andytoshi-logbot is logging
14:53 < andytoshi> systemd says irc-logger was running continuously since Sun 2014-01-19 09:39:07 PST <.<
15:25 < tromp> i put a new version of my cuckoo cycle paper on https://github.com/tromp/cuckoo that discusses parallelizability
15:52 < amiller> i'm frustrated, i found a bunch of errors in this line of work i've been following closely and trying to build off of
15:52 < amiller> in the "universally composable" security framework / network model
15:52 < amiller> i'm trying to submit a paper in like a week
15:53 < amiller> basically the best thing for me to do is to just inherit all of those errors for now.
15:53 < amiller> since the whole thing is unrelated to the main points i'm trying to make
15:53 < amiller> </abstract griping>
15:54 < midnightmagic> :-(
15:57 < gmaxwell> Theoretical work that isn't sound, say it ain't so!
16:12 < amiller> theory tends to be neither sound nor practical, but can be broad/expansive and is relatively efficient to work on
16:12 < amiller> practical implementations tend to be neither generic nor sound
16:13 < amiller> and formal methods coq-stroking exercises are sound but neither practically useful nor generic
16:13 < maaku> amiller: but practical implementations do tend to work ;)
16:13 < amiller> mostly :)
16:15 < jtimon> tromp the very term "non-parallelizable pow" seems contradictory to me
16:16 < jtimon> oh, he's gone...
16:16 < jtimon> if two miners can try to solve the same block in parallel, how can't the same miner do the same?
16:17 < jtimon> how can't a single miner do the same?
16:17 < jtimon> well, I'll tell him to find another term another time...
16:18 < tromp__> i'm back
16:18 < tromp__> different miners will work on different instances, i.e. different cuckoo graphs
16:19 < jtimon> so what you really mean by "non-parallelizable pow"? is non-parallelizable using a given architecture, no?
16:19 < tromp__> i want a single instance to be hard to parallelize
16:20 < jtimon> hard to parallelize in current GPUs and x86 archs?
16:20 < tromp__> yes, because they limit how many random accesses you can make to main memory in parallel
16:20 < gmaxwell> andytoshi: I'm reading LWN and "Hey, the same thing happened to andytosh...ahh"
16:21 < jtimon> tromp__ what's the point?
16:21 < tromp__> and because path conflicts will reduce the prob. of finding a cycle
16:22 < tromp__> the point of what?
16:22 < jtimon> the point of "hard to parallelize in current GPUs and x86 archs pow"
16:23 < sipa> sc? rs? ch?
16:24 < tromp__> because being able to have many simultaneous random accesses to main memory is generally useful
16:24 < jtimon> for bitcoin?
16:25 < tromp__> for general computation
16:25 < jtimon> in other words...what's the problem you see in SHA256 that you're trying to solve with cuckoo?
16:26 < tromp__> it promotes custom hardware that is not generally useful
16:26 < tromp__> and centralizes mining power
16:26 < maaku> tromp__: no matter how much you try, dedicated hardware will still be faster/more-'hash'-per-watt by some factor
16:26 < jtimon> and cuckoo-ASICs will be generally useful?
16:26 < maaku> and our experience shows that it will not be long until someone makes an asic
16:26 < maaku> that is not general-purpose
16:27 < tromp__> fast parallel RAM access is more generally useful yes
16:27 < jtimon> tromp__ with or without RAM, it's still specialized hardware
16:28 < jtimon> ASIC != general purpose computer
16:28 < tromp__> cheap better memory interconnects will be commoditized
16:29 < tromp__> your intel CPU and your memory chips are also ASICs
16:29 < tromp__> but because they're general purpose they are commoditized
16:29 < jtimon> no, they're general purpose
16:30 < jtimon> asic = application specific
16:30 < andytoshi> gmaxwell: :P i wondered if you'd catch that. (thx for checking the key for me!)
16:30 < tromp__> here's the thing
16:30 < tromp__> to optimize cuckoo, you have to optimize a more general thing: namely parallel random memory access
16:31 < jtimon> cool, but I'm still not able to run emacs on my old cuckoo-ASIC
16:31 < tromp__> it's still all about memory
16:31 < maaku> tromp__: no, they will just put all the memory and custom circuits on a single die, because that's the most efficient thing to do
16:31 < maaku> you won't get any commoditization of general purpose hardware
16:31 < tromp__> rather than building an asic full of specific computational steps
16:32 < jtimon> so your goal is for asic manufacturers to research random memory access?
16:46 < gmaxwell> again, being confident that the thing is trapdoor and easy-instance free is important and generally hard to achieve.
16:46 < maaku> such as being progress-free, and dependent on the prior block
16:47 < gmaxwell> maaku: there are a lot of stochastic search problems that can be made dependent. Making them easy-instance and trapdoor free is much harder.
16:47 < maaku> yeah
16:47 < jtimon> like I said, I don't think it's an easy problem gridcoin has solved, but I believe an appropriate task will be found
16:49 < gmaxwell> plus, in general, no one wants computing power like this. It's used very wastefully where it is used. Most of the papers that have come out of folding at home have been "ra ra we can get people to give us computing power, look at the interesting problems we had keeping them busy" not ... "cancer cured!"
16:49 < jtimon> and by the way, maaku, the FF could buy "proofs of results" with something like https://en.bitcoin.it/wiki/Zero_Knowledge_Contingent_Payment
16:49 < gmaxwell> I think after a decade folding at home got like .. one actual non-CS result out of the thing.
16:49 < Emcy> wow that's sad
16:49 < Emcy> wtf
16:50 < iddo> gmaxwell: i'm not completely sure that i understand H(seti(H(header)))<TARGET, you should care both about seti() finding some interesting value, and the hash of it being below the target? if you care only about the hash, the seti() value still needs to be something that's easier to verify than to compute, otherwise it's meaningless?
16:50 < gmaxwell> likewise, seti at home was mostly a marketing thing for seti. The work it was doing could have been done far more cheaply with a $50k stack of fpgas.
16:50 < maaku> yeah the class of problems you can solve with @home style distributed computing is really, really small
16:51 < gmaxwell> iddo: the idea there is that it works for anything where solving randomized instance of the problem is useful.
16:51 < Emcy> i did 5000 seti units :(
16:51 < Emcy> on a pentium
16:51 < gmaxwell> iddo: the idea there is that it works for anything where trying many randomized instance of the problem is useful and where testing a single instance is fast.
16:52 < gmaxwell> iddo: the interesting results other than H(problem())<TARGET can be learned as a side effect.
16:52 < maaku> i converted my university's computer labs to run seti@home in the background over a decade ago ... my sense of morality was less developed as a teenager
16:52 < maaku> we were in the top 10 for 3 months :)
16:52 < Emcy> gmaxwell did you see that thing that turns protein folding into a 3d game
16:53 < gmaxwell> Emcy: yea, foldit
16:53 < gmaxwell> Are you any good at it?
16:53 < Emcy> turns out humans are better at it than computers, with our intuition and stuff
16:53 < gmaxwell> unlike folding at home, they had useful medical results fairly quickly.
16:53 < Emcy> yeah i should try it again, it ran like shit on my old computer
16:53 < jtimon> I would love to have many people donating their GPUs to run my neural networks playing go during 1000 generations
16:54 < jtimon> or the same NN learning another task
16:54 < Emcy> did you read the story about the quake 3 server running bots that someone forgot about for years
16:54 < iddo> gmaxwell: yes, so is there seti() function that's fast to verify the 'interesting' solution?
16:54 < gmaxwell> Emcy: I only used it when it was very new, I was reasonably good at it, but I understand that it's gotten much deeper since the original release; with things like multiplayer problems.
16:54 < Emcy> quake 3 bots have heuristics
16:55 < Emcy> the bots achieved complete peace.......
16:55 < jtimon> Emcy I can build a q3 bot that plays with exactly the same inputs you have
16:55 < jtimon> as a human
16:55 < maaku> i have a boinc design to develop and test molecular nanotechnology pathways via evolutionary search
16:55 < maaku> strangely not much money in that though
16:56 < jtimon> and don't tell him anything about time or space, just about good and bad
16:56 < gmaxwell> iddo: e.g. in the actual seti problems, you're running sinusoidal analysis on noisy data looking for chirps. it's not terribly hard to generate random instances of the problem, e.g. adding a small amount of additional noise.. and it could be broken down so that it was cheap to run a single instance.
16:56 < Emcy> http://www.huffingtonpost.co.uk/2013/07/01/quake-3-arena-world-peace_n_3529082.html
16:56 < Emcy> welp reinstalling foldit
16:58 < maaku> that's a good description of what seti@home is doing right now ... but alas we've known for 10+ years that it's probably not what seti@home should be doing
16:59 < jtimon> foldit sounds great, I have thought about people getting paid to play games while they are solving problems without noticing before
16:59 < Emcy> i heard the air force recruited gamers for their drone program
16:59 < Emcy> does that count
16:59 < maaku> they're basically looking for giant multi-gigawatt omnidirectional beacon in space ... with very little reason to think that one would actually be there
17:00 < iddo> so running a single instance means verifying if the random data has the chirps, ok..
17:00 < gmaxwell> jtimon: fold it also merges in computational techniques, as you play you can ask the computer to jiggle, which really runs a rather expensive molecular dynamics annealer in the background to help machine assist your solutions.
17:00 < Emcy> you sound enamoured with foldit
17:00 < gmaxwell> Effectively the human does the global search, which is intractable, and the machine does the local search which it's reasonably good at.
17:00 < jtimon> oh, gmaxwell, I see, you're really donating computing while you play
17:01 < gmaxwell> iddo: right. and getting out some chirp presence indexes.
17:01 < gmaxwell> jtimon: well, indirectly the cpu is used to assist your own game.
17:01 < Emcy> i think of seti@home (the original) as a proof of concept really.
17:02 < gmaxwell> well distributed.net des cracking was the proof of concept. :P
17:02 < jtimon> yeah the point was getting people to donate their computing to scientists
17:02 < Emcy> you say they could have just made an asic farm but they were skint, always scrubbing for money
17:03 < maaku> Emcy: they have a very large fpga array they use to collect, preprocess and break up the data
17:03 < iddo> i saw that the creator of scrypt said that litecoin doesn't have enough memory usage: https://twitter.com/shamoons/status/311256158658760704?x
17:03 < Emcy> they used to have to get the data out of the dish by tape from the middle of puerto rico........
17:03 < Emcy> maaku they might now but i dont know about before
17:04 < Emcy> i think their receiver on the dish focus assembly broke once and they had a special donation drive to fix it......
17:04 < jtimon> no we have the masses asking for asic-resistant algorithms as if GPU-mining was a natural right
17:04 < maaku> iddo: the scrypt parameters of litecoin were set by someone it was later shown was doing GPU-mining from the start
17:05 < iddo> there are problems with bigger memory buffer in scrypt, if it takes say 1 second to invoke scrypt() then it will take days to sync the blockchain, also regular PCs maybe have disadvantage in propagating blocks vs ASIC
17:05 < iddo> maaku: artforz? how do you know that he did GPU mining from the start?
17:05 < gmaxwell> iddo: yea, in ltc it makes a _visible_ difference in the sync time... and they have a fancy sse optimized scrypt implementation.
17:05 < Emcy> maaku really? i thought that was never proven
17:05 < jtimon> really maaku? so charlie did kind of premine?
17:05 < iddo> if he did then he should be rich now:)
17:06 < gmaxwell> artforz was rich regardless.
17:06 < gmaxwell> :P
17:06 < gmaxwell> artforz came up with the scrypt implementation that ltc used.
17:06 < maaku> not charles
17:07 < gmaxwell> ironically about a month after having an argument with me in #bitcoin-dev where he successfully convinced me that using scrypt for a pow was stupid.
17:07 < maaku> yeah it was artforz
17:07 < jtimon> lolcust was the first one trying those kind of things, no?
17:07 < gmaxwell> lolcust made it public.
17:07 < jtimon> geist geld
17:07 < iddo> gmaxwell: what was his argument against scrypt? botnets?
17:07 < maaku> lolcust worked with artforz to make a series of scrypt based coins which were accused of premine, then charles made litecoin
17:07 < gmaxwell> iddo: yes. and performance. and blocking custom hardware was irrelevant. same ones I use today.
17:08 < jtimon> oh, I see, charlie didn't change artforz's gpu-friendly parameters
17:08 < maaku> yes
17:08 < gmaxwell> it was also pointed out that the parameters were dumb, OTOH, I don't think they realistically could have changed them.
17:08 < gmaxwell> If they made it use more memory it would be a _serious_ performance problem in validation.
17:08 < pigeons> well first charles forked lolcust's tenebrix into fairbrix
17:08 < gmaxwell> it's already arguably one.
17:09 < pigeons> which died of hostile forking
17:09 < maaku> and then a few months later, someone did sergio-like analysis to show that somebody was running a miner with the equivalent of 100's of cpus from the start
17:09 < Emcy> oh dear
17:09 < pigeons> a few parameters were changed from fairbrix to litecoin like max number of coins
17:09 < maaku> and the parameters provided by artforz were conveniently just big small enough to fit in current generation gpus
17:09 < Emcy> how could a premined coin like litecoin get so big
17:10 < pigeons> well that someone providing the analysis accusing artforz of gpu mining was real solid
17:10 < gmaxwell> maaku: yea, during ltcs early life the difficulty was way too high... basically always a loss over power costs to mine, ... until the public gpu miners were released, and then magically the economics changed.
17:10 < phantomcircuit> gmaxwell, i wonder if artforz chose the parameters specifically such that he could gpu mine while everybody else was cpu mining
15:40 < jtimon> so you have {H(A), H(A->B)}, {H(B), H(B->C)}, {H(C), H(C->D)} in the chain, and until it's all published only the owners can trace it but cannot double-spend, yes, it's not that complicated
15:41 < gmaxwell> adam3us: it is, I described two kinds of scheme it could bind, yours would be another one, sort of in-between the two I described.
15:41 < gmaxwell> (basically replacing the anti-replay-oracle in the first one with a chain)
15:42 < jtimon> I see, what I was missing was the double-spend prevention, but this could definitely work
15:43 < adam3us> jtimon: the motivation was actually miners enforcing policy when they get too powerful
15:44 < jtimon> yeah, I'm subscribed to that thread but I didn't really understand this missing piece until now
15:44 < adam3us> jtimon: as you can see they have no remaining visibility until the coins are long mined, in this system blocking recipients or taint would be hopeless
15:44 < jtimon> this could work with freimarket assets too
15:44 < adam3us> jtimon: so it's another taint fix without anonymity
15:44 < amiller> adam3us, there are no patents
15:44 < adam3us> amiller: fantastic
15:44 < amiller> adam3us, there is only one fully open source implementation (pantry) and the others are on their way
15:45 < amiller> i have no idea if scip will be open but pinocchio and pantry definitely will
15:45 < jtimon> so the generic term for them all is spark?
15:45 < amiller> snark
15:45 < adam3us> amiller, gmaxwell, TD: it seems to have immense possibilities. i think possibly the only downside is it's super cutting edge, if they got anything wrong, or someone breaks it in the bitcoin scenario it blows up
15:45 < amiller> succinct non-interactive argument of knowledge (it's a generic crypto term, like zero knowledge)
15:46 < gmaxwell> Yea, these are technically arguments of knowledge not zkp. ... which is a whole source of potential surprises too.
15:47 < gmaxwell> because we assume that there is cryptographic hardness to producing a false argument, but the evidence for the strength of that is somewhat abstract.
15:47 < jtimon> thanks amiller
15:48 < adam3us> jtimon, gmaxwell: while initially motivated by preventing miner policy abuse (even up to 99% centralized power etc) hidden tx (better than committed tx i agree)
15:48 < amiller> gmaxwell, the difference between "argument" and "proof" just means computational not information theoretic
15:48 < adam3us> jtimon, gmaxwell: has interesting privacy aspects also, it's temporarily fully anonymous; unfortunately there seems to be no way, short of scip to privately compact it
15:49 < amiller> most zk proof systems are in fact computationally-sound proofs which is exactly the same as argument
15:49 < jtimon> well, couldn't you present the snark proof in every hidden tx?
15:50 < amiller> snark proof of what?
15:50 < jtimon> amiller of the last hidden tx
15:50 < gmaxwell> amiller: It means the soundness is only computational. A lot of zkp things are sound but zero knowledge is computational.
15:51 < jtimon> just like with coinwitness, where you present the snark proof on redemption/republishing
15:51 < amiller> it's not clear to me at least what it is you would say about the tx in zero knowledge
15:51 < amiller> i think you'd have to refer to a particular blockchain head
15:51 < gmaxwell> amiller: you would. "The coin I'm spending was confirmed in this chain"
15:52 < amiller> and how do you prove it hasn't been spent by any subsequent txes in between when it was confirmed and the current head?
15:52 < gmaxwell> amiller: see the coinwitness post.
15:52 * amiller rereads it but has had a hard time grasping it previously
15:53 < jtimon> you would present {H(c), snark(c->b)} ?
15:53 < jtimon> you can't divide the coins with this approach though, no?
15:54 < amiller> i think we should come up with a good notation for ZK.
15:54 < amiller> the crypto community has let us down
15:54 < amiller> there is this weird notation like [f(x) | x] or something that says f(x) is true but x is hidden but it's kind of inflexible
15:54 < adam3us> jtimon i guess you only need scip/snark hop by hop, the miner can validate the scip and see the encrypted inputs validate
15:55 < amiller> gmaxwell, i still don't understand from coinwitness how you avoid replays like that
15:55 < maaku> so without snark, is it possible to use something akin to the hidden txn scheme to replace the chaum blinding double-spend db?
15:55 < amiller> you mention a replay oracle but that seems like just a strawman because it's some trusted other party apparently
15:55 < adam3us> amiller: dont u like the ZkPoK[m]{(a,b),c: a<b ^ SIG(c)} notation ;)
15:55 < gmaxwell> amiller: ...
15:56 < gmaxwell> amiller: A lot of people understood this, I don't think I failed to explain it adequately.
15:56 < jtimon> yes, that's what I'm saying, isn't that part of coinwitness already? or does the snark validation only happen on redemption/republishing?
15:56 < gmaxwell> amiller: First understand that it's not a concrete system on its own.
15:57 < gmaxwell> amiller: What I'm pointing out is that if you have a machine verifiable offchain transaction system {details are up to you}, and SNARK validation in bitcoin, you can bind the systems that way.
15:57 < jtimon> amiller, what I was missing until know is that miners validate the inputs to prevent double-spending (you have to publish the hash of the input address)
15:57 < jtimon> until now
15:57 < gmaxwell> amiller: I threw out two examples of possible offchain transaction systems, as just examples of how the binding would work.
15:58 < jtimon> amiller what I wasn't able to understand is that "a machine verifiable offchain transaction system" is feasible
15:59 < gmaxwell> amiller: the general idea is you take a coin and pay it to someone who can (in zero knowledge) provide a transcript showing they own the coin and have decided to emerge it into bitcoin in your selected offchain system.
15:59 < jtimon> even without snark
16:00 < gmaxwell> amiller: then you go off and transact and build up your transcript, and your last payment in that system pays to special terminal address that indicates you're going to reemerge back into bitcoin.
16:00 < gmaxwell> Then you run a SNARK of the transcript validation program over the transcript and get a proof which you present to bitcoin and collect the coin.
16:00 < amiller> gmaxwell, okay i think i understand coinwitness for the purpose you are describing now where you use it to branch out into some other blockchain or oracle-based ledger
16:00 < jtimon> but the transactions aren't really off-chain in this last example, they were just non-public
16:01 < amiller> i guess all that confused me just now is that i was trying to understand it in terms of committed blind transactions
16:01 < adam3us> maaku: "so without snark, is it possible to use something akin to the hidden txn scheme to replace the chaum blinding double-spend db?
16:01 < adam3us> maaku: without scip or some analogous changes, the utxo cant be compacted
16:02 < gmaxwell> amiller: okay, well, it doesn't have to be some other blockchain or oracle based ledger. It could be a colored coin in bitcoin, for example. Or one of adam3us's blinded things. It should work for any transaction system which can be reliably verified by a program with maliciously controlled inputs.
16:02 < adam3us> maaku: also it's not anonymous as the recipient sees the sender's address, but it is encrypted so only people involved see it, which i think is a nice balance
16:02 < maaku> "utxo cant be compacted" <-- what do you mean here?
16:02 < maaku> you mean remove intermediate txns?
16:02 < gmaxwell> making it secure if the {other system} is a chain is a little trickier, you either get 'only' headers security, or you add a public input that locks it to a specific chain.
16:02 < maaku> or the double-spend db?
16:02 < amiller> gmaxwell, okay i think i follow all of that
16:03 < adam3us> maaku: well there isnt really a double spend db anymore as its basically bitcoin tweak
16:03 < gmaxwell> maaku: adam3us's hidden skeem poops commitments all over the place, and you can't clean them up. At least not until they're unhidden.
16:03 < amiller> the only thing i still don't understand is what adam3us's blinded things are
16:03 < amiller> or basically i think i understand them but it has that.... commitment refuse problem
16:03 < maaku> ugh, yeah that's true
16:03 < amiller> commitment garbage*
16:03 < adam3us> maaku: but the utxo is hard because the miners cant tell whats going on
16:04 < gmaxwell> and if you re-emerge them using a SNARK then you can't clean them up even when they're re-emerged. :(
16:04 < adam3us> amiller: thats why it uses mac & encryption so you can prove you have the right key, and the others are garbage
16:04 < maaku> ok what i'm getting at is some way the burden of double-spend prevention can be placed on the recipient instead of every full node
16:05 < maaku> that's the only thing which keeps me from adding chaum ecash to freimarkets' public chain
16:05 < adam3us> amiller: apart from garbage, you could send just a hash, so it could even be a bandwidth saving (cheaper to drag a payment history than broadcast to everyone)
16:05 < gmaxwell> well if you combine adam3us scheme with petertodd's mmr stuff, then I think you can move the cost onto the receiver.
16:06 < gmaxwell> adam3us: well if you want the emergence to be small you'll need to have the history encrypted in the transactions themselves as you go.
16:06 < adam3us> gmaxwell: "and if you re-emerge them using a SNARK then you can't clean them up even when they're re-emerged. :(" surely if you reemerge them hop by hop (no hidden form respending) then miners can validate the respend, to the individual but encrypted input tx, and then prune encrypted utxo
16:07 < adam3us> gmaxwell: yes there is no saving unless you never reemerge
01:01 < petertodd> and you know, quite willing to take criticism, and flexible
01:19 < gmaxwell> phantomcircuit: so... seen cointerra's screenshot.
01:19 < gmaxwell> I am boggled.
01:19 < gmaxwell> http://cointerra.com/wp-content/uploads/2014/01/DSC05521.jpg
01:19 < petertodd> that's fast
01:20 < gmaxwell> because it shows it as having submitted 44k shares to eligius... but that address is not in the payout queue, nor has it been paid on the network... and it's not in the list of recent miners on eligius.
01:20 < petertodd> oh!
01:22 < gmaxwell> the address is truncated so I can't go straight to the stats, so it's possible that it mined but not enough to be eligible for payout, but not recently enough to be in the 3 hour active list.
01:22 < gmaxwell> petertodd: it's fast, but it's supposed to be 2TH, so not that fast!
01:22 < gmaxwell> http://cointerra.com/engineering-updates-terraminer-iv-hashing-live/
01:23 < petertodd> gmaxwell: what ASIC tech level is it?
01:24 < petertodd> ah 28nm
02:03 < phantomcircuit> gmaxwell, yeah i saw the video before they posted it
02:03 < phantomcircuit> (aren't i so cool)
02:24 < amiller> got thirty cryptocurrencies aint never been released
02:30 < phantomcircuit> gmaxwell, also it's possible they were using an invalid address, iirc eligius treats that as a donation
02:30 < phantomcircuit> Luke-Jr, ?
02:31 < Luke-Jr> I'm not seeing anything so far.
02:31 < Luke-Jr> but this query will probably take a while
02:31 < gmaxwell> Luke-Jr: well it's probably not running now or it would be in the top list.
02:31 < phantomcircuit> iirc he has a share log
02:31 < Luke-Jr> looks like the share log goes back a week
02:33 < gmaxwell> ... weird. well there is a date in the screenshot, also a last block
02:34 < gmaxwell> Luke-Jr: http://cointerra.com/engineering-updates-terraminer-iv-hashing-live/ pic at the bottom
02:49 < gmaxwell> phantomcircuit: it looks like with a slightly different case design they could have fit that in 2u without a problem.
02:51 < gmaxwell> e.g. potentially making it longer and turning the radiators flat. and having airflow that went >_____/
02:57 < midnightmagic> bah
02:59 < gmaxwell> midnightmagic: if it's any consolation CT is on track to deliver another never-break-even miner. Though perhaps they'll rock the world with their power usage and eventually make it back.
03:32 < gmaxwell> https://bitcointalk.org/index.php?topic=319146.msg4494688#msg4494688 < looks like the othercoin thing is being sold now.
03:32 < gmaxwell> I don't have the pre-reqs or the time. But I do think that such a thing could be a valuable addition to the bitcoin ecosystem.
03:33 < gmaxwell> It's basically the digital version of the casascius coins... but allows the user to safely fill it, and electronic transmission.
03:33 < BlueMatt> nice
03:56 < stonecoldpat> looks nice, my concern is that initially if BTC is $1k - then it will cost $350
04:01 < gmaxwell> stonecoldpat: yea, it's not viable at that price but presumably that will be fixed once it actually exists at scale.
04:03 < stonecoldpat> yeah i hope so, also looking at the video, you start the 'handshake' between devices using SMS, i'm wondering why he chose SMS and it has been a little worried (I dont know why it does yet)
04:05 < _ingsoc> Any idea why the issues 404 after page 100 on Github?
04:06 < _ingsoc> Closed issues.
04:06 < _ingsoc> Works: https://github.com/bitcoin/bitcoin/issues?page=100&state=closed
04:06 < _ingsoc> 404: https://github.com/bitcoin/bitcoin/issues?page=101&state=closed
04:07 < _ingsoc> I figured it's important if anyone wants to look at the history.
04:09 < nsh> there are numbers higher than 100?!?
04:09 < _ingsoc> Yeah. :)
04:09 < nsh> i'll need to revise a lot of models :/
04:09 < _ingsoc> It's concerning because it really needs to be accessible.
04:10 * nsh nods
04:10 < nsh> does it happen on other repositories?
04:10 < _ingsoc> I'm unsure. Let me check.
04:12 < _ingsoc> Yeah, happens on any project when it's 101.
04:12 < _ingsoc> Is there a record of this somewhere, or are all the issues only stored on Github?
04:14 < _ingsoc> If not, it's like erasing history, one page at a time. :D
04:15 < nsh> i'd suspect it's still accessible through git itself
04:15 < nsh> actually, dunno
04:16 < _ingsoc> Not sure how to access issues using git itself.
04:16 < _ingsoc> Everyone should stop working on Bitcoin right now until we figure out how to stop erasing history.
04:19 < wumpus> you could access them one by one through the github API, and make a mirror
04:19 < wumpus> not with git itself as the issues are not part of the repository, only the code changes
04:19 < wumpus> (and commit descriptions in git itself)
04:19 < nsh> ah, right
04:20 < wumpus> so if github goes down we'd lose the discussions that happened on github
04:20 < _ingsoc> That's concerning.
04:20 < wumpus> (which in most cases is no big loss, but I suppose for history's sake you could archive them)
04:21 < _ingsoc> I want to.
04:21 < wumpus> see http://developer.github.com/v3/
04:23 < _ingsoc> Is there a simple way to get a dump?
04:23 < wumpus> I'm sure someone else already wrote a script for that
07:14 < adam3us> 12hr async conversation, caught up, a couple of comments
07:17 < adam3us> covenants/quine scripts. I think relating to a payment's ability to require transferable restrictions on the next transaction. i think this could be policy dangerous due to the virality. consider a script that requires follow-on script to have an AML id signature, a few regulations on exchanges, and policy. i understand it allows useful things like SPV coloring in chain, etc but I think satoshi script is policy safer
07:18 < adam3us> gmaxwell: "So, is there a way with ECDSA, given three messages pick a pubkey,r,s such that pubkey,r,s is a valid signature of any one of the three messages?" only 2 not 3 i think.
07:19 < adam3us> petertodd: "I think the most fundamental thing I've discovered is the concepts of how mining can be separated into timestamping and proof-of-publication" hmm might've been me that seeded that concept. or yet-another-rediscovery gmaxwell/petertodd/adam3us (i tend to get there last as i only started catch up 10mo ago)
07:47 < adam3us> petertodd: and i guess timestamp/namespace/bitcoin-ful/bitcoin-spv relation struck me in part because i thought about distributed namespace things (in the OT-like federated but reactive security + public auditability) pre-bitcoin. and you maybe because you looked at timestamping.
08:23 < jtimon> adam3us: gmaxwell's thread is full of terrible covenants
08:24 < adam3us> jtimon: on bitcoin talk? a cautionary tale of why the virality of covenants can be a risky proposition?
08:24 < jtimon> but is any covenant economically worse than destroying coins (which we allow)?
08:24 < jtimon> I think it's "coincovenants: a f** terrible idea" or something similar
08:25 < jtimon> https://bitcointalk.org/index.php?topic=278122.0
08:28 < jtimon> actually, I propose the AML-KYC covenant there
08:29 < jtimon> and I think it can replace our optional "authorizer tokens" in freimarkets
08:29 < jtimon> not sure about the "issuance tokens" yet, I don't think so
08:32 < adam3us> jtimon: i see that gmaxwell and you share my concern that this is a terrible idea :) this is good. ethereum will have this problem because its script is TC, as well as stateful and lots of non-amenability to theorem provers, security problems inside the language/scripts, and sandbox interpreter escape.
08:33 < jtimon> but the first really-interesting use case I saw yesterday (again in the context of freimarkets) is a covenant that allows you to always buy back interest bearing assets you issued
08:33 < adam3us> jtimon: a covenant is far worse than destroying bitcoins. it is viral and so can be used as a lever to change the social contract and meaning of coins against the users' wishes.
08:33 < jtimon> say you issue adamBTC at 1% interest but want to buy them back for BTC at 1:1 when you want, not when the lender allows you to
08:34 < jtimon> I'm not worried, by attaching a "bad" covenant you've made your coins unfungible: they're not bitcoins anymore but another asset
08:35 < jtimon> destroying is not strictly "viral" but it's also irreversible
08:35 < jtimon> the effect on the quantity of "pure btc" is the same
09:22 < adam3us> jtimon: destroying coins is relatively harmless systemically. it reduces 21mil limit, but the divisibility means it just creates some supply contraction. we can't prevent it really, all we could do is force people to do it in a non-utxo compactable way
09:23 < adam3us> jtimon: the problem with virality is it's like coinvalidation, it could virally sweep through the system via centralized policy points and change almost all of the coins' semantics. for a system which aims for user-centric policy choices, that is a big fail.
09:25 < adam3us> jtimon: if a user wanted to make a covenant, that's their choice, the worry is more around centralized points like exchanges, regulated businesses, etc imposing a viral covenant on their users that flows through the system where the user has a choice to lose fungibility or submit to some outside imposed policy against their preference and self-interest
09:29 < jtimon> well, let's use my visacoin example (KYC covenant)
09:29 < jtimon> if I give btc to an exchange and they give me visacoins back, I call that fraud and never come back
09:30 < jtimon> the main problem would probably be education and smart clients that show a different separated balance for visacoins
09:32 < jtimon> if we solve that, it doesn't matter if 80% of the btc were turned into visacoins: bitcoins are still p2p
09:32 < jtimon> in the case of freicoin it is again less to worry about
09:33 < jtimon> both visacoins and freicoins will be destroyed by demurrage, but miners get fresh clean freicoins
17:24 < andytoshi> wait, no, it's exactly as likely as somebody one block behind pulling one block ahead
17:29 < andytoshi> ok, whenever tholenst shows up again i'll mention this .. it would be a cool idea for an alt if you could post collateral against double-spends
17:35 < Taek> could you use the bitcoin script + contracts to create a distributed exchange between multiple cryptocurrencies?
17:35 < maaku> andytoshi: it's possible for an old fork to overtake the main chain
17:36 < andytoshi> for the chain to shrink does a difficulty retarget need to be involved?
17:38 < maaku> to shrink, yes, but it doesn't have to shrink to cause reorg problems
17:38 < maaku> er, n/m
17:38 < maaku> what i was thinking of is really a double-spend
17:39 < andytoshi> maaku: ah, ok
17:39 < maaku> andytoshi: but isn't that what nLockTime is?
17:39 < andytoshi> maaku: nLockTime makes the output 'unreal' until a certain time
17:39 < andytoshi> in the sense that if i make an nLockTime transaction, i can double-spend that
17:40 < andytoshi> what this does is effectively make an nLockTime transaction that gets mined, so it's impossible to double-spend it
17:40 < maaku> ok i see, the restriction is triggered on the spend
17:40 < maaku> you're looking to lock outputs for a certain amount of time
17:41 < andytoshi> exactly, which is why it's a script opcode rather than some property of the transaction
17:50 < Luke-Jr> hmm
17:50 < Luke-Jr> someone should do a scamcoin generator that doesn't need to compile anything
17:50 < Luke-Jr> just find the constants and hack the binaries
17:50 < Luke-Jr> :D
17:58 < Emcy> wow someone put "please consider donating" and an address in the torrent comments for bootstrap.dat
17:58 < Emcy> that strikes me as really low for some reason
18:00 < nsh> agreed
18:01 < Emcy> speaking of, is it time for a new bootstrap yet?
18:01 < midnightmagic> 13:59 < adam3us> andytoshi: seems like a snowcrash hiro protagonist problem (wealthy by brownie points on the metaverse but penniless in meatspace)
18:01 < midnightmagic> har har.
18:01 < Emcy> this one from august is still seeding pretty good
18:09 < michagogo|cloud> Emcy: personally, I would say an updated bootstrap would not be a bad thing. I think jgarzik maintains it, though, so I'd ask him what he thinks
18:10 < michagogo|cloud> (Though this is a bit ot for here, I think)
18:12 < maaku> iirc he updates it with each new checkpoint
18:12 < maaku> we haven't had a new checkpoint since august
18:14 < michagogo|cloud> maaku: yeah, though it doesn't need to be like that
18:19 < maaku> yeah
18:19 < maaku> regular 3 month or six month updates would be nice
18:46 < petertodd> andytoshi: s/FAIL_IF_BLOCKHEIGHT_LESSTHAN/OP_CHECKLOCKTIME/
18:47 < andytoshi> hmmm
18:48 < andytoshi> are you just renaming this or changing the behavior?
18:48 < petertodd> andytoshi: pointing out how you should implement it :)
18:49 < petertodd> andytoshi: I actually did implement that as an exercise a few months back
18:49 < petertodd> andytoshi: and actually, OP_CHECKLOCKTIMEVERIFY to be exact
18:49 < petertodd> (need that to be a soft-fork nop)
18:49 < andytoshi> petertodd: gotcha
18:50 < gmaxwell> I kinda wish the locktime time of reference was the median of the last 11 times rather than the current block.
18:50 < andytoshi> petertodd: you'd then want nLockTime transactions to be standard, and nLockTime ignored unless it appears in script?
18:51 < andytoshi> unless OP_CHECKLOCKTIMEVERIFY appears in script*
18:51 < gmaxwell> andytoshi: the locktime is already ignored when the sequence number is maximal.
18:51 < petertodd> andytoshi: ? no they're two separate things
18:51 < petertodd> andytoshi: OP_CHECKLOCKTIMEVERIFY takes a number on the stack and compares it with the IsFinal() method, failing the tx if false, leaving the number on the stack if true
18:54 < andytoshi> petertodd: i'm not clear -- how do miners know whether they should bother mining a transaction?
18:55 < andytoshi> if you have an nLockTime'd transaction today everyone will ignore it if it doesn't unlock for a long time
18:55 < andytoshi> but what i want is, the script can override the nLockTime in some cases (eg a proof of double-spend is provided)
18:56 < petertodd> andytoshi: ah, I get you, yeah you can do that with CHECKLOCKTIMEVERIFY too, but only in the sense that the transaction can't be mined because the txout it's trying to spend isn't unlocked yet
19:00 < gmaxwell> andytoshi: trying to have an anti-double-spending bond?
19:00 < andytoshi> gmaxwell: yeah, but it's not working out :P
19:00 < gmaxwell> one problem with those is then how do you prevent the bond from being multiply subscribed?
19:00 < gmaxwell> e.g. I make one 1 btc bond. Then I make 1000 0.5 BTC spends secured against it
19:00 < phantomcircuit> andytoshi, bond for what?
19:02 < justanotheruser> petertodd: Are there any posts or technical details on how sharding the blockchain would work? Would it involve removed anonymity?
19:02 < petertodd> gmaxwell: well, what if we had some kind of global consensus on who was making use of the bond?
19:02 * petertodd ducks
19:02 < andytoshi> phantomcircuit: the idea is, i send you some money -- then rather than having you wait for a confirm, i construct an output (which i own) such that you can just take it if you can prove that i've double-spent you
19:02 < gmaxwell> petertodd: but then you have to wait for that consensus to settle, defeats the purpose.
19:03 * justanotheruser frowns
19:03 < petertodd> gmaxwell: that was the joke :)
19:04 < petertodd> justanotheruser: https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03307.html is the best writeup I have
19:04 < gmaxwell> I'd say you could trust a broadcast network to tell you about competing bond usage, except the thief could redeem his own bond.
19:04 < petertodd> justanotheruser: and it's not strictly about sharding, but you can easily see how it could be
19:04 < andytoshi> gmaxwell: that's the problem that just occurred to me when i said "it's not working out :P"
19:04 < gmaxwell> (and he's not obligated to tell the broadcast network)
19:05 < petertodd> gmaxwell: hence it needs to be partial redeem, partial destroy
19:05 < justanotheruser> petertodd: thanks
19:05 < gmaxwell> andytoshi: this isn't to say that such bonds might not be useful. E.g. large ones which mostly destroy their funds. (they only pay at all as a reward for making the cheating public)
19:05 < petertodd> justanotheruser: I had another post on bitcointalk somewhere from a few months back
19:06 < gmaxwell> but there needs to be a way to transfer ownership of such bonds.
19:07 < petertodd> gmaxwell: which I solved, but soon realized then you also need a way to prove that proof-of-fraud isn't waiting to be released, which means you need consensus about all such fraud, which means proving fraud needs to be proof-of-publication-based. Fortunately this txout scheme I think works here.
19:07 < petertodd> gmaxwell: e.g. the proof is the txout bond hasn't been spent via fraud proof
19:09 < gmaxwell> right, but how do you allow transfer and not create a race between a transfer and a fraud?
19:10 < petertodd> gmaxwell: you create an intermediate "cooling off" period before a transfer can actually go through
19:10 < gmaxwell> I guess by having two outputs, one for transfer, one for fraud, and fraud can still be published for some time after the transfer before it settles?
19:10 < gmaxwell> yea, makes sense. the resulting protocol has a number of steps though, which is unfortunate.
19:12 < petertodd> Yeah, or some multisig scheme with some kind of mutually agreed on cooling off tx - lots of possibilities.
19:12 < petertodd> Well, I think the cooling off thing is unavoidable to be fair to people potentially relying on the bond.
19:12 < gmaxwell> anyone honoring the bond needs to know the ... right
19:13 < petertodd> Which also means the bond txout really needs to be able to constrain the txout of the tx spending it. :(
19:13 < gmaxwell> esp if you want to allow the bond to be honored by 'offline' devices.
19:13 < petertodd> yup
19:13 < andytoshi> petertodd: right, and that means that you have to precommit to your output and you lose the 'spend without waiting for confirmations' benefit :(
19:14 < gmaxwell> andytoshi: only if you expect people to get paid from the bond.
19:14 < gmaxwell> andytoshi: the alternative is you give up on that and just set it up so that misbehavior costs the misbehaving party their valuable bond... you don't get paid back but they don't get to keep using the bond.
19:15 < petertodd> gmaxwell: no, you just make some of the reward of proving fraud be paid out, and some destroyed, and make the destroyed amount larger than the payout amount
19:16 < gmaxwell> petertodd: you still can't promise the defrauded person gets paid no matter how much the bond pays out
19:16 < andytoshi> sure, but how does this make it possible to use the bond without committing to the output?
19:17 < andytoshi> ah, because 'overcommitting' is not a thing
19:17 < petertodd> gmaxwell: ah, right
19:17 < gmaxwell> andytoshi: because you're not promising that any particular victim can get paid.
19:17 < gmaxwell> right.
19:17 < gmaxwell> The payment the victim gets is just for the trouble of actually announcing to the world that they got ripped off.
19:17 < petertodd> gah, I should have written this up back when I was thinking about this stuff for fidelity bonded banks...
19:18 < petertodd> gmaxwell: yeah, they're not guaranteed to be made whole, and it's tricky to guarantee the fraudster has a net loss
19:21 < petertodd> unrelated: took a look at the twister twitter blockchain thing, and its difficulty is 0.002... a single GPU scrypt miner could 51% attack the thing
19:21 < gmaxwell> haha one of my coworkers just asked me about his ntp daemon at home using lots of bandwidth
19:21 < petertodd> whut?
15:54 < adam3us> to do validation later however, you are going to need the preimage (eg validate back to genesis full validation, new full client comes online) and storing data + h(nonce|data) isn't smaller than storing data
15:54 < adam3us> if the data is not necessary for validation however, that'd be a good idea and does not need to be stored, only maybe relevant to people sending/receiving the payment
15:55 < gmaxwell> adam3us: petertodd is talking about more than proving it's a hash, he wants to also prove that the public knew the preimage at some time.
15:55 < gmaxwell> The reason that peter wants that is because he wants to use bitcoin as a jamming resistant communications channel.
15:56 < adam3us> and you'd do that in 2 phases, commit first, then disclose hash pre-image?
15:56 < gmaxwell> (In order to do things like announce an anyone can spend transaction in order to prove that funds were thrown away.)
15:57 < petertodd> adam3us: Nope, disclose fully first - I'm not assuming censorship.
15:58 < adam3us> doesn't the tx itself prove funds were spent to anyone?
15:58 < adam3us> (the tx is part of the tx history so anyone can verify that)
15:58 < gmaxwell> adam3us: no, because a miner could spend anyone can spend transactions that no one saw before they were in the block.
15:58 < petertodd> adam3us: A miner can mine and spend the funds to themselves in one go.
15:58 < gmaxwell> So he could be paying himself.
15:59 < adam3us> ah ok i remember that discussion from before
16:00 < petertodd> adam3us: It's a tough problem because the miner might even be making a whole bunch of sacrifices at once, so much so that the sum of the value makes throwing away blocks to find a lucky sequence of a few in a row still profitable.
16:01 < adam3us> so to prevent that you say, a tx is not considered sacrificed, unless it was announced, for some time, and then released, presuming more than one miner contributed you are reasonably confident no individual miners spent it to themselves
16:01 < petertodd> Basically the interval between announce and commit is proof that n blocks * hashes/second * 10 minutes of hashing power integral saw the transaction.
16:01 < petertodd> Hence proof-of-visibility.
16:15 < adam3us> petertodd: ok, and remind me what is the use case for proof of sacrifice; you mentioned pseudonym reputation (misbehave you lose the pseudonym & sacrifice cost) - anything else?
16:21 < petertodd> adam3us: You can use it as an alternative to PoW
16:21 < petertodd> adam3us: Anti-spam, or even constructing a whole blockchain.
16:23 < adam3us> petertodd: in the form discussed in this thread it is a payment to miners, the PoW uses would need a direct mined version?
16:24 < adam3us> petertodd: proof that i worked towards mining bitcoins for the benefit of miners, which may or may not have resulted in actual coins being created .. eg only 1 in 10000 would it succeed because of limited power
16:26 < petertodd> adam3us: What you are describing is proof-of-work towards a sacrifice; proof-of-sacrifice is more general than that.
16:26 < petertodd> adam3us: You don't need hashing power at all to make a sacrifice proof.
16:27 < adam3us> petertodd: correct, but u said could be used as a PoW - giving bitcoins to miners is like a charitable act
16:27 < adam3us> petertodd: i am not sure you can eg back an alt-coin in the PoW of giving bitcoins to miner charity?
16:28 < petertodd> adam3us: No, as an alternative to a PoW
16:28 < petertodd> adam3us: For instance you can make a consensus key-value system where consensus is achieved by looking for the highest sacrifice of Bitcoins rather than largest proof-of-work.
16:29 < adam3us> petertodd: oh ok, for the stated applications of anti-spam, pseudonym reputation; but you also said as a PoW for constructing a block chain?
16:29 < petertodd> adam3us: As a replacement for a PoW
16:30 < adam3us> petertodd: ok, msg crossed
16:30 < petertodd> What's good about sacrifice rather than proof-of-work is that often getting access to hashing power is hard or inconvenient; making it a sacrifice levels the playing field and simplifies things.
16:30 < adam3us> petertodd: however that's like us politics: one $ one vote - the outcome is biased in favor of the rich criminals?
16:31 < amiller> only if they get the $ afterward
16:31 < amiller> one $ one vote is actually pretty reasonable if you force them to pay
16:31 < amiller> i think it's the best you can get
16:31 < amiller> sorry only if they don't* get the $ afterward
16:32 < petertodd> adam3us: Meh, it's the best we have in a decentralized digital system.
16:32 < amiller> if it were actually one $ one vote it would drive out all the richest people who enjoy higher gain investments elsewhere
16:32 < adam3us> petertodd: this sounds a bit like your pay to replace idea: the tx with the highest fee (or fee commit) is going to win period
16:33 < petertodd> adam3us: Well yeah, again, it's a decentralized digital system; there are no alternatives.
16:33 < petertodd> adam3us: It's not like we can have a little AI that evaluates original topical poems as the work function.
16:34 < adam3us> wait wait: if the consensus is in terms of which transaction is considered first (like bitcoin), then one $ one vote is not so good eh? wait for user to accept payment, take goods, outpay their fee to pay to self and override your own previous transaction?
16:34 < petertodd> As always, zero-conf is insecure; wait for sufficient confirmations.
16:35 < Luke-Jr> adam3us: on the other hand, the merchant can screw the scammer by putting 100% of the coins into fee
16:36 < petertodd> (It's interesting to note how proof-of-captcha would be possible if only you could make a captcha whose answer you provably didn't know in advance)
16:36 < Luke-Jr> petertodd: you'd also need to make a captcha that works
16:36 < amiller> one $ one vote is best attainable because if you assume a $ is power incarnate that can purchase anything, which is what money is, then you can literally buy people with it and there isn't really anything that can be done about that
16:36 < petertodd> Luke-Jr: I said possible. :P
16:36 < Luke-Jr> these days I have to try them like 5 times, and the people trying to automate it just hire slaves
16:37 < petertodd> Luke-Jr: Well, slaves is still involving people... actually with a TPM proof-of-captcha would be possible trivially.
16:37 < gmaxwell> yea, I really wish there were some addon that used the commercial captcha solving services. The spammers have driven the captcha prices pretty low.
16:37 < petertodd> gmaxwell: lol!
16:37 < amiller> if you have a tpm then you just use the tpm for all your money and a captcha isn't necessary
16:37 < amiller> you just mean a tpm
16:37 < adam3us> i think the problem with $ for voting is while mining hardware & electricity costs $ also, actual $ is completely elastic supply
16:38 < petertodd> amiller: You might still want proof-of-human though - it might not be a currency we're using this for.
16:38 < adam3us> so it's hard to build a fair consensus based on biggest fee wins?
16:38 < petertodd> adam3us: Right, which is why s/$/BTC/...
16:38 < amiller> proof-of-human is nonsense too tbh, what are we gonna do when we have to economize with the hivemind slime mold creatures in space
16:38 < adam3us> yes but i can buy btc for $
16:38 < petertodd> adam3us: No it's trivial for some definition of "fair"
16:39 < petertodd> adam3us: Irrelevant, inflating the $ supply just makes the BTC more expensive.
16:39 < adam3us> petertodd: the other thing is i think the scammer has more incentive to pay stupidly high fees than real users and real merchants, so the scammer always wins
16:41 < gmaxwell> adam3us: as luke pointed out before, if the merchant is aware of that he can 100% fee in response and so the scammer never wins in that world.
16:41 < adam3us> the other thing is bitcoin consensus is not just saying which tx happened first out of a double-spend set, it is also validating transactions add up
16:42 < adam3us> so how would this work: collect a block of txs, validate them, and attach a fee if you care about a tx in there
16:43 < petertodd> adam3us: All this is silly, just don't accept zero-conf and you're fine.
16:43 < petertodd> adam3us: Or trust in the scorched earth policy that makes scamming useless.
16:43 < petertodd> adam3us: There are *so* many ways to double-spend...
16:43 < adam3us> petertodd: ok no zero-conf, still how does it work
16:44 < adam3us> fee is a signature on the fee tx and the block
16:44 < adam3us> and person who pays biggest fee wins? .. that'll presumably be the guy with the biggest tx ... eg guy who just bought a house
16:45 < petertodd> adam3us: wins what?
16:45 < adam3us> no one accepts the fee-signed block to build on unless they agree there are no double spends in it
16:45 < adam3us> (is considered valid vs competing block signatures?)
16:46 < petertodd> Huh? The definition of a block is that there can be no double-spends in it.
16:46 < adam3us> well relative to previous blocks too
16:47 < petertodd> The definition is also that it can't double-spend previous blocks.
16:48 < adam3us> yes and that fact is validated by full nodes is all i mean
16:48 < petertodd> I don't get where you are going with this...
16:50 < adam3us> just thinking aloud seeing where it goes (using Po sacrifice in place of PoW) strangely it seems to sort of work?
16:51 < petertodd> ah, you mean if you had a cryptocurrency whose block ordering was chosen by PoS
16:52 < adam3us> yep
16:53 < adam3us> i think the problem will come with splits: if some part of the network creates conflicting transactions that are not broadcast until later
16:53 < adam3us> the bitcoin resolution protocol no longer works, instead there will be a bidding war to win, rather than a CPU race
16:54 < adam3us> (even after say 3 blocks where some users may have locally accepted the transaction)
19:21 < jtimon> sipa: I get your point, sometimes just trust-less is enough
19:22 < jtimon> maaku: why do you think strong typing would be better? the little I read about joy sounded very good
19:23 < maaku> jtimon: enforced strong typing is less likely to result in consensus bugs
19:23 < jtimon> like if I could even like the language and all
19:24 < petertodd> maaku: are you thinking of including those languages as libraries or what?
19:24 < jtimon> I see
19:24 < jtimon> replacing the current scripting I think
19:24 < maaku> petertodd: currently hypothetical replacements for script
19:24 < sipa> any reason why you'd use a stack-based language, and not something ast-based?
19:25 < sipa> (i've been following about 1% of the discussions here the past weeks, i've certainly missed a lot)
19:25 < jrmithdobbs> rust txn scripts please!
19:25 < jrmithdobbs> ;p
19:25 < petertodd> maaku: right, because I was going to say, I think you're much more likely to avoid consensus bugs by just making the underlying opcodes/interpreter simple - screw what actual language you end up with
19:26 < petertodd> maaku: strong typing means you have types, and types themselves are a bunch of code with potential consensus failures
19:26 < maaku> sipa: it'd be (relatively) easy to transition from script to some other Forth-like language - essentially just write a translator between the two
19:26 < maaku> and it's nice that, like LISP, the syntax is simple enough that you can code directly and don't really need a compiler
19:27 < sipa> you can do the same for an AST like language
19:27 < sipa> well, in one direction at least
19:27 < sipa> and i'm sure it's much closer to the domain we're representing
19:28 < jtimon> maaku weren't there more reasons to choose a concatenative lang? http://en.wikipedia.org/wiki/Concatenative_programming_language
19:28 < petertodd> sipa: I think the big question is do you need the self-modifying code that forth makes possible?
19:28 < petertodd> sipa: for quines it's certainly useful
19:28 < sipa> quines? what do you need that for
19:29 < maaku> sipa: covenants
19:29 < sipa> another thing i need to read... :'(
19:29 < petertodd> sipa: IE things like SPV-verifiable colored coins
19:29 < petertodd> sipa: write a script that forces the transaction spending it to have a certain form, propagating the colored coin definition like a virus
19:30 < jtimon> basically, forcing the outputs of the next transaction to have certain code in their scripts
19:30 < jtimon> well, maybe only some of the outputs
19:30 < maaku> and Forth-like languages are really good for this sort of thing, although not required
19:30 < sipa> right
19:31 < maaku> since you basically just have to test the prefix of the output script
19:31 < petertodd> also, merklized abstract syntax tree schemes *are* very forth compatible, even the self-modifying quine versions
19:31 < jtimon> actually petertodd the colored coins example was confusing to me because of regular colored coins and freimarkets
19:31 < petertodd> forth is just symbol tables, and symbols can just as equally be merkle hashes
19:32 < maaku> petertodd: re simplicity, that's why i'm looking at Joy/Cat. it's basically two dozen or so combinators + builtins
19:32 < maaku> and a syntax that is even simpler than LISP
19:33 < petertodd> maaku: incidentally, keep in mind that as complex as these sharded blockchain ideas are, they can also make these computationally intensive consensus schemes more viable by spreading the computation and space across more miners
19:33 < jrmithdobbs> forth has seemed like the obvious choice since i first saw the script ... first thing to come to mind was "why isn't that forth"
19:33 < petertodd> maaku: syntax has nothing to do with what goes in the chain necessarily... :)
19:34 < petertodd> jrmithdobbs: because satoshi didn't want a complex symbol table!
19:34 < petertodd> jrmithdobbs: script is even *simpler* than forth
19:34 < jrmithdobbs> petertodd: i know
19:34 < jrmithdobbs> petertodd: but forth is such a great fit for this use case ;p
19:34 < maaku> jtimon: yes i don't think the colored coin example is good for explaining the purpose, but IOU with a buy-back option is a good succinct example
19:35 < petertodd> jrmithdobbs: agreed
19:35 < maaku> i don't think satoshi realized that you could prefix an execution counter to the scriptSig to solve most of the turing-complete worries
19:36 < gmaxwell> sipa: petertodd pointed out that you can make colored coins where the network tracks the color for you by using a covenant scriptpubkey that basically handles the task of making the network track which coin is colored.
19:36 < gmaxwell> maaku: I don't think a counter is sufficient for resolving "worries"
19:36 < petertodd> maaku: I'm sure he did, and thought of additional issues
19:36 < maaku> gmaxwell: i think the DoS preventions I mentioned in the scrollback solve the remaining worries
19:36 < maaku> is there something I'm missing?
19:36 < petertodd> maaku: though then again, counting sigops in un-executed scriptPubKeys was a damn stupid idea
19:37 < jrmithdobbs> petertodd: ya i was going to say, i think you're inferring too much credit there
19:37 < jrmithdobbs> s/in/con/
19:37 < petertodd> jrmithdobbs: indeed
19:38 < sipa> i don't think satoshi considered several of his changes (disabling opcodes, limited block size, counting sigops) as hard rules, just temporary anti-dos measures
19:38 < petertodd> maaku: the DoS preventions work even better when you do per-tx PoW schemes
19:38 < gmaxwell> maaku: engineering ones, like operation counting bugs creeping in when people implement faster execution engines, or sandbox escape when people implement faster execution engines.
19:39 < jtimon> petertodd how don't you hardcode the per-tx pow?
19:39 < petertodd> gmaxwell: the latter problem isn't specific to execution counters, heck, even the former isn't totally
19:39 < jrmithdobbs> gmaxwell: or emulating some other form of state/etc through some other trickery that would hurt everyone's head
19:39 < petertodd> jtimon: why would it be hardcoded?
19:39 < jrmithdobbs> gmaxwell: those are the really scary ones imho
19:39 < maaku> gmaxwell: yes, well that's why I'd prefer a simple language with a minimal number of primitives and implementation complexity ...
19:39 < gmaxwell> petertodd: no but IP counting is actually much harder when you've implemented a tracing JIT.
19:40 < maaku> i think you could implement Joy/Cat with the same or fewer lines of code as current bitcoin script
19:40 < gmaxwell> (A significant fraction of all code execution bugs in firefox have been in the JITs)
19:40 < jtimon> patertodd is just the simplest scheme that comes to mind, just want to know what you had in yours, what's your diff filter?
19:40 < petertodd> gmaxwell: well, that's an argument against sophisticated scripting in general too...
19:40 < jtimon> /pater/peter
19:40 < gmaxwell> maaku: right but when people actually use it there will be a lot of pressure to replace it with a JIT. And a lot of room for bugs resulting in sandbox escapes and instruction counting glitches.
19:41 < petertodd> jtimon: well, *absolutely* simplest is to say a block has a single tx in it :)
19:41 < gmaxwell> petertodd: it is, indeed. but a JIT for a non-turing complete language is FAR easier to make safe. Esp since it can work with dumb template matching much of the time.
19:42 < jtimon> I thought it was per-tx pow apart from block pow, the thing I'm more comfortable with are "optional pow fees"
19:43 < petertodd> gmaxwell: that's nice, but it all comes down to "is programming scripts easy enough and fast enough to be practical?" especially when we're talking things like covenants
19:43 < jrmithdobbs> gmaxwell: is replacing the script being seriously considered or just a toy conversation?
19:43 < petertodd> jtimon: I think it makes most sense when the only pow is in tx's, although exactly what that'd look like is an interesting question
19:44 < sipa> jrmithdobbs: even gavin has mentioned it (though i'm sure he's thinking about much less exotic changes)
19:44 < maaku> jrmithdobbs: jtimon and I are seriously considering it in the context of trying it out on an altchain (freicoin)
19:45 < petertodd> maaku: and it's on my list of things that I need to research for MSC
19:45 < gmaxwell> jrmithdobbs: most of this is speculative conversation. The thing I'd want to replace it with isn't yet realistic to deploy.
19:45 < maaku> although given all the other more important stuff on our plate, it's still a very hypothetical conversation
19:45 < jrmithdobbs> gmaxwell: which is?
19:46 < jtimon> with covenants we could replace some freimarkets stuff and already have a use case that was actually a missing piece for p2p lending
19:46 < petertodd> maaku: well, for me it's a top priority
19:46 < sipa> if i was asked today to write a script language for bitcoin, i think it'd be an AST with slightly lower level crypto operations than bitcoin has now
19:46 < gmaxwell> using some form of ZK-SNARK instead of doing fancy things directly. (I'd still be in favor of improving things generally, e.g. M-AST)
19:46 < petertodd> sipa: mostly agree there, what's interesting is what types of data would that script have access to?
19:47 < sipa> i don't think byte arrays as data type is such a bad idea
19:48 < jtimon> gmaxwell sipa will an AST really be simpler for script coders?
19:48 < gmaxwell> (since I don't think it ever would make sense to use a SNARK to accomplish a 'simple' (X and Y) or ((X or Y) and 2of3(Q,R,Z)).
19:48 < jrmithdobbs> jtimon: huh? of course it would
19:48 < maaku> gmaxwell: the SNARK would still have a language it understands though, right? (e.g. tinyram)
19:49 < gmaxwell> maaku: no. What I'd do is just implement a generic snark validation, and provide the snark verification key in the transaction.
01:39 < warren> (scrypt. diablo was fine)
01:39 <@gmaxwell> I know it's never especially fast, but I'm thinking more like 100ms.
01:39 < Diablo-D3> intensity in cgminer and shit is the opposite
01:39 < Diablo-D3> -f 1 is higher than -f 60
01:39 <@gmaxwell> stupid driver/gpu turnaround sucks.
01:39 < Diablo-D3> gmaxwell: 100ms? no
01:39 < Diablo-D3> if you're using -f 60 in DM it's 16.6ms
01:39 < Diablo-D3> I use -f 120 to preserve desktop performance, so it's 8ms
01:40 <@gmaxwell> I suppose this might be a reason to implement share merging.
01:40 < Diablo-D3> gmaxwell: well
01:40 < warren> gmaxwell: what is that?
01:40 < Diablo-D3> that's why I was asking about multiple heads
01:40 < Diablo-D3> warren: more bullshit tx in the block that say "hey remember my share on that other chain? that's mine too"
01:41 <@gmaxwell> warren: say you have multiple ties for the last share on the same best chain you are mining. You make a new share that has all of those shares as parents. You are incentivized to do this because your chain is longer by including them.
01:41 <@gmaxwell> warren: this hides the latency.
01:41 <@gmaxwell> Too much latency hiding is bad because then p2pool would overpay overly latent miners.
01:41 < Diablo-D3> gmaxwell: well wait, why do it that way and not my way
01:42 <@gmaxwell> Diablo-D3: the history must be unique.
01:42 < warren> either of these ways would multiply the amount of p2p traffic
01:42 < Diablo-D3> yeah, but it makes dead chains merged into the main chain
01:42 <@gmaxwell> Diablo-D3: otherwise you mine a long chain that only pays you.. then you merge it in....
01:42 < Diablo-D3> warren: no it wouldn't
01:42 < jgarzik> Woah!
01:42 < jgarzik> A halpost 01:42 < Diablo-D3> gmaxwell: yeah, and then that means nothing 01:42 < jgarzik> https://bitcointalk.org/index.php?topic=154290.0 01:43 <@gmaxwell> warren: no because the difficulty control algorithim still counts the extra shares. 01:43 < warren> ooh, ok. 01:43 < Diablo-D3> jgarzik: woah, ahvent seen him for awhile 01:43 <@gmaxwell> warren: so the difficulty just goes up and the total number of shares stays the same. 01:43 < Diablo-D3> gmaxwell: yeah, but difficulty would count shares in my system 01:43 <@gmaxwell> 22:42 <@gmaxwell> Diablo-D3: otherwise you mine a long chain that only pays you.. then you merge it in.... 01:43 < Diablo-D3> gmaxwell: yeah and that doesnt DO anything 01:43 <@gmaxwell> ... 01:43 <@gmaxwell> die 01:43 < Diablo-D3> it just means you get paid a lot for the next few blocks 01:44 < Diablo-D3> for work you already have and are credited for 01:44 <@gmaxwell> FOR WORK YOU WERE SELFISHLY DOING ONLY FOR YOURSELF. 01:44 < warren> gmaxwell: hmm, that's pretty good. 01:44 < Diablo-D3> gmaxwell: not really 01:44 <@gmaxwell> GOD THIS IS NOT ROCKET SCIENCE DIE DIE DIE 01:44 < Diablo-D3> you cant ... 01:44 < Diablo-D3> oh 01:44 <@gmaxwell> :P 01:44 < Diablo-D3> gmaxwell: was your guy withholding bitcoin blocks too? 01:44 < Diablo-D3> because thats a dick move 01:45 <@gmaxwell> Diablo-D3: he's only trying to mine blocks that pay him so p2pool should not credit him. 01:45 < Diablo-D3> thats bad 01:45 < Diablo-D3> because I just realized 01:45 <@gmaxwell> You never want to pay people who were mining a different history than you. 01:45 < Diablo-D3> lets say I hack my p2pool variant to do that 01:45 < Diablo-D3> I mine myself until I get 25btc in credit 01:45 <@gmaxwell> Diablo-D3: if you do its no problem, other p2pool miners will not pay you. 01:45 < Diablo-D3> then merge my chain 01:45 < Diablo-D3> every time I dont get a block 01:45 <@gmaxwell> Right. Thats why your idea was a nonstarter. 
01:45 < Diablo-D3> but if I DO ge ta block 01:46 < Diablo-D3> I get to keep the 25btc 01:46 < Diablo-D3> and I obviously had less than 25btc in credit at that point 01:46 < Diablo-D3> gmaxwell: could have a maximum length of merging 01:46 < Diablo-D3> you merge a share, but it ignores further merges 01:46 <@gmaxwell> yes, which was why I suggested 1. :P thats sufficient to hide ~10 seconds of latency. 01:46 <@gmaxwell> Hide more than that and you overpay latent miners. 01:46 < warren> how much should it hide? 01:47 < Diablo-D3> gmaxwell: yeah, then your and my technique are identical 01:47 <@gmaxwell> warren: it's a tradeoff with overpaying people who are late enough that it impacts bitcoin returns. 01:47 < Diablo-D3> gmaxwell: and this could be done automatically, ALWAYS name your previous share 01:47 < Diablo-D3> gmaxwell: even if its in your chain 01:47 < warren> I haven't had shell access to remote nodes, so I haven't been able to measure typical share propagation latency. 01:48 < Diablo-D3> and use a bloom filter or whatever to select for uniqueness when paying 01:48 < warren> On my own nodes I sometimes see gaps of 40 seconds during those unlucky times when good peers don't like me. 01:48 < Diablo-D3> gmaxwell: this could be used for main chain signaling too 01:48 < Diablo-D3> gmaxwell: like "ignore all shares on that chain because it just merged into ours" 01:48 < Diablo-D3> so dead heads are trimmed early 01:50 < warren> I wasted a lot of time fiddling with p2pool when I don't own hashing hardware. 01:50 < Diablo-D3> warren: you were port forwarding p2pool's port, right? 01:50 < warren> Diablo-D3: no 01:50 < Diablo-D3> warren: you really should 01:50 < Diablo-D3> p2pool sorta punishes you for that 01:51 < warren> Diablo-D3: oh wait, not port forwarding per se, I have a IPv4 address. 01:51 < Diablo-D3> yeah so? 01:51 < warren> Diablo-D3: it punishes you? where in the code? 
01:51 < Diablo-D3> not in the code 01:51 < Diablo-D3> you're just limiting your ability to connect to other nodes 01:51 < Diablo-D3> there are good nodes behind NAT without their ports forwarded 01:52 < Diablo-D3> so you cant connect to them, they can only connect to you 01:52 < Diablo-D3> and if you dont have your port forwarded, they cant connect to you 01:52 < warren> Diablo-D3: oh. that. I know. Sometimes I have 5 nodes running. 01:52 < warren> Diablo-D3: I found the good nodes who don't port forward and blocked incoming connections from nodes that were measured as consistently bad for 24 hours. 01:53 < warren> Diablo-D3: you can make it a little better by manually trimming useless peers so your connections try others 01:54 <@gmaxwell> I wonder if p2pool share delivery would actually be a serious application for network coding. 01:54 < Diablo-D3> gmaxwell: I think so 01:54 < Diablo-D3> but Im going to have to think about this problem for awhile 01:54 <@gmaxwell> Diablo-D3: do you even know what network coding is? 01:54 < Diablo-D3> gmaxwell: I think you're talking about a different kind 01:55 <@gmaxwell> https://en.wikipedia.org/wiki/Network_coding#Random_network_coding 01:55 < Diablo-D3> gmaxwell: I was thinking in the utorrent bandwidth flooding protection sense 01:56 < Diablo-D3> https://en.wikipedia.org/wiki/Avalanche_filesystem 01:56 < Diablo-D3> THAT looks interesting 01:57 < egecko> except for that whole part about microsoft being involved 01:57 < warren> Diablo-D3: I have code to automatically trim bad peers, and move the good peers to the front of a queue, both with a random bias. 01:57 < Diablo-D3> egecko: yeah, but ideas exist to be stolen 01:57 < warren> I'm not certain this would be good for all clients though. It may exacerbate the good peer collusion. 
01:57 < Diablo-D3> warren: I would have done that anyways based on latency of response 01:57 * jgarzik grins 01:57 < jgarzik> warren: You are wholly and completely sucked into bitcoin algorithm cool-ness at this point, aren't you? :) 01:58 < warren> jgarzik: =( 01:58 < Diablo-D3> lol 01:58 < Diablo-D3> gmaxwell: well, I think an optimum network would prioritize peers that have the farthest latency 01:58 < Diablo-D3> gmaxwell: before nearest 01:59 < Diablo-D3> so its less likely for you to have chain forks 01:59 < warren> Diablo-D3: it's hard to enforce that though 01:59 < Diablo-D3> warren: enforcing isnt the issue 01:59 < Diablo-D3> detecting it is 01:59 < warren> how the heck would you detect that? 01:59 < Diablo-D3> the utorrent method work similarly 01:59 < Diablo-D3> warren: ping as part of the protocol 01:59 < warren> ping *is* part of this protocol, I think. 01:59 < warren> TCP ping 02:00 < Diablo-D3> utorrent's bandwidth auto-sizing thing works like this 02:00 < Diablo-D3> you're over UDP 02:00 < Diablo-D3> if you start getting high packet loss overall, throttle back 02:00 < Diablo-D3> if peers are taking absurd times to respond, throttle back 02:01 < Diablo-D3> utorrent selects to prioritize peers that have less latency (which implies closer and more bandwidth) 02:01 < Diablo-D3> my way would do all of that, but select for FARTHEST peers 02:01 < warren> gmaxwell: I mainly gave up on p2pool for now because I need to finish my thesis and I couldn't figure out what the hell is wrong with stratum. 02:01 < Diablo-D3> and to throttle back, I just repeat shares to less peers 02:01 < Diablo-D3> warren: 2 bytes is whats wrong with stratum 02:02 < Diablo-D3> warren: and its an upstream bug in cgminer which was already fixed 02:02 < warren> huh? I've been using cgminer git. 02:03 < warren> Diablo-D3: which commit? 
02:03 < Diablo-D3> warren: dunno 02:03 < Diablo-D3> forrest fixed it in p2pool until avalon gets their shit together 02:03 < warren> Diablo-D3: how long ago? 02:04 < warren> Diablo-D3: i've been using git of both cgminer and p2pool 02:04 < Diablo-D3> huh not sure 02:05 < Diablo-D3> I swear I saw the commit for it 02:05 < Diablo-D3> but its not in my copy of the repo and my repo is up to date 02:05 < Diablo-D3> warren: ask forrest 02:05 < warren> Diablo-D3: as of a week ago, forrest and conman were blaming each other for this. 02:06 < Diablo-D3> they had differing intepretations of the spec 02:06 < Diablo-D3> con expected 4 bytes for the stratum nonce, forrest was sending 2 15:52 < BlueMatt> but make the connection logic such that you only connect to "that" network if you are bootstrapping 15:53 < petertodd> BlueMatt: I don't think any of them had heard of me before actually, they were just listening to the tradeoffs between bandwidth and decentralization and anonymity, like it or not, you can't mine large blocks anonymously, that's just life 15:53 < BlueMatt> um...no? 15:53 < BlueMatt> thats just not true 15:53 < gmaxwell> BlueMatt: yea, thats not crazy I suppose.. but really that can just be the same p2p network and differentiation with service bits. 15:53 < petertodd> BlueMatt: so how are you going to do that? 15:53 < BlueMatt> you cant mine at all without serious cash, and with that you can mine anonymously... 15:54 < petertodd> BlueMatt: that's completely wrong and you know it, the cheapest ASIC miners are just a few hundred dollars of investment 15:54 < BlueMatt> gmaxwell: well getting connected would be tricky... 15:54 < petertodd> BlueMatt: and $/GH scales linearly, with slightly better MH for lower $'s 15:55 < BlueMatt> petertodd: and the cheapest of asics will do absolutely nothing within a year 15:55 < petertodd> BlueMatt: and after a year, the cheapest asics will still be cheap! 
15:55 < petertodd> BlueMatt: that's just how silicon mfg works 15:55 < BlueMatt> and do nothing... 15:55 < BlueMatt> yes, as long as it is cheap and available it will be worthless for reasonable mining 15:56 < gmaxwell> BlueMatt: whats reasonable mean? I mean, my office is full of people who gpu mine... quite profitably now at the moment. 15:56 < petertodd> BlueMatt: individually they do nothing, thousands of them together make for a huge and extremely difficult to censor chunk of hashing power 15:56 < BlueMatt> gmaxwell: yes, because supply is...impoxxible 15:56 < BlueMatt> oh, you said gpu 15:56 < gmaxwell> Of GPUS?!?!?! 15:56 < BlueMatt> meh, whatever 15:56 < gmaxwell> right! 15:57 < gmaxwell> Your discussion feels like a tangent in any case. I think you'd disagree less if you had a nice conversation instead of a debate. :) 15:57 < petertodd> ASIC supply *will* be reasonable in the future, it's just IC mfg, you might as well assume Intel CPU's will be impossible to get because they're hard to make 15:57 < gmaxwell> petertodd: bluematt argues that so long as mining is very proftably supply will tend to zero because people will snaft them up. 15:57 < BlueMatt> petertodd: and even if it is, bandwidth continues to increase 15:58 < BlueMatt> petertodd: I do not argue that we shouldn't increase block size to 10GB/10 minutes 15:58 < BlueMatt> petertodd: but that video drastically overstates the consequences 15:58 < petertodd> Huh? That's crazy. So what if "supply" tends to zero, the question is what is the barrier to entry to buy. 15:59 < petertodd> The barrier to entry is one ASIC chip, and $/GH scales very nicely 15:59 < gmaxwell> I think debating supply is silly however... because very distributed small scale mining is still fine. It doesn't really matter how much each person earns so long as they do it. 15:59 < gmaxwell> so forget that argument. 15:59 < petertodd> gmaxwell: +1 15:59 < gmaxwell> and realize that BlueMatt and you actually argree. 
(see his last comment) 15:59 < gmaxwell> you just perhaps disagree on the number and how you determine it. 15:59 < petertodd> Right, but small scale *hashing* is useless, only small scale *mining* matters. 16:00 < gmaxwell> Fortunately we have a plan of attack to convert more small scale hashing into small scale mining. 16:00 < gmaxwell> (one which sounds very viable, and now has a bunch of people basically on board for it) 16:01 < petertodd> Yup, but the plan fails if you raise the blocksize above what people can process, which is all the more reason to do it as fast as possible. 16:01 < BlueMatt> petertodd: me being upset with that page has nothing to do with your fundamental argument, Im just incredibly pissed that you would do such a video that so far overstates the consequences of a few mb increase 16:02 < zooko> gmaxwell: quick pointer to that plan for small-scale-mining? 16:02 < petertodd> Well, that you assume the video was talking about a few mb increase is a big problem. It was talking about what happens to Bitcoin if we go the on-chain route for everything, and in the long run as Bitcoin scales to the whole world. 16:02 < BlueMatt> its clearly designed as a simple scare video 16:03 < zooko> Hey, do you folks mind if I invite Adam Back to this channel? 16:03 < petertodd> zooko: yes, he's smarter than me :P 16:03 * zooko laughs. 16:03 < zooko> me too 16:03 < BlueMatt> petertodd: then you are very confused about how that video actually came across 16:04 < gmaxwell> The channel is not technical a secret. Just not promoted to keep the noise down. Invite anyone who would find the conversation interesting. 
16:04 < zooko> gmaxwell: cool 16:04 < BlueMatt> petertodd: also, the idea that you want people to start standing up and emailing pools and everything to get them to publicly post that they "disagree with any blockchain increase" is just not cool 16:05 < petertodd> BlueMatt: Alright, look at it this way, if Bitcoin gets to the point where we need 1GB blocks soon, do you think what the video says makes sense? 16:05 < warren> petertodd: curious, the text doesn't mention spam or dust at all? 16:05 < petertodd> BlueMatt: In the next few years disagreeing with any blockchain increase makes sense because tech just won't have changed much. 16:05 < gmaxwell> zooko: The plan is to integrate modern mining support with bitcoind... provide some good UI that makes it interesting.. AND provide a mode where user configured pools provide only the coinbase transaction, but the local node provides everything else. This way the pool pools only the payouts, not the network consensus. (there are a bunch of details, but this is the high level goal) 16:05 < BlueMatt> petertodd: wait, WAT? 16:05 < petertodd> warren: Oh in the site? Yeah, I need to add that stuff. 16:06 < zooko> gmaxwell: huh, interesting! 16:06 < BlueMatt> petertodd: the tech is chaining (as in power to process stuff and bandwidth availability) 16:06 < zooko> gmaxwell: I very much value decentralizing mining. 16:06 < petertodd> BlueMatt: My train of thought it mining must be possible anonymously and on a small scale, and I know damn well that it'd take at least 5 more years until anonymous bandwidth availability is even close to improving enough to consider an increase. 16:06 < BlueMatt> petertodd: and there is no question that by the point we have /that/ many txn something will have to go off-chain 16:06 < gmaxwell> BlueMatt: The answer you should make to petertodd is to _demonstrate_ the tech can handle whatever block sizes you think it should.. 
keep in mind that until a few months ago we couldn't handle >500k safely and didn't even know it. :( So regardless of your views, doing that will be super useful. 16:07 < petertodd> BlueMatt: Anonymous bandwidth availability has *very* little to do with tech and everything to do with politics. 16:07 < BlueMatt> gmaxwell: because I have time for that? 16:07 < BlueMatt> oh god 16:07 < gmaxwell> BlueMatt: I didn't mean you personally at least not right now. 16:07 < sipa> i'm getting complaimts from a pool operator that GBT is taking 10s since very recently 16:07 < BlueMatt> petertodd: its not a question of being able to mine over tor 16:07 < BlueMatt> you wont ever be able to do that reasonably 16:08 < gmaxwell> sipa: yea, its due to correct horse stapler battery spatular nunchuck 16:08 < BlueMatt> sipa: Ive hear that a lot 16:08 < gmaxwell> sipa: the workaround is to run 0.8.2 for obvious reasons. 16:08 < petertodd> BlueMatt: And not being able to do that is unacceptable. 16:08 < BlueMatt> petertodd: no, its the ability to mine from wherever over your connection in $RANDOM_COUNTRY 16:08 < BlueMatt> you cant mine over tor now 16:08 < gmaxwell> petertodd: you guys should stop arguing and look at the points you agree over. There is substantial agreement. 16:08 < BlueMatt> and you wont ever be able to 16:08 < BlueMatt> get over it 16:08 < gmaxwell> BlueMatt: I have mined many blocks over tor in the last month. 16:08 < gmaxwell> I have, in fact, yet to have an orphan. 16:08 < petertodd> sipa: Another correct horse tx got mined. 16:09 < BlueMatt> if I /need/ to mine anonymously, Ill go to uganda and set up shop there 16:09 < petertodd> gmaxwell: You gotta add "mined over tor" to your coinbase... 16:09 < gmaxwell> petertodd: convince someone else to first. :( 16:09 < petertodd> BlueMatt: I've told people about those options, and they see that as unacceptable. 
16:09 < BlueMatt> the ability to mine over tor is /definately/ not something we need to protect 16:09 < petertodd> gmaxwell: lol, true 16:09 < gmaxwell> In any case, I think that the tor argument is kinda a tangent or at least it's not my own priority. 16:10 < BlueMatt> the ability of any random user to mine /is/ 16:10 < gmaxwell> I agree with bluematt there mostly, besides that difference is probably just some small constant factor in scale. 16:10 < BlueMatt> if we want to make sure users can mine over tor, why are we not working to ensure users can mine over dial up? 16:10 < petertodd> BlueMatt: Look, fundementally you are happy with a less secure to censorship Bitcoin than I am. That's why it's a political, not technical, argument. We both agree on the technical aspects here, just on what the political implictions are. 16:10 < BlueMatt> because there are a lot of people in repressive gov'ts who only have that 16:11 < BlueMatt> btw, tor isnt secure against censorship... 16:11 < gmaxwell> BlueMatt: because dialup is not a necessary condition of a repressive government, forcing people to dialup has a lot of coolateral damage. 16:11 < BlueMatt> its been done quite a bit... 16:11 < gmaxwell> collateral* 08:02 < warren> sipa: (I'm assuming the one-block attack from a hostile miner, as I suspect that's the easiest/cheapest attack to do. I could be wrong.) 12:13 < realazthat> hey fellas 12:13 < realazthat> any ideas for a bitcoin-based project? 12:14 < sipa> write a python script that implements blockexplorer-like website, by using bitcoind RPCs 12:14 < realazthat> heh I just wrote a python blockchain parser 12:15 < realazthat> is the API powerful enough to do that? 
12:15 < sipa> not for address-based lookups 12:15 < sipa> but for pretty much everything, yes 12:15 < sipa> if you enable txindex 12:15 < realazthat> doesn't blockexplorer use a patch or somesuch 12:15 < sipa> blockexplorer was written when bitcoind was version 0.3.17 or so 12:16 < realazthat> ok 12:16 < realazthat> this sounds like a doable project 12:16 < realazthat> how useful would it be? 12:17 < sipa> i think a lot of people currently depend on blockexplorer-like sites for trivial queries that their own bitcoind could do 12:17 < sipa> but using the RPC interface isn't particularly user-friendly 12:18 < realazthat> so this would be a locally run site 12:18 < realazthat> ? 12:19 < sipa> yeah 12:19 < sipa> i'd very much like to see something like that in bitcoin's contrib/ directory 12:19 < realazthat> any ideas for a python website framework lib or somesuch to use 12:20 < realazthat> or to make it on raw sockets 12:20 < sipa> i don't know enough python for that, but for example p2pool has a very nice built-in stats page 12:20 < sipa> no idea how it's implemented though 12:20 < realazthat> ok, I'll do some research 12:21 < sipa> thanks! 13:01 < realazthat> ok so I think I wanna use something simplistic 13:01 < realazthat> not a whole framework 13:02 < realazthat> something like http://code.activestate.com/recipes/577047-bible-verse-quiz-servletpy/ 13:03 < realazthat> I'll get started 13:04 < sipa> realazthat: awesome1 13:04 < sipa> realazthat: awesome! 13:04 < sipa> poke me if you need help 13:05 < realazthat> it will take some time, I need to get a bitcoind up and running 13:59 < realazthat> sipa: should I be using python-bitcoinrpc 14:02 < sipa> realazthat: i don't care :) 14:50 < HM> sipa: is "txindex" accepted in bitcoin.conf as well? 
14:50 < HM> or anyone 14:50 < HM> txindex=1 14:55 < sipa> yes 14:56 < HM> i'm starting a fresh daemon, i don't want to download twice or rebuild 14:56 < HM> so just -daemon -txindex=1 14:56 < HM> or txindex=1 in .conf 14:56 < sipa> indeed 14:56 < sipa> or -txindex 14:57 < HM> cheers 15:04 < realazthat> oh cool I'll put it there 15:05 < realazthat> does bitcoind respond to rpc calls if its still downloading the chain? 15:07 < HM> seems to real 15:10 < realazthat> kk 15:13 < sipa> realazthat: there is no difference between downloading the chain and not 15:13 < sipa> as you're always trying to catch up 15:14 < realazthat> yeah i figured that; was just running into an error 15:14 < realazthat> turns out it was a 401 unauthorized 15:14 < sipa> some calls are disabled when the client is sure it's nit done yet 15:14 < realazthat> the rpc lib didn't print anything though, it just errored 15:17 < realazthat> ok rpc is working 15:20 < HM> realazthat: you working on a web frontend? 15:20 < realazthat> yeah 15:21 < realazthat> block-explorer-like 15:21 < realazthat> but focused on locally run 15:29 < HM> that's not a bad idea generally 17:24 < realazthat> sipa: ok, gonna be afk for ~24 hrs --- Log closed Sat Mar 30 00:00:12 2013 --- Log opened Sat Mar 30 00:00:12 2013 09:51 < HM> there's a discrepency in the rpc implementation 09:51 < HM> HTTP not authorized returns HTTP/1.0 09:51 < HM> all the requests are HTTP/1.1 09:51 < HM> not that it really matters, since it's not a real http server 09:52 < HM> fixable though 20:45 < jrmithdobbs> why wont startcom issue me a cert with STOPUSINGTHEFUCKINGCNFORVALIDATION as the cn and proper subjectAltNames set? 
20:45 < jrmithdobbs> damn it 20:46 < jrmithdobbs> wanted to try and break stuff using the public pki but need a ca who follows the letter and not the spirit ;p 23:37 < realazthat> sipa: ping 23:38 < sipa> pong 23:39 < realazthat> is there somewhere I can set this up so you can see the results 23:39 < realazthat> like a machine with bitcoind 23:39 < realazthat> (I'm just starting on the actual display of data) 23:43 < sipa> realazthat: post a screenshot? :) 23:43 < realazthat> well its just simple data for now 23:43 < realazthat> what features of blockexplorer do you want me to replicate 23:44 < realazthat> for now I started with the "Most recently mined blocks in the bitcoin block chain" table 23:44 < sipa> i think a block-view that lists transactions, and a transaction-view that shows inputs/outputs of a transaction would be nice 23:45 < realazthat> ok, I'll continue with that 23:48 < sipa> a block-view that needs to request all inputs of all transactions would be quite slow i think, so maybe have that optional 23:49 < realazthat> well it can link to them 23:49 < realazthat> hmm, I'll see how slow it is 23:49 < realazthat> it is indeed slow to do many requests atm, because I am dumping the i/o 23:50 < realazthat> but if I stop that, I'll see how fast/slow it is 23:50 < realazthat> if its a local bitcoind, it might not be so slow 23:50 < realazthat> if it isn't local, then yeah its prolly gonna be slow 23:50 < realazthat> I have my bitcoind running on a lan atm 23:51 < sipa> right, but to compute for example the fee of a transaction, you need its inputs 23:52 < realazthat> ah 23:52 < realazthat> so that multiplies the amount of things you need by a lot 23:53 < sipa> yes, that's why i'd suggest not computing that by default for a block 23:53 < sipa> but for example have a button "show fees and inputs" 23:53 < sipa> that fetches the expensive version 23:53 < realazthat> yeah ok, I'll see 23:53 < realazthat> lots of design wiggle room here, and I'm not 100% sure of 
the rpc API yet 23:54 < sipa> hmm? 23:54 < realazthat> for example, 23:54 < realazthat> I could cache that in a db 23:54 < sipa> i wouldn't do that; at least not initially 23:54 < realazthat> or, delay that field in the table, and have it fetched 23:54 < realazthat> yeah, I am trying to KISS 23:55 < realazthat> so if its hard, for now I'll just leave it out 23:55 < realazthat> wrt API, for example, I don't know how to compute block size 23:55 < realazthat> which is listed in the blockchain.info's table for last k blocks 23:56 < sipa> i wouldn't mind adding that to the getblock RPC call, if it isn't there already 23:56 < realazthat> also, did you notice, block 228851 took > 1hr to compute >OO< 23:56 < realazthat> is that common? 23:56 < sipa> yes 23:56 < realazthat> ok, a lottery with a lot of deviation :D 23:56 < sipa> standard deviation is 10 minutes 23:56 < sipa> but it's not normally distributed 23:57 < realazthat> ok 23:57 < realazthat> also, I am not gonna work on making it fancy at all for now 23:57 < realazthat> no CSS etc. 23:57 < sipa> ACK 23:57 < realazthat> just basically tables of data --- Log closed Sun Mar 31 00:00:13 2013 --- Log opened Sun Mar 31 00:00:13 2013 00:08 < realazthat> sipa: are the block indices used by the API zero-based? 00:08 < realazthat> such that getblockcount() returns top index +1 00:10 < BlueMatt> isnt this more appropriate for #bitcoin-dev or #bitcoin ? 
00:10 < sipa> yeah 00:10 < realazthat> er sorry 01:39 < realazthat> sipa: nvm I think I see a size field 06:38 < realazthat> sipa: ping 06:38 < realazthat> dunno what hours you keep haha 06:39 < realazthat> its 0630 here 06:39 < sipa> don't ask 06:40 < realazthat> lol same 06:40 < realazthat> ok I think I have something to show 06:40 < realazthat> shall I just put the code on github 06:40 < realazthat> and you can check it out yourself 14:53 < jgarzik> Random bitcoin wizards question: 14:54 < jgarzik> Is there any way to have a single bitcoin address, which may receive bitcoins, that is then _guaranteed_ to be divided up and distributed to a pre-specified list of bitcoin addresses? 14:55 < jgarzik> ie. the simple example is "donate to developer group" 14:55 < jgarzik> Clearly you can pay to a single P2SH hash... 14:56 < jgarzik> But what would a redeem script look like... that _split_ the funds? 14:56 < jgarzik> "Any-of-N may redeem" is easy, because the redeemer gets 100% of the funds. 14:56 < jgarzik> But it seems outside the scope/ability of bitcoin to split to the funds 14:56 < gmaxwell> Only e.g. by having a trusted (e.g. TPM) oracle that controls the private key. Alternatively, you could make it a multisig of those people and then they have to agree on the split. 14:57 < jgarzik> Yeah, the best solution I could think of was a bot 14:57 < gmaxwell> But yea, script can't control output values. 14:57 < jgarzik> but not within plain ole bitcoin 14:57 < jgarzik> I need to research US state laws 14:58 < gmaxwell> if we had another address type we could specify an address that encoded N addresses to sendmany to, I suppose. 14:58 < jgarzik> I bet I could find a US state where an escrow bot would be legal 14:58 < jgarzik> nod, something like that 14:58 < gmaxwell> well, as I said, the bot could just be a TPM oracle it might not even know what bitcoin is. 14:59 < sipa> how about a payment request for such a sendmany? 
14:59 < gmaxwell> If the bot is something like: trusted computing enviroment, you send it a script, it generates per-script private keys based on the hash of the script.. then it runs the script. you could send it a script that teaches it how to sign transactions but only if they have the right outputs. 15:00 < gmaxwell> The operator of this thing wouldn't even know it was being used for 'escrow payments'. It's just generic infrastructure. 15:02 < gmaxwell> speaking of that, we got a 10 BTC donation to developers a while back that we should do something with. 15:02 < gmaxwell> (sent to a p2sh of our public keys) 15:24 < jrmithdobbs> dude 18:21 < adam3us> amiller: maybe you could do something with p2sh - if that gives you a way to hash a random value and a 0 or 1 bool 18:28 < warren> cfields: perhaps its time to submit the osx cross gitian as a PR? Mark it "DO NOT COMMIT" at first. More visibility for review? 18:29 < warren> cfields: although please add the equivalent of https://github.com/bitcoin/bitcoin/pull/3191 18:30 < gmaxwell> Note that gavin has had corruption on a newer toolchain, but very rarely. So perhaps _yet another bug_ 18:31 < warren> gmaxwell: with the memory barrier patch? 18:31 < gmaxwell> warren: I am relatively confident that the issue in question doesn't exist in a sufficiently new toolchain. 18:32 < cfields> warren: i got the mac icon fixed... 18:32 < cfields> is it possible that's a regression since .8 branch? 18:32 < warren> cfields: possible, my Bitcoin 0.8 branch has stuff from master 18:32 < Ryan52> maaku, phantomcircuit: no, I just didn't realize moving to 8192 bits was a thing so soon. 18:33 < Ryan52> perhaps obselete for new keys? or not even? 18:33 < warren> Ryan52: you need to edit the gnupg source and rebuild to be able to generate 8192 bit keys 18:34 < cfields> warren: http://pastebin.com/raw.php?i=DdNtY5ia 18:34 < sipa> what is moving to 8192 bits? 18:34 < Ryan52> warren: oh, wow, so you are just super future-proofed. 
18:34 < Ryan52> sipa: gpg keys
18:34 < cfields> yea, that's a regression from the qt5 commit
18:34 < sipa> why not to ECC? :(
18:35 < warren> Ryan52: not really. xkcd 538 is much easier.
18:35 < sipa> but with 8192 bit RSA, even xkcd 538 will be obsolete!
18:36 < warren> The cost of xkcd 538 cracking is constant at any bit length.
18:36 < warren> O(1)
18:36 < Ryan52> heh
--- Log closed Wed Nov 27 00:00:07 2013
--- Log opened Wed Nov 27 00:00:07 2013
--- Day changed Wed Nov 27 2013
01:19 < warren> http://www.pcworld.com/article/2067400/link-between-satoshi-bitcoin-account-and-the-silk-road-dissolves.html
01:19 < warren> jgarzik was quoted.
02:32 < phantomcircuit> 2013-11-27 07:24:42 ProcessMessages(ping, 0 bytes) : Exception 'CDataStream::read() : end of data' caught, normally caused by a message being shorter than its stated length
02:32 < phantomcircuit> 2013-11-27 07:24:42 ProcessMessage(ping, 0 bytes) FAILED
02:32 < phantomcircuit> what the dicks
02:32 < warren> phantomcircuit: there's an entire thread on this
02:33 < warren> phantomcircuit: I found one way to do that by accident too
02:35 < phantomcircuit> well anyways
02:35 < phantomcircuit> this servers connection slots are 100% used
02:35 < phantomcircuit> im going to restart with maxconnections=512
02:35 < warren> phantomcircuit: huh? legit peers?
02:36 < warren> phantomcircuit: wait
02:36 < warren> phantomcircuit: what version of the client?
02:37 < phantomcircuit> master/HEAD
02:37 < phantomcircuit> appear to be legit peers
02:37 < warren> phantomcircuit: https://github.com/litecoin-project/bitcoinomg/commits/0.8.5-OMG5 Use this bitcoin branch. Among other things it has some of the useful debug.log print stuff from master that tells you more information about peers in real-time.
02:37 < warren> oh
02:37 < warren> nm
02:52 < midnightmagic> Nice quote, Shamir: In his email, Shamir said Bitcoin enthusiasts do not like analyses that do "not fully support their beliefs." He also took a swipe at the media.
02:52 < midnightmagic> What an utter, utter jerk.
02:54 < phantomcircuit> lol seriously
02:54 < phantomcircuit> what a retard
03:26 < gmaxwell> Yes, we do not like analyses which do not support our belief in objective reality.
03:48 < BlueMatt> midnightmagic: coming from the guy who originally did an analysis of the "chain html"?
03:49 < BlueMatt> to be fair, no one likes analyses which do not support their own belief in reality...some are willing to accept them, others are fox news
04:07 < sipa> i'm sure the bitcoin community is full of people that don't like analyses that don't support their beliefs
04:08 < sipa> still doesn't mean you should go make claims that are trivially falsifiable with a google search
04:08 < gmaxwell> hah, yes indeed its true in a very empty sense. :) I've lamented the groupthink downvotes I get on reddit. :P
04:09 < warren> BlueMatt: to be fair, it's easy to believe whoever pays your paycheck
04:13 < gmaxwell> even when you think you're trying not to. :(
04:14 < warren> Just create an environment where a 24 hour news network and all your friends agree with you.
04:18 < BlueMatt> gmaxwell: human nature. it sucks.
04:18 < BlueMatt> warren: to be fair, i never said all the people there actually agree, just that they say things...
04:19 < warren> BlueMatt: I know, I was joking.
04:48 < Emcy> still complaining about that paper?
05:08 < _ingsoc> I didn't know about this place.
05:09 < mappum> one mention and 5 people join
05:09 < _ingsoc> xD
05:17 < mappum> gmaxwell: you were saying it's an issue that my PoW is outsourceable, i'm not sure that's actually a problem
05:17 < mappum> as long as the miner can serve the data when requested it's not broken
05:18 < mappum> and what is bad about cloud mining?
05:18 < gmaxwell> mappum: because it means there will only just be one copy of the data in the world at some big pool and thats it.
05:18 < warren> gmaxwell: I was really hoping more people wouldn't join here.
05:19 < petertodd> warren: we should fidelity-bond admission
05:19 < warren> or at least require showing a wizard diploma
05:20 < mappum> Hogwarts class of '11 here
05:20 < gmaxwell> warren: yea, well. It's people flooding #bitcoin-dev with talk about Proof-of-foo functions.
05:21 < gmaxwell> it's material for this channel, though indeed I like it quite in here too. :)
05:21 < petertodd> warren: proof-of-wizard
05:21 < warren> I read that as proof-of-poo
05:21 < warren> and that would have been better
05:21 < gmaxwell> mappum: in any case if you don't think thats a problem then ... maybe it's not.
05:21 < gmaxwell> though if your goal is to achieve good distribution of your data, then I'm afraid you may fail.
05:22 < swulf--> I have a solution I'll try to put up tonight that helps with distribution of data and separates miner/storage requirements
05:23 < swulf--> I have a strategy (I hope) that will incentivize as many people as possible to try and complete to claim the storage for data
05:23 < swulf--> compete*
05:23 < mappum> well part of this is a DHT, and if the work hash included the miner's DHT ID hash, i think it might fix it
05:25 < swulf--> I think a DHT of sorts is a requirement for any service like this
05:25 < gmaxwell> -EWANKDETECTED
05:25 < swulf--> gmaxwell: Yes, my apologies. But I am thoroughly excited about it;)
05:26 < mappum> me too :)
05:26 < warren> If you mention DHT your wizard license is automatically revoked.
05:26 < gmaxwell> nah not you.. sorry, like, I've developed a practice of reflexively ignoring anyone who says DHT. It's usually invoked by people who encounter a problem they don't understand and it really means "magical distributed thingy". Like early physicists invoking god when they encountered something they couldn't explain.
05:27 < Emcy> dht is a great technology though
05:27 < swulf--> I specifically mention using a kademlia network, where hashes of pubkeys are used as node-ids in the network and used to locate and store data.
05:27 < mappum> so you're saying they are magic... that means i'm a wizard?
05:27 < petertodd> mappum: around here wizards understand how their spells work
05:28 < mappum> i understand DHTs well enough
05:28 < petertodd> mappum: then you would know they don't hold up well to attack
05:28 < swulf--> petertodd: why?
05:28 < swulf--> distributed networks are all prone to attacks
05:29 < petertodd> swulf--: yes, which is the beauty of bitcoin systems where you ask very, very, little of the network
05:29 < mappum> i would think it holds up to attacks a lot more than anything that isn't distributed
05:29 < swulf--> petertodd: agreed. but I think in a paid-for kademlia net, you can sign messages saying you have a right to retrieve data.. should alleviate some DoS.
05:30 < mappum> so you mean attackers using a lot of resources? the thing i was talking about that would use that would be fine against that since it requires fees
05:30 < petertodd> mappum: you can play all kinds of games with DHT's, for instance manipulating hashes to cause biases in the key distribution
05:30 < petertodd> mappum: or sybil attacking part of the keyspace and then deleting the data
05:32 < petertodd> mappum: doesn't mean you can't fix this stuff, but in our experience people promoting DHT's don't realize the issues
05:32 < adam3us> kind of surprised at shamir - the guy is a crypto genius, to get suckered into co-authoring such a paper with unsupported claims. about the best they could've said is the 'data doesnt disprove' until the guy stepped forward and provided more data that did disprove!
05:32 < mappum> good point, i'll have to think about that
05:33 < adam3us> dht's usually have extremely poor even non-hostile user characteristics, dht in a byzantine threat environment with real money on the line
05:33 < petertodd> adam3us: "suckered" depends on how much money he got...
05:35 < adam3us> yeah generally i heard he's a nice guy - i mean his profile is like rivest, but he doesnt even charge a fraction of what he could for review work. he's done a ton of cutting edge crypto stuff, in many areas of it. secret sharing, fiat shamir transform, differential cryptanalysis the publication list is huge and usually cutting edge
05:35 < gmaxwell> yea, dht's basically appear to be unworkable in an adversarial environment.
05:36 < petertodd> adam3us: he could be simply naive, or not as sharp as he used to be
05:36 < mappum> don't they hold up well in BitTorrent?
05:36 < gmaxwell> petertodd: you are just young enough that the fact that intellect declines with age doesn't scare you shitless yet.
15:18 < petertodd> in practice for user acceptance you probably want to usually send it in the same or follow-up tx - we can't make this stuff have barriers to usage
15:19 < petertodd> also note that you can't guarantee two separate txs will get mined in any particular order other than by waiting, which users hate...
15:20 < petertodd> and more generally, re-orgs have some nasty traps with this - you probably want to rescan starting at least a dozen blocks behind when you learn of a new chaincode
15:21 < petertodd> I also have my suspicions that for wallets with a lot of keys the original scheme of a straight 1/n-th anonymity set might actually be more scalable - if you end up with 500 incoming payments, all from different people, now you've really got to scan for 500 chain codes + some number of extras; gets ugly quick
15:22 <@gmaxwell> adam3us: yea, but that address was used mostly for computation bragging, not convenience... I don't use it for convenience... but I don't disagree with the argument and even repeated it above.
15:22 < petertodd> this chaincode stuff has a lot of state too on the wallet side...
15:22 <@gmaxwell> I agree having more private one way addresses is good, but the question is how to prevent them from being generally awful to implement.
15:23 < petertodd> gmaxwell: well keep in mind the comparisons to bitcoin: we're using the blockchain as a communications channel, and you have an anonymity set of some fixed % of all traffic.
15:23 <@gmaxwell> oh you went on to say the same stuff, agreed.
15:23 < petertodd> *comparisons to bitmessage
15:24 < petertodd> see, one thing that might help is if you use the op-return ephemeral key as the selector as well, and then communicate a totally random nonce with that to generate a totally random address
15:25 < petertodd> even without fancy chaincodes, and putting the payment in the same tx, with coinjoin you've achieved a lot of your goal of non-linkability via that anonymity set
15:25 < petertodd> not all of it, but a lot
15:26 < petertodd> that does imply we have indexes of op-return scriptPubKeys on a per-block basis, but I have no objection to that
15:40 <@gmaxwell> andytoshi: so when is your coinjoiner going to go back on mainnet?
15:43 < andytoshi> gmaxwell: as soon as i get a SSL cert
15:43 < andytoshi> by end of day today, i didn't realize there was any demand :}
15:44 < andytoshi> actually, i can put it on mainnet now.. it'd just be non-https
15:44 <@gmaxwell> andytoshi: ah, yea, I'd like to try to get some people around #bitcoin-otc doing a weekly organized coinjoin
15:45 < andytoshi> cool, it's just sync'ing now
15:45 <@gmaxwell> andytoshi: as far as the cert goes.. startssl... if you have any problems lemme know and I'll help out.
15:45 < andytoshi> there was a power outage 36 hours ago
15:45 < andytoshi> cool, thx
15:52 < andytoshi> ok, i think in 15 minutes it'll switch to mainnet
15:52 < andytoshi> we'll be able to tell because the donation address will switch over
16:08 < michagogo|cloud> andytoshi: Will it also be tor-accessible?
16:08 < michagogo|cloud> (hidden service, I mean)
16:13 < andytoshi> michagogo|cloud: yeah, i'll set that up
16:14 < andytoshi> the whole testing.wpsoftware.net domain used to be a hidden service actually..i think i didn't set that up when i replaced the server last year tho
16:18 < HM2> i hate ASN1 with a passion
16:34 < kinlo> andytoshi: what's the url for your coinjoiner?
16:35 < andytoshi> http://testing.wpsoftware.net/coinjoin/
16:35 < andytoshi> it says testnet but it is not anymore
16:38 < adam3us> petertodd: "ommunicating a BIP32 chaincode is you make it so the 1/n-th anonymity set only applies to the fact that one of these exchanges was setup at all with a given recipient" yes well that just reveals someone anonymous setup a payment association (chain code) to the identified recipient; doesnt say who did it.
16:48 < CodeShark> cool, andytoshi
16:49 < CodeShark> lol - 1ForFeesAndDonationsSpendHer
16:50 < CodeShark> I tried
16:50 < andytoshi> :P damn checksum..
16:59 < michagogo|cloud> andytoshi: s/Spend/Send/
16:59 < CodeShark> does it support multisignature transactions, andy?
16:59 < michagogo|cloud> one solution
17:00 < andytoshi> CodeShark: pretty sure, yes, it just validates it with bitcoind and my own coinjoin software
17:00 < andytoshi> and both of those are fine with it
17:00 < andytoshi> but to the best of my knowledge nobody has tested it
17:01 < CodeShark> I just did :)
17:01 < CodeShark> well, I submitted one
17:01 < andytoshi> oh, cool, i'll throw a tx in then to join you
17:05 < andytoshi> done
17:05 < andytoshi> thx gmaxwell for the 'force inputs to match outputs' idea, i almost screwed myself
17:05 < andytoshi> and donated too much to my own joiner..
17:06 < CodeShark> so now we wait for 10 minutes?
17:07 < andytoshi> yup
17:07 < andytoshi> i can speed it up by prodding around in the db, but i'd probably fat-finger it, sorry
17:08 < CodeShark> presumably if we had higher volume we could reduce the wait time :)
17:08 < andytoshi> yeah
17:08 < andytoshi> idk if we'll get higher volume, maaku for example is developing a joiner that does automatic negotiation, so users don't have to be fiddling with rawtx's
17:09 < andytoshi> but i suppose i could write a client for my thing too
17:09 < CodeShark> I'm speaking theoretically, of course - this specific implementation needn't be the one that ends up taking off
17:10 < CodeShark> has anyone figured out a solution that doesn't require a server?
17:14 < CodeShark> is there any cryptographic transform that is invertible and commutative?
17:15 < CodeShark> so that ABA^(-1)B^(-1) = Identity?
17:16 < CodeShark> and applying A and A^(-1) requires knowledge of a secret
17:17 < CodeShark> ok, time's up
17:17 < andytoshi> CodeShark: ok, there is a donation to 1ForFeesAndDonationsSpendHerdtWbWy still in there <.<
17:17 < andytoshi> sorry, i'll fix that..
17:17 < CodeShark> hehe
17:18 < CodeShark> we can donate 0.000025 to the vacuum of space :)
17:20 < CodeShark> hmm, we're donating 0.00005 to the vacuum of space, it looks like
17:21 < andytoshi> yeah, it adds all donations to the same output
17:21 < CodeShark> hmm and the scriptSigs have been cleared completely
17:21 < CodeShark> that breaks my multisigner :p
17:21 < andytoshi> yeah, it drops everything when it's merging unsigned transactions
17:21 < andytoshi> really?
17:21 < andytoshi> hmm
17:22 < andytoshi> so, the way it tells when all the signatures have come in is that none of the scriptsigs are blank anymore
17:22 < CodeShark> hmmm - my multisigner cannot, in general, know whether it can sign any transactions unless the public keys are available
17:23 < CodeShark> also, it uses placeholders for signatures so different signers can add signatures
17:23 < CodeShark> I just use a 0-length signature to indicate "unsigned"
17:24 < CodeShark> but keep the keys/redeemscripts
17:26 < CodeShark> the reason for this is that different signing nodes could participate without having to know anything about how the p2sh addresses were generated
17:28 < CodeShark> if you can replace the scriptSig of my input with what I had originally submitted, I'll sign it:)
17:28 < CodeShark> I guess I could replace it on my end
17:29 < andytoshi> well, i've gotta fix the donation address thing
17:30 < andytoshi> then i'll think about what to do about scriptsigs...my assumption was that anything in there was just noise
17:30 < andytoshi> since if somebody had signed something, the signature would be invalid after joining
17:31 < CodeShark> inputs in general contain more than just signatures - it would be nice to have a separate field in the input just for signatures rather than just pushing them on a stack
17:31 < CodeShark> this is especially true for p2sh transactions
17:31 < andytoshi> yeah, bad assumption on my part
17:36 <@gmaxwell> petertodd: instead of using the signer's public key, perhaps use his r value (as its the x coord for k*G). This has an advantage of working for more transaction types, and also if the sender is reusing addresses it wouldn't cause reuse for payments to the same thing.
17:40 < andytoshi> CodeShark: this is a weird bug, it is failing to read the last byte of the address when it calculates the scriptpubkey of the donation address
17:41 < andytoshi> so the length is wrong and i'm also missing a byte
17:41 < andytoshi> but the logic looks correct and it worked with testnet <.<
17:42 < phantomcircuit> so it occurs to me that the behavior of IsConfirmed is already broken
17:42 < phantomcircuit> and simply removing the unconfirmed dependency checking is probably optimal
17:44 < andytoshi> oh, i see, i'm popping an entire byte to remove the version field .. but i guess that's not right .. i need to look up what i'm doing with these addresses
17:48 < CodeShark> so nobody has an answer for my earlier question? is there a cryptographic transform that has an inverse and is commutative such that ABA^(-1)B^(-1) = identity? gmaxwell? petertodd? :)
17:49 < CodeShark> I guess exponentiation...
17:49 < andytoshi> i think what you're asking describes blind signature schemes
17:49 < CodeShark> yeah :)
17:50 < CodeShark> so yeah, I suppose we can use exponentiation, where the inverses here are modulo phi(field modulus)
17:50 < andytoshi> so, the wiki article on that has an example using RSA, and there is an entry on matthew green's blog about ecc
17:50 < andytoshi> http://blog.cryptographyengineering.com/p/note-on-blind-signature-schemes.html
17:50 <@gmaxwell> CodeShark: just addition in EC groups works. (with the modular inverse to undo)
17:51 < CodeShark> right
17:54 < adam3us> andytoshi: there is an ec schnorr blind sig also
17:54 < adam3us> andytoshi: but no ecdsa one. there is a horrendously complex dsa one.
17:54 < CodeShark> so the only part remaining to solve for decentralized coinjoin is peer discovery
19:08 < phantomcircuit> i've come to the point that i want to use raw transactions to effectively get a two phase commit
19:08 < gmaxwell> phantomcircuit: separate the sign from the send and make it in the database before you send?
19:08 < phantomcircuit> currently what im doing is setting the transfer to processing, calling sendtoaddress and updating with the transaction result
19:09 < phantomcircuit> however if there is a failure after sendtoaddress but before the request is updated
19:09 < phantomcircuit> then i have to manually go in and fix it
19:09 < phantomcircuit> so my question is
19:09 < phantomcircuit> is there a way to get bitcoind to do the output selection
19:09 < gmaxwell> right, so you want a sendmany that returns a raw transaction? then you can call sign on it, write it to your database.. then send it?
19:09 < phantomcircuit> gmaxwell, yeah
19:10 < phantomcircuit> well except im using sendtoaddress since there's very rarely transactions that can be grouped
19:10 < gmaxwell> yea but you can sendmany with just one output.
19:10 < phantomcircuit> yeah
19:10 < gmaxwell> I would have done that already except we @#$@# call signing inside the coin selection innerloop. Which is retarded. If you feel like fixing that, the rpc would be really easy to write.
19:11 < gmaxwell> Though I think it should just be a sendmanyraw or a flag to sendmany that lets it output the raw txn.
19:11 < nanotube> midnightmagic: scrollback in this channel. :)
19:12 < phantomcircuit> gmaxwell, well the returned tx would optimally be signed already
19:12 < jrmithdobbs> gmaxwell: that rommixmc thing is interesting and similar to my "fix" for scrypt that i haven't had time to work on since last i talked to you about it, haha
19:12 < midnightmagic> nanotube: thanks man
19:12 < phantomcircuit> signed but not committed to the wallet.dat database yet
19:12 < jrmithdobbs> gmaxwell: that is a very cool solution
19:13 < gmaxwell> phantomcircuit: for your usage, but not signing it is more general. What if your online wallet was locked.. and your unlocked wallet was not "online" ? e.g. just rs232 connected box or something.
19:13 < phantomcircuit> gmaxwell, ah
19:13 < phantomcircuit> yeah i guess that's true
19:13 < gmaxwell> phantomcircuit: the cost of not signing it is that you have to make another rpc roundtrip, pretty mild cost.
19:14 < phantomcircuit> well the primary cost is that i have to fix the coinselection stuff
19:14 < jrmithdobbs> gmaxwell: Catena still doesn't address the dependency on sha2 for the first obfuscation though unless i'm missing something =/
19:14 < phantomcircuit> where as right now i could probably add a flag to sendmany to not broadcast/save to the wallet
19:15 < nanotube> midnightmagic: starting about 2200 my time on sep 8. :)
19:15 < jrmithdobbs> gmaxwell: sorry, responding to something from like 2 days ago :)
19:15 < gmaxwell> yep. The problem isn't fundamentally hard. The signature will only have four possible sizes: compressed, uncompressed, p2pubkey compressed, p2pubkey uncompressed, (assuming that you just approximate the size by rounding up.
19:15 < gmaxwell> jrmithdobbs: yea its fine I knew what you were responding to.
19:16 < gmaxwell> jrmithdobbs: I thought the recommendation on Catena was just use sha3 all over.
19:16 < jrmithdobbs> gmaxwell: their splitting of client/server work is very much in the same line of thinking i was going down, makes me wish I had time to go back to that before the PHC deadline cause that's nice confirmation i was on to something ;p
19:16 < Luke-Jr> jrmithdobbs: you have a "fix" for scrypt?
19:17 < jrmithdobbs> Luke-Jr: i have a set of improvements i've been toying about with for almost a year now, yes
19:17 < Luke-Jr> jrmithdobbs: does it make it a viable POW?
19:17 < jrmithdobbs> part of it was trying to address the cache timing attack the Catena guys address, in fact
19:17 < gmaxwell> and I was pointing Catena out to jrmithdobbs because I knew that he was concerned with some of the things it addresses.
19:18 < jrmithdobbs> gmaxwell: i don't see how sha3 is all that much better suited other than we don't know it's issues yet =/
19:18 < jrmithdobbs> i mean it's obviously better than using sha3 for the task
19:18 < jrmithdobbs> but ...
19:18 < jrmithdobbs> err better than using sha2*
19:18 < gmaxwell> jrmithdobbs: really any function is suited. Nothing busted in the last 20 years has been busted so much to harm its usage as a kdf.
19:18 < gmaxwell> (any cryptographic hash)
19:19 < jrmithdobbs> gmaxwell: that's true, md5 is still usable for that in most scenarios
19:19 < jrmithdobbs> not recommended, but realistically, it's usable
19:19 < gmaxwell> s/most/all/ really. md4 would be fine too. Better to use something better... but.
19:20 < jrmithdobbs> gmaxwell: if you have access to enough key samples for some reason md4/5 could be problematic, no?
19:20 < gmaxwell> I don't think so, not after you've iterated them thousands of times.
19:20 < jrmithdobbs> but yes, anyways, i'll concede your point ;p
19:20 < phantomcircuit> i love that most CA root certs are md2
19:20 < jrmithdobbs> that line of thinking just makes me feel dirty
19:21 < jrmithdobbs> because it reeks of situations like with the people with "credibility" telling people to revert to 20-year-old-known-broken-to-statistical-analysis ciphers for a half a decade so the nsa can log all our traffic =/
19:21 < gmaxwell> I'm really excited about the asymmetric memoryhard trapdoor proof of work I came up with this morning.. though I worry the validation will be too slow.
19:21 < jrmithdobbs> (fuckin rc4)
19:21 < gmaxwell> yea... wtf well.. ssl is a cluter@#$@ in general.
19:22 < jrmithdobbs> anyways, back to work
19:22 < jrmithdobbs> gmaxwell: i'm gonna read over that a few more times, there's good work there (Catena)
19:23 < phantomcircuit> damn
19:23 < jrmithdobbs> nice to see someone besides the scrypt guy looking at the problem. not enough people are
19:23 < phantomcircuit> my 2TB external hdd is full
19:23 < phantomcircuit> >.>
19:23 < gmaxwell> now the problem with Catena is that it's new. :(
19:23 < jrmithdobbs> gmaxwell: it's not though
19:23 < jrmithdobbs> gmaxwell: it's a modified rommix with a different hash
19:23 < gmaxwell> scrypt was finally getting old enough to get people to accept it, and now we have a new version.
19:23 < gmaxwell> I know.
19:24 < jrmithdobbs> true
19:24 < gmaxwell> I did read the paper. I love it. Its a big improvement IMO.
19:24 < jrmithdobbs> and scrypt wasn't "new" either
19:24 < jrmithdobbs> it was old stuff applied in a novel way
19:24 < phantomcircuit> that's new
19:24 < phantomcircuit> :)
19:24 < jrmithdobbs> scrypt was really just modernized bcrypt with more long term thinking and a better cipher behind it, if you look at it
19:25 < jrmithdobbs> the basic construction isn't very novel (it's cool, don't get me wrong ;p)
19:25 < gmaxwell> well no, the romix idea was novel. Also Catena still doesn't go quite far enough.
19:25 < gmaxwell> e.g. it doesn't make optimal use of the memory hierarchy.
19:25 < jrmithdobbs> it also still reveals too much to the authenticating party imho
19:26 < jrmithdobbs> but that's a bigger problem
19:26 < jrmithdobbs> (I don't think the authenticating party should ever have the hash)
19:26 < gmaxwell> ideally such a function would achieve optimal speed only if you had a given ratio of adder speed to l2 cache speed to memory speed.
19:27 < jrmithdobbs> and once you start needing to think about that portability kind of goes out the window for the simple solutions
19:27 < jrmithdobbs> but isn't optimized portable code an oxymoron?
19:28 < jrmithdobbs> gmaxwell: also why do they recommend keccak and not blake2? if you're trying to avoid cache timing issues isn't reusing salsacore as much as you can one of the best things you can do?
19:29 < jrmithdobbs> if it's all re-referencing the same damned code the code doesn't get kicked out of cache, after all
19:29 < jrmithdobbs> or at least, it's harder to forcibly evict
19:30 < gmaxwell> it doesn't matter if its kicked out of cache, the access pattern is not data dependent.
19:34 < jrmithdobbs> oh bleh, that's right it's timing on the data access not code segments, i'm going to run instead of saying stupid shit on the internet in my prednisone fueled mania
19:34 < jrmithdobbs> ;p
19:34 < jrmithdobbs> and by run
19:34 < jrmithdobbs> i mean physically
19:47 < phantomcircuit> i just realized something
19:47 < phantomcircuit> i can just copy this desktops hdd into a vm
19:47 < phantomcircuit> derp
19:48 < phantomcircuit> obvious solution is obvious
19:48 < phantomcircuit> sorry totally off topic
20:23 < nanotube> anyone care to test if my bitcoind hidden service is visible? gb5ypqt63du3wfhn.onion
20:31 < gmaxwell> 2013-09-11 00:26:20 receive version message: version 70001, blocks=257216, us=5yljdotwhmx65nlk.onion:8333, them=gb5ypqt63du3wfhn.onion:8333, peer=127.0.0.1:58807
20:31 < gmaxwell> so you're working and sending out the right address in your version message.
20:32 < nanotube> cool. :)
20:32 < nanotube> i have your node in addnode
20:33 < nanotube> my guess is it isn't currently possible, but it probably should - to set connection limits separately for tor and non-tor.
20:33 < nanotube> to ensure an active tor-nontor bridge
20:33 < nanotube> otherwise given the relative paucity of tor nodes, it could be that all slots can be eaten up by nontor nodes and you lose the tor bridge
20:33 < nanotube> ?
20:33 < jrmithdobbs> nanotube: it's possible in that you can give a list of known nodes as -connect/-seed nodes
20:34 < jrmithdobbs> so long as all of them in your list don't drop at once ...
20:34 < nanotube> right, but let's say tor hiccups and you lose all tor connections, slots fill up...
20:34 < nanotube> then tor comes back up but you're cut fof.
20:34 < nanotube> off
20:34 < phantomcircuit> nanotube, connect reserves the slot for outbound connections
18:28 < phantomcircuit> bitch is crazyyyy
18:29 < MC1984> are you amused or harassed
18:29 < gmaxwell> phantomcircuit: you should tell her that you paid her but {pick a victim} took the money.
18:29 < phantomcircuit> MC1984, mostly amused
18:29 < phantomcircuit> if she continues im going to call the police and have her deported
18:30 < MC1984> all good fun then
18:30 < phantomcircuit> she's a uk national on a fiance visa
18:30 < phantomcircuit> if she has any negative contact with the police she is immediately deported
18:30 < phantomcircuit> but that would just make her even more angry
18:30 < MC1984> what if something got lost between britcoin>intersango or something
18:30 < phantomcircuit> so tradeoffs in life
18:30 < phantomcircuit> MC1984, im pretty sure i have all the bank records
18:31 < MC1984> invite her to sue then
18:31 < phantomcircuit> MC1984, god i dont want to actually deal with that shit
18:31 < phantomcircuit> but yeah i think that's what i have to do
18:31 < MC1984> can you countersue in the uk
18:32 < phantomcircuit> MC1984, she's in like florida or georgia or something
18:32 < phantomcircuit> so yeah i could pretty much ruin her
18:32 < phantomcircuit> but really who wants to ruin a crazy lady who would then have nothing better to do than direct even more crazy at you
18:32 < MC1984> well
18:32 < MC1984> fair warning and all that
18:33 < gmaxwell> MC1984: if she gets deported back to the UK she'll likely have even more free time to bug him.
18:34 < MC1984> tru
18:36 < Emcy> oh nice
18:36 < phantomcircuit> gmaxwell, exactly
18:36 < Emcy> just grouped this nick
18:36 < Emcy> henceforth i am Emcy
18:36 < phantomcircuit> actually at this point she's probably gone past the point of harassment and is well within terroristic threats
18:36 < phantomcircuit> which would mean jail time
18:36 < phantomcircuit> but she'd still be crazy
18:36 < phantomcircuit> just even more angry
18:38 < gmaxwell> there should be a service that you can hire that redirects the crazy people to be mad at them, or better, fictitious persons they create just for that purpose.
18:38 < Emcy> terroristic rly
18:38 < Emcy> anyone seen the complaint letter generator thing?
18:38 < phantomcircuit> Emcy, it's a deceptive term us lawenforcement uses to mean threatening to commit a crime against someone
18:38 < Emcy> had a few people on forums with that
18:39 < phantomcircuit> gmaxwell, that's actually a really good idea
18:39 < Emcy> well still, dont perpetuate it
18:39 < Emcy> its one of the worst things to happen in the last 10 or 15 years
18:40 < phantomcircuit> Emcy, sure except in this case she is literally threatening to kill me
18:41 < Emcy> well yeah but is that legit terrifying
18:42 < Emcy> like, what happened to just threats of harm
18:42 < Emcy> over here you have all the rights in the world when dealing with police, unless he "suspects you of terroristic activity", and then youre his pet for the next while
18:42 < phantomcircuit> Emcy, i have literally thought about what i would do if she broke into my house and tried to kill me
18:42 < Emcy> its not right
18:43 < phantomcircuit> so yes
18:43 < phantomcircuit> yes it is
18:43 < Emcy> get a gun?
18:43 < phantomcircuit> i've moved
18:43 < phantomcircuit> cant find me now
18:44 < adam3us> https://twitter.com/adam3us/status/401492797846335488
18:44 < adam3us> @DataTranslator seems like PR distinction: Coin Validation is trying to fan viral run on fungibility by businesses. But *they* dont police.
18:45 < phantomcircuit> that's a large part of why she's mostly just annoying
18:46 < gmaxwell> phantomcircuit: you still in the bay area?
18:46 < phantomcircuit> gmaxwell, nope
18:46 < phantomcircuit> i moved to a loverly place where i can carry a concealed firearm 24/7
18:46 < phantomcircuit> and will be doing so shortly
18:48 < Emcy> you handled weapons before?
18:49 < phantomcircuit> Emcy, nope
18:49 < adam3us> man we've so got to fix fungibility
18:49 < phantomcircuit> have a ccw course scheduled and will tell them it's not a joke
18:49 < adam3us> & talk some sense into Yifo & Coin Validation
18:50 < phantomcircuit> adam3us, no
18:50 < phantomcircuit> just leave them alone
18:50 < phantomcircuit> the more you talk about them the more credibility you give them
18:51 < adam3us> phantomcircuit: do you think they realize how dangerous to fungibility and bitcoin continued existence that they are doing is? i mean they dont actually want to kill it or they have no business to validate
18:51 < phantomcircuit> adam3us, my first guess would be yes
18:51 < sipa> look at it this way: if business believe what they're selling is useful, cryptocurrencies like bitcoin have probably little chance of surviving (at least in its original fungible spirit)
18:52 < phantomcircuit> and they're just being dicks
18:52 < Emcy> meanwhile in britain
18:52 < Emcy> breadknives come with an 18+ warning
18:52 < adam3us> phantomcircuit: or maybe they do know and Gifu is just the tech sucker/grunt in a bigger scheme
18:52 < phantomcircuit> Emcy, yeah well if you fucks would stop stabbing each other...
18:52 < sipa> but if we're just ignoring them, i think the chance of them just silently being forgotten increases
18:52 < gmaxwell> Yea, I don't see any reason to debate with them... we should just moot them.
18:52 < Emcy> phantomcircuit thats mostly london
18:52 < gmaxwell> arguing with them gives them credibility.
18:52 < phantomcircuit> Emcy, lol i was kidding
18:53 < gmaxwell> if no one responded a lot of people would just think "bitcoin is anonymous so what you're suggesting can't work!"
18:53 < adam3us> have to educate bitcoin biz people i bet there are enough of them who dont understand the fungibility risks
18:53 < sipa> adam3us: agree there
18:53 < gmaxwell> then again, yifu has probably ripped off enough miners at this point to fund this effort for a long time. :(
18:53 < Emcy> well i would not want my countrymen to have firearms any way. It would be a mostly accidental bloodbath
18:54 < sipa> adam3us: but doing it as a reaction to the co-invalidation thing is not the right signal
18:54 < adam3us> gmaxwell: i think its more likely this mellon trust fund guy thats funding the gig
18:54 < kill\switch> Which one does the PR videos on weusecoins? I forget the nick, he's on IRC
18:54 < phantomcircuit> gmaxwell, i dont even know what he did
18:54 < sipa> kill\switch: justmoon made that site, a long time ago, before he was at opencoin
18:54 < phantomcircuit> i dont think he did the videos though
18:54 < kill\switch> I think a PR video series about fungibility basics would go far to making the case for 'normal' people
18:54 < phantomcircuit> he paid someone to do it
18:55 < sipa> yes, there was a crowdfunding for the video
18:55 < jrmithdobbs> the weusecoins guy? ya he paid someone
18:55 < adam3us> kill\switch: that sounds like a good idea
18:55 < jrmithdobbs> it was like the only bounty that ever actually got paid i think
18:55 < jrmithdobbs> ha
18:55 < sipa> and the wallet.dat file was subsequently lost...
18:55 < gmaxwell> sipa: and the video only used like half of the raised funds, and the rest were lost.
18:56 < jrmithdobbs> ya that too
18:56 < gmaxwell> I think they lost over 5000 btc if I was remembering correctly.
18:56 < sipa> IIRC it was something like 7k BTC
18:56 < jrmithdobbs> nah it was 5000 usd
18:56 < gmaxwell> if you average our opinions ... :P
18:57 < sipa> https://bitcointalk.org/index.php?topic=83794.0#post_toc_19
18:57 < sipa> 7000 BTC
18:58 < phantomcircuit> aahah
18:59 < phantomcircuit> man i forgot how much btc was taken in mybitcoin
18:59 < phantomcircuit> 78k
19:02 < sipa> cdecker lost 9k BTC? :o
19:02 < sipa> i never knew
19:03 < gmaxwell> Its interesting that it lists the mooncoin thing and not the reorg attacks on mooncoin, cdouble's exchange, etc.
19:04 < gmaxwell> (several exchanges were attacked with reorgs and timewarps on altcoins used to empty their orderbooks and walk with bitcoins around that time)
19:04 < gmaxwell> bitscalper lol
19:04 < gmaxwell> that was funny.
19:05 < gmaxwell> the story there is incomplete. the site was woefully insecure, some speculated it was intentionally so to cover up for it being a scam.
19:08 < gmaxwell> " The thief is still unknown at this point, but the theft has supposedly been entirely returned" .. facepalm
19:09 < gmaxwell> whoever wrote this was far too kind
19:10 < sipa> where do you read that?
19:10 < sipa> Victim: Users of Bitscalper
19:10 < sipa> Status: MiningBuddy (bitcointalk.org user) attempted to reorganize bitscalper, but failed. No coins have been returned at all.
19:10 < sipa> ah bitcoinica
19:10 < gmaxwell> in that thread.
19:12 < gmaxwell> in the bitcoinica final theft the funds went through several places all provably linked to Zhou. Finally ending up in an exchange account owned by zhou on another exchange. Which were frozen when they tried to withdraw them. Then magically zhou realized the thief must be a mysterious friend of his and 'brokered' a deal that the funds would be returned if the investigation was ended.
19:13 < gmaxwell> but we have no idea who the thief was...
19:13 < gmaxwell> :P
19:18 < Emcy> its impressive for a 14 year old
--- Log closed Sat Nov 16 00:00:52 2013
--- Log opened Sat Nov 16 00:00:52 2013
00:43 < midnightmagic> I thought he was 17.
00:44 < midnightmagic> Anyway his family was/is privileged.
00:46 < gmaxwell> I always assumed he wasn't actually that young, but it was instead just the friendly disreputability layered on to prevent people from noticing the deeper rot.
03:24 < adam3us> gmaxwell: morning: dreaming about EdDSA - i think it should work for split key etc. djb et al have only placed restrictions on d as d is random k with a few bits 0d. So then d1G+d2G=dG where d1+d2=d mod n
03:25 < adam3us> gmaxwell: further the compression of R has to be optional - you can decompress it so thats just wire compression unrelated to the sig scheme
12:17 < HM_> (rather than "scalar" point multiplication)
12:17 < HM_> mind boggles. g1 x g2 x g3
12:20 < HM_> so I*[g1]^x in the notation i'm looking at would be X_Coord_of(PointMul(x, g1)) mod n, multiplied by I
12:20 < HM_> in EC terms
12:31 < HM_> I guess as long as it's commutative and has the mathematical properties you want, it doesn't matter how you encode a point
15:25 < gmaxwell> This might be of some idle amusement:
15:25 < gmaxwell> 12:21 < mjg59> How much real money would it cost for me to be able to back up 10GB of content into the bitcoin block chain?
15:25 < gmaxwell> 12:22 < mjg59> I'm looking to have cheap replicated backups
15:26 < gmaxwell> (mjg59 is Matthew Garrett, well known linux person who now works at https://www.nebula.com/ )
15:27 < amiller_> lol
15:28 < petertodd> nice
15:29 < petertodd> tell him ~$1000 to $10,000
15:30 < gmaxwell> petertodd: thats not realistic.
15:31 < gmaxwell> It would take 70 days of full blocks to do it. It would be blocked long before then.
15:31 < petertodd> I never said how long
15:31 < gmaxwell> And so you'd need to factor in the cost of paying someone to work around the block or buying astroturfing to prevent the blocking.
15:31 < petertodd> Those are, IIRC, the numbers for a mechanism that's tricky to block.
15:32 < gmaxwell> ah, well, then that would take a long time indeed.
15:32 < petertodd> yeah, takes forever, but in theory it's doable
15:33 < petertodd> more likely by the time you're 10% done you'll find that fee competition is an issue
15:33 < petertodd> simply because other people get the "bright idea"
16:09 < jgarzik> would be an excellent faq / blog post
16:09 < jgarzik> answering that question, both time and cost
16:10 < petertodd> yeah, and stress that if people start actually doing that, the cost is going to go way, way up
17:12 < amiller_> is there a good way of slowing down the tx processing time
17:12 < amiller_> like making a costly to validate transaction using only standard tx
17:12 < amiller_> the best i can think of is just to have a bunch of txinputs in separate transactions and try to hurt the leveldb but it's hard to imagine it taking very long
17:13 < amiller_> or to have only one invalid transaction signature and hopefully it's the last one validated
17:17 < gmaxwell> CHECKSIG CHECKSIG CHECKSIG CHECKSIG CHECKSIG CHECKSIG CHECKSIG CHECKSIG CHECKSIG
17:17 < gmaxwell> but we deal with that.
17:17 < jgarzik> heh
17:22 < amiller_> that's not a standard tx is it?
17:23 < amiller_> and how is that dealt with
17:23 < amiller_> "// Support up to x-of-3 multisig txns as standard"
17:30 < gmaxwell> the maximum number of checksig operations per block is limited... and anyone accepting non-standard txn should hopefully be smart about not letting a single txn use up their quota.
17:37 < jgarzik> that level of smart is absent in mining right now
17:38 < gmaxwell> yea, but so is accepting non-standard txn generally.
18:37 < amiller_> i'm not interested in per block so much as for mempool
18:38 < gmaxwell> Protected by IsStandard
--- Log closed Tue Jun 25 00:00:15 2013
--- Log opened Tue Jun 25 00:00:15 2013
--- Log closed Wed Jun 26 00:00:18 2013
--- Log opened Wed Jun 26 00:00:18 2013
--- Log closed Thu Jun 27 00:00:21 2013
--- Log opened Thu Jun 27 00:00:21 2013
--- Log closed Thu Jun 27 03:30:08 2013
--- Log opened Thu Jun 27 03:30:26 2013
--- Log closed Thu Jun 27 17:55:35 2013
--- Log opened Thu Jun 27 17:56:18 2013
22:51 * jgarzik sends a draft of the decentralized identity sacrifice protocol off to petertodd
23:20 * jgarzik also tries to figure out some semi-decentralized method of conducting an ebay auction, where buyers bid ever-increasing amounts with proven funds
23:28 < petertodd> #2 sounds really similar to the fee auction process you know...
23:28 < petertodd> but we don't have the ability (yet) to lock a txout in any way which makes an in-Bitcoin port tough
23:29 < Luke-Jr> sounds easy enough?
23:30 < Luke-Jr> the seller can just publish an output which is used as an input to bids
23:30 < Luke-Jr> bidders sign transactions consuming it
23:30 < Luke-Jr> seller only signs the one winner
23:31 < petertodd> you mean a multisig output?
23:33 < petertodd> ah, I see, the output is to ensure only one tx, IE bid, can go through, simple enough
23:35 < Luke-Jr> yep
23:35 < gmaxwell> on the subject of random crypto protocols, I came up with one so that a movie renting place could rent you a single movie while learning nothing about which of the movies they loan is the one you picked.
23:36 < gmaxwell> (I came up with it on the spot when I was explaining to someone how funny crypto things like you make trustless protocols for things that model relationships people want to have and they suggested keeping your movie preferences private as an example)
23:37 < Luke-Jr> haha, that's the opposite direction rental businesses want to go I think :P
23:38 < gmaxwell> (You encrypt all the movies and give them to them; you also encrypt all the movie keys with homomorphic encryption and give them all the E(Renter_key,K)s. They pick the movie they want and compute E(rentee_key,E(Renter_key,K)) for the movie they want and then ask you to decrypt it.)
23:38 < gmaxwell> (and you only decrypt one key for them)
23:39 < realazthat> you can still eavesdrop which they download though
23:39 < petertodd> jgarzik: re decen identity: you seem like you have a protocol that doesn't create a strong proof after the fact that the sacrifice was genuine
23:39 < realazthat> unless they download all of them
23:39 < petertodd> jgarzik: it's almost but not quite a proper announce-commit
23:40 < realazthat> erm
23:40 < realazthat> I was thinking of a similar scheme
23:40 < realazthat> nvm
23:41 < realazthat> in ur case you stated they get them all
23:41 < gmaxwell> realazthat: yes, they get them all. I do not know of a way to do an _efficient_ oblivious database where the reader and writer are different parties.
23:42 < petertodd> Luke-Jr: nah, gmaxwell's protocol still works for that: just give people the *option* of using this fancy feature, if they do, they're almost certainly renting Enemy of the State
23:42 < petertodd> realazthat: use a DHT
23:42 < gmaxwell> Luke-Jr: well part of my point is that one of the reasons businesses go the route of watching everything is that it's easiest to do that, and "impossible" for a superior business partner to prove that they aren't.
23:43 < Luke-Jr> gmaxwell: it's also useful information
23:43 < gmaxwell> Except with cryptographic protocols a superior business partner can actually prove that they're not, and perhaps benefit from their superiority.
23:43 < Luke-Jr> gmaxwell: I often wish someone did some analysis of anime preferences, and recommended me ones I'm likely to enjoy
23:43 < gmaxwell> (Privacy is like the worst lemon market that there ever was)
23:43 < realazthat> lol
23:44 < gmaxwell> Luke-Jr: sure. I use movielens for things like that. But there is no need to force you into analysis which: doesn't benefit you, which loses more than it strictly needs to etc...
23:44 < gmaxwell> (http://movielens.umn.edu/login)
23:45 < Luke-Jr> gmaxwell: without enough sample data, it won't work
23:45 < gmaxwell> e.g. nothing would stop you from also submitting your movie preferences to another party perhaps behind a pseudonym even automatically. So then no one learns more than they need to and the party learning movie preferences is actually providing you with a useful service.
23:46 < gmaxwell> vs the renter doing it, and which they may just be selling the data to someone who wants to make a list of people with various politics in order to oppress or what have you.
23:56 < Luke-Jr> gmaxwell: I can't even find 5 movies I've seen -.-
23:56 < gmaxwell> hah
23:57 < gmaxwell> on movie lens?
23:57 < gmaxwell> "You've rated 371 movies." .. and there are a bunch I've seen but haven't rated because I don't remember them well enough to give them a rating.
23:58 < petertodd> needs a new rating: "Didn't rate; probably sucks"
23:58 < gmaxwell> I emailed them and pointed out that in the netflix data that saw vs not-saw actually had most of the predictive power.
23:59 < gmaxwell> (and suggested they add a "dunno; but I saw it")
23:59 < gmaxwell> but they didn't respond. :(
23:59 < gmaxwell> A "I made a conscious decision not to watch this" would be interesting too, I expect.
23:59 < petertodd> heh, maybe that's already mostly what their algorithm actually is...
--- Log closed Fri Jun 28 00:00:31 2013
--- Log opened Fri Jun 28 00:00:31 2013
--- Day changed Fri Jun 28 2013
00:00 < gmaxwell> petertodd: I expect it actually is I mean, thats basically what a linear SVM trained on the netflix prize data produces: a model that predicts what you'll like based on what you've seen regardless of your rating.
00:00 < Luke-Jr> gmaxwell: yeah
00:01 < gmaxwell> but sadly the fact that it forces you to rate means that people provide less data than they could.
00:01 < Luke-Jr> still stuck at 4 movies x.x
00:01 < Luke-Jr> wtf, they have Q: The Winged Serpent, but not the Tron sequel?
00:02 < gmaxwell> E.g. right now it suggests that I watch "Legend" which is like ... from the mid 80s. I've seen it and assume I didn't hate it, but I can't usefully rate it.
00:02 < gmaxwell> they have the tron sequel
00:02 < gmaxwell> http://movielens.umn.edu/movieDetail?movieId=82461
00:02 < Luke-Jr> the initial entry needs a search >.>
00:04 < Luke-Jr> grr
00:04 < Luke-Jr> the search from that page won't work until I find 15 either
00:05 < gmaxwell> turn off exclude movies without predictions?
00:06 < Luke-Jr> no, it's the "MovieLens needs at least 15 ratings from you to generate predictions for you." screen
00:06 < Luke-Jr> grr, I missed Short Circuit
00:08 < gmaxwell> I've seen a bunch of good weird movies because of movie lens.
00:08 < jgarzik> petertodd, how so?
00:08 < Luke-Jr> Live Nude Girls (1995) lolwut
20:35 < phantomcircuit> gwillen, no no, he's saying that not only does it not flush
20:35 < phantomcircuit> but it DROPS the dirty pages
20:35 < gwillen> right
20:35 < gwillen> yeah, sorry, I mean, not flushing but keeping things pending would be okay
20:35 < gwillen> but dropping them is really odd
20:35 < phantomcircuit> yeah that sounds strongly like a bug in os x
20:35 < phantomcircuit> which is what i've assumed all along
20:36 < gwillen> well, evidently posix doesn't require it to do anything useful
20:36 < phantomcircuit> apple gaming the fuck out of benchmarks basically
20:36 < cfields> yea, the spec doesn't say it needs to flush. in fact, one of the docs explicitly says you need to msync() for that
20:36 < cfields> s/spec/bsd docs/
20:36 < phantomcircuit> right
20:36 < phantomcircuit> if im reading this right, he's saying that not only do they not flush, they also drop the dirty pages entirely
20:37 < phantomcircuit> like they have a separate page cache for mmap than from normal file io or something bizarre
20:40 < phantomcircuit> my guess is that there is some small pool of memory in the mmap subsystem which is used to buffer changes to the page cache that is dropped when munmap is called
20:41 < cfields> imo that's not the case...
20:42 < cfields> my theory was that there's a quick write, then a quick read. The read comes from an fd on osx rather than mmapping. So the last write may not be on-disk yet, since it's still showing the zeroed region
20:43 < phantomcircuit> hmm maybe
20:47 < warren> "His victory speech"
20:47 < warren> heh
20:50 < midnightmagic> cfields: You're talking about this from msync(2)?: Filesystem operations on a file that is mapped for shared modifications are unpredictable except after an msync(). ?
20:50 < cfields> yea
20:50 < phantomcircuit> actually thinking about it iirc you can only get like 50k write() syscalls/second
20:51 < phantomcircuit> so i can see how that would be a limiting factor
20:51 < phantomcircuit> except leveldb is single threaded so an inmemory buffer with a timer should work well enough
20:51 < phantomcircuit> er i mean no it's not
20:52 < phantomcircuit> but a thread with the end of the journal that gets flushed when it's a certain size or after it's 500ms old or something
20:52 < midnightmagic> phantomcircuit: the better alternative is to use scatter/gather and iovec structs
20:52 < cfields> hmm, wait a sec
20:53 < midnightmagic> then individual syscall overhead is reduced (ideally) and the structs can sometimes be utilized by underlying storage subsystems to speed up their own writes.
20:53 < phantomcircuit> midnightmagic, sure but that's not going to be obviously platform independent :)
20:53 < gmaxwell> gwillen: cc-*-4.0 has extended the patent badness into all creative commons licenses now, fwiw.
20:53 < midnightmagic> dirty internal page caches when flushed to disk in multiples shouldn't be done with plain write()s
20:53 < phantomcircuit> (which is the fundamental issue here)
20:54 < gmaxwell> gwillen: thank universities for that one, mostly.
20:54 < midnightmagic> phantomcircuit: huh? why isn't it portable?
20:54 < midnightmagic> we only care about bsd/linux/windows/osx right?
20:54 < gwillen> gmaxwell: all the 4.0 ones appear to say is 'Patent and trademark rights are not licensed under this Public License.'
20:54 < cfields> https://github.com/bitcoin/bitcoin/blob/master/src/leveldb/util/env_posix.cc#L357
20:54 < gwillen> gmaxwell: which is a weaker statement even than cc0
20:55 < gwillen> gmaxwell: and which doesn't seem like much of a statement at all
20:55 < cfields> a call to Sync() flushes the fd to disk, before msync has been called
20:55 < phantomcircuit> cfields, so basically that's backwards
20:55 < cfields> and on osx, we've forced that flush to be a really hard flush, too :)
20:56 < gmaxwell> gwillen: yes, thats the narrowest crafting that they could get through. It's still fatally bad.
20:56 < gwillen> gmaxwell: I'm really not sure I agree.
20:56 < phantomcircuit> midnightmagic, oh i see you mean the libc ones
20:56 < phantomcircuit> hmm
20:56 < gwillen> gmaxwell: There's no reason to believe that not having it would cause patent or trademark rights to be licensed.
20:56 < cfields> phantomcircuit: hmm, it sure looks that way to me
20:56 < phantomcircuit> yeah i guess that should be very portable
20:56 < gwillen> gmaxwell: It should be more or less a no-op.
20:57 < gmaxwell> gwillen: the legal minds (e.g. Eben Moglen) believe that the BSD license contains an _implied_ patent license because it permits you to use/copy the work which would otherwise require a patent license.
20:57 < gmaxwell> gwillen: there is no ambiguity, if you receive a work under cc-by-sa-4.0 there is no implied patent license.
20:57 < gwillen> gmaxwell: Nobody's going to rely on an implied patent license
20:57 < gwillen> not on purpose, anyway
20:57 < gmaxwell> gwillen: millions of people depend on an implied patent license.
20:57 < phantomcircuit> tbh leveldb is kind of a mess
20:57 < midnightmagic> phantomcircuit: The structs can be passed to the lower-level, it takes a single syscall (usually) and there's a huge win. I've been advocating for scatter writes using iovecs internally here for like a decade but nobody listens to me and I'm too stubborn to write it for them.
20:57 < phantomcircuit> it seems like it would be easier to write a BitcoinKVDB
20:58 < gwillen> gmaxwell: also, CC is rarely used for code
20:58 < gmaxwell> gwillen: qualcomm and apple are basically filing a new patent against llvm/claim per week each. Your only ability to use clang at all is an implied patent license.
20:58 < gwillen> gmaxwell: patent licenses are not likely to be important on documentation or literature
20:58 < phantomcircuit> inb4NIHs
20:58 < midnightmagic> what the heck is NIHs ?
20:58 < gmaxwell> gwillen: indeed, which is a saving grace, though a narrow one. They are not too infrequently used for scientific publications.
20:59 < gmaxwell> gwillen: and yea, the implied patent license sucks. I look forward to seeing you try to convince all the patent carrying packages you use that are bsd licensed to adopt the apache license.
20:59 < gmaxwell> s/llvm/claim/llvm/clang/
21:00 < gwillen> gmaxwell: I dunno, I kind of handwave the whole issue with "all software ever written violates multiple patents anyway"
21:00 < gwillen> "therefore whether you get sued is not about what you write, but about who you piss off"
21:01 < gwillen> I hope the courts wipe out the whole software patent sector and we get to stop worrying about it
21:01 < gmaxwell> gwillen: true, though the magnitude of it is worse when its patents are owned by the same people writing the software (little ambiguity that the patents apply), and they're known vexatious litigants.
21:02 < gwillen> me nods
21:02 * gwillen nods*
21:02 < cfields> midnightmagic: which set of man pages did you pull that msync(2) from?
21:02 < gmaxwell> gwillen: it's all squishy in any case, which is why an implied license is helpful, the ambiguity makes litigation less likely, etc.
21:03 < gmaxwell> gwillen: so it's unfortunate to lose the ability to argue that maybe there is one.
21:03 * gwillen nods
21:04 < phantomcircuit> midnightmagic, not invented here syndrom
21:04 < phantomcircuit> e
21:19 < midnightmagic> cfields: NetBSD
21:20 < midnightmagic> cfields: Anytime there's a question like that, just assume NetBSD.
21:20 < cfields> heh
21:35 < gmaxwell> cfields: wrt mmap and leveldb...
21:35 < gmaxwell> cfields: I was pretty sure that 32 bit builds of leveldb do not use mmap.
21:35 < cfields> gmaxwell: for reading
21:35 < cfields> for writing they do
21:36 < gmaxwell> ah, interesting! okay.
21:36 < cfields> that's why i was bugging gavin about whether he could repro on his 64bit builds or not
21:37 < warren> cfields: we have three reports of no avoiding corruption with the mem barrier thing with people who had corruption on every run prior, weird coincidence?
21:37 < warren> s/no//
21:38 < cfields> gmaxwell: please check me, though. Anyone who's known me for a while knows that I typically go through ~3 rounds of sure-thing fixes before finding the real one :)
21:38 < gmaxwell> cfields: no, you're right I see that too now.
21:39 < cfields> warren: i still think the mem-barrier patch should go in upstream. But that was an indirection to us at best.
21:39 < cfields> warren: if it really fixed something for someone, i'd be really curious to know specifics
21:40 < warren> it's hard enough to get these people to respond
21:41 < gmaxwell> the mem barrier change is clearly right but uh. so it would be good to know why its fixing things if it indeed is.
21:42 < gmaxwell> Perhaps we should buy one of the machines that reproduces this so easily? (I dunno why we didn't do this before the bounties)
21:43 < phantomcircuit> gmaxwell, that was my suggestion last week
21:44 < phantomcircuit> but really who is going to want to sell us their laptop
21:44 < warren> do we know why many users can't reproduce the problem at all?
21:44 < phantomcircuit> warren, the race is a very close one probably
21:44 < phantomcircuit> it might be easier to write a stress test actually
21:45 < cfields> gmaxwell: i have one
21:46 < cfields> gmaxwell: rather, i borrowed one from a friend. and i was nice enough to upgrade her to 10.9 :p
21:46 < cfields> though, i was still never able to reproduce it
21:47 < gmaxwell> yea, what I was saying is that there are people who claim it always or at least frequently fails for them. Theirs is the computer you want. :)
21:47 < cfields> not without adding some sleeps in code, anyway
21:47 < gmaxwell> well the sleeps is a good idea in any case.
21:47 < warren> it happens on every run of bitcoin-qt for coblee
21:48 < cfields> warren: that's got to be a different issue i'd think
21:48 < warren> for him the mem barrier patch made bitcoin-qt usable
16:19 < petertodd> sipa: my main thinking is that wallet software wants to be able to sync transactions, rather than just funds. this also ties into a paper I'm writing on privacy issues and blockchain data
16:29 < sipa> petertodd: not sure i'm following the big picture anymore
19:28 < maaku> petertodd sipa: two separate indices under consideration here right?
19:29 < maaku> the TXO MMR which is an append/update structure whose hash root is committed to the coinbase
19:30 < maaku> you append each new output, and update a spent-bit for each input
19:30 < maaku> and a separate, per-block tree of outputs indexed by TXO, right?
19:35 < gmaxwell> At some point I'd convinced myself that it made sense to have separate append only and insert only datastructures, though I don't know why. Obviously managing an append only one is much easier.
19:40 < maaku> oh i guess it can be the same structure as actual insertion/append order within a block doesn't matter
19:42 < maaku> gmaxwell: for double-spend validation I still think an updatable trie structure is best
19:42 < maaku> but lately I've been thinking about a MMO-like structure for the scriptPubKey index
20:05 < gmaxwell> justanotheruser: So perhaps its possible to construct a precisely brittle cryptosystem and paired signature system such that I encrypt data using keys plus some additional data which I give you, such that knowledge of _any_ signature with the key is enough to decrypt the data.
20:05 < gmaxwell> but not enough to forge signatures.
20:06 < nsh> i really want to see more of a sketch of how this would work, and elaborations on the intractability of adaptive difficulty
20:06 < nsh> or at least some clearer idea of to achievable precision in likely decryption window
20:06 < nsh> *the
20:07 < gmaxwell> DSA like schemes can be constructed so that they leak a linear relationship between the private key and the message. So the trickiness would be figuring out how to leak just enough that the encryption is revealed but not forgery.
20:07 < nsh> (re: POW which turns the distributed computation into ticking for timelock encryption)
20:07 < nsh> right
20:07 < gmaxwell> nsh: yea, I dunno, it's a very vague sketch. I was happy that something like it sounded possible because it just seemed to me to be the most realistic way of having non-trustbased timelock encryption I'd ever heard or thought of.
20:08 < justanotheruser> I wish this was possible with bitcoin because this altcoin would only be valuable for secret keeping meaning the only exchanges would be between miners and secret sharers
20:08 < justanotheruser> and speculator
20:08 < justanotheruser> s
20:08 < gmaxwell> But the obvious ways to go about building it are super ugly.
20:08 < nsh> mmm
20:09 < gmaxwell> justanotheruser: Well, as I said before a two phase protocol could make it possible to pay for it in bitcoin. The advantage of the alt thing is just that the pow would be "useful".
20:09 < gmaxwell> E.g. lets not go building a bunch of things that require people to needlessly burn energy when we can instead just build one. :P
20:11 < justanotheruser> gmaxwell: So you're saying the secret miners would be securing the network in this altcoin, while they wouldn't be in bitcoin?
20:11 < justanotheruser> I mean you're saying that's your concern
20:12 < gmaxwell> justanotheruser: right. The idea on the altcoin page is that you have a cryptocurrency whose POW has a side effect of yielding previously unknown private keys for public keys which were set way in advance.
20:12 < gmaxwell> which IMO is way more useful than that primecoin crap. :P
20:14 < gmaxwell> My example of using DLP cracking is lame because DLP cracking is super-not-progress-free. You get a quadratic speedup from being stateful... but there are a LOT of different cryptosystems out there. I would be really surprised if something weren't reasonably suitable. But even ignoring that details like handling difficulty seem hard to get right.
20:14 < justanotheruser> gmaxwell: Is there a use for primecoins PoW? No one has been able to explain who wants Cunningham chains
20:15 < gmaxwell> No. There is no use as far as I can tell, except abstract numbertheory navel gazing.
20:15 < gmaxwell> of course, insight comes from unexpected places at times.
20:16 < gmaxwell> plus, I _suspect_ that PoW might be the _only_ really viable way to have truly secure timelock encryption.
20:16 * nsh nods
20:16 < gmaxwell> just because the timelock usage alone could never really fund enough processing power to make it secure.
20:17 < justanotheruser> The problem I see is your secret being worth 3 times as much as the secret rewards meaning your secret is found 4 times as fast as it should have been.
20:17 < gmaxwell> well thats part of the reason I propose encrypting with all intermediate keys.
20:18 < gmaxwell> so the comparison is not one blocks reward, its all rewards between here and now.
20:21 < justanotheruser> hm
20:21 < justanotheruser> gmaxwell: Do you consider any altcoins useful other than namecoin?
20:21 < gmaxwell> You could also strengthen a decentralized timelock with distributed timelocks.
20:22 < nsh> hmm
20:22 < gmaxwell> justanotheruser: not really so far, mostly they've done absolutely nothing interesting. The few that aren't just copies of the bitcoin code with a few lines changed are mostly either pure marketing and vaporware or are trivially insecure rubbish.
20:23 < andytoshi> i bet a way to find cunningham chains quickly would also yield some useful number-theory results
20:23 < andytoshi> so primecoin will become useful exactly when it's destroyed :)
20:23 < gmaxwell> E.g. To decrypt this message you need all the blocks between now and 2016 and 6 of 10 timelock servers OR all the blocks between now and 2017.
20:24 < justanotheruser> gmaxwell: how do you handle an increasing network power?
20:24 < maaku> justanotheruser: one of many unsolved problems here
20:24 < gmaxwell> hm? no I proposed a solution, but its kludgy.
20:25 < justanotheruser> Or is this the centralized distributed solution with the servers verifying the block time
20:26 < maaku> gmaxwell: it's not on your alt page...
20:26 < maaku> you've got a mechanism for scaling reward
20:26 < justanotheruser> maaku: "POW which turns the distributed computation into ticking for timelock encryption"
20:26 < maaku> but say I want to encrypt something to 2016. how do I know how far to go?
20:27 < gmaxwell> justanotheruser: I suggested running multiple problems. Say your problems are just H("timelock is great"||x||y) = pubkey. and x and y start at 0. When a solution for a given problem is found, y is incremented.
20:27 < maaku> justanotheruser: i'm talking about difficulty adjustment specifically
20:27 < gmaxwell> If difficulty is too low then to solve a block you start requiring work on x=0 and x=1 ... if it's still too low you require work on x=0 and x=1 and x=2
20:27 < maaku> gmaxwell: ah, i misunderstood. so you break each key into multiple problems?
20:27 < justanotheruser> maaku: your concern is it being found faster with higher network hashpower?
20:28 < gmaxwell> and so basically instead of solving one timelock sequence you solve 1 to n time lock sequences, with n depending on difficulty.
20:29 < gmaxwell> you can encrypt your message with as many of the sequences as you believe will exist in the future, but there is some risk if the difficulty is too low that the network is not solving the sequence you need.
20:29 < justanotheruser> gmaxwell: That involves centralization right?
20:29 < gmaxwell> wtf
20:29 < gmaxwell> no
20:29 < gmaxwell> sorry, I'm just confused as to where you'd get that idea! :P
20:29 < justanotheruser> I was confused by "and 6 of 10 timelock servers"
20:30 < gmaxwell> justanotheruser: oh I thought you were talking about me explaining how difficulty adjustment works.
20:30 < gmaxwell> that was just a comment on 17:21 < gmaxwell> You could also strengthen a decentralized timelock with distributed timelocks.
20:30 < gmaxwell> and yes, its not decentralized.
20:30 < justanotheruser> I see
20:31 < gmaxwell> But, e.g. decentralized + distributed OR lots-more-decentralized doesn't seem too bad to me.
20:31 < maaku> justanotheruser: my concern is that you cannot predict which keys to use to encrypt something such that it won't be released until day X in the future
20:32 < justanotheruser> I don't see how 6 of 10 timelock servers verifying blockchain length to release a secret is different from them verifying the data
20:32 < gmaxwell> maaku: well you can in my example, you just encrypt using x=0 y={0..expected time in the future}
20:32 < gmaxwell> justanotheruser: huh? there is no verifying the blockchain at all.
20:32 < justanotheruser> brb
20:33 < maaku> gmaxwell: but then in the future when people have asic ecdsa crackers for this, difficulty will require each block to iterate x=0..(some very large amount)
20:33 < maaku> but it could just as easily be built to do x=0 y=(0.. some large amount)
20:34 < andytoshi> maaku: presumably they'd not do this, preferring to get the block reward
20:34 < gmaxwell> maaku: yes, correct. Though if they did that they'd not get the block reward.
20:34 < andytoshi> i don't think this is safe against an asic explosion
20:34 < maaku> so they give up 1 block reward in order to destroy entirely the utility of the timelock encryption
20:35 < gmaxwell> maaku: No, because you have the option of also using the higher Xs... but it puts a tradeoff over the risk that the network may not tick for all the work you need in the future.
20:36 < gmaxwell> basically, to use it with perfect security requires you to predict the future difficulty. But it can be constructed so that if you fail to guess right all is not lost.
20:36 < maaku> Which means you might as well just make the network tick with a single appended value, so you guarantee all keys are moved through
13:58 < jgarzik> meh. TD's argumentation can be compelling, but json-rpc is more compelling. JSON Just Works in python and JS, and matches nicely with their native data structures. protobufs are great for avoiding manual marshalling code drudgery, type checking and other utility, but the hurdles for end users are slightly higher
13:58 < jgarzik> both JS and python handle json without additional downloads, compiles, package installs
13:58 < jgarzik> the downside is
13:59 < jgarzik> no type checking, binary stuff passed as hex, ridiculously strict parsing
13:59 < gmaxwell> Yep. you can write it with a text editor. Like HTTP. It's not pretty but its "accessible"
13:59 < jgarzik> debuggable
14:00 < Luke-Jr> someone should make a protobuf editor
14:00 < Luke-Jr> :P
14:01 < Luke-Jr> then the only problem is that it needs a schema
14:01 < Luke-Jr> but that's mostly unavoidable
14:01 < Luke-Jr> even EBML needs schemas I think
14:03 < jgarzik> Manually written marshalling code is certainly drudgery and bug-prone
14:04 < gmaxwell> Luke-Jr: it does, well, you're free to not define them and make everything an informal adhoc mess (largely whats happened in mkv)
14:04 < jgarzik> I bet somebody somewhere has already done work on JS or python code generation, to eliminate some of that headache
14:05 * Luke-Jr hates how protobuf generates code currently
14:05 < jgarzik> unfortunately the bitcoin world seems to be the largest consumer of JSON-RPC
14:05 < Luke-Jr> with Python at least, it should be more than possible to automatically parse protobuf from a .proto directly
14:05 < jgarzik> I look around for json-rpc libs in $language, and inevitably find the author a bitcoiner
14:06 < jgarzik> compiling a foo.proto file into json-rpc type-checking code would be nice
14:06 < jgarzik> and optimal
14:07 < jgarzik> (not protobufs data definition strictly; obviously details would change for JSON)
14:12 < Luke-Jr> we really should have hijacked some bits from nVersion for the block nonce..
14:13 < Luke-Jr> with the speeds 28nm are going to do
14:13 < gmaxwell> Luke-Jr: pft nonsense. people should be building miners that can update their work faster than once per 30 seconds.. what a mess.
14:14 < Luke-Jr> gmaxwell: it's already once per second for a single bitfury chip
14:14 < Luke-Jr> and 28nm chips to 600 Gh alone
14:14 < Luke-Jr> do*
14:15 < gmaxwell> Luke-Jr: yea, and? random desktop cpu should be able to do 500,000 roots per second or something loopy like that.
14:15 < Luke-Jr> (or maybe it was 300 Gh, but not important)
14:15 < Luke-Jr> gmaxwell: with up to potentially 1 MB coinbases? :p
14:15 < Luke-Jr> and 10+ MB blocks?
14:15 < gmaxwell> Luke-Jr: yea well, do the p2pool style extranonce.
14:16 < gmaxwell> Luke-Jr: 10mb blocks is irrelevant.
14:16 < Luke-Jr> today.
14:16 < Luke-Jr> do you really want non-scalable mining chips?
14:16 < gmaxwell> No, I mean its forever irrelevant
14:16 < Luke-Jr> explain
14:17 < gmaxwell> log2.. it takes 21 sha256s to compute the root for a 1GByte block.
14:17 < gmaxwell> (assuming 500 byte transactions)
14:18 < gmaxwell> 30 for a 1 TB block.
14:18 < gmaxwell> the coinbase is a bigger issue, but as I mentioned you can do what p2pool does.
14:18 < gmaxwell> OP_RETURN output in the last transaction and do midstate compression.
14:18 < gmaxwell> er OP_RETURN in the last output
14:20 < Luke-Jr> yeah
14:20 < Luke-Jr> but that's with a host generating the work
14:20 < Luke-Jr> if these ASICs get any faster, they will have to generate work internally
14:20 < gmaxwell> I wish the hash tree geometry were different... that coinbases forked off at the top.. I wish that transactions themselves were hash trees, so that you could update one part without the rest, but we've got what we've got. If I were to hard fork, I wouldn't worry about header nonce. We have scarcely few bits in the header.. stealing one for nonce would do little good but might hurt a lot if we ever need more than a flag there.
14:21 < gmaxwell> Luke-Jr: they can do the same thing that the host does on a little FPGA.
14:21 < gmaxwell> (no need to take the risk of fabricating it directly)
14:22 < Luke-Jr> hmm, so use part of the ASIC die for a FPGA?
14:22 < Luke-Jr> is that R&D-cheap?
14:23 < gmaxwell> Luke-Jr: nah, you just use a separate fpga which then serves as your MCU (they make fpgas that have small cpus fixed on them, alternatively you just load a cpu onto it)
14:24 < gmaxwell> Seriously, these people are making _tens of millions of dollars_ and yes solving these challenges will take a little work. Tough. Thats business. The nonce already gives them a 4 billion to one work reduction, two or four times that if you're willing to steal a couple of timestamp bits.
14:25 < gmaxwell> Meanwhile taking too long before updating the hashroot is bad for the network, it increases orphaning.
14:25 < gmaxwell> Luke-Jr: any idea why the bitfury stuff has high stales on p2pool?
14:25 < gmaxwell> Its worse than avalon.
14:25 < Luke-Jr> gmaxwell: I'm afraid they'll gladly make crappy non-scalable chips to get it out the door sooner with more profit :/
14:26 < Luke-Jr> gmaxwell: because the bitfury code people are using sucks?
14:26 < gmaxwell> (I can't say that I'm complaining much, I think I'm now at 105% efficiency with my avalons
14:27 < Luke-Jr> I've been basically rewriting it entirely for BFGMiner
14:27 < gmaxwell> (though part of that 105% is the asicminer things ... lol .. can't longpoll)
14:28 < Luke-Jr> bitfury can't longpoll either
14:28 < Luke-Jr> the chip itself
14:28 < Luke-Jr> I think asicminer's chip can longpoll
14:28 < Luke-Jr> (the USB ones in fact seem to work for doing that)
14:30 < Luke-Jr> bitfury's chip CAN return results in realtime (no waiting until the end like BFL)
15:57 < jgarzik> gmaxwell, petertodd: Bruce S says "thanks" for the collision-reward forum link I sent him
19:10 < sipa> jgarzik: THE bruce schneier?
19:11 < sipa> Bruce Schneier can recite pi. Backwards.
19:11 < Luke-Jr> in tonal?
19:12 < sipa> Obviously.
19:13 < Luke-Jr> :D
19:13 < sipa> he's probably to come up with two number systems in which the digit expansion is identical
19:13 < sipa> +able
19:19 < gmaxwell> it's easier to do it backwards in tonal.
19:19 < gmaxwell> (really)
19:20 < Luke-Jr> gmaxwell: easier maybe if it were even possible!
19:21 < sipa> backwards is impossible
19:21 < gmaxwell> Luke-Jr: On the basis of http://en.wikipedia.org/wiki/BBP_formula
19:21 < sipa> but in tonal (well, anything binary or power thereof) there is an efficient algorithm to compute arbitrary digits
19:22 < Luke-Jr> gmaxwell: but the end/!
19:23 < sipa> it's just slightly less impossible
19:23 < sipa> but still impossible really
19:24 < gmaxwell> It's still deeply weird that there is random access to pi. :)
19:55 < nanotube> lol didn't know that - that's awesome
22:32 < petertodd> jgarzik: awesome, forward me the email
23:31 < amiller> okay i solved bitcoin, it's no problem
23:31 < amiller> gmaxwell, i've been stressing out about this anti outsourcing puzzle but it is way simpler than i thought
23:32 < amiller> the trick is that you should not reveal the actual puzzle solution
23:32 < amiller> but a zero knowledge proof that you know a proof of work solution
23:33 < amiller> that's all there is to it really, but i should clarify that it should reveal *nothing* else about the solution, for example you should not reveal that the solution contains a commit to valid transactions or anything like that
23:34 < amiller> if you want to commit some transactions into a block, you must bind those *after* you find the solution,
23:34 < amiller> otherwise there is a 'watermarking attack' that makes hosted mining feasible
--- Log closed Sat Sep 14 00:00:36 2013
--- Log opened Sat Sep 14 00:00:36 2013
00:56 < gmaxwell> amiller: so I've been swimming in all sorts of psycho things that one way signatures enable.
00:57 < amiller> gmaxwell, word, what else have you come up with?
00:57 < amiller> one way aggregatable
00:58 < gmaxwell> amiller: I dunno if you saw me mention it, but it greatly reduces the problems of miners making more by reorging out other miners blocks instead of moving forward in a world driven by fees.
00:59 < gmaxwell> because if the fees are taken from a block using an aggregate signature you couldn't learn any more transactions from a competitors block.
01:00 < amiller> i read all your posts in that thread
01:00 < gmaxwell> well, I'd commented in here some too.
01:00 < amiller> is your idea basically that miners who receive transactions
01:00 < amiller> will merge all the transactions before broadcasting them
01:00 < amiller> so that other miners can't take them piecemeal and make easier blocks?
01:01 < gmaxwell> Right. Well they can take them, but the miners fee output will already be added and they can't remove it.
01:01 < amiller> one thing i vaguely think is the same as this but i haven't thought hard about is
01:01 < amiller> oh
01:01 < amiller> oh cool so they add their own personal fee explicitly
01:01 < amiller> okay so
01:01 < gmaxwell> yes. relayers could too.
01:01 < amiller> this is an implementation of bitcoins and red balloons basically
01:01 < gmaxwell> yes.
01:01 < gmaxwell> but it's efficient.
01:02 < gmaxwell> the signatures are smaller than ours. (only one G1 group element per transaction for the keys, and one G1 element for the aggregate signature)
01:02 < gmaxwell> and so if the pairing has high k you get adequate security with just 160-256 bit G1 elements.
01:05 < amiller> that doesn't affect verification time but transmission cost sure
01:05 < amiller> you still have to transmit the expanded public keys
01:06 < gmaxwell> In any case yes, it makes red balloons scalable (so long as you don't mind one pairing operation per transaction), and it also means that even the miners themselves have the red balloons property.
18:50 < theymos> Even an amateur programmer has some chance of finding it if they try hard enough.
18:50 < Emcy> so just an equation of eyeballs
18:50 < petertodd> It's a lot less likely for me to find the bug than a total outsider; for one thing I don't have a Mac...
18:51 < Emcy> virtualise one?
18:51 < petertodd> Emcy: the bug is likely to do with hardware IMO
18:51 < Emcy> anyone had the bug on mavericks yet
18:52 < warren> petertodd: i doubt it is hardware, it's probably something stupid in their OS
18:52 < warren> Emcy: yes, 10.8 and 10.9
18:52 < warren> no reports with 10.7, but that might just be no users
18:52 < warren> Emcy: and some users never have the bug ever
18:52 < petertodd> warren: see, if it's fsync() I figure it's likely OS stupidity + hardware
18:53 < petertodd> warren: especially given it's not easily repeate
18:53 < petertodd> *repeated
18:53 < sipa> the weirdest report is the "uncorruption"
18:53 < sipa> where a restart fixed a corrupted database
18:54 < warren> I have a hunch for why it affects some users but not others
18:54 < sipa> which really sounds like an OS cache level issue
18:54 < warren> I need a mavericks machine to try it
18:54 < warren> my only mac is Litecoin's "build server"
18:54 < warren> (an old macbook with a shattered screen in a data center)
18:55 < warren> runs 10.6.8 to match Gavin's build environment for releases
18:56 < Emcy> so you just ship them stuff like that and theyll put it in a rack for you?
18:56 < warren> Emcy: people owe me big favors
19:00 < warren> theymos: sigh, it's hard to get dev things to be voted up
19:01 < theymos> It's doing pretty well.
19:01 < warren> it is?
19:01 < warren> will 8 votes get it on the front page?
19:02 < theymos> It has several votes more than its neighbors in /new. It might eventually make the front page.
19:14 < petertodd> warren: best time to get a story upvoted is to post it in the early morning in the US
19:19 < petertodd> sipa: see, what you need is an algorithm where you take the longest block header chain, and make downloading the next block to extend your block chain towards that best header tip have the highest QoS. Of course, normal networking practice is completely unable to do that. :(
19:20 < petertodd> sipa: which makes me think just fetching roughly simultaneously is by far the simplest, and provided block interval >> block fetch + validate time it'll be alright even if not ideal
19:20 < petertodd> sipa: doesn't really look to me like we can optimize this one without risking ugly edge cases.
19:21 < warren> theymos: inappropriate to temporarily sticky something like that?
19:21 < adam3us> petertodd: what about making it so you dont know the block hash until you get the block
19:21 < petertodd> adam3us: we're talking about a scenario where block headers are distributed separately from blocks
19:21 < theymos> warren: Yeah, I think so. Stickies are really only for super-emergencies IMO.
19:21 < adam3us> petertodd: yes so then dont do that :)
19:22 < warren> theymos: screwing over all mac users for months seems like a slow motion train wreck...
19:22 < sipa> petertodd: agreed
19:22 < petertodd> adam3us: it's for sipa's headers first code - maybe what it does suggest is that the headers first be only allowed to be used for the initial block download...
19:23 < petertodd> IE, if you receive a header on a header, you just ignore it.
19:23 < adam3us> sipa: the aim is to reduce propagation delay?
19:23 < warren> theymos: likely holding back bitcoin, as well as weakening the network. we've had a drop in listening nodes.
19:23 < petertodd> adam3us: make initial block download (and catching up) faster
19:23 < sipa> adam3us: that wasn't the original intent
19:24 < sipa> the nicest advantage imho is not needing checkpoints anymore
19:24 < petertodd> adam3us: also, for pruning where not everyone has all blocks
19:24 < petertodd> yeah, !checkpoints is good too
19:24 < sipa> but also harder to break
19:24 < sipa> and simplifying parallel block download
19:25 < sipa> petertodd: my former attempt used the rule that block download was only delayed in case we know we're not yet caught up
19:25 < adam3us> sipa, petertodd: if there is an attack with current blocks, maybe dont do it for the most recent 6
19:25 < petertodd> sipa: btw, you realize that in this circumstance, you actually still want *a* checkpoint, but in the form of "we know that there exists a block header at height foo with total work bar, therefore don't accept anything worse than that"
19:26 < sipa> yup
19:27 < petertodd> sipa: makes sense. The code right now basically downloads all blocks that extend tip simultaneously IIRC.
19:27 < gmaxwell> petertodd: yes, but it could be a pure difficulty "checkpoint"
19:27 < petertodd> gmaxwell: oh right, it is total work and nothing else
19:27 < sipa> there's also a "fill memory with silly low-difficulty headers" attack
19:27 < sipa> which checkpoints are still useful for
19:28 < petertodd> sipa: or commit-and-choose
19:28 < petertodd> *interactive commit and choose
19:28 < gmaxwell> sipa: I still think at some point we should do the worlds safest hardfork and increase the minimum difficulty to a million or something.
19:29 < warren> what for?
19:31 < petertodd> heh, well the fastest the difficulty can drop to 1 again is 104 weeks...
19:32 < petertodd> 30 weeks to 1 million
19:32 < gmaxwell> warren: because it makes avoiding a bunch of stupid dos attacks easier.
19:33 < sipa> petertodd: i get 51 days
19:33 < gmaxwell> and its indistinguishable unless difficulty somehow falls to that, ... which it couldn't do without leaving the network insecure in any case.
19:33 < sipa> ugh
19:33 < sipa> never mind
19:33 < petertodd> sipa: diff_now/4^(2*4*weeks) == diff_future
19:34 < petertodd> sipa: don't forget the *4
19:34 < sipa> never mind, i assumed it could drop a factor 4 every 3.5 days rather than 8 weeks
19:34 < petertodd> sipa: er, I mean (weeks/(2*4))
19:34 < petertodd> sipa: lol
19:35 < sipa> the fastest it could get from 1 to today's diff, is 51 days
19:35 < warren> gmaxwell: would testnet remain as is?
19:35 < gmaxwell> warren: sure.
19:36 < gmaxwell> It's not a serious proposal right now, but I think we should do something like that someday.
19:36 < gmaxwell> perhaps after the hashrate stabilizes again.
19:36 < warren> will that ever happen?
19:36 < gmaxwell> it should
19:39 < petertodd> gmaxwell: definitely be a reasonable thing for a SPV implementation to do
19:45 < warren> Luke-Jr: ping
19:56 < warren> Luke-Jr: you earlier mentioned 25 BTC were donated toward the deterministic linux -> mac cross compile goal. Is that still available? cfields now has time to focus on that.
20:13 < Luke-Jr> warren: if that's what I said before, then it should be, yes
21:41 < warren> I'm not sure why people downvoted the bounty thread.
22:01 < Luke-Jr> warren: trolls will downvote anything
22:01 < Luke-Jr> reddit seems to be nearly as bad as BCT
22:59 < Emcy> Luke-Jr what weird character is your bot using
22:59 < Luke-Jr> Emcy: which one do you consider weird?
22:59 < Emcy> some of the numbers in the tbc section are fucked up
22:59 < Emcy> is it just me
22:59 < warren> Emcy: it's just you.
22:59 < Luke-Jr> Emcy: do you have a tonal font?
23:00 < Luke-Jr> TBC only makes sense with tonal fonts
23:00 < Emcy> troll level elevated
23:01 < Emcy> http://imgur.com/eyGmhsx
23:01 < Emcy> supposed to be just numbers right
23:03 < Luke-Jr> http://luke.dashjr.org/tmp/screenshots/snapshot113.png
23:04 < Emcy> are you serious
23:05 < Emcy> what are those characters supposed to be
23:05 < Emcy> gah tonal strikes again
23:06 < Luke-Jr> http://books.google.com/books?id=aNYGAAAAYAAJ&pg=PA15#v=onepage&q&f=false
23:08 < Emcy> thats mental. someone actually made a font for it
23:08 < Emcy> surely most people cant even see them though
23:09 < Luke-Jr> there are multiple fonts with tonal support
23:09 < Luke-Jr> http://eligius.st/~gateway/products/block-erupter-sapphire
23:10 < Luke-Jr> webpages can use webfonts to solve lack of widespread font support at least :D
23:11 < Emcy> what the hell is an effect
23:12 < Luke-Jr> http://books.google.com/books?id=aNYGAAAAYAAJ&pg=PA38#v=onepage&q&f=false
23:15 < wizkid057> ?!
23:16 < Emcy> hopefully they can define a kilogramme from some sort of fundamental constant someday soon
23:17 < Emcy> then we can put all this stuff to bed once and for all
23:17 < Luke-Jr> Emcy: pfft, SI is lame
23:18 < Emcy> it may or may not be but it works
23:18 < Emcy> christ its only been 45 odd years since they decimalised money
23:19 < Emcy> ive got a couple of shillings and tuppences in a draw somewhere......
23:19 < warren> Luke-Jr: we're still willing to make tonal default in Litecoin if you join us.
23:19 < Emcy> next up, decimal time (somehow)
23:20 < Emcy> well that probably wont happen since its based off radians for a good reason
23:20 < Luke-Jr> warren: REALLY?
23:20 < phantomcircuit> Luke-Jr, i think he's just messing with you
23:20 < Luke-Jr> Emcy: SI tried decimal time originally
23:20 < warren> phantomcircuit: maybe
23:20 < Luke-Jr> Emcy: even with all their force and threats, they couldn't make people adopt that
23:20 < Emcy> whose force and threats
23:20 < Luke-Jr> Emcy: that's how SI got adopted at all
23:21 < Emcy> did the empire spread it?
23:21 < Luke-Jr> go read up about the "metric martyrs"
23:21 < Luke-Jr> people who were put in jail for refusing to adopt it
23:21 < Luke-Jr> I think there are still some today even
23:22 < Emcy> hm
23:22 < Luke-Jr> SI has never been adopted by free choice
23:23 < Emcy> https://en.wikipedia.org/wiki/Swatch_Internet_Time
23:25 * Luke-Jr sticks with good old tonal time
23:25 < Emcy> the EU mumbled something about banning the pint from sale in the UK once. There was a good upforious shitstorm about that.
05:52 < Luke-Jr> I saw my clock, saw the time, assumed I must have been hacked and my clock screwed with, finished locking down, and then realised.. it really *is* almost time for people to wake up
05:52 < Luke-Jr> x.x
05:53 < Luke-Jr> guess I should go to bed
06:06 < Emcy> does sunlight burn you?
06:07 < Emcy> does me, somewhat. My eyes.
07:26 < michagogo|cloud> 01:00:11 <phantomcircuit> im gonna order a bunch of flash drives with the blockchain + bitcoin-qt loaded on them
07:26 < michagogo|cloud> 01:00:25 <phantomcircuit> and include a nice little script to start with -loadblocks
07:26 < michagogo|cloud> Erm, why -loadblocks? Just call the file bootstrap.dat and shove it in the datadir.
09:03 < TD> there is now a #bitcoinj IRC channel
12:07 < BlueMatt> hmmm...strange spike in the number of nodes which are coming back to dnsseed with a block count too low to be included...any guesses?
12:08 < BlueMatt> I say spike, I mean restarted on a different server and now getting a serious count for LOW_BLOCK_COUNT, which I havent seen very much in the past
12:09 < gmaxwell> BlueMatt: just new nodes being brought up.
12:09 < BlueMatt> ahhh, seems reasonable
12:09 < BlueMatt> lets see how many convert to GOOD
12:15 < TD> BlueMatt: see here: http://getaddr.bitnodes.io/chart/nodes/?category=v
12:15 < TD> huge spike lately. not sure what's going on there. but presumably related to the press cycle
12:15 < TD> i hope the people running bitcoin-qt understand what they're getting in for ....
12:41 < phantomcircuit> TD, im not sure that's accurate
12:41 < phantomcircuit> TD, that number is based on the number of connections to the nodes controlled by bitnodes.io
12:41 < phantomcircuit> it's entirely possible that someone is just fucking with them
13:02 < petertodd> phantomcircuit: bandwidth usage on my EC2 node went to 100%, so I turned it off given that costs money...
13:03 < petertodd> phantomcircuit: obviously a lot of new nodes coming up
13:03 < phantomcircuit> heh
13:41 < cfields> so ehm, is anyone else noticing a bunch of unreachable websites today?
13:42 < cfields> probably just local, but i can't get to a bunch of sites I need for dev today :\
13:43 < cfields> http://www.downforeveryoneorjustme.com/packages.ubuntu.com
13:44 < cfields> http://www.downforeveryoneorjustme.com/trac.macports.org
13:44 < cfields> so.. not just me
13:52 < BlueMatt> TD[away]/gmaxwell: yea, I see +- 1/3 of all nodes that are connectable have LOW_BLOCK_COUNT
13:52 < gmaxwell> thats about right.
13:52 < gmaxwell> actually a bit low, ... must mean they're catching up.
13:52 < gmaxwell> (I'm saying it's right on the basis of the bitnodes.io growth)
13:53 < gmaxwell> went from about 5000 to about 11000.
13:53 < BlueMatt> yea, could also be that the seeder is still bootstrapping and the newest nodes may not have propagated as far in addr messages
13:53 < BlueMatt> though that seems unlikely, I'd have to reread the addr code
14:00 < phantomcircuit> uhh
14:00 < phantomcircuit> i have a node with 70 open connections
14:01 < gmaxwell> warren: I guess IsStandard is enforced on litecoin?
14:01 < phantomcircuit> im pretty sure i started this yesterday too
14:01 < phantomcircuit> yeah i did
14:01 < phantomcircuit> that's probably not good
14:02 < gmaxwell> warren: I was contemplating setting up a coinswap based decentralized bitcoin/ltc trade script. but it will need hash and sig locked transactions made IsStandard on both chains.
14:03 < petertodd> gmaxwell: namecoin doesn't enforce IsStandard
14:04 < gmaxwell> petertodd: namecoin doesn't have the raw transactions api, so a bunch more coding. :(
14:07 < petertodd> gmaxwell: yeah, if you're not using a library like python-bitcoinlib that's an issue
14:08 < gmaxwell> even to use that, I'd have to make it fully support namecoin, .. vs in bitcoind I can getrawtransaction to do all the block exploring needed to confirm the txn went through.
14:09 < petertodd> gmaxwell: well, the block structure is the same, so provided you can get raw blocks you'd be good
14:09 < petertodd> gmaxwell: heck, read them directly off the blockdata file
14:09 < gmaxwell> petertodd: hm, I would have assumed the MM would goof that up.
14:09 < petertodd> gmaxwell: true, I've never actually looked into how that works... probably not hard to deal with though
14:10 < petertodd> gmaxwell: or... trade BTC and testnet BTC :P
14:10 < gmaxwell> I could ... hah jinx
14:10 < gmaxwell> well.. hm. it's not isstandard in bitcoin yet either.
14:11 < petertodd> gmaxwell: sure, but eligius
14:11 < petertodd> no other coin has a miner like that
14:11 < wizkid057> what'd I do now? :P
14:11 < petertodd> wizkid057: you've been useful
14:12 < gmaxwell> you'll mine non-standard txn.
14:12 < wizkid057> gmaxwell: namecoin-qt has the *rawtransaction RPC stuff
14:12 < phantomcircuit> wizkid057, is there a namecoin version that actually works?
14:12 < wizkid057> phantomcircuit: seems so, I compiled the latest namecoin-qt and it seems to work fine
14:14 < wizkid057> if you mean that actually works as far as fixing that bug that totally breaks what makes namecoin namecoin, then I dont think so. Not until the hard fork at block 150k
14:14 < petertodd> wizkid057: didn't they implement it as a soft-fork?
14:15 < petertodd> wizkid057: not that it's terribly relevant given no-one actually uses namecoin almost...
14:15 < wizkid057> petertodd: I think the now to hardfork at 150k fix is in place which is a soft fork of sorts
14:15 < gmaxwell> I think it must be a hardfork, as they're fixing the stolen names.
14:15 < wizkid057> but needs a hard fork to fix
14:15 < wizkid057> since someone could mine a block with an exploiting txn til then
14:16 < petertodd> gmaxwell: ah, yeah you're right
14:16 < wizkid057> gmaxwell: how are they doing that, actually? I didnt read enough into it
14:16 < wizkid057> i know they're blocking the exploit with the hardfork, but I didnt know about fixing the damage
14:18 < petertodd> wizkid057: yeah, just blocking would be a softfork, fixing is the hardfork
14:18 < gmaxwell> I can only guess they'll reindex the chain and ignore the invalid spends.
14:24 < midnightmagic> I use namecoin. :)
14:25 < midnightmagic> The current fix ignores bad outputs which are still legal. The hardfork will correct it so the bad outputs aren't allowed in the blockchain anymore.
14:25 < midnightmagic> But namecoin is ultimately prunable, so, we can just put it off.
14:26 < midnightmagic> The exploiting txn can be mined but it is ignored. That's why d/wav doesn't have "ha ha I stole your domain in it" right now.
14:28 < midnightmagic> I guess as long as people are there to fix it, and the issue is corrected, even with a hardfork, it turns out killing a coin isn't just a question of releasing an exploit.
14:30 < sipa> is namecoin prunable? i always heard it wasn't
14:36 < petertodd> sipa: nope
14:36 < midnightmagic> There's lots of dead-end data and expired names which are prunable.
14:37 < midnightmagic> Coins are actually destroyed in the process of registering names.
14:37 < petertodd> Well, I should clarify, I mean usefully prunable w/ non-full-node proof; you're right I'm not using my terms correctly.
14:38 < petertodd> bbl
14:38 < gmaxwell> midnightmagic: does that mean it will someday run out of coins and be unusable?
14:38 < midnightmagic> gmaxwell: Yep.
14:38 < midnightmagic> gmaxwell: Procrastination saves us from worrying about that.
14:39 < midnightmagic> well. that and the stupid cheap names that that dork vince left us with.
14:39 < midnightmagic> (term used affectionately)
14:40 < gmaxwell> midnightmagic: I dunno if you noticed but nmc surged on btc-e for some reason.
14:42 < midnightmagic> i didn't notice, I don't sell my names. I calculated how long I have before I can't maintain my own name registrations anymore and selling them is out of the question.
14:42 < midnightmagic> er.. *coins
14:48 < phantomcircuit> gmaxwell, against BTC or against USD?
14:48 < phantomcircuit> they have both markets
14:48 < gmaxwell> phantomcircuit: both.
14:48 < phantomcircuit> i've actually seen it before that there was an arbitrage opportunity between the three all on btc-e
14:48 < phantomcircuit> which is bizarre
14:49 < jtimon> I thought the registering destruction of coins ended after some time...
15:37 < midnightmagic> jtimon: No, names will never be free. Only some things.
15:38 < jtimon> I'm not saying that names will be free, but I thought at some point you just paid to miners instead of destroying the coins
15:40 < jtimon> http://dot-bit.org/FAQ#How_much_does_it_cost_to_register_a_domain_.28a.k.a._a_name.29.3F
15:43 < jtimon> hmm, name_new appears to cost 0.01 NMC at any block height...
16:09 < midnightmagic> jtimon: Lemme double-check. Something went free lately..
16:10 < gmaxwell> first update
16:21 < midnightmagic> My mistake. Sorry about that. Looks like GetNetworkFee() is free now. I keep forgetting that. I don't think we're destroying coins anymore.
16:22 < midnightmagic> We're past this point: if ((nHeight >> 13) >= 60) { return 0; }
16:24 < midnightmagic> jtimon: So all that's left is paying miners, you are correct.
16:24 * midnightmagic gets there eventually.
16:25 < jtimon> thanks for checking it midnightmagic
16:52 < warren> gmaxwell: IsStandard is the same as bitcoin 0.8.5 except we disabled IsDust
16:53 < warren> wow. bitcoin-qt.exe worked in wine on mac too.
17:07 < sipa> warren: you should test whether it also causes corruption :p
17:13 < Luke-Jr> anyone here with some free time? :x
17:18 < sipa> unlikely!
17:18 < jgarzik> :)
17:18 < K1773R> Luke-Jr: is there a faucet for free time or can it be mined?
17:20 < jgarzik> The only way to create new free time, bending the space-time continuum, is to stumble across an enormous distraction when multiple separate deadlines are looming.
17:20 < jgarzik> like a bear in a Lamborghini
17:21 < warren> sipa: it doesn't corrupt with native mac on 10.6.8 AFAICT
17:22 < K1773R> jgarzik: lol
12:50 < realazthat> its actually sig(P,R), with R being the result
12:50 < petertodd> ah, as in SCIP is the project that gives you the tools to easily write SNARK circuits?
12:50 < realazthat> programs
12:50 < petertodd> hiding it all behind a VM model?
12:50 < realazthat> yeah
12:50 < realazthat> yes
12:51 < realazthat> the circuits would be huge though; it is programs
12:51 < realazthat> but they are time bound
12:51 < petertodd> whereas for Bitcoin stuff, it may be worth it to figure out an optimal SNARK circuit directly? (at the cost of maintainability)
12:51 < realazthat> mmm I dunno about that
12:51 < realazthat> er
12:52 < realazthat> emphasis on circuit? or emphasis on optimal, ie custom VM assembly
12:52 < realazthat> yes, to latter
12:52 < realazthat> dunno about former
12:52 < petertodd> I see, circuit is just way too low-level then. So the stuff about merkle trees, basically you'd just extend that vm with some operations that act on them directly, closer to the underlying SNARK model?
12:53 < realazthat> gmaxwell was saying that the compiler is great for bootstrapping a program to tinyram (name of the vm/virtual architecture), but you'd hand-code it for best results
12:53 < realazthat> I dunno
12:53 < realazthat> no, I think you can still use it in a blackbox manner
12:53 < realazthat> on the merkle trees
12:53 < realazthat> I can give an example
12:53 < petertodd> I'm interested
12:53 < realazthat> I had this idea, I proposed it to eli, he responded that it was called "bootstrapping" and was in another paper
12:53 < realazthat> so, one huge problem
12:54 < realazthat> is that although it is succinct, Alice must take T(P) time to generate/compile the program
12:54 < realazthat> which is pretty dumb for verifying a blockchain
12:54 < petertodd> T(P) == polynomial time?
12:54 < realazthat> because, Alice wants Bob to verify the blockchain, so she must spend T(P) time to generate the program and then Bob runs it in T(P) time
12:54 < realazthat> time of program
12:55 < realazthat> P is program
12:55 < realazthat> sorry
12:55 < realazthat> so the program P runs in T(P) time
12:55 < realazthat> Alice must take T(P) time to generate/compile the program
12:55 < realazthat> this is undesirable
12:55 < petertodd> ah I see, so Alice is spending as much time compiling the program as it would take to run basically?
12:55 < realazthat> right
12:55 < realazthat> so there are several easy solutions
12:55 < realazthat> you can do it once
12:55 < realazthat> and it can be reused
12:56 < realazthat> by everyone
12:56 < realazthat> so my idea was, to do it so that it does a sqrt(|B|) of the blockchain (B == blockchain)
12:56 < realazthat> then alice spends sqrt(T(P)) to generate P'
12:56 < realazthat> P' runs on a sqrt(|B|) of the blockchain
12:56 < realazthat> and,
12:56 < realazthat> Bob runs P' sqrt(|B|) times
12:57 < realazthat> so that is essentially called bootstrapping
12:57 < petertodd> what do you mean by "does a sqrt(|B|)" of the blockchain?
12:57 < realazthat> it can possibly be done generically to any P
12:57 < realazthat> petertodd: let's say there are 100 blocks
12:57 < realazthat> P will verify 0-24
12:57 < realazthat> er
12:58 < realazthat> P' will do that rather
12:58 < realazthat> or
12:58 < realazthat> 0-10
12:58 < realazthat> w/e
12:58 < realazthat> it breaks it down
12:58 < realazthat> and Bob runs P' 10 times
12:58 < realazthat> and covers the whole chain
12:58 < realazthat> now Bob can return all the sigs
12:58 < realazthat> and input/outputs
12:58 < petertodd> right, so we've distributed the problem across multiple people
12:58 < realazthat> and thus P' is chained into P
12:58 < realazthat> well that's also possible
12:59 < realazthat> but now I am thinking just one person
12:59 < realazthat> alice and bob
12:59 < realazthat> bob will verify the blockchain in 10 sized pieces
12:59 < realazthat> then return all the sigs, inputs, outputs
12:59 < realazthat> which can be verified
12:59 < realazthat> ie.
12:59 < realazthat> P'(10,20) will verify everything from 10 to 20
13:00 < petertodd> ok, so basically because the program takes polynomial time to run, you're best off running it on a smaller dataset?
13:00 < realazthat> no
13:00 < realazthat> the reason you are better running it on a smaller dataset
13:00 < realazthat> is because the T(P) sent to Bob takes T(P) time to generate
13:00 < realazthat> now alice only needs to spend sqrt(T(P)) time to generate it
13:01 < realazthat> yet it still takes Bob ~ T(P) time to run (by breaking it down and running it on separate pieces)
13:01 < petertodd> oh, I see now, so generating the *program* has taken us less time
13:01 < realazthat> yep
13:01 < petertodd> now I get it
13:01 < realazthat> additionally
13:01 < petertodd> so it's a time/proof-size trade-off basically
13:01 < realazthat> we can remove more tradeoff
13:01 < realazthat> instead of sending the many sigs back to alice
13:01 < realazthat> she can send over a sig-verification function
13:02 < realazthat> and ask *Bob* to run the verification
13:02 < realazthat> and just get proof that the verification runs
13:02 < petertodd> yup, and return a sig proving he did so honestly
13:02 < realazthat> so now there is not a lot of communication
13:02 < realazthat> so,
13:02 < realazthat> I told you all this
13:02 < realazthat> because now you can start understanding how it would work with merkle trees
13:02 < realazthat> it's very similar I think
13:02 < petertodd> right, that's totally a merkle tree
13:03 < realazthat> you just need to verify the merkle tree works
13:03 < realazthat> not that I understand the applications of that all that well
13:03 < petertodd> interesting
13:03 < realazthat> but anyway, it is improvable upon what eli is doing now; possibly in a blackbox manner
13:03 < realazthat> this is my q to eli
13:03 < realazthat> Q: Why can't a simple 1-level recursion reduce Alice's required generation time? That is, Alice verifies a verification function was run on chained runs of a smaller task, which sum up to P? I think this can get the generation time to sqrt(T(P)). And possibly lower, if it is done with more levels of recursion.
13:03 < petertodd> and my understanding is they'll be able to make the protocol non-interactive with zero-trust in the future? IE right now my understanding is Alice needs to generate the program herself because the person doing so can cheat
13:04 < realazthat> eli: Good idea, this is known as "bootstrapping" but getting it right is far from trivial. There are a few works on the topic, such as by Paul Valiant (titled "incrementally verifiable computation"), and by Chiesa and Tromer (called "Proof carrying data and hearsay arguments") and more recently by them+Bitansky, Canetti, titled Recursive composition and bootstrapping for SNARKS and proof-carrying data.
13:04 < realazthat> mmm I know stage 1 has several undesirable properties
13:04 < realazthat> stage 2 is the sweet spot, except for alice's generation time
13:05 < petertodd> right, although, in that case alice can be the person offering up the proof right?
13:05 < realazthat> I don't remember all the undesirable properties of stage 1
13:05 < petertodd> like, I'd want you to be able to publish a proof, and I guess the program to verify that proof, showing the sacrifices were valid and formed a proper chain
13:06 < petertodd> running that proof will need to be done relatively frequently
13:06 < realazthat> ah yeah, you can basically verify anything on someone else's computer, without revealing anything with this
13:06 < realazthat> so it has many many possible applications
13:06 < petertodd> yeah, although in this case, none of the data is secret, it's just too bulk to pass around
13:06 < realazthat> yes
13:06 < realazthat> two uses
13:06 < realazthat> SNARK has a use even if it is slow on large computation
13:06 < realazthat> that it is a zero knowledge proof
13:07 < realazthat> but SCIP makes it somewhat reachably practical to do it for offloading work
13:07 < petertodd> yeah, the latter is probably more useful to bitcoin in general
13:07 < realazthat> yes
13:07 < gmaxwell> I think the offloading work cases are a bit dreaming right now.
13:07 < realazthat> hehe
13:07 < realazthat> well PoW doesn't really need it to be fast
13:08 < realazthat> so for that "offloading" it is ok
13:08 < petertodd> not many applications can trade-off a million bucks of EC2 time for less bandwidth...
13:08 < realazthat> but for some computing-market, or chain validation, then yes
13:08 < petertodd> oh... so make the SCIP computation the PoW... nice
13:08 < realazthat> yes, maybe :D
13:08 < realazthat> you can use any program this way
13:08 < realazthat> like ... something useful
13:09 < petertodd> that has so many levels of magic stacked up.... I don't think I'd trust it...
13:09 < petertodd> but it's a nice dream
13:09 < realazthat> lol
13:09 < realazthat> well if it can be done, someone's gotta do it
13:09 < realazthat> and it is just too cool
13:09 < petertodd> Always a bad thing when the security of your system depends on brand-new technology staying slow...
13:09 < realazthat> not to do :D
13:09 < gmaxwell> realazthat: verifying the pow does need to be fast... as its our hashcash anti-DOS tech. :)
13:09 < realazthat> petertodd: nah, it can be adjusted
13:09 < realazthat> mmm
13:09 < petertodd> realazthat: yes, but only if the technique to make it blazingly fast is public
13:10 < realazthat> gmaxwell: yes, that's a constants/practical matter
13:10 * realazthat so wants to get hands on codes now
13:10 < petertodd> heh, maybe it's best I don't get that code so I actually get some real work done
13:10 < realazthat> lol
13:11 < realazthat> Is there a guarantee that there is no way to generate a signature if a correct answer is otherwise found in a quicker manner than running `P`, the original program, via running `Q` instead?
13:11 < realazthat> (asked to eli)
21:05 < amiller> and if we figure out how to make fees that encourage good behavior of the utxo, then you might as well figure out how to do it for arbitrary indexes
21:05 < petertodd> I'd suggest writing some example tx's to get a feel for what makes sense - I posted one to bitcoin-dev recently actually
21:06 < amiller> just think of the whole thing as a pay-per-use key-value-store and it's a little simpler imo.
21:06 < petertodd> well, sounds like you're getting away from something that's arguably bitcoin
21:06 < petertodd> at least my opcode ideas just feel like new opcodes
21:08 < amiller> sure, i'm just saying why not include an op_fetchvalue(keylen,key) that takes basically an arbitrary string
21:09 < amiller> then you can have blockhash:restofthekey and utxo:restofthekey as special cases of just one opcode
21:09 < amiller> maybe op_rangesearch lets you automatically sweep txes or something
21:09 < petertodd> ah right - think about how you'd encode this stuff though, we want efficiency for common cases
21:09 < amiller> well you could optimistically cache at the client support keys
21:09 < amiller> if it all goes in a leveldb it hardly makes a difference
21:10 < amiller> by 'support keys' i mean likely-to-be-used-standard prefixes
21:10 < petertodd> sounds like a worst-case-avg-case-best-case attack waiting to happen
21:10 < amiller> wat
21:10 < amiller> rephrase?
21:11 < petertodd> IE, caching anything makes the worst-case different than avg and best cases
21:11 < petertodd> for security having everything the same speed is much preferable in a consensus system like bitcoin; performance can break consensus
21:12 < amiller> ok well your leveldb already caches utxos so that's present anyway
21:12 < petertodd> sure, which IMO is kinda scary
21:12 < amiller> nothing about using one opcode and key prefixes really changes that
21:12 < petertodd> hmm...
21:12 < amiller> i think you're stuck with that anyway which is one reason to think in terms of the more general case
21:12 < petertodd> well, in any case, write up an example tx for arguments sake
21:12 < amiller> k
21:13 < petertodd> amiller: here is one I did http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg02602.html
21:13 < amiller> i think i currently have two items on my "Write an example tx script or shut up" stack
21:13 < petertodd> ha
21:13 < petertodd> it was written as a semi-joke, although jdillon pointed out it actually worked, cheeky bastard
21:17 < amiller> ahh that's really cool
21:17 < amiller> you basically implement merkle tree traversal using the stack script
21:17 < petertodd> yes!
21:18 < petertodd> although read jdillon's reply, turns out it's not needed at all
21:18 < amiller> it has dup and hash and concatenate so it's actually straightforward to do that despite barely having support for anything else
21:18 < petertodd> crazy isn't it?
21:18 < amiller> yeah.
21:18 < petertodd> like, if we hadn't removed those damn opcodes, you actually could do a bunch of nifty stuff...
21:19 < amiller> yeah
21:20 < petertodd> speaking of, I figured out how you could have used codeseparator to delegate tx signing after the fact
21:20 < amiller> i wonder if traversing hash graphs in code was a main example underlying this script language actually
21:20 < petertodd> well, almost...
21:20 < petertodd> could very well be, on the other hand, could also just be satoshi quickly added a bunch of froth opcodes at the last minute figuring "why not?"
21:22 < amiller> we could probably implement an updateable tree/trie over this pretty easily
21:23 < petertodd> oh yeah?
21:23 < amiller> yeah updates aren't any harder than what you've written
21:23 < amiller> you just rehash on the way back up
21:23 < amiller> when you get back up to the top, you have a new root digest
21:23 < amiller> if you have enough reflection capability that you can place the new root digest in the txout
21:24 < amiller> you can basically make a bitcoin-script-quine
21:24 < amiller> like you could spend a txout with restrictions on how it could be spent later that way by making it propagate its own scripthash basically too
21:24 < petertodd> ah right, as in how I'm controlling the next script
21:24 < petertodd> I was going to reply to jdillon that a nice scheme would be to just have an index, and update it with +1 for each subsequent spend
21:25 < amiller> let me try to understand how you refer to txin and txout in the current tx
21:26 < amiller> GET-TXOUT-SCRIPT and GET-TXOUT-VALUE basically hm
21:26 < petertodd> yeah, semi place-holders there
21:26 < amiller> and GET-THIS-SCRIPT for that matter
21:26 < amiller> well hm.
21:26 < petertodd> I mainly wanted to get the use-case down, and explore what uses for that, before committing to what it would actually be
21:27 < amiller> so if you have EVAL
21:27 < amiller> unfortunately i think you almost-unavoidably have an infinite loop
21:27 < amiller> however if you just take a hash of the GET-TXOUT-SCRIPT without executing it it's probably ok
21:28 < amiller> do you think you'd support, like, iterating over all the txouts?
21:28 < amiller> your example references exactly the 0th one
21:28 < petertodd> Ah, I was talking about relative addressing though
21:28 < amiller> oh i see
21:28 < petertodd> I'm not even sure how to do iteration properly, or if we want to do it at all - people do like static eval.
21:29 < amiller> yeah.
21:30 * amiller stops worrying and learns to love the stack machine
21:30 < amiller> you know stacks might be the right shape of that computing model i desire
21:31 < amiller> stacks themselves are easy to merkleize and compose
21:31 < petertodd> yeah
21:31 < petertodd> oh, did I ever show you my merkle mountain range idea? IMO the most intuitive way to do an incremental merkle tree
21:31 < amiller> there's this theoretical programming language called Call-By-Push-Value lambda calculus that has stack semantics but i haven't understood it too well
21:31 < amiller> petertodd, yeah we chatted about that a bit, i have a similar idea
21:32 < petertodd> ah good, glad to see it's something people come up with naturally
21:32 < petertodd> It's pretty similar to merkle skip lists in many ways, but it's just so simple and easy to describe compared to it.
21:32 < amiller> i think the last time we mentioned it i tried to convince you it leads to a really efficient work-sampling procedure for spv clients
21:32 < petertodd> yeah
21:32 < amiller> you only need to look at the peaks of the mountain range
21:33 < amiller> the high quality information is up there with the snowflakes
21:33 < petertodd> that's one version, my one was actually more the random sampling version
21:33 < petertodd> remember there's nothing inherently special about mountain range peaks, except in the summation version
21:33 < amiller> petertodd, yeah there's nothing special about the selection condition actually being zeros
21:33 < amiller> they're equivalent
21:34 < petertodd> ah, I think you're talking about something different then
21:34 < amiller> maybe.
21:34 < petertodd> merkle mountain ranges was just the way of essentially combining multiple perfect merkle trees into one commitment
21:34 < petertodd> as the number of root digests grows, the trees merge
--- Log closed Fri Aug 02 00:00:44 2013
--- Log opened Fri Aug 02 00:00:44 2013
--- Log closed Sat Aug 03 00:00:47 2013
--- Log opened Sat Aug 03 00:00:47 2013
--- Log closed Sun Aug 04 00:00:52 2013
--- Log opened Sun Aug 04 00:00:52 2013
--- Log closed Mon Aug 05 00:00:56 2013
--- Log opened Mon Aug 05 00:00:56 2013
--- Log closed Tue Aug 06 00:00:01 2013
--- Log opened Tue Aug 06 00:00:01 2013
--- Log closed Wed Aug 07 00:00:07 2013
--- Log opened Wed Aug 07 00:00:07 2013
17:17 < amiller> i think i'm narrowing in on a composition rule for bitcoin
17:17 < amiller> this is basically an all new idea
17:18 < amiller> the most exciting part is that it seems to be an approach for having smaller networks that are secure in a different way, that compose to form a larger global network like bitcoin
17:18 < amiller> by "secure in a different way", I mean in particular secure against a *distant* attacker
17:19 < amiller> bitcoin's security model is the special case at the global extreme, where the attacker is assumed to be bounded only in power, but not bounded in proximity
17:21 < amiller> suppose you have a small local subnetwork
17:21 < amiller> and your attacker, e.g., lukedashjr, is far more powerful than you, but further away
17:22 < amiller> it's feasible you can achieve some notion of security, in otherwise the same setting as bitcoin (no PKI or trusted administrator etc)
17:23 < amiller> the approach is basically to have a best-chain-selection rule that includes *total interaction* and not just *total work*
17:24 < amiller> the massive remote mining farm can out-compute you, but it can't "out-interact" you
--- Log closed Wed Aug 07 17:25:40 2013
--- Log opened Wed Aug 07 17:25:44 2013
17:30 < gmaxwell> amiller: hm. this is starting to sound vaguely like how the darknet DHTs (cjdns, freenet) achieve security against sybils.
17:32 < gmaxwell> (a computationally unbounded attacker can produce identifiers wherever they want in keyspace to pollute the keyspace, but that only lets them blackhole nodes near them on the darknet topology)
17:34 < amiller> i don't think i understand what "on the darknet topology" means
17:34 < amiller> i think i understand cjdns pretty well, better than i understand freenet, but i could have easily just disregarded this approach to sybil defense if i wasn't looking for it
17:35 < amiller> is the darknet topology formed using latency somehow, or by friendnetting?
17:36 < gmaxwell> friendnetting.
17:36 < amiller> ahh.
17:36 < amiller> ok
17:37 < amiller> well what i'm talking about today is not friendnet, it's basically the same setting as bitcoin where you just have a general broadcast diffuser thing and no idea who's around you
09:10 < brisque> not long in both directions, probably about 30 seconds before being touchable/untouchable
09:11 < michagogo|cloud> I wish I hadn't lost my infrared thermometer
09:12 < brisque> one of those things that I've always wanted, but never had a reasonable excuse to purchase
09:12 < brisque> a FLIR camera would be optimal, one of the cheaper ones flashed with the $8000 ones' firmware.
09:14 < michagogo|cloud> brisque: I don't actually remember buying it
09:15 < michagogo|cloud> I think it was in a bag of stuff that my family had ordered online to be delivered to my grandparents in the US, since they were coming to visit us
09:16 < brisque> michagogo|cloud: I swear I've never bought kitchen towels either, but there they are.
09:17 < michagogo|cloud> Nobody knew who it was for, so we ended up just asking "who wants it?"
09:23 < brisque> michagogo|cloud: contact thermometer says 61, but it's probably higher
09:24 < michagogo|cloud>
09:24 < brisque> yes.
09:26 < brisque> seems to top out at 68 (154F), but I don't know how accurate that is.
10:16 < michagogo|cloud> brisque: Still got your BE pointed at it?
10:16 < michagogo|cloud> I just got back
10:17 < michagogo|cloud> Just started mine going
10:33 < brisque> michagogo|cloud: one sec.
10:35 < brisque> michagogo|cloud: heh, you're actually orphaning my blocks I think. my latency to the MagicCoin server is extremely high.
10:35 < michagogo|cloud> "the MagicCoin server"?
10:36 < brisque> well, my node is on a VPS quite far from my block eruptor
10:37 < brisque> 50% of my work is being orphaned before the RPC server can catch up. I suppose that's why very high frequency altcoins have troubles.
10:41 < adam3us> brisque: OMG what have we done:D... u know someone sent me an interesting psychology article which seems to indicate that the more trouble users have achieving their objective (novice or I suppose technical also) the more they ascribe value and feel involved with the result
10:42 < adam3us> brisque: so in fact an altcoin (from coingen) may actually achieve a higher market cap by putting misleading, conflicting instructions and crufty command line, no UX, crashy software with gotchas etc so then the users have to work hard on a forum to get the thing to work period.
10:43 < brisque> adam3us: presumably there's a limit to that, a sweet spot where it's difficult enough to be rewarding to the user to get it set up, but not so difficult as to be above the heads of the target user
10:43 < adam3us> brisque: then they feel a big sense of accomplishment once they get it to actually mine foobarcoins and will be reluctant to sell for low prices i guess, and maybe they build a sense of community while they are battling the poor instructions
10:43 < adam3us> brisque: probably :)
10:44 < brisque> michagogo and I bonded by simultaneously burning fingers on moderately dangerous ASIC hardware.
10:44 < michagogo|cloud> brisque: Uh?
10:44 < brisque> michagogo|cloud: haven't burnt yourself on yours yet?
10:45 < michagogo|cloud> Nope
10:45 < michagogo|cloud> Haven't touched it since plugging it in
10:45 < brisque> you're luckier than I.
10:45 < michagogo|cloud> heh
10:45 < michagogo|cloud> Also, I think I'm not orphaning *all* of your blocks
10:45 < michagogo|cloud> One just got rejected, according to bfgminer
10:45 < brisque> adam3us: that is interesting though, there's a lot of psychology going on with altcoins that I find fascinating
10:46 < brisque> michagogo|cloud: certainly, but you end up with a significantly higher proportion of hashrate due to the way I've got my network set up. we'd be even if not for my latent RPC connection.
10:46 < michagogo|cloud> Right, probably
10:47 < adam3us> brisque: dogecoin and shitcoin ... whatever you do - the users STILL mine the heck out of it! call it pyramid coin or scam coin, or dont mine this coin, i bet they'll still mine it
10:47 < michagogo|cloud> A:76 R:13
10:47 < brisque> A: 41 R: 22
10:47 < michagogo|cloud> brisque: Have you got reorgs in your debug.log, then?
10:47 < brisque> adam3us: because there's the mentality that something has got to make them rich, I suppose.
10:48 < michagogo|cloud> Balance: 2850.00 MGC
10:48 < michagogo|cloud> Immature: 3950.00 MGC
10:48 < brisque> michagogo|cloud: no, what's happening is you're outstripping me and then the getwork submission gets rejected due to the latency
10:49 < michagogo|cloud> brisque: So how come it's not A:13 R:76?
10:49 < brisque> if we were both mining with 0 latency then we'd get reorganisations presumably
10:49 < michagogo|cloud> or something?
10:49 < brisque> couldn't tell you, I'm going on my best assumptions given what I'm seeing (rejects but little if any reorganisations)
10:50 < adam3us> brisque: seems likely the motivation for almost everything except bitcoin itself which languished at < 1c value for years. there are some coins with interesting features and actual thought. but even amongst those it's often accompanied by a mass premine or other demonstration of unsustainable greed that probably would kill the coin / share.
10:50 < michagogo|cloud> brisque: oh, of course
10:50 < michagogo|cloud> wait, no
10:50 < michagogo|cloud> nvm
10:51 < brisque> I also seem to be wasting work, my BE will get two results in a second and only one will make it into a returned block. it never got the time to get the work for the next block.
10:51 < michagogo|cloud> Interesting
10:52 < brisque> adam3us: it's possible that there's interesting thought in there, but it's outweighed by the number of people just flooding useless coins with creative names and marketing.
10:53 < adam3us> brisque: yes that's why the coingen idea is so interesting (and entertaining)... maybe it'll squelch the silly coins and leave room for actual innovation.
10:56 < brisque> adam3us: I guess we will see how it plays out. the comments on the little-too-soon post on reddit.com seem to imply that there's demand but they don't want to pay $200 for it, implying that they would like to for less cost.
10:56 < adam3us> brisque: i would say do it for $0.
10:56 < adam3us> brisque: the whole point is to get lots of alt-coins. make money by giving them a free listing on an alt-to-alt exchange.
10:56 < jgarzik> adam3us, RE "i bet they'll still mine it" -- some people who consider themselves wizards (note: they typically aren't) run bots that auto-switch across any new coin that appears, scam or not. "scamcoin1" and "scamcoin2" are just two more entries in a bot's working list. And In Theory(tm), the bots will notice when profitability is possible, or not.
10:57 < brisque> adam3us: I'd personally make it a small barrier, then you've proved somebody has 0.01BTC of faith in the system or whatever the value will be.
10:58 < brisque> adam3us: helps bluematt cover his server bills too, I imagine compiling lots of altcoin binaries gets boring for it after a period.
10:59 < adam3us> brisque: yeah, 0.01btc or even .001btc ought to do it.
10:59 < adam3us> brisque: you probably have to do some kind of anti-DoS or someone will script it.
11:00 < brisque> nobody would script something you have to pay for.
11:01 < adam3us> brisque: yes that's my point. well they might if they figure their bot can script, then mine, flip on the included alt-alt exchange and repeat :) but that's ok if it covers server bills
11:01 < brisque> I'm sure $10 a coin would be worthwhile for bluematt to churn out
11:02 < adam3us> brisque: it's just cpu for some minutes. probably with a bit of tweaking it could be incrementally compiled -- diffs isolated
11:04 < michagogo|cloud> It's not very useful in its current form
11:04 < michagogo|cloud> It kinda needs more in the way of options
11:04 < brisque> I'm sure he'll get to it.
11:05 < michagogo|cloud> brisque: I think you're getting a bunch
11:05 < michagogo|cloud> My immature balance is hovering around 3000-3500
11:05 < brisque> 14k coins matured, heh
11:06 < michagogo|cloud> If I were getting all the blocks, it'd be 5000 flat
11:06 < michagogo|cloud> or maybe 6000
11:06 < adam3us> michagogo|cloud: yeah i think it needs a premine amount choice, block interval, retarget interval, inflation/deflation choices
11:06 < brisque> I'm sure he'll be happy to add features for additional fees
11:06 < michagogo|cloud> adam3us: premine?
11:06 < adam3us> michagogo|cloud: maybe a hard fork option (like protoshares did)
11:07 < michagogo|cloud> Just mine a bunch before you release it
11:07 < brisque> michagogo|cloud: it's the hip altcoin thing. a bit of mining before the public release to make sure the owner gets rich.
11:07 < adam3us> michagogo|cloud: yeah u know mirror the choices made by various alt-coins. some of them are hugely premined, it saves electricity
11:07 < michagogo|cloud> (also, it probably needs an option to keep it private, or at least unlisted)
11:07 < adam3us> brisque: yes but for some reason even quite large premines don't seem to discourage miners much :)
11:08 < adam3us> brisque: apparently 100% proof of stake doesn't seem to deter people either (nxt?) don't think they thought that through at all
11:09 < adam3us> brisque: oooh and exodus model. need an exodus model. but on an alt chain, can't spam the bitcoin block chain. i think nxt has that also (there was 21 btc sent to the exodus address with 100% proof of stake model!)
11:09 < adam3us> brisque: apparently solidcoin was a gold mine of interesting params, though I missed that fun :)
11:09 < brisque> you're thinking too detailed. this is quite a simple premise; no thought was involved.
11:13 < amiller> it's fun to see a crisis of participation in this new world, rather than non-participation :o
11:15 < brisque> michagogo|cloud: it's been fun making magic with you, but my VPS is about to be destroyed.
11:15 < michagogo|cloud> Why?
11:16 < brisque> I've had my fun, I don't see any use in keeping the instance any longer
11:16 < michagogo|cloud> oh
11:16 < michagogo|cloud> I misunderstood you
11:22 < TD> they exert pressure in the right direction, but someone still has to do all the work to create an actually better situation :)
11:23 < gmaxwell> the concern with things like the nseq in my mind isn't the incentives so much as the vulnerability of it like betcoin taking unconfirmed payments.
11:24 < TD> we lack tools, documentation and experience to help business do risk analysis. but over time i expect risk analysis to play a bigger and bigger role in bitcoin
11:24 < TD> like, where the block chain becomes a very strong signal that is nonetheless blended with others
11:24 < TD> betcoin took a bet and lost
11:25 < gmaxwell> sure, 99.99% of the time it'll be great. But in that remaining 0.01% ... watch out. Attacks aren't random though, at least when non-trivial amounts are involved a probabilistic approach doesn't always work well.
11:25 < jtimon> TD: "the value of their money" you assume miners are always at the same time btc speculators, they can just sell them
11:25 < TD> businesses all have to do crazy risk analyses today to accept existing forms of payments, it's not really an alien concept for them. so we'll see. next dice site will have to weigh up the prospect of being double spent, at least until/unless the mining situation improves
11:25 < TD> jtimon: for how much?
11:26 < TD> jtimon: all miners are speculators to some degree because they have amortised costs
11:26 < jtimon> like saying "bitcoin can't work because miners have incentive to merge together and then do 51% attacks to double spend" <--
11:26 < jtimon> no, it works because it's easier and more long term for them to just make money out of honest mining
11:26 < gmaxwell> of course if you're able to trust the payer... why even bother with fancy protocols. "Pay me what you owe eventually."
11:26 < TD> jtimon: in theory a miner who has paid off all his hardware and has no electricity/ongoing costs wouldn't care what the price is indeed. but i guess that won't be true for a long time
11:26 < TD> well that's what in practice we do already with unconfirmed transactions.
11:27 < TD> the block chain has a sweet spot where it's really useful and appropriate. other times it's not so helpful
11:29 < TD> though i'm kinda looking forward to the day that people are dropping nitrogen-cooled ASIC farms into the middle of the desert with a solar farm next door
11:30 < jtimon> well, don't want to take my description as assumptions, just wanted to point out that you're assuming too much about miners but...
11:30 < jtimon> when you compare capital, say a pub, a building and a mining rig
11:31 < TD> we don't know if i'm assuming too much or not because we never got a chance to try. the feature was disabled due to DoS/surface area risks a long time ago.
11:31 < TD> perhaps one day we'll get a chance. in the absence of a killer app for the feature though, it's a bit hard to justify right now
11:31 < jtimon> you compare them by capital yield, doesn't matter if you're doing it with your own money or with borrowed money
11:31 < jtimon> if it's your money you don't have more incentive to accept low yields
11:32 < jtimon> you could lend/invest more profitably somewhere else
11:33 < jtimon> TD: I mean you're assuming too much about miners by assuming they keep the btc for more than 100 blocks
11:33 < TD> my assumption is really just that they care about the price
11:33 < TD> which is pretty basic, yes
11:35 < jtimon> my assumption (another simplification of reality) is that they care about yields and only indirectly about price, I don't know about their preferred unit of account, tend to assume it's fiat
11:35 < jtimon> anyway, they won't destroy bitcoin by taking the higher fee when receiving double-spends
11:35 < jtimon> with or without seq
11:36 < jtimon> and if seq relies on that, well, then it is not very secure
11:36 < TD> of course they would
11:36 < TD> that would be the absolute worst thing miners could do
11:37 < TD> no unconfirmed transactions? watch the price collapse
11:37 < jtimon> why?
11:37 < TD> many miners would never make back their ASIC investments then 11:37 < jtimon> mhmm 11:38 < jtimon> what satoshi proposed for "unconfirmed transactions" were services that contracted with pools to connect directly with them I think 11:38 < jtimon> it's in the snack machine thread I think 11:39 < TD> no 11:39 < jtimon> killerstorm also says that the high "frequency tunel" use case doesn't need seq 11:39 < TD> in the snack machine thread he pointed out merely that the cost of double spending would be higher than the value of the snack 11:39 < TD> and that it could listen for double spends on the network anyway 11:40 < TD> it doesn't need tx replacement as long as the micropayment channel flows in one way direction 11:40 < TD> if you want more flexible arrangements it does. 11:40 < TD> fortunately for many interesting applications, one direction is enough 11:41 < jtimon> TD https://bitcointalk.org/index.php?topic=423.msg3867#msg3867 11:41 < jtimon> "No, the vending machine talks to a big service provider (aka payment processor) that provides this service to many merchants. Think something like a credit card processor with a new job. They would have many well connected network nodes." 11:41 < TD> any node can do that. pools didn't even exist back then 11:42 < TD> so he obviously wasn't talking about contracting with pools 11:42 < TD> :) 11:42 < jtimon> correct he didn't said pools, just well connected 11:42 < TD> once double spend relaying is done, you won't even need to be very well connected 11:42 < TD> so this is not really a big deal 11:42 < jtimon> maybehe was thinking about mining farms? 11:43 < jtimon> "double spend relaying" I'm not sure that's really secure 11:43 < TD> he said what he was thinking of - a service provider that performed the job of watching for double spends 11:43 < TD> why not? 
11:43 < jtimon> if it was secure we wouldn't need PoW 11:43 < TD> i think you're confused 11:44 < TD> double spend alerts tell you that there has been a double spend. it does not tell you which spend will win. 11:44 < jtimon> oh, sorry 11:44 < jtimon> I thought it was some of those proposals to "prvent double spending" 11:45 < jtimon> I think there's even a paper about that 11:45 < TD> no, i said "double spend relaying" 11:45 < jtimon> sorry again 11:45 < TD> np 11:46 < adam3us> so about (2-way) pegged side-chains again. the security insulation from not accepting more coins than moved, is good. but i think to avoid eg fractional reserve building up in the side-chain, i think the SPV proof needs history back to the coin migration? 11:47 < jtimon> TD I still think future miners will just mine the highest fee transaction (even with double spend relay) 11:47 < TD> *shrug* and i think you're wrong. guess we're done :-) 11:48 < jtimon> adam3us: preventing fractional reserve? I must have missed something about the proposal... 11:48 < jtimon> TD hehe, yes, well we can detail how each other see the future 11:48 < adam3us> jtimon: well that is not part of the proposal, i'm thinking of the min requirements to prevent it happening. the code in the side chain is subject to change 11:49 < jtimon> TD I think instant transactions won't be in-chain because in-chain transactions will be expensive 11:49 < jtimon> TD in-chain will be used for debt settlement mostly 11:49 < adam3us> jtimon: that assumes we cant make it scale quite a bit more. 11:49 < TD> these conversations are all years old 11:49 < TD> tbh i'm tired of them 11:49 < TD> back in 2010 it was interesting 11:50 < adam3us> petertodd: is the man to wind up for game-theory arguments. 11:51 < jtimon> adam3us I think we can make it scale it more, just not enough to process all the world's transactions 11:51 < jtimon> adam3us which I also predict will be many more in the future 11:51 < adam3us> jtimon: i am not sure. 
maybe pegged side chains offer another flexibility. 11:53 < jtimon> adam3us: still if each node processes the whole world transactions, there won't be many full nodes 11:53 < jtimon> or miners 11:53 < adam3us> jtimon: think multiple side-chains, maybe shard the transaction set 11:53 < petertodd> jtimon: the scalability future will be in blockchains that are sharded, and it's feasible to "process the worlds transactions" with such structures 11:54 < jtimon> we advocate for private chains, though the most promising scalability improvements can only come from more data being directly exchanged between parties without toughing the chain 11:55 < jtimon> petertood: yeah something like sharding could make me wrong, but I'm unconvinced that's feasible for now 11:55 < jtimon> not that I don't think about that myself 11:55 < petertodd> jtimon: I disagree there, off-chian is a nice safe way to get better scalability, but I think the best is to reduce the consensus "size" required 11:55 < TD> it's already done: alt coins 11:56 < petertodd> indeed it is, what's interesting is how to better integrate multiple chians into a cohesive whole 11:56 < jtimon> TD altcoins are very wasteful the way they are right now, they're just highly subsidized by seignoriage greed and stupidity 11:57 < TD> the p2p chain-trade thing would seem to be the best way. not that anyone is really exploring it properly 11:57 < TD> jtimon: so they take some of the stupid-load off the bitcoin chain. 
win :-) 11:57 < petertodd> jtimon: though also I see *no* reason to think you can get fast, let alone instant, consensus requried for retail payments 11:57 < jtimon> just adding more altcoins doesn't scale, not even with merged mining, miners still need to process everything 11:58 < TD> jtimon: what i was thinking is that the world could shard into eurocoins, americoins, or by subject (bitcoins for the internet, corpcoins for big corporate payments, etc) 11:58 < TD> jtimon: then you'd have exchange rates between them. but that's painful. 11:58 < TD> easier to scale the tech, i suspect 16:04 < amiller> the simplest way to implement fwd validation i think is to have new opcodes like OP_PUSH_TXOUTS that load the txouts from the transaction-currently-undergoing-validation into the validation stack 16:05 < amiller> and OP_PUSH_TXIN i guess too 20:57 < jgarzik> fork success! bitcoind starts up and shuts down a new process, complete with pipe RPC. Of course, just a skeleton that does nothing useful at all. But it forks! 20:57 < jgarzik> RPC (IPC?) has one command at the moment, BCE_SHUTDOWN_REQ 21:26 < gmaxwell> lol 21:28 < HM> jgarzik: you're working on a new RPC implementation? 22:12 < jgarzik> HM: no, adding fork() separation between the network code and "everything else" (RPC/wallet) 22:12 < warren> nice! 22:13 < HM> jgarzik: eh? but won't the 2 forks need to communicate via their own RPC mechanism? 22:13 < jgarzik> HM: well, ok, I guess you can call that a new RPC implementation. But it's not a public RPC interface, but a private, inter-process communication interface. 22:14 < HM> right 22:14 < HM> you could make use of network namespaces as well 22:14 < HM> put the main process in to its own network namespace so it can't talk to the outside world 22:14 < HM> interesting little project anyway, cool beans 22:15 < jgarzik> the "everything else" process (wallet/GUI/JSON-RPC) is the master process, and the "blockchain engine" is a sub-process of that main process. 
22:15 < HM> right 22:15 < jgarzik> blockchain engine manages the P2P network code, and the blockchain dataset 22:15 < jgarzik> BCE might be chroot-able, as well as enabling things like network namespaces 22:18 < sipa> discussion idea: peer rotation; this is something gmaxwell and I have been discussion a long time ago, and the idea is this: instead of always maintaining 8 outbound connections, after timeout N, start attempting creating a 9th connection anyway, and when it works, disconnect one of the existing one. This should make the network much more dynamic and less deterministic, and more quickly crawl through existing peers. For selecting the peer to... 22:18 < sipa> disconnect, the idea is to aim for an "exponential distribution of connection times", so have some connections that live very shortly, and some that live for very long. Some simulations have shown that giving each outbound peer a chance proportional to its connection_time^(-0.8) would approximately achieve that nicely, ideally combined with some health metrics per-peer as modified to prevent disconnecting the peer that relays most blocks... 22:18 < sipa> first, for example 22:19 < HM> sounds sensible 22:20 < HM> jgarzik: i think the RPC mechanism needs overhauling. process separation would potentially make way for an RPC v2. 
I've already been toying with a proxy for Apache Thrift that layers over the existing HTTP JSON RPC 22:21 < sipa> the problem is that RPC does interaction with multiple fundamentally different components 22:21 < sipa> it does interaction with the blockchain, the network, and the wallet 22:21 < sipa> while ideally, each of those would have a single interface that can be used for both interaction with humans and with other components 22:22 < HM> well, Thrift just got service multiplexing committed to git 22:22 < HM> and it supports about a dozen languages 22:23 < HM> the drag for a lot of these marshalling formats though is that bitcoin inherently deals with a lot of custom binary data 22:23 < jgarzik> sipa: indeed 22:24 < jgarzik> sipa: a big part of my task here is "drilling holes" -- creating internal IPC calls from RPC server into the blockchain process, and back again 22:24 < jgarzik> sipa: e.g. getconnectioncount, for a simple example --- Log closed Mon Apr 01 00:00:15 2013 --- Log opened Mon Apr 01 00:00:15 2013 14:08 < amiller> ok i've roughly worked out the missing part of my authenticated data structure library 14:08 < amiller> the key thing is a type system for algorithms/queries 14:09 < amiller> and a rule for deriving the security claim from the type 14:10 < amiller> the minimal type codes to include are one for normal types, one for 'authenticated' types, and an arrow type combinator 14:11 < amiller> so like insert :: Term (Base Int --> Auth Tree --> Auth Tree) 18:32 < petertodd> away --- Log closed Mon Apr 01 19:40:52 2013 --- Log opened Mon Apr 01 19:41:09 2013 23:34 < jgarzik> re FinCEN and IRC bots... 
https://bitcointalk.org/index.php?topic=158138.msg1718975#msg1718975 23:34 < jgarzik> I wonder if it could be as easy as registering with FinCEN, and proactively looking for suspicious activity 23:35 < jgarzik> with an IRC bot doing micropayments, ideally you could figure out ways to limit large flows, split into small chunks 23:41 < petertodd> Interesting. Sounds like there isn't anything directly saying anonymity can't be baked it, AKA chaum. 23:42 < petertodd> Of course, that can change in an instant... 23:43 < petertodd> The bit about "mining as a business" is worrying though. Sounds like they could argue the miner should be verifying suspicious transactions they mine. 23:47 < jgarzik> petertodd: perhaps; it read like the poster's speculation more than FinCEN opinion, to me 23:48 < jgarzik> and it looks like US state of New Mexico does not require a money transmitter license 23:48 * jgarzik wonders about NM escrow laws 23:51 < petertodd> of course, worrying about local laws may prove fatal if it turns out your customers weren't local 23:59 < jgarzik> As a US citizen I would mainly worry about myself complying with local law. Customers are expected to comply with their jurisdiction's laws. I'd make a good faith effort to limit accounts to tiny amounts, file suspicious activity reports if any is seen, and shut down activity if it seems suspicious. --- Log closed Tue Apr 02 00:00:16 2013 --- Log opened Tue Apr 02 00:00:16 2013 00:02 < petertodd> Yeah, hopefully... At least it does make it likely that I could safely, say, sell remote attestation capable hardware security modules. If being a money transmitter might be legal, selling some fancy hardware that doesn't even have the software to transmit money should be too. 00:03 < jgarzik> Being a money transmitter is definitely legal. You just have to jump through the hoops. ;p 00:03 < petertodd> Heh, well, Canada's MintChip thing looks totally serious... 01:12 < jgarzik> hmmm. 
I wonder how to route cgminer transparently over Tor 01:13 < gmaxwell> making all accounts require an instant refund address so the service could be trivially shut down might help. 01:14 < warren> some exchanges have that 01:14 < warren> and mining pools 01:14 < jgarzik> ah, excellent. socks4 proxy option in cgminer. 01:16 < gmaxwell> superior to multibit. :P 06:32 < warren> sipa: nice to see C-ify done. unfrotunately past sprint break now. I will be crushed with school until April 29th then I'm free 06:33 < warren> sipa: if you aren't totally done by then, it would be helpful if you could add to the TODO list what you would like the full openssl replacement API's to look like. 08:14 < lumos> amiller, http://steve-yegge.blogspot.co.uk/2010/12/haskell-researchers-announce-discovery.html 09:56 < sipa> warren: :) 09:56 < sipa> warren: i hope by then, that won't be needed anymore 15:39 < jgarzik> "because you might be interested" disclosure... renting out my Avalon to ucsd.edu botnet researchers. miner -> ucsd getwork proxy -> botnet "black" mining pool. exMULTI is contracting with ucsd, clearing their legal dept etc. 15:39 < jgarzik> (exMULTI is my one-person microbiz for all things bitcoin) 15:40 < jgarzik> for expected-daily-BTC plus 1% 15:47 < amiller> lol, cool. 15:48 < amiller> i don't see how the mining power helps them do anything with botnets 15:48 < amiller> oh i see 15:49 < amiller> there must be some bitcoin mining equivalent of the "affiliate marketing program managers" for spam 15:49 < amiller> that they want to study 15:50 < amiller> but with spam, the affiliate marketing program provides extra service like dealing with the supply and shipping, but its' comparably straightforward to just run your own mining op... i guess not if you include cashing out the money 22:53 < warren> I suppose this happens every month ... in the last two days, somebody forked bitcoin-0.8.1 and launched a new coin that just used string replace on everything. 
22:53 < warren> Then somebody did the same for litecoin-0.6.3 22:55 < sipa> which name? 22:56 < warren> https://bitcointalk.org/index.php?topic=164569.0 sha256 fork of 0.8.1. https://github.com/bryan-mills/bytecoin 22:56 < warren> I'm guessing a single avalon could crush it in a few minutes 22:58 < jgarzik> warren: did they change genesis block and pchMessageStart, I hope? 22:58 < warren> I didn't look deep enough 22:58 < jgarzik> we should put a "if making your own coin, change these things AT LEAST" doc in bitcoin repo 22:58 < gmaxwell> they did, thats about all they changed. 22:58 < warren> I'm guessing this could be merge mined if anyone cared. want to ruin their day? 23:01 < warren> gmaxwell: http://radon.gdries.nl:6327/static/ 23:03 < warren> If that p2pool readout is accurate, almost the entire coin is this p2pool node. 23:03 < gmaxwell> warren: you can't merge mine something that isn't designed for it. 23:05 < warren> this p2pool looks doctored to give fake numbers 23:10 < jgarzik> Trivia: bASIC guy emailed me, asking for personal advice on the following subject: if you paid X BTC (worth $Y) for a device, MUST the refund be X BTC (now worth $Y * 10)? 23:10 < jgarzik> completely random. never corresponded with him personally before, even during bASIC purchase process. 23:27 < gmaxwell> poor guy. He's been slowly refunding people $Y worth... which is an amount decreasing by the day. 23:29 < warren> what happened with bASIC? I wasn't around. 23:38 < jgarzik> warren: dunno the inner workings. He took pre-orders, then the project failed. Long pause, CC refunds, long pause, BTC refunds trickling out. 04:56 < BlueMatt> gmaxwell: implementation detail: do you require the side-chain be merged-mined? 04:56 < justanotheruser> BlueMatt: seems like that would be ideal 04:56 < TD> good evening guys 04:56 < gmaxwell> BlueMatt: I don't think bitcoin should require that, though it would probably be pretty darn prudent. 
04:57 < BlueMatt> hi TD 04:57 < gmaxwell> BlueMatt: at least my thought is really "just add enough so that bitcoin can verify a sutiable proof, and then you can build anything out of that which you can make fit" 04:57 < gmaxwell> HI 04:57 < sipa> TD: timezone deficiency? 04:57 < TD> evening for them. morning for us :) 04:58 < gmaxwell> BlueMatt: so while it might be _wise_ to merge mine it, and perhaps there are some optional strenghtening things that could be done, I don't think it would make sense to require it. 04:58 < sipa> ah, right 04:58 < BlueMatt> gmaxwell: makes sense 04:58 < TD> lol 04:58 < TD> "Since we're generating the points randomly, I'm going to ignore the first condition because it happens far less frequently than malfunctions in the CPU instructions that I might use to detect it." 04:58 < TD> i think i'm going to remember this excuse for ignoring edge cases, for the future :) 04:58 < sipa> link? 04:58 < TD> https://www.imperialviolet.org/ 04:59 < TD> agl talking about implementing elligator for curve25519 04:59 < gmaxwell> e.g. ideally the pubkey could specify the proof geometry required with enough flexibility that you could merge in something rather throughly unlike bitcoin. 04:59 < justanotheruser> sipa: seem into producing acronyms... 05:00 < gmaxwell> BlueMatt: though annoyingly some of the already existing altcoins can't have compact spv-like proofs. :( 05:00 < justanotheruser> gmaxwell: scryptcoins? 05:00 < TD> how did they manage that? 05:01 < TD> justanotheruser: no, scrypt based coins still use sha256 for the merkle tree 05:01 < BlueMatt> gmaxwell: meh, I dont care about current altcoins that do dumb things, I want to enable actual innovation, not knob twiddling 05:01 < TD> says the guy behind coingen.io :) 05:01 < justanotheruser> TD: but how do you verify the PoW without including scrypt into bitcoin or implementing scrypt in a bitcoin script? 
05:02 < BlueMatt> TD: yes, hopefully it will saturate the market with knob twiddling and people will get bored of it 05:02 < gmaxwell> TD: well PPC's proof of stake stuff appears to need a (mostly) unpruned blockchain history to validate. And a primecoin headers look like they're a couple kilobytes and need primality testing?! 05:03 < TD> gmaxwell: surely even in proof of stake, transactions are in blocks and arranged into a merkle tree though? 05:03 < TD> or you mean you can't just download headers at all 05:03 < gmaxwell> TD: you need to prove it hasn't been spent. 05:04 < gmaxwell> well they have no getheaders p2p messages either, but thats an aside. :P 05:05 < gmaxwell> basically at least as PPC is now, I don't think you can extract a compact proof that a header is valid. maybe you can get close enough by extracting the transactions and assuming they weren't subsiquently spent, but I dunno, since there is no POW on those blocks attacking is cheap. I honestly haven't thought about it much. 05:06 < gmaxwell> at a minimum it's complicated. 05:07 < sipa> maybe we should write a "if you're going to create an altcoin, think about:" document 05:08 < BlueMatt> sipa: yea, think about: "2-way pegged value" 05:08 < sipa> listing some of the easy-if-we-knew-it-at-the-start ideas like p2sh only, or simplifying script, or having amounts in the signature hash 05:08 < sipa> and concerns like compact proofs 05:09 < sipa> oh and maybe explain the reason for block times being slow 05:10 < gmaxwell> sipa: dunno that it would help, couldn't hurt. I say I don't know because of how they've responded when encountering problems. 05:11 < BlueMatt> for current-gen alts, its sure to make no difference 05:12 < gmaxwell> (e.g. the general response has been to do something even dumber) 05:12 < BlueMatt> for people making real alts (maybe, though I'm very unconfident) coingen will help 05:14 < gmaxwell> e.g. 
feathercoin had instability and attacks in due to some of their parameter choices, their response was to pay the ppcoin person to license "advanced checkpointing" from ppc (developer broadcast "checkpoints"). 05:15 < Taek42> are people licensing cryptocurrency ideas now? 05:16 < _ingsoc_> BlueMatt: Lol. 05:16 < gmaxwell> thats the only incident of it that I'm aware of. 05:16 < TD> i never liked p2sh only as an idea. 05:16 < gmaxwell> unless you count coingen.io 05:17 < gmaxwell> It's certantly something I'd do when starting from scratch. Opinions may differ. 05:17 < TD> ethereum might evolve into an interesting alt 05:17 < TD> gmaxwell: well, it'd rule out things like OP_RETURN tagged outputs and the like, which people have found uses for. 05:18 < gmaxwell> TD: yea, the ethereum warez site agent is totally going to be popular. :P 05:18 < TD> is that actually on their website? 05:19 < gmaxwell> TD: no reason that it would preclude having a no index flag (or really just a seperate field in transactions for aux data). 05:19 < gmaxwell> TD: no, I was kidding, but it seemed to follow naturally from the description of it I read. :P 05:19 < TD> you saw payfile, right? :) 05:19 < sipa> what is ethereum? 05:19 < gmaxwell> TD: you couldn't tell for sure though 05:20 < TD> gmaxwell: that's true. you could extend the tx format at the same time. 05:20 < gmaxwell> sipa: vitalik altcoin based on turing complete script. 05:20 < gmaxwell> doesn't exist yet as far as I know. 05:20 < sipa> ah 05:20 < gmaxwell> a bunch of the design decisions wouldn't be ones I would have made but. ::shrugs:: 05:21 < gmaxwell> sipa: in particular it's supposted to support being able to upload code into the network which the network runs triggered by events e.g. independantly of transactions, which can do things like create transactions. 05:21 < sipa> ewww 05:21 < TD> hah 05:21 < gmaxwell> and a handwave at fees to pay for it, without any consideration of the incentives around that. 
05:22 < gmaxwell> Yea, my response too. But at least its different. 05:22 < TD> right. hence me thinking it's the most interesting alt, even if i also think it's unlikely to work 05:22 < TD> but we'll see 05:22 < gmaxwell> be nice or I'll suggest they name one of their currency units after you. 05:22 < nsh> nobody talks about Dr Frankenstein advanced the field of medicine 05:22 < nsh> +how 05:23 < gmaxwell> http://demotivators.despair.com/demotivational/mistakesdemotivator.jpg 05:23 < TD> the guardian did a nice article on alt coins. i banged the drum about how they demonstrate the fundamentally democratic nature of crytocurrencies 05:24 < TD> so coingen and other joke alts are not entirely useless. they educate people about the tech and more importantly, make BlueMatt a lot of money 05:24 * nsh smiles 05:24 < gmaxwell> Sadly alt's don't work too well as education on what not to do, just like invent your own blockcipher usually doesn't because they usually don't reach the point where they justify a serious attack, but oh well. 05:24 < TD> well, that's education of developers. i'm thinking of education of users. showing how bitcoin developers are not simply the new central bankers 05:25 < TD> http://www.theguardian.com/technology/2014/jan/07/bitcoin-me-how-to-make-your-own-digital-currency 05:25 < gmaxwell> TD: hey, I strongly promoted that idea. I'm all for it. I also suggested it to people who wanted to "fight" altcoins as the fair and ethical way to do so... "we think these things are pointless, well it's not fair to stop them, but lets reduce the friction that makes making a pointless altcoin profitable." 05:26 < gmaxwell> TD: did you see the fallout from the launch of the 'conya' coin? (or however its spelled?) 05:26 < gmaxwell> coinye 05:27 < warren> gmaxwell: I'm guessing ICANN procedure to get the domain taken away will be tried next 05:27 < gmaxwell> yea probably. 05:27 < gmaxwell> did you see they were having zillion block reorgs? 05:28 < sipa> who? 
05:29 < TD> i saw that kanye's lawyer was trademark-whacking them. lol. 05:29 < gmaxwell> coinye coin. another purpusfully dumb coin, but it started out with about 1/1000th of the initial difficulty it should have had. 05:29 < TD> and the anonymous authors response was basically to wave two fingers at them and say they'll bump up the release date 05:29 < gmaxwell> (they basically released a password to unlock the software at some time with enormous hype) 05:30 < sipa> eh? 05:31 < warren> if they were anonymous devs, with people unable to examine the software before the launch of mining, they could have included a trojan to steal <real coins> 05:31 < warren> lots of idiots would rush in 05:31 < gmaxwell> and now pools that lost the reorg wars have shuttered and people are angry that they're not getting paid. 05:31 < warren> and they would cash out in an unexpected way 05:31 < Taek42> warren sounds like something worth trying 05:32 < BlueMatt> warren: I'm honestly surprised we haven't seen more of that 05:32 < gmaxwell> it was only released a couple hours ago and has like 5000 blocks. 05:32 < gmaxwell> BlueMatt: esp now that some of these exchanges will happly add brand new coins. 05:35 < gmaxwell> is it just me or is bc.i switching to USD every time other people follow a link to it? 05:36 < sipa> experienced that as well 05:40 < michagogo|cloud> gmaxwell: not just you 05:54 < warren> BlueMatt: to avoid that someone could release all the code except for the genesis 05:54 < gmaxwell> I believe thats how ltc was launched. 05:55 < gmaxwell> https://bitcointalk.org/index.php?topic=404888.0 < fwiw, I posted asking about bc.i's switching 06:06 < TD> sigh. we need to beat some rationality into the fees market 06:19 < warren> TD: the way we rolled out 20x lower fees might be feasible (albeit very dumb) 01:49 < petertodd> the storage providers will look at the sum of potential earnings, and buy enough storage to take advantage. 
01:49 < petertodd> yes, you can pay more to make it more likely the providers will bother. 01:50 < petertodd> (the real issue: who knows what the btc/GiB ratio will be) 01:50 < amiller> i think it's going to turn out to be even more of a challenge when defining what the retrieval costs are supposd to be 01:50 < amiller> i really like this one extreme example, Amazon glacire 01:51 < amiller> https://aws.amazon.com/glacier/ 01:51 < petertodd> retrieval costs don't need to be defined, that ones actually a bidding process you realize 01:51 < petertodd> I've got ~300GiB there 01:52 < petertodd> big spender I know 01:52 < amiller> have you ever retrieved it 01:52 < petertodd> not all of it 01:52 < amiller> heh, do you ever probe it with PoR's effectively 01:52 < petertodd> I know the fees are crazy if you want it fast 01:52 < petertodd> lol 01:53 < petertodd> I rely on others to do that for me :P 01:58 < amiller> so 01:58 < amiller> in the case of bitcoin, you rely on mining nodes to do full validation 01:59 < amiller> an individual SPV client may only care about checking the total amount of work, which basically makes it expensive to overwhelm with effort, whether it's valid data or not 02:00 < amiller> for a complicated transaction of mine i think i should only expect the whole global network to do something like SPV style validation before deciding to release my funds 02:00 < amiller> although i would probably be interested in doing the more complete validation 02:00 < amiller> or i dunno hiring a smaller number of people to do this validation at lower cost, but not globally 02:00 < amiller> do i get anything by having a larger network do cursory SPV validation 02:00 < amiller> vs only having a small network do full validation? 
02:01 < amiller> with merge mining, there is no validation 02:01 < amiller> from the big network to the smaller one i mean 02:03 < amiller> i think the important thing about SPV validation is that work that passes SPV can't also be repurposed to achieve anything else 02:03 < petertodd> why have all that complexity? why not focus on ways to make the transactions small as much as possible? 02:03 < petertodd> only do fancy stuff when you get desparate, and that fancy stuff can happen in a different chain dedicated to it with correct incentives, releasing funds via oracle or something 02:04 < petertodd> look how for the data storage example the proofs actually aren't all that bad 02:05 < amiller> oracles are just another fancy name for TTP 02:05 < amiller> in any case... 02:05 < amiller> well the fancy stuff happening in a dedicated chain 02:05 < amiller> correct incentives.. what do you mean? 02:06 < amiller> that's kind of what i have in mind 02:06 < petertodd> who knows? 02:06 < amiller> that's why this is a compositionality thing 02:06 < amiller> how can i use the Big Network's safety and stable money, as an incentive in my celebration-of-random-strings altchain 02:06 < petertodd> now, what I want you do to, is write down a quick summary of how op_blockhash and op_blockheight helps you in this goal, so we can get an idea of the uses for new opcodes and start figuring out what is worth implementing 02:07 < petertodd> because you have Yet Another Example of a cool and useful thing we can do 02:07 < amiller> i want to be able to define SPV validation for another chain! 02:08 < amiller> i'll need hashes for consuming merkle tree proofs 02:08 < amiller> and... really none of that requires anything else i guess 02:08 < petertodd> Ok, so write up an example script. 02:08 < amiller> hm 02:08 < amiller> Ok. 02:08 < petertodd> Sounds like you just need OP_CAT, OP_SUBSTR and what not. 
02:09 < petertodd> See, I've got a soft-forkable mechanism in mind where we can gradualy enable more stuff as we prove we haven't screwed up. 02:09 < petertodd> And I'm thinking MAST support should be #1 02:10 < amiller> interesting 02:11 < petertodd> MAST is actually pretty simple too: just make OP_IF and OP_ELSE take a digest, rather than opcodes, if the branch isn't executed, and use that digest in the calculation of the tree 02:11 < petertodd> It'll look kinda like P2SH really 02:12 < petertodd> If bitcoin isn't interested, worth asking litecoin. 02:13 < amiller> what about breaking a computation into parts 02:13 < amiller> so it could be spread over multiple tx 02:13 < amiller> that's unnecssary complexity nvm 02:13 < petertodd> That would be complex, and incompatible with how Bitcoin scripting usually works. 02:13 < petertodd> KISS 02:14 < petertodd> *Another* thing I want to do, like soon, is add "debugging" support to scripts to trace the state they take, which is similar code. 02:15 < petertodd> example: http://webbtc.com/script/31d3fb6b4af93525e04e9d97690cffdd292ca554791cfadd34af76ecbb9bdf29:0 02:15 < amiller> hm 02:15 < amiller> i could probably just model bitcoin's stack language in ocaml and use my compiler hack directly as a reference design 02:15 < petertodd> that's using bitcoin-ruby, which is broken - very much worth adding this to bitcoin itself for debugging/pedalogical reasons 02:16 < petertodd> *pedagogical 02:16 < amiller> that's slick, thanks for link 02:16 < petertodd> heck, testing too: make hashes of those execution traces and store them in the unittests 02:16 < petertodd> frankly if anything changes, it's almost certainely a bug 11:59 < jgarzik> petertodd, amiller: anybody given any thought to identity (SINs) + file sharing? Trying to figure out if a decentralized Amazon S3 could ever be possible 11:59 < jgarzik> i.e. where data hosting entities can come and go, and be compensated for their work. 
users can come and go, and pay for storage. 12:00 < jgarzik> data hosting has two layers, as zooko and Tahoe-LAFS well know, low level storage and upper level accounting. 12:00 < jgarzik> accounting/indexing 12:04 * jgarzik always thought of Tahoe-LAFS as cumbersome to build but doable -- but the HARD part is figuring out economic/game theory incentives to make such a system self-supporting 12:04 < amiller> mojonation was supposed to be that 12:04 < amiller> tahoe-lafs is a much reduced scale 12:04 < amiller> so hm. 12:05 < amiller> my observation though is if you have accounting that works, you probably don't even need SINs... 12:11 < jgarzik> possibly true 12:11 < jgarzik> I was thinking that SINs form a nexus around which you can build a positive reputation 12:13 < jgarzik> users need to provably pay for their download. providers need to provably get paid for providing a download. difficult if not impossible without proxying through third party verification 12:13 < jgarzik> (or so it seems to me) 12:18 < jgarzik> and these might be semi-trusted proxies, that audit each others' work and build a reputation 12:19 < jgarzik> perhaps users and providers follow a protocol that sends a request to A and B, yet provably expects the response to be delivered by C 12:20 < jgarzik> that gives other providers an awareness of requests going through the system, setting expectations for delivery by C 12:50 < jgarzik> switching topics, 12:50 < jgarzik> petertodd, still not totally happy with anyone-can-spend 12:51 < jgarzik> petertodd, lacking a bitcoind mod, the rational behavior is to send two transactions, the required anyone-can-spend and also a new tx spending that 12:51 < jgarzik> certainly the announce gives others the /chance/ to spend 12:52 < jgarzik> but in the initial stages of any such system, the identities will be cost-free 15:30 < petertodd> jgarzik: Did you see the discusstion between amiller and myself about proving you have some data as a way of incentivising 
storage? 15:30 < petertodd> jgarzik: anyone-can-spend *only* works if it's timelocked in any case, so with announce-commit it's actually three transactions. 15:31 < petertodd> jgarzik: Adding auto-spend support to the mempool in bitcoin upstream is easy - I wouldn't get hung up on that. 15:34 < petertodd> jgarzik: People already have huge wallets watching for coins being spent to tens of thousands of addresses they've done dictionaries for re: brainwallets. 15:36 < petertodd> jgarzik: For instance "jgarzik"=1KCvSPxjaJdVQtzP15bJgBXXDbrBxCNhj7, and "petertodd"=16VpZwEfw2PCwf4dZEBNeXpKgFPdbiUnf, and a 50mBTC payment to both got spent within about a second. 15:37 < petertodd> jgarzik: Provided spending a anyone-can-spend is standard, I don't think we have an issue at all. 15:39 < petertodd> Reminds me: we should consider a transaction input standard in AreInputsStandard() if a empty scriptSig, or scriptSig=OP_TRUE, is able to spend it in any case. 15:56 < petertodd> Also, that's a rational for anyone-can-spend too IMO: you don't need to be a miner to have an incentive to setup the infrastructure to claim it. 15:57 < petertodd> (especially with an anyone-can-spend based on OP_CHECKMULTISIG where it's already a standard tx) 16:09 < jgarzik> petertodd, I'm just concerned about initial bootstrapping. After the system is running, it's fine. 16:11 < petertodd> Well, if anyone can spend is useful from a technical point of view, then why not use the OP_CHECKMULTISIG version? 16:11 < petertodd> Also, add scriptPubKey=<digest> to your OP_RETURN <data> pull-req. 16:12 < petertodd> (with <digest>!=0) 16:34 < petertodd> Keep in mind that for something like IRC, where a heck of a lot of proofs might need to be stored, you really want to keep the proof size small for the sacrifice. Eventually anyone-can-spend will need as little as a SHA256 midstate + <digest> + value + nLockTime and the merkle path. 
It's even better if you allow people to use the coinbase version, and proof-of-work coinbase version. (latter where you mine a share that would have been worth xBTC) 17:54 < midnightmagic> petertodd: zooko et al were doing a lot of work in that regard not so long ago. 23:34 < realazthat> the sha() must take a few additional params to prove it was started in a recent block, and so can't be reused again and again 23:34 < realazthat> etc. 23:34 < realazthat> there are lots of other issues as well 23:34 < realazthat> I have some of them listed on a page 23:37 < amiller> the work market idea really appeals to me but i don't understand the details 23:37 < amiller> i'd like to read about that 23:37 < realazthat> mmm 23:37 < realazthat> lemme see if I can find gmaxwell's BIP 23:38 < amiller> i think we havea pretty coarse idea about what it takes economically for schemes like this to make any sense 23:38 < amiller> it's real hard to empirically test them 23:39 < realazthat> well the work market could work on the current bitcoin network first I think 23:39 < realazthat> but I don't think people would appreciate deprecating mining :P 23:39 < realazthat> mmm 23:39 < realazthat> yeah 23:43 * amiller waits for cool links 23:47 < realazthat> https://en.bitcoin.it/wiki/BIP_0013 << I *think* this is it 23:47 < realazthat> and maybe 16 23:47 < realazthat> gmaxwell: ding ding 23:48 < realazthat> basically, something that would integrate SCIP into bitcoin, and only pay out to someone who ran a program, and can give a valid response + signature 23:48 < realazthat> ie. 
scip signature 23:48 < realazthat> which is PoW 23:55 < realazthat> funny, I can't find where gmaxwell linked it to me in my logs :/ 23:57 < realazthat> aha 23:57 < realazthat> got it 23:57 < realazthat> https://en.bitcoin.it/wiki/User:Gmaxwell/why_hash_locked 23:57 < realazthat> amiller: ^^ 23:58 < realazthat> he is using it for the zero-knowledge aspect 23:58 < realazthat> but it could also be used for PoW in the same way as SCIP can be used for both 23:58 < realazthat> I think 23:59 < realazthat> dunno why I thought it was a BIP --- Log closed Mon Jun 03 00:00:00 2013 --- Log opened Mon Jun 03 00:00:00 2013 00:05 < amiller> PoW is a loaded term 00:05 < amiller> i don't think what you're talkinga bout is meaningful as pow 00:05 < amiller> or at least not for mining 00:06 < realazthat> mmm SCIP can do PoW 00:06 < realazthat> look, I'll quote a Q/A from eli 00:07 < realazthat> Q: Is there a guarantee that there is no way to generate a signature if a correct answer is otherwise found in a quicker manner than running P, the original program, via running Q instead? 00:07 < realazthat> Eli: Yes, the only way (assuming you cannot break crypto) is to run P, not Q. 
00:08 < realazthat> anyway, this isn't for mining 00:09 < realazthat> 1st, is a work market 00:09 < amiller> if it's not for mining it's fine 00:09 < amiller> i think mining doesn't actually use PoW 00:09 < amiller> but something else 00:09 < realazthat> this could be done right now, in the bitcoin chain with this extension 00:09 < realazthat> mmm 00:09 < realazthat> I dunno then 00:09 < realazthat> I am proposing another method of mining, I don't know if it is sound 00:09 < amiller> i've been working on this a lot 00:09 < realazthat> it would obviously have to be in another chain 00:10 < amiller> basically the work should be incremental 00:10 < amiller> like suppose you were going to put out a bid for work 00:10 < amiller> like a bid for having a gazebo built for your house 00:10 < amiller> and you tell the contractors 00:10 < amiller> both of you start working 00:10 < amiller> it should take you about a month 00:10 < amiller> and whichever one of you finishes first gets paid, the loser gets nothing 00:11 < amiller> the fact that bitcoin is *not* even based on PoW at all means its okay 00:11 < amiller> because each incremental unit of work is so small compared to the latency 00:11 < amiller> that the loss due to duplicated work is pretty low 00:12 < realazthat> mm 00:12 < amiller> now if you break a large computation up into tiny pieces 00:12 < amiller> such that you can get *partial payment for partial work* 00:12 < amiller> then we're back on track 00:12 < realazthat> yes, well I was thinking of something like, 00:12 < amiller> which is in fact exactly what those bootstrap recursive snark things seem to be about 00:12 < amiller> which is really really promising then 00:12 < realazthat> a magic protein folding algorithm, which would take in an IV 00:13 < realazthat> and each worker can do his own part of the work-space 00:13 < realazthat> so the workitself would be tiny peices even 00:13 < realazthat> well 00:13 < realazthat> just different peices 00:14 < 
realazthat> each worker does a different part of the workspace, say by using some uniquely his as the IV 00:14 < amiller> it's a dos problem if you try to pay people for every single hash they compute 00:14 < realazthat> mmno I am not trying to solve that problem 00:14 < realazthat> the work would still take a long time 00:14 < amiller> so the nice thing about lotteries is that they add some uncertainty and indivisibility but you get a good improvement in communication costs 00:14 < amiller> ok 00:14 < realazthat> just it wouldn't be duplicate 00:15 < amiller> and they can be paid even if they're done in parallel 00:15 < realazthat> but its a good problem you pose 00:15 < amiller> that would mean you'd need a block dag sort of thing 00:15 < amiller> that can merge work 00:15 < realazthat> yeah but reserving payment so its not a race; thats a problem 00:15 < amiller> yeah 00:15 < amiller> it might be possible thouhg 00:15 < amiller> it's an interesting idea 00:15 < realazthat> well with gmaxwell's proposal, 00:15 < realazthat> it would almost surely result in some sort of market 00:16 < realazthat> the mining could be built on top of this, by forcing (via mining protocol) the worker to include H(B) into his IV 00:16 < realazthat> and then you can verify the output against the input 00:16 < realazthat> and you know he started at a certain time 00:16 < realazthat> so you cannot save up work 00:17 < realazthat> and, you would win by chance among all the workers 00:17 < realazthat> now, you can weight it somehow (chances of winning) to make it fair 00:17 < realazthat> ie. 
long jobs have a higher hash-number-limit 00:17 < realazthat> so the difficulty is less 00:18 < realazthat> so, if H(sig(P)) < basedifficulty+T(P) 00:18 < realazthat> then you win 00:18 < realazthat> and get to mine the block in addition to claiming your payment 00:18 < realazthat> T(P) can be proven 00:19 < realazthat> via the sig 00:19 < realazthat> to be correct 00:19 < amiller> well it stucks if you start late then you have no incentive to participate at all 00:19 < amiller> that's another thing that's better about the tiny increment work 00:19 < realazthat> well you always have incentive because of the normal money 00:19 < amiller> you can always join a pickup game at any time 00:19 < realazthat> the lottery is just a side benefit 00:19 < amiller> okay well then just no incentive with the new thing 00:19 < amiller> uh 00:19 < realazthat> most people won't expect to win the lottery 00:19 < amiller> so you can reserve money before acutally completing the work? 00:20 < amiller> what happens if you just don't complete the work? 00:20 < realazthat> oh so thats a good question 00:20 < realazthat> yes, good problem that remains 00:20 < realazthat> I need to think about that 00:20 < realazthat> mmm 00:20 < realazthat> here is what you can do 00:20 < realazthat> one of several things 00:21 < realazthat> the work job is given like this: 00:21 < realazthat> run P(iv), T(P) is the time bound (it is known/given) in instructions, you must complete it by block Y, or you lose; all those that give it by block Y split the coins 00:22 < realazthat> so you can precalculate if you can complete it ontime 00:22 < realazthat> usually 00:22 < realazthat> if you do, you are guaranteed something 00:22 < realazthat> perhaps this will be too unstable 00:22 < realazthat> but I bet the market would adapt 00:22 < realazthat> make sense? 
00:27 < amiller> i don't think the market would adapt i think it would be a pretty bad market 00:27 < amiller> the bitcoin mining market is actually super well behaved 00:27 < amiller> the problem is that i think it would be very difficult to tell what chance you had of winning 00:27 < amiller> also a lot of work would still be duplicated likely 00:28 < amiller> with bitcoin mining because everyone is playing the same game, it's really easy to calculate exactly how much you shoudl win *on expectation* 00:28 < amiller> and by joining pools (which maybe could be made endogenous built-in to bitcoin) you can calculate exactly how much you're going to win real accurate 00:29 < amiller> here if you're the only one working on the puzzle then you'll get the whole thing, if someone else works on it you'll get much much less 00:29 < amiller> and you don't even get a reward for being the first to finish 00:29 < amiller> um 00:29 < amiller> i'm not sure how to fix it but maybe we can at least state clearly what the goals should be here? 00:29 < amiller> the decision to do the work should be rational 00:30 < amiller> meaning before you decide to do the work, you should be able to calculate accurately how much money you will get as a function of the decision to do the work or not do the work 00:30 < realazthat> right that would be very hard 00:30 < realazthat> it depends on the type of job 00:30 < amiller> or if it's probabilistic you should be able to calculate what the distribution is of getting paid 00:30 < realazthat> and how many others are willing to do it 00:30 < amiller> again this is a nice thing that bitcoin mining definitely has 00:30 < amiller> and it's obviously important! because that's a lot of how people bitcoin mine 00:30 < realazthat> yeah, so basically you would try to calculate it this way: 00:30 < amiller> they figure out their hash rate and what they earn and try to figure out how cheap they need power etc 00:30 < realazthat> 1. 
do you have enough power to solve this ontime? 00:30 < realazthat> if yes, 20:48 < zooko> Another way of putting that is that the problem of storage of utxos would eventually impose a limit on smaller-ganularity payments. 20:49 < zooko> What's 200 GB? If every satoshi were a utxo, then it would take only 200 GB to store it all? 20:49 < zooko> That sounds way too small. 20:49 < gmaxwell> Though 200gbytes isn't some horrible unattainable value... basically even if there is no long term problem (not clear!) there can still be a short term one with the system becoming costly to operate faster than it becomes valuable to use. 20:50 < gmaxwell> zooko: no, the chain can't grow faster than ~50gbytes/yr due to the maximum blocksize. So every satoshi couldn't be a seperate utxo yet. 20:51 < zooko> gmaxwell: ok. 20:51 < zooko> Thanks. 20:51 < zooko> Time for dinner with my kids, then hopefully I'll get back on IRC... --- Log closed Fri May 10 22:00:20 2013 --- Log opened Fri May 10 22:00:33 2013 --- Log closed Sat May 11 00:00:43 2013 --- Log opened Sat May 11 00:00:43 2013 --- Log closed Sat May 11 16:39:28 2013 --- Log opened Sat May 11 16:39:45 2013 --- Log closed Sat May 11 19:43:41 2013 --- Log opened Sat May 11 19:43:54 2013 --- Log closed Sun May 12 00:00:46 2013 --- Log opened Sun May 12 00:00:46 2013 14:50 < HM2> http://cppquiz.org/ 14:50 < HM2> fun little test for you bitcoin devs, since bitcoind is written in C++ ;) 15:07 < HM2> question 15 is nice 15:15 < HM2> (15 in the url) 16:07 < jrmithdobbs> hmmmm... 
the 1.2 hiera cli util doesn't seem to hono :merge_strategy: deeper when using -a and -h 16:07 < jrmithdobbs> completely wrong channel --- Log closed Mon May 13 00:00:48 2013 --- Log opened Mon May 13 00:00:48 2013 04:30 < amiller> http://arxiv.org/pdf/cs.LO/0312015.pdf 04:30 < amiller> With the advent of global computing there are an increasing variety of situations 04:30 < amiller> where one would need to be able to obtain formal bounds on resource usage by 04:30 < amiller> programs: for instance before running code originating from untrusted source or 04:30 < amiller> in settings where memory or time is constrained, like in embedded systems or 04:30 < amiller> synchronous systems 04:30 < amiller> this is a paper called Soft lambda-calculus: a language for 04:30 < amiller> polynomial time computation --- Log closed Mon May 13 10:34:56 2013 --- Log opened Mon May 13 10:35:12 2013 --- Log closed Mon May 13 13:35:04 2013 --- Log opened Mon May 13 13:35:20 2013 --- Log closed Tue May 14 00:00:51 2013 --- Log opened Tue May 14 00:00:51 2013 --- Log closed Wed May 15 00:00:53 2013 --- Log opened Wed May 15 00:00:53 2013 --- Log closed Thu May 16 00:00:56 2013 --- Log opened Thu May 16 00:00:56 2013 15:04 < jrmithdobbs> can puppet take json instead of yaml from a classifier? 15:05 < jrmithdobbs> erm wrong channel --- Log closed Fri May 17 00:00:58 2013 --- Log opened Fri May 17 00:00:58 2013 17:30 < HM_> Heh 17:31 < HM_> I'm not sure why anyone want want to break 128bit ECC when you could break 112bit 3-DES and compromise so many traditional financial systems --- Log closed Sat May 18 00:00:01 2013 --- Log opened Sat May 18 00:00:01 2013 14:22 < zooko> This conference is awesome. 14:27 < zooko> Is gmaxwell not at Bitcoin2013? 14:27 < BlueMatt> yes, he is 14:27 < zooko> Thanks. 14:27 < zooko> Are you? 14:27 < BlueMatt> no 14:27 < BlueMatt> :9 14:27 < BlueMatt> ( 14:30 < zooko> Bummer. 
15:06 < amiller> :] --- Log closed Sun May 19 00:00:04 2013 --- Log opened Sun May 19 00:00:04 2013 03:23 < warren> sipa: I have a litecoin wallet last touched by 0.6. With secp256k1 0.8.x reports the wallet is corrupt. I am trying to reproduce this with bitcoin. 03:23 < warren> 0.8.x without secp256k1 works fine with that wallet 03:24 < warren> init message: Loading wallet... 03:24 < warren> Error reading wallet database: CPrivKey corrupt 03:24 < warren> Error reading wallet database: CPrivKey corrupt 03:24 < warren> Error loading wallet.dat: Wallet corrupted 03:27 < warren> It's entirely likely this is my fault. 03:47 < warren> I'll report back if I manage to isolate it to a particular key or reproduce it on bitcoin. 05:47 < warren> Yeah, it seems fine with fresh wallet.dat's. 07:30 < wumpus> I don't think you should ask sipa questions about litecoin 07:36 < wumpus> oh it's about his secp library, never mind 09:48 < sipa> warren: i recently fixed a bug involving incorrect privkey serialization 15:26 < warren> sipa: I'm using your latest code 15:30 < sipa> that's remarkable 15:30 < sipa> let me check whether i committed it 15:30 < warren> oh? 15:31 < warren> https://github.com/sipa/secp256k1/commits/master 15:31 < sipa> looks good 15:32 < warren> When I build 0.8.x with openssl it loads the 0.6 wallet just fine. I'll add some print statements and figure out what's going on. 15:35 < warren> heading out for shopping, bbl 16:01 < sipa> warren: it may be related to compressed keys? 16:01 < zooko> Hi sipa! 16:01 < sipa> hi zooko! 16:01 < zooko> I think I saw you entering the Bitcoin Foundation. 16:02 < zooko> Um, meeting, I mean. 16:02 < sipa> i'm there right now 16:08 < warren> sipa: did 0.6 support compressed keys? 16:09 < sipa> warren: yes 16:10 < warren> When I'm back I'll see if I can reproduce this from bitcoin-0.6 -> bitcoin-0.8.x 16:10 < warren> If that fails, are you interested to see my code and wallet.dat? 
--- Log closed Mon May 20 00:00:06 2013 --- Log opened Mon May 20 00:00:06 2013 01:42 < warren> sipa: would you be interested in an affected wallet.dat? 02:09 < warren> the keys are all compressed. I'm digging through code. 07:50 < warren> petertodd: where is your site about the 1MB block limit again? 13:42 < gmaxwell> eek how did I forget to rejoin. 13:44 < gmaxwell> For those who weren't at the Bitcoin conference Eli Ben-Sasson presented on his computational integrity work. This is that stuff we'd talked a little about in here that converts arbitrary programs (in ansi C) into zero knoweldge proofs, allowing you to run them on secret data and produce compact and quickly validated 'signatures' over the output that proves the program was executed faithfully. 13:46 < gmaxwell> Importantly, I got some more performance details from him. ... sounds like the proving (signing) cost is on the order of n * 900 * log(n) where n is operations in the computation. 13:47 < gmaxwell> The validation is some constant times the length of the compiled program. Right now their compiler has a n*poly log n cost like proving however, but they know how to fix that. 13:48 < realazthat> gmaxwell: mmm reminds me of this https://hcrypt.com/ 13:48 < gmaxwell> Sounds like the scalablity ends up memory limited in their actual implementation right now.. To get an idea, each asm opcode produces something like 1500 constraints, and they've used their system successfully on programs of 30 million constraints or so on 'desktop hardware'. 13:48 < realazthat> related I mean 13:48 < realazthat> but cool 13:49 < realazthat> is there a link to this stuff online somewhere? 13:49 < gmaxwell> realazthat: it's in that same general family of techniques... but whats important is that the cost is polynomal. This is actually (nearly-) pratical for a lot more stuff. 13:49 < gmaxwell> realazthat: Their paper should be published in a few days. 
13:49 < realazthat> cool 13:49 < gmaxwell> There is, however, a video https://www.youtube.com/watch?v=CjUNj8ow6UE 13:49 < realazthat> ah nice 13:50 < gmaxwell> The thing I'd like to use it for is this: https://en.bitcoin.it/wiki/User:Gmaxwell/why_hash_locked 13:53 < realazthat> mm that is cool; I wonder how applicable these use cases actually are though 13:53 < realazthat> what greater application I mean 13:54 < gmaxwell> There are more powerful ideas for it... for example, you could use these techniques to produce checkpoints that can't cheat. If you replaced script validation with the validator for it, you could make transactions depend on complex C code but these things are currently infeasable just because of the computational cost. But because the techniques are poly cost, we can hope that even if they only get a bit better, that computers getting 13:55 < gmaxwell> realazthat: Well, I can give some examples for why hash locked, but I don't like them much. The problem is that things like constests for beautiful pictures or whatever can normally just be solved via escrow, we don't really need zero trust in most pratical cases. 13:55 < realazthat> well I can imagine something like crazy financial instruments can come out based on bitcoin using all these hard-to-apply features 13:56 < gmaxwell> The best example I can give you is: "We anonymous parties will pay 100 BTC for some anonymous party to leak Foo DRM's uber-secret master key" can't use escrow because thats a point of attack. 13:56 < realazthat> haha 13:56 < HM_> and then the proof would be some C code that validated the DRM key 13:57 < realazthat> I was thinking/dreaming of putting a bounty on satoshi signing something 13:57 < gmaxwell> yes, you could create some fancy contracts ... but I think the interesting applications of that require the validation _inside_ the bitcoin protocol. Wherease the DRM example works with my wiki page above: totally external to bitcoin. 
13:57 < gmaxwell> (And so the fact that the proof is @#$@# expensive is irrelevant, so long as you can compute them on conventional hardware in a few hours) 13:57 < realazthat> does satoshi have a public gpg key or something? 13:57 < realazthat> (so my dream would make sense) 13:58 < gmaxwell> realazthat: kinda. He has a gpg key that many people will vouch for, but there is actually very little public evidence that it's actually his. 13:58 < realazthat> ah ok 13:58 < gmaxwell> he could, however, signmessage with the genesis key. 13:58 < realazthat> haha great idea 13:58 < gmaxwell> (if he still has it) 13:59 < realazthat> I imagine one day ppl will try to track bitcoins through the chain to identify him :P 22:39 < gmaxwell> Fact of the matter is that we use analogies to understand thing by approximation. But there is no need that the (best) analogies need to be physically intutive, in fact basically all of higher mathmatics is about manipulating abstractions which are in no way physically intutive. 22:40 < petertodd> gmaxwell: also equally insane if you postulate an insecure signature algorithm that can be broken with 2^64 work 22:41 < petertodd> gmaxwell: I'll add to my wizards list that if you successfully got through a hard first year calc/analysis course with emphasis on proofs you're going to understand crypto-currencies much better 22:42 < gmaxwell> well, either that or it broke you completely and you're unable to reason without a pile of symbology in front of you. 22:43 < petertodd> heh 22:45 < petertodd> gmaxwell: probably a good thing I failed second year calc - the alternative was to be broken by it 22:46 < andytoshi> petertodd: second year calc is crap, it has no business being in a math degree 22:47 < petertodd> andytoshi: what did you do in second year calc? 
22:47 < andytoshi> petertodd: half a dozen methods for computing second-year-calc integrals, and something about taylor series i think 22:48 < andytoshi> standard calc 2 fare, "here are some algorithms, run them by hand without ever checking hypotheses, hundreds of times" 22:48 < petertodd> huh, we did taylor in first year; second year was all about multi-variable versions of first year stuff, as well as a bunch of set theory stuff 22:48 < andytoshi> mathematical analysis was probably more difficult, but made far far more sense and was better motivated 22:49 < gmaxwell> I like that they don't even bother teaching people the chain rule in basic undergrad calculus anymore apparently. 22:49 < andytoshi> (analysis is when i switched into math honours and decided to take my degree seriously .. and also where i met my girlfriend :P) 22:49 < petertodd> gmaxwell: wtf? 22:50 < petertodd> andytoshi: typical, impressing a girl... 22:50 < andytoshi> gmaxwell: they do at UTexas at least .. 22:50 < gmaxwell> andytoshi: whew. okay perhaps I was just talking to idiots then. 22:51 < andytoshi> petertodd: that's pretty-much it, a bit ironic that now i'm in grad school 2500km away from her 22:52 < andytoshi> gmaxwell: i'd guess so, first-year calc only has 3-4 derivative rules plus a collection of limit stuff, there isn't much room to trim 22:52 < petertodd> gmaxwell: this is the second year calc curriculum that I took: Sequences and series. Uniform convergence. Convergence of integrals. Elements of topology in R2 and R3. Differential and integral calculus of vector valued functions of a vector variable, with emphasis on vectors in two and three dimensional euclidean space. Extremal problems, Lagrange multipliers, line and surface integrals, vector analysis, Stokes theorem, Fourier series, ... 22:52 < petertodd> ... calculus of variations. 
22:52 < andytoshi> well, UT has room to trim, there's a ton of theoretical stuff that doesn't connect properly, so the course feels very rushed and confused 22:52 < andytoshi> petertodd: holy shit 22:53 < gmaxwell> andytoshi: I think this is because they don't teach differentation in algebra classes, but instead just teach people a bunch of rules which actually are differentiation, but don't explain why they work? 22:53 < petertodd> gmaxwell: first year was this: A theoretical course in calculus; emphasizing proofs and techniques, as well as geometric and physical understanding. Trigonometric identities. Limits and continuity; least upper bounds, intermediate and extreme value theorems. Derivatives, mean value and inverse function theorems. Integrals; fundamental theorem; elementary transcendental functions. Taylors theorem; sequences and series; uniform convergence and ... 22:53 < petertodd> ... power series 22:54 < petertodd> gmaxwell: well, almost, they changed the curriculum around and moved more of what I was taking into the harder class (that's the harder classes current description) 22:54 < andytoshi> gmaxwell: i think that's right, i explain to my classes what they are actually doing, and they (a) appreciate it and (b) act like they were completely unaware of it before 22:54 < petertodd> instead just teach people a bunch of rules which actually are differentiation, but don't 22:54 < petertodd> andytoshi: heh, I don't feel so bad failing it then :) 22:55 < petertodd> andytoshi: the hard version of second year is this: Topology of Rn; compactness, functions and continuity, extreme value theorem. Derivatives; inverse and implicit function theorems, maxima and minima, Lagrange multipliers. Integrals; Fubinis theorem, partitions of unity, change of variables. Differential forms. Manifolds in Rn; integration on manifolds; Stokes theorem for differential forms and classical versions. 
22:55 < andytoshi> petertodd: that's a serious calc sequence, what you listed was calc 1/2/3/4, two analysis classes, a variational calc class, and a bit of a third analysis class 22:55 < andytoshi> not that my school was terribly difficult, i spent the latter half of my undergraduate doing reading courses with professors instead of the standard sequence.. 22:56 < petertodd> andytoshi: ha, lovely, and I did that after like six years doing a fine arts degree 22:56 < petertodd> andytoshi: that's UofT fwiw 22:56 < andytoshi> petertodd: wow, good to know then 22:56 * nessence wonders how many UT folks are @ cointerra 22:57 < andytoshi> i was told that grad students who go there teld to be unhappy, that the profs don't pay attention to them..maybe this is why 22:58 < petertodd> andytoshi: interesting - the teachers in first year weren't very good, and second year downright atrocious. You literally had TA's who were too shy to speak to students and spend the whole class facing the chalk board mumbling. 22:58 < jcrubino> petertodd: your my hero now with your calc story 22:59 < petertodd> jcrubino: lol 22:59 < andytoshi> petertodd: fwiw, at SFU we had very slow sequences as i described, then a serious problem with fourth-year students who had no knowledge of mathematics, but we had to give them degrees since we'd led them on for three years, and they'd be incomprehensibly stupid 22:59 < petertodd> andytoshi: ha! nah, uoft just fails people instead :P 23:00 < petertodd> andytoshi: first year calc we quite literally had about 90% of the class drop out 23:00 < andytoshi> yeah, that's an extreme workload especially if the teachers are all crap 23:00 < andytoshi> it'd be almost reasonable with excellent professors and TAs 23:01 < petertodd> yup, and a heck of a shock coming from art school - see, at art schools even the best in the field often take teaching jobs to earn some more money... 
I suspect with math it's a lot harder to attract talent on a budget 23:02 < andytoshi> yeah, generally there are rich schools who get ~2-400 applicants per year and get to choose -- then there are the rest who have perpetually open positions but terrible offers 23:02 < andytoshi> (UTexas is in the former, they accepted 30/400 applicants last semester o.O) 23:03 < petertodd> ha, uoft has 50k students 23:03 < petertodd> heck, they have more teachers then my previous school had students 23:03 < andytoshi> yes, it is very irritating when they make half the grad department TA calculus <.< 23:04 < petertodd> ugh, and it seems that uoft actually takes their better TAs and teachers and has them teach the easier math classes aimed at the non-math students 23:04 < andytoshi> 16k math students, 8k in the calculus sequences in any given semester, which means around 80 calc TAs i guess 23:05 < andytoshi> ( UTexas has similar total numbers to UofT i think) 23:05 < petertodd> probably about right 23:05 < andytoshi> petertodd: ugh, that's terrible 23:07 < petertodd> andytoshi: heh, well I still managed to learn enough from it to have some hope of learning more math :) 23:09 < andytoshi> very true, i was suprised to hear you (and gmaxwell) have so little formal math education 23:09 < andytoshi> i guess i don't really either, i have the papers but the upper-division part of my degree was almost entirely reading courses 23:10 < petertodd> gmaxwell is way ahead of me with math you know 23:10 < andytoshi> and i did a grad course in QFT, i had a fun time explaining to the physics chair who i was and what i was doing there :P 23:11 < gmaxwell> I don't know anything, but seeing as how I don't know anything I am also not afraid of anything. 
23:11 < petertodd> decentralized consensus systems are probably the only "theoretical" branch of crypto I'll ever have a hope of coming up with new ideas in - notice how even my intuition for things like how ECC signatures work is relatively shakey 23:12 < petertodd> andytoshi: lol, quantum anything just sounds scary, and relatively useless :P 23:12 < andytoshi> petertodd: i did not notice that, your blockchain/MMR stuff is so advanced that i assumed you were a math/cs genius :P 23:13 < andytoshi> petertodd: quantum field theory is -very- shakey, it was a great course to learn what physicists are up to but i knew i didn't want to deal with it after that 23:13 < andytoshi> scott aaronson has somewhat changed my mind on that point tho, to the extend that he calls what he does "physics" 23:14 < gmaxwell> everything understandable to more than a few people is understandable to almost everyone if approached from the right perspective. 23:15 < petertodd> gmaxwell: +1 23:15 < andytoshi> gmaxwell: that's my feeling, i've managed to explain SNARKs on a conceptual level to people who haven't had any experience with crypto 23:15 < andytoshi> they have to let me talk for two hours about cryptography, though, so maybe i'm filtering people.. 23:15 < petertodd> andytoshi: lol, I keep on thinking "what the fuck symbol am I supposed to use for foo?" 
23:15 < petertodd> andytoshi: every time I try to write anything vaguely resembling a paper
20:42 < maaku> andytoshi: coinjoin can be used to hide from your employer as they can no longer be sure which outputs are yours, or coinswap which lets you swap identities with some other coin
20:46 < maaku> TD: i'm assuming that you can actually realistically determine the owner of a key from network analysis with better than random probability, even if it's a use-once key
20:47 < TD> i am not convinced that assumption is valid
20:47 < TD> it should *not* be valid at least, if addresses are not reused and merge avoidance is done
20:48 < maaku> if merge avoidance is done by every other node i transact with
20:48 < maaku> i don't like outsourcing my privacy to those i transact with
20:51 < TD> coinjoin requires outsourcing as well, in effect. you have to hope that there are enough others available at the time who have a sufficient amount they wish to mix that you get reasonable deniability
20:51 < TD> otherwise you end up with implausible deniability only
20:52 < maaku> TD: the scenarios I've considered for coinjoin mixing involve doing it in the background, yielding outputs that are made available to the spendable balance
20:53 < maaku> coinjoin-as-payment is just an added bonus that obscures the fact that a payment is even occurring
20:53 < maaku> the quality of the mix doesn't matter so much then
23:08 < phantomcircuit> lol
23:08 < phantomcircuit> i just finished reading mikes entire blog post
23:08 < phantomcircuit> intersango hot wallet already sort of does that
--- Log closed Thu Dec 12 00:00:49 2013
--- Log opened Thu Dec 12 00:00:49 2013
07:47 < nsh> bit into a discussion in #bitcoin regarding whether or not it would be possible to spoof p2pool mining with a centralized (e.g. miner cluster) resource, in some hypothetical case where p2pool mining was better rewarded to incentivize decentralization
07:47 < nsh> i thought initially you could demonstrate the sharechain of p2pool and that would guard against spoofing, but now i'm not sure it couldn't be simulated with minimal overhear
07:47 < nsh> *overhead
07:48 < nsh> thoughts?
07:49 * nsh considers reading some papers on collusion resistance models
07:51 < nsh> i suspect they all require some kind of fine-grained synchrony or something equally tricky
12:54 < andytoshi> i haven't read past the abstract and authors, but this is probably an interesting paper
12:54 < andytoshi> http://arxiv.org/abs/1312.3230
12:54 < andytoshi> "how to deal with malleability in the current bitcoin system"
12:57 < nsh> what's malleability?
12:58 < sipa> being able to modify a transaction, without knowing the private key, and without invalidating it
12:58 < andytoshi> nsh: any part of the transaction which is hashed but not signed, you can change (even after signing) to get a valid transaction
12:59 < nsh> oh
12:59 < andytoshi> and this messes up a lot of the contract stuff, since you're supposed to have chains of unconfirmed transactions
12:59 < nsh> yeah, that could be a problem
12:59 < andytoshi> and changing a hash breaks the chain
13:00 < andytoshi> nice, the paper's only 6 pages
13:03 * maaku cringes every time he sees "BitCoin" in an academic paper
13:03 * TD used to write it like that
13:04 < MoALTz> maaku: why?
13:04 < maaku> Bitcoin is not camel-case
13:05 < MoALTz> maaku: could be worse. could have scrapped blockexplorer for the blockchain info.
13:05 < maaku> Journalists I forgive.. at least they're writing about Bitcoin
13:05 < maaku> But someone who is purportedly researching the core bitcoin protocol should know better
13:05 < maaku> heh, that's true
13:06 < andytoshi> i think it may be deliberate, to express their out-of-touch-ness with the real world
13:06 < maaku> "BitCoin is a chain of linked HTML5 documents...."
13:06 < andytoshi> "read our paper, we're all in the same ivory tower"
13:08 < MoALTz> when i skimmed over the zerocoin paper i noticed that they had a careless mistake (saying that 1 BTC is 10^9 satoshis)
13:19 < sipa> maaku: blockexplorer.com was HTML5? :o
13:19 < maaku> heh, true
13:21 < nsh> maybe we can delegate bitcoin security to timbl's html drm working group in future versions
13:36 < TD> haha
13:41 < Emcy> is timbl really his hacker name?
13:41 < Emcy> it's pretty good
13:43 < France> (apparently, at some point i grouped "France" to my nick on freenode then completely forgot about it)
14:08 < gmaxwell> http://www.ssi.gouv.fr/en/the-anssi/events/revocation-of-an-igc-a-branch-808.html < I wonder why they didn't disclose whose certificates they made.
14:09 < gmaxwell> Anyone know if it's public? (I know at least some of what they made certs for but I'm not sure if I was supposed to repeat it)
14:09 < gmaxwell> oh googling reveals that it is public.
14:09 < gmaxwell> They minted google certs. http://googleonlinesecurity.blogspot.de/2013/12/further-improving-digital-certificate.html?m=1
14:13 < TD> presumably they minted many certs and it's just that google detected it
14:13 < TD> whereas others didn't
14:24 < nsh> aye, google only caught it because of their cert pinning in chrome
14:24 < nsh> i suspect they were mitming * for some govt employees somewhere
14:43 < gmaxwell> Tehe: "Open source: the software is still terrible but now it is your fault too."
14:49 < nsh> :)
14:52 < sipa> well... we do reply with "file a bug report" or "fixes welcome" when people complain :)
16:54 < BlueMatt> ;;seen TD
16:54 < BlueMatt> nanotube: where is gribble when you need it?
16:55 < BlueMatt> yay, manual gribble
16:55 < BlueMatt> what timezone is 12:59, though
16:55 < gmaxwell> Pacific.
16:55 < gmaxwell> (because I IRC from a host in Oregon)
16:55 < nanotube> there he is. :)
16:56 < gmaxwell> and because people other than me have a crazy practice of setting up hosts with timezones other than utc.
16:56 < sipa> iirc, TD is in pacific timezone as well :)
16:57 < gmaxwell> I saw him on saturday.
16:57 < BlueMatt> sipa: yes, hence why he should be awake and irc-ing (what else would he be doing?) :p
16:57 < gmaxwell> so did BlueMatt
16:57 < sipa> ha, cool
16:58 < sipa> i'm syncing from scratch on leveldb 1.15
16:58 < sipa> it's horrible, so many orphans and duplicate blocks
16:59 < sipa> i think i'm downloading every block 5 times, and keeping hundreds in RAM...
16:59 < BlueMatt> bitcoind's sync algorithm is soooo good...
16:59 < gmaxwell> what changed? it wasn't _that_ bad before. Is this just due to increased blocksize? IIRC I only found a 2x (I think? do you remember?) overhead.
17:06 < sipa> gmaxwell: not an actual measurement, just impression
17:07 < sipa> also, i'm only at block 213000
17:45 < Emcy> so you get orphan warnings while downloading deeply buried blocks because the block downloading code is a bit silly?
17:46 < MoALTz> i found 31 orphans in my blk*.dat files
17:48 < Luke-Jr> someone I spoke with recently was looking for 2009-era stale block.. anyone got any? :P
17:48 < Luke-Jr> MoALTz: you mean stale, not orphan. orphan blocks never get written to risk
17:48 < Luke-Jr> to disk*
17:49 < MoALTz> ah yes
17:49 < MoALTz> although i did look out for true orphans in my code too (although there were none, as those lists were empty after i loaded the files)
17:50 < Emcy> whats a stale block?
17:53 < Luke-Jr> Emcy: one that didn't get accepted in the main chain, long-term
17:53 < BlueMatt> Emcy: #bitcoin
17:56 < Emcy> dont bitcoin me
17:56 < Emcy> ive just never once heard of a stale block
17:57 < Luke-Jr> Emcy: it's what happens when a miner finds a block, but the block is lost due to a race
--- Log closed Fri Dec 13 00:00:51 2013
--- Log opened Fri Dec 13 00:00:51 2013
03:44 < epscy> does anyone know if 0.8.6 has the address index patch?
03:46 < sipa> hell no
03:55 < epscy> sipa: is the address index controversial?
03:56 < epscy> I thought it was going to be included in the next release
03:57 < sipa> unless someone brings it up to date, no
03:57 < sipa> and i'm no fan of it myself
03:57 < sipa> see the (closed) pull request for why
04:00 < epscy> thanks i will check it out later
04:02 < sipa> https://github.com/bitcoin/bitcoin/pull/2802
04:04 < wumpus> depending on the use case, you might use the watch-only pull which is more up to date: https://github.com/bitcoin/bitcoin/pull/3383
04:04 < sipa> wumpus: regarding watch-only, i agree having a way to query spendable vs unspendable balance
04:04 < wumpus> sipa: yep, I'm going to work on that
04:05 < sipa> (it applies equally to locked outputs)
04:08 < wumpus> indeed
04:11 < wumpus> unspendable unconfirmed, spendable confirmed, unspendable confirmed, and spendable unconfirmed... hmm
04:15 < sipa> combinatorial explosion
04:16 < sipa> how about two booleans to be passed to getbalance
04:16 < sipa> in the gui maybe:
04:16 < wumpus> yes, well in this case one boolean passed to GetBalance and GetUnconfirmedBalance
04:16 < sipa> Balance: X (+ Y unspendable)
04:16 < wumpus> but yeah explaining it to the user is most difficult
04:17 < wumpus> ah that would work
04:17 < sipa> only shown if Y is nonzero
04:17 < wumpus> right
17:05 < gmaxwell> adam3us: if that wasn't a birthday search I'd assume that it would be 000000 or something and not two random looking ones. :)
17:06 < adam3us> gmaxwell: (referring to post on openpgp list for others context) yeah i didnt look at it, its easy to steer RSA v2 based keyids because they are the lsb of the RSA modulus however the v3 ones are the lsb of the fingerprint
17:08 < adam3us> gmaxwell: i presume this is a v3 fingerprint so it would represent either a preimage attack of 2^64 on an RSA key (each RSA key being moderately expensive to compute) or a birthday attack on them (using a fair bit of ram or a tmto and more compute) and probably tossing aside security to make prime reuse and generation faster
17:08 < gmaxwell> adam3us: there is metadata like a timestamp in the fingerprint
17:08 < gmaxwell> so it's not hard to grind.
17:08 < adam3us> ah thats a bit of a defect :)
06:53 < Mike_B> so what you could do is just have it level off at some fixed reward per block
06:53 < Mike_B> so the inflation rate is basically a constantly decreasing percentage that never reaches 0%
06:53 < gmaxwell> yes but if there is a bunch of deflation then that number is too high and you're back to the dyson sphere.
06:53 < jtimon> yes, the problem we fear in freicoin is "over-mining" not "under-reward"
06:54 < jtimon> dyson sphere?
06:54 < gmaxwell> jtimon: https://en.wikipedia.org/wiki/Dyson_sphere
06:54 < jtimon> anyway gmaxwell, I don't think you need a control loop on the reward, it can be constant
06:55 < gmaxwell> I don't think any constant value is "safe" (in that it can't over-reward)
06:55 < jtimon> oh, I see, starships
06:56 < jtimon> I claim that any value is safe in that it cannot under-reward
06:56 < gmaxwell> you can't know the value of a coin within the system, so whatever you set it to perhaps its way too much.. and if we're not smart enough to abandon the currency we do crazy things. :)
06:56 < jtimon> so we share the same concern
06:56 < Mike_B> gmaxwell: if overrewarding occurs then it balances itself out rather quickly as those new coins enter circulation
06:56 < jtimon> Mike_B the supply is constant
06:57 < jtimon> I'm using freicoin as example
06:57 < gmaxwell> 4am. too late to think. goodnight
06:57 < jtimon> constant supply, constant demurrage that goes to miners
06:57 < Mike_B> jtimon: the system i've been describing is one where supply is always increasing, with block reward eventually leveling off at some fixed value (like say 1 or whatever) rather than to 0
06:57 < Mike_B> night gmaxwell
06:57 < jtimon> gmaxwell goodnight
06:58 < Mike_B> so the rate of inflation approaches 0 while the money supply approaches infinity
06:58 < jtimon> you can build a mining-reward-equivalent to freicoin with inflation, it's called expocoin
06:58 < jtimon> your system is timecoin
06:59 < jtimon> constant supply, but since the total supply is ever-growing you're paying proportionally less to miners each year
06:59 < Mike_B> what do you mean by "supply" here
06:59 < Mike_B> the total money supply?
06:59 < jtimon> 21 millions
06:59 < jtimon> yeah
07:00 < Mike_B> so what do you mean by the supply being constant yet ever-growing
07:00 < jtimon> the supply ever-growing, the reward constant
07:00 < jtimon> thus the reward is always being reduced in proportion to total supply
07:00 < jtimon> the reward is the subsidy for miners
07:01 < Mike_B> ok right
07:01 < Mike_B> yeah that's what i was saying
07:01 < Mike_B> you're saying that's what - expocoin, freicoin, or timecoin?
07:01 < Mike_B> i'm not familiar with all these altcoins
07:01 < jtimon> timecoin
07:01 < Mike_B> the only one i know is freicoin
07:01 < jtimon> only freicoin exists
07:01 < fagmuffinz> ;;ident fagmuffinz
07:01 < jtimon> the others are only theoretical
07:01 < jtimon> what you're saying is timecoin
07:02 < jtimon> and against it I previously said:
07:02 < jtimon> Mike_B gmaxwell infinite precision to have perpetual reward doesn't make much sense, will an annual reward of 0.00000000000000001% of the supply really make any difference?
07:03 < Mike_B> jtimon: the answer to that question is yes, because as gmaxwell said, coins are always getting taken out of circulation
07:03 < Mike_B> so it should oscillate or something
07:03 < Mike_B> the actual circulating money supply is less than the supply on paper because of lost private keys
07:04 < jtimon> but coins will be lost at a "fixed" rate, say 2% or 1%
07:04 < jtimon> your reward is proportionally decreasing
07:05 < Mike_B> what's the objection to that
07:05 < jtimon> unless the rate at which people lose coins constantly and forever also decreases proportionally
07:05 < jtimon> the reward will become meaningless
07:06 < Mike_B> not if there's something nuts like 2% deflation per year it won't
07:06 < jtimon> let me think this again
07:06 < Mike_B> that's like 33% of the money supply being lost over 20 years
07:07 < Mike_B> so what happens is then, suddenly this 1 block reward becomes extremely valuable
07:07 < Mike_B> you overreward miners
07:07 < Mike_B> that was gmaxwell's objection
07:07 < Mike_B> but, my counter-argument is that if that happens, then this huge reward eventually enters circulation, causing inflation to counter the deflation
07:07 < Mike_B> so it evens out
07:08 < jtimon> in our example we have perpetual constant reward 1 per block
07:08 < Mike_B> yes
07:08 < jtimon> and people lose money at 2% of the total supply right?
07:09 < Mike_B> yeah, some fixed percentage per year
07:09 < Mike_B> so you have exponential decay and linear growth
07:09 < jtimon> ok, I need a cigarette while I think about it, I'll be back in some minutes
07:16 < jtimon> so first year the nominal supply grows 365
07:16 < jtimon> but the real supply is 2% less
07:16 < jtimon> due to lost coins
07:17 < Mike_B> right
07:17 < jtimon> the number of lost coins starts below 365, but it grows over time
07:17 < Mike_B> right
07:18 < jtimon> at some point the total lost coins per year equals the new 365 created
07:18 < jtimon> and now the question is
07:18 < jtimon> the % of lost coins is from the total supply or the real supply
07:18 < Mike_B> real supply
07:19 < jtimon> if the former, you're right
07:19 < jtimon> since you have chosen real supply
07:19 < jtimon> at that point the real supply stabilizes forever
07:20 < jtimon> so timecoin ends up being reward-equivalent to freicoin too
07:20 < jtimon> but the reward is paid from unpredictable lost coins instead of constant demurrage
07:20 < Mike_B> wait, what was i right about if i said total supply?
07:20 < jtimon> I never thought about this in this way
07:20 < Mike_B> my goal was just that real supply stabilizes forever
07:21 < Mike_B> and miners are always rewarded
07:21 < jtimon> ok, if you had chosen total supply instead of real, gmaxwell would be right
07:22 < jtimon> if you don't take lost coins into account, you need expocoin or freicoin to achieve your goal
07:22 < jtimon> well, with expocoin you don't have constant supply
07:24 < jtimon> well, gmaxwell's objection can also apply to this (and freicoin) but in a less catastrophic way
07:24 < jtimon> I guess
07:25 < jtimon> what if 2% (or whatever rate people lose coins at) is too much subsidy?
07:25 < Mike_B> jtimon: it couldn't be total supply
07:25 < jtimon> mining won't grow like a cancer but still
07:25 < Mike_B> if 2% of the total supply is lost every year then in 50 years you have nothing left
07:26 < jtimon> will be always more mining than needed
07:26 < jtimon> 1) if you reduce proportionally you always have something left
07:26 < Mike_B> i don't understand the total supply scenario
07:27 < Mike_B> if you lose 2% of the "on-paper" amount of bitcoins every year, you run out of bitcoins completely in 50 years and everyone has 0
07:27 < jtimon> 2) in both cases (timecoin and freicoin) you're introducing new coins at a constant rate
07:27 < jtimon> 50 years with what divisibility?
07:28 < jtimon> if coins are infinitely divisible you never get out of them
07:29 < jtimon> so now that we've established that the supply will stabilize
07:30 < Mike_B> ok well i don't get the total supply thing but let's assume i mean real supply
07:30 < jtimon> in the case of timecoin not the total (on-paper) supply but the real supply will, in freicoin both
07:30 < jtimon> total supply = real supply + lost coins
07:30 < Mike_B> yeah, so just real supply
07:30 < jtimon> in timecoin
07:30 < jtimon> you end up with a fixed real supply
07:31 < jtimon> an equilibrium real supply
07:31 < jtimon> and you're giving miners 2% of that supply every year
07:31 < Mike_B> so the thing i'm describing is basically bitcoin but where the 50 block reward never halves. that's exactly what timecoin is?
07:31 < jtimon> what if 2% of the real supply is too much security?
07:31 < jtimon> Mike_B yes, that's timecoin
07:32 < Mike_B> and freicoin is what again?
07:32 < Mike_B> it's inflation + a wealth tax?
07:32 < jtimon> freicoin is 5% demurrage
07:32 < jtimon> demurrage is not a wealth tax
07:32 < jtimon> is a fee for parking in the middle of the road
07:33 < jtimon> but economics apart
07:33 < jtimon> 5% demurrage and a reward that ends up constant
07:34 < jtimon> resulting in an equilibrium 100 millions supply
07:34 < Mike_B> but the idea of demurrage is just that it takes some percent out of everyone's wallet every so often, right?
07:34 < Mike_B> let me look up the numbers so i'm not so uninformed
07:34 < jtimon> yes 2^-20% of each output per block, to be exact
07:34 < Mike_B> 20%??
07:35 < jtimon> no 2^(-20)
07:35 < Mike_B> oh oh oh, ok
07:35 < jtimon> that results in 4.89 % annual or something close
07:36 < Mike_B> so what's the point of demurrage vs inflation if the economic impact is exactly the same?
07:36 < jtimon> the effect on interest rates is different
07:36 < jtimon> the effect on miners is equivalent
07:37 < Mike_B> does freicoin have a fixed supply?
07:37 < jtimon> well, inflation is also uglier than demurrage in my opinion since it's kind of hidden
07:37 < gmaxwell> demurrage @#$@#$@s up accounting.
07:37 < jtimon> not yet, but yes, 100 Million
07:38 < jtimon> gmaxwell, yeah, just like interest rates
07:38 < Mike_B> jtimon: so you get all of the properties of inflation except debt still deflates???
07:38 < jtimon> accountants have to account
07:38 < gmaxwell> easier to ignore by convention because it doesn't make your bookkeeping not add up.
07:39 < Mike_B> it seems to me that the net economic impact of demurrage = inflation + debt deflation
07:39 < Mike_B> which is like a double whammy
07:39 < Mike_B> but maybe i just don't understand
07:39 < jtimon> it's not that hard to account
07:39 < jtimon> you just have to put a timestamp with every amount in your books
07:39 < Mike_B> jtimon: can you confirm that my understanding about debt deflation above is correct?
18:07 < gmaxwell> Then again, hashcash has not really been widely adopted. So, ::shrugs::
18:07 < gmaxwell> part of this, I suspect is that separation problem: often attackers are more willing to use resources than honest users.
18:09 < comboy> Alanius: got to some nice papers through this link you gave me, thanks a lot
18:12 < Alanius> :)
20:33 < Ketamine_> Just getting into the game, anything greatly appreciated. Pweeese.
20:33 < Ketamine_> Cryptsy: 912e35c2dc1316cd9eea19e31768ff27f20fddef
20:33 < Ketamine_> BTC: 1MHPQCbkJ6uyD2kpZveNpXdjG396duaYVw
20:33 < Ketamine_> LTC: LNtbFxtr1gEpPnvubT314HNSX2zAFpa37X
20:33 < Ketamine_> DOGE: DJ1NXr9WLv2Wqda4mCTW5K71NRaUrNVdDX
20:33 < Ketamine_> PP: o24@usa.com
--- Log closed Sun Jan 26 00:00:59 2014
--- Log opened Sun Jan 26 00:00:59 2014
04:20 < jtimon> yo
04:21 < jtimon> yolandi
04:21 < jtimon> ninja
08:35 < azariah4> stumbled over the ethereum white-paper, interesting stuff
08:35 < c0rw1n> it was elusive about some technical details last time i checked
08:36 < azariah4> what do you think about its turing-complete "scripts" ?
08:36 < c0rw1n> that's the thing. there's a very good reason bitcoin script isn't turing-complete
08:36 < qwertyoruiop> c0rw1n++
08:37 < c0rw1n> and the ethereum paper didn't say how they solved it
08:37 < c0rw1n> (last time i checked)
08:38 < brisque> there's something about the transaction fee being charged for the number of operations a script takes.
08:39 < Ursium> my understanding (and I'm going to walk on eggshells here) is that they solved it by limiting the opcodes to the strict minimum, meaning it won't be possible to build anything that could lead to disaster
08:39 < c0rw1n> i think if you could get fees on the computing of turing-complete scripts, you could mine on that
08:39 < Ursium> operations are expensive, and the instruction set very limited
08:39 < brisque> logically every single node has to execute the scripts, so they can't be particularly complicated.
08:40 < c0rw1n> um not necessarily
08:40 < c0rw1n> you could zkp the running of scripts
08:40 < azariah4> talk about a new type of incentive for optimization, hehe, not for cycles or mem but for fees on a blockchain
08:41 < brisque> bitcoin already restricts its scripts just by virtue of their size. bigger transaction leads to more fees.
08:42 < brisque> c0rw1n: maybe I've missed something, but wouldn't nodes need to know the output of a transaction to conclude if a block is valid or invalid?
08:44 < c0rw1n> the output yes
08:46 < brisque> how would you get there without executing it?
08:48 < sipa> give a zkp of the evaluation
08:48 < azariah4> seems ethereum scripts will require a fee for every 16 instructions
08:48 < c0rw1n> which is a way to go about that
08:48 < Ursium> azariah4: a fee per step AFTER 16 more like ;)
08:49 < azariah4> Ursium: oh right!
08:50 < adam3us1> there is a thread about turing complete on bct https://bitcointalk.org/index.php?topic=431513.0
08:50 < azariah4> ah, seems the fee structure is more complicated
08:51 < azariah4> 1x fee for each instruction after the first 16, but crypto operations cost 20x fee each
08:51 < adam3us1> anyone have gmaxwell grey goo bct url? (bad implications of covenants)
08:51 < azariah4> and different logic for storage
08:51 < sipa> how do they enforce fees? at the consensus level, or local policy?
08:51 < azariah4> adam3us1: thanks for the link
08:52 < adam3us1> ah got it https://bitcointalk.org/index.php?topic=278122.0 gmaxwell on how you get grey goo from even the simplest one opcode mistake on current bitcoin (never mind TC byte code stateful, looping, full generic)
08:53 < adam3us1> sipa: i think fees are enforced by all validators executing them, but only financially benefit successful miners
08:54 < sipa> adam3us1: how is the exchange rate set?
08:54 < adam3us1> note its balance based and a script "owns" and defends value, and can originate transactions from its logic and balance with no input transaction
08:54 < adam3us1> sipa: its an alt with its own mining race :) vitaliks own personal one. i asked him in person if he's gone to the dark side, and he smiled and chuckled as an answer :)
08:55 < sipa> i know that
08:55 < azariah4> sipa: "The coefficients will be revised as more hard data on the relative computational cost of each operation becomes available."
08:55 < azariah4> they mention two ideas in the current version of the paper
08:55 < sipa> but i'm asking at what level the fee structure is enforced
08:55 < adam3us1> sipa: exchange u mean ^^ variable cost of exec
08:56 < sipa> bitcoin only does it as a policy, as you cannot fix the cost of fees in the consensus rules
08:56 < adam3us1> sipa: i think the enforcement stems from miners. the miners define the correct interpretation and execution of the script. and their execution is defined in part by the interpreter cycles from the fees
08:56 < sipa> miners have the same validation as other nodes
08:56 < adam3us1> sipa: oooh. now i get you.
08:57 < adam3us1> sipa: i was thinking that they just set an arbitrary baked per cycle fee, but that doesnt work in a floating value coin
08:57 < sipa> and the only way paying for validation can work economically, is when validation work is limited per block as a consensus rule
08:57 < sipa> as miners have an incentive to fill up whatever is allowed in a block (they are paid, the rest isn't)
08:58 < azariah4> adam3us1: they mention setting it partly based on difficulty, which is one measure of the value of the coin
08:58 < adam3us1> sipa: gmaxwell was pointing out that if there is even one instruction diff in interpretation it could lead to a hard fork so having that fee be dynamic / loose could be undesirable
09:02 < adam3us1> sipa: i was also wondering like what if the cycles (for all contracts in block) go above the CPU resources of some nodes, so they cant keep up with validation.
09:02 < adam3us1> sipa: maybe thats what you were saying "only way paying for validation can work economically, is when validation work is limited per block as a consensus rule"
09:02 < sipa> adam3us1: that is why full nodes need to demand a network rule that limits it
09:03 < sipa> otherwise they are voting themselves out of the electorate
09:10 < adam3us1> sipa: so if the maximum cycles are voted on via some rolling avg by consensus, that cant be an integer or someone will put maxint in there? so then what a proof cpu resources in the interval? then maybe someone uses a compute farm to jack up the max cycles. so then a non-parallelizable PoW? then someone uses dozens of liquid cooled 5ghz boxes (or nitrogen 6ghz). there is a financial motive to exclude
09:11 < sipa> adam3us1: define 'voted'; who votes?
09:11 < adam3us1> sipa: maybe they put a human chosen cap at some comfortable level for avg desktop/ultrabook hw
09:11 < adam3us1> sipa: miners, by putting their pref for max cycles as a field in coinbase? (i am trying to understand how this policy and rate could be set)
09:12 < sipa> no, not miners!
09:12 < sipa> miners are the ones who have the incentive to raise the limits
09:12 < sipa> it's the rest of the nodes that need the limit exactly to keep miners in check
09:13 < adam3us1> sipa: to exclude other miners yes. but there is no non sybil voting without pow itself, and miners concentrate and build asics for any and all pow long term
09:13 < sipa> to exclude other miners, or just to maximize their own fee income
09:14 < sipa> it's non-mining nodes that need to demand rules which prevent that
09:14 < adam3us1> sipa: by being the only cloud miner with fast cpu to even execute and collect fees
09:15 < adam3us1> sipa: so eg then non-miners have a default sanity limit something simple for a 1ghz machine to keep up with
09:15 < sipa> well, that is what bitcoin has: a 1 MB limit on blocks, and a 20k sigop limit in it
09:15 < sipa> which means you have a guaranteed way of being able to keep up
09:15 < adam3us1> sipa: yes i was thinking its analogous to limit. but in this case if its over
09:16 < adam3us1> sipa: then some nodes would reject it as too many cycles by policy?
09:16 < sipa> not policy, this needs to be a consensus rule
09:16 < adam3us1> sipa: but how do u reach consensus without hash power...
09:16 < sipa> by fixing it
09:16 < sipa> in the rules, at the start of the system
09:17 < adam3us1> sipa: ok yes then so like some max ins / block target interval that a 1ghz machine can easily keep up with
09:17 < sipa> and do a hard fork if there is wide consensus (among humans using the system) that it can be changed
09:17 < sipa> i don't believe it is a problem you can solve technically inside the consensus system
09:17 < azariah4> one issue is that how efficient hardware can compute the ethereum "script" language may not relate to how efficient it can hash the blocks
09:18 < azariah4> so it might not be possible to have a consensus rule which is based on making the fee multiple inversely proportional to square root of hashing difficulty, as they mention
09:18 < adam3us1> sipa: yes. another issue fairness between competing scripts. these contracts are like programs that run whenever an instrument of a given type are transacted.
09:19 < adam3us1> the contract program has persistent state and can react to user transactions invoking it and originate transactions from the script code
09:20 < adam3us1> drawing on script managed funds, or user supplied inputs.
09:25 < azariah4> the potential for grey goo is very interesting
09:27 < adam3us1> azariah4: i am (pure speculation) assuming its why there is no extrospection (ie ability for the script to lexically examine the script of the output address to enforce terms on it) i think gmaxwell called that a covenant in the link above
09:28 < adam3us1> azariah4: (in existing bitcoin script)
09:30 < adam3us1> azariah4: i think extrospection or covenants are potentially dangerous because they could spread virally through the coins.
12:21 < amiller> the ddos behavior to implement seems straightforward to describe too
12:22 < andytoshi> do we have a simulator yet? there was some serious bounty..
12:22 < amiller> so what i'd expect is that the ordinary algorithm gets horribly overloaded by easy ddos
12:22 < amiller> we have a simulator that i think is lovely and i'm pissed because kjj doesn't want to pay it and no one else has chimed in
12:22 < amiller> https://bitcointalk.org/index.php?topic=326559.0
12:23 < iddo> pay it?
12:23 < amiller> call the bounty claimed
12:23 < amiller> kjj first posted the bounty i mean
12:23 < iddo> ahh
13:28 < _ingsoc> Chicago has given up. :(
13:29 < sipa> ?
13:47 < avivz78> hi :-)
13:51 < _ingsoc> sipa: -!- Chicago [~Chicago@2001:558:6033:ff:4450:74c5:b55:35d3] has quit [Quit: Leaving]
13:51 < _ingsoc> It was a lame joke.
13:59 < andytoshi> sigh, i bought in at 1050, was gonna just hold indefinitely
14:00 * andytoshi takes a 20% bath
14:03 < andytoshi> sorry, wrong channel
14:36 < Emcy> enjoy your haircut andytoshi
14:52 < warren> perhaps this channel should require login too
14:52 < warren> -dev has improved
14:53 < Emcy> just keep it on the dl
14:54 < warren> Emcy: too late for that
14:55 < Emcy> well ive never told anyone.......
14:55 < Emcy> never knew if this room was supposed to be quiet
14:55 < warren> quiet isn't the goal. relevant is.
14:57 < Emcy> i thought this was the place where we do some blue sky thinking, generate some thought showers and synergise dem paradigms
14:57 < maaku> Emcy: you tell people privately, when you think it'd benefit the channel for them to be here
14:59 < maaku> am I blind or does this new paper not actually address any of the scalability concerns which necessitate a long interblock time?
15:02 < andytoshi> maaku: its premise appears to be that long interblock times are needed to prevent permanent forks due to the block rate being faster than the network speed
15:02 < andytoshi> and they fix that specific problem by using the forks to determine which block to mine on
15:03 < maaku> so ignorance, it seems
15:03 < maaku> someone should invite them here
15:04 < andytoshi> might be worthwhile, there was a conversation a bit earlier where gmaxwell pointed out a simple dos attack
15:04 < andytoshi> and it seemed to me that any attempt to fix it short of just throwing out the whole idea, would cause forks to happen
15:06 < maaku> there's all sorts of DoS vulnerabilities and bad incentive structures that emerge when you lower the interblock time to 1 second
15:07 < maaku> doesn't stop "most-work chain of the most-work tree" being a possibly good heuristic though
15:07 < maaku> but as usual with academic papers, there are claims blown way out of proportion :(
15:08 < andytoshi> well, it does because if you don't factor in depth then you can DOS people by sending them millions of low-difficulty blocks at some early point in the tree
15:08 < andytoshi> and they have to keep them around, just in case they wind up totalling more than the "real" chain
15:08 < andytoshi> maaku: yeah, and the forum posts are absurd
15:11 < maaku> andytoshi: no, they don't have to keep them around because there doesn't have to be global consensus on the forks
15:11 < maaku> they just decide locally how many they want to keep around
15:12 < maaku> and garbage remove the rest
15:12 < andytoshi> but then you've got different nodes making different decisions about what's garbage, and they'll wind up with permanently divergent views of the blockchain
15:13 < maaku> permanently? no
15:13 < maaku> temporarily, yes, but it's no different than when a fork occurs now, and nodes stay on the most recently heard block
15:14 < andytoshi> here all forks are involved in the decision as to what is the definitive chain
15:14 < maaku> yes, and eventually the chain with the most hash power behind it will overcome all those itsy bitsy forks
15:15 < maaku> this new GHOST algorithm just makes nodes a little bit more sticky to the forks which have been surpassed but nevertheless appear to have more work going into them
15:15 < andytoshi> ok, but until then, the DOS'd node needs to keep all the forks around
15:15 < maaku> why?
15:16 < andytoshi> because the node doesn't know that the chain with the most hashpower will overcome the forks
15:16 < andytoshi> or if it does, that it'll continue to overcome
15:16 < maaku> so what?
15:16 < andytoshi> so how does it decide what's garbage and what's not?
15:16 < maaku> all forks are garbage
15:17 < maaku> this is just a mechanism for using the information represented by those forks to more smartly choose the fork that is more likely to win
15:17 < andytoshi> then what happens when the node gets confused about what's the longest chain? then the main chain is decided to be garbage and the node never gets back on track
15:17 < maaku> but if you end up being wrong, it'll end up being because there was more power behind a different fork, and you will self-correct
15:18 < andytoshi> if you're using information from the forks, you need to hold the forks
15:18 < andytoshi> if you're using information from the forks, and you are picking-and-choosing which ones to keep, you will make decisions differently from other nodes
15:18 < maaku> *and that is not a problem*
15:18 < andytoshi> and if you keep them all, you get DOS'd, if you keep none of them, you have bitcoin
15:18 < maaku> you already make decisions differently from other nodes
15:19 < maaku> when you receive an orphan block, you choose the block you already have
15:19 < maaku> that's based on local knowledge, namely the arrival times of the two blocks
15:19 < maaku> which are different from node to node
15:19 < andytoshi> yes
15:19 < maaku> this is no different than when a GHOST protocol node chooses which orphan forks to keep around for
15:20 < maaku> you can't get permanently stuck on a fork because you have a few orphans lying around
15:20 < maaku> not unless someone is using more nethash than the entire network to create those orphans
15:20 < maaku> in which case this is another instance of the 51% attack
15:20 < andytoshi> the problem is that you don't know if somebody has more nethash than the entire network
15:21 < maaku> andytoshi: again, so what. that describes bitcoin currently
15:22 < andytoshi> in bitcoin currently if i start spamming you with orphans, you can ignore them until i send you one containing a higher POW than your current best chain
15:22 < maaku> <andytoshi> the problem is that you don't know if somebody has more nethash than the entire network
15:22 < maaku> ^^ that's nothing more than the majority-nethash attacker scenario
15:22 < andytoshi> whereas here you might be receiving orphans from many parties, none of whom individually have enough POW to overcome the main chain
15:23 < maaku> which already trivially defeats bitcoin
15:23 < avivz78> mmmm Hi guys
15:23 < avivz78> seems like you're talking about our paper?
15:23 < maaku> yes
15:23 < andytoshi> hi avivz78, yes
15:23 < avivz78> (was away at another window)
15:23 < avivz78> I'd be happy to respond / discuss
15:24 < avivz78> can someone explain to me how bitcoin proposes to handle low difficulty ddos attacks?
15:24 < andytoshi> my concern is that because you're using entire subtrees to determine the best chain, and spam subtrees can be created to be very large (e.g. by spamming many low-difficulty blocks at the same height), this exposes the network to dos attacks
15:25 < maaku> avivz78: I think it's a great idea, albeit derivative of unpublished work that's been thrown around here. You've gone further than anyone in formalizing it though.
15:25 < andytoshi> partially, the checkpointing mechanism
15:25 < avivz78> As I see it, bitcoin has to handle this too
15:25 < maaku> avivz78: can you explain "low difficulty ddos attacks" (there's more than one thing you could be referring to)
15:26 < andytoshi> well, it is hard to create enormous fraudulent individual chains
15:26 < avivz78> \msg avivz78 mmm
15:26 < avivz78> nope
15:27 < avivz78> I'm on a web client not sure I can privatemessage
15:27 < avivz78> andy - isn't it just as hard to create large fraudulent trees?
15:27 < _ingsoc> azariah4: Can we contact you via e-mail?
15:28 < andytoshi> avivz78: not quite, because you can avoid difficulty increases by staying at low depth
15:29 < maaku> avivz78: yes it is just as hard, that's what I was trying to tell andytoshi
15:29 < maaku> andytoshi: most-work, not longest
15:29 < andytoshi> yes, i understand that
15:33 < andytoshi> what i'm saying is that as long as there are low-diff blocks coming in, you don't know how big the tree is going to grow to, so you have to keep them all around
15:33 < andytoshi> but i'm not clear on how bitcoin solves this problem
15:33 < andytoshi> aside from checkpointing, which is a kluge
15:34 < andytoshi> so i guess, i tentatively cede my point
15:34 < andytoshi> sorry guys :}
15:34 < avivz78> I think these are all the same issue basically. I'd certainly like to learn a bit more about this as well.
15:36 < maaku> avivz78: my larger concern is the public perception. this new algorithm helps alleviate some of the pressure of shorter interblock times, but that has approximately nothing to do with transaction volume
15:37 < maaku> which has more to do with validation and propagation times
15:38 < avivz78> both have the same effect
15:39 < avivz78> larger blocks imply more propagation time, imply more orphans
15:39 < avivz78> higher block rates imply more orphans too
15:39 < avivz78> We make the connection in the paper
15:39 < avivz78> most of the first half of the paper is about scalability alone. GHOST comes in at section 8
15:39 < Emcy> 1 second blocks?
15:40 < maaku> no, larger blocks come with efficiencies that aren't seen with smaller, more frequent blocks
15:42 < avivz78> like what?
15:42 < avivz78> (besides the headers)
15:42 < maaku> batch validation
15:55 < petertodd> adam3us: for professional contexts, non-repudiation+encryption is what's generally needed, as well as logging, and key recovery...
15:55 < petertodd> adam3us: (or at least, what they have to claim is needed!)
15:56 < gmaxwell> adam3us: wrt the link. One detail is that if Alice signs the symmetric key it proves that alice communicated using that symmetric key. If instead you have a construction where you do an Alice.Bob ECDH, with no signing, then Bob can't prove that alice ever sent a message at all... which is slightly stronger.
15:56 < petertodd> adam3us: see, repudiation + timestamping could be an interesting mix legally, as the timestamp will often be non-repudiation evidence, yet it's something anyone can apply
15:57 < gmaxwell> petertodd: sure, the world is complicated, but the crypto should never make you _worse_ off.
15:57 < gmaxwell> and generally adding non-repudiation where you didn't think it was there and didn't want it at least theoretically makes you worse off.
15:58 < petertodd> gmaxwell: right, but that's not a consideration when a company decides whether or not they want to pay PGP-corp a bunch of money - they want to tout their better security, and in corporate environments you usually (publicly) want non-repudiation
15:58 < gmaxwell> Oh and fwiw, as far as the logs on my computer are concerned, you're all underground drug dealers. I forge logs locally when I'm bored. Sorry.
15:58 < petertodd> gmaxwell: heh, I timestamp mine
15:58 < petertodd> gmaxwell: (it's a pain in the ass constantly having to make forged ones though)
15:58 < Emcy> thanks greg
15:59 < adam3us> gmaxwell: yes. that sounds better.
15:59 < petertodd> Anyway, there's room for both, so I support the new PGP "private-sign" option that I'm sure someone will implement Real Soon. :)
16:00 < gmaxwell> yea, I am certainly a fan of non-repudiation existing. Heck, I used it 24 hours ago... we use it for software releases. It's useful.. just not usually what we want for email.
16:01 < petertodd> gmaxwell: and I used encrypted and signed non-repudiation for the ltc security audit, and some other still-private stuff like it
16:02 < gmaxwell> I also think non-repudiation should almost always be coupled with timestamping just as a norm. Otherwise you can repudiate too easily by 'losing' control of your private key, that's harder if you have timestamps.
16:02 < adam3us> gmaxwell: it seems like a ringsig in effect. saw you said ring sig above so probably you said that. colin plumb had another one involving xor and rsa keys with same effect.
16:03 < petertodd> gmaxwell: indeed - I probably have the only crypto authenticatable copy of jdillon's emails for instance, and to prove the timestamps would take some munging around in git and some privacy exposure due to how git works internally
16:04 < petertodd> Anyway, main sticking point there for me personally to implement that is there's no decent OpenPGP libraries out there, other than Bouncy Castle, and I know nothing about Java.
16:09 < tromp__> have any of you read up on the Cuckoo Cycle PoW?
16:09 < nsh> (on the subject of crypto and legality: i'll be violating a (UK law) RIPA s.49 order 'requiring' disclosure of decryption keys on Friday midday under penalty of two years imprisonment, in theory.)
16:09 < petertodd> tromp__: it's not asic hard at all
16:09 < petertodd> nsh: ?
16:09 < tromp__> how wld an asic get a speedup?
16:10 < petertodd> tromp__: you're asking the wrong question - we don't care about speedups, we care about cheaper running/overall costs
16:10 < nsh> petertodd, just some... silliness -- but it will probably lead to some interesting courtroom arguments somewhere down the line, if they choose to push it
16:11 < nsh> ( https://en.wikipedia.org/wiki/Key_disclosure_law#United_Kingdom )
16:11 < petertodd> nsh: huh, is the case public?
16:12 < nsh> the UK case isn't public as i haven't been charged, but some idiots in virginia have charged me. if you google "nsh indictment" there's a couple of pdfs on justice.gov
16:12 < nsh> (i can't talk about allegations, etc.)
16:13 < tromp__> i don't see how an asic wld run much cheaper. it would need to have GBs of memory
16:13 < petertodd> nsh: ha, good luck
16:13 < petertodd> tromp__: again, you're asking the wrong question. What drives running costs?
16:14 < tromp__> cost of RAM
16:14 < nsh> thanks :)
16:14 < petertodd> tromp__: no, power
16:14 < tromp__> no, not for a latency constrained pow
16:14 < petertodd> tromp__: cuckoo is parallelizable
16:14 < nsh> tromp__, you have to think about scaling as a function of the amount of work you want to do. eventually it's always power
16:14 < nsh> as the other costs don't scale with work
16:14 < tromp__> it's not parallelizable
16:15 < tromp__> read the paper to see how it detects cycles
16:15 < petertodd> tromp__: physically speaking memory has lots of long wires all over the die, and since cuckoo is parallelizable your best implementation will shorten those wires with special-purpose "routers" that pass around incomplete cuckoo attempts between those memory cells until it finds a cycle that works
16:16 < petertodd> tromp__: I have read that paper, either you make cuckoo not efficiently verifiable, or you make it parallelizable
16:16 < tromp__> it's trivially verifiable, and not parallelizable
16:16 < petertodd> tromp__: thing is that architecture is totally custom, yet will reduce power because driving a short wire uses less energy than a long one
16:16 < petertodd> tromp__: look, just saying that doesn't make it true
16:17 < tromp__> how would you parallelize it?
16:17 < petertodd> tromp__: simple, use the same block of memory and have multiple attempts at finding a cycle go on at once
16:18 < tromp__> you cannot do that. all the memory must be used for a single attempt
16:18 < petertodd> tromp__: get a pad of grid paper out and draw a big block of memory, and think what happens on each step of the cycle, and quite literally how to physically get that information to the part of the memory for the next step in the cycle
16:18 < petertodd> tromp__: either you use all the memory for an attempt, and it's not efficiently verifiable, or you don't, and it's parallelizable
16:18 < tromp__> you have not understood the paper
16:19 < petertodd> tromp__: ok, explain to me what you think happens
16:19 < tromp__> 1st of all, it's trivially verifiable because you just generate the 42 edges and check they form a cycle
16:20 < tromp__> this is what my verify.c does
16:20 < petertodd> tromp__: ok, so lets get into detail: what does generating those edges mean exactly?
16:20 * nsh (is silently auditing this conversation)
16:20 < tromp__> compute hash(header||nonce) and extract the two endpoints from it
16:20 < petertodd> nsh: for quality I hope
16:21 < petertodd> tromp__: right, and how much data does that need?
16:21 < tromp__> header and 42 nonces
16:21 < nsh> (my edification mostly, not really qualified to assess the quality except through my own lens, darkly)
16:22 < petertodd> tromp__: right, how does the verifier know the nonces are valid? because they form a cycle right?
16:22 < tromp__> because the corresponding edges form a cycle
16:22 < petertodd> tromp__: exactly
16:23 < petertodd> tromp__: ok, so lets look at how you find those edges: map a given edge location to an address in memory associated with a nonce, and keep searching until you find a cycle right?
16:23 < tromp__> not at all
16:23 < petertodd> tromp__: ok, so explain to me
16:23 < tromp__> you maintain the directed cuckoo graph
16:24 < petertodd> tromp__: yes, and where is that graph stored?
16:24 < petertodd> tromp__: (and how?)
16:24 < tromp__> in a huge array
16:24 < tacotime_> Is this anything like hamhash?
16:24 < tromp__> 32 bits per node
16:25 < petertodd> tromp__: ok, so addr:nonce?
16:25 < petertodd> tromp__: (32-bit nonce)?
16:25 < tromp__> no; nonces are not stored
16:25 < tacotime_> http://jones.math.unibas.ch/~massierer/theses/massierer-hons.pdf
16:25 < tromp__> they're forgotten to save memory
16:25 < petertodd> tromp__: ok, so what is in that array?
16:25 < tromp__> only the directed cuckoo graph is maintained
16:25 < petertodd> tromp__: but lets get into detail, what is in that array?
16:26 < tromp__> pls read the latest write-up, it has some expanded sections from the first writeup
16:26 < tromp__> ok the array has N0+N1 slots
16:26 < tromp__> cuckoo[i] points to the alternate slot that a key could occupy
16:26 < petertodd> tromp__: the writeup at eprint.iacr.org/2014/059.pdf?
16:26 < tromp__> yes
16:27 < petertodd> tromp__: right, that's the one I read
16:27 < tacotime_> Thanks.
16:27 < tromp__> if a nonce generates edge (i,j), then you have to end up setting either cuckoo[i] = j, or cuckoo[j] = i
16:27 < petertodd> tromp__: yeah
16:28 < tromp__> but the algo also checks if this edge is forming a cycle
16:28 < petertodd> tromp__: so my point is, you keep modifying that array until the path through it forms a cycle
16:28 < petertodd> tromp__: or, you keep guessing new nonces until it does
16:29 < tromp__> but when you don't form a cycle, you still need to reverse a path from either i or j to the endpoint
16:29 < petertodd> what do you mean by "reverse a path"?
16:29 < tromp__> reverse the direction of each edge on the path
16:30 < tromp__> which corresponds to each key displacing the next n cuckoo hashing
16:30 < tromp__> n->in
16:30 < petertodd> tromp__: how does the PoW verifier know that I did that? IE why does reversing it matter?
16:30 < tromp__> the verifier doesn't care HOW you found the cycle
16:31 < tromp__> it just happens that cuckoo hashing is the seemingly most efficient way to find cycles
16:31 < petertodd> tromp__: exactly, so I assume this reversing thing must have a performance advantage
16:31 < tromp__> you need to reverse in order to be able to store the edge (i,j)
13:37 < gmaxwell> The press is actually really poor at this whole investigation thing, so it's actually pretty easy to send them off on a tangent
13:38 < gmaxwell> there are a couple other "is xxx satoshi?" questions that come up only from actually thoughtful people, and I always quietly advise them that such suggestions could only bring unhappiness to their targets.
13:40 < gigavps> amiller wow, crazy find
13:40 < amiller> it's pretty clearly unrelated
13:41 * nsh nods
13:41 < maaku> to someone who knows japanese, the names are not actually very related at all
13:41 < amiller> it's not even a proper anagram, it's missing a T
13:42 < pigeons> stop ruining my news story with facts
13:43 < gmaxwell> amiller: I like the OWAS paper posted to the forum with the awesome japanese sounding anagram name on it.
13:48 < maaku> "satoshi nakamoto" is something like "wisdom/cleverness middle/core-truth"
13:48 < maaku> so obviously a pseudonym given what we know of him/her/them
13:49 < maaku> whereas naoshi sakamoto has meaning related to honest intent & sloping hills
13:51 < maaku> only one kanji is shared, and not a very meaningful one
14:08 < jtimon> what kanji, maaku?
14:10 < jtimon> by the way, talking about eastern culture? Do any of you like chess? Go is older and better
14:10 < jtimon> machines still get humiliated by humans at go
14:11 < jtimon> I had a plan to fix that...but then I discovered bitcoin
14:12 < jtimon> neural networks trained by genetic algorithms will beat go pros
14:13 < jtimon> but programmers are still using monte-carlo
14:13 < jtimon> sorry guys for speaking alone...
14:23 < maaku> jtimon: the "moto", which means book, but in this context something more like truth
14:23 < maaku> jtimon: the problem with go is combinatorial explosion
14:24 < maaku> an evolutionary neural network approach alone won't solve that problem
14:31 < maaku> you'd need some sort of hierarchical planner that uses heuristics that could be genetically evolved
15:10 < jtimon> maau a neural network is normally trained with a training set with inputs and desired outputs
15:10 < jtimon> maaku
15:10 < jtimon> there's no expert that can feed that training set because of combinatorial explosion
15:11 < jtimon> but genetic algorithms can explore any space
15:12 < jtimon> it's just a matter of time
15:12 < jtimon> and well/
15:12 < jtimon> ...
15:12 < jtimon> the adversary
15:13 < jtimon> you could start with any montecarlo machine and when you beat it start using also your own individuals as benchmark
15:14 < jtimon> what kanji is moto and means book?
15:30 < maaku> well the search space is too big, even for a genetic algorithm
15:31 < maaku> which is why you'd need some sort of layering heuristic architecture (the hierarchical planner), which the evolutionary genetic search and then optimize
15:31 < maaku> hold on i don't have kanji input on this vm
15:33 < maaku> it's only "moto" in names though
15:33 < maaku> it's typically read "hon"
15:35 < Lifeofcray> go is for chumps
15:37 < jtimon> no, no planner, that won't work for go
15:38 < jtimon> Lifeofcray have you played?
15:38 < jtimon> genetic algorithms have all the eternity to play
15:39 < jtimon> and improve
15:39 < jtimon> humans have to eat and sleep
15:39 < maaku> jtimon: why's that? (be warned, this was the subject of my uncle's Ph.D thesis, so I know it pretty well)
15:39 < maaku> the planner i mean
15:39 < jtimon> well, there's like three phases in go
15:40 < jtimon> initiation middle and ending
15:40 < jtimon> in the finishing deep blue would be good
15:41 < jtimon> in the other two phases humans train their intuition
15:41 < jtimon> what they study
15:41 < jtimon> are general patterns and heuristics
15:41 < pigeons> yeah i'm learning go, its fun
15:41 < gmaxwell> I like connect-6
15:41 < jtimon> but when you study them they're isolated, not in the middle of a real game
15:42 < jtimon> planners are based on expertise, that sucks
15:42 < jtimon> specially for go
15:43 < jtimon> what's your uncle's thesis?
15:58 < andytoshi> is there a list somewhere of the incentive problems in bitcoin?
15:58 < andytoshi> eg no incentive to IBD or relay transactions
15:59 < gmaxwell> except there are incentives, just not inside the system. as evidenced by the fact that people do do these things today.
16:00 < gmaxwell> maybe not _enough_, but that's a more subtle question.
16:39 < andytoshi> it occurs to me that if block relaying was not getting done, it would be a good candidate for probabilistic payments
16:39 < andytoshi> and there is no reason that would need to be built into the network
16:41 < petertodd> gpg-agent --daemon --enable-ssh-support --use-standard-socket --write-env-file /home/pete/.gpg-agent-info
16:41 < petertodd> gah, thinkpads have shit design...
16:42 < petertodd> who puts keys such that brushing the edge of the laptop presses them?
18:41 < midnightmagic> petertodd: Acer does that too. It's incredibly irritating, because some of the buttons are pure touch and it's not clear they're actually buttons.
18:42 < midnightmagic> "If you touch your hand over here, the dvd drive pops out and the whole machine turns into a media desktop."
18:42 < midnightmagic> "Unfortunately you have to touch your hand here to type.. so.. "
21:17 < phantomcircuit> gmaxwell, who is it that wrote bitrated.com ?
21:17 < phantomcircuit> they might want to put a note on the "Offer Arbitration" page that it's illegal to offer those services to people in CA/Idaho
22:41 < andytoshi> phantomcircuit: it is shesek
22:41 < phantomcircuit> i noticed he says it's not escrow
22:42 < phantomcircuit> so technically it might not be illegal in ca/idaho
22:42 < phantomcircuit> but that's a question for a lawyer
22:42 < phantomcircuit> (an expensive one)
22:50 < andytoshi> yeah, it's a really neat question actually
22:50 < andytoshi> legally
22:50 < andytoshi> it would probably be precedent-setting if it went to court under escrow laws
23:00 < phantomcircuit> andytoshi, the closest analogy i can think of would be a trust account held by an attorney in which m of n parties can authorize a transfer
23:01 < phantomcircuit> attorneys (hilariously) ignore escrow laws in ca which as far as i can tell is totally illegal
23:01 < andytoshi> if an actual account existed i can see that being an escrow..
23:01 < andytoshi> interesting
23:01 < phantomcircuit> when i've brought it up i got a very handwavey response that amounted to "that's different"
23:01 < andytoshi> no kidding
23:03 < phantomcircuit> maybe i'll try it on someone who doesn't do trust accounts anymore due to them being a pain in his ass
--- Log closed Wed Dec 04 00:00:30 2013
--- Log opened Wed Dec 04 00:00:30 2013
00:25 < amiller> omfg i think i finally get the key trick in this paper
00:25 < amiller> gmaxwell, you know how we've been stuck trying to actually do iddo's protocol
00:26 < amiller> because you can't do math on more than 4 byte numbers
00:26 < amiller> and you need to draw more than 4 bytes of randomness to actually get any security?
00:26 < amiller> they get around this in a clever way we totally missed..... you actually take the SIZE of a string as a choice within a really small range
00:27 < amiller> in other words, each party picks their own number, 0, 1, or 2.... and for whichever number they choose, call it i, then they choose a random string of 20+i bytes
00:27 < amiller> and hash that
00:28 < amiller> i'm pissed we didn't come up with that.
00:30 < amiller> aldfaslkdjfaklj
05:14 < Mike_B> hey gmaxwell
05:15 < Mike_B> has there ever been anything published about the behaviors of various money supplies under different circumstances (mining reward halves every x years vs mining reward never halves vs demurrage vs etc)
05:15 < Mike_B> and also factoring things like expected loss of coins
05:15 < Mike_B> i just got in a discussion with keenanpepper in a different channel and it's an interesting thing to analyze
05:17 < Mike_B> i think it works out to basically the convolution of an accumulation function (with a delta function every time new money is created) and a "retention function" (something like u(t)*d^-t where u(t) is a step function and d is a real 0<d<1 specifying decay)
05:17 < Mike_B> i dunno if this is all well-known or whatever
05:17 * Mike_B is totally new to the scene
05:18 < Mike_B> props to keenan for figuring out how to deal with some of the diff eq problems that arise
07:56 < petertodd> amiller: stupidly clever 'eh?
07:57 < petertodd> amiller: I'm really impressed by that trick
08:27 < nsh> hmm?
08:27 < nsh> what trick, petertodd?
08:28 < gmaxwell> petertodd: apparently someone else figured it out, mike linked to a txn using it.
08:29 < gmaxwell> I'm surprised I hadn't noticed the txn before, it's a mess of opcodes used nowhere else on the network.
08:29 < gmaxwell> nsh: how to do a gambling transaction
08:29 < nsh> between two parties? like iddo's committed coin-toss?
08:31 < gmaxwell> right.
08:31 * nsh nods
08:33 < nsh> i wonder if you can use this mutual-deposit-recovery process to create de-facto socially/economically guaranteed timelock encryption
08:33 < nsh> (in the process of everyone recovering their locked funds they reveal the partial information required to decrypt something)
08:33 < gmaxwell> phantomcircuit: shesek has legal advice that says it's not an escrow. Who knows.
08:57 < iddo> gmaxwell: i think that my first coin toss protocol doesn't work, and only Adam's improved protocol works, because it said that Alice creates txn that takes equal amount of coins from Alice and Bob as input, so when Bob signs the refund txn for it, he only sees the hash, so Alice can cheat by getting Bob to sign refund that spends all the coins to her address?
08:58 < iddo> or maybe i'm missing something regarding the hash of a transaction?
08:58 < iddo> Adam's protocol works for sure, because it's a refund for coins that belong only to Alice
23:05 < realazthat> well, I'll keep the Q&As I have answers to
23:05 < realazthat> and post them somewhere
23:05 < realazthat> I have some additional Q&As to ask
23:06 < realazthat> so these are the options: 1. make a Q&A time in #bitcoin-dev, 2. direct eli to the ML 3. start a forum thread, direct him to join
23:07 < realazthat> additionally, start a projects/applications list
23:07 < amiller> i say start with the projects/applications list
23:07 < realazthat> eli himself is interested in such a list :D
23:07 < realazthat> such ideas are golden
23:07 < amiller> he wouldn't be able to prepare one himself though, i doubt he's familiar enough with bitcoin jargon or bitcoin's needs
23:08 < amiller> from my point of view the big whammy is to validate the whole blockchain all in one snap he seems to get that too
23:08 < realazthat> well, I meant a general SCIP applications list, but yeah, it has a lot to do with a network like bitcoin
23:08 < amiller> but there are also other cool applications that i think gmaxwell understands the best
23:08 < realazthat> mmm gmaxwell has a BIP on that
23:08 < realazthat> to make spend-outs to things that can verify the done a program
23:08 < realazthat> they*
23:09 < realazthat> also, it becomes possible, possibly, to make a bitcoin-like currency that does arbitrary useful work
23:09 < amiller> so i think he's highly unlikely to be able to devote any engineering attention to telling us what applications are helpful for bitcoin and especially not understanding how to implement them in bitcoin
23:09 < realazthat> and even trades in useful work for currency
23:09 < amiller> for that matter i'm not even sure how to make progress in bitcoin with researchy ideas
23:09 < realazthat> right
23:09 < amiller> although that's the topic of this here channel
23:09 < amiller> you can't just say hey we're gonna put this in bitcoin
23:09 < realazthat> when I addressed him, it was wrt applications in general
23:09 < amiller> but it also is shit to say it's just an altcoin
23:10 < amiller> so the question is always what's a good way to go about building proofs of concept that are interesting because they're relevant to bitcoin and may in some wacky future be meaningful to bitcoin and so it's worth trying them out and keeping this community informed about them
23:10 < realazthat> well I'd love to see some of this directly in bitcoin, ie. mining via useful work, but it's huge changes
23:11 < realazthat> but gmaxwell's BIP can be done
23:11 < realazthat> also, blockchain verification can be done
23:11 < realazthat> but PoC is always good :D
23:12 < amiller> zerocoin was pretty successful right people enjoyed it
23:12 < amiller> that was just a simple fork of bitcoin that had some bare minimum implementation of the cryptosauce and it validated a few thousand blocks and such
23:12 < realazthat> mmm cool
23:12 < amiller> so it's like similar in spirit to bitcoin, it's not like "launched" as an altcoin with a bunch of bullshit marketing and trying to get people to buy it
23:12 < realazthat> ah yeah
23:12 < realazthat> I have negative views of the altcoins
23:13 < realazthat> except namecoin
23:13 < amiller> right.
23:13 < realazthat> because it actually has a use
23:13 < amiller> so what would be nice is if we can support researchers creating arbitrary little forks
23:13 < amiller> perhaps we could help them maintain testnets
23:13 < realazthat> mmm I may try doing that soon
23:13 < amiller> and help them present them to the bitcoin community which is full of very interested people etc
23:13 < realazthat> but I've not touched bitcoin code yet
23:13 < realazthat> only RPC
23:13 < amiller> i created a fork of bitcoin for a class
23:14 < amiller> i mean to write up what i did and put it on the forum actually
23:14 < amiller> like thirty undergrads in networking had to implement bitcoin clients as their final project using the cbitcoin library
23:14 < realazthat> mmm is there a fund for finding exploits in bitcoin, like Google has?
23:14 < amiller> i mean they mostly sucked like they are just learning how to use sockets
23:14 < amiller> hm i don't know explicitly about a bitcoin security bounty...
23:14 < amiller> i wouldn't be surprised if bitcoin foundation would be willing to fund something like that
23:14 < amiller> i think it would be nice if bitcoin foundation could be talked into supporting research coins
23:15 < amiller> so zerocoin isn't code released yet
23:15 < amiller> and it doesn't have a running public testnet or tools or anything like that
23:15 < realazthat> yeah I read their site a few days back
23:15 < amiller> but when they're ready to release it it would be awesome if that kind of sets the standard
23:15 < realazthat> can't say I understood how it works
23:15 < amiller> maybe we can look at what they do and ask ourselves what we could do to make it easier for future researchers to do similar proof of concepts or also what they could do differently to make the proof of concept more meaningful?
23:16 < amiller> i think things like the testnet in a box are remarkably helpful
23:17 < realazthat> definitely would be useful to easily fork bitcoin and research/hack on it
23:17 < amiller> it *is* pretty easy to fork it i guess it's less easy to... i dunno test whether something is actually good or viable?
23:18 < realazthat> yeah you need several nodes prolly
23:18 < amiller> like a good standard benchmark might be to populate it with a bunch of transactions resembling the existing blockchain and measure how long validation takes or something
23:18 < amiller> i'm trying to think of what zerocoin ran into
23:18 < realazthat> mmm bitcoin should have some sort of testing framework down to a tee
23:18 < realazthat> doesn't it?
23:18 < amiller> because they add a seriously attractive feature (truly unlinkable transactions) but the cost is pretty high for validation which means it's totally not going to work in practice yet but how can we show that empirically
23:19 < amiller> no bitcoin has an enormous *testing* bottleneck
23:19 < realazthat> ah because afraid to put new things in, big consequences, hard to test
23:19 < realazthat> I joined the -testing ML
23:19 < realazthat> I read an email or two
23:20 < realazthat> yeah I don't envy the responsibility haha
23:20 < realazthat> someone messes up .. significant part of bitcoin network goes nuts
23:21 < realazthat> mmm well
23:21 < realazthat> if SCIP comes out soon, maybe I'll try to do some stuff with it, fork bitcoin, etc.
23:22 < realazthat> but I certainly am not experienced enough to even know what to consider a good test haha
23:22 < amiller> i think SCIP is likely really oversold and is going to have to go through several iterations of "research prototype" phase before anything practical comes out of it
23:22 < amiller> but it will still be really exciting to go through that process and we should be doing it as aggressively as possible
23:23 < realazthat> well ...
23:23 < realazthat> he did say "stages" himself
23:23 < amiller> including summarizing what's possible for everyone interested
23:23 < realazthat> I am just over-excited about starting to play with it even with suboptimal code
23:24 < realazthat> amiller: mmm I would be curious if making PoW use SCIP, would this help improve SCIP's code by people wanting to do the work faster
23:25 < realazthat> huge incentive hehe
23:25 < realazthat> also huge incentive to keep it quiet though, but still
23:25 < amiller> how do you mean
23:25 < amiller> i have a few ideas of how to combine SCIP with pow
23:26 < realazthat> well SCIP can directly be used as PoW; it guarantees someone ran program P
23:26 < realazthat> so if you make a researchcoin/altcoin with that as mining,
23:26 < realazthat> or,
23:27 < realazthat> you use gmaxwell's BIP to post incentives to complete a particular task for payment
23:27 < realazthat> then people will be running intensive SCIPs for coins
23:27 < realazthat> and SCIP is basically a slow VM
23:27 < realazthat> with relatively high constants
23:28 < realazthat> and room for code improvement
23:28 < realazthat> thus, there would be huge coin incentive to hack on the SCIP code and improve it
23:28 < amiller> we don't really want PoW though :)
23:28 < amiller> because
23:28 < amiller> suppose we could have a really long proof of work
23:28 < amiller> such that as soon as you finished it you were surely going to be a winner
23:28 < amiller> except that
23:29 < amiller> as soon as anyone else finishes faster
23:29 < amiller> you have to discard all your computation and start over again!
23:29 < realazthat> ah well you mean for mining
23:29 < amiller> it's really important that the actual work (e.g., just computing a single hash) is really small
23:29 < amiller> yeah
23:29 < amiller> that's what i mean
23:29 < realazthat> ok so that's part of what I mean by significant changes
23:29 < realazthat> so here is my idea(s) on that
23:30 < realazthat> imagine a network that primarily focuses on trading compute time for work
23:30 < realazthat> using gmaxwell's BIP
23:30 < realazthat> so you can make money by doing work
23:30 < realazthat> nvm mining
23:30 < realazthat> the lottery could be slightly different
23:31 < realazthat> it could be played among all workers
23:31 < realazthat> and you take sha(sig(P)), and have to test that against the upper-limit-number
23:31 < realazthat> so you can't really control that
23:31 < realazthat> and you aren't really mining
23:31 < realazthat> you are trading work for coin
23:31 < realazthat> + a chance to win a lottery
23:32 < realazthat> the guy who wins gets additional coin and mints the block
23:32 < realazthat> so everyone is trading work
23:32 < realazthat> that's the main thing
23:32 < realazthat> it's a huge work market
23:32 < realazthat> am I making any sense?
23:33 < realazthat> ofc I miss out a few details
15:49 < zooko> amiller_: I want off-line transactions. You and I meet on the dark side of the moon, and I give you something, and you can't communicate with anyone else, but you're satisfied that I've enriched you, so you give me a crate full of valuable ores and we part.
15:49 < zooko> gmaxwell: yeah.
15:49 < zooko> amiller_: but I hadn't thought through the threat of the PUF-manufacturer making duplicable/duplicate PUFs...
15:50 < gmaxwell> zooko: of course, if you're on the dark side of the moon, amiller can't tell if you're broke or not either (and if he knew you weren't he could tell you). :P hard to be satisfied that you've been enriched through an IOU from a throwaway identity. :P
15:50 < zooko> Is that threat considered by the PUF literature?
15:50 < zooko> gmaxwell: sorry, I was starting a second stream of conversation there.
15:50 < amiller_> no the PUF threat model begins after the secure manufacturing process
15:50 < zooko> The "deaf and blind spender" is the one I was talking about with you, and the "what's the use of PUFs" was the dark side of the moon.
15:50 < zooko> amiller_: oh darn.
15:51 < amiller_> fwiw i think a rational wallet should attempt double spends automatically at all times
15:51 < zooko> amiller_: haha! Good point.
15:51 < amiller_> and insist on innocence blaming something something distributed keys etc for the discrepancy
15:51 < zooko> I agree that would be a civic-minded thing to do.
15:52 < zooko> vulnerability to DoS, inefficient cheat-detection, these are like garbage cluttering up our fair city.
15:52 < zooko> Don't contribute to the worsening problem by refraining from attempting double-spends!
15:53 < zooko> amiller_: well, do you believe in a PUF that you can be sure the manufacturer of it didn't manufacture any duplicates?
15:53 < zooko> How about a program to make PUFs on your home 3D printer?
15:54 < amiller_> i believe in affordable PUFs yes and that they're probably awesome for small / subjective networks if not the big global ones
15:54 < amiller_> for example i construct a PUF and mail it to you
15:55 < zooko> I want to know that not only the person who handed me the PUF as we floated in the lee of the moon
15:55 < zooko> but also that nobody in history, can have generated an identical PUF.
15:55 < zooko> And it only has to be worth as much as a box of valuable ores.
15:56 < amiller_> ok so i print a few PUFs for you and your friends, now you and your friends go to mars and you can still safely transact using the PUFs, no communication back to me required
15:56 < amiller_> and when we sync up again after the long eclipse, we can still all trust those pufs
15:57 < amiller_> so yes i think pufs are swell (pun), it's just still a trusted-originator scenario
15:57 < zooko> I have the feeling you might know of a way to use PUFs for some kind of computation that I don't know of.
15:58 < zooko> So you make some PUFs for me and my friends.
15:58 < zooko> What is the "trust-origination" part?
15:58 < zooko> Is it that we can't be sure you didn't make duplicates, or retained the ability to do so?
15:58 < amiller_> you had to be sure i actually made a PUF
15:58 * zooko thinks.
15:59 < amiller_> suppose i make a PUF and a non-PUF at the exact same time
15:59 < amiller_> i give you one of them.
15:59 < amiller_> you cannot tell whether i gave you the puf or the non-puf
15:59 < amiller_> but if i gave you the non-puf then everything is totally insecure
15:59 < zooko> I see.
15:59 < zooko> Darn.
16:01 < warren> hmm, 0.8.1 -> 0.8.2 changes the minimum fee from 0.0005 to 0.0001? Users could upgrade to 0.8.2 quickly, but how do they know it is safe to begin using the lower fees?
16:06 < gmaxwell> warren: the new fees relay already, so it's safe as soon as one large miner applies the new criteria.
16:07 < warren> So users can reduce fees, at the risk of delays, as usual.
16:08 < warren> I hope the dust relay protection makes a difference. IMHO ~5k satoshis was too small a threshold.
16:08 < gmaxwell> it's also not a "minimum fee" gah. it's important to speak clearly about this. It is the base fee per kilobyte.
16:08 < warren> ah, sorry.
16:09 < gmaxwell> warren: any higher would have had SD paying people to attack the change.
16:09 < gmaxwell> (directly or indirectly)
16:10 < gmaxwell> (and also wouldn't have been so obviously harmless: you would have had to make a value judgement about SD's business practices)
16:10 < warren> I might have missed this, how does it handle it if change would fall below that threshold?
16:11 < gmaxwell> same way it always has, converts it to fees. Keep in mind, we've long had that behavior.
16:12 < gmaxwell> because change <0.01 results in not qualifying as a free transaction, thus a fee of 0.0005 BTC.
16:12 < gmaxwell> so when your change was less than 0.0005 it instead turned it into fee.
16:12 < warren> ah
16:12 < warren> good
16:27 < warren> FYI on those silly alt coins. A few weeks ago "Feathercoin" started, clone of Litecoin, identical in every way except 200 subsidy per block instead of 50. It went straight onto multiple exchanges and began a massive bubble, at one point it was 5 x more profitable to mine FTC and sell for BTC than to mine BTC directly. Difficulty skyrocketed. For the past few days their difficulty has been stuck at this level, with more and more miners quitting the estimated time to target is getting longer every day. Now their dev is talking about hardforking for faster retargeting, like Terracoin's "innovation".
16:29 < warren> It's frightening to see how many miners jump on the latest bandwagon, over and over again.
16:30 < RedEmerald> agreed
16:30 < zooko> Oh hi there, RedEmerald.
16:30 < RedEmerald> howdy
16:33 < zooko> Happy to find out that Adam Back is going to bitcoin2013.
16:37 < RedEmerald> i wish i had the time for that
16:37 < RedEmerald> too many conventions planned for this year already
20:09 < amiller_> <gmaxwell> amiller_: and as has been said before, I think it's too big of an economic change to be anything but a non-starter in bitcoin. Perhaps we'll get an ECDSA break that lets us make old utxo unspendable... but who knows.
20:09 < amiller_> zooko, ^^
20:10 < amiller_> i guess i understand the point about the big economic change thing but i'm not sure where to go from there
20:10 < amiller_> maybe just prepare the solution in case there's an ecdsa break like you said?
20:11 < amiller_> or consider it as a thing so we don't have to delete any old coins that are grandfathered in...
20:13 < amiller_> a good argument is that at some point the ad hoc solutions to inflating utxo will be worse than the parking meter approach which is straightforward and reasonable and *not demurrage*
20:21 < gmaxwell> even with a break, what evidence I'm seeing so far is that people still will oppose making old outputs unspendable. I don't know if this is just a sampling error from the lolbertarians in the bitcoin community or what. But I do think that's the best chance.
20:22 < gmaxwell> people were aggressively calling the no-create-dust changes recently theft.
20:23 < amiller_> well right now they are expecting free rent forever and that's obviously an unsustainable business
20:23 < amiller_> unless they're squatters
20:24 < amiller_> i mean i know it's not you that disagrees with me here you're just explaining to me what the consensus seems to be
20:25 < gmaxwell> well, it's not clear how unsustainable it is.. the utxo set can't grow faster than the blockchain. Soooo under the current network rules ....
20:25 < gmaxwell> even if you ignore that, with current granularity, if we deny 0 value outputs, the maximum utxo size is about 45 PB which is clearly not infinite.
20:26 < gmaxwell> if you're a member of the church of infinite-exponential-improvement-of-technology 45 petabytes sometime in the far future sounds pretty good.
20:26 < gmaxwell> (but there is a reason I describe that as a religion...)
20:27 < RedEmerald> i don't think 45 PB is outside the realm of possibility for a home computer
20:28 < RedEmerald> there's some cool storage tech being worked on that makes for some really dense storage
20:30 < zooko> Hi, amiller_.
20:38 < zooko> Was the no-create-dust patch motivated by utxo storage being an unfunded externality?
20:39 < warren> zooko: that has been one of the motivations for months now.
20:41 < gmaxwell> there are a bunch of motivations, that's one of them but probably the least short term significant right now.
20:43 < warren> I did like the ideas of eventually expiring tiny utxo's if they fail to pay rent.
20:44 < zooko> gmaxwell: but, you're saying that motivation may be unfounded?
20:45 < zooko> I.e., a proliferation of utxos may be not too costly, even though it is an externality?
20:45 < gmaxwell> zooko: at what timescale?
20:45 < zooko> I guess that would imply that there is some limit on it, possibly just a natural limit on people *wanting* to make utxos?
20:45 < zooko> gmaxwell: well, I don't know.
20:45 < zooko> I thought you were saying maybe the current rules would be sustainable.
20:46 < gmaxwell> we have to worry about all timescales. ... if you assume continued acceleration of technology and us not allowing zero value txo, then it's not an issue in a sufficiently long timescale because the number of possible non-zero value utxo is finite.
20:47 < gmaxwell> zooko: "There are levels of survival we are prepared to accept" ... right now it can grow about 50gbytes/year.
20:47 < zooko> Uh, what?
20:47 < zooko> Oh, if every satoshi is its own utxo. I see.
20:47 < gmaxwell> Right 21e14 utxo.
20:48 < gmaxwell> If the utxo set were already its maximum size, e.g. about 200gbytes... then I think it's very likely bitcoin would fail: that kind of cost to run a full node would not be justified by usefulness and significance of bitcoin.
22:47 < gmaxwell> they could do other things to make it right. Their COGS on these devices should be very low. They _should_ be able to afford to double everyone's order, for example.. which is what cointerra did for their december orders.
22:47 < gmaxwell> but god knows, maybe their had a failed spin.
22:48 < gmaxwell> s/their/they/
22:49 < brisque> that market is fascinating really. we have BFL, Avalon, Hashfast and Bitfury all acting quite strangely for companies
22:49 < brisque> I can't fathom what's going on with Bitfury and ghash.io. by the looks of things they own most of the network with their own hardware.
22:51 < brisque> frustratingly there's very little information about what ghash.io actually is, and what Bitfury is doing behind the scenes with it
22:59 < gmaxwell> the old "miners will avoid violating the security assumptions for fear of making their coins worthless" argument turns out to fail because it's possible to violate the assumptions and keep them secret, and people are willing to gamble that no one will notice or care if the security assumptions are violated.
23:03 < brisque> easy enough to hide your hashrate with a fake pool anyway or by replicating coinbases.
23:03 < brisque> do you like Luke would notice if I mined a block with Eligius.st's coinbase?
23:05 < brisque> back to the point, I don't think anybody would notice or care in a wider sense if Bitfury took a larger portion of the network. as it stands his portion is absolutely massive, and has some real world attacks under its belt.. yet there's nothing really that anybody can do about it.
23:07 < gmaxwell> well, for one, they could stop giving him _more_ hashpower. :P
23:07 < gmaxwell> best estimates still have 1/2 to 1/3 of ghash.io's hashpower is third party.
23:08 < phantomcircuit> brisque, bitfury supplies cex.io which uses ghash.io
23:08 < gmaxwell> they could also stop buying more insanely priced chips from him, since every chip you buy from him pays for him to put 10x more than that chip onto his own farm.
23:08 < phantomcircuit> they're actually different people
23:08 < phantomcircuit> but since they're all ukrainians with weird names nobody can tell
23:09 < gmaxwell> phantomcircuit: I don't believe they are. They claim to be, but evidence I've seen suggests it's one person with a couple employees.
23:09 < phantomcircuit> gmaxwell, it's definitely different people
23:09 < phantomcircuit> they are obviously very close though
23:10 < nessence> are dzminercoop guys legit?
23:15 < CodeShark> gmaxwell: https://github.com/CodeShark/bips/blob/master/bip-n1.mediawiki
23:17 < gmaxwell> CodeShark: you realize that partially signed transactions are already implemented by bitcoin-qt, bitrated, brainwallet, and a half dozen other things, right?
23:18 < CodeShark> is there a standard?
23:19 < CodeShark> many "partially signed transaction" implementations I've seen just blank out entire input scripts
23:19 < CodeShark> which makes some of the use cases I'm considering impossible
23:20 < gmaxwell> A defacto one at least. I'm not sure what you mean by "entire input scripts"
23:20 < CodeShark> as in the entire input script is blanked
23:20 < maaku> CodeShark: what use cases are you considering?
23:21 < maaku> or rather, what do you need to do?
23:21 < CodeShark> maaku: the main thing for me right now is supporting p2sh
23:22 < CodeShark> especially in cases where the signing devices don't know anything about the scripts a priori
23:22 < CodeShark> they just need to know whether they can sign and if they sign what the implications are
23:24 < CodeShark> IMO, the signatures should have been kept as a separate list structure in the txin
23:24 < CodeShark> rather than making them part of the script :p
23:24 < CodeShark> but that's another story
23:24 < CodeShark> an account management app keeps track of script pairs (txinscript/txoutscript)
23:25 < CodeShark> the txinscripts just have placeholders for signatures
23:25 < CodeShark> the signing devices just keep keychains
23:25 < CodeShark> they don't even need to know about the scripts a priori at all
23:26 < CodeShark> this will allow a good separation between account management/inbound payment processing tools (a.k.a. watch-only wallets) and signing devices
23:26 < maaku> CodeShark: why is scriptSig connected to p2sh?
23:26 < maaku> don't they figure that out by looking at the scriptPubKey?
23:27 < CodeShark> no
23:27 < CodeShark> the scriptPubKey for a p2sh only holds a hash of the script
23:27 < CodeShark> which is useless to anyone who doesn't already know the script
23:27 < maaku> ok so you're partially constructing the p2sh scriptSig
23:28 < maaku> (a) wallets probably already know the scripts (but I can imagine cases where they do not)
23:28 < maaku> (b) pass it out-of-band
23:28 < CodeShark> yes
23:28 < CodeShark> I like the p2sh approach generally - it's the recipient's responsibility to know how to claim the output
23:29 < CodeShark> the sender doesn't really care
23:33 < CodeShark> I mean, there could be conceivable cases where the sender cares - but not for the use cases under consideration here
23:33 < gmaxwell> ... https://bitcointalk.org/index.php?topic=392166.0 < KNC miner botnet.
23:36 < CodeShark> the out-of-band stuff is the principal motivation, maaku - I'm trying to develop a signing request protocol that might turn out to be a natural extension of the payment protocol
23:36 < CodeShark> a "generalized" payment protocol, so to speak
23:37 < CodeShark> which works for multisigs, coinjoin, internal company policy, merchants, and several other use cases
23:37 < phantomcircuit> gmaxwell, he's just brute forcing the passwords for web exposed boxes
23:37 < phantomcircuit> it's comical anybody has web exposed boxes at all
23:37 < gmaxwell> phantomcircuit: yea, sort of, except he can do an offline brute force, which digest auth is supposed to prevent.
23:37 < gmaxwell> presumably it uses a constant nonce or something stupid like that.
23:38 < phantomcircuit> probably
23:38 < maaku> why the hell was this posted online?
23:38 < phantomcircuit> but still
23:38 < phantomcircuit> maaku, the guy who found it decided to
23:40 < gmaxwell> someone reported the post and asked me to remove it, but I think it's too late.
23:40 < maaku> phantomcircuit: i understand, but besides being unethical it is illegal with legal implications if any of those boxes do get hacked
23:40 < phantomcircuit> maaku, publishing an exploit like that isn't illegal
23:40 < gmaxwell> in the grand scheme of shitty behavior in bitcoin land, someone hacking miners to divert them is probably the most minor.
23:40 < phantomcircuit> admitting to breaking into 28 boxes is
23:41 < phantomcircuit> gmaxwell, well he is basically rootkitting them
23:41 < gmaxwell> hehe 'most minor'
23:41 < phantomcircuit> those 28 people are going to have to pull the sd card to fix them
23:41 < maaku> phantomcircuit: depends on your jurisdiction, but yes publishing exploits is typically illegal
23:41 < gmaxwell> he said he didn't actually do that.
23:41 < maaku> if done in a negligent way
23:41 < phantomcircuit> oh i missed that part
23:42 < phantomcircuit> maaku, not in parts of the world with freedom
23:42 < gmaxwell> maaku: illegal? probably not. Exposes him to civil claims, perhaps.
23:42 < phantomcircuit> im going to assume he doesn't live in north korea
23:42 < phantomcircuit> since he's on the internet
23:42 < gmaxwell> actually reading again, I'm not sure what he's saying.
23:43 < gmaxwell> http digest auth doesn't prevent bruteforcing, and it actually does sound like he's doing a regular bruteforce attack. kinda boring.
23:44 < maaku> phantomcircuit: North Korea? try France, for example. In the U.S. this is borderline. see: https://www.eff.org/issues/coders/vulnerability-reporting-faq
23:44 < phantomcircuit> maaku, im not aware of anybody who has even been prosecuted in the us for disclosing a flaw
23:45 < phantomcircuit> numerous people have been subsequently accused of using the flaw under the assumption that the attack happened before they had disclosed it
23:45 < phantomcircuit> so they must have been the attacker
23:45 < phantomcircuit> but that's not the same thing
23:50 < CodeShark> the funny thing is that this guy's "exposure of vulnerability" applies just about to pretty much any device connected directly to the Internet :p
23:50 < CodeShark> so it's not so much an exposure as it is just another example of a well-known attack
23:55 < maaku> CodeShark: it's pointing people at the factory reset script and config files to update which is more unique
23:55 < maaku> not hard to figure out by anyone technically competent, but he reduced it down to script kiddie level
23:57 < CodeShark> the hard part is getting root access :p
23:58 < CodeShark> but yeah, this guy sounds a tad bit too boastful
--- Log closed Tue Dec 31 00:00:42 2013
--- Log opened Tue Dec 31 00:00:42 2013
00:03 < brisque> that's bold, announcing that you're exploiting people's hardware on a public forum.
00:05 < brisque> depending on the country that's most certainly illegal, akin to breaking and entering. if they get charged for doing it or not is a whole different matter.
00:05 < CodeShark> it's not announcing it that's illegal - it's doing it that's illegal
00:06 < brisque> certainly, but announcing that you did it is foolhardy
00:07 < brisque> oh dear. the user has also posted their KNC order number on the forums, and their country.
00:14 < brisque> who connects an embedded device directly to the internet anyway?
00:19 < phantomcircuit> brisque, people putting them in a dc who don't pay attention
00:20 < brisque> right. forgotten people might be doing that.
00:37 < gmaxwell> hey, could be worse, he could have posted instructions for making it look like 1/4 of the hardware failed, while sending 1/4 of the hashrate to himself.
11:22 < gmaxwell> It appears the secp256k1 was also selected using basically the same nothing up my sleeve technique. (just modified to produce curves with the fast implementation)
11:24 < gmaxwell> Hm. I take that back.
11:24 < gmaxwell> that's odd that they didn't do that.
11:25 < gmaxwell> then again the form constrains the design space a fair amount.
11:30 < HM> well it's enjoyable reading the pandemonium
11:31 < jgarzik> if forced, could we come up with our own curve parameters? or switch to djb's favorite curve?
11:31 < gmaxwell> jgarzik: it's a softforking change to add another checksig.
11:31 < jgarzik> yes
11:32 < gmaxwell> Though I'd prefer that we not uberparanoia with yet another ECC implementation, and just stick in lamport signatures as the oh-shit fallback.
11:32 < jgarzik> I consider it akin to replacing SHA256
11:32 < gmaxwell> well a complete replacement of sha256 is a hardforking change.
11:32 < HM> I doubt the NSA are going to waste their time on Bitcoin, it's more a concern if any advances they have tucked away become public
11:32 < gmaxwell> a CHECKSIG2 we could have deployed and usable in a month.
11:35 < gmaxwell> (lamport having the benefit of being immune to any DLP or EC related weakness, and giving a pat answer to quantum computer fud, plus a trivial implementation is still ultra fast. Downside: big signatures.)
11:47 < HM> Lamport still relies on solid hash functions
11:47 < HM> Pretty much everything touching crypto seems to use a hash function at some point, so they're obvious targets
11:49 < gmaxwell> HM: sure, but no ecdsa implementation is useful without a strong hash function. Besides, hash functions never get broken in a way that would break lamport.
11:51 < gmaxwell> Nothing is certain of course, but at least it's completely orthogonal.
11:51 < gmaxwell> or as near as completely as anything is.
11:51 < gmaxwell> and has a trivial implementation. (well, I'd like to use some compression that makes it slightly less trivial.)
11:52 < HM> But can't keypairs only be used once?
11:53 < HM> publishing a public key requires trust, so having to do it regularly is undesirable
11:55 < gmaxwell> HM: nah, you just make a public key a tree of public keys. They have a finite lifespan but you can make it large.
11:55 < gmaxwell> e.g. 1024 uses.
11:56 < gmaxwell> or with the imbalanced tree thing I suggested make it very large while only making heavy reuse bit.
11:56 < gmaxwell> er big.
11:56 < HM> meh
11:56 < HM> I guess if you got 1024 uses you could use your final message to publish a new public key
11:57 < gmaxwell> e.g. 32768 reuses, but uses 1-4 are only one extra hash each.
20:52 * amiller starts writing about the parking meter fee model
--- Log closed Sat Sep 07 00:00:14 2013
--- Log opened Sat Sep 07 00:00:14 2013
--- Log closed Sun Sep 08 00:00:17 2013
--- Log opened Sun Sep 08 00:00:17 2013
08:56 < gmaxwell> oh come on. I just actually looked at the random ecdsa curves in FIPS.. and sure, they're deterministically generated... but the seed values are implausibly high.
08:58 < sipa> ?
08:58 < sipa> veing?
08:58 < sipa> being?
08:59 < gmaxwell> e.g. for P-256r
09:00 < gmaxwell> SEED
09:00 < gmaxwell> =
09:00 < gmaxwell> c49d3608 86e70493 6a6678e1 139d26b7 819f7e90
09:04 < gmaxwell> the deterministic procedure is basically sha1(the seed) to generate a bunch of random numbers, pull out the parameters and check the curve order.
09:06 < gmaxwell> At least the prime it uses is the largest prime less than 2^256.
09:06 < gmaxwell> but the other parameters could be freely cooked. :(
10:37 < HM> then Schneier is right
10:44 < gmaxwell> I think it's even worse than if they hadn't done the "verifiably random" procedure. :-/
10:49 < HM> The way I'd do it is announce you're going to use the hash of the front page headlines of 12 internationally renowned newspapers ahead of time :P
10:51 < HM> Completely original I swear
11:05 < gmaxwell> nah, you have a bunch of respected people commit to secrets. Then you hash the commitments and commit to it in a bitcoin block. Then everyone reveals their secrets and you hash them up with the block hash and feed it to some quite-expensive KDF.
11:05 < gmaxwell> What http://tools.ietf.org/html/rfc5639 does also looks basically reasonable, if not quite as good.
11:06 < HM> 'respectable' is personal
11:06 < HM> using news events has the advantage that if the headline is "Aliens arrive on Earth and win poker tournament", you can be reasonably sure it wasn't rigged
11:10 < gmaxwell> HM: the reason to use the bitcoin step in my example is to make it computationally infeasible to cheat even if you think all the respected people potentially conspired.
11:11 < gmaxwell> all yours requires is someone to control a couple newspaper headlines.
11:11 < gmaxwell> And the use of the people step in my example is to make it hard for someone to dismiss it as "oh nsa can instantly do sha256 so the bitcoin part is pointless"
11:11 < HM> not so, it also requires they be able to select 12 inconspicuous and consistent (with current events) headlines within whatever window you allow that hash to what you require
11:11 < gmaxwell> "respected" might also be hundreds or thousands of people.
11:12 < gmaxwell> HM: bullshit, if you only care about picking a few bits of the final version then you just need to control the phrasing or typesetting.
11:12 < gmaxwell> of a single headline too, assuming that you simply know the other ones.
11:13 < HM> sure...i guess, but if you only require a couple of bits then i think that weakness would be easier to discover in whatever algorithm you're using
11:14 < HM> i mean, if all even seeds were crackable then you're probably not going to pass inspection
11:15 < gmaxwell> who says? you're talking about embedding a property which isn't known to the public.. it might exist only in one in thirty two curves. You could easily pick that with your newspaper headlines.
11:16 < gmaxwell> besides, if you're really fixated on them you could just add them to my scheme too. :P
11:16 < HM> if it exists in only 32 curves, you'd need to fix, say, 251 bits of your 256 bit hash
11:17 < gmaxwell> HM: one in thirty two.
11:17 < gmaxwell> 1/32
11:17 < gmaxwell> as a rate.
11:18 < HM> *shrug*
12:01 < sipa> gmaxwell: they are perhaps optimized for certain weakness, but not more than an exhaustive search can find
12:01 < sipa> as the sha1 in the deterministic procedure is assumed to be irreversible
12:02 < sipa> if there is a weakness that appears in a very high frequency of curves, a small number or a large number as seed doesn't make a difference
12:05 < HM> We used the 160bit sequence from pi offset N, where N is totally random. Promise.
12:07 < gmaxwell> sipa: sure. The distinction there is they could have chosen for weaknesses which were as rare as -say- 1:2^40 through this method without hypothesizing enormous expenditures on the project.
12:07 < gmaxwell> (or strengths, for that matter)
12:07 < gmaxwell> Effectively they've failed to show that they weren't selecting for additional criteria which might have made it stronger or weaker.
12:08 < sipa> right
12:08 < sipa> but they do show that whatever selection criterion was used, it cannot be faster than exhaustive search
12:10 < sipa> if there exists a weakness that is present in 1 in 2**128 curves, if the parameters were given without any algorithms, they could have been found through an algebraic method
12:10 < sipa> and be vulnerable to it
12:14 < gmaxwell> Yes, having this scheme is better than just giving the parameters and saying "here you go"
12:15 < gmaxwell> The scheme reduces the space of attacks, but at the same time leaves the space of attacks unnecessarily wide, which is curious since they did go through the trouble of acknowledging the concern.
12:34 < jrmithdobbs> nsa dhe/ec speculation/theories (don't mean that dismissively) or did i miss something else?
12:37 < jrmithdobbs> if the former, on a related note, i really like how it's starting to look like nsa really is decrypting rc4 ... between djb's recent paper and the recent snowden/etc publications ...
12:37 < jrmithdobbs> or at least, are close enough to being able to do so that it's worth storing
16:58 < gmaxwell> jrmithdobbs: you would be interested in http://eprint.iacr.org/2013/525
16:58 < gmaxwell> jrmithdobbs: I like it because the memory access pattern is constant, not only would it avoid leaking data via timing, but it should be harder to optimize out than scrypt's memory accesses.
17:16 < amiller> that looks awesome
17:18 < amiller> "Catena supports client-independent updates by increasing the garlic or by turning salt bits into pepper."
17:31 < amiller> yeah i guess it makes sense
20:35 < maaku> holy cow, how did i not know about this channel
20:35 < maaku> are there logs?
20:36 < gmaxwell> I could send you them... though I don't know that they're that interesting.
20:38 < gmaxwell> You should be in here though. Mostly we discuss cryptographic rocket science in here, and stuff.. which may only have applications to bitcoin in the (far?) future.
20:39 < gmaxwell> basically lots of us have interest in things like zero knowledge proofs, fancy and speculative crypto, changes to the bitcoin protocol which are not near term (or ever?) viable, etc.. and it was crufting up #bitcoin-dev which should try to stay on-topic for transparency reasons.
20:40 < gmaxwell> (and I was a major source of the offtopic stuff. :( )
20:48 * phantomcircuit puts on his wizard hat
20:51 < gmaxwell> phantomcircuit: Awesome. So the old proof of non-fractionality had the bank commit to a tree over its outputs, and allowing for randomized checking that it did indeed have the balance it claimed. And then a hashtree over balances, to show users that their balance was in the balances proof and that the sum of balances was <= the sum of funds.
10:14 < TD> the US finances are so completely unfixable that once that infrastructure is in place, the temptation to tax foreigners will be overwhelming and irresistible
10:14 < TD> yes sure, but i'm talking about stuff that will pay down the deficit. doing that would be politically popular.
10:15 < phantomcircuit> TD, iirc the law actually only provides for enforcing existing obligations, but does not actually allow for rejecting your renunciation
10:15 < jgarzik> It is quite literally impossible to fully pay down the deficit.
10:15 < adam3us> TD: probably increased inflation to inflate away the debt's value, that has been the historical method
10:15 < phantomcircuit> jgarzik, we could sell like maine
10:15 < TD> they're already doing that
10:16 < jgarzik> Inflating away debt is the only tool remaining in the toolbox.
10:16 < phantomcircuit> adam3us, the debt is growing much faster than inflation
10:16 < jgarzik> (I'm not saying that's a good thing... just the engineering reality)
10:16 < TD> the problem is the politics of it. the way modern governments inflate away their debts is that the central bank prints money and lends it to the other branches of government
10:16 < phantomcircuit> it's like 800 billion/year and we're at about 17 trillion
10:16 < TD> technically the government is printing money, but when you add up the "debt" it includes debt to the central bank
10:16 < phantomcircuit> so ~4%
10:16 < TD> and people will then be shown a graph of debt going upwards
10:17 < phantomcircuit> (that's a conservative number)
10:17 < adam3us> it's possible we're looking at a second round of financial system shocks, eg when more major countries default, historically it has happened relatively often, and more recently than people imagine
10:17 < phantomcircuit> inflation is ~2.5%
10:17 < jgarzik> Fallacy: most countries will not default.
10:17 < TD> which is unpopular and then politicians looking to get elected will campaign on "reducing the deficit". but they can't raise taxes domestically, because that's even more unpopular than deficit, and they can't cut back the DoD because it's such a huge part of the economy
10:17 < jgarzik> Gold bugs love to think about impossible scenarios where 95% of the world melts down, except for the wise people holding gold. </eye roll>
10:17 < phantomcircuit> TD, the problem is that the US has actually borrowed money from itself for decades
10:17 < TD> so - that leaves, taxation of foreign income
10:18 < phantomcircuit> TD, so now there are massive unfunded obligations like social security and medicare
10:18 < TD> yes, pensions are a huge problem everywhere. but massive deficit spending on the military makes a bad situation worse, and that's politically infeasible to fix
10:18 < jgarzik> Politicians get elected by writing checks that can be inflated away. Money in the pocket now, and not thinking about long term consequences. But when the crisis comes, the populace will vote for whatever avoids total meltdown for their local community. Simple self-interest.
10:18 < TD> for reasons i don't really get, but still, that's how it is
10:19 < adam3us> TD: maybe some more faux-imperialism - annex some more countries in the name of exporting "freedom" and install us megacorps to exploit their resources
10:19 < phantomcircuit> jgarzik, that depends on if you're using the technical definition of default and whether you include obligations to citizens or just to bond holders
10:19 < TD> well that was already tried in iraq
10:19 < TD> and it sorta worked and sorta didn't
10:19 < TD> they're running out of things that weren't done yet
10:19 < phantomcircuit> jgarzik, it's almost certain that nearly every western country will default on its obligation to citizens
10:21 < adam3us> phantomcircuit: they may avoid technical default, but there may be some major money printing bail outs eg within europe, haircuts for depositors, bondholder conversion (the paper work may be prepped for that by now)
10:21 < phantomcircuit> TD, in large parts of the us military spending is a significant part of the economy, because of the way representatives are selected (it's a combination of districts and number of people) they have disproportionate representation relative to population size
10:21 < TD> yeah. i know about the way the campaign donations are structured. but military spending isn't unpopular
10:21 < TD> it's barely even discussed, it seems
10:21 < phantomcircuit> TD, more so they pretend to have many issues but really they only have one
10:21 < phantomcircuit> more pork for their district
10:22 < phantomcircuit> TD, because it's largely pointless
10:22 < phantomcircuit> there is a significant voting bloc which only cares about that one issue
10:23 < jgarzik> phantomcircuit, c.f. Crysler bailout. USG has already proven it is willing to favor a junior-yet-politically-favored class over senior debt holders
10:23 < TD> people who work for the military or have relatives who do, i guess
10:23 < jgarzik> Chrysler
10:25 < jgarzik> phantomcircuit, Having lived in a military family in military towns... that's demonstrably not true... unless the local base is majorly threatened. People tend to ignore the issue unless somebody threatens to close the local base.
10:26 < jgarzik> phantomcircuit, a lot of the US military tends to vote Republican/tea party/conservative, not pro-government Democrat
10:27 < TD> because they know the republicans are anti-spending, except for the military, where they always spend more.
10:30 < adam3us> amiller: you mentioned you had a solution to non-outsourceable puzzle - are you going to update the bct thread?
10:34 < amiller> adam3us, yes, probably not for a week or so though
10:35 < adam3us> amiller: nudge me when you do - interested if there may be other apps of it
10:38 < TD> jgarzik: btw bitpay rocks
10:38 < TD> jgarzik: i can now purchase takeout food in zurich thanks to bitpay+lieferservice.ch
10:38 * TD remembers just 18 months ago pondering creating a manual gateway for buying pizza locally with bitcoin.
10:40 < jgarzik> hehe
10:40 < jgarzik> TD, I am scheming to buy real estate with bit coins, through bit pay.
10:41 * TD is happy with smaller pleasures
10:41 < jgarzik> TD, investors pay bitcoins, and bitpay auto-converts and puts money in the escrow bank account used for purchasing real estate :)
10:41 < TD> like pizza
10:41 < jgarzik> hehe
10:41 < TD> so they can more easily switch from one bubble to another? nice! :)
10:41 * TD is finding it so hard to concentrate this afternoon
10:42 < jgarzik> My lifelong dream has been to build cool real estate, like affordable castles (strongly built with redundancy, but affordable for the average person)
10:42 < jgarzik> Nah, the real estate thing will not use leverage, just cash. Less bubbly ;p
10:43 < TD> a man's home is literally his castle?
10:43 < jgarzik> That's the middle class dream, and we are amazingly close to it
10:44 < TD> screw castles. i want one of those: http://www.digsdigs.com/photos/the-most-futuristic-house-4.jpg
10:44 < TD> although - possibly with a road next to it
10:44 < jgarzik> Think about everything that only a king had access to, 400 years ago: food preparers, groundskeepers, imported food and wine, servants (now at $/hr, divided out and outsourced)
10:44 < jgarzik> personal doctors/health care
10:44 < TD> a harem?
10:45 < jgarzik> TD, redtube.com?
10:45 < jgarzik> ;p
10:45 < TD> lol
10:45 < TD> close enough
10:45 < TD> http://lifewithoutbuildings.net/greentextiletower.jpg
10:45 < TD> i'd also settle for that one
10:46 < TD> ooh: http://futuristicnews.com/wp-content/uploads/2012/07/Cocoon-House-Jeju-Island-Korea-02.jpg
10:46 < jgarzik> That's the best of the three
10:49 * TD is debugging code that is too complicated and is procrastinating
10:49 < TD> best thing is - i wrote it!
11:18 < adam3us> maaku, jtimon: when we were discussing blind certificates with chaum blinding (or brands) here yday or so, you mentioned using ZC for on chain respending
11:21 < adam3us> maaku, jtimon: but if you have an issuer (or an offline issuer, but online transaction server), maybe you could consider giving the transaction server a key authority to reblind the tokens, optionally using the chain as the authority for double spending prevention
12:32 < adam3us> had to say something about the coin validation stupidity
12:32 < adam3us> https://bitcointalk.org/index.php?topic=333882.new#new
12:32 < adam3us> (the forbes article)
12:40 < TD> if they want buyers to have to identify themselves, the right approach is a payment protocol extension
12:40 < TD> but their thinking seems muddled in other ways, so i am not surprised they didn't think of that
12:46 < adam3us> TD: precisely - it's stupid and the wrong approach - identify the user, not break fungibility
12:46 < TD> fungibility isn't absolute even with bitcoin. i made this point on the foundation forums
12:46 < TD> e.g. unconfirmed coin with zero fee < 100 confirms
12:47 < TD> though technically they both give you bitcoins
12:47 < adam3us> i encourage everyone to ram home to any bitcoin biz people who may not understand, that this will damage fungibility, and so if their business depends on fungibility, and bitcoins success participating in this is destructive
12:48 < adam3us> TD: yes bitcoin fungibility is imperfect which is partly what makes it vulnerable to the dangers coin validation creates
12:48 < adam3us> TD: and the defenses that exist (or could be implemented) like wallet coin control, coinjoin are either not impl or not widely deployed
12:50 < adam3us> (if fungibility was cryptographically perfect, they'd be forced to adopt a sensible approach - provide users with certificates that they can use with regulated businesses when AML/KYC are required)
12:50 < TD> none of those are related to the lack of fungibility i just pointed out
04:23 < petertodd> that just says litecoin isn't very valuable
04:23 < warren> yup
04:23 < petertodd> pool ops can always say they'll accept tx's directly with lower fees
04:24 < warren> they aren't smart enough to realize that
04:24 < petertodd> well then start your own pool that does that
04:26 < warren> Then I also figured out how to reduce the UTXO set by 50%.
04:26 < warren> at no cost
04:31 < warren> petertodd: err... does decreasing the hard limit really matter for them? Even if mining pools remove the soft limit, the cost of including absurd sized tx's in the block is extremely high.
04:31 < petertodd> you mean increasing?
04:32 < warren> oh, misunderstood you later
04:32 < warren> err earlier
04:32 < petertodd> it must not be opposite day for you
04:33 < warren> very tired
04:33 < petertodd> go to bed
04:33 < warren> night =)
04:33 < warren> thanks for confirming my p2pool realization. this sucks. =(
04:33 < warren> well, it isn't THAT bad, block header forwarding can be improved
04:34 < petertodd> go to bed :)
04:34 < warren> night =)
05:43 < warren> went to bed, then my mtgox shenanigans alarm went off on my phone. I look at the chart and *holy crap*
11:09 < gmaxwell> 00:14 < petertodd> >1MB blocks will without a doubt kill p2pool for that exact reason
11:09 < gmaxwell> no,
11:09 < gmaxwell> jesus
11:09 < gmaxwell> fucking fools, all of you :P
11:10 < gmaxwell> warren: I'm not sure how you missed the complicated design where p2pool nodes are forced to _pre send_ all the txn they're mining on to their peers
11:10 < gmaxwell> and then when they find a share the share contains the whole txn list
11:10 < gmaxwell> meaning that all the peers can recover the block cheaply
11:11 < gmaxwell> this means that (1) it doesn't take much bw for a p2pool node to transmit a block and (2) if it's slow at doing this it will have a higher p2pool stale rate and naturally get paid less
11:14 < gmaxwell> The p2pool 'luck' is well within the expected norms, and it appears to have a _much_ lower orphan rate than eligius (appears because there is a lot of shot noise in any such measurement) now (it didn't prior to the change to doing the share preforwarding)
11:16 < gmaxwell> 00:43 < petertodd> p2pool would be making the assumption that tx's have propagated to the whole network
11:16 < gmaxwell> No, it forces them to be propagated, there is no assumption.
11:16 < gmaxwell> If you're mining on a txn you tell your peers about it first. If you don't your peers will discourage your shares.
11:50 < petertodd> oh, good to hear, although if you read the whole discussion warren and I did come to the conclusion that p2pool did that... in any case, still doesn't solve the real issue, which is the same as any other one: the bandwidth will get too expensive relative to the profit, but that's a long way off
11:50 * petertodd needs to stop writing about stuff at 4am when he's trying to do other things at the same time.
12:24 < gmaxwell> yea, sure but that issue isn't unique to p2pool. And sure, generally the bigger the blocks are the more genuine argument there is for cost saving existing for consolidating mining.
12:50 < petertodd> of course it's not unique, but p2pool is a good example where it very directly leads to centralization
--- Log closed Thu Apr 11 14:11:51 2013
--- Log opened Thu Apr 11 14:12:23 2013
15:14 < warren> gmaxwell: why do I see INCOMPLETE BLOCK so frequently then?
15:15 < warren> gmaxwell: whatever the issue is it appears it can be improved
15:18 < gmaxwell> warren: I _never_ got that on bitcoin p2pool. (just went to grep logs) Perhaps some genius litecoin p2pool users have modified their code in some daft way
15:18 < warren> how long do your logs go for?
15:18 < gmaxwell> warren: it's written so that it won't include a txn until it has relayed it, so other than right at startup or with modification, that should just not happen.
15:19 < gmaxwell> warren: The whole time share preforwarding existed while I was on p2pool.
15:20 < warren> hmm... weird. INCOMPLETE BLOCK disappeared entirely four days ago. it was like 50% before that.
15:20 < gmaxwell> it was probably some idiot who thought they could get some great advantage by turning off share preforwarding
15:21 < warren> OK, thank you for cluebatting me.
15:21 < warren> gmaxwell: btw, saw the post where ck claims to have reduced the avalon latency to 100ms?
15:22 < gmaxwell> warren: link?
15:22 * warren finds
15:24 < warren> https://bitcointalk.org/index.php?topic=18313.msg1761478#msg1761478 "I've spent quite a bit of time hacking on the Avalon(s) the last few days thanks to Aseras and then Xiangfu giving me access to them. I've come to the conclusion that any latency issues that prevent it mining on p2pool should be resolved in the next cgminer release incorporating the changes I've committed to the code. The max latency for restart should be on the order of 1
15:24 < warren> 00ms now which is fine even for 10s longpolls. Hopefully it will talk to p2pool better via stratum as well."
15:24 < warren> He goes on to say that p2pool has some other bugs that need to be fixed.
15:55 < warren> gmaxwell: are his latency improvements real?
--- Log closed Thu Apr 11 16:12:58 2013
--- Log opened Mon Apr 15 10:58:38 2013
19:21 < BlueMatt> so my research advisor commented that people dont want to do research on bitcoin because it is "the biggest ponzi scheme in history" :(
19:21 < BlueMatt> ofc I didnt have time to correct him then, so I had to put it in an email :(
19:24 <@gmaxwell> But it is the world's first ponzi scheme based on CRYPTOGRAPHY!
19:24 <@gmaxwell> I usually find that it's best to embrace the skepticism. "Sure it's crazy and going to lose people money but look how _interesting it is_" .. a week later they're asking me how to buy bitcoins.
19:25 < BlueMatt> all I had time to do (lecture had already started) was say that "ehh, the system is freaking awesome, even if you dont care about the currency"
19:25 <@gmaxwell> yea, thats the general approach.
19:26 <@gmaxwell> Once someone has grasped the idea it's often hard to talk them _out_ of buying into it. Convincing technical people that bitcoin isn't a scam is not a limiting factor in my experience.
19:26 < BlueMatt> problem is, I highly, highly doubt he has time to read into the system
19:27 < BlueMatt> hes "director of undergraduate studies" so...
19:28 < petertodd> indeed, I spend most of my time talking to my coworkers about how many serious problems bitcoin has
19:28 < BlueMatt> what production system doesnt?
19:28 < petertodd> and the other day I had two of them asking me what's the best ASIC company to buy mining equipment from...
19:28 < warren> I already told this story (here?). 2.5 weeks ago an MBA student asked if I had bitcoins to sell him. I refused to sell to him and told him to do his own risk/reward research. This guy doesn't know how to use his own computer.
19:29 < BlueMatt> heh
19:30 < petertodd> ouch...
19:30 < warren> perhaps interest in ASICs will be lower now.
19:30 < petertodd> maybe, although I will say, one of those co-workers wanted to buy his 17 year old son an ASIC miner, because he figured he'd either learn about crypto, or business, specifically risk
19:31 < BlueMatt> heh, thats a fun gify
19:31 < BlueMatt> t
19:31 < petertodd> I support repeatable life-lessons :)
19:31 < BlueMatt> he should have given him a bitcoin a week ago
19:31 < petertodd> ha, for sure
19:35 < petertodd> so, wizard topic: I'm thinking it might be worthwhile to make the mother of all alt-coin scams, er, I mean trusted ledgers. basically addresses in this scheme would look like 1AGUP2MVtTqMHysb9gS3upedZmSvaV1f5h@3CK4fEwbMP7heJarmU4eqA3sMbVJyEnU3V and the logic is pretty much as you would expect "pay to the first bit, and the transaction is guaranteed and recorded in some ledger by the second address"
19:35 < petertodd> the advantage being you can re-use all the existing transaction infrastructure, in particular, existing and future hardware wallets and similar things
19:36 < petertodd> the logic also becomes nice: pay to the person holding these public keys, but guarantee the transaction using whomever is running the ledger service with the identity this set of pubkeys
19:36 < petertodd> s/pubkey/seckeys/
19:36 <@gmaxwell> so basically the 3CK4fEwbMP7heJarmU4eqA3sMbVJyEnU3V identifies the ledger in question?
19:37 < petertodd> exactly, how you determine how to communicate with that is another matter, but it's that signature that is important
19:37 < petertodd> (hence my post on the -dev list about multisig signmessage)
19:38 <@gmaxwell> I'd worry about cross ledger signature rebinding in that.
19:38 < petertodd> what do you mean exactly?
19:39 <@gmaxwell> E.g. you make a transaction X in ledger 1 and I replay that transaction in ledger 2.
19:41 < petertodd> right, yeah, I'm thinking the ledgers should act like blockchains, which means when coins enter the ledger, apply something like HMAC(on-chain-txid, ledger-identity) to the txid's to ensure that they don't make sense in the context of another ledger.
19:44 < petertodd> also, from a ui perspective, you need to ensure the user can determine where coins are being sent, so I'd just take the ugly hack of interleaving txouts the user wants, with txouts specifying what ledger (or the blockchain itself) each txout is going to, heck, those txouts can contain the fees...
19:45 < petertodd> basically, the philosophy being leverage existing software as much as possible for v0.1
19:46 <@gmaxwell> I think it's too abstract for me to say anything more.
19:46 < petertodd> well, sounds like it's not inherently a bad idea, so worth a prototype
16:36 < adam3us> maaku: the person who bought it cares maybe
16:36 < justanotheruser1> what's freimarkets
16:37 < maaku> adam3us: yes, but all your fears about regulation etc. could just as easily be applied to the person who issued it in real life
16:37 < adam3us> maaku: especially if it was expensive or the issuer is a bank say
16:37 < gmaxwell> that goes back to the point I made earlier about distinguishing the currency vs other things and not allowing the grey-goo on the currency.
16:37 < gmaxwell> (nice metaphor)
16:37 < adam3us> maaku: this is true. well i mean there is regulation in the market weak though it is, and hackable by banksters as it is, to protect consumers from malicious financial instruments
16:38 < maaku> adam3us: the benefit here is that there is a mechanism for stating the conditions of these financial instruments, in a way which can't be retroactively changed
16:38 < maaku> that is actually pro-consumer
16:39 < maaku> (idk. maybe we end up using old-style bitcoin scripts for host currency outputs, to avoid the grey-goo, or disable opcodes)
16:39 < adam3us> maaku: yeah that i like and is a central promise of smart-contracts as applied to block-chain validation
16:40 < adam3us> maaku: but at a high-level would you not want to constrain the covenant to the instrument, not have it infect and convert other assets into the same form somehow. not sure how to do that.
16:40 < michagogo|cloud> andytoshi: Ah, so you just call createrawtransaction?
16:40 < maaku> justanotheruser1: ok i'm a pragmatist who defines "perfect" as the best which can be actually achieved :)
16:41 < justanotheruser1> maaku: okay.
16:41 < maaku> justanotheruser1: https://bitcointalk.org/index.php?topic=278671.0
16:41 < michagogo|cloud> andytoshi: Hmm, I clicked the "Submit Transaction to Joiner" button
16:41 < michagogo|cloud> Nothing seems to have happened
16:42 < michagogo|cloud> http://testing.wpsoftware.net/coinjoin/ doesn't show there being a session
16:43 < justanotheruser1> maaku: is there a reason this has to be part of bitcoin and not just merged mined with it?
16:43 < maaku> adam3us: I think if you disabled the LOAD_TRANSACTION opcode in host currency, all of these fears would disappear
16:44 < maaku> justanotheruser1: what are you talking about?
16:44 < justanotheruser1> maaku: What do you mean by "an extension of bitcoin"?
16:46 < maaku> justanotheruser1: freimarkets is an extension of the bitcoin protocol. it adds new features by changing the transaction format, introducing new scripting opcodes, and changing the validation rules
16:46 < maaku> these are hard-fork changes
16:46 < justanotheruser1> maaku: does it have merged mining?
16:47 < maaku> justanotheruser1: that's a tangential question. this could in principle be applied to bitcoin in a future hard fork
16:47 < maaku> but given that the chance of this happening in bitcoin itself is approximately nil, we're going to deploy it in freicoin and freicoin will be merged mined against bitcoin
16:48 < maaku> so yes, it will be merged mined, but that's a point separate from the proposal itself
16:49 < michagogo|cloud> andytoshi: aha, the cj-client tries to spend to the mainnet fee/donation address
16:49 < michagogo|cloud> So it fails because that address isn't valid
16:51 < justanotheruser1> maaku: what's the difference between this and protoshares an mastercoin?
16:51 < justanotheruser1> *and
16:51 < justanotheruser1> and coloredcoins
16:51 < maaku> justanotheruser: read the thread
16:51 < justanotheruser> I am
16:52 < michagogo|cloud> andytoshi: Heh, I tried manually creating that transaction
16:52 < maaku> also this one : https://bitcointalk.org/index.php?topic=280292.0
16:52 < michagogo|cloud> On attempt to submit to the coinjoiner's web interface, 413 Request Entity Too Large
16:52 < maaku> (more appropriate to post there if you have technical questions than the crowdfund thread)
16:57 < adam3us> maaku: anyway enough from me about hypothetical systemic risks, I am actually quite interested in the potential of smart-contracts, and like the extensions you put in freimarket from a programming perspective.
16:57 < maaku> adam3us: what do you think about simply disabling the load-transaction opcode in the host currency? i feel silly for not thinking of this before the long-winded argument
16:58 < adam3us> also maybe i am not enuf of a forth-fan but bitcoin scripts seem kind of hard to read & program with. maybe it was envisaged that there would be some higher level language translated into it
16:58 < maaku> yeah forth is kinda on the level of intermediate code
16:59 < adam3us> maaku: i dont know what load-tx does?
16:59 < gmaxwell> adam3us: really? I think forth is basically ideal.
17:00 < gmaxwell> adam3us: The problem with higher level languages is that they're easy to hide subtle behaviors in.
17:00 < adam3us> gmaxwell: taste i guess. i did some dc programming, kind of reminds me. yes unambiguity is a good thing
17:00 < maaku> adam3us: load-transaction is how all these covenants are accomplished - it pushes the transaction onto the stack so it can be examined by the script
17:00 < adam3us> maaku: i guess the extrospection hook?
17:00 < maaku> yeah
17:00 < gmaxwell> "oh look, this does exactly the opposite of what you expected because the hostile author took advantage of some order of operations subtlety"
17:01 < gmaxwell> The forth is high enough level to express what it means, mostly, but low enough level to also express what it does.
17:01 < adam3us> gmaxwell: only complaint is like readability. especially with the long OP_BLAH names.
17:01 < gmaxwell> takes more study to understand than something higher level but has a harder time lying to you.
17:02 < gmaxwell> oh well yea, surely better tools could be done for working with it.
17:02 < gmaxwell> including things like pseudo opcodes that compress common and easily explained idioms.
17:04 < adam3us> maaku: does that kill interest bearing loans denominated in freicoin but not in maakucoin (self-issued iou)? there is some feature downside implied.
17:06 < maaku> adam3us: yes you would have to use user-issued IOUs, although that was the original scenario
17:07 < maaku> in fact I'm not sure how you'd do the loan trading freicoins for freicoins
17:07 < maaku> the point was that you loan the freicoins into existence
17:08 < maaku> you could still do some nasty things based on UTXO state (maybe you disable that as well)
17:08 < adam3us> maaku: doesnt that risk uncontrolled supply side inflation?
17:08 < maaku> that's ... rather the point isn't it?
17:09 < maaku> debt-based IOU currency
17:09 < maaku> maybe there's a misunderstanding here? i'm not sure what it is
17:09 < adam3us> maaku: fair enough there, but in relation to there existing two types: mined freicoins with demurrage and iou ones
17:12 < maaku> well sort of. IOU freicoins are actually freicoins, just a promise from whoever issued them to eventually, someday redeem them
17:12 < maaku> they're only usable as currency in so much as other people are willing to accept that IOU promise
17:12 < maaku> ripple is built on this premise
17:13 < gmaxwell> How is ripple doing btw?
17:13 < adam3us> maaku: but then you have the ripple graph of trust so they can circulate, quite far from the issuer and his immediate friends indirectly
17:14 < maaku> oh i meant pre-OpenCoin ripple. no idea what they're up to :)
17:14 < maaku> adam3us: yes, and with sub-transactions you can build atomic movements of these IOUs through the trust graph
17:14 < adam3us> maaku: i think it'd be fair to call this real-ripple.
17:15 < gmaxwell> meh. I still think real-ripple ought not need a global consensus system.
17:15 < maaku> but where there are gaps in the graph, exchanging IOU-for-freicoin instead of IOU-for-IOU lets you get hard currency
17:16 < maaku> gmaxwell: agreed, except when you want to interact with non-ripple assets like bitcoin/freicoin
17:17 < maaku> jtimon and I are planning on having these user assets be off-chain, but using the same scripting system so you can coordinate movements with the chain when public assets are involved
17:17 < gmaxwell> maaku: well, when you want to interact with them in a way which isn't trusting of an issuer.
17:17 < maaku> yes
17:20 < midnightmagic> real-ripple didn't.
17:20 < midnightmagic> :-(
17:21 < maaku> midnightmagic: unfortunately the distributed protocol was never implemented :\
17:22 < midnightmagic> yah. sad-midnight-face
17:31 < andytoshi> michagogo|cloud: sorry, was afk
17:31 < andytoshi> michagogo|cloud: one moment, cj
17:32 < andytoshi> michagogo|cloud: one moment, cj-client doesn't choose the donation address, the server does, but i forgot to set that for the testnet version
17:57 < andytoshi> michagogo|cloud: gonna head out now, will work on this later tonight, i am having decode problems that didn't happen with mainnet, sorry
17:57 < am42> ?
18:10 < jgarzik> adam3us, unlinkable static address... USA! USA! USA!
18:10 * jgarzik waits for the conspiracies to start
18:11 < adam3us> jgarzik: not getting conspiracy part?
18:12 < jgarzik> adam3us, a poor attempt at a joke. e.g. paid by USA to develop tech whose acronym is USA
18:12 < adam3us> jgarzik: oooh.. didnt notice the acronym :)
18:12 < jgarzik> plus an acknowledgement that the bitcoin community will imagine a conspiracy for all events.
18:12 < jgarzik> It's like the multiverse of conspiracies
18:12 < jgarzik> quantum conspiracy theory
18:13 < adam3us> jgarzik: just wish i could find an efficient spv compatible version (or a replacement for bloom that worked with them).. would be sooo nice to forget about address reuse and battling user confusion and wallet author laziness
18:14 < jgarzik> indeed
18:14 < sipa> that seems contradictory
18:14 < sipa> you want something that achieves privacy from the public
18:14 < sipa> but still want them to do efficient filtering for you
07:40 < jtimon> I don't understand what makes you think that, and no, (natural) 0% interest rates prevent debt exponential growth
07:40 < jtimon> demurrage encourages debtors to pay their debts
07:42 < jtimon> Mike_B demurrage is inspired by this book (parts 3 to 5): https://www.community-exchange.org/docs/Gesell/en/neo/
07:42 < Mike_B> jtimon: so let's assume freicoin has a 0% loss rate to make it simple
07:42 < Mike_B> and let's assume this is in the future when all coins are mined
07:42 < jtimon> take a look at part IV point 5 How Free-Money will be judged
07:42 < Mike_B> now, let's make the (silly) assumption that nobody is lending anything to anyone - that no debt exists. this is silly, but bear with me for a second
07:43 < Mike_B> under the assumption that there's no debt at all, do you agree that a 5% demurrage rate is exactly equivalent to a 5% rate of inflation?
07:43 < jtimon> ok, but just a second
07:43 < jtimon> uff
07:43 < jtimon> I have never thought about a world without debt
07:44 < jtimon> debt is not intrinsically bad
07:44 < jtimon> there's 0% interest debt too
07:44 < Mike_B> i'm just doing this to simplify the math
07:45 < Mike_B> we'll bring debt back into it in a second
07:45 < Mike_B> i just want us to get on the same wavelength first re: assumptions
07:45 < jtimon> yes, I guess in a world without financial markets, investors that borrow money, without IOUs, without time banks, etc...
07:45 < jtimon> inflation would be equivalent to demurrage
07:46 < jtimon> but I also think that the assumption is totally unrealistic
07:46 < Mike_B> so assuming there's no debt, or let's say "only 0% interest debt", then do you agree the following two scenarios produce exactly identical results?
07:46 < Mike_B> 1) take 5% of money out of circulation proportional to everyone's holdings, give it to some guy (a miner, a bank, whatever)
07:46 < Mike_B> 2) increase the money supply by 5%, give it to some guy (a miner, a bank, whatever)
07:46 < Mike_B> ok
07:46 < Mike_B> so now let's bring debt back into it
07:47 < jtimon> yes, the re-distribution part is equivalent
07:47 < Mike_B> say I borrow $100,000 from you to buy a house
07:47 < jtimon> we're talking usd, really?
07:47 < jtimon> why not a simpler currency like gold or bitcoin?
07:47 < jtimon> usd is very hard to understand
07:48 < jtimon> shells or gold on an island, please?
07:48 < Mike_B> so i have to pay you back that $100,000 over x years or whatever, let's even say there's 0% interest
07:48 < Mike_B> i just have to pay you back $100k
07:48 < jtimon> what do you mean by "there's 0% interest"?
07:48 < Mike_B> however, now the two scenarios are different
07:48 < jtimon> you want to lend me 100k usd at 0% why?
07:49 < jtimon> you should just keep them yourself
07:49 < Mike_B> 1) demurrage scenario: i get 5% taken out of my paycheck per year due to demurrage, so i actually have to make something like $105,000 just to pay back the $100,000
07:49 < jtimon> you won't gain anything by lending usd to me at 0%
07:49 < jtimon> no
07:50 < jtimon> if they were freicoins, for example, it could make sense for you to lend me 100k of them at 0% interest
07:50 < Mike_B> assuming i try to pay it back in one year
07:50 < jtimon> but I owe you 100k frc, not 105k
07:51 < jtimon> so if I make 100k frc I will call you as soon as possible to pay you
07:51 < Mike_B> aw man, i dropped
07:51 < Mike_B> jtimon: what was the last thing you heard from me?
07:51 < Mike_B> i was typing into the ether for a while
07:53 < jtimon> I've pasted it privately
07:54 < Mike_B> ok yeah so my connection was weird
07:54 < Mike_B> you saw stuff i was saying but it didn't send me anything you were saying
07:54 < Mike_B> jtimon: yeah so now that i have the full log, i'll clarify
07:54 < Mike_B> say i'm borrowing $100,000 worth of freicoin
07:54 < Mike_B> from you
07:54 < Mike_B> and the loan is denominated in freicoin
07:54 < Mike_B> ok?
07:55 < jtimon> ok
07:55 < Mike_B> and i'm going to pay you back in one year, and you're going to charge me 0% interest
07:55 < jtimon> ok
07:55 < jtimon> assuming constant frc/usd price?
07:55 < Mike_B> yeah
07:55 < Mike_B> let's just say it's 100k freicoins, whatever
07:56 < Mike_B> i dunno how much that is
07:56 < jtimon> me neither
07:56 < Mike_B> so under that scenario i owe you 100k freicoins, but because I lose 5% a year, i actually have to earn 100k/.95 = 105263 freicoins to have 100k left over after demurrage to pay you back
07:56 < jtimon> 400k frc i think
07:56 < Mike_B> agree so far?
07:56 < jtimon> but wait, did you borrow the frc to hard them?
07:57 < jtimon> hoard
07:57 < Mike_B> yeah, you're a bank and you're lending me freicoins to buy a house
07:57 < Mike_B> no, it's a loan
07:57 < jtimon> ok, you could have probably done something more productive but whatever
07:57 < Mike_B> you lend me them to start a business, i dunno
07:57 < Mike_B> point is i don't have it anymore
07:58 < jtimon> when you buy the house you stop paying demurrage
07:58 < Mike_B> jtimon: i don't stop paying demurrage because now i have to pay you back, and those payments come from my salary, and my salary is subject to demurrage
07:58 < jtimon> why would the borrower pay demurrage?
07:58 < jtimon> but you don't receive your salary yearly do you?
08:00 < jtimon> whatever you pay back from the loan each month, you will want to pay it as soon as you receive your salary
08:00 < Mike_B> jtimon: hm, maybe i don't understand. does demurrage only take money out of each transaction, or out of your holdings as well?
08:00 < jtimon> from all outputs all the time
08:00 < Mike_B> ok but if i just have a million freicoins in a wallet and leave them there for 10 years and never move them around, they aren't touched?
08:01 < jtimon> of course they're touched 08:01 < jtimon> when you want to spend them in a year you will have 950,000 frc 08:01 < jtimon> aprox 08:02 < Mike_B> ok so i thought you were saying it only comes from tx outputs 08:02 < Mike_B> and it's like 2^-20% per each output 08:02 < jtimon> the only way to dodge demurrage is spend, invest or lend 08:02 < jtimon> no, from every "account" 08:02 < jtimon> but there's really no accounts in bitcoin 08:02 < Mike_B> oh oh oh sorry 08:02 < jtimon> only public keys 08:03 < Mike_B> you meant it takes 2^-20% from the total set of utxo's 08:03 < Mike_B> i thought you just meant new utxo's from the current block 08:03 < jtimon> no, every block, the amounts in the utxo are reduced 08:04 < jtimon> well, we use a reference height for each transaction 08:04 < Mike_B> ok, so yeah, so then that's back to what i was saying before 08:04 < Mike_B> i owe you 100k and i have to pay it back over a year with 0% interest 08:04 < jtimon> and you calculate current_available_amount(refHeight, old_amount, current_block_height) 08:05 < jtimon> you have to pay me back the 100k in one payment or are you allowed to make 12 smaller payments? 08:05 < Mike_B> ok, i have to think about this 08:05 < jtimon> I recommend Gesell's book 08:06 < Mike_B> yeah, so if it's one large payment at the end of the year, i actually have to pay you 105263 freicoins 08:06 < jtimon> no 08:06 < Mike_B> like if i get paid all at once and save it for a year or something 08:06 < jtimon> say you get the loan and buy a house for 100 k 08:06 < jtimon> in one year, you sell the house for 100 k frc again and pay me back 08:07 < jtimon> but I think it will more typical that I allow you to pay me back gradually 08:07 < Mike_B> what's the block time for freicoin 08:07 < Mike_B> still 10m? 
08:08 < jtimon> maybe I know I won't spend 120k frc I have soon and prefer to lend you 08:08 < jtimon> so that you pay me 10k frc a month back for the next year 08:09 < Mike_B> ok, i see what's happening now 08:09 < Mike_B> very interesting 08:10 < jtimon> that's what savers usually want, not spend now but spend in the future 08:11 < jtimon> https://www.community-exchange.org/docs/Gesell/en/neo/part4/5g.htm 08:19 < Mike_B> jtimon: ok, i'll think more about it 08:20 < Mike_B> intersting 08:27 < jtimon> cool, Mike_B I'm glad that you find the concept interesting 08:27 < jtimon> and I understand is hard to digest 13:14 < maaku> <Mike_B> under the assumption that there's no debt at all, do you agree that a 5% demurrage rate is exactly equivalent to a 5% rate of inflation? 13:15 < maaku> No they are not the same. Demurrage is reflected immediately whereas inflation takes time to move through the economy (price updating, etc.) 13:16 < maaku> Which has real-world economic consequences, causing those close to the source of inflation (large investment banks with fiat, miners with cryptocurrency) to have significant unearned advantages over the little guy 13:19 < maaku> The purpose of Freicoin is to eliminate advantages the holders and creators of money have due only to the nature of money 13:19 < maaku> Which in the inflationary case, includes the temporal advantage of being close to the source of inflation 13:20 < maaku> That could alternatively be neutralized by having everyone everywhere continuously update prices with electronic counters, based on current inflation rates 13:21 < maaku> Or, as Freicoin does, just make the clearing house software update wallet balances by protocol. We found that to be the easier solution - build the fix into the nature of money itself. 13:29 < amiller> i just found the strangest paper. 
13:29 < amiller> http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.45.1255&rep=rep1&type=pdf
13:29 < amiller> it's by "Naoshi Sakamoto"
13:29 < nsh> mmm
13:30 < nsh> is real person i think
13:30 < amiller> meh i'm pretty sure it's a red herring
13:30 < amiller> it's not that interesting a find. oh well
13:30 < maaku> japanese is a sound-poor language
13:30 < maaku> it's not surprising
13:36 < gmaxwell> amiller: Do take care that you don't cause some poor dude to get hounded by the press.
17:10 < gmaxwell> Yea, I don't think I've seen any convincing evidence art was doing that. But it does make sense.
17:11 < gmaxwell> plus art always was a bit sneaky like that. :)
17:11 < Emcy> artforz was/is the Switzerland of cryptocoins
17:11 < gmaxwell> he's still on irc you know.
17:11 < gmaxwell> just hiding from the bitcoin channels.
17:11 < Emcy> keeps his nose out of pointless shit, skims a tidy living off everyone else's pointless shit
17:12 < iddo> gmaxwell: iirc you said once that scrypt isn't the best choice (to resist ASIC) because it's not so efficient for GPUs ? is there another hash function that works better on GPUs and is hard for ASIC ?
17:13 < Emcy> isnt choosing any hash function that is x arch resistant only really delaying the inevitable?
17:13 < gmaxwell> iddo: no function is hard for asics in a useful enough sense. I mean, what do you think gpus are made from? :P At most you can do is try to reduce the specialization gap by making use of "all of the bison".
17:13 < phantomcircuit> <ecurrency> does any one have any idea why the latest version of bitcoind keeps stopping? Been trying to download the blockchain since yesterday and every time I return I have to restart bitcoind (under ubuntu 12.04 (and 12.10))
17:13 < Emcy> in that if the coin succeeds then it fails cos someone will make hardware for it making it moot
17:13 < phantomcircuit> i've seen a number of people saying the same thing recently
17:13 < phantomcircuit> i wonder if there is someone running nodes that dont serve anything
17:14 < gmaxwell> phantomcircuit: they don't need to restart, they'll continue on the next block but they don't wait that long.
17:14 < Emcy> how simple a change would it be for the p2p to just pull a block each from all your connections in a round robin fashion?
17:14 < gmaxwell> phantomcircuit: presumably they are pulling from nodes whose operators shut them down because they get irritated by 1 second pingtimes.
17:15 < gmaxwell> which is what happens when someone pulls the chain from you and you have consumer DSL today.
17:15 < Emcy> as an interim. I got a feeling lots of nodes never finish bootstrapping which is a crying shame
17:17 < pigeons> this is one of Artforz's contributions to lolcust's forum a few months back now: http://dpaste.com/1493066/
17:17 < pigeons> I notice the forum isnt up at the moment
17:17 < maaku> phantomcircuit: is your clock synced?
17:17 < phantomcircuit> maaku, not my node :)
17:18 < Emcy> Colin Percival @cperciva 11 Mar
17:18 < Emcy> @shamoons I'd suggest talking to @solardiz about this -- my knowledge of how litecoin misuses scrypt comes mostly from him.
17:18 < Emcy> #iceburn #shotsfired
17:22 < Emcy> aw that quake bot story was fake
17:22 < Emcy> fucking internet
17:37 < jtimon> hehe, the bot world peace?
17:47 < warren> Emcy: Colin Percival is both correct and wrong about misuse.
17:47 < warren> Emcy: scrypt was designed for passwords. scrypt in Litecoin is crappy for passwords. It is good for fast validation
17:48 < warren> Emcy: we don't care about passwords
18:03 < Luke-Jr> Emcy: the goal would be to make it *just as easy* for CPUs/GPUs as it is for custom ASICs
18:03 < Luke-Jr> Emcy: but that has some practical concerns still
18:03 < Luke-Jr> you cannot make ASICs hard (relatively), so you just have to make something else just as easy
18:04 < Luke-Jr> now that SHA256d has lots of custom ASICs, it is essentially at that point
18:25 < andytoshi> because schnorr signatures can be used additively, is it true that multisig transactions would look identical to single-sig ones?
18:25 < andytoshi> and in particular, coinswap could be done without anything looking odd
18:25 < andytoshi> (if bitcoin used schnorr)
18:33 < gmaxwell> andytoshi: 12:05 < gmaxwell> petertodd: if we used schnorr then 2 of 2 multisig txn would be indistinguishable from regular transactions.
18:33 < gmaxwell> yea, I'd made that same point before.
18:33 < gmaxwell> It's a big advantage for privacy IMO.
18:34 < gmaxwell> somewhere on my todo list I have actually implementing that for ed25519 to confirm that it works, and that nothing in ed25519 breaks it.
19:01 * andytoshis-logge is logging
19:07 < firepacket> wow this channel is pretty awesome. has anyone ever thought of a pow based on some kind of turing test? would it be possible?
19:08 * andytoshi-logbot is logging
19:08 < maaku> firepacket: sorry, that doesn't even make sense
19:08 < sipa> firepacket: that would require a human to validate...
19:09 < andytoshi> firepacket: the closest thing to a turing test used today are captchas, and i think machines are better than humans at that anyway ;)
19:09 < firepacket> yes it would
19:09 < firepacket> machines are better at solving captchas?
19:09 < firepacket> why would it be a problem? it would employ humans for a pay check
19:09 < firepacket> it would prevent consolidation
19:10 < sipa> what is 'it'?
19:10 < sipa> who creates the problems?
19:10 < andytoshi> also limiting miners to humans with way too much free time would definitely cause consolidation
19:10 < firepacket> a computer would have to generate the problem
19:10 < firepacket> im not sure how
19:10 < sipa> which computer?
19:11 < firepacket> not sure
19:11 < firepacket> it could be generated based on information from the last block
19:11 < sipa> please think about those things more first :)
19:12 < firepacket> it could also be generated using the chosen nonce
19:12 < sipa> i don't think you understand the problem
19:13 < sipa> the computer that generates the problem can trivially solve it
19:13 < sipa> as it knows the answer
19:13 < sipa> and there is no way to validate that a human-generated solution is right without knowing the real answer already
19:14 < firepacket> maybe validating other people's tests could be the test itself
19:14 < sipa> come back when you have actual ways to deal with this :)
19:14 < michagogo|cloud> firepacket: Do you know what the properties that a PoW system needs to have are?
19:14 < michagogo|cloud> (I suspect not)
19:15 < sipa> not "maybe we could do something *handwaving* X"
19:16 < firepacket> i was just wondering if anyone had ever thought of it
19:16 < firepacket> i mean captcha still seems to work
19:16 < michagogo|cloud> ...no, because it can't be done
19:17 < firepacket> alright.
19:17 < michagogo|cloud> Yes, captchas are useful for many things
19:17 < michagogo|cloud> PoW isn't one of those things.
19:18 < Luke-Jr> captchas are useful for what exactly?
19:18 < firepacket> ensuring a human is present
19:18 < Luke-Jr> they seem to keep humans out better than bots
19:18 < firepacket> well, in reality it just spawned a captcha solving industry
19:18 < firepacket> that the bots use
19:18 < firepacket> but it still limits you to the number of people on earth at any given time
19:19 < Luke-Jr> I have to try like 4 or 5 times to solve captchas
19:20 < michagogo|cloud> Well, some captchas are better than others
19:20 < firepacket> google's are the worst
19:20 < maaku> firepacket: the point is i don't think you understand the purpose of a proof-of-work
19:20 < michagogo|cloud> I'm usually able to get recaptchas first try
19:20 < maaku> the intent is not to determine if there is a live human on the other side
19:20 < michagogo|cloud> (it helps that recaptcha is also somewhat flexible in certain ways)
19:21 < firepacket> maaku: what don't i understand?
19:21 < maaku> <maaku> the intent is not to determine if there is a live human on the other side
19:21 < firepacket> maaku: I know that is not the primary intent, but it could be helpful if the goal is to resist asics
19:21 < maaku> 1) the goal is not to resist asics
19:21 < maaku> 2) it's not the intent *at all*
19:21 < Luke-Jr> firepacket: that's a bad goal
19:22 < andytoshi> firepacket: why is asic resistance a goal?
19:22 < firepacket> or colsolidation rather
19:22 < andytoshi> i am genuinely curious as to the mindset behind this..
19:22 < firepacket> consolidation*
19:22 < firepacket> if all *humans* in the world were able to help verify bitcoin transactions and get paid to do so from anywhere in the world
19:22 < firepacket> how would not that help promote diversity?
19:23 < firepacket> it also gives us clear sides when the machines attack
19:23 < hno> humans very often fail to follow even basic rules.
19:24 < firepacket> i didnt say we should trust them
20:06 < Mike_B> has anyone thought about forking ripple and turning it into a decentralized forex exchange?
20:06 < Mike_B> like a really decentralized one
20:06 < Mike_B> i guess that'd be really hard to do though
20:07 < Mike_B> given the best way i know to decentralize ripple is to get away from consensus and go back to pow
20:07 < Mike_B> and then trades take 60m to confirm
20:08 < gmaxwell> Mike_B: you can make pow much faster than bitcoin if you don't care about decentralization of the network... though never as fast as a non-anonymous system.
20:08 < gmaxwell> Mike_B: e.g. you control the difficulty to achieve a constant orphan rate, instead of constant time.
20:09 < gmaxwell> it's still slower because you need settling time because you don't know if there is a hidden majority.
20:09 < gmaxwell> whereas in a non anonymous network the majority can never be hidden.
20:11 < Mike_B> right
20:11 < Mike_B> i was thinking about how a decentralized exchange would work
20:11 < Mike_B> to stop the government from going after gox and bitstamp or whatever
20:12 < Mike_B> and it seems to me that this problem is just as hard as making a cryptocurrency where transactions don't take 10m to hit the blockchain
20:12 < gmaxwell> but you can't really do that in any case.
20:12 < Mike_B> unless you want trades to take place quickly
20:12 < gmaxwell> US is not a cryptocurrency.
20:12 < Mike_B> yeah of course
20:12 < gmaxwell> Creating a US crypto currency is almost certainly unlawful, and anyone issuing US crypto notes in the past has been shut down.
00:49 < BlueMatt> that way if any alts pop up that get too big, we can just step in and shut down their networks with the bloom /0 bug
00:51 < andytoshi> hmm, this sounds like a slippery slope to actually becoming the illuminati
00:51 < nsh> wait, i thought that was the plan?
00:51 < andytoshi> yeah, i guess i could live with that :)
00:51 < BlueMatt> nsh: shhhhh
00:51 * nsh smiles
00:52 < nsh> BlueMatt, what's required for altcoin builder?
00:52 < BlueMatt> me spending a night and learning bootstrap and then y'all advertising it
00:52 < nsh> i've been semirecruited for a somewhat similar venture, so might be able to help
00:54 < BlueMatt> not sure what you're offering here...
00:54 < nsh> neither do i, it's fine
00:54 < BlueMatt> heh, ok
00:55 < nsh> "Summary: Remote p2p crash via bloom filters" is that the bloom /0 bug?
00:55 < BlueMatt> yup
00:55 < nsh> ah, *reads*
00:55 < BlueMatt> yours truly cant code
00:56 < nsh> ah, it's just a case of iterative failure most of the time
00:56 < gmaxwell> wasn't your fault in coding it, there is one of you and more people than you reviewed it.
00:56 < gmaxwell> crashbugs are the fault of the reviewers.
00:56 < nsh> idd
00:56 < gmaxwell> :P
00:57 < nsh> has there been any exploitation of it?
00:57 < nsh> i don't recall hearing about it until now which is a good sign
00:57 < BlueMatt> you cant really exploit it, just crash the node
00:57 < nsh> that's what i meant, sorry
00:57 < BlueMatt> ideally someone will step up and kill nodes to force upgrades slowly
00:57 < nsh> i'd volunteer, but...
00:57 < nsh> :)
00:57 < BlueMatt> ie kill a few nodes a day until there are no more nodes with the bug running
00:58 * nsh nods
00:59 < nsh> they'll turn over eventually. plenty worse vulns out there...
00:59 < nsh> 28 million open DNS resolvers on the internet or something
01:09 < BlueMatt> well, sure
01:10 < BlueMatt> not my job to fix the internet though, I just need to fix bitcoin
01:16 < nsh> true
02:16 < maaku> i wish there was someone whose job it was to fix the internet
02:16 < BlueMatt> there may be a few of those...
03:43 < gmaxwell> petertodd: I see you changed to SIGHASH_NONE in dust-b-gone, now you need to automatically feed the dust-b-gone data into andy's tool when there is an open cj.
03:43 < gmaxwell> though I expect andy's joining will need to be taught to not strip that signature. :P
03:48 < gmaxwell> andytoshi: ^ PT's dustbegone now generates transactions which spend dust coins (ones with very low value) with the sighash flags set to NONE|ANYONECANPAY. if you supported these being submitted to you, you could have people one-pass give away coins to the join.
12:30 < andytoshi> gmaxwell: cool, i'll definitely check this out
12:31 < andytoshi> how much of OP_CHECKSIG do i need to implement to find the hash byte?
12:46 < andytoshi> ah, i see, none -- the wiki is just worded weirdly
13:31 < midnightmagic> petertodd: Does this mean I'm updating dust-b-gone?
13:32 < andytoshi> midnightmagic: latest commit was dec 19
13:33 < midnightmagic> guess so then.
13:41 * nsh imagines dust-b-done being advertised as a 1950s style household cleaning product with subtle sexual undertones
13:41 < nsh> *gone
13:59 < andytoshi> ok, i have updated coinjoin so that it won't strip signatures in the specific case that sighash is NONE|ANYONECANPAY
13:59 < andytoshi> petertodd: if you want to throw dust in the joiner, you will also have to add an output to the donation address to indicate that it should all go to fees
14:00 < andytoshi> CodeShark: maybe this gives you a way to preserve your multisig information? if you can make your scriptSigs look like an ordinary NONE|ANYONECANPAY sig then the joiner won't wreck them
14:17 < andytoshi> (if the scriptSig starts with a PUSHDATA, coinjoin just jumps to the end of the data and reads that byte as a hashType)
14:35 < midnightmagic> andytoshi: Is there a way I can fire off dust txes into the next coinjoin tx on the command-line?
14:35 < midnightmagic> :-D
14:36 < midnightmagic> I seem to get a lot of dust. It's pretty annoying
14:36 < maaku> midnightmagic: sign it away NONE|ANYONECANPAY
14:37 < maaku> actually, make a transaction paying to the fee address, and sign with NONE|ANYONECANPAY
14:37 < maaku> then submit it as a usual coinjoin transaction
14:37 < midnightmagic> hrm
14:38 < andytoshi> midnightmagic: the POST form on the coinjoin site is dead simple, you can probably use curl
14:38 < andytoshi> it doesn't report errors in a super simple-to-parse way.. so don't make mistakes ;)
14:38 < midnightmagic> ok
14:38 < andytoshi> you can read the current status in text https://www.wpsoftware.net/coinjoin/status.php
14:39 < andytoshi> one moment, i'll pastebin the source of that file so you can see all possible outputs
14:40 < BlueMatt> anyone looked into the network fork?
14:40 < andytoshi> http://pastebin.com/nYLHDMfM
14:40 < andytoshi> BlueMatt: i'm reading all the txouts right now, haven't seen any weird ones
14:41 < andytoshi> there are a few massive txs
14:41 < andytoshi> eg 057f800f430b22417bdf829d16e78393249634d5409c36b63f058c1a2b54fcf1
14:41 < andytoshi> is about 64k
14:42 < BlueMatt> which block is this?
14:42 < andytoshi> block 277596 is 0000000000000001947cc7acbbc9a240517f9ba19c16b4f937795c6b58019fb5
14:42 < andytoshi> bc.i and blockexplorer are stuck at 277595
14:42 < BlueMatt> bc.i isnt anymore
14:42 < BlueMatt> yea
14:44 < maaku> ;;cjs
14:44 < gribble> Coinjoin Status: There is no currently open session. Visit https://www.wpsoftware.net/coinjoin/ or http://xnpjsvp7crbzlj3w.onion/ to start one.
14:46 < andytoshi> i've found 2 now which exceed 64k, which makes bash whine at me..idk if 64k is a magic number for anything else
14:46 < andytoshi> make that 3
14:46 < andytoshi> 5
15:10 < justanotheruser> What's all this I'm hearing about 277596
15:15 < nsh> it's the new magic number. three has retired
15:29 < Emcy> what's interesting about that block
15:33 < andytoshi> Emcy: on #bitcoin-dev they are discussing it, appears to be just a communication problem around an ordinary reorg
15:35 < BlueMatt> Emcy: not even communication, just a reorg
15:41 < midnightmagic> andytoshi: Hey I think your .onion hidden site doesn't work with the /coinjoin/ action. nginx says file not found.
15:42 < andytoshi> oh, thanks
15:42 < andytoshi> fixed
15:43 < Emcy> andytoshi i got it
15:43 < Emcy> big reorg tho
15:44 < Emcy> that guy limiting his blocks to 32kb wtf
15:51 < andytoshi> fyi there is a new paper on bitcoin mining vulnerabilities out: http://eprint.iacr.org/2013/868.pdf
15:52 < andytoshi> which we may get swamped by over the next few days
15:52 < andytoshi> it starts by assuming an attacker can communicate with every miner faster than they can communicate with each other
15:53 < andytoshi> the top of page 3 invokes the sunk cost fallacy as some sort of determiner of miner behavior, so i stopped reading there
15:54 < BlueMatt> so...same assumption as many other attacks on mining stuff...
15:59 < Emcy> isnt the biggest predictor of miner behavior the fire and forget factor
16:03 < BlueMatt> in other words we need to further encourage mining pool peering even though it already exists pretty extensively for the largest ones afaiu
16:05 < Emcy> why? it reorged fine
16:05 < BlueMatt> re: the paper, not the reorg
16:05 < Emcy> oh
16:23 < midnightmagic> lol
16:25 < phantomcircuit> BlueMatt, re: super old stale block
16:25 < phantomcircuit> some mining hardware fails to flush when the network finds a new block
16:25 < phantomcircuit> so they can submit shares for minutes and minutes after the pool has updated
16:25 < nsh> sacrifices to the fallen CPU miners
16:26 < nsh> pour out some hashes for your homies
16:26 < phantomcircuit> smarter pools publish the block on the off chance it's accepted
16:34 < midnightmagic> lol
16:38 < BlueMatt> phantomcircuit: does that affect the paper or just random statement of dumb mining hardware?
16:38 < phantomcircuit> BlueMatt, i was commenting on the recent fork
16:38 < BlueMatt> ahh
16:38 < BlueMatt> Im not even sure this is the case here
16:39 < phantomcircuit> BlueMatt, just the terrible operator with his terrible connection
16:40 < phantomcircuit> also the stuff about chinese internet being terrible is true but im sure he can afford a real connection
16:40 < phantomcircuit> it doesn't even have to be that big
16:40 < midnightmagic> andytoshi: Okay, I'm attempting to submit a transaction to the coinjoin interface consisting of 0.00000004 btc, with the sum being completely "donated" to the fee address. It's telling me my inputs are not valid, usually meaning they've already been spent.
16:42 < BlueMatt> he limits his blocks so he can relay with 1 udp packet....
16:42 < BlueMatt> I mean thats just overkill no matter how shitty your connection is...
16:42 < phantomcircuit> that's just silliness
16:42 < phantomcircuit> im sure he has the bandwidth but his latency is probably terrible
16:43 < phantomcircuit> also i wonder if he remembers to retransmit
16:43 < phantomcircuit> im guessing no
16:44 < BlueMatt> probably not
16:50 < andytoshi> midnightmagic: can you msg me the tx?
16:51 < andytoshi> or just the input ids?
17:12 < midnightmagic> andytoshi: sure 22:18 < phantomcircuit> huh 22:18 < phantomcircuit> sitting here it just hit me why a deflationary spiral is a non sequitur with bitcoin 22:19 < phantomcircuit> risk of collapse makes the issue of people as a whole "hoarding" bitcoins impossible 22:19 < phantomcircuit> ironic 22:30 < gmaxwell> the point I like to make is one that I don't have a succinct expression of yet... 22:31 < gmaxwell> which is that you can only use that as argument against such against any deflationary asset existing since any "deflationary spiral" 'risk' exists if you use it or not. 00:09 < jgarzik> petertodd, It does need a blockchain piece to ensure a single identity is commited to that 00:09 < jgarzik> petertodd, without a chain, someone could create any number of root records for a given sacrifice pair 00:10 < jgarzik> petertodd, is there any issue beyond that? 00:11 < petertodd> jgarzik: just sent you my reply 00:17 < jgarzik> petertodd, OP.RETURN <txid> seems sufficient proof in the future, if you provide the serialized TX later? by broadcast perhaps ;p 00:19 < jgarzik> petertodd, I do agree that OP_RETURN <master pubkey digest> makes life much easier 00:22 < petertodd> jgarzik: but the txid doesn't prove that the serialized tx was available to anyone but you to mine 00:22 < petertodd> jgarzik: I could never broadcast the txid, and with my %5 hashing power just wait until I find a block 00:24 < petertodd> or even almost zero hashing power if I'm willing to fail the first few times, at no cost other than the fees associated with TX1 00:28 < jgarzik> petertodd, oh, I see your point, agreed 00:29 < petertodd> jgarzik: you're just trying to get around how few people want to allow large OP_RETURN data payloads aren't you? 
00:33 < jgarzik> petertodd, yes :) 00:34 < jgarzik> petertodd, having to broadcast the entire tx is burdensome 00:35 < jgarzik> s/broadcast/encode in another tx that is broadcast/ 00:35 < petertodd> jgarzik: indeed, but there is no other way 00:35 * jgarzik nods 00:35 < petertodd> jgarzik: also don't forget to take into account signature mutability 00:36 < petertodd> jgarzik: the mined tx might not be identical to the announced one; make sure they spend the same inputs 00:38 < petertodd> adam3us: is http://eprint.iacr.org/2007/433.pdf the state of the art in combining multiple proofs of work? 00:39 < petertodd> adam3us: I could use a scheme to combine proofs-of-* arbitrarily to keep proof size down, but it strikes me as an inherently difficult problem if the proofs are arbitrary 00:41 < adam3us> reading paper, not seen before 00:41 < petertodd> adam3us: thanks 00:48 < adam3us> btw you know multi-sub-puzzle approaches to lower variance are a problem because they create progress, and for bitcoin you cant have progress, or powerful nodes/miners win disproportionately to their power (even more than the proportion their power is higher than a less powerful node) 00:48 < petertodd> for sure; I have very different application in mind 00:49 < amiller_> yeah i know that paper 00:50 < amiller_> the thing is bitcoin is *not* actualy based on a proof of work 00:50 < amiller_> it's based on something else! 00:50 < amiller_> the ideal proof of work (like the one in this constant-verification-effort) is that it takes *precisely* a certain amount of work to complete 00:50 < petertodd> what would you describe what bitcoin is based on? 
00:50 < amiller_> but it's more important in bitcoin that the puzzle acts like hashcash rather than that 00:50 < petertodd> s/what/how/ 00:51 < amiller_> it has to have high variance and really small trials 00:51 < amiller_> it's better described as a lottery than a proof of work 00:51 < petertodd> "proof-of-ticket-purchase" 00:51 < amiller_> yeah 00:51 < petertodd> "proof-of-wager" 00:51 < petertodd> "proof-of-gambling-problem" :P 00:52 < amiller_> this guy dave levin i've been talking with has some interesting, one thing he likes he calls the 'alibi' problem 00:52 < petertodd> ? 00:52 < amiller_> basically it's easy to prove something happened, but it's harder to prove something didn't happen 00:53 < petertodd> hence the UTXO proof stuff... 00:53 < amiller_> you can do it exhaustively by showing every single thing that *did* happen and showing that a bad thing is not included 00:53 < jgarzik> petertodd, Updated and simplified design, https://en.bitcoin.it/wiki/Identity_protocol_v1 Thanks for the assist. 
00:53 < petertodd> or the double-spend problem in general 00:53 < amiller_> but the alternate is to show an "alibi" 00:53 < amiller_> so every time you spend a hash mining on a block, that's a hash that's *definitely* not for some *different* block 00:53 < amiller_> merge mining is sort of the opposite idea though which is interesting too 00:54 < petertodd> so that means that a convincing proof-of-non-double-spend would be to somehow show that all the available hashing power was doing something else 00:54 < amiller_> right 00:54 < amiller_> if suddenly the observed hashpower rate drops by 70% 00:54 < amiller_> then it should be really concerning to everyone 00:54 < amiller_> where did that hashpower go and what's it doing 00:55 < amiller_> but as long as all the asics we estimate have been produced are accounted for you know they're not doing anything else 00:55 < amiller_> something like that 00:55 < petertodd> yeah, yet that's always fuzzy, because there is no engineering way to achieve consensus quickly in a distributed network, let alone a decentralized one 00:56 < petertodd> jgarzik: I have a few edits 00:57 < amiller_> hm, this proposal is pretty neat actually 01:00 < petertodd> jgarzik: also, code wise, you planning on implementing a library or adding it to an existing one or what? 01:01 < petertodd> amiller_: it'll be very interesting to see how the social dynamics of proof-of-sacrifice SIN's work out 01:02 < petertodd> amiller_: and Freenet among other's need them 01:02 < amiller_> yeah. 01:02 < amiller_> it'll be the first new hat in the ring in a long time as far as identities go 01:03 < amiller_> well, besides vanity addresses 01:03 < petertodd> Reminds me: I was thinking that for a lot of social applications the correct metric to compare different sacrifices is probably value*time 01:04 < petertodd> Like, for anti-spam you want to reward the identity that has been around the longest, not just that has sacrificed the most. 
01:04 < petertodd> Or if you are trying to figure out which GPG key is probably correct. (in the absense of a consensus key-value store of course) 01:05 < amiller_> there's all sorts of other subtle cues like 01:05 < jgarzik> petertodd, code-wise, the first will be a minimal command line tool just to prove it works 01:05 < amiller_> if it's been in forum sigs on the wayback machine, famous tweets, etc 01:06 < petertodd> jgarzik: cool; I was intending to put fairly generic proof-of-sacrifice code under my yet-to-be-written trustbits library 01:06 < jgarzik> petertodd, thus "version 1" 01:07 < petertodd> jgarzik: "1" is a bit ambitious IMO :P 01:07 < petertodd> jgarzik: version 0 01:07 < jgarzik> petertodd, This is just to get something out there that works. I imagine a version 2 will appear within 12 months, if people like the concept 01:07 < jgarzik> ;p 01:08 < petertodd> jgarzik: Yeah, mainly I'm thinking to make sure we don't wind up with a bunch of subtley different sacrifice techniques... 01:08 < jgarzik> petertodd, feel free to edit if you think I won't yell and complain ;p 01:14 < petertodd> jgarzik: "Hyphenate or space SIN for easier human reading" <- tricky because base58 has inconsistent length 01:15 < jgarzik> petertodd, IMO it is needed, even so 01:17 < jgarzik> petertodd, disagree with that last. it should be a miner's fee. 01:18 < petertodd> jgarzik: but then you have to provide proofs of tx existence for every input 01:18 < adam3us> seems to me this paper http://eprint.iacr.org/2007/433.pdf does not use partial collisions internally 01:18 < petertodd> adam3us: what do you mean by internally? 01:18 < adam3us> it does not even mention partial collisions in their proposed merkle 01:19 < adam3us> i mean the merkle tree hashes below root 01:19 < adam3us> or even in the root 01:19 < adam3us> maybe its unstated assumption? 
01:19 < petertodd> jgarzik: although, brainfart, it should be <digest> OP_TRUE in that case 01:19 < adam3us> otherwise it seems to scale to a lot of work you hve to have a massive merkle tree that barely fits in ram 01:20 < petertodd> adam3us: I read that as an unstated assumtpion; it's a mechanism to combine multiple partial collisions 01:20 < adam3us> they talk about a slower hash as an option, but that slows down the verifier 01:20 < jgarzik> petertodd, miner's fee is a requirement. Can be on T1 if not T2. 01:20 < petertodd> jgarzik: No, the miners fee or anyone-can-spend has to be on T2, because T1 can be mined for free with patience. 01:21 < jgarzik> true 01:21 < adam3us> petertodd: i think they are aiming for space optimality and so maybe they dont like that because if you have internal node including sub-collisions you have to encode the ones you disclose in the P.log(N) nodes in the proof 01:22 < jgarzik> petertodd, OP_TRUE is anyone-can-spend? 01:22 < adam3us> but that would make sense and then you could view their advance as to say that you can more efficiently encode multiple sub-puzzle solutions via their approach to select which sub-puzzles to disclose based on the root hash 01:22 < jgarzik> petertodd, additional, I was trying to think of a way to use 100% standard transactions, perhaps with multisig abuse 01:23 < petertodd> jgarzik: yeah, technically it can be just <digest> but a anyone-can-spend IsStandard() thing would want to add the OP_TRUE so that <digest> can be non-true and to prevent mistakes 01:23 < petertodd> adam3us: yeah, I read it as more of a "I did all this work, and I'm revealing some of it in a way where I can't do less of that work and get away with it" 01:23 < petertodd> jgarzik: I really think we should avoid that... 
01:24 < petertodd> jgarzik: just make OP_RETURN with a reasonable payload IsStandard()
01:25 < petertodd> jgarzik: note BTW that a miner can spend an anyone-can-spend output really cheaply: scriptSig="", scriptPubKey=OP_RETURN, value out=0, thus turning the into into fees and sending it to the coinbase
01:26 < petertodd> *thus turning the input into fees
03:12 < Luke-Jr> <.<
03:12 < realazthat> "Add your signatures"
03:13 < realazthat> doesn't that take away the old signature?
03:13 < Luke-Jr> not necessarily
03:13 < Luke-Jr> every input has a signature
03:13 < realazthat> right
03:14 < realazthat> mmm, I am just forgetting the protocol
03:14 < realazthat> what ensures that the output is not forged?
03:14 < realazthat> I'll just look that up
03:14 < Luke-Jr> realazthat: you check it before signing :P
03:15 < realazthat> heh, I implemented a blockchain parser to figure all this stuff out
03:15 < realazthat> but I forgot some details already
03:18 < realazthat> Luke-Jr: so if you could remind me (since you are trying to be distracted anyway, I don't feel bad wasting your time), what stops a client that sees a tx from modifying the outputs?
03:18 < Luke-Jr> realazthat: the signatures include a hash of the outputs
03:24 < realazthat> oh I think I remember now
03:24 < realazthat> the inputs' scripts are written so that they strip all the other inputs and include the outputs
03:24 < realazthat> and they hash that
03:25 < Luke-Jr> yes
03:25 < realazthat> so how do we "fix" this when combining?
03:26 < realazthat> oh ah
03:26 < realazthat> does it go back to the originator who then resigns it?
03:26 < realazthat> and then back to you
03:26 < realazthat> and you resign it
03:27 < realazthat> if thats the way it works, then I think I at least understand it conceptually :D
03:44 < zooko> Here's what I did tonight instead of understanding this channel's conversation: https://twitter.com/zooko/status/340010405525061632
03:46 < realazthat> lol
03:47 < realazthat> is that a safe use of random?
03:48 < realazthat> I would use pycrypto or somesuch
03:48 < Luke-Jr> realazthat: the signing is p2p :p
03:48 < realazthat> Luke-Jr: is it how I described?
03:48 < Luke-Jr> almost
03:49 < Luke-Jr> each change is rebroadcast, and everyone participating in it has to resign
03:49 < realazthat> right
03:49 < Luke-Jr> but they don't need to resign in any specific order
03:49 < realazthat> right
03:49 < realazthat> yeah I get it
03:49 < realazthat> I am wondering if I could do this all via the rpc
03:49 < Luke-Jr> probably
03:49 < realazthat> because I haven't touched bitcoin source itself
03:49 < realazthat> yeah I know how to construct the txs
03:49 < realazthat> so I think I can
03:50 < realazthat> mmm
03:50 < realazthat> but does this allow some sort of DOS
03:51 < realazthat> because how do peers know to resend a ctx if some of the sigs are missing/bad
03:51 < realazthat> a valid tx makes sense to rebroadcast
03:51 < realazthat> a half valid tx ...
03:51 < realazthat> I guess if the peer knows the original ctx, and the new one, and sees that you combined
03:52 < realazthat> then it is worthy to rebroadcast
03:59 < zooko> realazthat: good question. It would be unsafe if it were "random.choice" or "random.Random".
03:59 < zooko> But it is "random.SecureRandom", so it is safe.
03:59 < zooko> I wouldn't recommend relying on pycrypto...
03:59 < zooko> Goodnight!
04:00 < realazthat> random.SystemRandom
04:00 < realazthat> "The generators of the random module should not be used for security purposes. Use ssl.RAND_bytes() if you require a cryptographically secure pseudorandom number generator.
04:00 < realazthat> "
04:01 < realazthat> - py.random docs
05:55 < wumpus> the advantage of using SSL random is that it is more portable, it is secure even on systems that have insecure system random generators
05:56 < wumpus> and you can feed arbitrary additional entropy sources into SSL
12:44 < realazthat> wumpus: so random.SystemRandom is fine?
12:44 < realazthat> except for those advantages?
12:44 < realazthat> I would be suspicious of side-channel attacks :/
12:44 < realazthat> and just assume SSL does the most magic that it can
12:45 < realazthat> openssl
12:45 < realazthat> and hi wumpus :D
12:47 < wumpus> nah if random explicitly warns against using it for security you should likely heed that warning
12:47 < wumpus> hi realazthat
12:59 < zooko> There may be some confusion here. There is an explicit warning against using random.Random, not random.SystemRandom.
13:03 < realazthat> mmmm
13:03 < realazthat> "generators of the random module should not be used for security purposes"
13:03 < realazthat> dunno ...
13:03 < realazthat> random module
13:04 < realazthat> bad source of randomness is notorious for side-channel attacks
13:04 < realazthat> even if it is system
13:04 < realazthat> unless it is explicitly meant for crypto, I would not trust it
13:05 < realazthat> anyway
13:05 < realazthat> I don't think your program is susceptible
14:13 < realazthat> mmm
14:13 < realazthat> now that I think about it, if you use SCIP for proof of work in a blockchain, it doesn't really matter if there is a faster way to solve the problem; you must run the program
14:14 < realazthat> no?
14:16 < realazthat> or is that not a guarantee
14:33 < gmaxwell> realazthat: they can just simplify the SCIP computation. :)
14:34 < realazthat> yeah but its at least O(T), no?
14:34 < realazthat> oh
14:34 < realazthat> mmm
14:34 < realazthat> if T is less
14:35 < realazthat> then maybe SCIP is less, is what you saying?
14:35 < realazthat> gmaxwell: are you certain about that?
14:36 < realazthat> basically, to rephrase question:
14:36 < realazthat> Is there a guarantee that there is no way to generate sig if a correct answer is otherwise found in a quicker manner than running `P`, the original, via running `Q` instead.
14:57 < Luke-Jr> I don't think SCIP supports sleep() :P
14:57 < Luke-Jr> almost certainly not random
14:58 < realazthat> mmm
14:58 < realazthat> thats beside the point
14:58 < realazthat> but anyway it does support random AFAICT
14:58 < realazthat> because you can have that as input
14:58 < realazthat> ie. int[] randoms
14:58 < realazthat> and input can be private
14:58 < realazthat> my point is,
14:59 < realazthat> can you do BogoSort
14:59 < realazthat> and force him to actually do bogosort
14:59 < Luke-Jr> but you can't guarantee the input was chosen randomly
14:59 < realazthat> or can he do an optimal sort instead
14:59 < realazthat> oh yeah
14:59 < realazthat> probably not
14:59 < realazthat> but again, I don't see how that answers or related to the question I am asking
21:02 < warren> http://www.coinchoose.com/charts.php <--- looks scary, suggesting a lot of people are assigning stupid value to scam coins
21:02 < warren> but the methodology is wrong, the alts are a lot smaller than this chart suggests
21:46 < petertodd> warren: remind me to start an altcoin called "OneCoin" that has exactly one coin, just so I can claim it has a much higher OneCoin/USD ratio than Bitcoin itself
21:49 < Luke-Jr> ask them to replace BTC with kBTC
21:49 < Luke-Jr> <.<
21:54 < realazthat> ohcool
21:54 < realazthat> I gonna email eli
22:57 < zooko> Okay I finished reading http://pastebin.com/Rj4bshY3
23:51 < realazthat> mmm
23:51 < realazthat> just sent email
--- Log closed Fri May 31 00:00:51 2013
--- Log opened Fri May 31 00:00:51 2013
00:01 < realazthat> mmm
00:02 < realazthat> gmaxwell: eli mentions implementing something analogous to zerocoin
00:02 < realazthat> what is your opinion on that?
00:08 < petertodd> zooko: thoughts? like a better name than pos-key-value?
00:09 < petertodd> zooko: come up with a good one or it's gunna be zookey
00:09 < zooko> Haha!
00:09 < petertodd> zookeydns!
00:10 < petertodd> Hmm... actually, overruled, it's now zookey
00:10 < zooko> Well, I didn't understand all of it.
00:10 < zooko> Haha!
00:10 < zooko> Very funny
00:10 < zooko> I'm honored.
00:10 < petertodd> What didn't you understand?
00:10 < zooko> So, I was chatting in here with gmaxwell about some relatedish topics, IIUC.
00:10 < petertodd> At least I didn't name it zooko^2...
00:10 < zooko> Namely, the possibility of a rebooted and improved Namecoin.
00:10 < petertodd> ...which should be done
00:11 < petertodd> ooh, zookeyv has a nice ring to it
00:15 < zooko> Let's see... I didn't fully understand why a Bitcoin or Bitcoin-like thingie would be necessary or useful for this catalog of identities.
00:15 < zooko> Also, I think the notion of "identity" that was being discussed, especially by jgarzik is underspecified and maybe not that useful.
00:16 < zooko> Sorry for the delay -- there is a security investigation ongoing here and I'm trying to ignore it and have fun hacking instead.
00:16 < petertodd> Fun...
00:16 < petertodd> Well, it all boils down to a global consensus on a mapping of keys to values right?
00:16 < petertodd> So zookeyv is just that mapping, which can be used for a lot of things.
00:16 < petertodd> How do you come to a global consensus? Voting. We know of no other way.
00:17 < zooko> Okay, so that is what I have always perceived as the core usefulness of Namecoin.
00:17 < zooko> I'm not sure what you mean by "voting". My answer would be "Bitcoin".
00:17 < petertodd> How do we vote? Proof of work; proof of sacrifice is really just transferable proof of work.
00:17 < petertodd> See, this could be implemented directly on Bitcoin, but then people would try to kill me.
00:18 < zooko> ;-)
00:18 < petertodd> Specifically gmaxwell, and he knows where I live.
00:18 < zooko> Okay, so my answer would be "The Bitcoin Idea".
00:18 < zooko> Which is the first plausible global consensus system.
00:18 < petertodd> Indeed, and once you have one global consensus system, you don't need any more.
00:18 < zooko> I think there are more options than proof-of-work, proof-of-sacrifice...
00:18 < petertodd> There's proof-of-stake
00:19 * zooko nods.
00:19 < petertodd> ...and really proof-of-stake is proof-of-work done in the past.
00:19 < zooko> Okay, so suppose we're going to maintain a k-v mapping with global consensus.
00:19 < petertodd> *proof-of-work-done-in-the-past
20:38 < warren> you folks manage to get it? I have westlaw and lexis access right now
20:40 < phantomcircuit> warren, i have it but scribd doesn't like me
20:43 < phantomcircuit> gmaxwell, http://198.27.67.106/hashfast.pdf
20:43 < gmaxwell> phantomcircuit: Can I post that URL on the forum?
20:44 < warren> from PACER?
20:44 < phantomcircuit> gmaxwell, sure
20:44 < gmaxwell> Thanks.
20:45 < phantomcircuit> warren, yes
20:45 < warren> well, good luck to them on getting their BTC back... USD value seems more likely
20:47 < phantomcircuit> warren, sure, but at what day?
20:47 < phantomcircuit> warren, did you notice the spike to 1000 on mtgox?
20:47 < phantomcircuit> i wonder if that's a coincidence
20:47 < phantomcircuit> or you know... not
20:49 < jgarzik> michagogo|cloud, yes, it is time to update bootstrap torrent. Past time, even.
20:50 < phantomcircuit> http://ia600407.us.archive.org/25/items/gov.uscourts.cand.273355/gov.uscourts.cand.273355.docket.html
20:52 < phantomcircuit> i wonder if pacer has broken recap on purpose
21:10 < phantomcircuit> http://www.archive.org/download/gov.uscourts.cand.273355/gov.uscourts.cand.273355.1.0.pdf
21:10 < phantomcircuit> there we go
21:10 < phantomcircuit> that cost me like $10
21:10 < phantomcircuit> stupid pacer
21:57 < fagmuffinz_> +1 on updating the bootstrap torrent
21:58 < fagmuffinz_> I'm currently catching up my laptop and it's > 10 weeks behind
21:58 < fagmuffinz_> Been several hours now and I'm just 7 weeks behind now
22:01 < gmaxwell> the torrent is just papering over the lack of the headers first patches.
22:16 < maaku> fagmuffinz_: it will take just as long to verify via the bootstrap download
22:16 < maaku> unless you manually set a checkpoint or something
22:18 < phantomcircuit> maaku, actually it's much faster
22:18 < gmaxwell> maaku: fetch is seriously fuxored now..
22:19 < maaku> well i guess it depends on your internet speed :P
22:19 < maaku> i'm behind an ADSL.1 here :(
22:19 < maaku> rural speeds
22:24 < gmaxwell> maaku: right now you can expect to fetch the same blocks over and over again during sync, doesn't help when you're on adsl. :(
--- Log closed Wed Jan 08 00:00:06 2014
--- Log opened Wed Jan 08 00:00:06 2014
00:21 < michagogo|cloud> jgarzik: do you know which block you'll extend it to?
00:22 < michagogo|cloud> (If so, I can generate the file myself, and be ready to seed when it goes live)
00:33 < gmaxwell> warren: http://peercoin.net/index.php < click Myth 2.
00:51 < michagogo|cloud> gmaxwell: o_O
00:52 < michagogo|cloud> They were the ones that allow the dev to add new checkpoints at any time without an update to the software, right?
00:52 < BlueMatt> gmaxwell: though that looks ridiculous, it does say they dont enforce checkpoints by default....
00:52 < BlueMatt> michagogo|cloud: yes
00:54 < gmaxwell> BlueMatt: it's not true.
00:54 < BlueMatt> ahh
00:54 < gmaxwell> BlueMatt: the text they're quoting there is about XPM not PPC.
00:54 < BlueMatt> well...thats just ridiculous
00:54 < gmaxwell> BlueMatt: it also says that Bitcoin and Litecoin have "checkpoints" too.
00:54 < BlueMatt> yea
00:54 < BlueMatt> I liked that bit
00:55 < michagogo|cloud> And even if it were true, if part of the network enforced them DNA another part didn't, that means a hardfork
00:55 < michagogo|cloud> and*
00:55 < gmaxwell> The PPC consensus model _requires_ them, not just for fuzzy security reasons, but because you cannot validate PoS without a transaction index containing the stake thats being used on the block... so they only allow coins which have been immobile for >30 days to be used for PoS and then use the checkpoints to make damn sure the network agrees about the state in the past.
00:56 < gmaxwell> I also checked the PPC codebase, they're on, and there appears to be no way to turn them off.
00:57 < warren> gmaxwell: and of course it doesn't matter if it isn't enabled by default, if pools do then the users don't have a choice.
00:58 < michagogo|cloud> Erm, maybe not hard
01:40 < gmaxwell> I wish people would ask better questions: http://www.reddit.com/r/Bitcoin/comments/1uoq6e/what_do_you_guys_think_of_proof_of_stake_mining/cek9fhq
01:42 < home_jg> I wish reddit would not suck so much
01:43 < home_jg> Cardinal example of upvoting/downvoting systems producing herds of fast-moving idiots
01:43 < home_jg> I say this as a near-daily reddit user, of course
01:45 < home_jg> well-informed cautionary answers on brainwallets routinely get downvoted
01:53 < Guest58374> herding idiots
01:53 < Guest58374> i'm going to remember that :)
01:58 < gmaxwell> the upvoted downvotey stuff overweighs superficial opinions. It's fine for cat pictures.
01:58 < gmaxwell> (which is mostly why I browse reddit)
01:58 < gmaxwell> I hardly read any bitcoin or technology things at all, mostly just funny pictures of animals.
02:00 < Taek42> I'm not sure that it's a symptom of upvotes and downvotes so much as Reddit being a general audience
02:01 < maaku> people are stupid
02:01 < gmaxwell> Taek42: nah, normally the general audience doesn't have their hands firmly placed on the steering wheel.
02:01 < maaku> it boggles my mind that when you have a crowd of them, wisdom is supposed to emerge
02:01 < gmaxwell> lol
02:01 < Taek42> democracy!
02:02 < gmaxwell> to be fair even the crappy "Wisdom of the crowds" book said that wasn't actually so.
02:04 < Taek42> I've often wondered what would happen if voting had a cost to it, and you could pick the power of your vote by adjusting the cost
02:04 < maaku> never actually read it. was the thesis that you need proper incentives?
02:07 < michagogo|cloud> Taek42: a monetary cost, you mean?
02:08 < Taek42> well, some sort of currency that could be swapped for real currency
02:08 < maaku> citizen cost a la starship troopers?
02:08 < Taek42> dogecoin, perhaps
02:08 < gmaxwell> voting already has a substantial cost in terms of time/trouble.
02:08 < Taek42> on reddit, the first vote is pretty costly
02:08 < Taek42> seeing as you have to log in, and maybe create an account
02:08 < Taek42> but the rest are painless
02:09 < michagogo|cloud> Or creddits
02:09 < Taek42> I imagine though that it wouldn't actually be that different even if there were a monetary cost to each vote (or a karma cost)
02:10 < Taek42> The problem being that the average person could have as much authority/power as the expert
02:10 < michagogo|cloud> I seem to recall there was some site like that
02:10 < michagogo|cloud> Where you spend reputation points to vote
02:11 < phantomcircuit> gmaxwell, is there still a penalty for p2pool?
02:11 < phantomcircuit> iirc there used to be a substantial orphan rate
02:11 < phantomcircuit> also @anybodyelse
02:12 < gmaxwell> phantomcircuit: it has the lowest orphan rate of any pool as far as I can tell.
02:12 < phantomcircuit> what's it's current orphan rate?
02:13 < gmaxwell> there has been two this year.
02:14 < gmaxwell> 0.12% in my data. (eligius, by comparison, has been ~1%)
02:14 < phantomcircuit> that's interesting
02:14 < gmaxwell> phantomcircuit: p2pool changed a couple years ago to a model where nodes pre-forwarded transaction data to their peers. So when one finds a block it just has to send the list of transactions that were actually in it.
02:15 < Taek42> theoretical problem: suppose every miner picks the maximum-payout pool. Wouldn't every miner end up picking the same pool?
02:15 < gmaxwell> it will also mine a transactionless block in brief windows when the local bitcoind is lagging but p2pool peers have produced shares against a further along chain.
02:15 < phantomcircuit> any idea why the orphan rate would be lower than eligius?
02:16 < gmaxwell> phantomcircuit: because it has an enormous network connectivity advantage.
02:16 < phantomcircuit> it might also have to do with what kind of hardware is connected to p2pool
02:16 < phantomcircuit> some of them have uh
02:17 < phantomcircuit> interesting ideas of what stale means
02:17 < gmaxwell> p2pool blocks end up being concurrently announced by a dozen peers in the first 30ms after finding a block... hundreds within 400ms.
02:18 < gmaxwell> phantomcircuit: maybe, p2pool direct miners to return "stale" shares.
02:18 < gmaxwell> in any case, if some miner is overly aggressive in what its discarding, its not getting paid for that portion of its work.
03:51 < gmaxwell> I think bitcoin is becoming the new DHT. :(
03:52 < wumpus> yo, slap a blockchain on it
03:53 < roidster> COULUD STAND FOR HEMROID
03:53 < roidster> could* pardon the caps
03:55 < BlueMatt> gmaxwell: I think we've known that was gonna happen for a while
03:55 < BlueMatt> /has been happening for a while
03:55 < wumpus> well yes bitcoin is the new idea of the day, so now we're in the [try_with_new_idea(x) for x in old ideas] phase
03:56 < wumpus> and you get nonsensical ideas, like in the internet boom.... just like your old pet shop, but online!
04:06 < gmaxwell> a miracle happened on reddit today
04:07 < gmaxwell> someone mentioned my name in a ppc thread, which is what brought my attention to those claims on that website.
04:07 < gmaxwell> I refuted them with citations to source code.
04:07 < warren> URL?
04:07 < warren> (reddit thread)
04:08 < gmaxwell> http://www.reddit.com/r/Bitcoin/comments/1uoq6e/what_do_you_guys_think_of_proof_of_stake_mining/cek7vbc
04:08 < gmaxwell> and someone argued with me... and then actually accepted my counter arguments. and I'm not being voted down!
04:14 < sipa> i've been explaining the problem with PoS a few times now at the zurich bitcoin meetups
04:14 < sipa> people do seem to understand it
04:18 < gmaxwell> it makes me sad, I really wish it worked.
04:19 < justanotheruser> What are the potential problems of associating namecoin registration price with transaction fee sum?
04:19 < gmaxwell> what is a "transaction fee sum"?
16:50 < adam3us> maaku: i mentioned last few days that i think multiple smaller blocks are statistically harder to 51% attack because p^12 << p^6 eg (if you have p=10% or whatever) and to do an n-confirmation attack you need a chain n blocks long, and so if block interval is lower, then you can get more security per time-interval (eg within 30mins say)
16:51 < maaku> adam3us: SPV nodes must download headers + merkle path + coinbase tx for every block. that alone is a large but manageable cost already
16:52 < maaku> plus they must perform a boom or prefix query for the contents of each block
16:52 * sipa likes boom queries
16:54 < adam3us> adam3us: so actually i think shorter block intervals allow more short confirmations (in a given time interval) and so are more secure, per elapsed time, and or allow faster confirmation to a given assurance level
16:54 < sipa> adam3us: depends on whether your attack model is about someone buying hash power, or buying hashes
16:54 < adam3us> maaku: (i know that was refuted in terms of "litecoin more secure than bitcoin" but i am not saying 6-conf on each I am saying 24-conf on 2.5min block interval is more secure than 6-conf on 10min block interval)
16:54 < sipa> i think
16:55 < maaku> adam3us: yes, but how often are those few minutes really worth it?
16:55 < adam3us> maaku: (sorry meant "ltc faster..." not "ltc securer" as people said yes but weaker so not usefully faster)
16:56 < maaku> vs increasing bandwidth requirements for spv nodes by an order of magnitude - especially when these users are often on data-capped mobile plans
16:56 < adam3us> maaku: spv min feed bloat is bad, yes.
16:57 < justanotheruser> Any idea how much of ghash is cloud mining?
16:57 < adam3us> sipa: there would be less electricity used, and smaller reward interval, so if they were bought yes they would be economically weaker. alternatively in terms of you own some hash power then statistically stronger
16:58 < maaku> adam3us: actually it is generally true that you should compare confirmations, not work done
16:58 < maaku> at least in standard bitcoin
16:58 < maaku> and so long as you're not approaching bandwidth/latency limits
16:59 < adam3us> maaku: yes that was in regards sipas comment "depends on whether your attack model is about someone buying hash power, or buying hashes"
16:59 < sipa> maaku: i've suggested using (total_work_at_tip - total_work_at_inclusion)/current_difficulty as measure for confirmations
16:59 < sipa> "PoW equivalent time"
17:00 < adam3us> maaku: you cant determine work done really. luck. if you meant that in a strict sense
17:00 < michagogo|cloud> ;;later tell andytoshi Heh, your cj client is impossible to use on unencrypted wallets
17:00 < gribble> The operation succeeded.
17:01 < sipa> unfortunately, the current PoW-equivalent confirmation time of the genesis block is around 50 days
17:01 < adam3us> maaku: maybe you meant compare ltc 6-conf to btc 6-conf (rather than compare ltc 24 to btc 6)
17:03 < adam3us> sipa: yes thats a fun fact, nice stat feels weak intuitively, but it still its a long way from a rogue network subset going off and rewriting history.
17:03 < maaku> michagogo|cloud: why?
17:03 < michagogo|cloud> Because it assumes there's a passphrase
17:04 < maaku> michagogo|cloud: ah
17:04 < adam3us> sipa: the formula is nice for long confirmations separated by difficulty adjustments
17:04 < michagogo|cloud> maaku: http://imgur.com/4RYgCpJ
17:04 < maaku> adam3us: i'm saying ltc 6-conf is equal to btc 6-conf in realistic attack scenarios
17:05 < maaku> e.g. a pool trying to win money from a zero-conf service
17:06 < maaku> if the question is "what's the probability of my fraud chain pulling ahead?" interblock time doesn't factor into that
17:06 < sipa> adam3us: http://bitcoin.sipa.be/powdays-50k.png
17:06 < adam3us> sipa: yeah i know, i saw it, very nice :)
17:09 < maaku> sipa: it's an interesting measure, but it doesn't really factor into real attack analysis now does it?
17:10 < maaku> i should say, it's relevant if you can actually pull off a 51% attack
17:11 < maaku> otherwise you know you're going to lose in the long run so the question becomes likelihood of success, which depends on # confirmations, not pow days
17:11 < gmaxwell> maaku: so modifying your statement, "foocoin with 1ns blocks 6-conf is equal to btc 6-conf in realistic attack scenarios"
17:15 < adam3us> gmaxwell: i think sipa had it better, shorter interval = lower reward loss/lower PoW cycles; but same probability
17:15 < maaku> [13:58:25] <maaku> and so long as you're not approaching bandwidth/latency limits
17:16 < adam3us> maaku: exactly.
17:18 < adam3us> maaku: actually i suppose the probability of pulling off a 51% attack per time interval is higher, because there are more block intervals per time period (more attacks to run)
17:19 < adam3us> maaku: eg with lite coin i get 4 tries per hour, with bitcoin i get 1 (other params than block interval being equal, same total reward aggregate etc)
17:21 < maaku> adam3us: yes, but if you're trying every block then your costs similarly increase
17:21 < maaku> and the payoff remains the same, if measured as expected gain/loss per block
17:22 < gmaxwell> maaku: ignoring that fact that orphaning causes increased hashpower dilution
17:22 < gmaxwell> thats why I gave the 1ns example.
17:22 < adam3us> maaku: so probability of being able to double spend goes from p^6 to 1-(1-p^6)^4
17:23 < adam3us> maaku: eg 25% hash power from .024% to .098%
17:24 < adam3us> maaku: your costs are the same i think .. no reward for 1hr period presuming same reward distribution per hour
17:24 < maaku> adam3us: the costs are whatever you're trying to double-spend, not the reward per se
17:25 < maaku> adam3us: also there's a reason I said "assuming standard bitcoin"
17:25 < adam3us> maaku: thats a (misgotten) profit not a cost?
17:25 < maaku> if you assume GHOST, then it actually makes the double-spend harder to pull off
17:25 < adam3us> maaku: (assuming something liquid with low commission to trade against with your fraud, like say ltc/btc or whatever)
17:25 < maaku> because the honest chain has stales the fraud chain does not
17:26 < maaku> and if you assume fractional proof of works are distributed it gets worse for the attacker
17:27 < maaku> adam3us: you will never find zero commission, zero spread
17:29 < adam3us> maaku: agreed the commission & spread is the additional cost
17:33 < adam3us> maaku: there seem to be faster params that are more secure against double spend. so like 8x 2.5min blocks less chance of double spend per hour, and less chance per try and shorter confirmation (than 6x10min)
17:35 < adam3us> maaku: p^6=.024%, p^8=.0015%, 1-(1-p^6)^4=.098%, 1-(1-p^8)^3=.0046%
17:42 < adam3us> maaku: but as u said the spv cost for more blocks is a problem with ghost. they even mention 1 second interval. surely that would lead to quite strong advantages for cloud hosted mining
18:09 < andytoshi> michagogo|cloud: that's correct, i am mulling over supporting unencrypted wallets
18:09 < andytoshi> michagogo|cloud: i just put a passphrase on my testnet wallet, which was annoying..
--- Log closed Sun Jan 19 00:00:43 2014
--- Log opened Sun Jan 19 00:00:43 2014
05:23 < adam3us> petertodd: your time-lock stego for msc non payment msgs, why not make keys available, then time-lock decrypt is just a reactive fail-safe plan in event of blocking, the fast/normal path would be to reveal keys via msc only sub-net, or even reveal of previous keys (in a committed tx like way) with later msgs. consensus is preserved, speed & cpu efficiency is improved
05:23 < adam3us> petertodd: (not that i think stego spamming btc network is a good idea, just because of the interesting theoretical question:)
11:57 < tacotime_> Hey guys. I'm going on stealth transactions right now and I'm trying to wrap my head around them. To fully anonymize, do you also need another protocol on top of it like coinjoin to anonymize inputs and outputs?
11:57 < tacotime_> *on=over
11:59 < sipa> tacotime_: don't confuse privacy with anonymity
12:00 < sipa> bitcoin doesn't provide anonymity at all, and stealth addresses nor coinjoin help with that
12:00 < sipa> both do improve privacy though, and in different ways
12:00 < tacotime_> Okay.
12:00 < sipa> but apart from that, yes, you likely want both
12:01 < sipa> stealth addresses helps preventing address reuse - you could do it without stealth addresses too
12:02 < orperelman> I agree with Sipa, on that - bitcoin doesn't provide anonymity
12:05 < tacotime_> Does it require a hardfork to implement (is the stealth address itself published to the blockchain)? I understand the generation of a secret and secret sharing to generate a private key for the receiver to spend the funds at the sender's public address, but I'm fuzzy on the way things go on in the actual blockchain for this.
12:07 < sipa> stealth addresses don't require any change to the protocol
12:09 < tacotime_> OK
12:17 < tacotime_> The payee's address never actually receives inputs under this system, but is just used to generate addresses for a payer to send to?
12:19 * nsh wonders...
12:21 < nsh> could a payer and a payee use some kind of asymmetric diffie-hellman exchange to arrive at a payment address with the payee having enough information to construct the corresponding private key...
12:22 < tacotime_> (or, I guess, the address corresponding to the pubkey Q)
12:25 < tacotime_> Oh, OP_RETURN is used to publish the pubkey to the blockchain. And you can't associate these with any given payments because they have no outputs other than fees.
12:27 < tacotime_> The reddit ELI5 is really helpful for this, heh.
12:35 < tacotime_> Neat. Is OP_RETURN used very much at the moment?
12:39 * andytoshi-logbot is logging
02:07 < warren> Diablo-D3: that's the tracebacks I'm seeing, the nonce is an odd-length or some other problem
02:07 < warren> it crashes on two different lines
02:07 < Diablo-D3> warren: yeah, but I dont know where the hell the commit went
02:07 < Diablo-D3> I swear I saw it in #p2pool on the commit bot
02:08 < warren> uh....
02:08 < Diablo-D3> maybe I was seeing things
02:08 < warren> Diablo-D3: some other scrypt coin fork run by Balthazar apparently has a forked p2pool which disables stratum for this reason
02:08 < Diablo-D3> yeah, I can see why he'd do that
02:10 < Diablo-D3> gmaxwell: so wait
02:10 < Diablo-D3> gmaxwell: your way
02:10 < Diablo-D3> I send the share header in clear text
02:10 < warren> p2pool/bitcoin/stratum.py:
02:10 < warren> coinb_nonce = extranonce2.decode('hex')
02:10 < warren> assert len(coinb_nonce) == self.wb.COINBASE_NONCE_LENGTH
02:10 < warren> it crashes on either of these lines
02:11 < Diablo-D3> gmaxwell: and then I send the share body as reed solomon codes?
02:11 < Diablo-D3> gmaxwell: so remote peers can reconstruct the body without all the codes?
02:12 < Diablo-D3> gmaxwell: well, reed solomon as an erasure code
02:12 <@gmaxwell> Diablo-D3: the idea is that you get X share chunks from X peers and can reconstruct X shares. .. without the risk that two peers sent you the same thing.
02:13 < Diablo-D3> gmaxwell: yeah, but you dont need X shares for X peers
02:13 < Diablo-D3> with a proper erasure code setup you can do, say, X-1 blocks from X-1 peers
02:13 < Diablo-D3> and reconstruct the missing one
02:14 <@gmaxwell> Diablo-D3: forget x-1.
02:14 < Diablo-D3> and if you dont get enough to reconstruct you select random low latency peers "I have 1, 2, 3, , n, randomly send me one I dont have"
02:14 < Diablo-D3> gmaxwell: well, if this was DiabloPool, it'd be over UDP
02:14 <@gmaxwell> For an N,M code you can get any N out of M syndromes and recover N shares.
02:14 < Diablo-D3> gmaxwell: oh, you're doing it that way
02:14 < Diablo-D3> I was doing it for the share body
02:15 <@gmaxwell> forget the body, we're latency not throughput limited.
02:15 < Diablo-D3> no, if we were throughput limited I'd be throwing lz4 on top of this
02:15 < Diablo-D3> or full scale gzip
02:16 < jrmithdobbs> gmaxwell: i thought you were trolling me, this is really where the interesting conversation from -dev went ;p
02:17 < Diablo-D3> gmaxwell: wait, is M less than N? or more than?
02:17 < jrmithdobbs> M *of* N
02:17 < jrmithdobbs> so <=
02:18 < Diablo-D3> ahh kay
02:18 < jrmithdobbs> err wait, actually i'm confused which you were using for which in that sentence too
02:18 < jrmithdobbs> gmaxwell: ^
02:18 < Diablo-D3> oh heh
02:18 < Diablo-D3> [02:14:41] <gmaxwell> For an N,M code you can get any N out of M syndromes and recover N shares.
02:18 < Diablo-D3> I assume M is > N
02:19 < Diablo-D3> well >=
02:20 < jrmithdobbs> n >= m, it's n of m, so n shares to combine, m total shares in existence
02:20 < jrmithdobbs> err n <= m
02:21 < jrmithdobbs> damn it
02:21 < Diablo-D3> so I was right
02:21 < jrmithdobbs> yes, i'm dyslexic tonight apparently
02:21 < Diablo-D3> happens
02:21 < jrmithdobbs> i hate m/n x/y etc naming in this crap :P
02:21 < jrmithdobbs> i/j is the worst
02:22 < Diablo-D3> yeah so do I
02:22 < Diablo-D3> heh i
02:22 < warren> Diablo-D3: if you do find that patch it would be very appreciated. I haven't seen anything like it anywhere.
02:22 < Diablo-D3> the only time I use i as a variable in code
02:22 < jrmithdobbs> i&j actually kind of anger me when i see them outside of very very simple loop counters ;p
02:22 < Diablo-D3> is if its an obvious foreach loop
02:22 < Diablo-D3> I dont even like using j
02:22 < jrmithdobbs> ya either/or in isolation is fine
02:22 < jrmithdobbs> but both at once is just NO
02:22 < Diablo-D3> because if I use j, I almost invariably have to rename j to k
02:23 < Diablo-D3> because I have to insert a loop between i and k
02:23 < Diablo-D3> happens every fucking time
02:23 < Diablo-D3> and then, of course
02:23 < Diablo-D3> I always miss one
02:23 < Diablo-D3> and then wonder why my code isnt working for ten minutes
02:23 < warren> Although I didn't quit p2pool because of the tracebacks, I think the tracebacks are only on pseudoshares that are invalid, so you're not losing anything.
02:23 < jrmithdobbs> and you can't :%s///g because that will end in hilarity
02:24 < jrmithdobbs> that's the worst part ;p
02:24 < jrmithdobbs> and yet, EVERYONE KEEPS DOING IT
02:24 < Diablo-D3> jrmithdobbs: and on my vim, for some reason
02:24 < Diablo-D3> g isnt g
02:25 < jrmithdobbs> seriously, this should be day one of hs/undergrad cs classes (because the formally "educated" seem worst about it;p)
02:25 < Diablo-D3> it doesnt replace every occurrence on each line
02:25 < Diablo-D3> and I havent been assed to figure out why
02:25 < jrmithdobbs> 'IF YOU EVER THINK YOU SHOULD USE A ONE LETTER VARIABLE NAME YOU ARE WRONG AND WILL FAIL THIS AND ALL FUTURE CS CLASSES!'
02:25 < jrmithdobbs> and enforce it as part of the code of conduct
02:25 < Diablo-D3> but yeah
02:25 < Diablo-D3> i only exists for obvious foreach loops
02:25 < jrmithdobbs> for the love of god
02:25 < Diablo-D3> jrmithdobbs: hell, people dont even realize they can do linked list shit with for
02:26 < jrmithdobbs> i'd be willing to give up i for that use to get rid of the rest of it!
02:26 < jrmithdobbs> ;p
02:26 < jrmithdobbs> i shall henceforth be called iterator
02:26 < jrmithdobbs> DONE
02:27 < jrmithdobbs> that's how it reads anyways.
02:27 < Diablo-D3> for(your_struct **head = &your_head; *head; *head; **head = (*head)>next) or some shit like that
02:27 < jrmithdobbs> (should*)
02:27 < Diablo-D3> er, ignore the doubled middle arg there
02:29 < jrmithdobbs> Diablo-D3: dude things like size_t end=strlen(input)+1;/*horrible*/for(src=&input,end=src+end;src<end;src++) ; are enough to confuse most people =/
02:29 < Diablo-D3> well, mainly because of your lack of whitespace
02:29 < jrmithdobbs> no even with the whitespace
02:30 < Diablo-D3> er, +1? you sure about that?
02:30 < Diablo-D3> why do you want to see the end null?
02:30 < jrmithdobbs> positive
02:30 < jrmithdobbs> because i'm copying it
02:30 < Diablo-D3> because if you're just copying it use memcpy
02:30 < jrmithdobbs> also, such a construct is obv not useful on anything you can run strlen on in the first place
02:30 < Diablo-D3> then you get the wide copy enhanced versions
02:30 < Diablo-D3> OR
02:31 < Diablo-D3> if you're doing it for read only
02:31 < jrmithdobbs> the strlen was just for illustration
02:31 < jrmithdobbs> ;p
02:31 < Diablo-D3> just make another pointer jumped into the string
02:31 < Diablo-D3> jrmithdobbs: you know whats interesting?
02:31 < Diablo-D3> strlen can be done extremely fast
02:31 < Diablo-D3> you can check 8 bytes at a time to see if any of them have a zero byte nearly for free
02:31 < jrmithdobbs> sure but any data you'd want a loop like that for is most likely not a null terminated string
02:32 < jrmithdobbs> because if it was, you already have super highly optimized libc routines to do 99% of what you need to with it ;p
02:32 < Diablo-D3> yeah
02:32 < jrmithdobbs> (assuming your platform doesn't suck)
02:32 < Diablo-D3> I cant think of a good example where that makes sense
02:33 < jrmithdobbs> also i never said it was useful, i just said simple loop constructions like that confuse people, of course trying to do linked list traversal in your control variables is going to confuse people
02:33 < jrmithdobbs> that was my point :)
02:33 < Diablo-D3> well, it confuses me as to why anyone would write that
02:33 < Diablo-D3> if I was syntax parsing, thats not what I'd use
02:34 < jrmithdobbs> it confuses me as to why anyone would traverse a linked list like you showed too
02:34 < jrmithdobbs> heh
02:34 < jrmithdobbs> Diablo-D3: anyways, it's useful for things like inplace byte string reversal
02:35 < Diablo-D3> jrmithdobbs: here
02:35 < Diablo-D3> http://wordaligned.org/articles/two-star-programming
02:35 < Diablo-D3> this is why.
02:35 < jrmithdobbs> (if you pretend you live in a world without SIMD and/or need portability)
02:35 < Diablo-D3> Ive known about the trick for years, but thats a good explanation why
02:35 < Diablo-D3> jrmithdobbs: heh, if it was bit reversal
02:36 < Diablo-D3> that can be done quickly
02:39 < jrmithdobbs> err, what he's talking about doesn't have to do with the silly-ish loop usage necessarily ... but when you put it in context of deletes i see what you were originally getting at
02:45 < warren> Diablo-D3: The hash > target and tracebacks bug happens in p2pool BTC, but it is so rare that you almost never see it. A month of p2pool BTC here and I saw it only once.
02:49 < Diablo-D3> warren: I have several months of logs
02:49 < Diablo-D3> its not on mine
02:49 < Diablo-D3> jrmithdobbs: I dunno, I think doing it linus's way is more elegant
02:50 < jrmithdobbs> ya but that's not the thing you said, the loop in that article makes sense ;p
03:08 < Diablo-D3> yeah I think I fucked that one up
03:08 < Diablo-D3> I wasnt doing the if on the next though
03:12 < jrmithdobbs> ya i see what you were getting at now :)
03:59 < jgarzik> On legality of IRC micropayment bots: https://bitcointalk.org/index.php?topic=154754.msg1640873#msg1640873
03:59 < jgarzik> I still think he's overly optimistic
04:00 < jgarzik> but maybe that just means I'm overly pessimistic :)
04:00 < petertodd> Heh, who knows really.
04:00 < petertodd> I still wouldn't run one myself.
04:02 < petertodd> Has FinCEN said anything about more general logging requirements? Chaum tokens are an obvious counter-example... Transaction limits are pretty much meaningless when identities are cheap and you can just do thousands of transactions instead of one.
14:11 < michagogo|cloud> phantomcircuit: 3.6(b), you mean?
14:11 < TD> july
14:11 < TD> it's in the complaint
14:11 < shesek> some people are also accusing him of stealing money - http://bitinstant.info/
14:12 < phantomcircuit> michagogo|cloud, 3.6(b) defines how a member can be terminated, 5.16(b) defines how a founding member can be terminated
14:12 < phantomcircuit> shrem is a founding member
14:12 < TD> i looked at the SR forums once, a long time ago. it was full of threads complaining about bitinstant's AML policies. i figured charlie had finally wised up.
14:12 < TD> guess not
14:12 < michagogo|cloud> 3.6(b) is what defines founding members' special rights, afaict
14:12 < maaku> phantomcircuit: charges are pretty damning and not defending shrem at all ... but innocent until proven guilty is a pretty important part of due process
14:13 < shesek> so if I understand this correctly, until (and if) he's convicted, and unless he resigns, he remains a foundation member and part of the board
14:13 < phantomcircuit> maaku, sure, but the foundation is not the government, charlie has no right to be assumed innocent by a private party
14:13 < maaku> maybe there's some sort of way his duties as director can be suspended
14:13 < phantomcircuit> especially when he is so clearly guilty as all hell
14:13 < phantomcircuit> shesek, that's correct
14:14 < TD> there's a 2/3rd vote that could also remove him
14:14 < sipa> gmaxwell: and how long has that bitinstant.info thing been going on?
14:14 < michagogo|cloud> Hrm
14:14 < shesek> 3.6b - Except for the Founding Members who shall only be removed for cause (per the requirements detailed in Section 5.16(b)) ... 5.16b: (i) declared of unsound mind by a final order of court; (ii) convicted of a felony; or (iii) found by a final order or judgment to have breached any duty arising under these Bylaws,
14:14 < michagogo|cloud> I haven't read the whole thing, but it looks like he can be removed as director under 5.16(c)
14:14 < shesek> right
14:14 < _ingsoc> sipa: First time I heard of it. :/
14:14 < sipa> _ingsoc: same
14:14 < michagogo|cloud> All that requires cause is removal of his membership entirely
14:15 < phantomcircuit> TD, you're right 5.16(c)
14:15 < shesek> michagogo|cloud, not as a founding member, it seems
14:15 < phantomcircuit> TD, except looking at the sitting members of the board you're not going to get that
14:15 < maaku> sipa: since about the time bitinstant shut down, I forget when that was
14:15 < michagogo|cloud> shesek: From those two sections, I think it's only his membership that's protected as a founding member
14:15 < michagogo|cloud> Not his directorship
14:15 < phantomcircuit> michagogo|cloud, there isn't a way to remove him as a director without stripping his membership afaict
14:16 < michagogo|cloud> Isn't there?
14:16 < TD> sipa: that site is itself kind of dodgy looking.
14:16 < sipa> TD: no doubt about that
14:16 < michagogo|cloud> What about 5.16(c)?
14:16 < sipa> i just never knew there was any problem with bitinstant or people complaining about it :)
14:16 < sipa> but i clearly missed some things :)
14:16 < michagogo|cloud> Or is there something saying that removing a director necessarily removes their membership?
14:16 < TD> i knew they had an issue supplying people during the april spike and that triggered a class action lawsuit. this sounds different
14:17 < shesek> I bumped into that .info site for the first time today, too
14:17 < shesek> I have no idea who's behind that and if they have anything to back that up, was just pointing out he's accused by some people
14:18 < phantomcircuit> TD, they have bigger problems than that
14:18 < TD> clearly!
14:19 < phantomcircuit> TD, well...
14:19 < phantomcircuit> i believe bitinstant actually lost a good amount of their records
14:19 < phantomcircuit> as in they failed to deliver because they didn't know who purchased what
14:19 < michagogo|cloud> It would seem to me, from sections 3.6 and 5.16, that while his membership can't be terminated without cause, he can be removed as a director
14:19 < TD> at this point i'd believe anything about them
14:19 < michagogo|cloud> (unless there's a part saying that removing a director terminates their membership...)
14:19 < phantomcircuit> michagogo|cloud, except getting 2/3rds of the board to agree isn't something i expect to happen
14:19 < michagogo|cloud> Ah.
14:20 < jgarzik> "my night out with bitcoin millionaire and proud stoner Charlie Shrem" http://www.vocativ.com/12-2013/night-bitcoin-millionaire-proud-stoner-charlie-shrem/
14:20 < midnightmagic> michagogo|cloud: Only if he's convicted.
14:20 < jgarzik> Profile pieces like that can't help.
14:20 < michagogo|cloud> midnightmagic: no
14:20 < michagogo|cloud> midnightmagic: If he were convicted, his membership could be terminated
14:20 < midnightmagic> Ah (c)
14:20 < michagogo|cloud> But without a co-yes
14:20 < TD> and banned in russia too? crappy day for bitcoin indeed
14:21 < midnightmagic> Simple majority required for cause. 2/3 for without cause.
14:21 < phantomcircuit> russia is bipolar about regulation
14:21 < phantomcircuit> tomorrow they'll change their mind entirely
14:21 < TD> seems like it's the usual thing where different parts of government can't agree
14:21 < phantomcircuit> midnightmagic, you'll notice a felony conviction doesn't automatically eject them
14:21 < phantomcircuit> this is because roger ver is a felon
14:22 < TD> i would assume it'd be easy to distinguish between "convicted whilst being a member" and "convicted before being a member"
14:22 < TD> anyway. home time.
14:26 < midnightmagic> lol
14:26 * michagogo|cloud cringes at the away nick
14:26 < midnightmagic> phantomcircuit: Yeah I remember we had that conversation before and thinking it was odd but I suppose not unexpected.
14:27 < maaku> :sigh: is it really so hard to run an honest bitcoin business?
14:27 < maaku> /honest/law-abiding/
14:28 < gmaxwell> it's probably very hard or nearly impossible to be pedantically law abiding for many classes of business.
14:28 < midnightmagic> maaku: The attraction is very very strong to psychopaths and sociopaths. It's not hard. It's just easier to someone who literally can't anticipate or is completely unaffected by, consequences for actions.
14:28 < midnightmagic> .. to choose to conduct themselves unethically.
14:28 < gmaxwell> So you have this cooling effect where people who are both smart enough and interested enough in being law abiding run for the hills. What remains is overly dense with people who are stupid or sleazy.
14:29 < midnightmagic> and what gmaxwell said
14:29 < midnightmagic> maaku: The cool part is honest people are pretty good at recognising other honest people, and especially non-psychopaths.
14:30 < midnightmagic> s/honest/honest\/smart/
14:30 < midnightmagic> :)
14:30 < gmaxwell> Back in early 2011 I got pulled into technically consult with some people looking at running an exchange in the US and basically they concluded that the regulatory uncertainty was so great esp with the possibility of criminal charges even if you thought you were doing everything right that no amount of potential upside would make it make sense.
14:30 < jgarzik> yep
14:30 < jgarzik> I concluded same, independently ;p
14:31 * midnightmagic is glad to live in Canada, not for the first time
14:31 * jgarzik wanted to do an exchange in late 2010, but research proved 'hell no'
14:32 < phantomcircuit> gmaxwell, the principal issue is that it's difficult to operate a legitimate business if your competition are not compliant
14:32 < phantomcircuit> their costs are temporarily below yours
14:32 < _ingsoc> jgarzik: Smart man.
14:33 < jgarzik> phantomcircuit, indeed
14:33 < phantomcircuit> gmaxwell, operating an exchange in the us isn't impossible, just wildly expensive
14:33 < sipa> this is not really a wizards discussion, though...
14:33 < midnightmagic> sometimes wizards non-technical analyses or research is a quick way to disseminate myth-free facts.
14:34 < midnightmagic> just.. wanted to say I appreciate the links and quick refreshers on bitinstant history.
14:35 < jgarzik> sipa, agreed, though I think it's OK on rare days, when it's not drowning out other discussion
14:36 < jgarzik> days like when bitcoin is almost-banned in Russia and Shrem is arrested, for instance ;p
14:36 < sipa> well, i'm not innocent in keeping the discussion alive either
14:36 < sipa> but i like the rule of keeping this channel about non-actual-today-bitcoin stuff
14:37 < gmaxwell> sadly I don't think I can extract any real wizards discussion from this.
14:39 < optimator> sobering read - http://www.scribd.com/doc/202555785/United-States-vs-Charles-Shrem-and-Robert-M-Faiella
14:41 * midnightmagic 's optimism gets strangled in its crib
14:41 < jgarzik> sipa, part of the "problem" is that the conversation is really people-centered, not topic-centered. #bitcoin-dev-chatter-but-without-the-assholes.
14:41 < michagogo|cloud> optimator: Is that document identical to http://www.scribd.com/doc/202572639/Faiella-Robert-M-and-Charlie-Shrem-Complaint?
14:41 < jgarzik> thus it appears wherever we are ;p
14:41 < michagogo|cloud> (appears to be)
14:43 < optimator> michagogo|cloud - i think so, it's just the link i had
15:38 < adam3us1> ooh policy-wizards :) shrem = crazy guy, doing seemingly self-sabotaging actions if the accusations are correct.
15:46 < petertodd> adam3us1: overhearing him talking with a group while prepping my talk in the speakers room at the san jose conference convinced me the dude was a bit unbalanced to say the least
15:47 < petertodd> bbl
16:36 < jtimon> has anyone looked into twister?
16:37 < jtimon> seems interesting http://twister.net.co/

He proposed 20 MB, with no exponential increase. Again, no agreement, no counter proposal, no willingness to compromise, despite all indications that the community at large wants to do a hard fork. Gavin suggested that perhaps we could do 8 MB. Again, no counter proposal, no compromise. Look, the developers owe the community nothing. They're working for free, making free software that makes Bitcoin, and by extension, the world, better. However, the community also has a right to move from their consensus if it deems it sub-optimal. Hopefully it won't come to that, and cooler heads will prevail, and reach some kind of mutually acceptable consensus.

awemany (6 points, 17 hours ago):
> Gavin suggested that perhaps we could do 8 MB. Again, no counter proposal, no compromise.
That's the point. Consensus isn't reached when one party (the blocksize limiters) vetoes everything. And they don't even really veto it. They just stay stubborn and let Gavin argue for an increase - and they basically sit there without reacting. That, IMO, is not constructive behavior at all. That alone makes me think that it is indeed a wise choice of Satoshi to hand Gavin the keys and not Greg. Greg certainly has some very deep, technical knowledge and great ideas - but lacks the overall high-level perspective and foresight that Gavin has. Because he was on this blocksize increase issue for years, and given the contention here, he was obviously right in planning it and pushing it forward now.

whitslack (5 points, 1 day ago):
If any of the core devs wants to make a hard-fork change that can't gain consensus, he should indeed make a new coin. That's exactly what happens at any hard fork, consensus or no. The only question is which of the two coins (old or new) will ultimately win the battle for market share. I personally will refrain from betting, by running both clients and demanding that anyone paying me a large sum pay me in both block chains.

Noosterdam (6 points, 22 hours ago):
> ruled by consensus, not by dictatorship.
Open source means you always can have consensus if you value it over all else. There is no actual dictatorship, except in the quite trivial sense that each maintainer is the dictator of their own fork. No one is in control. Gavin can't dictate that the coin issuance increase to 22M coins, for example. If he does, he's suddenly the dictator of an unused fork. No actual people are being controlled in any way. Everyone is free to do anything they want. The users will gravitate toward whoever is creating the most value at any given time.

exo762 (5 points, 13 hours ago):
/r/bitcoin members have been repeating the words decentralized and consensus, which both mean very specific things, in so many contexts that they have pretty much lost their meaning. Consensus is achieved while solving the Byzantine generals problem by miners. It's a consensus between machines and it's about transactions. It's not a consensus between people or between developers. Decentralization. Same thing - no way to censor or block transactions, to limit one's access to the network, to shut down the whole thing by attacking a single point of failure. It's not decentralization of the development process or decision making process. Successful projects have leadership. Peter Todd is not a leader, he is at most an advisor. He has knowledge, but he obstructs action by excessive warnings about often obscure dangers, not leading minds forward. This is not how proper engineering is done.
dudemanguysirmister (11 points, 1 day ago):
Humans have never and will never reach 100% consensus on anything. Would you say that if Satoshi was still developing the coin? It would be his project and he can do what he wants with it. Gavin was given control of the project and at some point he's going to have to lead. Gavin is not the only developer in favour of the increase. If everyone is sensible and wants to increase it, then let's increase it. The mechanism is 1 line of code. The timing is within the next year.

lorempsum [S] (3 points, 1 day ago):
Consensus doesn't necessarily mean 100%. Reaching a broad consensus is possible even if a few developers are against it. The current state of affairs, where everyone other than Gavin and Mike is opposing the change, is VERY FAR from any kind of consensus. If anything, there's a very clear consensus against Gavin's proposal (but not against raising the limit in general).
> Would you say that if Satoshi was still developing the coin?
I would say the exact same thing. If he was in such a clear minority pushing for a change, the change should be rejected. He's not god and shouldn't be trusted blindly. I trust reason and rationale, not people.
> The mechanism is 1 line of code.
The change being simple code-wise does not make it simple. There are many ideological, political and technical challenges there. Changing the total number of coins is also a one line change - do you consider that a "simple" change too?

dudemanguysirmister (11 points, 1 day ago):
Last I knew, more than just Mike and Gavin wanted the increase. Furthermore, a large percentage of the community wants it and is being held hostage with solutions that don't exist. Just because a project is open source doesn't mean we treat every person in the auditorium with an idea as a special snowflake. Look at Linux as an example. As for the block limit, it's pretty simple actually, it used to be higher and was artificially capped. This isn't some kind of new paradigm shift or technological breakthrough where we aren't sure what will happen. Miners can still relay smaller blocks if they want to. UTXO will fill up some but that's inevitable. The coin limit was never artificially capped and can't be. It is simply not a good comparison. I actually don't care if Gavin makes Gavincoin. I would use that and sell all my Bitcoin because Bitcoin would serve no purpose any more. Bitcoin with larger blocks will not cease to function and is a more robust payment network, it's closer to reaching its potential. Even lightning devs have said they would need bigger blocks. With Gavincoin, developers could port Lightning to it and all the other Bitcoin addon layers. Bitcoin would then look silly in comparison and the people left behind would have deliberately shot themselves in the foot. How is Bitcoin going to be the internet of money with 1 MB blocks? Make it 4 MB then. IDC at this point, it must increase to something.

lorempsum [S] (-3 points, 1 day ago):
> Last I knew, more than just Mike and Gavin wanted the increase.
Nope. It is just Mike and Gavin. The majority of the other core devs want an increase, just not as per Gavin's proposal.
> a large percentage of the community wants it
This should not be a popularity contest. Many in the community want it only because Gavin is pushing for it and their vulnerability to "appeal to authority" arguments. This is evident by the shrinking support since the public debate started, compared to when Gavin originally started his push to 20mb blocks.
> This isn't some kind of new paradigm shift or technological breakthrough where we aren't sure what will happen.
It sure is. It would affect the decentralized nature of the network, make the requirements for running a full node higher, exclude many people from running a full node, change the fee-market economics and alter one of the two important scarcities in Bitcoin (the coin limit being the other one). In addition, and probably most importantly, it alters the decision-making process of Bitcoin development from rule-by-consensus to rule-by-dictatorship, which is the part I find most problematic.
> Miners can still relay smaller blocks if they want to.
There are many problems with that. The blockchain is a public good and is prone to tragedy of the commons issues. One could say the same thing about coin generation - why not let the "free market mining process" determine that too?
> I actually don't care if Gavin makes Gavincoin.
That would be much better than forcing a change down Bitcoin's throat, but also quite problematic for the future of Bitcoin. I would still be completely okay with that (though, imho, Gavin is only playing that Bitcoin-XT card to gather support for a 20MB change in Bitcoin itself; more of a game-theory kind of thing where he makes that threat so that he doesn't have to actually do that).
> How is Bitcoin going to be the internet of money with 1 MB blocks?
I'm totally for a block size increase; just not to 20mb in one quick jump made now.

dudemanguysirmister (6 points, 1 day ago):
Blocks aren't consistently full now so it doesn't really change the fee structure all that much. Blocks also wouldn't magically become 20 MB overnight. They wouldn't become 8 MB overnight. I don't really care what the number is so long as it's greater than 4 MB, which would make this a very temporary fix. This is all going to look ridiculous in retrospect. As long as the miners are being subsidized by the block reward the fee-market doesn't matter except for getting included in a full block. The fee market will not matter for a long time. If the limit was increased to 8 MB then we would eventually get back to this same exact scenario and you would be saying the same exact thing. I agree that Gavin's proposal of forcing it isn't the best idea, but nobody is actually compromising. If you could point to a post where Maxwell et al. says anything greater than 4 MB would be ok then I'd be interested to read that. Last I saw Gavin was trying to get 8 MB, chinese miners were saying no, and the other devs were silent. The problem with going too low is we'll be back to this same scenario rather quickly.
edit: I want to add that nodes are not a problem. This is like when Peter Todd said he sold x% of his coins because mining centralization was a problem. Look at how wrong he was. I said it at the time on a different account that he would be proven wrong and that it was VERY obvious that he would be. All of us involved in the community know that it is in our best interest to see Bitcoin succeed, whether it's from a purely ideological standpoint or an economic one. I run a full node because I know it's important. I pay for a server in a data center with a huge connection. If the node count dropped drastically and was in danger then I'd run more. It would be stupid of me not to (because of the wealth I have in Bitcoin), and I know a large portion of this community is in it to win it. We aren't going to watch our money evaporate because we can't be hassled to run a few servers. Don't kill the goose that laid the golden egg.
eragmus (4 points, 1 day ago):
> Last I saw Gavin was trying to get 8 MB, chinese miners were saying no, and the other devs were silent.
Chinese miners actually said "yes" to that proposal. I agree though that I didn't actually hear any other devs respond to it, beside Luke (props to Luke for participating). Let's get proper discussion on the 8MB/4MB idea. According to Gavin, that compromise would be viable, so this seems like a far better place to start than with 20MB.

laisee (0 points, 23 hours ago):
Can we simplify the debate to 8MB or No Change? Final offer from all sides. There has been enough talk and, IMHO, Gavin has tried very hard to find a sensible compromise. 8MB or No - what's the answer?

persimmontokyo (2 points, 13 hours ago):
Chinese miners who expressed an opinion were good with 10MB. Please don't spread FUD.

awemany (1 point, 17 hours ago):
Is blocking consensus at all costs itself consensus? I don't think so...

bobbyb500 (1 point, 1 day ago):
I thought it was ruled by the consensus of the miners. It's not a dictatorship when any dev can make any change they want, but it's up to the miners to implement that change. If Gavin makes this change to the block size and the miners consent to that change, shouldn't that be all that it takes?

bit-cash (-1 points, 17 hours ago):
No. The miners don't have any power. The power lies in the hands of people that are willing to purchase the mined coins. So miners will make sure they mine the coins that have the best value, because if they don't they will go bankrupt. And that will be the scalable version, I have zero doubt in that.

mmeijeri (2 points, 20 hours ago):
Peter Todd is not proposing a fork.

pointjudith (3 points, 13 hours ago):
Fork him.

aminok (4 points, 1 day ago):
It seems like the least bad option if all else fails, but it is indeed a very poor and dangerous option, and should be avoided if at all possible.

eragmus (1 point, 1 day ago):
Seems like utter nonsense and incredibly foolish. Gavin is not ruler of Bitcoin and the $3.2 billion of value it represents. Many people made Bitcoin what it is today, and Gavin has a responsibility (if he thinks 'wisdom' and 'humility' are virtues) to aim for consensus and not act rashly. If alarmist fools are "pushing him to be more of a dictator", then he should have the sense to resist that "push" instead of allowing the ignorant/emotional mob to inflate his ego. The more I hear Gavin's arrogance come out, the more I feel he has lost his mind and needs to step down from his position or forcefully be made to step down. I'm having a hard time believing he is still a good steward of Bitcoin, or that he can responsibly handle a position of power. Gavin needs to gain a sense of perspective, perhaps by looking at great leaders of the past for his inspiration, e.g. the great Roman emperor, Marcus Aurelius. "Marcus Aurelius' Stoic tome Meditations, written in Greek while on campaign between 170 and 180, is still revered as a literary monument to a philosophy of service and duty, describing how to find and preserve equanimity in the midst of conflict by following nature as a source of guidance and inspiration."

BusyBeaverHP (5 points, 1 day ago):
Gavin isn't the ruler of bitcoin, he's just a man whom Satoshi handed Bitcoin's GitHub keys to before disappearing, therefore Satoshi's will is with Gavin. That isn't to say he is infallible, but the thing is, Gavin has the popular support AND the support of many key players in the space regarding the blocksize increase: https://www.reddit.com/r/Bitcoin/comments/37y8wm/list_of_bitcoin_services_that_supportoppose/
... On the other side of the blocksize debate, there's GMaxwell. GMaxwell thinks he's libertarian, but he's extremely tyrannical by the fact that he thinks his beliefs of what is decentralization should be imposed on others for their own good. An excerpt:
> I believe that a Bitcoin like that would be a failure even if the coins somehow retained high value, because it would be just a reboot of the existing infrastructure, but probably worse-- lacking the a design purpose fit for a centralized world, as well as the regulatory history and experience of the traditional systems... ...Instead, I believe Bitcoin can be successful as a truly decentralized system which depends on cryptographic proof rather than trust. To get there we have to frankly face the extreme costs of having a decentralized system, and potentially tolerate slower short term adoption...
So Maxwell's got his million dollars from Blockstream's VC rounds, and has leisurely time to mull about theoretical things without running real numbers backing them up, and has no incentive to increase the value of the network in the face of innumerable alt-coins waiting for Bitcoin to fuck up. Just as the construction of the blockchain is a competition, Bitcoin is a zero-sum contestant in the cryptocurrency space. Having less value while there are many competitors who are faster to adopt whatever slow changes you throw their way plus their own innovation, is asking for death by a thousand cuts. When given a chance to raise Bitcoin's value, never, ever, ever back down, because the moment we do, the Alt-coins and powers-that-be will not waste a moment's time to capitalize on it. Last I checked, wasn't Blockstream funded to improve the cryptographic protocol and not impose ill-researched economic decisions on the entire ecosystem? If I was running a company and some engineer was spouting some bullshit like holding off our company's growth (hence increased revenue) in the face of competition, I'd fire him on the spot. Last but not least. GMaxwell's shining leadership on display:
> If the Bitcoin community wants to go commit suicide, I'm confident that I can sell my most of my bitcoins before most of the public has realized things have gone wrong.

aminok (4 points, 1 day ago):
GMaxwell has proposed several ways to tackle the hard fork issue, and has always said he's not for a "1 MB block size limit forever". He's entitled to his views on decentralization, and entitled to walk away if the project moves in a direction not congruent to his views. This would be a great loss to the community, and to the future of digital currency, so this should be discouraged if at all possible.

eragmus (0 points, 1 day ago):
That's where we disagree. I think it should be avoided at all costs, especially since most of the experts are against the increase, including Garzik. Gavin and Hearn are essentially the only core contributors in favor of a massive 20x increase in block size.

conv3rsion (1 point, 23 hours ago):
in MAXIMUM block size. its not massive. its just not. its < $50 a year in storage if all blocks were full, total.

eragmus (2 points, 23 hours ago):
Storage is one factor, but the bigger concern is a 20x increase in bandwidth requirement for nodes. Bandwidth is still very scarce in many parts of the world, including the U.S. (due to the U.S.'s telecom monopolies and horrible competitive landscape for broadband).

conv3rsion (1 point, 23 hours ago):
20MB blocks require a MAXIMUM of 1 MB/S broadband. Most of the world is way way past that. In fact, 110 countries have faster AVERAGE broadband than that. Can we at least target something that works almost everywhere in the world? Source: http://www.netindex.com/download/allcountries/

zeusa1mighty (2 points, 22 hours ago):
You forget data caps; the speed is irrelevant. It's the total bandwidth usage per month. Upping to 20mb would multiply the data requirements by 20x (assuming all full blocks in both 1mb and 20mb scenarios). People with reasonable datacaps (I now have 750gb/month) may not be able to keep a full node running on their ISP.

i_wolf (1 point, 17 hours ago):
20mb requires only 170gb per month. If we'll see an actual 50x spike in demand then there will be plenty of new full nodes and miners all over the world.

eragmus (2 points, 6 hours ago):
The argument concerns data caps, not speeds. See: https://www.reddit.com/r/Bitcoin/comments/393fym/gavin_andresen_a_lot_of_people_are_pushing_me_to/cs0xznd

lorempsum [S] (4 points, 1 day ago):
> ... On the other side of the blocksize debate, there's GMaxwell.
And every other core developer, other than Gavin and Mike (though Mike hasn't really been a contributing developer for a long long time now).
> GMaxwell thinks he's libertarian, but he's extremely tyrannical by the fact that he thinks his beliefs of what is decentralization should be imposed on others for their own good.
Come on, really? How is that even relevant? Talk about his claims and rationale, not about his personality.
https://yourlogicalfallacyis.com/ad-hominem When given a chance to raise Bitcoin's value, never, ever, ever back down, because the moment we do, the Alt-coins and powers-that-be will not waste a moment's time to capitalize on it. There are many valid reason to oppose a change that might increase Bitcoin's value on the short-term, but harm it in the long-term. Your arguments are just classic scare tactics. Last I checked, wasn't Blockstream funded to improve the cryptographic protocol and not impose ill-researched economic decisions on the entire ecosystem? Blockstream has no opinion on this matter; It's the people who happen to work there that too. I don't see any relevance in that argument, at all. permalink save parent report give gold reply ][deleted] 1 day ago [deleted] ]aminok 2 points 1 day ago Your contribution is really moving the discussion forward in a civil and constructive direction. /s permalink save report give gold reply ]laisee 0 points 23 hours ago Blockstream has no opinion, but it does have a stake in the argument though it's expected future profits. Tell me that doesn't change the debate ever so slightly for the "No" camp. permalink save parent report give gold reply ]laisee 0 points 23 hours ago Blockstream has no opinion, but it does have a stake in the argument though it's expected future profits. Tell me that doesn't change the debate ever so slightly for the "No" camp. permalink save parent report give gold reply ]mmeijeri 2 points 20 hours ago Gavin does not need to step down from any official position as Bitcoin doesn't have any official positions. He's just some guy on the internet, just like you and me, only with far more influence than you or me. permalink save parent report give gold reply ]eragmus 2 points 7 hours ago Sadly. permalink save parent report give gold reply ]Apatomoose 4 points 23 hours ago In the face of all the chaos and lack of action it is refreshing to see someone stepping up and talking a strong lead. Heil Gavin! 
DakotaChiliBeans, 2 points, 17 hours ago:
Bitcoin price is up today. The market has spoken, it demands more division among bitcoin users. To the Moooonnn!!!

BeefSupreme2, 2 points, 23 hours ago:
My coins are going to be worthless after this debacle :(

scotty321, 1 point, 21 hours ago:
LOVE GAVIN ANDRESEN!!!

MeanOfPhidias, 1 point, 1 day ago:
That's the exact kind of sentiment that needs to find another project. If that is where his heart lies maybe it's time to listen to the Dark Wallet folks

leon6677, 2 points, 23 hours ago:
Gavin we trust you do what you think is best in the long run

luckdragon69, 1 point, 23 hours ago:
don't fall for scare tactics - the other devs aren't worried, Gavin is in the Minority

leon6677, 1 point, 15 hours ago:

-----
it with SVN. Place your .po file 3 directories deep under the src directory. Open it with poedit and do Catalog->Update from sources.

So for example, you have:
src
src\base58.h
src\bignum.h
...
src\util.cpp
src\util.h
src\xpm
src\locale\ru\LC_MESSAGES\bitcoin.po

Open bitcoin.po with poedit, do Catalog->Update from sources. It looks for the sourcecode up 3 directories (..\..\..) from where bitcoin.po is.

This updates your existing .po file you already worked on and adds any new strings. It may try to match close strings, so check things over and make sure it didn't make any bad guesses.

Make sure you use the .po file I uploaded to SVN or in a release, because I always fix up at least a few things.
I'm attaching your Russian one to this message.

-----
15366 1347 6 1286221720 15366 0 xx 1 | Re: [PATCH] increase block size limit

It can be phased in, like:

if (blocknumber > 115000)
    maxblocksize = largerlimit

It can start being in versions way ahead, so by the time it reaches that block number and goes into effect, the older versions that don't have it are already obsolete.

When we're near the cutoff block number, I can put an alert to old versions to make sure they know they have to upgrade.

-----
15660 151 6 1286379759 15668 1286383231 satoshi xx 1 | Re: Website and software translations

poedit reorganised the file for some reason. I re-ran update from sources and it put it back in the original order so it's fine now. Did you run it on a drive where files aren't sorted alphabetically, like a FAT drive or USB flash drive?

Strings aren't added or changed very often. It's months before enough changes build up.

I uploaded the changes.

This Windows build has the Russian translation in it:
http://www.bitcoin.org/download/bitcoin-0.3.13.2-win32-setup.exe

-----
15662 1378 3 1286379992 15662 0 xx 1 | Re: I'm not seeing post attachments...

Fixed.

You were right. Post Attachments and View Attachments was unchecked.

-----
15672 1306 6 1286384063 15672 0 xx 1 | Re: I broke my wallet, sends never confirm now.

That's going to be more of a SelectCoins thing.

SVN rev 161 has a refinement to recursively determine if your own unconfirmed transactions can be spent. This is needed because you should be able to spend your own change right away.

The new recursive determination is: 0/unconfirmed can be spent if it's yours and all its dependencies are either in a block or also yours.

Here's a Windows build:
http://www.bitcoin.org/download/bitcoin-0.3.13.2-win32-setup.exe

This version is an improvement if you already had a 0/unconfirmed transaction and might have already spent it. If you were the original creator of a 0/unconfirmed transaction, you still need theymos' patch instead.

-----
15682 1375 6 1286386601 15682 0 xx 1 | Re: Tor connections not working reliably, many seednodes offline

Maybe you were just unlucky to have an exit node without reverse lookup.

The IRC server's response doesn't look like it was disconnecting you for that. It's supposed to go IRC SENDING: NICK after that, and it doesn't so it gets timed out.

I see the problem. The IRC code is looking for various phrases to see when the server is ready to receive your NICK, but it's not looking for that particular phrase. I'll fix it.

I don't know if it's really required to wait for the server to finish looking up hostname before sending nick.

How long did it take to get connected with TOR the first time, having to use the seed nodes?

-----
15741 1268 5 1286406631 16341 1286662327 satoshi xx 1 | Re: The Niche List

[quote author=kiba link=topic=1268.msg13828#msg13828 date=1285257616]
1. Download site like rapidshare and other crappy host. Inconvenient captcha and required paypal. Bitcoin can possibly take both roles and streamline the whole process.
[/quote]
Repeating myself here, but there is open source software for that, so it would just be a matter of bolting on a Bitcoin payment mechanism. One good one I found was Mihalism Multi Host. It's designed as a free host, so it would just need a few tweaks to loosen up restrictions consistent with paid use.

-----
16316 1414 6 1286655573 16316 0 xx 1 | Key pool feature for safer wallet backup

SVN rev 163 (ver 0.3.13.3) has the key pool feature. Pre-generated new keys are aged in a queue before use, so that backups of wallet.dat hold keys you'll use in the future.

For now I made the default pool size 100. It can be configured with -keypool=. Be aware, it takes a little time to increase the pool size, so don't go crazy with it. Disk space is about 1K per key.

I have not addressed the recovery side of this yet. If you actually did restore an old wallet.dat, I think you may have to delete blk*.dat to rediscover your own transactions during the redownload.

I've only tested this moderately. You might not want to use this for a website server until it's had some more testing.

-----
17924 1528 6 1287679167 17961 1287700410 satoshi xx 1 | Version 0.3.14

Version 0.3.14 is now available
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.14/

Changes:
- Key pool feature for safer wallet backup
Gavin Andresen:
- TEST network mode with switch -testnet
- Option to use SSL for JSON-RPC connections on unix/osx
- validateaddress RPC command
eurekafag:
- Russian translation

-----
17965 151 6 1287701447 17965 0 xx 1 | Re: Website and software translations

The order matters not to the program, but it matters to me maintaining it. If it jumbles the order of the .po file then I can't diff for changes. I have to update all 7 translation files when I change the English text in the program, and it's easier when they're all in the same order.

I can still put it back into normal order by making poedit rescan it.

It is normal that untranslated strings are shown on top.

[quote author=eurekafag link=topic=151.msg15697#msg15697 date=1286393976]
By the way, there are some similar lines that possibly may be replaced by one. They are very close by meaning and differ only by 1-2 words. Just a suggestion of course.
[/quote]
I know, but not easily without complicating the sourcecode.

-----
18241 1530 4 1287858169 18243 1287858772 satoshi xx 1 | Re: ERROR - PLEASE HELP ME!

[quote author=theymos link=topic=1530.msg17955#msg17955 date=1287698426]
his block count remains "stuck" at 1698.
[/quote]
He was generating invalid blocks at difficulty 1.0. He must have a corrupted entry in his blk0001.dat or blkindex.dat file. He just needs to delete blk*.dat and let it redownload.

The safety lockdown detected the problem and was displaying "WARNING: Displayed transactions may not be correct!" because it saw a longer chain existed that it was unable to accept. The safety lockdown cannot stop generation or it would create an attack possibility.

[quote author=gavinandresen link=topic=1530.msg18074#msg18074 date=1287757514]
The Bitcoin client really shouldn't allow coin generation until you have all of the blocks up to the last block checkpoint.
[/quote]
Good idea, I made a change to make sure it won't generate before checkpoint block 74000.

-----
18245 1530 4 1287859084 18245 0 xx 1 | Re: ERROR - PLEASE HELP ME!
OK, if it really won't get past block 1698 on redownload, then we're in stranger territory.

Yes, possibly he has antivirus software or even a router or firewall that is pattern matching a sequence of bytes and censoring it.

It would be instructive to get knightmb's blk*.dat and see if that gets him past that point.

-----
18246 1540 4 1287859922 18246 0 xx 1 | Re: Win7 64bit since last patch Tues now crashes

[quote author=Odin link=topic=1540.msg18105#msg18105 date=1287782678]
Fault Module Name: mingwm10.dll
[/quote]
This is the important clue. I believe it's saying it crashed in that. Maybe there are other versions of it to try. mingwm10.dll is just a simple placeholder thing that satisfies some callback requirement for multithreaded apps.

Is anyone else running OK on Windows 64-bit?

-----
18250 1545 6 1287860577 18250 0 xx 1 | Re: Suggestion: Allow short messages to be sent together with bitcoins ?

ECDSA can't encrypt messages, only sign signatures.

It would be unwise to have permanently recorded plaintext messages for everyone to see. It would be an accident waiting to happen.

If there's going to be a message system, it should be a separate system parallel to the bitcoin network. Messages should not be recorded in the block chain. The messages could be signed with the bitcoin address keypairs to prove who they're from.

-----
18349 665 6 1287947871 18349 0 xx 1 | Re: Multiple Wallets, one computer

I have the beginning of something like this. It's mostly like what Gavin described.

Some more rpc interface:

move <fromaccount> <toaccount> <amount>
    Move from one internal account to another. I think blank account name ("") will be your default account. If you sell something to a user, you could do move "theiraccount" "" 123.45.
    Is "move" the best name for this? I shied away from "transfer" because that sounds too close to sending a transaction.

I'm thinking a new function getaccountaddress instead of overloading getnewaddress:

getaccountaddress <account>
    Gives you an address allocated from getnewaddress <account>. It'll keep giving the same address until something is received on the address, then it allocates a new address. (It automatically does what the sample code I posted some time ago did)

Would these commands make it possible in simple cases to implement your website without needing a database of your own?

-----
18508 665 6 1288025633 18508 0 xx 1 | Re: Multiple Wallets, one computer

Here's some pseudocode of how you would use the account based commands. It sure makes website integration a lot easier.

print "send to " + getaccountaddress(username) + " to fund your account"
print "balance: " + getbalance(username, 0)
print "available balance: " + getbalance(username, 6)

// if you make a sale, move the money out of their account
move(username, "", amount, 6)

// withdrawal
sendfrom(username, bitcoinaddress, amount, 6)

-----
18511 1540 4 1288027667 18682 1288110542 satoshi xx 1 | Re: Win7 64bit since last patch Tues now crashes

The only thing I can think of is to see if there are other versions of mingwm10.dll you can get. mingwm10.dll is a tiny little DLL that came with the MinGW compiler that you need when you build for multi-thread. I don't know exactly what it does, but it probably just says something like "yes Windows, see I'm in a DLL like you insisted."

The end of your debug.log file might show the last thing it was doing before it crashed.

-----
21766 64 1 1289609751 21766 1289610386 satoshi xx 1 | Re: New icon/logo

I'm happy if someone with artistic skill wants to contribute alternatives. The icon/logo was meant to be good as an icon at the 16x16 and 20x20 pixel sizes. I think it's the best program icon, but there's room for improvement at larger sizes for a graphic for use on websites.

It'll be a lot simpler if authors could make their graphics public domain.

-----
21896 1668 6 1289690726 21896 0 xx 1 | Re: Some testing that I did on the testnetwork, my findings.

Thank you for limiting flood tests to the testnet.

Version 0.3.15 combines several features to help legitimate transactions jump the queue during a flood attack. The key was Gavin's idea for prioritising transactions based on the age of their dependencies. Every coin is entitled to turn over so often. The longer waited, the more priority accumulates. Priority is sum(valuein * age) / txsize. Transaction fee still takes precedence over priority, and priority determines the order of processing within a fee strata.

In support of the priority feature, SelectCoins uses your own 0 conf transactions only as a last resort if that's all you have left. This helps keep you from turning your coins over rapidly unless you're forcing it by actually turning all your coins over rapidly.

-----
21897 1780 6 1289690800 21897 0 xx 1 | Version 0.3.15

Version 0.3.15 is now available.

Changes:
- paytxfee switch is now per KB, so it adds the correct fee for large transactions
- sending avoids using coins with less than 6 confirmations if it can
- BitcoinMiner processes transactions in priority order based on age of dependencies
- make sure generation doesn't start before block 74000 downloaded
- bugfixes by Dean Gores
- testnet, keypoololdest and paytxfee added to getinfo

-----
21959 1668 6 1289753599 21959 1289754952 satoshi xx 1 | Re: Some testing that I did on the testnetwork, my findings.

[quote author=ByteCoin link=topic=1668.msg21899#msg21899 date=1289692511]
Of course, if the network is not being flooded and you're not overly concerned about the current transaction getting held up then it's probably worth preferring to use your 0 conf transactions so that you can "save" the higher priority coins for when the network [b]is[/b] being flooded.
[/quote]
You should use at least some priority in case a flood comes along before the next block.

As long as all dependencies have at least 1 conf, if the transaction doesn't have enough priority at first, the dependencies will age until it does.

[quote]
Gaming the system by including 1000 or so recently turned over BTC to bump the priority as described in my post above still works of course!
[/quote]
Or managing how much priority you spend on a transaction. The software would have to know your future plans to know

-----
9530 823 6 1281905949 9530 0 xx 1 | Re: overflow bug SERIOUS

Here's the preliminary change. Look right? I have more changes to make, this isn't all of it. Will SVN shortly.

[code]
bool CheckTransaction() const
{
    // Basic checks that don't depend on any context
    if (vin.empty() || vout.empty())
        return error("CTransaction::CheckTransaction() : vin or vout empty");

    // Check for negative and overflow values
    int64 nTotal = 0;
    foreach(const CTxOut& txout, vout)
    {
        if (txout.nValue < 0)
            return error("CTransaction::CheckTransaction() : txout.nValue negative");
        if (txout.nValue > 21000000 * COIN)
            return error("CTransaction::CheckTransaction() : txout.nValue too high");
        nTotal += txout.nValue;
        if (nTotal > 21000000 * COIN)
            return error("CTransaction::CheckTransaction() : txout total too high");
    }

    if (IsCoinBase())
    {
        if (vin[0].scriptSig.size() < 2 || vin[0].scriptSig.size() > 100)
            return error("CTransaction::CheckTransaction() : coinbase script size");
    }
    else
    {
        foreach(const CTxIn& txin, vin)
            if (txin.prevout.IsNull())
                return error("CTransaction::CheckTransaction() : prevout is null");
    }

    return true;
}
[/code]

Don't sticky the topic, nobody looks up there. There'll be enough posts to bump.

-----
9531 823 6 1281906405 9531 0 xx 1 | Re: overflow bug SERIOUS

It would help if people stop generating. We will probably need to re-do a branch around the current one, and the less you generate the faster that will be.

A first patch will be in SVN rev 132. It's not uploaded yet. I'm pushing some other misc changes out of the way first, then I'll upload the patch for this.

-----
9539 823 6 1281907435 9539 0 xx 1 | Re: overflow bug SERIOUS

Once you have an update, you could download knightmb's block chain. You'll want one that's old enough that it ends [i]before[/i] block 74000 so the most recent security lockin will check it. Can someone find the link for that?
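Added example (Python, written for this page; it is not Bitcoin's C++ and not the project's code) showing why the per-output and running-total checks in the CheckTransaction() patch above are both needed. The pre-patch logic is modelled as "output total must not exceed input value" with int64 wrap-around; the two-output values are constructed so their 64-bit sum wraps negative, and are not claimed to be the figures from the actual block 74638 transaction. COIN and the 21000000 * COIN bound are taken from the posted code; TxIn, int64() and the helper names are this example's own.

```python
from collections import namedtuple

# Added example, not Bitcoin's source. Models the int64 arithmetic that the
# patched CheckTransaction() guards against, and the patched checks themselves.
COIN = 100_000_000              # satoshis per BTC, as in the original code
MAX_MONEY = 21_000_000 * COIN   # the 21000000 * COIN bound from the patch
INT64_MIN = -(1 << 63)

# Transaction input: prevout is a (txid, n) tuple, or None for the null
# outpoint that marks a coinbase; script_sig is the raw scriptSig bytes.
TxIn = namedtuple("TxIn", "prevout script_sig")


def int64(x: int) -> int:
    """Wrap an arbitrary-precision integer the way C++ int64 addition wraps."""
    return ((x - INT64_MIN) % (1 << 64)) + INT64_MIN


def is_coinbase(vin) -> bool:
    return len(vin) == 1 and vin[0].prevout is None


def unpatched_value_check(value_in: int, vout) -> bool:
    """Pre-patch logic in miniature: only the (wrapping) output total is
    compared with the input value. Two outputs just under 2**63 each wrap
    to a small negative total, so the transaction looks like it pays a fee."""
    total_out = 0
    for n_value in vout:
        total_out = int64(total_out + n_value)
    return total_out <= value_in


def check_transaction(vin, vout):
    """Context-free checks mirroring the posted CheckTransaction().
    Returns (ok, reason) instead of logging through error()."""
    if not vin or not vout:
        return False, "vin or vout empty"
    n_total = 0
    for n_value in vout:
        if n_value < 0:
            return False, "txout.nValue negative"
        if n_value > MAX_MONEY:
            return False, "txout.nValue too high"
        # Each term is now <= MAX_MONEY and the running total is bounded,
        # so this addition can no longer overflow a signed 64-bit integer.
        n_total += n_value
        if n_total > MAX_MONEY:
            return False, "txout total too high"
    if is_coinbase(vin):
        if not (2 <= len(vin[0].script_sig) <= 100):
            return False, "coinbase script size"
    else:
        for txin in vin:
            if txin.prevout is None:
                return False, "prevout is null"
    return True, "ok"


# Constructed demonstration values (not the figures from the real incident):
# two outputs of 2**63 - 500000 satoshis each sum to 2**64 - 1000000, which
# wraps to -1000000, i.e. -0.01 BTC of apparent output.
HUGE = (1 << 63) - 500_000
OVERFLOW_VOUT = [HUGE, HUGE]
SPEND_VIN = [TxIn(prevout=("ab" * 32, 0), script_sig=b"\x00" * 72)]

if __name__ == "__main__":
    print("unpatched accepts overflow tx:", unpatched_value_check(50 * COIN, OVERFLOW_VOUT))
    print("patched verdict:", check_transaction(SPEND_VIN, OVERFLOW_VOUT))
```

The per-output bound alone would not be enough: a transaction of many outputs each just under 21000000 * COIN still overflows the total, which is what the second comparison inside the loop catches before the addition can wrap.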
-----
9548 823 6 1281908419 9548 0 xx 1 | Re: overflow bug SERIOUS

Patch is uploaded to SVN rev 132!

For now, recommended steps:
1) Shut down.
2) Download knightmb's blk files. (replace your blk0001.dat and blkindex.dat files)
3) Upgrade.
4) It should start out with less than 74000 blocks. Let it redownload the rest.

If you don't want to use knightmb's files, you could just delete your blk*.dat files, but it's going to be a lot of load on the network if everyone is downloading the whole block index at once.

I'll build releases shortly.

-----
9573 823 6 1281913088 9573 0 xx 1 | Re: overflow bug SERIOUS

Don't update the block chain download. When you take someone's block chain download, you don't want it right up to the end. A somewhat old one is better so it can download and verify the most recent blocks.

tcatm's 4-way SSE2 SHA-256 is in the file sha256.cpp and already uploaded a few revs ago.

I just now uploaded rev 134 which is the makefile.unix that enables building with it on Linux. If you build rev 134 on Linux now you'll get the -4way switch.

If you have problems building because of it, then edit makefile.unix and:
- remove -DFOURWAYSSE2
- remove obj/sha256.o from the end of these lines:
bitcoin: $(OBJS) obj/ui.o obj/uibase.o obj/sha256.o
bitcoind: $(OBJS:obj/%=obj/nogui/%) obj/sha256.o

The 0.3.10 linux build [i]will[/i] have the -4way option when I build it.

Here are the patch downloads for Windows:

http://www.bitcoin.org/download/bitcoin-0.3.10-win32-setup.exe
http://www.bitcoin.org/download/bitcoin-0.3.10-win32.zip

SHA1 16645ec5fcdb35bc54bc7195309a1a81105242bb bitcoin-0.3.10-win32-setup.exe
SHA1 4f35ad7711a38fe8c880c6c9beab430824c426d3 bitcoin-0.3.10-win32.zip

Steps:
1) Shut down.
2) Download knightmb's blk files and replace your blk0001.dat and blkindex.dat files.
http://knightmb.dyndns.org/files/bitcoin/blocks/
http://rapidshare.com/files/413168038/BitcoinBlocks.torrent
3) Upgrade to 0.3.10.
4) It should start out with less than 74000 blocks and redownload the rest.

Or if you don't want to mess with downloading blk files, you can just do this:

1) Shut down.
2) Delete (or move) blk*.dat
3) Upgrade to 0.3.10.
4) It redownloads all blocks, probably take about an hour.

-----
9576 823 6 1281914244 9576 0 xx 1 | Re: overflow bug SERIOUS

[quote author=knightmb link=topic=823.msg9574#msg9574 date=1281913144]
[b][edit][/b] Just saw your post, I'll build one to less than 74,000 then, should at least save you technical people a few minutes of downloading the new chain. ;)
[/quote]
Just leave the old one alone! Older is better. What block number is it? Anywhere from 60000-74000 is good. The one that you've had available for a while has been vetted and is the best choice.
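Added example (Python, written for this page; not Bitcoin's wallet code) for two earlier posts in this dump: the SVN rev 161 rule that a 0/unconfirmed transaction can be spent if it's yours and all its dependencies are either in a block or also yours, and the 0.3.15 description of priority as sum(valuein * age) / txsize with fee taking precedence and own 0-conf coins used only as a last resort. The Tx and Wallet classes, the largest-first selection within a confirmation tier, "one fee stratum per distinct fee" and the treatment of a never-seen parent as unspendable are this example's assumptions; the sample history is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

COIN = 100_000_000  # satoshis per BTC


@dataclass
class Tx:
    txid: str
    inputs: List[Tuple[str, int]]      # outpoints (txid, n) this tx spends
    outputs: List[Tuple[int, bool]]    # (value in satoshis, is_mine)
    from_me: bool                      # the wallet created this transaction
    height: Optional[int]              # block height, or None while unconfirmed


class Wallet:
    """Toy wallet model (not Bitcoin's CWallet). `tip` is the best block height."""

    def __init__(self, txs: List[Tx], tip: int):
        self.txs: Dict[str, Tx] = {t.txid: t for t in txs}
        self.tip = tip

    def confirmations(self, txid: str) -> int:
        tx = self.txs[txid]
        return 0 if tx.height is None else self.tip - tx.height + 1

    def spendable(self, txid: str) -> bool:
        """SVN rev 161 rule: 0/unconfirmed can be spent if it's yours and all its
        dependencies are either in a block or also yours (applied recursively).
        A dependency the wallet has never seen is treated as not spendable (assumption)."""
        tx = self.txs.get(txid)
        if tx is None:
            return False
        if tx.height is not None:
            return True
        if not tx.from_me:
            return False
        return all(self.spendable(parent) for parent, _ in tx.inputs)

    def unspent(self) -> List[Tuple[str, int, int]]:
        """Our outputs not yet spent by any transaction the wallet knows about."""
        spent = {op for tx in self.txs.values() for op in tx.inputs}
        return [(tx.txid, n, value)
                for tx in self.txs.values()
                for n, (value, mine) in enumerate(tx.outputs)
                if mine and (tx.txid, n) not in spent]

    def select_coins(self, target: int):
        """0.3.15 behaviour as described: prefer coins with >= 6 confirmations,
        fall back to >= 1, and use own 0-conf outputs only as a last resort.
        Largest-first greedy within a tier is a simplification of SelectCoins."""
        for min_conf in (6, 1, 0):
            coins = [c for c in self.unspent()
                     if self.confirmations(c[0]) >= min_conf and self.spendable(c[0])]
            coins.sort(key=lambda c: -c[2])
            chosen, total = [], 0
            for c in coins:
                if total >= target:
                    break
                chosen.append(c)
                total += c[2]
            if total >= target:
                return chosen, min_conf
        return None, None

    def priority(self, chosen, tx_size: int) -> float:
        """Priority = sum(valuein * age) / txsize, with age in confirmations."""
        return sum(v * self.confirmations(t) for t, _, v in chosen) / tx_size


def order_for_block(entries):
    """entries: (txid, fee, priority). Fee takes precedence; priority orders
    transactions that pay the same fee (one fee stratum per distinct fee here)."""
    return [txid for txid, _, _ in sorted(entries, key=lambda e: (-e[1], -e[2]))]


# Constructed sample history (not real chain data), best block height 100:
# a, b received and confirmed; c is our unconfirmed spend of a with change;
# e is our unconfirmed spend of c's change; d is someone else's unconfirmed
# payment to us whose parent x the wallet has never seen.
SAMPLE = Wallet([
    Tx("a", [],         [(10 * COIN, True)],                   from_me=False, height=90),
    Tx("b", [],         [(3 * COIN, True)],                    from_me=False, height=98),
    Tx("c", [("a", 0)], [(4 * COIN, False), (6 * COIN, True)], from_me=True,  height=None),
    Tx("e", [("c", 1)], [(1 * COIN, False), (5 * COIN, True)], from_me=True,  height=None),
    Tx("d", [("x", 0)], [(8 * COIN, True)],                    from_me=False, height=None),
], tip=100)

if __name__ == "__main__":
    print("spendable e/d:", SAMPLE.spendable("e"), SAMPLE.spendable("d"))
    print("select 2 BTC:", SAMPLE.select_coins(2 * COIN))
    print("select 5 BTC:", SAMPLE.select_coins(5 * COIN))
```

Selecting 2 BTC never touches the 0-conf change because the 3-confirmation output b covers it; selecting 5 BTC falls through to the last-resort tier and picks e's change, which is spendable only because the chain e -> c -> a ends in a block, while d stays excluded.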
9584 823 6 1281915370 9584 0 xx 1 Re: overflow bug SERIOUS Starting at 67000 is [i]perfect[/i]. <br /><br />Yeah, at the moment you'll stop at 74638. It should start slowly creeping up as more nodes upgrade and generate.<br /><br />Linux build links below.<br /><br />The Linux version includes tcatm's 4-way SSE2 SHA-256 that makes generating faster on i5 and AMD CPU's. Use the "-4way" switch to enable it and check if it's faster for you.<br /><br />Download links:<br />http://www.bitcoin.org/download/bitcoin-0.3.10-win32-setup.exe<br />http://www.bitcoin.org/download/bitcoin-0.3.10-win32.zip<br />http://www.bitcoin.org/download/bitcoin-0.3.10-linux.tar.gz<br /><br />SHA1 16645ec5fcdb35bc54bc7195309a1a81105242bb bitcoin-0.3.10-win32-setup.exe<br />SHA1 4f35ad7711a38fe8c880c6c9beab430824c426d3 bitcoin-0.3.10-win32.zip<br />SHA1 e3fda1ddb31b0d5c35156cacd80dee6ea6ae6423 bitcoin-0.3.10-linux.tar.gz 9586 823 6 1281915427 9586 0 xx 1 Re: overflow bug SERIOUS [quote author=Joozero link=topic=823.msg9582#msg9582 date=1281915163]<br />I think that you should add something about this: http://www.bitcoin.org/smf/index.php?topic=259.0<br />There must be a label on the client that show a warning message if needed :)<br />Now everyone have always to check the website, and I think that this is bad.<br />[/quote]<br />Agree, wanted to do that for a long time, haven't had time to do it.<br /><br />For now, you could also subscribe to the bitcoin-list mailing list. It rarely gets used except for announcements like this and major new versions.<br /><br />Subscribe/unsubscribe page:<br />http://lists.sourceforge.net/mailman/listinfo/bitcoin-list<br /> 9590 827 1 1281916102 9734 1281964256 satoshi exclamation 1 Version 0.3.10 - block 74638 overflow PATCH! Version 0.3.10 patches the block 74638 overflow bug. 
http://www.bitcoin.org/smf/index.php?topic=823<br /><br />The Linux version includes tcatm's 4-way SSE2 SHA-256 that makes generating faster on i5, i7 (with hyperthreading) and AMD CPU's. Try the "-4way" switch to enable it and check if it's faster for you. <br /><br />Download from sourceforge:<br />http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.10/<br /><br />SHA1 16645ec5fcdb35bc54bc7195309a1a81105242bb bitcoin-0.3.10-win32-setup.exe<br />SHA1 4f35ad7711a38fe8c880c6c9beab430824c426d3 bitcoin-0.3.10-win32.zip<br />SHA1 e3fda1ddb31b0d5c35156cacd80dee6ea6ae6423 bitcoin-0.3.10-linux.tar.gz<br />SHA1 b812ccff4881778b9090f7c0b0255bcba7b078ac bitcoin-0.3.10-macosx.zip<br /><br />It is no longer necessary to delete blk*.dat. The good block chain has overtaken the bad block chain, so you can just upgrade and it'll automatically reorg away the bad block chain. 9608 828 6 1281918508 9608 0 xx 1 Re: 0.3.10.1 Question on where block should be I suspect there's some difficulty receiving blocks if all the nodes you're connected to are 0.3.9 or lower. We need enough of us so that at least one node you connect to will be 0.3.10. The problem will start to go away when we make up more than 1/8th of the network.<br /><br />It'll help if you port forward so you can get lots of connections. 9612 828 6 1281919040 9612 0 xx 1 Re: 0.3.10.1 Question on where block should be For now, can some people running 0.3.10 with static IP who can receive incoming connections post their IP? 
Then we can -addnode= them and make sure to connect to at least one 0.3.10 node.<br /><br /> 9623 823 6 1281920445 9623 0 xx 1 Re: overflow bug SERIOUS [quote author=Ground Loop link=topic=823.msg9609#msg9609 date=1281918595]<br />Question about fallout: I had a [b]transaction[/b] that I submitted after the bad block, using the bad block chain.<br /><br />What is the status of that transaction?<br />From what I can tell, my (updated) sending client wallet shows the deducted amount.<br /><br />Will it get reincorporated into the fixed chain, and will the recipient be able to spend it?<br />[/quote]<br />Right, it will get reincorporated into the fixed chain. The transaction won't disappear, it'll still be visible on both sides, but the confirmation count will jump back to 0 and start counting up again.<br /><br />It's only if you generated a block in the bad chain after block 74638 that the 50 BTC from that will disappear. Any blocks in the bad chain wouldn't have matured yet. 9624 823 6 1281920544 9624 0 xx 1 Re: overflow bug SERIOUS [quote author=kosovito link=topic=823.msg9615#msg9615 date=1281919157]<br />I did all steps, now my client is 0.3.10 and it stopped at block 74638. Is all fine?<br />[/quote]<br />If you still show 74638 blocks then you aren't connected to any 0.3.10 nodes. <br /><br />For today, try adding these parameters: <br />-addnode=75.158.131.108 -addnode=99.27.237.13 -addnode=68.68.99.14<br /><br />See<br />http://www.bitcoin.org/smf/index.php?topic=828 9628 823 6 1281921125 9628 0 xx 1 Re: overflow bug SERIOUS [quote author=trebronics link=topic=823.msg9625#msg9625 date=1281920555]<br />Most people running clients are not reading this message thread. So... 
Silly questions:<br /><br />1) How will this continue to affect version 3.8.1 (pre-catastrophe) clients with bad block chain?<br />2) How will this affect clients that upgrade to 3.8.10 but don't remove their block chain files?<br />[/quote]<br />1) Once more than 50% of the node power is upgraded and the good chain overtakes the bad, the 0.3.10 nodes will make it hard for any bad transactions to get any confirmations. <br />2) If you didn't remove your blk*.dat files, you're not helping to contribute to that 50%, and you'll still show bad transactions until the good chain overtakes the bad chain. 9642 823 6 1281924970 9642 0 xx 1 Re: overflow bug SERIOUS The bad chain is also slowed down as more nodes upgrade.<br /><br />We've already generated 14 blocks since 74638. The builds of 0.3.10 were uploaded about 2 and 3 hours ago. Of the nodes I'm connected to, more than half are already 0.3.10. I would say we probably already have more power than the bad chain.<br /> 9648 823 6 1281926301 9648 0 xx 1 Re: overflow bug SERIOUS On Windows, findstr /c:"version message" debug.log<br /><br />It looks like the bad chain was on block 74678 recently. Can't wait to overtake it.<br /><br />On the stats at http://nullvoid.org/bitcoin/statistix.php there's been 5 blocks per hour in the last 3 hours. We had a difficulty adjustment about a day ago that should have put it back to 6 blocks per hour.<br /> 9655 820 6 1281927477 9655 0 xx 1 Re: tcatm's 4-way SSE2 for Linux 32/64-bit 0.3.9 rc2 [quote author=tcatm link=topic=820.msg9617#msg9617 date=1281919419]<br />I propose to compile sha256.cpp with -O3 -march=amdfamk10 (will work on 32bit and 64bit) as only CPUs supporting this instruction set (AMD Phenom, Intel i5 and newer) benefit from -4way and it'll improve performance by ~9%.<br />[/quote]<br />GCC 4.3.3 doesn't support -march=amdfamk10. 
I get:
sha256.cpp:1: error: bad value (amdfamk10) for -march= switch


[quote author=NewLibertyStandard link=topic=820.msg9630#msg9630 date=1281923341]
With 4way, I get significantly better performance when I have all my virtual cores enabled. I think I get about the same amount of hashes when hyper threading is turned off with or without 4way.
[/quote]
Hey, you may be onto something!

Hyperthreading didn't help before because all the work was in the arithmetic and logic units, which the hyperthreads share.

tcatm's SSE2 code must be a mix of normal x86 instructions and SSE2 instructions, so while one is doing x86 code, the other can do SSE2.

How much of an improvement do you get with hyperthreading?

Some numbers? What CPU is that?

[post 9661, topic 820, time 1281928984] Re: tcatm's 4-way SSE2 for Linux 32/64-bit 0.3.9 rc2
[quote author=Vasiliev link=topic=820.msg9660#msg9660 date=1281928627]
try -march=amdfam10
[/quote]
That works.

That's strange... are we sure that's the same thing? tcatm, try amdfam10 and make sure you get the same speed measurement. It's not an accident waiting to happen.

It would be nice if the forum could be at www.bitcoin.org/forum/ instead of www.bitcoin.org/smf/ but that's a whole nother thing. Would you be in favour of that change? If we want to do that, I should do it because I already know where all the path settings are and how to do it, since I had to figure all this stuff out the first time there was the Forum URL https/http problem. There are other urls under Admin->Themes and Layout. I think if a mirror directory forum -> smf was created, it would be possible to change the urls in the admin interface without the forum software stopping working.

[post 217, topic 33, time 1265239271] Re: Installed anti-bruteforce module to Drupal
3 seems dangerously low to get ourselves locked out. Why not make it 10?
[post 219, topic 27, time 1265239797] Re: Bitcoin crash when sending coins
I uploaded this fix to the SVN. It watches for spent coins and updates your wallet on load and also continuously as blocks come in. I also put a better error message, but it should never hit it because it always finds spent coins ahead of time, unless you spent the same money at the same time on two computers at once.

If you want to try it, PM or e-mail me your e-mail address where I can send it as an attachment and also what OS (win, linux 32-bit, linux 64-bit).

[post 220, topic 35, time 1265240214] Re: Win32 CPU Cycles vs 'Live Protection' Engines ?
Thanks for that. Which version of Windows?

[post 222, topic 34, time 1265242027] Re: Questions about Addresses
Port forwarding forwards a port to one computer. It tells the router which computer handles connections to that port. So that's the computer receiving.

If you didn't set up port forwarding, then incoming connections won't go to any computer, and attempts to send to that IP would just say it couldn't connect to the recipient and nothing is sent. When sending by IP, you still send to a bitcoin address, but your computer connects to that IP, gets a new bitcoin address from it, gives the transaction directly to them and confirms that it was received and accepted.

Someone should post their static IP so people can try out sending by IP and also give that user free money.

There's a 32-bit checksum in bitcoin addresses so you can't accidentally type an invalid address.

If 4) you send to a recipient who has abandoned or lost their wallet.dat, then the money is lost. A subtle point can be made that since there is then less total money in circulation, everyone's remaining money is worth slightly more, aka "natural deflation".
[post 223, topic 22, time 1265243450] Re: TOR and I2P
When using proxy port 9050, it will only make one attempt to connect to IRC, then give up, since it knows it will probably always fail because IRC servers ban all the TOR exit nodes. If you're using another port, it would assume it might be a regular old normal proxy and would keep retrying IRC at longer and longer intervals. You should not use Polipo or Privoxy as those are http filters and caches that would corrupt Bitcoin's messages if they make any changes. Bitcoin might be trying to overcome it by reconnecting. You should use port 9050.

As riX says, the "is giving Tor only an IP address. Apps that do DNS..." warnings are nothing to worry about. Bitcoin doesn't use DNS at all in proxy mode.

Since Bitcoin can't get through to IRC through Tor, it doesn't know which nodes are currently online, so it has to try all the recently seen nodes. It tries to conserve connection attempts as much as possible, but also people want it to connect quickly when they start it up and reconnect quickly if disconnected. It uses an algorithm where it tries an IP less and less frequently the longer ago it was successfully connected. For example, for a node it saw 24 hours ago, it would wait 5 hours between connection attempts. Once it has at least 2 connections, it won't try anything over a week old, and with 5 connections it won't try anything over 24 hours old.

[post 249, topic 43, time 1265397552, modified 1282868283 by satoshi] Proof-of-work difficulty increasing
We had our first automatic adjustment of the proof-of-work difficulty on 30 Dec 2009.

The minimum difficulty is 32 zero bits, so even if only one person was running a node, the difficulty doesn't get any easier than that. For most of last year, we were hovering below the minimum. On 30 Dec we broke above it and the algorithm adjusted to more difficulty.
It's been getting more difficult at each adjustment since then.

The adjustment on 04 Feb took it up from 1.34 times last year's difficulty to 1.82 times more difficult than last year. That means you generate only 55% as many coins for the same amount of work.

The difficulty adjusts proportionally to the total effort across the network. If the number of nodes doubles, the difficulty will also double, returning the total generated to the target rate.

For those technically inclined, the proof-of-work difficulty can be seen by searching on "target:" in debug.log. It's a 256-bit unsigned hex number, which the SHA-256 value has to be less than to successfully generate a block. It gets adjusted every 2016 blocks, typically two weeks. That's when it prints "GetNextWorkRequired RETARGET" in debug.log.

minimum    00000000ffff0000000000000000000000000000000000000000000000000000
30/12/2009 00000000d86a0000000000000000000000000000000000000000000000000000
11/01/2010 00000000c4280000000000000000000000000000000000000000000000000000
25/01/2010 00000000be710000000000000000000000000000000000000000000000000000
04/02/2010 000000008cc30000000000000000000000000000000000000000000000000000
14/02/2010 0000000065465700000000000000000000000000000000000000000000000000
24/02/2010 0000000043b3e500000000000000000000000000000000000000000000000000
08/03/2010 00000000387f6f00000000000000000000000000000000000000000000000000
21/03/2010 0000000038137500000000000000000000000000000000000000000000000000
01/04/2010 000000002a111500000000000000000000000000000000000000000000000000
12/04/2010 0000000020bca700000000000000000000000000000000000000000000000000
21/04/2010 0000000016546f00000000000000000000000000000000000000000000000000
04/05/2010 0000000013ec5300000000000000000000000000000000000000000000000000
19/05/2010 00000000159c2400000000000000000000000000000000000000000000000000
29/05/2010 000000000f675c00000000000000000000000000000000000000000000000000
11/06/2010 000000000eba6400000000000000000000000000000000000000000000000000
24/06/2010 000000000d314200000000000000000000000000000000000000000000000000
06/07/2010 000000000ae49300000000000000000000000000000000000000000000000000
13/07/2010 0000000005a3f400000000000000000000000000000000000000000000000000
16/07/2010 000000000168fd00000000000000000000000000000000000000000000000000
27/07/2010 00000000010c5a00000000000000000000000000000000000000000000000000
05/08/2010 0000000000ba1800000000000000000000000000000000000000000000000000
15/08/2010 0000000000800e00000000000000000000000000000000000000000000000000
26/08/2010 0000000000692000000000000000000000000000000000000000000000000000

date, difficulty factor, % change
2009 1.00
30/12/2009 1.18 +18%
11/01/2010 1.31 +11%
25/01/2010 1.34 +2%
04/02/2010 1.82 +36%
14/02/2010 2.53 +39%
24/02/2010 3.78 +49%
08/03/2010 4.53 +20%
21/03/2010 4.57 +9%
01/04/2010 6.09 +33%
12/04/2010 7.82 +28%
21/04/2010 11.46 +47%
04/05/2010 12.85 +12%
19/05/2010 11.85 -8%
29/05/2010 16.62 +40%
11/06/2010 17.38 +5%
24/06/2010 19.41 +12%
06/07/2010 23.50 +21%
13/07/2010 45.38 +93%
16/07/2010 181.54 +300%
27/07/2010 244.21 +35%
05/08/2010 352.17 +44%
15/08/2010 511.77 +45%
26/08/2010 623.39 +22%

[post 250, topic 34, time 1265399086] Re: Questions about Addresses
[quote author=Sabunir link=topic=34.msg246#msg246 date=1265391090]
Perhaps there should be a feature against this? For instance, if a transaction isn't accepted by the recipient for a long period of time (a month?), the transaction will be canceled and the coins returned to the one who sent them?
[/quote]

That's not possible. You've handed control of the money over to the recipient's keypair.
Only that key can control it.

It's similar to if you encrypt a file with AES and a strong password, and you lose the password. The data is lost.

[post 264, topic 7, time 1265490392] Re: Repost: Request: Make this anonymous?
When you send to a bitcoin address, you don't connect to the recipient. You send the transaction to the network the same way you relay transactions. There's no distinction between a transaction you originated and one you received from another node that you're relaying in a broadcast. With a very small network though, someone might still figure it out by process of elimination. It'll be better when the network is larger.

If you send by IP, the recipient sees you because you connect to their IP. You could use TOR to mask that.

You could use TOR if you don't want anyone to know you're even using Bitcoin.

Bitcoin is still very new and has not been independently analysed. If you're serious about privacy, TOR is an advisable precaution.

[post 267, topic 44, time 1265498753] Re: How divisible are bitcoins and other market/economic questions
Eventually at most only 21 million coins for 6.8 billion people in the world if it really gets huge.

But don't worry, there are another 6 decimal places that aren't shown, for a total of 8 decimal places internally. It shows 1.00 but internally it's 1.00000000. If there's massive deflation in the future, the software could show more decimal places.

If it gets tiresome working with small numbers, we could change where the display shows the decimal point. Same amount of money, just different convention for where the ","'s and "."'s go. e.g. moving the decimal place 3 places would mean if you had 1.00000 before, now it shows it as 1,000.00.

[post 278, topic 45, time 1265592149] Re: Make your "we accept Bitcoin" logo
No, sorry. I've been meaning to redo it. The largest icon that still looks good is the 20x20 one which is used for the tray icon in GNOME.
Any larger than that looks bad. The 16x16 and 20x20 ones have quite a bit of hand tweaking to get the pixels to work out right. If you just scale down a larger image, the pixels end up blurred and awkward in places where the lines in "BC" don't land square on a pixel.

The best 16x16 with full alpha channel is in src/rc/bitcoin.ico. I don't like the 32x32 version.

I'm attaching bitcoin20x20.png, the 20x20 version with full transparency.

[post 279, topic 47, time 1265592422, modified 1265731172 by sirius-m] Bitcoin client and website translation
Thank you for the offer to help translate. That is probably the best way you could help.

I will need to prepare the code for translation first. wxWidgets has locale support, and most strings are in generated code that is already wrapped, so it shouldn't be too hard. We also must finish upgrading to wxWidgets-2.9.0 to get UTF-8 support. I've done test builds with 2.9.0 and there is one bug left to fix.

What operating system are you using? Windows, Linux 32-bit or 64 bit?

[color=blue]Split from [url=https://www.bitcoin.org/smf/index.php?topic=44]another thread[/url].
sirius-m[/color]

[post 283, topic 47, time 1265645437] Bitcoin client and website translation
It's much easier to have a single binary and multiple .mo files. It's too much maintenance work to have lots of build variations. Once the software support is implemented, anyone could contribute translations.

wxWidgets uses the gettext standard. You use the gettext tools or something like poedit to create a .po file by scanning the source files for strings and editing the translations into the .po file, then compile it into a .mo file. The program loads the .mo file at runtime and reskins all the strings.
Additional languages can be added to an existing program by adding .mo files without recompiling the program.

On Windows, the .mo files would go in a lang subdirectory in the directory where the EXE is located.

Right now I'm working on JSON-RPC and command line support, but when I'm finished with that I hope to do this next.

[post 284, topic 46, time 1265647044] Re: Simple to implement feature requests
There are command line options:

bitcoin -addnode=1.2.3.4 to tell bitcoin about a node to connect to
bitcoin -connect=1.2.3.4 connect only to the specified node(s)

You can use more than one of these, for instance
bitcoin -connect=(first to try) -connect=(next to try) ...

You can specify non-routable IPs with -connect like 192.168.x.x, so if you had a server farm and you wanted one server to connect to the world and the rest to connect to the one server, you could do that.

In particular, -addnode is needed if you're always going to connect through TOR, since the IRC server blocks all the TOR exit nodes. To connect through TOR, you could use:

bitcoin -proxy=127.0.0.1:9050 -addnode=212.159.72.216

[post 315, topic 49, time 1265941982] Re: DEB Package?
Are you just trying to run the program or do you really need to compile it? There's a 32-bit linux binary that can be run on 64-bit ubuntu if you "sudo apt-get ia32-libs".
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.2.0-linux.tar.gz/download

[post 2886, topic 72, time 1279129111] Re: bitcoin auto-renice-ing
Laszlo corrected this, but unfortunately it was too late to make it into 0.3.0. There will probably be a 0.3.1 soon though.

The problem is I used PRIO_MIN, I should have used PRIO_MAX for the lowest priority. The OS isn't supposed to let you increase priority, so the PRIO_MIN ought to leave it at priority 0.
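A worked check of the target table in the "Proof-of-work difficulty increasing" post above, added here as an example that is not part of the original thread: it parses the 256-bit hex targets quoted in that post and recomputes the difficulty-factor and %-change columns (difficulty = minimum target / current target), and shows why the whole 256-bit value has to be compared rather than just the leading digits. The hex targets are copied from the post; the function names are my own.

```python
# Added example, not part of the forum thread: recompute the "difficulty factor"
# column of the target table from the "Proof-of-work difficulty increasing" post.
# A block's SHA-256 hash must be numerically below the 256-bit target, so a
# target that is N times smaller than the minimum target is N times harder
# to hit: difficulty factor = minimum target / current target.

# Minimum (easiest) target quoted in the post: 32 leading zero bits.
MIN_TARGET_HEX = "00000000ffff0000000000000000000000000000000000000000000000000000"

# (date, target as printed after "target:" in debug.log), copied from the post.
# Only the first six consecutive retargets are listed here.
TARGETS = [
    ("30/12/2009", "00000000d86a0000000000000000000000000000000000000000000000000000"),
    ("11/01/2010", "00000000c4280000000000000000000000000000000000000000000000000000"),
    ("25/01/2010", "00000000be710000000000000000000000000000000000000000000000000000"),
    ("04/02/2010", "000000008cc30000000000000000000000000000000000000000000000000000"),
    ("14/02/2010", "0000000065465700000000000000000000000000000000000000000000000000"),
    ("24/02/2010", "0000000043b3e500000000000000000000000000000000000000000000000000"),
]


def parse_target(hex_target: str) -> int:
    """Parse a 64-hex-digit (256-bit) target into an unsigned integer."""
    if len(hex_target) != 64:
        raise ValueError("target must be exactly 64 hex digits (256 bits)")
    return int(hex_target, 16)


def difficulty_factor(hex_target: str, min_target_hex: str = MIN_TARGET_HEX) -> float:
    """Difficulty relative to the minimum: min_target / target (1.0 at the minimum).

    The whole 256-bit value is divided, not just the leading non-zero digits,
    which matters once the target has shifted down past the original 'ffff'.
    """
    target = parse_target(hex_target)
    min_target = parse_target(min_target_hex)
    if target == 0 or target > min_target:
        raise ValueError("target must be non-zero and no easier than the minimum")
    return min_target / target


def hash_meets_target(block_hash_hex: str, hex_target: str) -> bool:
    """True when a block hash (64 hex digits) is below the target, i.e. a valid block."""
    return int(block_hash_hex, 16) < parse_target(hex_target)


def difficulty_table(targets=TARGETS):
    """Rebuild the post's 'date, difficulty factor, % change' rows.

    The post's % change column follows from the rounded factors of
    consecutive retargets, so the same rounding is used here.
    """
    rows = []
    previous = 1.00  # the pre-retarget difficulty of 2009
    for date, hex_target in targets:
        factor = round(difficulty_factor(hex_target), 2)
        change = round((factor / previous - 1.0) * 100.0)
        rows.append((date, factor, change))
        previous = factor
    return rows


if __name__ == "__main__":
    for date, factor, change in difficulty_table():
        print(f"{date} {factor:.2f} {change:+d}%")
    # A later target from the same post (26/08/2010). Reading only the first
    # non-zero digits (ffff vs 692) would suggest a factor of about 2.4; the
    # full 256-bit division gives about 623, matching the post's table.
    late = "0000000000692000000000000000000000000000000000000000000000000000"
    print(round(difficulty_factor(late), 2))
```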
[post 2895, topic 305, time 1279130548] Re: Stuck on 513 blocks
This is the second time I've seen this "Live Protection" problem reported.

It must be blocking the program's network communication. It sounds like it's allowing connections to be made, hence the 10 connections shown, but not allowing any data to be sent or received on them.

We need to understand this problem better.

Can someone write some instructions on the wiki explaining how to turn off or add an exclusion to Live Protection or whatever its full proper name is?

[post 2898, topic 351, time 1279131319] Live Protection causing initial block download early stallout
Twice I've seen reports of Live Protection causing initial block download to stall out early.
http://www.bitcoin.org/smf/index.php?topic=305

Just brainstorming here how this could happen.

Someone saying they got 513 or 1001 blocks before it stalled, yet they report having 10 connections. The person had port forwarding, and must have since this is Windows and outbound from windows is limited to 8, and they had 10 connections. With port forwarding usually you'd have more than 10, but if IRC was blocked, I could see how inbound would be a lot more limited like 10.

Seems like Live Protection is allowing connections to be made, but keeping them silent. Or maybe only allowing a little data to go out but not much, which is strange. Maybe it doesn't want to block outbound requests like browser page requests, which are less than 1K or so, but it wants to shut down large data transfer, so it stops it after just a little bit of data like the size of a URL.

If IRC is blocked, you typically do get like 501 or 5?? or 1001 blocks at first from the seed node. You connect to a seed node, get the address list, then disconnect from the seed node but it usually slips in one or two block requests before the disconnect, hence around 500 or 1000 blocks.
If Live Protection zombies all further connections, that would give the result the guy got. Maybe it zombies all inbound connections, and after the first seed node, the inbound connections came and gave him 10 connections so he didn't connect outward anymore, so it's all inbound connections.

That seems to fit what happened the best. IRC blocked by Live Protection. The node connects to a seed node, gets roughly 500 or 1000 blocks, broadcasts inbound IP address to the net, disconnects seed node, doesn't get any more outbound connections before the inbound connections give him 10 connections and it stops looking for outbound. Now all his connections are inbound, and maybe Live Protection zombies the inbound, letting them connect but not letting any data through (or only one direction). He doesn't get the usual 50 or so connections because he's not visible on IRC.

[post 2903, topic 318, time 1279131941] Re: Error on Ubuntu 10.04
What language is your computer set to? Is it set to German, Dutch or Italian? Is it one of those sub-languages like "nl-??"?

It's trying to load a translation and failing. You could delete the locale directory that came with bitcoin so it doesn't try to use it.

Can someone test each language on Ubuntu and see if there's a problem with just one of them or maybe all three?

[post 2908, topic 299, time 1279133153] Re: Runaway CPU usage for 64bit BitCoin (Linux Client)
After it initially tries incorrectly to set itself to the lowest priority, the generate thread only changes its priority again temporarily when it finds a block. When you've found a block, you should want it to hurry up and broadcast it as soon as possible before someone else finds one and makes yours invalid. The generate thread only changes to higher priority for less than a second every few days.

There should be a 0.3.1 release for this soon.
There are a few other issues we need to look at fixing in 0.3.1 before making a release.

[quote author=knightmb link=topic=299.msg2409#msg2409 date=1278974353]
On a side note, I've tracked down the other GUI issue.

The "minimize to tray instead of taskbar" is what was eating up all the CPU on my system. After I turned this off, the issue was resolved with Runaway CPU.

This only seems to affect the 64 bit Client, as the 32 bit Clients I have don't seem to be affected by this.

I did notice on the 64 bit Client, what happens is, it spawns multiple "tray" icons until X server finally keels over, so I guess I should submit that as a bug to somewhere? ???
[/quote]
That's interesting. I know the minimize to tray on Ubuntu is very clunky, but I didn't know it had a CPU peg problem too. Anyone else able to reproduce this problem? We had this feature disabled on Linux before, but then it seemed better to have the imperfect UI than to lose the feature entirely. I'm thinking we should disable it again on Linux.

[post 2913, topic 291, time 1279133789] Re: Warning this block was not received by any other nodes
Microsoft Security Essentials Live Protection is blocking your communication with the network. You have connections, which tricks Bitcoin into thinking it's connected, but they are silent because the data is being blocked.

You need to make bitcoin.exe an excluded process in Live Protection.

This is becoming a common problem. Someone should write this up in a pegged thread.

The message "Warning: This block was not received by any other nodes" occurs when Bitcoin broadcasts a block, but nobody confirms they received it. The warning is there just for this kind of situation, where for some reason you have connections, but they have gone dead and nobody can hear you.
Your block will never become valid because nobody received it.

[post 2935, topic 325, time 1279139106] Re: Hash/sec Throttling for Democracy
[quote author=knightmb link=topic=325.msg2917#msg2917 date=1279135063]
So if your computer was only 1% towards solving block 68000
[/quote]
This is a common point of confusion. There's no such thing as being 1% towards solving a block. You don't make progress towards solving it. After working on it for 24 hours, your chances of solving it are equal to what your chances were at the start or at any moment.

It's like trying to flip 37 coins at once and have them all come up heads. Each time you try, your chances of success are the same.

The RNG is the OpenSSL secure random number generator. On Windows it's seeded with the complete set of all hardware performance counters since your computer started, on Linux it's /dev/random.

[post 2947, topic 286, time 1279141852] Re: Scalability
The design outlines a lightweight client that does not need the full block chain. In the design PDF it's called Simplified Payment Verification. The lightweight client can send and receive transactions, it just can't generate blocks. It does not need to trust a node to verify payments, it can still verify them itself.

The lightweight client is not implemented yet, but the plan is to implement it when it's needed. For now, everyone just runs a full network node.

I anticipate there will never be more than 100K nodes, probably less. It will reach an equilibrium where it's not worth it for more nodes to join in. The rest will be lightweight clients, which could be millions.

At equilibrium size, many nodes will be server farms with one or two network nodes that feed the rest of the farm over a LAN.
[post 3008, topic 299, time 1279153103] Re: Runaway CPU usage for 64bit BitCoin (Linux Client)
OK, the undocumented switch "-minimizetotray" which re-enables the option.

I uploaded the change to SVN.

[post 3146, topic 351, time 1279201337] Re: Live Protection causing initial block download early stallout
I still don't see a pegged thread about Microsoft Security Essentials Live Protection. Someone needs to write a thread telling people if they have Microsoft Security Essentials how to exempt or whatever bitcoin.exe and pin it ASAP. I'm really busy, surely someone else can do this?!!

I'm adding this to the readme.txt of the 0.3.1 release:
If you have Microsoft Security Essentials, you need to add bitcoin.exe to its
"Excluded Processes" list.

Kind of a blind guess because I don't have it so I can't look exactly what it says, but going on what others have said.

Here's another case:
http://www.bitcoin.org/smf/index.php?topic=323.0

[post 3150, topic 373, time 1279202720] Re: [Bitcoin 0.3.0] Runtime error
More directly, this:
http://www.bitcoin.org/smf/index.php?topic=246.0

I will be posting a release candidate of 0.3.1 with this fix shortly. Please try that and let me know if it fixes the problem.

[post 3157, topic 326, time 1279204384] Re: Static Linux x86_64 bins for those having libcrypto troubles
We don't even specify linking glibcxx_3.4.11, so gcc must automatically link it behind the scenes. There's probably a compiler switch that would tell it to static link it. I'm not sure what the licensing issues would be. Typically, compiler stuff is fully redistributable.

[post 3162, topic 327, time 1279205940] Re: resource hog
Then all the CPU time is the generate thread, which definitely runs at the lowest possible priority, idle priority. It's normal that your CPU meter is 100%. Since it's idle priority, it won't actually slow anything else down, even though the CPU meter is 100%.
[post 3198, topic 383, time 1279213554, modified 1279314042 by satoshi] Bitcoin 0.3.1 released
This is a bugfix maintenance release. It is now uploaded to SourceForge. Mac OS X didn't need any fixes so we don't really need to update it, 0.3.0 is still good.

The download links are on bitcoin.org

Changes:
- Added Portuguese translation by Tiago Faria
Windows
- Fix for 22DbRunRecoveryException if your username has non-ascii characters in it
Linux
- Laszlo's fix for lowering generate thread to lowest priority
- Fix for if you're having trouble with libcrypto linkage
- Gavin Andresen's implementation of "start on windowing system startup" option

[post 3205, topic 383, time 1279214628] Re: 0.3.1 release candidate, please test
Well, it can't hurt to do a backup and it's a good idea to backup regularly, but no, a backup is not required before installing this.

[post 3211, topic 351, time 1279215151] Re: Live Protection causing initial block download early stallout
I used that link to write the following in the readme.txt:

If you have Microsoft Security Essentials, you need to add bitcoin.exe to its
"Excluded processes" list. Microsoft Security Essentials->Settings tab,
select Excluded processes, press Add, select bitcoin.exe, OK, Save changes.

Is there anything else we should do? Maybe a link on the lower part of the homepage like "If you have Microsoft Security Essentials, see these instructions to add bitcoin.exe to the Excluded processes list."

[post 3221, topic 383, time 1279216603] Re: 0.3.1 release candidate, please test
I don't think you have a particular problem, I think your system is laggy because you're running a lot of things at once and hitting the pagefile because memory is full. You confirmed when you shut off generation that your CPU drops to 0%, so the CPU usage is definitely all idle priority. There's nothing in 0.3.1 that would affect these things.
[post 3238, topic 151, time 1279218622] Re: Website and software translations
[quote author=aidos link=topic=151.msg3017#msg3017 date=1279154951]
Ok here is the .po file for French. While I'm at it, I noted a couple of issues:

1. The "About" box didn't take the translation into account, it still displays the English version to me, even though the rest of the software is using the translated strings, and the .po file contains the translation string of the "About" box message. Same problem with the "Apply" button in the Settings window.
[/quote]
I need to give an updated .po file.

[quote author=aidos link=topic=151.msg3017#msg3017 date=1279154951]
2. If a transaction's description in the list of transactions in the main window contains a diacritical character (such as " "), it's not displayed. I suppose the string is not being properly handled as UTF8 somewhere.
[/quote]
OK, this must be a problem somewhere, I'll have to take a look at it or one of the other devs can.

[quote author=aidos link=topic=151.msg3017#msg3017 date=1279154951]
4. About the .po file :
 - There are a few strings in the .po file that don't need translation (ie: "Bitcoin"). Maybe those shouldn't be inside _("...") ?
 - Others shouldn't be split. I can remember one message about transaction fee where the string is split in two to insert the fee value, where you could simply have put a %s. It makes the message harder to translate as I had to go in the source to find exactly what was going on.
 - Some strings have whitespace at the end or start, which necessity is very debatable, and it's easy to miss in PoEdit.
[/quote]
Many of the strings are in code automatically generated from uiproject.fbp where nothing can be done about these things.
I have a program I use to find all the spacing inconsistencies at the beginning and ending of strings in your .po file and manually fix them up before I upload them to SVN.

[post 3242, topic 151, time 1279219033] Re: Website and software translations
I uploaded an updated bitcoin.po for 0.3.1 attached to this message:
http://www.bitcoin.org/smf/index.php?topic=151.msg1259#msg1259

Please use it if you're starting a new translation.

If you already have a po file, poedit

I recently updated the SVN for building on 64-bit Karmic with wxWidgets 2.9.0. This was after the 0.2.0 release. The 0.2.0 release did not build on 64-bit yet.

Unfortunately there currently isn't a -dev deb package of either of the versions of wxWidgets that we can use. On Karmic they only have the UTF-16 version. We need either the ANSI (libwxgtk2.8-ansi-dev) version or the UTF-8 (wxWidgets 2.9.0) version. We're moving towards 2.9.0.

I know you said you didn't want VM, but as a last resort, last I checked the Windows version runs fine in Wine.

[post 316, topic 48, time 1265944088, modified 1266129391 by satoshi] Re: What's with this odd generation?
There's a small transaction fee for very large transactions. The node that generates the block that contains the transaction gets the fee.

If the same money gets sent again, it won't incur the fee again. If all you have is generated coins in your wallet, if you send them all in one huge transaction, it has to bundle hundreds of 50 bc coins together. After that it's just one line to send the combined unit.

[post 322, topic 49, time 1265990257] Re: DEB Package?
[quote author=soultcer link=topic=49.msg321#msg321 date=1265985110]
If you want, I can provide you with a precompiled binary.
[/quote]

Am I missing something?
Is there something wrong with the 32-bit linux precompiled binary on bitcoin.org?

The bitcoin binary in the distribution static links the wxWidgets library, and its shared links (openssl and GTK) are included in Ubuntu, so it can run without needing to be a .deb to pull down dependencies.

Since we're upgrading to wxWidgets 2.9.0 for UTF-8, which doesn't have a DEB package yet, we'll continue to need to static link it.

[post 324, topic 7, time 1265995712] Re: Repost: Request: Make this anonymous?
True, sending by IP through Tor trades one problem for another. The Tor exit node can see the text of your message and potentially MITM you.

Best to only send to bitcoin addresses then. Payments by bitcoin address are broadcast over the network as part of the normal network traffic. All communications with the network are broadcasts of public information.

[post 326, topic 49, time 1266025117, modified 1266106172 by satoshi] Re: DEB Package?
I couldn't get wxWidgets 2.8.9 to compile on Karmic 64-bit either.

I have been compiling the latest SVN on Karmic 64-bit with wxWidgets 2.9.0, which compiles fine on 64-bit. Read build-unix.txt and use the given ../configure parameters on wxWidgets so you can use the makefile.unix.wx2.9 as supplied. (--enable-debug --disable-shared --enable-monolithic)

[s]There's one cosmetic bug with 2.9.0 I still need to fix where the status number display is bunched up for some reason.[/s] -- fixed

The download link on the homepage is to the sourceforge tar.gz archive which contains the 32-bit binary and the 0.2.0 sources, which were not yet buildable on 64-bit at the time.

The SVN was first buildable on 64-bit with wx2.9.0 on 28 January 2010.

Hopefully they'll have a wxWidgets 2.9.0 debian package someday.

[post 327, topic 48, time 1266128883] Re: What's with this odd generation?
[quote author=theymos link=topic=48.msg318#msg318 date=1265963512]
Does the sending client send more BitCoins to account for the fee (so the recipient gets what he's expecting)?
[/quote]
Yes.

[quote author=SmokeTooMuch link=topic=48.msg319#msg319 date=1265980269]
why do we even need fees ? i thought the no-fees-feature was one of the advantages of bitcoin ?!
[/quote]
Almost all transactions are free. A transaction is over the maximum size limit if it has to add up more than 500 of the largest payments you've received to make up the amount. A transaction over the size limit can still be sent if a small fee is added.

The average transaction, and anything up to 500 times bigger than average, is free.

It's only when you're sending a really huge transaction that the transaction fee ever comes into play, and even then it only works out to something like 0.002% of the amount. It's not money sucked out of the system, it just goes to other nodes. If you're sad about paying the fee, you could always turn the tables and run a node yourself and maybe someday rake in a 0.44 fee yourself.

329 48 1 1266162743 329 1266163376 satoshi xx 1 Re: What's with this odd generation?
Right. Otherwise we couldn't have a finite limit of 21 million coins, because there would always need to be some minimum reward for generating. In a few decades when the reward gets too small, the transaction fee will become the main compensation for nodes. I'm sure that in 20 years there will either be very large transaction volume or no volume.
346 43 1 1266215318 346 0 xx 1 Re: Proof-of-work difficulty increasing
14/02/2010 0000000065465700000000000000000000000000000000000000000000000000

2009        1.00
30/12/2009  1.18  +18%
11/01/2010  1.31  +11%
25/01/2010  1.34   +2%
04/02/2010  1.82  +36%
14/02/2010  2.53  +39%

Another big jump in difficulty yesterday from 1.82 times to 2.53 times, a 39% increase since 10 days ago. It was 10 days apart not 14 because more nodes joined and generated the 2016 blocks in less time.

360 54 4 1266284096 360 0 xx 1 Re: Setting up multiple bitcoin machines behind NAT
Right now there isn't a port number setting to do that. It's a feature yet to be implemented. You can only set up your NAT to port-forward to one of the computers. (I said something earlier about NAT port translation, but that wouldn't work, other nodes wouldn't know to connect to that port)

If you want, as a small optimization, you could run the rest of your computers as:
bitcoin -connect=<the IP of the first computer>

so they get all their network communication from the first computer and don't all connect over the net individually for the same information. This saves bandwidth, although it doesn't use much bandwidth to begin with, so it wouldn't really matter unless you had tons of computers.

For redundancy in case the first computer goes down, you could have two that connect out and the rest connect to both of them. The first two are run normally, the rest are run like:
bitcoin -connect=<IP1> -connect=<IP2>

376 43 1 1266341800 376 0 xx 1 Re: Proof-of-work difficulty increasing
[quote author=Suggester link=topic=43.msg361#msg361 date=1266286549]
Satoshi, I figured it will take my modern core 2 duo about 20 hours of nonstop work to create ฿50.00! With older PCs it will take forever. People like to feel that they "own" something as soon as possible, is there a way to make the generation more divisible?
So say, instead of making ฿50 every 20 hours, make ฿5 every 2 hours?
[/quote]
I thought about that but there wasn't a practical way to do smaller increments. The frequency of block generation is balanced between confirming transactions as fast as possible and the latency of the network.

The algorithm aims for an average of 6 blocks per hour. If it was 5 bc and 60 per hour, there would be 10 times as many blocks and the initial block download would take 10 times as long. It wouldn't work anyway because that would be only 1 minute average between blocks, too close to the broadcast latency when the network gets larger.

388 43 1 1266429483 388 0 xx 1 Re: Proof-of-work difficulty increasing
[quote author=Sabunir link=topic=43.msg372#msg372 date=1266310311]
. Perhaps it has to do with my connection's very high latency (2000ms or more on average)
[/quote]
2 seconds of latency in both directions should reduce your generation success by less than 1%.

[quote author=Sabunir link=topic=43.msg372#msg372 date=1266310311]
and/or my high packet loss (sometimes up to 10% loss)?
[/quote]
Probably OK, but I'm not sure. The protocol is designed to resync to the next message, and messages get re-requested from all the other nodes you're connected to until received. If you miss a block, it'll also keep requesting it every time another block comes in and it sees there's a gap. Before the original release I did a test dropping 1 out of 4 random messages under heavy load until I could run it overnight without any nodes getting stuck.

389 47 1 1266434383 389 0 xx 1 Re: Bitcoin client and website translation
I updated the SVN with changes to support translation.
Translatable strings are all enclosed in _(""), and we're using UTF-8 on all platforms.

When the program runs, it looks in the directory of the EXE for the file: locale\<langcode>\LC_MESSAGES\bitcoin.mo

<langcode> is the two letter code of the language your OS is set to, like "de" or "nl".

On Linux, it also looks for:
/usr/share/locale/<langcode>/LC_MESSAGES/bitcoin.mo
/usr/local/share/locale/<langcode>/LC_MESSAGES/bitcoin.mo
(are there other standard places it should look on linux?)

Here's a quick walkthrough using poedit to make a .po and .mo file:

- Download the bitcoin sourcecode from SVN
- In the trunk directory, mkdir locale\<lang>\LC_MESSAGES
- In poedit, File->New catalog->Paths tab
- Click the "New item" dotted rectangle button
- Put "../../.." and MAKE SURE TO PRESS ENTER to add the path
- Click OK
- Save the file as "bitcoin.po" in the LC_MESSAGES directory you made
- It should then scan the sourcecode and find about 170 strings
- If it didn't find anything, check Catalog->Settings->Path tab, make sure the "../../.." was added

When you're done translating, commit both bitcoin.po (the editable catalog file) and bitcoin.mo (compiled data used by the program).

413 58 6 1266723828 413 0 xx 1 Re: Number of connections
Nodes stop trying to initiate connections once they have 15. If you can accept incoming connections, then you can get well above that from nodes connecting to you, otherwise you max out at 15.

I don't know if there's any reason to have 15 connections. Maybe it should be 10.

Since nodes that can only connect out are probably at or near 15 most of the time now, you should level off to an equilibrium. 45 suggests a ratio of 3 out-only nodes to every 1 in-accepting node.

The number of connections won't be a good gauge of the size of the network any more.
Someone should periodically IRC to the bitcoin channel on chat.freenode.net and count the number of users. That gives you the total count of network nodes (except TOR nodes).

Block generation is again running ahead of pace. We're in for another big step up in difficulty at the next adjustment in about 5 days.

414 59 1 1266725993 2877 1279126387 satoshi xx 1 Post your static IP
It would be nice to have a list of static IPs for new users to send test donations to so they can see how the software works. If you can accept incoming connections and you have a static IP address, post it here!

Anything sent to these IPs should be considered a donation.

If you do request a round-trip, be sure to include your return bitcoin address or IP in the comment, but please assume it'll be one-way. They won't necessarily be watching for incoming transactions to send back.

415 57 7 1266731064 415 0 xx 1 Re: Current Bitcoin economic model is unsustainable
Excellent analysis, xc.

A rational market price for something that is expected to increase in value will already reflect the present value of the expected future increases. In your head, you do a probability estimate balancing the odds that it keeps increasing.

In the absence of a market to establish the price, NewLibertyStandard's estimate based on production cost is a good guess and a helpful service (thanks). The price of any commodity tends to gravitate toward the production cost. If the price is below cost, then production slows down. If the price is above cost, profit can be made by generating and selling more.
At the same time, the increased production would increase the difficulty, pushing the cost of generating towards the price.

In later years, when new coin generation is a small percentage of the existing supply, market price will dictate the cost of production more than the other way around.

At the moment, generation effort is rapidly increasing, suggesting people are estimating the present value to be higher than the current cost of production.

426 60 1 1266788881 426 0 xx 1 UI improvements
Uploaded some UI changes to SVN as version 0.2.5.

Instead of View->Show Generated, we now have tabs:
- All Transactions
- Sent/Received
- Sent
- Received

Makes it a lot easier to flip to received and check for payments.

Moved the "Your Addresses" book inside the main address book. It was confusing having two address books.

I found the "To:" in "From: unknown, To: (one of your bitcoin addresses)" still confusing, so I changed it to "From: unknown, Received with:". The bitcoin address is abbreviated so you can see the label that you set in the Receiving tab of the address book.

Fixed a few UI glitches from the upgrade to wxWidgets 2.9.0.

I haven't forgotten about you people who want non-UI, but I had to do some fun stuff before more build bashing.

433 61 1 1266886196 433 0 xx 1 Re: generation slowed down dramatically
Just a random streak of bad luck. It looks steady to me.

Competition doesn't have an effect until the next automatic retarget adjustment, and we haven't reached the next one yet.

The adjustments are every 2016 blocks. To calculate our progress towards the next one, divide the block total by 2016. The fractional part is how far we are to the next one.

My back-of-the-envelope projection: 42032 blocks/2016 = 20.85 = 85% of the way. About 1.5 days to go until the next one.
That'll only be about 10 days since the last one, the target is

9676 820 6 1281933419 9676 0 xx 1 Re: tcatm's 4-way SSE2 for Linux 32/64-bit is in 0.3.10
[quote author=jgarzik link=topic=820.msg9665#msg9665 date=1281929728]
[code]cpu family	: 6
model		: 26
model name	: Genuine Intel(R) CPU 000 @ 3.20GHz
stepping	: 4[/code]
[/quote]
cpu family 6 model 26 stepping 4 is an Intel Core i7.
That's a 23% speedup with -4way, 63% total speedup with -4way + hyperthreading.
33% faster with hyperthreading than without it.

9734 823 6 1281963578 9734 0 xx 1 Re: overflow bug SERIOUS
It looks like we overtook the bad chain somewhere around 74689. 0.3.9 and lower nodes have been responding with the current block number for some hours now.

That means it's no longer necessary to delete blk*.dat before upgrading. You can just upgrade and it'll reorg away the bad block chain.

Thanks to everyone for the quick response!

9736 820 6 1281965881 9736 0 xx 1 Re: tcatm's 4-way SSE2 for Linux 32/64-bit is in 0.3.10
I wrapped sha256.cpp in
#ifdef FOURWAYSSE2
#endif // FOURWAYSSE2

try it now.

9754 832 6 1281972354 9812 1281989218 satoshi xx 1 Re: [PATCH] Automatic block validation
That's a difficult approach.

We need to cause a reorg, which will disconnect the invalid chain.

This is code that will rarely ever get tested, and is fairly intricate, so something simple and safe is best.

Here's what I was thinking of. (I haven't tested this yet) It checks all the blocks in the main chain. If it finds a bad one, it sets all that chain's bnChainWork to 0 so it can't win best chain again, and it reduces best chain work to the fork level so any new block after the fork will cause a reorg. (It can't change pindexBest without actually doing a reorg)

This isn't perfect yet. It still needs to receive one valid block to trigger the reorg.

It would probably be possible to initiate an AddToBlockIndex or Reorganize after the check, but it would require a lot more careful attention. I probably should break out part of AddToBlockIndex that sets the new best block. I'll probably end up doing that instead of the code below.

[code]
bool CTxDB::LoadBlockIndex()
{
    ...

    // Verify blocks in the main chain
    vector<CBlockIndex*> vChain;
    for (CBlockIndex* pindex = pindexBest; pindex && pindex->pprev; pindex = pindex->pprev)
    {
        vChain.push_back(pindex);
        CBlock block;
        if (!block.ReadFromDisk(pindex))
            return error("LoadBlockIndex() : block.ReadFromDisk failed");
        if (!block.CheckBlock())
        {
            bnBestChainWork = pindex->pprev->bnChainWork;
            foreach(CBlockIndex* pindex2, vChain)
                pindex2->bnChainWork = 0;
        }
    }

    return true;
}
[/code]

9757 837 6 1281974365 9757 0 xx 1 blocks minus 1
I'd like to reduce the number of blocks displayed in the status bar by 1. When you first load the program, it'll display 0 blocks instead of 1:
"0 connections 0 blocks 0 transactions"

It's always been "nBestHeight + 1" because it's counting the genesis block. Technically, yes, the genesis block is a block. It's a hardcoded block that you start out with. You can't [i]not[/i] have the genesis block. Maybe think of it as a reference coin that you measure other coins against. The block count people are looking for is the number of blocks they've downloaded.

The main benefit is that blocks will be equal to the block number of the current best block. If blocks is 10, then the highest block number you have is 10.
It means you have block 10 and you don't have block 11.

It would reduce the confusion we had here:

[quote author=kencausey link=topic=823.msg9588#msg9588 date=1281915926]
[quote author=davidonpda link=topic=823.msg9580#msg9580 date=1281915097]
... It already is on block 74638. I assume that means that block is now a good one?
[/quote]

I had some confusion on this myself and got clarification in #bitcoin-dev:

The bad block was number 74638, the last good one was 74637. The numbers start at 0, so when your client shows there are 74638 blocks then that means you have up to block number 74637, the last good one.
[/quote]

9774 837 6 1281978387 9774 0 xx 1 Re: blocks minus 1
Done in SVN rev 137

9775 832 6 1281978482 9793 1281984613 satoshi xx 1 Re: [PATCH] Automatic block validation
[quote author=satoshi link=topic=832.msg9754#msg9754 date=1281972354]
It would probably be possible to initiate an AddToBlockIndex or Reorganize after the check, but it would require a lot more careful attention. I probably should break out part of AddToBlockIndex that sets the new best block. I'll probably end up doing that instead of the code below.
[/quote]
This is what I ended up doing in SVN rev 139.

Instead of deleting the bad chain, I added an extra CheckBlock to ConnectBlock so bad blocks can't get back into the best chain once they're kicked out.

9813 841 6 1281989266 9813 0 xx 1 Checking the block chain on load
SVN rev 139 does a basic check of the block chain after loading.

With this we wouldn't have needed to delete blk*.dat, it would have automatically done a reorg back to the fork. There wasn't time to do a careful implementation of this at the time.

It might take longer than we want, since it has to load all the blocks. If it's too slow, we could have it only go back to a certain block number.
9816 834 1 1281990053 9816 0 xx 1 Re: checkpointing the block chain
There is no way for the software to automatically know if one chain is better than another except by the greatest proof-of-work. In the design it was necessary for it to switch to a longer chain no matter how far back it has to go.

The only exception to that is the manual checkpoints I've added. If it weren't for those, it would be able to reorg all the way back to the first block.

9841 823 6 1281999295 9841 0 xx 1 Re: overflow bug SERIOUS
Un-upgraded nodes have the correct chain most of the time, but they are still trying to include the overflow transaction in every block, so they're continually trying to fork and generate invalid blocks. If an old version node is restarted, its transaction pool is emptied, so it may generate valid blocks for a while until the transaction gets broadcast again. 0.3.9 and lower nodes still must upgrade.

The SVN now has the code we needed to automatically reorg the block chain without having to delete the blk*.dat files manually. I knew I couldn't write that code fast and carefully enough yesterday, so I went with the quick manual option.

9843 834 1 1281999708 9843 0 xx 1 Re: checkpointing the block chain
[quote author=NewLibertyStandard link=topic=834.msg9839#msg9839 date=1281998548]
How is the strength of the chain calculated?
[/quote]
Total proof-of-work.

10067 850 1 1282150724 10067 0 xx 1 Re: New screenshots to the front page?
Definitely. The old screenshots of 0.1 are very outdated.

Windows Aero is a good choice. Windows is still the largest user group. Mind what's behind it for the transparent parts.

What to have displayed in the transaction list? Not completely filled up with stuff, just a few things.

10076 846 6 1282154500 10076 0 xx 1 Re: Difficulty: More nodes active, or faster nodes?
The performance numbers posted from a VIA C7's hardware SHA-256 weren't astronomical.
Only in the 1500 khash/s range. If you think about it, just because it's implemented in hardware doesn't mean it's crazy fast. It still has to do all the steps. It's only if simplifying it down to single-purpose hardware makes it small enough to fit many in parallel. That's not necessarily easy or a given.

10082 841 6 1282156108 10082 0 xx 1 Re: Checking the block chain on load
In the next SVN rev, I'll make it only go back to the last checkpoint at block 74000. If we need to correct a problem in the future, we can always make sure it goes back at least as far back as the problem. Also, I'm adding code to verify the block index, which means the proof-of-work chain is checked.

Still, the system won't be entirely secure against your blk*.dat files. You are trusting someone if you use a copy of their blk files.

10272 867 6 1282243476 10272 0 xx 1 Re: Convert Bitcoin to GTK: Yes? No? wx is better?
[quote author=BioMike link=topic=867.msg10226#msg10226 date=1282205118]
WxWidgets is not really a problem. My problem is the version that is used (2.9), which is considered unstable by many distro packagers (although the WxWidgets devs say it isn't). On the other side, as far as I know WxWidgets uses gtk under Linux for drawing the whole stuff and makes it for the bitcoins devs easy to make things cross platform.
[/quote]
wxWidgets 2.9 is their first UTF-8 version. We are UTF-8 on all platforms including Windows.

The distro packages of 2.8 are UTF-16, so they just trip people up. People had endless build problems with 2.8 and its wxString UTF-16/ANSI conditional build options until we standardized on 2.9. Also, to use 2.8, we were using ANSI, which was just a temporary stopgap until wxWidgets supported UTF-8.

This is a problem that will solve itself. With time, 2.9 will become a more mainline release.
10275 868 6 1282244148 10275 0 xx 1 Re: HOWTO: Compiling Bitcoin on Ubuntu 10.04 (Karmic)
That's a really well written walkthrough. Someone should confirm if they followed it and didn't run into any snags.

10281 820 6 1282244863 10281 0 xx 1 Re: tcatm's 4-way SSE2 for Linux 32/64-bit is in 0.3.10
[quote author=Ground Loop link=topic=820.msg10167#msg10167 date=1282173266]
Any non-Mac i5 love?
Windows i5 64-bit got slower here.
[/quote]
That's the first I've heard anyone say i5 was slower. Everyone else has said 4way was faster on i5. More so with hyperthreading enabled.

[quote author=nelisky link=topic=820.msg10164#msg10164 date=1282172545]
And i5, at least on my macbookpro
[/quote]
Good, so I take it that's a confirmation that it's working on Mac as well?

Laszlo told me he did compile in the -4way stuff on Mac, so the -4way switch is also available to try on Mac. I don't think makefile.osx on SVN has it yet, just the built version.

10290 862 4 1282246830 10290 0 xx 1 Re: 28 days without generation, i have 4200khash/s
Make sure your computer's date and time are correct.

10297 873 4 1282248841 10297 0 xx 1 Need a post writing up some things users should know
I'm not sure what to call it, but we could use a post that lists these things users should know. If someone has time to write it, here's the list:

- Make sure your clock is set correctly.

- Microsoft Security Essentials. This never got written up proper.

- Warning not to mess around with your wallet.dat file. It's a database file, it's not as simple as you think. In this Beta version, we haven't had time to try and tinker-proof it yet. It may not work as expected if you start swapping it around.

10300 870 4 1282249730 10300 0 xx 1 Re: Hypothetical question on lost coins / transfers
That's right.
You don't need to be re-broadcasting your transactions for it to work.

When any node disconnects a fork, it dumps all the transactions from the fork back into the transaction pool to add to the new chain. The entire network is making sure to re-integrate your transactions again. All you should see is that your number of confirmations starts over from 0.

In some types of forks, your transaction would have gotten into both forks already, so you're already good either way.

10715 873 4 1282517460 10715 0 xx 1 Re: Need a post writing up some things users should know
The clock part will be covered in the next release (0.3.11 or higher). SVN rev 141 pops up a message box if your clock is too far off.

10717 862 4 1282518062 10717 0 xx 1 Re: 28 days without generation, i have 4200khash/s
Search debug.log for "proof-of-work found". If you find any, then check for any errors right after that.

[quote author=davidonpda link=topic=862.msg10291#msg10291 date=1282246981]
How big of a margin on the time is allowed for things to work right.
[/quote]
The margin is 2 hours.

This should be solved in SVN rev 141 and the next release (0.3.11+). It'll pop up a message box alerting you if your clock is off by more than an hour.

10720 820 6 1282519310 10720 0 xx 1 Re: tcatm's 4-way SSE2 for Linux 32/64-bit is in 0.3.10
Thanks for clearing that up. I read the link someone posted about AMD making that change around 2007, but I didn't know what the story was for Intel.

There's no hope for Core/Core2 then. They only have half the SSE2 hardware.

Strange that Intel has 3 128bit units, but AMD with 2 128bit units is the faster one.

10722 898 6 1282521306 11150 1282751853 satoshi xx 1 Development of alert system
I've been working on writing the alert system. Alerts are broadcast through the network and apply to a range of version numbers.
Alert messages are signed with a private key that only I have.

Nodes can do two things in response to an alert:
- Put a warning message on the status bar.
- Make the money handling methods of the json-rpc interface return an error.

In cases like the overflow bug or a fork where users may not be able to trust received payments, the alert should keep old versions mostly safe until they upgrade. Manual users should notice the status bar warning that way is a non-obvious trap.

[quote author=jgarzik link=topic=2151.msg28301#msg28301 date=1291849642]
[quote author=satoshi link=topic=2151.msg28292#msg28292 date=1291847805]
3) A transaction can be replaced by a double-spend with a different txid. You would count both spends.
[/quote]
listtransactions does not add anything to this problem, beyond that which is already vulnerable through listreceivedbyaddress.
[/quote]
Suppose both spends are to the same address. getreceivedbyaddress would always count only one or the other spend at any given time, never both.

Using listtransactions, it would be very easy to count both. You see the first spend, you count it. You see the second spend, you count it. Total is double counted.

28533 2162 6 1291905425 28533 0 xx 1 Re: Version 0.3.18
New transaction templates can be added as needed. Within a few days, there will be plenty of GPU power that accepts and works on it. Network support will be thorough [i]long before[/i] there'll be enough clients who understand how to receive and interpret the new transaction.

Timestamp hashes are still already possible:

txin: 0.01
txout: 0.00 <appid, hash> OP_CHECKSIG
fee: 0.01

If there's an actual application like BitDNS getting ready to actually start inserting hashes, we can always add a specific transaction template for timestamps.

I like Hal Finney's idea for user-friendly timestamping.
Convert the hash of a file to a bitcoin address and send 0.01 to it:

[quote author=Hal link=topic=2077.msg27173#msg27173 date=1291592636]
I thought of a simple way to implement the timestamp concept I mentioned above. Run sha1sum on the file you want to timestamp. Convert the result to a Bitcoin address, such as via http://blockexplorer.com/q/hashtoaddress . Then send a small payment to that address.

The money will be lost forever, as there is no way to spend it further, but the timestamp Bitcoin address will remain in the block chain as a record of the file's existence.

I understand that this is arguably not a good use of the Bitcoin distributed database, but nothing stops people from doing this so we should be aware that it may be done.
[/quote]

28549 2162 6 1291907873 28549 0 xx 1 Re: Version 0.3.18
I came to agree with Gavin about whitelisting when I realized how quickly new transaction types can be added.

[quote author=nanotube link=topic=2162.msg28434#msg28434 date=1291875545]
why not make it easier on everyone and just allow say, 64 or 128 bytes of random data in a transaction?
[/quote]
That's already possible. <pubkey> OP_CHECKSIG. <pubkey> can be 33 to 120 bytes.

I also support a third transaction type for timestamp hash sized arbitrary data. There's no point not having one since you can already do it anyway. It would tell nodes they don't need to bother to index it.

28640 2151 6 1291918088 28640 0 xx 1 Re: JSON-RPC method idea: list transactions newer than a given txid
[quote author=jgarzik link=topic=2151.msg28330#msg28330 date=1291856285]
I agree with you and satoshi about "txs after <txid>".
My listtransactions (now xlisttransactions) patch pointedly does not have that feature, and never has.
[/quote]
As long as the interface is designed for things like showing the user the last N transactions history, it's fine, now that we have the Accounts feature making it easier to do payment detection the right way.

Gavin, could listtransactions have an option to list transactions for all accounts?

I'm not sure what the interface could be, maybe:
listtransactions <JSON null type> [count]

It would be hard to do that from the command line though.

I can't think of a good solution for the interface, that's the problem. Maybe "*" special case like "" is. Everyone would have to make sure no user can create account name "*".

[quote author=jgarzik link=topic=2151.msg28572#msg28572 date=1291911230]
Sure, and that's easy enough to track with transactions.
[/quote]
I don't get how that's "easy" to track with transactions.

28643 644 6 1291919325 28643 0 xx 1 Re: Automated nightly builds
Thanks for setting this up Cdecker.

Is there any chance of getting it to build the GUI version also? If this is Ubuntu, if you get wxWidgets 2.9.0 it should just be a matter of following the steps in build-unix.txt exactly. Is this an environment where you can build wxWidgets once and leave it there and just keep using it?

28696 1790 1 1291928562 28696 0 xx 1 Re: BitDNS and Generalizing Bitcoin
I think it would be possible for BitDNS to be a completely separate network and separate block chain, yet share CPU power with Bitcoin. The only overlap is to make it so miners can search for proof-of-work for both networks simultaneously.

The networks wouldn't need any coordination. Miners would subscribe to both networks in parallel. They would scan SHA such that if they get a hit, they potentially solve both at once.
A solution may be for just one of the networks if one network has a lower difficulty.

I think an external miner could call getwork on both programs and combine the work. Maybe call Bitcoin, get work from it, hand it to BitDNS getwork to combine into a combined work.

Instead of fragmentation, networks share and augment each other's total CPU power. This would solve the problem that if there are multiple networks, they are a danger to each other if the available CPU power gangs up on one. Instead, all networks in the world would share combined CPU power, increasing the total strength. It would make it easier for small networks to get started by tapping into a ready base of miners.

28715 1790 1 1291934810 28720 1291936748 satoshi xx 1 Re: BitDNS and Generalizing Bitcoin
[quote author=nanotube link=topic=1790.msg28700#msg28700 date=1291929640]
seems that the miner would have to basically do "extra work". and if there's no reward from the bitdns mining from the extra work (which of course, slows down the main bitcoin work), what would be a miner's incentive to include bitdns (and whatever other side chains) ?
[/quote]
The incentive is to get the rewards from the extra side chains also for the same work.

While you are generating bitcoins, why not also get free domain names for the [i]same work[/i]?

If you currently generate 50 BTC per week, now you could get 50 BTC and some domain names too.

You have one piece of work. If you solve it, it will solve a block from both Bitcoin and BitDNS. In concept, they're tied together by a Merkle Tree. To hand it in to Bitcoin, you break off the BitDNS branch, and to hand it in to BitDNS, you break off the Bitcoin branch.

In practice, to retrofit it for Bitcoin, the BitDNS side would have to have maybe ~200 extra bytes, but that's not a big deal.
You've been talking about 50 domains per block, which would dwarf that little 200 bytes per block for backward compatibility. We could potentially schedule a far in future block when Bitcoin would upgrade to a modernised arrangement with the Merkle Tree on top, if we care enough about saving a few bytes.

Note that the chains are below this new Merkle Tree. That is, each of Bitcoin and BitDNS have their own chain links inside their blocks. This is inverted from the common timestamp server arrangement, where the chain is on top and then the Merkle Tree, because that creates one common master chain. This is two timestamp servers not sharing a chain.

28729 2181 6 1291939134 28729 0 xx 1 Re: Fees in BitDNS confusion
Not locktime.

There's a possible design for far in the future:

You intentionally write a double-spend. You write it with the same inputs and outputs, but this time with a fee. When your double-spend gets into a block, the first spend becomes invalid. The payee does not really notice, because at the moment the new transaction becomes valid, the old one becomes invalid, and the new transaction simply takes its place.

It's easier said than implemented. There would be a fair amount of work to make a client that correctly writes the double-spend, manages the two versions in the wallet until one is chosen, handles all the corner cases. Every assumption in the existing code is that you're not trying to write double-spends.

There would need to be some changes on the Bitcoin Miner side also, to make the possibility to accept a double-spend into the transaction pool, but only strictly if the inputs and outputs match and the transaction fee is higher. Currently, double-spends are never accepted into the transaction pool, so every node bears witness to which transaction it saw first by working to put it into a block.
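The Merkle-tree coupling Satoshi sketches in the BitDNS thread above (one piece of work; each chain's block is a leaf with its own chain link inside; to hand the work in to one chain you break off the other chain's branch), as an added Python example that is neither Satoshi's nor Bitcoin's code. The leaf contents, the two targets and the header layout (root || nonce) are constructed assumptions for illustration; a real retrofit would carry the extra bytes inside the Bitcoin coinbase, as the post notes.

```python
import hashlib
import struct

# Constructed difficulty targets: a PoW hash read as a big-endian integer must be
# below the target, so "Bitcoin" here demands 16 leading zero bits and "BitDNS" only 8.
BTC_TARGET = 1 << (256 - 16)
DNS_TARGET = 1 << (256 - 8)


def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def _pair_up(level):
    # Bitcoin-style pairing: an odd level duplicates its last hash first.
    if len(level) % 2:
        level = level + [level[-1]]
    return [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        level = _pair_up(level)
    return level[0]


def merkle_branch(leaves, index):
    """Sibling hashes from leaves[index] up to the root: the 'branch' a miner breaks
    off for one chain, so that chain never needs the other chain's block contents."""
    branch, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        branch.append(level[index ^ 1])
        level = _pair_up(level)
        index //= 2
    return branch


def root_from_branch(leaf: bytes, index: int, branch) -> bytes:
    node = leaf
    for sibling in branch:
        node = dsha256(sibling + node) if index & 1 else dsha256(node + sibling)
        index //= 2
    return node


def pow_value(root: bytes, nonce: int) -> int:
    # The shared piece of work is just root || nonce. Each chain's prev-link lives
    # inside its own leaf, so the chains sit below the tree instead of sharing a chain.
    return int.from_bytes(dsha256(root + struct.pack("<I", nonce)), "big")


def mine(root: bytes, target: int, start: int = 0, limit: int = 1 << 22):
    for nonce in range(start, start + limit):
        if pow_value(root, nonce) < target:
            return nonce
    return None


def verify_submission(leaf: bytes, index: int, branch, nonce: int, target: int) -> bool:
    """What one chain checks on hand-in: its block is committed under the root the work
    was done on, and that work meets this chain's own target (not the other chain's)."""
    return pow_value(root_from_branch(leaf, index, branch), nonce) < target


def run_demo() -> dict:
    btc_leaf = dsha256(b"constructed Bitcoin block candidate, prev-link inside")
    dns_leaf = dsha256(b"constructed BitDNS block candidate, prev-link inside")
    leaves = [btc_leaf, dns_leaf]
    root = merkle_root(leaves)
    btc_branch, dns_branch = merkle_branch(leaves, 0), merkle_branch(leaves, 1)

    # One search. A hash good enough for the harder chain is good enough for both.
    nonce = mine(root, BTC_TARGET)
    out = {
        "btc_accepts": verify_submission(btc_leaf, 0, btc_branch, nonce, BTC_TARGET),
        "dns_accepts": verify_submission(dns_leaf, 1, dns_branch, nonce, DNS_TARGET),
    }

    # A weaker hit meets only the easier target: a BitDNS block, not a Bitcoin one.
    n = 0
    while True:
        n = mine(root, DNS_TARGET, start=n)
        if pow_value(root, n) >= BTC_TARGET:
            break
        n += 1
    out["dns_only_btc_accepts"] = verify_submission(btc_leaf, 0, btc_branch, n, BTC_TARGET)
    out["dns_only_dns_accepts"] = verify_submission(dns_leaf, 1, dns_branch, n, DNS_TARGET)

    # Substituting a different Bitcoin block under the same branch changes the root, so
    # the proof no longer covers it: the work cannot be reused for a block it never committed to.
    other_btc = dsha256(b"constructed substitute Bitcoin block")
    out["tampered_rejected"] = not verify_submission(other_btc, 0, btc_branch, nonce, BTC_TARGET)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```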
[topic=1790.msg28917 date=1292002168] Re: BitDNS and Generalizing Bitcoin

Piling every proof-of-work quorum system in the world into one dataset doesn't scale.

Bitcoin and BitDNS can be used separately. Users shouldn't have to download all of both to use one or the other. BitDNS users may not want to download everything the next several unrelated networks decide to pile in either.

The networks need to have separate fates. BitDNS users might be completely liberal about adding any large data features since relatively few domain registrars are needed, while Bitcoin users might get increasingly tyrannical about limiting the size of the chain so it's easy for lots of users and small devices.

Fears about securely buying domains with Bitcoins are a red herring. It's easy to trade Bitcoins for other non-repudiable commodities.

If you're still worried about it, it's cryptographically possible to make a risk-free trade. The two parties would set up transactions on both sides such that when they both sign the transactions, the second signer's signature triggers the release of both. The second signer can't release one without releasing the other.
[topic=2202.msg28947 date=1292008863] Accounts example code

Some sample pseudocode using the new Accounts-based commands in 0.3.18.

print "send to " + getaccountaddress(username) + " to fund your account"
print "balance: " + getbalance(username, 0)
print "available balance: " + getbalance(username, 6)

// if you make a sale, move the money from their account to your "" account
if (move(username, "", amount, 6, "purchased item"))
 SendTheGoods()

// withdrawal
sendfrom(username, bitcoinaddress, amount, 6, "withdrawal by user")

You can use listtransactions(username) to show them a list of their recent transactions.

[topic=1790.msg28959 date=1292010912] Re: BitDNS and Generalizing Bitcoin

[quote author=Hal link=topic=1790.msg28938#msg28938 date=1292008444]
additional block chains would each create their own flavor of coins, which would trade with bitcoins on exchanges? These chain-specific coins would be used to reward miners on those chains, and to purchase some kinds of rights or privileges within the domain of that chain?
[/quote]
Right, the exchange rate between domains and bitcoins would float.

A longer interval than 10 minutes would be appropriate for BitDNS.

So far in this discussion there's already a lot of housekeeping data required. It will be much easier if you can freely use all the space you need without worrying about paying fees for expensive space in Bitcoin's chain. Some transactions:

Changing the IP record.

Name change. A domain object could entitle you to one domain, and you could change it at will to any name that isn't taken. This would encourage users to free up names they don't want anymore. Generated domains start out blank and the miner sells it to someone who changes it to what they want.

Renewal. Could be free, or maybe require consuming another domain object to renew.
In that case, domain objects (domaincoins?) could represent the right to own a domain for a year. The spent fee goes to the miners in the next block fee.

[topic=1790.msg28963 date=1292012379] Re: BitDNS and Generalizing Bitcoin

I agree. All transactions, IP changes, renewals, etc. should have some fee that goes to the miners.

You might consider a certain amount of work to generate a domain, instead of a fixed total circulation. The work per domain could be on a schedule that grows with Moore's Law. That way the number of domains would grow with demand and the number of people using it.

[topic=1790.msg29159 date=1292072910] Re: BitDNS and Generalizing Bitcoin

@dtvan: all 3 excellent points.
1) IP records don't need to be in the chain, just do registrar function not DNS. And CA problem solved, neat.
2) Pick one TLD, .web +1.
3) Expiration and significant renewal costs, very important.

[quote author=joe link=topic=1790.msg29130#msg29130 date=1292064838]
However, thinking more about this now I support inclusion of additional coinbases / tracking systems in the main network. The reason for doing this is so as not to water down CPU power into multiple networks. We want one strong network, so the network should be versatile.
[/quote]
Avoiding CPU power fragmentation is no longer a reason. Independent networks/chains can share CPU power without sharing much else. See: http://www.bitcoin.org/smf/index.php?topic=1790.msg28696#msg28696 and http://www.bitcoin.org/smf/index.php?topic=1790.msg28715#msg28715

[topic=2208.msg29165 date=1292074357] Re: Bitcoin and buffer overflow attacks

[quote author=da2ce7 link=topic=2208.msg29095#msg29095 date=1292046562]
direct to IP address transfers seems like an obvious surface area to attack.
[/quote]
If you ever find anyone who turned it on. It's disabled by default.

[topic=16.msg73 date=1261003536] Bitcoin 0.2 released!
Bitcoin version 0.2 is here!

Download links:
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.2.0-win32-setup.exe/download
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.2.0-win32.zip/download
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.2.0-linux.tar.gz/download

New Features

Martti Malmi
 - Minimize to system tray option
 - Autostart on boot option so you can keep it running in the background automatically
 - New options dialog layout for future expansion
 - Setup program for Windows
 - Linux version (tested on Ubuntu)
Satoshi Nakamoto
 - Multi-processor support for coin generation
 - Proxy support for use with TOR
 - Fixed some slowdowns in the initial block download

Major thanks to Martti Malmi (sirius-m) for all his coding work and for hosting the new site and this forum, and New Liberty Standard for his help with testing the Linux version.

[topic=12.msg77 date=1261075086] Re: A few suggestions

That's good, is it running fine on FreeBSD?

I committed the changes to headers.h. For consistency, I used __BSD__. The complete list of defines is at http://docs.wxwidgets.org/stable/wx_cppconst.html
#ifdef __BSD__
#include <netinet/in.h>
#endif

malloc.h is only needed on Windows, I'll move that into the __WXMSW__ section before it causes any more trouble.

[topic=12.msg79 date=1261157868] Re: A few suggestions

What you can currently do is set "Minimize to the tray" in options, then run it as "bitcoin -min" so it starts minimized. The only visible part will be a small (20x20) icon on the tray, which can be double-clicked if you want to access the UI.
Note: there's a bug with tray icons sometimes disappearing on 64-bit Karmic Koala, not sure if it's from 64-bit or Karmic, it was fine on 32-bit Jaunty.

We didn't have time to implement the "Start Bitcoin on system startup" feature on Linux in time for 0.2 so it's greyed out. I figured Linux people wouldn't mind doing that manually anyway. I guess they need to know about the -min switch to do it right.

You can locate the data directory where you want with the "-datadir=<directory>" switch. I know someone is already doing that to put it on a TrueCrypt USB drive.

[topic=17.msg85 date=1262721646] Re: Is my second Transaction working correctly? +Transfer Question

The transfer is immediate if you send by IP address. If you send by bitcoin address and the recipient isn't online at the time, it might take 30 minutes or more to see it.

Also, the recipient needs to be synced up with the block chain before it'll see the received transaction. That means the status bar at the bottom needs to say at least 33000 blocks, like "x connections 33200 blocks x transactions".

[quote author=sirius-m link=topic=17.msg84#msg84 date=1262654406]
[quote]
However, once that transaction was complete, a new transaction hasn't started. Or maybe it has. There's only one transaction in the list but I'm up to 131 Blocks under "Status". Is this the way it's supposed to happen? Does it keep processing on the same transaction and generating coins every 120 blocks or so? Or is it supposed to start a new transaction?
[/quote]

The number of blocks of a transaction is the amount of new blocks that have been generated by the whole network after the transaction. Each new block in the chain means new coins to its creator. One "generated" transaction in your transaction list means that you have generated one block.
You're not the first one to find the concept of a "block" a bit confusing at first sight.
[/quote]

Would it be clearer if the status said "x confirmations", like:
2/unconfirmed
3/unconfirmed
4/unconfirmed
5/unconfirmed
6 confirmations
7 confirmations
8 confirmations

Each block essentially means another node has confirmed that it agrees with all transactions up to that point.

[topic=18.msg97 date=1263500240] Re: 64bit support

I haven't tried compiling 64-bit yet. 64-bit wouldn't make it any faster, since it uses 64-bit numbers in only a few places and SHA-256 is a 32-bit algorithm, but it may be convenient for those running a 64-bit OS. If I get a chance I'll try -m64 and see what the problem is.

You can run the 32-bit version on 64-bit Linux by installing ia32-libs. (sudo apt-get install ia32-libs) If we made a Debian package, it could automatically pull that in as a dependency.

[topic=4.msg98 date=1263501396] Re: SMF Config Notes

Is there any reason to have e-mail confirmation?

If you're doing that out of spam concerns, I've already got that covered. I made some customizations to the registration HTML so any spambots designed for SMF won't be able to figure it out. The CAPTCHA image URL requires an extra parameter, and there are 3 different CAPTCHA images, but only one shows because the others have stuff like width=0 height=0.

[topic=21.msg112 date=1264018035] Re: Number of connections?

Coins generate at the same speed with any number of connections >= 1.

More connections just add redundancy. If you only had one connection, what if that node is slow or busy, or only connected to you? Having several connections increases the certainty that you're well connected to the network. That hasn't been a problem in practice, the network is very thoroughly connected. If you have 2 or 3 connections, you're fine.
[topic=22.msg113 date=1264025128] Re: TOR and I2P

I've been thinking about that for a while. I want to add the backend support for .onion addresses and connecting to them, then go from there.

There aren't many .onion addresses in use for anything because the user has to go through a number of steps to create one. Configure TOR to generate a .onion address, restart TOR, configure it with the generated address. Perhaps this is intentional to keep TOR so it can't be integrated into file sharing programs in any sufficiently automated way.

[topic=27.msg156 date=1264629147] Re: Bitcoin crash when sending coins

That is what happens if you copy wallet files around. If you copy your wallet file to a second computer, then they both think the money in the wallet is theirs. If one spends any of it, the other doesn't know those coins are already spent and would try to spend them again, and that's the error you would hit.

Now that it's clear this is a key error message, it ought to be something more like "the money appears to be already spent... this could happen if you used a copy of your wallet file on another computer."

You can move or backup your wallet file, but it needs to have only one "lineage" and only used in one place at a time. Any time you transfer money out of it, then you must no longer use any previous copies.

This brings up a good point. In the case of restoring a backup that may be from before you spent some coins, we need to add functionality to resync it to discover which coins have already been spent. This would not be hard to do, it just hasn't been implemented yet. I'll add it to the list. This would make it mostly repair the situation instead of giving that error message.

[topic=25.msg159 date=1264640508] Re: A newb's test - anyone want to buy a picture for $1?

Yes, it's a technical limitation. Sending by bitcoin address enters the transaction into the network and the recipient discovers it from the network.
You don't connect directly with them and they don't have to be online at the time.

I very much wanted to find some way to include a short message, but the problem is, the whole world would be able to see the message. As much as you may keep reminding people that the message is completely non-private, it would be an accident waiting to happen.

Unfortunately, ECDSA can only sign signatures, it can't encrypt messages, and we need the small size of ECDSA. RSA can encrypt messages, but it's many times bigger than ECDSA.

[topic=28.msg160 date=1264640913] Re: Blocks never stop generating?

Where it says "# blocks" in the status column I'm changing it to say "# confirmations". That might be clearer.

If you double-click on the transaction you get a little more information.

[topic=32.msg169 date=1264717768] Re: SSL certificate

I think I could receive @bitcoin.org, but I'd rather procrastinate on this and work on other things first. Is there a reason we need this sooner?

[topic=27.msg170 date=1264720082] Re: Bitcoin crash when sending coins

The resync idea would go through your wallet and check it against the block index to find any transactions that your current computer doesn't realize are already spent. That could happen if they were spent on another computer with a copy of the wallet file, or you had to restore the wallet to a backup from before they were spent. Currently, the software just assumes it always knows whether its transactions are spent because it marks them spent in wallet.dat when it spends them.

A wallet merge tool is possible to implement but much less in demand once resync solves most of the problem. With resync, you could do about the same thing by sending all the money from one wallet to the other. The receiver would resync and discover all its overlapping coins were spent, then receive them in the new transaction.

[topic=29.msg172 date=1264721169] Re: Payment server

That's the right way to do it as riX says.
The software can generate a new bitcoin address whenever you need one for each payment. "Please send X bc to [single-use bitcoin address] to complete your order" When the server receives that amount to the bitcoin address, that could trigger it to automatically fulfil the order or e-mail the shop owner.

Adding command line support is a high priority. It's just a matter of getting the time to code it.

[topic=25.msg173 date=1264724533] Re: A newb's test - anyone want to buy a picture for $1?

The recommended ways to do a payment for an order:
1) The merchant has a static IP, the customer sends to it with a comment.
2) The merchant creates a new bitcoin address, gives it to the customer, the customer sends to that address. This will be the standard way for website software to do it.

RSA vs ECDSA: it's not the size of the executable but the size of the data. I thought it would be impractical if the block chain, bitcoin addresses, disk space and bandwidth requirements were all an order of magnitude bigger. Also, even if using RSA for messages, it would still make sense to do all the bitcoin network with ECDSA and use RSA in parallel for only the message part. In that case, everything that's been implemented up to now would be implemented exactly as it has been.

We can figure out the best way to do this much later. It could use a separate (maybe existing) e-mail or IM infrastructure to pass messages, and instead of RSA, maybe just put a hash of the message in the transaction to prove that the transaction is for the order described in the message. The message would have to include a salt so nobody could brute force the hash to reveal a short message.

[topic=18.msg174 date=1264725769] Re: 64bit support

I committed a fix for 64-bit compile and some fixes to support wxWidgets 2.9.0.

There was one compile error in serialize.h with min(sizeof()) that I fixed for 64-bit.
The rest of the 64-bit compile errors I was getting were in wxWidgets 2.8.9, so I started working on supporting wxWidgets 2.9.0.

wxWidgets 2.9.0 is UTF-8. We've been using the ANSI version of wxWidgets 2.8.9 in anticipation of wxWidgets UTF-8 support.

I compiled and ran on 64-bit Ubuntu 9.10 Karmic.

I think the only bug left is where the status number is mashed up. I'm not sure why, I have to suspect it's a UTF-8 thing, but no idea how that could happen. Haven't looked into it.

build-unix.txt is updated and two makefiles on SVN:
makefile.unix.wx2.8
makefile.unix.wx2.9

Unfortunately there's still no Debian package for either version of wxWidgets we use. They only have the wchar ("unicode") version of wxWidgets 2.8, which is a disaster because wchar wxString doesn't convert to std::string. We use either ANSI wxWidgets 2.8, or wxWidgets 2.9. So you still have to get it and build it yourself.

[topic=32.msg175 date=1264726572] Re: SSL certificate

I didn't know all the forum links point to https. I always use https so I wouldn't have noticed. SMF is supposed to detect and give you the same as what you've got. If you're on an http page, then all the links should also be http. If that's not working then I need to fix it.

[topic=32.msg176 date=1264728923] Re: SSL certificate

OK, the problem was that $boardurl was switched to https://www.bitcoin.org/smf again. It's supposed to be http://www.bitcoin.org/smf and the software will replace http with https as needed. It always assumes the base $boardurl is http. It can't switch it in the other direction.

$boardurl is "Forum URL" under:
Admin->Server Settings->Core Configuration

The cause of the problem is that the default fill-in for "Forum URL" is the cooked $boardurl, with https in it.
So, if you are logged in with https, it fills it in with https, so if you submit that page as is, you change it to https.

It's an accident waiting to happen if you ever submit that page without changing the https to http each time that happens.

I switched it back to http, please double-check that all the links are now http if you're using the forum as http.

I don't have time to fix the admin page right now so

[topic=43.msg3565 date=1279305831] Re: Proof-of-work difficulty increasing

Right, the difficulty adjustment is trying to keep it so the network as a whole generates an average of 6 blocks per hour. The time for your block to mature will always be around 20 hours.

The recent adjustment put us back to close to 6 blocks per hour again.

There's a site where you can see the time between blocks, and since block 68545, it's been more like 10 minutes per block:
http://nullvoid.org/bitcoin/statistix.php

[topic=417.msg3579 date=1279309510] Sample account system using JSON-RPC needed

We need someone to write sample code, preferably Python or Java, showing the recommended way to use the JSON-RPC interface to create an account system. Most sites that sell things will need something like this. Someone who's kept up on the JSON-RPC threads here should have some idea how it should work.

When a user is logged in to their account, you show the bitcoin address they can send to to add funds. Before showing it, you check if it's been used, if it has then you replace it with a new one (getnewaddress <username>). You only need to keep the latest bitcoin address for the account in your database. (I posted a sample code fragment for this in an earlier thread somewhere, search on getnewaddress)

You use getreceivedbylabel <username> with the username as the label to get the "credit" amount of the account. You need to keep a "debit" amount in your database.
The current balance of the account is (credit - debit). When the user spends money, you increase debit.

If you're requiring more than 0 confirmations, it's nice if you show the current balance (0 confirmations) and the available balance (1 or more confirmations), so they can immediately see that their payment is acknowledged. Not all sites need to wait for confirmations, so the dual current & available should be optional. Most sites selling digital goods are fine to accept 0 confirmations.

A nice sample app for this would be a simple bank site, which would have the above, plus the option to send a payment to a bitcoin address. The sample code should be the simplest possible with the minimum extra stuff to make it a working site.

vekja.net is an example of a site like this.

[topic=383.msg3590 date=1279314417] Re: Bitcoin 0.3.1 released

I uploaded windows 0.3.1 rc1 and linux 0.3.1 rc2 to SourceForge and updated the links on the homepage.

You don't need to update to 0.3.1 unless you had one of the problems listed in the first post. If you've got it working already, stay with 0.3.0.

[topic=418.msg3601 date=1279317740] Re: DOS attack happening right now?

I'll take a look at the logs.

It could be someone's server farm all starting at once.

There have been some issues with garbage addr messages in previous versions. Not saying that's the problem now, just want to make you aware.

In 0.1.5 there was a bug where a socket could get closed twice, which (maybe only on linux) could end up closing another random socket that could get reopened by IRC. If that node was in the middle of receiving an addr message, IRC content could be converted into addr messages.

0.3.0 ignores addr messages from 0.1.5, but a 0.2.0 node could relay it.
I don't think there are any 0.1.5 nodes left anymore though.

In 0.2.9, I added a checksum to the message headers so no unintended messages can get into the system. The new verack message is part of the version negotiation used to switch to the new header. I'm embarrassed that I didn't do this originally, but I thought TCP already does that.

I have seen addr messages that are made of other addr messages shifted by 3 bytes. I added some filtering in 0.2.9 for that in net.h. The comment there explains how a 3-byte shift might happen if just the right bytes are garbled.

Garbage addr messages always have something else in the pchReserved field, so no nodes actually try to connect to the garbage addresses.

These problems should improve as more 0.2.0 nodes upgrade.

0.2.0 obsoletes on 20 Feb 2012. 0.3.0 nodes will require the checksum header on that date and refuse to talk to 0.2.0 nodes.

[topic=128.msg3605 date=1279318809] Re: A New Currency System for the World

[quote author=hugolp link=topic=128.msg1082#msg1082 date=1273315131]
When I run bitcoin it becomes very sluggish, almost unusable. When I stop bitcoin everything goes ok again. It's running Ubuntu desktop 10.04 amd64 using ia32libs and the binary in bitcoin 0.20 tarball.
[/quote]
0.3.1 fixes that, sets the generate threads to the lowest priority. Download links are on the homepage now.

[topic=418.msg3672 date=1279341408] Re: DOS attack happening right now?

I looked at the logs. It looks like it's just heavy addr traffic. I only saw a few garbage addresses, it's mostly well formed addresses.

There's much too much addr traffic though. I'm making adjustments to quiet it down.

I added some code in 0.3.0 to limit the amount of addr messages, but the limits were pretty loose. I'm limiting it down much more in 0.3.2.
In 0.3.0, it only sent to 10 other nodes, but those 10 nodes changed every hour, so you could have the same addr going around every hour. In 0.3.2 I'm lowering it to 4 nodes and every 12 hours.

[topic=432.msg3769 date=1279382772] Re: BUG Report: Rounding glitch

It must be a rounding error when getinfo converts to floating point to return the JSON-RPC result. The only place where it uses floating point to represent money is returning a value in JSON-RPC.

1.139999999999 is longer than bitcoin can internally represent.

Internally, it could only be:
1.13999999 or
1.14000000

1.139999999999 is much much closer to 1.14000000 than 1.13999999, so it must be 1.14000000.

The code is this:
(double)GetBalance() / (double)COIN.

(I can't think of an easy way to fix it at the moment)

[topic=434.msg3770 date=1279384059] Re: Privacy versus Safety: handling change

We should queue up a supply of pre-made addresses in the wallet to use when a new address is needed. They aren't very big, so it wouldn't hurt to have a lot of them. This would more generally cover the case also where someone backs up, then requests a new address and receives a big payment with it. Maybe there should be separate queues so one type of demand on addresses doesn't deplete it for the others.

The addresses would be created and stored in the normal place, but also listed on a separate list of created-but-never-used addresses. When an address is requested, the address at the front of the never-used queue is handed out, and a new address is created and added to the back.

There's some kind of rescan in the block loading code that was made to repair the case where someone copied their wallet.dat. I would need to check that the rescan handles the case of rediscovering received payments in blocks that were already received, but are forgotten because the wallet was restored.
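The header checksum from 0.2.9 that the DOS-attack posts above refer to, as an added example that is not the project's own code: a message is framed with magic, command, length and the first four bytes of double-SHA256 over the payload, and a receiver refuses anything that fails the check, such as a payload whose bytes slid by three positions. The magic prefix is the main network's; the addr payload bytes are constructed and carry no real addresses.

```python
import hashlib
import struct

MAGIC_MAIN = bytes.fromhex("f9beb4d9")     # main-network magic prefix
HEADER_LEN = 24                             # magic(4) + command(12) + length(4) + checksum(4)


def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def checksum(payload):
    """First four bytes of double-SHA256 over the payload."""
    return sha256d(payload)[:4]


def build_message(command, payload, magic=MAGIC_MAIN):
    """Frame a payload with the checksummed header."""
    cmd = command.encode("ascii").ljust(12, b"\0")
    return magic + cmd + struct.pack("<I", len(payload)) + checksum(payload) + payload


def parse_message(data, magic=MAGIC_MAIN):
    """Return (command, payload); raise ValueError on any framing or checksum failure.

    Without the checksum a garbled byte stream can still parse as a
    syntactically valid addr message; with it, corruption is caught here
    before the payload is ever interpreted.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("short header")
    if data[:4] != magic:
        raise ValueError("bad magic")
    command = data[4:16].rstrip(b"\0").decode("ascii")
    (length,) = struct.unpack("<I", data[16:20])
    payload = data[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if checksum(payload) != data[20:24]:
        raise ValueError("checksum mismatch")
    return command, payload


def shift_payload(message, shift=3):
    """Model the 3-byte-shifted garbage described above: the header stays
    intact, the payload bytes slide left by `shift` and are zero-padded to
    keep the declared length."""
    body = message[HEADER_LEN:]
    return message[:HEADER_LEN] + body[shift:] + b"\0" * shift


def accepts(message):
    """True if the receiver accepts the message, False if the header check rejects it."""
    try:
        parse_message(message)
        return True
    except ValueError:
        return False


# Constructed addr payload: a count byte followed by one 26-byte dummy entry.
SAMPLE_ADDR = build_message("addr", b"\x01" + bytes(range(26)))

if __name__ == "__main__":
    print("intact:", accepts(SAMPLE_ADDR), " shifted:", accepts(shift_payload(SAMPLE_ADDR)))
```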
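An added example (not the project's sample and not the Python/Java sample app requested above) of the account bookkeeping described in the JSON-RPC account-system post, combined with the rounding point just made: amounts that come back from JSON-RPC as doubles are snapped to integer satoshis before any arithmetic, and balance = credit - debit, with a separate current (0 confirmations) and available (n confirmations) view. The received-payment records are constructed in the shape listtransactions returns; no node is contacted.

```python
from decimal import Decimal, ROUND_HALF_EVEN

COIN = 100_000_000          # satoshis per bitcoin: the node's internal integer unit


def parse_amount(value):
    """Snap a JSON-RPC amount (a double, or a string) to integer satoshis.

    The node stores money as 64-bit integers and only converts to double for
    the JSON result, so 1.139999999999 can only have been 1.14000000. Rounding
    to 8 places on the way in recovers the exact value; summing raw doubles
    would carry the error into the ledger.
    """
    sats = (Decimal(str(value)) * COIN).quantize(Decimal(1), rounding=ROUND_HALF_EVEN)
    return int(sats)


def format_amount(sats):
    """Integer satoshis back to the fixed 8-decimal text form."""
    sign = "-" if sats < 0 else ""
    whole, frac = divmod(abs(sats), COIN)
    return f"{sign}{whole}.{frac:08d}"


class AccountLedger:
    """Credit comes from the node (payments labelled with the username);
    debit lives in the merchant's own database; balance = credit - debit."""

    def __init__(self):
        self.debits = {}                         # username -> satoshis spent

    @staticmethod
    def credit(received, username, minconf):
        """Sum of payments to the user's label with at least `minconf` confirmations."""
        return sum(parse_amount(r["amount"]) for r in received
                   if r["account"] == username and r["confirmations"] >= minconf)

    def balance(self, received, username, minconf=0):
        """minconf=0 is the 'current' balance, a higher value the 'available' one."""
        return self.credit(received, username, minconf) - self.debits.get(username, 0)

    def purchase(self, received, username, price, minconf=6):
        """Debit the account if the available balance covers `price`; return success."""
        if self.balance(received, username, minconf) < price:
            return False
        self.debits[username] = self.debits.get(username, 0) + price
        return True


# Constructed records in the shape of listtransactions output (amounts as doubles,
# the first one showing the rounding artefact from the post above).
RECEIVED = [
    {"account": "alice", "amount": 1.139999999999, "confirmations": 12},
    {"account": "alice", "amount": 0.5, "confirmations": 2},
    {"account": "bob", "amount": 0.1, "confirmations": 0},
]

if __name__ == "__main__":
    ledger = AccountLedger()
    print("alice current:  ", format_amount(ledger.balance(RECEIVED, "alice", 0)))
    print("alice available:", format_amount(ledger.balance(RECEIVED, "alice", 6)))
    print("buy 1.2 BTC item with 6 confirmations:", ledger.purchase(RECEIVED, "alice", 120_000_000))
```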
[topic=431.msg3773 date=1279385766] Re: Nenolod, the guy that wants to prove Bitcoin doesn't work.

0.3.2 has some security safeguards to lock in the block chain up to this point and limit the damage a little if someone gets 50%.

But if someone has 50%+ of the CPU power and malicious intent, they can prove what it already says in the design document.

[topic=437.msg3807 date=1279402551] Bitcoin 0.3.2 released

Download links available now on bitcoin.org. Everyone should upgrade to this version.

- Added a simple security safeguard that locks-in the block chain up to this point.
- Reduced addr messages to save bandwidth now that there are plenty of nodes to connect to.
- Spanish translation by milkiway.
- French translation by aidos.

The security safeguard makes it so even if someone does have more than 50% of the network's CPU power, they can't try to go back and redo the block chain before yesterday. (if you have this update)

I'll probably put a checkpoint in each version from now on. Once the software has settled what the widely accepted block chain is, there's no point in leaving open the unwanted non-zero possibility of revision months later.

[topic=423.msg3819 date=1279405753] Re: Bitcoin snack machine (fast transaction problem)

I believe it'll be possible for a payment processing company to provide as a service the rapid distribution of transactions with good-enough checking in something like 10 seconds or less.

The network nodes only accept the first version of a transaction they receive to incorporate into the block they're trying to generate. When you broadcast a transaction, if someone else broadcasts a double-spend at the same time, it's a race to propagate to the most nodes first.
If one has a slight head start, it'll geometrically spread through the network faster and get most of the nodes.

A rough back-of-the-envelope example:
1 0
4 1
16 4
64 16
80% 20%

So if a double-spend has to wait even a second, it has a huge disadvantage.

The payment processor has connections with many nodes. When it gets a transaction, it blasts it out, and at the same time monitors the network for double-spends. If it receives a double-spend on any of its many listening nodes, then it alerts that the transaction is bad. A double-spent transaction wouldn't get very far without one of the listeners hearing it. The double-spender would have to wait until the listening phase is over, but by then, the payment processor's broadcast has reached most nodes, or is so far ahead in propagating that the double-spender has no hope of grabbing a significant percentage of the remaining nodes.

[topic=400.msg3823 date=1279406226] Re: Assertion Failure - Ubuntu Lucid

[quote author=singpolyma link=topic=400.msg3815#msg3815 date=1279405188]
My coins disappeared, but I assume they'll come back when it's up to current?
[/quote]
Right, they'll re-appear when it's finished downloading all the blocks.

[topic=437.msg3825 date=1279407264] Re: Bitcoin 0.3.2 released

[quote author=llama link=topic=437.msg3810#msg3810 date=1279403785]
However, it's important that you don't lock all the way up the very latest block. Otherwise, the attacker could generate a fake block (or a few) right before you happen to lock it, and then his attack would be far easier than it would have been without the block lock.
[/quote]
I went about 200 blocks back.
The block chain was a clean straight line without branches, and there was only one known version of the locked block.

[quote author=llama link=topic=437.msg3810#msg3810 date=1279403785]
Also, I'm assuming that the block lock means that the blocks will also come prepackaged with the client. Is this so?
[/quote]
Sorry, not yet, but I do want to make the initial block download faster.

[topic=393.msg3828 date=1279408710] Re: Source code documentation

I didn't realize you were going to document all the intentionally undocumented commands. They're unsupported and not intended to be used by users.

All the user-facing commands are listed in the -? help.

[topic=419.msg3830 date=1279409116] Re: Network Size

[quote author=NewLibertyStandard link=topic=419.msg3817#msg3817 date=1279405329]
Version 0.3 was supposed to reduce the number of outgoing connections on non-port forwarded clients from 15 to 8, but I don't think it really happened. I'm not positive if this is the case. Correct me if I'm wrong.
[/quote]
In 0.3.0, the change to 8 only ended up in the Windows version, the other versions still had 15.

Please upgrade to 0.3.2, it's available now.

[topic=423.msg3867 date=1279418355] Re: Bitcoin snack machine (fast transaction problem)

[quote author=llama link=topic=423.msg3836#msg3836 date=1279411409]
This is a good start, but still not impermeable.
[/quote]
I didn't say impermeable, I said good-enough. The loss in practice would be far lower than with credit cards.

[quote]
(for example, by refusing to propagate word of the transaction at the vending machine)
[/quote]
No, the vending machine talks to a big service provider (aka payment processor) that provides this service to many merchants. Think something like a credit card processor with a new job. They would have many well connected network nodes.
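The propagation race and the listening-node check from the snack-machine posts above, as an added example that is not from the posts: a synchronous gossip model in which every node keeps the first of two conflicting transactions it is offered and relays only that one. The network is a constructed 12-dimensional hypercube (4096 nodes, 12 neighbours each) rather than a real peer graph, chosen so the outcome is exactly reproducible while the reach still grows combinatorially round by round, as in the 1/4/16/64 table; the listener node ids are constructed too.

```python
def hypercube_neighbors(node, dim):
    """Neighbours in a `dim`-dimensional hypercube: flip one bit of the node id."""
    return [node ^ (1 << i) for i in range(dim)]


def race(dim=12, head_start=1):
    """Race an honest transaction A against a conflicting double-spend B.

    A starts at node 0 in round 0; B starts `head_start` rounds later at the
    node farthest from it (all bits set). Each round, every node that accepted
    a transaction in the previous round offers it to all its neighbours; a node
    takes the first one it is offered and ignores the other, though it still
    *hears* it. Returns (accepted, heard_b, ties): accepted[i] is 'A', 'B' or
    None, heard_b[i] says whether node i was offered B at all, and ties counts
    nodes offered both in the same round (broken in A's favour, arbitrarily).
    """
    n = 1 << dim
    origin_a, origin_b = 0, n - 1
    accepted = [None] * n
    heard_b = [False] * n
    ties = 0
    accepted[origin_a] = "A"
    frontier = {"A": [origin_a], "B": []}
    if head_start == 0:                       # simultaneous broadcast
        accepted[origin_b] = "B"
        heard_b[origin_b] = True
        frontier["B"].append(origin_b)
    rnd = 0
    while frontier["A"] or frontier["B"] or rnd < head_start:
        rnd += 1
        offers = {}                           # node -> set of txs offered this round
        for tx in ("A", "B"):
            for node in frontier[tx]:
                for nb in hypercube_neighbors(node, dim):
                    if tx == "B":
                        heard_b[nb] = True
                    if accepted[nb] is None:
                        offers.setdefault(nb, set()).add(tx)
        frontier = {"A": [], "B": []}
        for node, txs in offers.items():
            if len(txs) == 2:
                ties += 1
            winner = "A" if "A" in txs else "B"
            accepted[node] = winner
            frontier[winner].append(node)
        if rnd == head_start and accepted[origin_b] is None:
            accepted[origin_b] = "B"          # the double-spend is broadcast now
            heard_b[origin_b] = True
            frontier["B"].append(origin_b)
    return accepted, heard_b, ties


def shares(accepted):
    """Fraction of nodes holding A and B, the '80% / 20%' line of the post."""
    n = len(accepted)
    return accepted.count("A") / n, accepted.count("B") / n


def listener_detects(heard_b, listeners):
    """The payment processor's alert: True if any of its listening nodes heard B."""
    return any(heard_b[node] for node in listeners)


# Constructed listener set: a few node ids the processor is peered with.
LISTENERS = [5, 170, 1365, 2730]

if __name__ == "__main__":
    for h in (0, 1, 3):
        accepted, heard_b, ties = race(head_start=h)
        a, b = shares(accepted)
        print(f"head start {h}: A {a:.1%}  B {b:.1%}  ties {ties}  "
              f"listeners heard B: {listener_detects(heard_b, LISTENERS)}")
```

With a one-round head start A ends up on 61% of the nodes and with three rounds on 81%; the later B is broadcast, the fewer nodes it reaches, so whether a fixed listener set hears it depends on where the listeners sit.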
[topic=393.msg3999 date=1279465974] Re: Source code documentation

They're only intended for intrepid programmers who read the sourcecode.

[topic=55.msg4008 date=1279469176] Re: URI-scheme for bitcoin

[quote author=lachesis link=topic=55.msg1597#msg1597 date=1276668845]
I think you're misunderstanding the issue. My browser will always be able to go to 127.0.0.1 (barring some strange IE settings or a virus). If I type the address into the URL bar or click a link, it will work fine. However, it isn't possible to use Javascript to complete POST requests between domains (or ports on the same domain).
[/quote]
That's what I thought too.

[quote author=sirius-m link=topic=55.msg1598#msg1598 date=1276676774]
Yeah, I meant to say that cross-domain javascript calls are forbidden, so you can't call 127.0.0.1 from a javascript that doesn't reside in 127.0.0.1. Come to think of it, it would be quite funny if browsers allowed malicious cross-domain javascript to change people's Facebook pages etc.
[/quote]
Now I'm hearing a report that it IS possible for javascript to do a cross-domain POST request to 127.0.0.1. Not other domains, but just specifically to that one. Great...

If this is the case, then do not use the -server switch or bitcoind on a system where you do web browsing.

I'll get started on adding the password field.

14 days, so 14/10 = 1.4 = around 40% difficulty increase.

[topic=60.msg434 date=1266887788] Re: UI improvements

There are now "Sending" and "Receiving" tabs in the Address Book. Your addresses are referred to as "receiving addresses".

madhatter was working on building it on Mac. He had errors probably caused by UTF-16 wxWidgets 2.8. Should have better luck now with 2.9.0. wxWidgets 2.9.0 is UTF-8 and wouldn't have that problem.

I think he had it working on FreeBSD, but he wanted a non-UI version.

I have the command line and JSON-RPC daemon version working now.
Will SVN it in a day or two.<br /><br />I disabled gdm on my Ubuntu system so it boots into command line. I hope I will be able to get it enabled again with rcconf. 443 62 1 1266942369 443 0 xx 1 Re: Bitcoin Address Collisions There's a separate public/private keypair for every bitcoin address. You don't have a single private key that unlocks everything. Bitcoin addresses are a 160-bit hash of the public key, everything else in the system is 256-bit.<br /><br />If there was a collision, the collider could spend any money sent to that address. Just money sent to that address, not the whole wallet.<br /><br />If you were to intentionally try to make a collision, it would currently take 2^126 times longer to generate a colliding bitcoin address than to generate a block. You could have got a lot more money by generating blocks.<br /><br />The random seed is very thorough. On Windows, it uses all the performance monitor data that measures every bit of disk performance, network card metrics, cpu time, paging etc. since your computer started. Linux has a built-in entropy collector. Adding to that, every time you move your mouse inside the Bitcoin window you're generating entropy, and entropy is captured from the timing of disk ops. 446 60 1 1266944007 446 0 xx 1 Re: UI improvements [quote author=Xunie link=topic=60.msg439#msg439 date=1266928107]<br />[i]/etc/init.d/gdm start[/i] and it will start gdm!<br />[/quote]<br />Ah yes, there we go, back to normal again.<br /><br />The ctrl+alt+F[1-8] thing never worked on this computer. The screen just goes haywire. 452 63 6 1266963341 453 1266970364 satoshi xx 1 Command Line and JSON-RPC Version 0.2.6 on SVN can now run as a daemon and be controlled by command line or JSON-RPC.<br /><br />On Linux it needs libgtk2.0-0 installed, but does not need a GUI running. 
Hopefully gtk can be installed without having a windowing system installed.<br /><br />The command to start as a daemon is:<br />bitcoin -daemon [switches...]<br /><br />Or, to run the UI normally and also be able to control it from command line or JSON-RPC, use the "-server" switch.<br />bitcoin -server [switches...]<br /><br />With either switch, it runs an HTTP JSON-RPC server that accepts local socket connections on 127.0.0.1:8332. The port is bound to loopback and can only be accessed from the local machine, but from any account, not just the user it's running under.<br /><br />To control it from the command line, the interface is a command name without any switches, followed by parameters if any.<br />bitcoin <command> [params...]<br /><br />For example:<br />bitcoin getinfo<br />bitcoin getdifficulty<br />bitcoin setgenerate true<br />bitcoin stop<br /><br />It's a simple JSON-RPC client and prints the JSON result. Look at rpc.cpp for the list of commands.<br /><br />Web apps or anything automated will normally use JSON-RPC directly, not command line. There are JSON-RPC libraries for all the major languages. In script languages like PHP and Python the syntax is as natural as calling a local function. 453 62 1 1266963840 453 0 xx 1 Re: Bitcoin Address Collisions [quote author=NewLibertyStandard link=topic=62.msg450#msg450 date=1266951887]<br />Are generated bitcoins encrypted with whichever address is currently displayed in the main Bitcoin window?<br />[/quote]<br />No, each generated transaction uses a new, single-use address.<br /><br />Nothing uses the address in the main window, it's just there for convenience for you to copy. 0.2.5 has a "New..." button next to it to make it easy to change each time you use it. 481 55 6 1266991063 481 0 xx 1 Re: URI-scheme for bitcoin That would be nice at point-of-sale. The cash register displays a QR-code encoding a bitcoin address and amount on a screen and you photo it with your mobile. 
482 63 6 1266992243 482 0 xx 1 Re: Command Line and JSON-RPC [quote author=theymos link=topic=63.msg467#msg467 date=1266980857]<br />[quote author=satoshi link=topic=63.msg452#msg452 date=1266963341]<br />On Linux it needs libgtk2.0-0 installed<br />[/quote]<br />Will this requirement be removed sometime? I'd rather not have to deal with GTK.<br />[/quote]<br />How much "dealing with" does GTK actually require? Is it just a matter of "sudo apt-get install libgtk2.0-0" and having some extra libraries sitting around? GTK doesn't have to do anything, just be there for bitcoin to link to when it loads up, have the gtk-init-check call fail because no GUI present, then it's done. <br /><br />It saves us butchering everything with ifdefs and a separate compile and binary to use wxBase just to try to avoid linking GTK. 504 64 1 1267046663 21762 1289607746 satoshi xx 1 New icon/logo New icons, what do you think? Better than the old one?<br /><br />[img]http://www.bitcoin.org/download/bitcoin16.4.png[/img] [img]http://www.bitcoin.org/download/bitcoin20.4.png[/img] [img]http://www.bitcoin.org/download/bitcoin32.5.png[/img] [img]http://www.bitcoin.org/download/bitcoin48.5.png[/img]<br /><br />Full size 530x529 image for scaling down to custom sizes:<br />[url=http://www.bitcoin.org/download/bitcoin530.png]http://www.bitcoin.org/download/bitcoin530.png[/url]<br /><br />The perspective shadow was too thick on the larger sizes. I updated 32, 48 and the full size.<br /><br />I release these images into the public domain (copyright-free). I request that derivative works be made public domain.<br /> 507 45 1 1267048432 507 0 xx 1 Re: Make your "we accept Bitcoin" logo If you GPL stuff, I have to avoid using it. Nothing against GPL per-se, but Bitcoin is an MIT license project. Anything GPL please clearly mark it as such. 509 63 6 1267049335 509 0 xx 1 Re: Command Line and JSON-RPC When and how fast did memory usage increase? 
Right away, slowly over a long time, or starting at some later event?<br /><br />I have -daemon running on ubuntu 9.10 64-bit and memory usage is steady.<br /><br />It has to be something about the difference on the server besides 64-bit. Maybe some malfunction from the lack of GUI. A memory leak debug tool could give a clue. 510 43 1 1267051344 510 0 xx 1 Re: Proof-of-work difficulty increasing The automatic adjustment happened earlier today.<br /><br />24/02/2010 0000000043b3e500000000000000000000000000000000000000000000000000<br /><br />24/02/2010 3.78 +49%<br /><br />I updated the first post.<br /> 521 64 1 1267062984 521 0 xx 1 Re: New icon/logo [quote author=Sabunir link=topic=64.msg519#msg519 date=1267062476]<br />I like them. Do they come in higher resolutions?<br />[/quote]<br />Yes, the original is 546x531 pixels.<br /><br />It looks good at larger size too, but since the small icons are what you mostly always see, I wanted to judge it on those first. I'll post larger sizes and full size a little later. 539 63 6 1267138457 539 0 xx 1 Re: Command Line and JSON-RPC OK, I made a build target bitcoind that only links wxBase and does not link GTK. Version 0.2.7 on SVN.<br /><br />I split out the init and shutdown stuff from ui.cpp into init.cpp, so now ui.cpp is pure UI. ui.h provides inline stubs if wxUSE_GUI=0. We only have four functions that interface from the node to the UI. In the bitcoind build, we don't link ui.o or uibase.o.<br /><br />[quote author=sirius-m link=topic=63.msg538#msg538 date=1267115537]<br />It started increasing right away. I'll see if valgrind can help me.<br />[/quote]<br />Sure feels like it could be something in wxWidgets retrying endlessly because some UI thing failed or something wasn't inited correctly. Our hack to ignore the initialize failure and run anyway means we're in uncharted territory. We're relying on the fact that we hardly use wx in this mode. 
We do still use a few things like wxGetTranslation and wxMutex.<br /><br />Another way to debug would be to run in gdb, wait until everything is quiet and all threads should be idle, and break it and see which thread is busily doing something and what it's doing.<br /><br />I suspect bitcoind will probably work fine, but I hope you can still debug the problem. 540 43 1 1267139189 540 0 xx 1 Re: Proof-of-work difficulty increasing The formula is based on the time it takes to generate 2016 blocks. The difficulty is multiplied by 14/(actual days taken). For instance, this time it took 9.4 days, so the calculation was 14/9.4 = 1.49. Previous difficulty 2.53 * 1.49 = 3.78, a 49% increase. <br /><br />I don't know what you're talking about accepting easier difficulties. 555 63 6 1267201761 555 0 xx 1 Re: Command Line and JSON-RPC wx/clipbrd.h isn't used, move it inside the #if wxUSE_GUI.<br /><br />Updated headers.h on SVN.<br /><br />Sorry, I linked to wxbase but I had full wxWidgets on my computer.<br /><br />The db.h:140 class Db no member named "exisits" is stranger. pdb->get, pdb->put, pdb->del compiled before that. Do you have version 4.7.25 of Berkeley DB?<br /><br />Db::exists()<br />http://www.oracle.com/technology/documentation/berkeley-db/db/api_reference/CXX/frame_main.html<br />http://www.oracle.com/technology/documentation/berkeley-db/db/api_reference/CXX/dbexists.html<br /><br />I suppose they might have added exists recently, using get before that. 561 64 1 1267226239 561 0 xx 1 Re: New icon/logo Good suggestion. I made the B slightly lighter and the background slightly darker. Very slightly. The foreground is now exactly the same colour as the BC in the old one.<br /><br />It's kind of OK if you can't easily read the B in the 16x16. At that size, you just need to see that it's a coin. 
It doesn't matter so much what's embossed on it, just that there be some detail there because it wouldn't look like a coin if it was a blank smooth circle.<br /><br />It's slightly wider than tall because the dark perspective under it goes more to the right than down.<br /><br />I finished and posted the 32x31 and 48x47 versions in the first message. I like the 48 a lot.<br /><br />How does everyone feel about the B symbol with the two lines through the outside? Can we live with that as our logo? 562 63 6 1267228124 562 0 xx 1 Re: Command Line and JSON-RPC Are you using wxWidgets 2.9.0? I don't recommend using anything other than 2.9.0.<br /><br />It looks like they've got a reference in the wx headers (arrstr.h) to something outside of wxBase.<br /><br />Removing -D__WXDEBUG__ from bitcoin's makefile would probably solve it.<br /><br />If that doesn't work and you just want to get it working, you could edit wxWidgets include/wx/arrstr.h, line 167 and comment out the wxASSERT_MSG. 566 64 1 1267244909 566 0 xx 1 Re: New icon/logo [quote author=Cdecker link=topic=64.msg565#msg565 date=1267241047]<br />How about an SVG version? That way we could automatically generate smaller and larger versions as needed.<br />[/quote]<br />I don't know how to do SVG, but I did the original very large, over 500 pixels across, so it can be scaled down. I'll give the original when I'm finished.<br /><br />I had to custom tweak each icon size so the vertical lines land square on their pixels, otherwise they're ugly blurry and inconsistent. Such is the challenge of making icons. The original will be good for scaling to custom sizes between 48 and 500 but not smaller. 
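The difficulty formula from the "Proof-of-work difficulty increasing" replies above (difficulty times 14 divided by the days the last 2016 blocks actually took), as an added example in Python; it is not code from the posts or from the Bitcoin project. It goes one step beyond the post by clamping the measured timespan to a factor of four in either direction, which is the limit Bitcoin's retarget applies so that a run of bad block timestamps cannot swing difficulty arbitrarily in a single step. Timestamps are in seconds. For the thread's numbers this float version gives 3.77; the network's 3.78 comes from the node doing the same computation on integer targets rather than on the rounded difficulty value.

```python
TARGET_TIMESPAN = 14 * 24 * 60 * 60   # the "14 days" in the formula, in seconds
INTERVAL = 2016                       # blocks between adjustments
MAX_ADJUST = 4                        # per-retarget clamp (Bitcoin's rule; not stated in the post)


def next_difficulty(prev_difficulty, first_block_time, last_block_time):
    """prev_difficulty * 14 / (actual days taken), computed in seconds.

    first_block_time and last_block_time bound the INTERVAL blocks just generated.
    """
    actual = last_block_time - first_block_time
    if actual <= 0:
        raise ValueError("timestamps must advance across the retarget interval")
    # Clamp: no single retarget moves difficulty by more than MAX_ADJUST either way,
    # so manipulated timestamps cannot crash or spike the difficulty at once.
    lo, hi = TARGET_TIMESPAN // MAX_ADJUST, TARGET_TIMESPAN * MAX_ADJUST
    actual = max(lo, min(hi, actual))
    return prev_difficulty * TARGET_TIMESPAN / actual


def percent_change(old, new):
    """The "+49%" style figure the thread reports."""
    return (new / old - 1.0) * 100.0


def worked_example():
    """The thread's own numbers: 2016 blocks took 9.4 days at difficulty 2.53."""
    nine_point_four_days = int(9.4 * 24 * 60 * 60)
    new = next_difficulty(2.53, 0, nine_point_four_days)
    return round(new, 2), round(percent_change(2.53, new))
```

Calling worked_example() reproduces the thread's 9.4-day retarget; the clamp only matters when an interval takes less than 3.5 or more than 56 days.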
571 65 6 1267305773 571 0 xx 1 Re: wxWidgets 2.9.0 [quote author=Cdecker link=topic=65.msg569#msg569 date=1267290599]<br />Looking through the source of 2.8.10 it appears that [i]unicode[/i] is possible with that version too.<br />[/quote]<br />In the Windows world, "unicode" means UTF-16 (wchar).<br /><br />2.8 has two build variations, ANSI and UTF-16 (unicode). The UTF-16 version is the "unicode" version provided in the Debian package. I believe 2.8 and its UTF-16 build labelled simply "unicode" has been the source of build problems described in the forum. We were previously using 2.8 ANSI in anticipation of getting to UTF-8 without going through UTF-16 hell. We cannot compile with UTF-16.<br /><br />2.9 has only one version, UTF-8. On Windows, we set the codepage to UTF-8, so on all platforms our code is UTF-8 and wxWidgets interfaces with us in UTF-8. On Linux I assume the codepage is already UTF-8. By standardizing on 2.9 we avoid the multi-build confusion of 2.8, and we need 2.9 for UTF-8 internationalization.<br /><br />Make sure you read build-unix.txt and configure wxWidgets using the configure parameters given.<br /><br />Curious, why is it incredibly hard to provide wxWidgets 2.9.0? If you mean for users, that's why we static link it.<br /><br />It's unfortunate that we require so many big dependencies, but we need them all. At least on Debian/Ubuntu, all but wxWidgets are available as packages. Eventually they'll provide a 2.9 package. 588 64 1 1267497185 588 0 xx 1 Re: New icon/logo We have the standard icon sizes, and the full size scales nicely to anything else.<br /><br />I added the full size to the first post. 
614 69 8 1267590536 614 0 xx 1 Re: Money Transfer Regulations When there's enough scale, maybe there can be an exchange site that doesn't do transfers, just matches up buyers and sellers to exchange with each other directly, similar to how e-bay works.<br /><br />To make it safer, the exchange site could act as an escrow for the bitcoin side of the payment. The seller puts the bitcoin payment in escrow, and the buyer sends the conventional payment directly to the seller. The exchange service doesn't handle any real world money.<br /><br />This would be a step better than e-bay. E-bay manages to work fine even though shipped goods can't be recovered if payment falls through. or easily malleable either<br />- not useful for any practical or ornamental purpose<br /><br />and one special, magical property:<br />- can be transported over a communications channel<br /><br />If it somehow acquired any value at all for whatever reason, then anyone wanting to transfer wealth over a long distance could buy some, transmit it, and have the recipient sell it.<br /><br />Maybe it could get an initial value circularly as you've suggested, by people foreseeing its potential usefulness for exchange. (I would definitely want some) Maybe collectors, any random reason could spark it.<br /><br />I think the traditional qualifications for money were written with the assumption that there are so many competing objects in the world that are scarce, an object with the automatic bootstrap of intrinsic value will surely win out over those without intrinsic value. 
But if there were nothing in the world with intrinsic value that could be used as money, only scarce but no intrinsic value, I think people would still take up something.<br /><br />(I'm using the word scarce here to only mean limited potential supply)<br /> 11439 941 6 1282946052 11504 1283006064 satoshi xx 1 Version 0.3.11 with upgrade alerts Version 0.3.11 is now available.<br /><br />Changes:<br />- Some blk*.dat checking on load<br />- Built the -4way code with -march=amdfam10, which makes it a little faster<br />- Warning if your clock is too far off<br />- Warnings/errors/alerts can also be seen in the getinfo command<br />- Alert system<br /><br />The alert system can display notifications on the status bar to alert you if you're running a version that needs to be upgraded for an important security update.<br /><br />In response to an alert, your node may also go into safe mode, which disables the following json-rpc commands (used by automated websites) to protect it from losing money until you get a chance to upgrade:<br /> sendtoaddress<br /> getbalance<br /> getreceivedbyaddress<br /> getreceivedbylabel<br /> listreceivedbyaddress<br /> listreceivedbylabel<br /><br />If you decide it's a false alarm and want to take your chances, you can use the switch -disablesafemode to re-enable them.<br /><br />This is an important safety improvement. For a large segment of possible problems, this can warn everyone immediately once a problem is discovered and prevent them from acting on bad information.<br /><br />Nodes keep operating and do not stop generating in response to an alert, so old versions may still try to make a fork, but the alert system can make sure users are warned not to act on anything in the fork.<br /><br />Download:<br />http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.11/<br /> 11503 820 6 1283005635 11503 0 xx 1 Re: tcatm's 4-way SSE2 for Linux 32/64-bit is in 0.3.10 The simplification is intentional. 
There will only be more than one thash[7]=0 in one out of 134,217,728 cases. It only makes it 0.0000007% slower.<br /> 11505 941 6 1283007244 11505 0 xx 1 Re: Version 0.3.11 with upgrade alerts [quote author=torservers link=topic=941.msg11499#msg11499 date=1283000437]<br />The "About" dialog still shows 0.3.10.1 beta.<br />[/quote]<br />What OS? I ran the Windows and 64-bit Linux version and checked the about dialog.<br /><br />The Mac version is still 0.3.10.1.<br /><br />[quote author=pavelo link=topic=941.msg11481#msg11481 date=1282980967]<br />iirc, it is possible to specify -march on a per-function basis using some gcc __attribute__. That way, only the function in question would be optimized, and if the user doesn't specify -4way, everything else should be ok.<br />[/quote]<br />I updated the first post to be more specific. Only the -4way code is compiled this way.<br /> 11610 816 6 1283120076 11610 0 xx 1 Re: Big endian code problems The code assumes little-endian throughout and was written with the intention of never being ported to big-endian. Every integer that is sent over the network would have to be byte swapped, in addition to many dozens of other places in code. It would not be worth the extra sourcecode bloat.<br /><br />Big-endian is on its way out anyway. 12062 967 4 1283729132 12062 0 xx 1 Re: CryptoPP Assertion Error You can probably just comment out the line<br />cryptopp/secblock.h:187<br /> //assert(false);<br /><br />Let me know if it works, and watch if it memory leaks. <br /><br />It looks like a template class to make sure the derived class defines its own version of allocate and deallocate. It would be weird if that was the actual problem and it made it all the way to release. Probably a false alarm. 
12063 960 4 1283729780 12063 0 xx 1 Re: Warning : Check your system ( Help me ) Any suggestions for better text to put for this error message so the next person will be less likely to be confused?<br /><br />It's trying to tell them their clock is wrong and they need to correct it.<br /><br />It's relying on 3 time sources:<br />1) the system clock<br />2) the other nodes, if within an hour of the system clock<br />if those disagree, then<br />3) the user (asking the user to fix the system clock)<br /><br />I've thought about NTP, but this is more secure. 12130 969 6 1283808081 12130 0 xx 1 Re: HTTP status codes from the JSON-RPC api This is in SVN rev 147.<br /><br />This is more standard, and although json-rpc 1.0 didn't specify the format of error objects, it did specify that they would be [i]objects[/i] not strings or other values, so we needed to change this to be correct. The code/message members have become standard in later json-rpc specs.<br /><br />If you have code that checks the error and expects a string, you'll need to change it. When there is an error, the error member is now an object not a string.<br /><br />Also in SVN rev 147:<br />- The command line json-rpc returns the error code as its exit code. Exit codes can only be 0-255 on unix, so it's abs(code)%256.<br />- The "backupwallet <destination>" command that was discussed in another thread. It locks the wallet and copies it, so you can be sure you get a correct copy.<br /> 12132 960 4 1283809266 12132 0 xx 1 Re: Warning : Check your system ( Help me ) [quote author=Insti link=topic=960.msg12101#msg12101 date=1283777497]<br />[quote author=satoshi link=topic=960.msg12063#msg12063 date=1283729780]<br />Any suggestions for better text to put for this error message so the next person will be less likely to be confused?<br />[/quote]<br />"Please check that your computer's date and time are correct. If your clock is wrong Bitcoin will not work properly."<br />[/quote]<br />Thanks. 
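A toy model of the JSON-RPC interface these threads describe ("Command Line and JSON-RPC", the 0.3.11 safe mode list, "HTTP status codes from the JSON-RPC api" and the clock-warning replies), as an added example in Python; it is not code from the posts or from the Bitcoin project. The credentials, the getinfo contents, the five-peer minimum and the error codes other than -32700 and -32601 (which later JSON-RPC specs standardised) are constructed for the example. It models both sides without a socket: the client builds the JSON-RPC 1.0 request the command line sends, the server checks the password before anything else (the point raised in the URI-scheme thread: the port answers to every local account and possibly to a cross-domain browser POST), refuses the safe-mode commands while an alert is active, returns errors as {"code","message"} objects, surfaces the clock check through getinfo, and maps an error code to the abs(code)%256 exit status.

```python
import base64
import hmac
import json
from statistics import median

RPC_USER = "rpcuser"                          # constructed credentials
RPC_PASSWORD = "correct-horse-battery-staple"
ONE_HOUR = 60 * 60
# Commands safe mode disables (list from the 0.3.11 announcement above).
SAFE_MODE_DISABLED = frozenset({
    "sendtoaddress", "getbalance", "getreceivedbyaddress",
    "getreceivedbylabel", "listreceivedbyaddress", "listreceivedbylabel",
})
CLOCK_MESSAGE = ("Please check that your computer's date and time are correct. "
                 "If your clock is wrong Bitcoin will not work properly.")


def clock_warning(system_time, peer_times, min_peers=5):
    """Three time sources: the system clock, then peers (trusted only if they agree
    with it to within an hour), and failing that the user is told to fix the clock."""
    if len(peer_times) < min_peers:
        return ""                      # too few peers to overrule the local clock
    off = median(t - system_time for t in peer_times)
    return CLOCK_MESSAGE if abs(off) > ONE_HOUR else ""


class Node:
    """Minimal stand-in for the node; balance and block count are constructed."""
    def __init__(self, system_time, peer_times=(), safe_mode=False):
        self.system_time = system_time
        self.peer_times = list(peer_times)
        self.safe_mode = safe_mode
        self.commands = {"getinfo": self.getinfo,
                         "getbalance": lambda params: 50.0,
                         "getdifficulty": lambda params: 3.78}

    def getinfo(self, params):
        # Warnings/errors/alerts are visible through getinfo, as 0.3.11 does.
        return {"version": 311, "blocks": 78000,
                "errors": clock_warning(self.system_time, self.peer_times)}


def build_request(method, params=(), req_id=1):
    """Wire shape of `bitcoin <command> [params...]`: a JSON-RPC 1.0 request."""
    return {"method": method, "params": list(params), "id": req_id}


def basic_auth(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _error(req_id, code, message):
    # JSON-RPC 1.0 requires errors to be objects; code/message follow later specs.
    return {"result": None, "error": {"code": code, "message": message}, "id": req_id}


def handle_request(node, body, auth_header=None):
    """Server side. Returns (http_status, response_dict)."""
    expected = basic_auth(RPC_USER, RPC_PASSWORD)
    # Password first: the loopback port is reachable by any local account and,
    # per the URI-scheme thread, perhaps by a browser's cross-domain POST.
    if auth_header is None or not hmac.compare_digest(auth_header.encode(), expected.encode()):
        return 401, _error(None, -1, "unauthorized")          # constructed code
    try:
        req = json.loads(body)
    except ValueError:
        return 500, _error(None, -32700, "parse error")       # code from later JSON-RPC specs
    method, req_id = req.get("method"), req.get("id")
    if node.safe_mode and method in SAFE_MODE_DISABLED:
        return 500, _error(req_id, -2, "safe mode: upgrade, or restart with -disablesafemode")
    handler = node.commands.get(method)
    if handler is None:
        return 404, _error(req_id, -32601, "method not found")
    return 200, {"result": handler(req.get("params", [])), "error": None, "id": req_id}


def exit_code(response):
    """Command-line client: unix exit status is abs(code) % 256, as in SVN rev 147."""
    err = response.get("error")
    return abs(int(err["code"])) % 256 if err else 0
```

The client-side pieces (build_request, basic_auth, exit_code) are what a script wrapping the command line needs; handle_request is what the daemon must enforce before any command runs.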
12134 921 6 1283809510 12134 0 xx 1 Re: auto backing up of wallet.dat rpc backupwallet <destination> is in SVN rev 147. 12135 992 4 1283809965 12135 0 xx 1 Re: bitcoind as daemon in OSX Can you build?<br /><br />Try changing line 78 of init.cpp from:<br />#ifdef __WXGTK__<br /><br />to:<br />#ifndef __WXMSW__<br /><br />If that works, I'll change the source. It should work. 12168 994 1 1283877141 12168 0 xx 1 Re: Always pay transaction fee? Another option is to reduce the number of free transactions allowed per block before transaction fees are required. Nodes only take so many KB of free transactions per block before they start requiring at least 0.01 transaction fee.<br /><br />The threshold should probably be lower than it currently is.<br /><br />I don't think the threshold should ever be 0. We should always allow at least some free transactions.<br /> 12181 999 6 1283887075 12190 1283891671 satoshi xx 1 Version 0.3.12 Version 0.3.12 is now available.<br /><br />Features:<br />- json-rpc errors return a more standard error object. (thanks to Gavin Andresen)<br />- json-rpc command line returns exit codes.<br />- json-rpc "backupwallet" command.<br />- Recovers and continues if an exception is caused by a message you received. Other nodes shouldn't be able to cause an exception, and it hasn't happened before, but if a way is found to cause an exception, this would keep it from being used to stop network nodes.<br /><br />If you have json-rpc code that checks the contents of the error string, you need to change it to expect error objects of the form {"code":<number>,"message":<string>}, which is the standard. See this thread:<br />http://www.bitcoin.org/smf/index.php?topic=969.0<br /><br />Download:<br />http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.12/<br /> 12237 994 1 1283967014 12237 0 xx 1 Re: Always pay transaction fee? Currently, paying a fee is controlled manually with the -paytxfee switch. 
It would be very easy to make the software automatically check the size of recent blocks to see if it should pay a fee. We're so far from reaching the threshold, we don't need that yet. It's a good idea to see how things go with controlling it manually first anyway.<br /><br />It's not a big deal if we reach the threshold. Free transactions would just take longer to get into a block.<br /><br />I did a rough tally of 4000 blocks from around 74000-78000. This is excluding the block reward transactions:<br /><br />There were average 2 transactions per block, 17 transactions per hour, 400 transactions per day.<br /><br />Average transaction bytes per block was 428 bytes, or 214 bytes per transaction.<br /><br />The current threshold is 200KB per block, or about 1000 transactions per block. I think it should be lowered to 50KB per block. That would still be more than 100 times the average transactions per block.<br /><br />The threshold can easily be changed in the future. We can decide to increase it when the time comes. It's a good idea to keep it lower as a circuit breaker and increase it as needed. If we hit the threshold now, it would almost certainly be some kind of flood and not actual use. Keeping the threshold lower would help limit the amount of wasted disk space in that event.<br /> 12240 999 6 1283969164 12240 0 xx 1 Re: Version 0.3.12 Bitcoin clients currently only create and recognize transactions that match two possible templates. <br /><br />Those are some quick tests that loosely check if transactions fit some general metrics that those standard transactions fit. Nodes will only work on adding those transactions to their block.<br /><br />In the future, if we add more templates to the existing 2 types of transactions, we can change the "rather not work on nonstandard transactions" test to accept them.<br /> 12248 955 1 1283977659 12248 0 xx 1 Re: Bitcoin Blogger: Is It Better To Buy Or Generate Bitcoins? 
[quote author=BitLex link=topic=955.msg12189#msg12189 date=1283890254]<br />AMD X3 @2.8ghz<br />->stock client<br />~3800khs ~150Watt<br />[/quote]<br />Did you try -4way?<br /><br />[quote]<br />How many hashes can I expect with a 24 core machine? I have a quad-core generating 4,300 hashes-per-second, so I am estimating a 24-core machine could mine bitcoins at 25,000 hashes-per-second.<br />[/quote]<br />AMD Phenom (I think 4-core) CPUs are doing about 11,000khps with -4way, about 100% speedup. 24 cores should get 66,000khps. AMD is the best choice because it has the best SSE2 implementation. (or maybe because tcatm had an AMD and optimised his code for that)<br /><br />There's been so much else to do that I haven't had time to make -4way automatic. For now you still have to do it manually.<br />http://www.bitcoin.org/smf/index.php?topic=820.0<br /> 12262 1007 6 1283994245 12262 0 xx 1 Auto-detect for 128-bit 4-way SSE2 SVN rev 150 has some code to try to auto-detect whether to use 4-way SSE2. We need this because it's only faster on certain newer CPUs that have 128-bit SSE2 and not ones with 64-bit SSE2.<br /><br />It uses the CPUID instruction to get the CPU brand, family, model number and stepping. That's the easy part. Knowing what to do with the model number is the hard part. I was not able to find any table of family, model and stepping numbers for CPUs. 
I had to go by various random reports I saw.<br /><br />Here's what I ended up with:<br />[code]<br /> // We need Intel Nehalem or AMD K10 or better for 128bit SSE2<br /> // Nehalem = i3/i5/i7 and some Xeon<br /> // K10 = Opterons with 4 or more cores, Phenom, Phenom II, Athlon II<br /> // Intel Core i5 family 6, model 26 or 30<br /> // Intel Core i7 family 6, model 26 or 30<br /> // Intel Core i3 family 6, model 37<br /> // AMD Phenom family 16, model 10<br /> bool fUseSSE2 = ((fIntel && nFamily * 10000 + nModel >= 60026) ||<br /> (fAMD && nFamily * 10000 + nModel >= 160010));<br />[/code]<br /><br />I saw some sporadic inconsistent model numbers for AMD CPUs, so I'm not sure if this will catch all capable AMDs.<br /><br />If it's wrong, you can still override it with -4way or -4way=0.<br /><br />It prints what it finds in debug.log. Search on CPUID.<br /><br />This is only enabled if built with GCC. 12341 1013 1 1284078204 12341 0 xx 1 Re: Won't let me send coins because it requires a transaction fee? What version is the one where this happened? Release build, or built it yourself? Which operating system? <br /><br />Were you sending by IP or by Bitcoin Address?<br /><br />When you sent 49.99, did it prompt you to pay a 0.01 fee?<br /><br />There was a change in GetMinFee, but I can't see how it would cause this. It only starts to apply when a block gets huge. <br /><br />The reason for the difference in block number is the number displayed was reduced by 1 in 0.3.11 because it made more sense that way. 12342 1013 1 1284079597 12342 0 xx 1 Re: Won't let me send coins because it requires a transaction fee? I think I know what happened. Doubleclick on the generated transaction. It probably has a sub-0.01 transaction fee in it.<br /><br />Someone has been paying a 0.00000010 transaction fee. I don't think you can even set that with -paytxfee, I think you'd have to modify the code to do it. 
Your generated block is worth 50.00000010, so when you try to send the whole thing you have 0.00000010 left over for the change, which triggers the dust spam 0.01 fee.<br /><br />It would normally be harmless except in this corner case. I should add a special case to CreateTransaction to handle this. 633 63 6 1267753585 633 0 xx 1 Re: Command Line and JSON-RPC [quote author=sirius-m link=topic=63.msg502#msg502 date=1267035455]<br />This is strange... When I start Bitcoin as a daemon on my 64 bit Linux server, it eats up all the 250MB of remaining RAM, 700MB of swap and eventually crashes. On my 32 bit Ubuntu desktop, it works fine and stays at 15MB of memory usage. The server is running a 64 bit build of Bitcoin. Maybe there's something wrong with the build or something.<br />[/quote]<br />sirius-m debugged this, it was 64-bit related. <br /><br />The fix is now available on SVN, file util.cpp. 639 71 3 1267759330 639 0 xx 1 Re: Lots of guests online Maybe an embedded link or image in a post somewhere else, such that when anyone reads the post on the busier forum, it loads part of the content from this forum.<br /><br />It's stopped now. 717 72 4 1268678652 717 0 xx 1 Re: bitcoin auto-renice-ing It sets different priorities for each thread. The generate threads run at PRIO_MIN. The other threads rarely take any CPU and run at normal.<br /><br />#define THREAD_PRIORITY_LOWEST PRIO_MIN<br />#define THREAD_PRIORITY_BELOW_NORMAL 2<br />#define THREAD_PRIORITY_NORMAL 0<br /><br />The priorities converted from Windows priorities were probably from a table like this:<br /><br /> "The following table shows the mapping between nice values and Win32 priorities. 
Refer to the Win32 documentation for SetThreadPriority() for more information on Win32 priority issues.<br /><br />nice value \tWin32 Priority<br />-20 to -16 \tTHREAD_PRIORITY_HIGHEST<br />-15 to -6 \tTHREAD_PRIORITY_ABOVE_NORMAL<br />-5 to +4 \tTHREAD_PRIORITY_NORMAL<br />+5 to +14 \tTHREAD_PRIORITY_BELOW_NORMAL<br />+15 to +19 \tTHREAD_PRIORITY_LOWEST"<br /><br />If you have better values, suggestions welcome.<br /><br />Also, there was some advice on the web that PRIO_PROCESS is used on Linux because threads are processes. If that's not true, maybe it accounts for unexpectedly setting the priority of the whole app.<br /><br /> // threads are processes on linux, so PRIO_PROCESS affects just the one thread<br /> setpriority(PRIO_PROCESS, getpid(), nPriority);<br /> 719 83 1 1268680616 808 1269453031 satoshi xx 1 Idea for file hosting and proxy services When you want to upload an image to embed in a forum post, there are services like imageshack, but because they're free, they limit the number of views. It's a minuscule amount of bandwidth cost, but they can't just give it away for free, there has to be something in it for them. It would be nice to be able to pay for the bandwidth and avoid the limits, but conventional payments are too inconvenient for such a minor thing.<br /><br />It's worse if you want to upload a file for others to download. There are services like rapidshare, but they require the downloaders to go through extra steps and delays to make them look at advertising or encourage upgrading to a paid subscription, and they limit it to 10 or so downloads.<br /><br />It would be nice if we made some free PHP code for an image and file hosting service that charges Bitcoins. Anyone with some extra bandwidth quota could throw it on their webserver and run it. Users could finally pay the minor fee to cover bandwidth cost and avoid the limits and hassles. 
Ideally, it should be MIT license or public domain.<br /><br />Services like this would be great for anonymous users, who have trouble paying for things. 729 84 6 1268768927 729 0 xx 1 Re: On IRC bootstrapping Thanks soultcer for talking with the Freenode staffer. Good to know it's OK at the current size, and now they know who we are. They're supportive of projects like TOR so I hope they would probably be friendly to us. We don't want to overstay our welcome. If we get too big, then by the same token, we're big enough that we don't need IRC anymore and we'll get off.<br /><br />We only needed IRC because nobody had a static IP. In the early days there were some steady supporters, but they all had pool-allocated IPs that change every few days. IRC was only intended as a temporary solution. Bitcoin's built-in addr system is the main solution.<br /><br />Bitcoin can get the list of IPs from any bitcoin node. In that sense, every node serves as a directory server.<br /><br />When there are enough static IP nodes to have a good chance that at least one will still be running by the time the current version goes out of use, we can preprogram a seed list.<br /><br />How do you think we should compile the seed list? Would it be OK to create it from the currently connected IPs that have been static for a while?<br /><br />BTW, if we want to supplement by deploying separate directory server software, may I suggest IRC? IRC is a good directory server (I've heard it has other uses too), and there are mature IRC server implementations available that anyone can run. :) Bitcoin's IRC client implementation is already thoroughly tested. 731 83 1 1268770654 731 0 xx 1 Re: Idea for file hosting service That's a great idea. There's a thriving business in those services, but I've always thought the standard payment methods are at odds with privacy minded customers.<br /><br />Would you consider making your software freely available so anyone could easily set one up? 
I know for competitive reasons the inclination is to keep it to yourself, but it could get an order of magnitude more use if anyone could give proxy access to their country just by putting the software on a server.

I wonder if there are other kinds of web application servers where we would only have to tack on the payment mechanism to an already existing system?

806 88 1 1269357761 806 0 xx 1 Re: who is bitcoin.com
It's unrelated. There wasn't anything there when I started.

The price of .com registrations is lower than it should be, therefore any good name you might think of is always already taken by some domain name speculator. Fortunately, it's standard for open source projects to be .org.

807 87 8 1269365734 807 0 xx 1 Re: Exchange Methods
LR and Pecunix have many established exchanges to paper currencies by various payment methods, and a number of vendors accept them as payment, so an exchange link between Bitcoin and LR/Pecunix would give us 2nd-hop access to all that. The possibility to cash out through them would help support the value of bitcoins.

Bitcoin has unique properties that would be complementary. LR/Pecunix are easy to spend anonymously, but hard to buy anonymously and not worth the trouble to buy in small amounts. Bitcoin, on the other hand, is easy to get in small amounts anonymously. It would be convenient to buy LR/Pecunix with bitcoins rather than through conventional payment methods.

Most customers who convert to LR to buy something would probably ask the seller first if they accept Bitcoin, encouraging them to start accepting it.

809 83 1 1269453717 809 0 xx 1 Re: Idea for file hosting and proxy services
Title changed.

It helps that we have someone with actual experience running a proxy service. Do you think Psiphon is the best one currently?
(sometimes the one you run was the best when you started but you found better ones later)

810 83 1 1269453775 810 0 xx 1 Re: Idea for file hosting and proxy services
Mihalism Multi Host is a popular open source PHP file hosting server.

It's geared toward image hosting, but I think by increasing the file size limit and liberalising the allowed file extensions, it could just as easily be used for general file upload hosting. They need the limits to keep it reasonable as a free service, but if we bolt on a Bitcoin payment mechanism, the limits could be relaxed.

It doesn't have a bunch of client side scripting or anti-embedding junk to rip out. It generates standard links that work normally.

There's a turnover churn in these free hosting sites. Small sites can give free image hosting, but once one starts getting popular, it gets too swamped with moochers using them for free bandwidth. Any site that gets well known has to become more aggressively pay-naggy to cover bandwidth costs. It's a perfect example of a service where the needed price point is in the no-man's-land between just a little too expensive to be free, but too cheap for most users to take the trouble of a conventional payment. It's in the gap between 0 and 19.95. The best they can do is try to maybe get 1 out of 1000 users to pay 9.95, but that has 999/1000 users treated like freeloaders. It can't really be advertising supported because the images are embedded in other sites and downloaded without going to the hosting site.

An example of a site running the software:
http://www.imagez.ws/

Forum:
http://www.mihalism.net/

Download:
http://code.google.com/p/mihalismmh/

What do you think? If I made a Bitcoin payment integration for this, would anyone be interested in running it? It might be the first fully automated service available to buy with Bitcoins.
The advantage it could offer over the free services is general file upload hosting of large files without making downloading users go to the upload site and jump through hoops. It would give a normal link directly to the file.

1130 130 6 1274043704 1130 0 xx 1 Re: Could the bitcoin network be destroyed by someone generating endless bitcoin add
When you generate a new bitcoin address, it only takes disk space on your own computer (like 500 bytes). It's like generating a new PGP private key, but less CPU intensive because it's ECC. The address space is effectively unlimited. It doesn't hurt anyone, so generate all you want.

1131 129 8 1274045856 1131 0 xx 1 Re: For a website taking payments with bitcoins, better: IP or bitcoin addresses?
[quote author=Xunie link=topic=129.msg1124#msg1124 date=1273873973]
I suggest we disable IP transactions while the user uses a Proxy!
Just to be on the safe side.
[/quote]
That's a good idea. At the very least a warning dialog explaining that it'll connect to the IP and send the information cleartext, giving the chance to cancel.

1132 55 6 1274049441 1134 1274053985 satoshi xx 1 Re: URI-scheme for bitcoin
[quote author=Karmicads link=topic=55.msg1038#msg1038 date=1272694013]
A freenet URI is like this:

http://127.0.0.1:8888/USK@oshw3DxmJUt7q4ThF4dCez5IXbc9hCGcv0VuwLRCmeQ,ckeXv20F1gBzkqssB4RXHZ2nB1YRT8Pb8KYZk8wj-bs,AQACAAE/occamsrazor/6/f.pdf
[/quote]

There you go, we could easily do it the same way, like:
http://127.0.0.1:8330/?to=<bitcoinaddress>;amount=<amount>

Bitcoin can answer port 8330 on local loopback just as it does for JSON-RPC on 8332.
It would give an HTTP answer.

[quote author=DataWraith link=topic=55.msg1045#msg1045 date=1272798789]
A bitcoin-link should be more like mailto: than magnet: IMHO.
[/quote]

I think we can do that.

Although it would be possible for Bitcoin to take care of business in the HTTP response by presenting HTML UI to the user, as a user I would wonder if some website is trying to trick me or if I'm really talking to my own Bitcoin server.

The HTTP response could simply be HTML with the JavaScript equivalent of the back button, sending it back to the page. Bitcoin then pops up the Send Bitcoins dialog with the destination bitcoin address and amount already filled in. It would work just like a mailto: link that pops up a new email with the address filled in.

127.0.0.1 loopback is accessible by any user on the machine, it doesn't have per-user separation, but it's OK because it would only serve the convenience function of pre-filling the fields in a dialog. You'd still have to press Send. We'd have to make sure the Send button is not selected so it couldn't jump into the foreground while you're typing a space or enter.

1133 135 4 1274050439 1133 0 xx 1 Re: Exception: 9key_error error
Does it happen every time you run it, or just happened once at some random time?

I've never seen that fail before. It's a call to OpenSSL that I assumed would never fail, but I put an error check there just in case. I can't imagine how it would fail. Out of memory maybe.

The code is:

key.h:
    EC_KEY* pkey;

    pkey = EC_KEY_new_by_curve_name(NID_secp256k1);
    if (pkey == NULL)
        throw key_error("CKey::CKey() : EC_KEY_new_by_curve_name failed");

NID_secp256k1 is a constant.

1134 101 4 1274052880 1135 1274055988 satoshi xx 1 Re: removing bitcoin addresses
SheriffWoody:
Bitcoin addresses you generate are kept forever.
A bitcoin address must be kept to show ownership of anything sent to it. If you were able to delete a bitcoin address and someone sent to it, the money would be lost. They're only about 500 bytes.

sirius-m:
Thousands of own addresses should not be any problem at all. If you've generated 50000 BTC, then you already have 1000 own addresses, one for each 50 generated. Those are hidden, they're not shown in the UI.

It would be a good idea to add a little code that keeps giving the same address to the same IP. Here's what I did in C++ to keep giving the same key (aka bitcoin address) until they use it:

    // Keep giving the same key to the same ip until they use it
    if (!mapReuseKey.count(pfrom->addr.ip))
        mapReuseKey[pfrom->addr.ip] = GenerateNewKey();

    ...sends the key mapReuseKey[pfrom->addr.ip]

...later...

    // Received something with this key
    mapReuseKey.erase(pfrom->addr.ip);

If it's not convenient to know when you've received, just clear the cached keys every 20 minutes.

I want to add a parameter to getnewaddress for number of days to expire if nothing is received with the address.
 can update it. 
- Get the src directory from the 0.3.1 release candidate posted in the development forum, any version will do:
http://www.bitcoin.org/smf/index.php?topic=383.0
- Make a subdirectory under src: locale/??/LC_MESSAGES
(?? could be anything really, "en" or your language 2-letter code)
- Put your .po file there
- Open it with poedit
- In poedit, Catalog->Update from sources

The key is that the src directory with the sourcefiles needs to be 3 directories up from the .po file.
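The address-reuse cache described in the "removing bitcoin addresses" post above, as an added Python example that is not the Bitcoin client's code: one address per requester until something is received with it, plus the time-based expiry the post proposes. The requester key, the `ReuseKeyCache` class and the placeholder address generator are assumptions of this example.

```python
import secrets
import time


class ReuseKeyCache:
    """Hand out one receiving address per requester until it is used or expires.

    Mirrors the mapReuseKey idea: without it every request would generate a
    fresh key that the wallet must keep forever (~500 bytes each).  Keying by
    requester IP, as the post does, means everyone behind one NAT shares an
    address, so a real deployment would key by order or account instead.
    """

    def __init__(self, max_age_seconds):
        self.max_age = max_age_seconds
        self._cache = {}          # requester -> (address, time handed out)
        self.generated = 0        # how many addresses the wallet had to create

    def _generate_new_key(self):
        # Placeholder for GenerateNewKey(); a constructed label, not a real key.
        self.generated += 1
        return "addr-%06d-%s" % (self.generated, secrets.token_hex(2))

    def get_address(self, requester, now=None):
        """Return the cached address for this requester, creating one if needed."""
        now = time.time() if now is None else now
        self.expire(now)
        entry = self._cache.get(requester)
        if entry is None:
            entry = (self._generate_new_key(), now)
            self._cache[requester] = entry
        return entry[0]

    def received(self, address):
        """Something arrived with this address: stop handing it out."""
        for requester, (addr, _) in list(self._cache.items()):
            if addr == address:
                del self._cache[requester]

    def expire(self, now):
        """Drop entries idle longer than max_age (the 'clear every 20 minutes' fallback)."""
        for requester, (_, issued) in list(self._cache.items()):
            if now - issued > self.max_age:
                del self._cache[requester]

    def cached(self):
        return len(self._cache)


if __name__ == "__main__":
    cache = ReuseKeyCache(max_age_seconds=20 * 60)
    first = cache.get_address("10.0.0.5", now=1000)   # constructed requester
    print(first, cache.get_address("10.0.0.5", now=1500) == first)
```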
3247 151 6 1279219434 3247 0 xx 1 Re: Website and software translations
[quote author=SmokeTooMuch link=topic=151.msg2619#msg2619 date=1279047355]
I recommend removing the download links at the bottom of the main page.
As you can see the links on the English page point to the new 0.3 release, but the other languages only contain links for the old 0.2 version.
There's a download box with the current releases on the right anyway, so why not remove the links from the translated pages.
[/quote]
I updated them to 0.3.0.

I am tempted to remove the download links from the other languages and only keep it on English.

They will need to be updated for 0.3.1 soon. Perhaps there's a way for someone to manage the updating of the translated drupal pages.

3257 151 6 1279221134 3257 0 xx 1 Re: Website and software translations
Thanks for the Spanish and French translations! The edited and updated .po files are attached.

I uploaded these to the SVN.

3264 390 3 1279221635 3264 0 xx 1 .po file management
Does anyone want to take over management of the .po files?

You would monitor the translation forum when translators come along with .po files.

The job is basically what I've been doing with them, which includes editing the .po file as a text file to fix up spacing, using poedit on it to update the strings from the latest sourcecode and maybe fixing up anything the automatic update got wrong, generating the .mo file. Edit their e-mail address out of the header, put their forum name instead. Need to know how to use SVN. Attach the .po file back to the person so if they make any more changes they can go from the edited version. Would make more sense for a non-developer since you don't need any development skills for this.
3295 383 6 1279230034 3295 0 xx 1 Re: 0.3.1 release candidate, please test
[quote author=knightmb link=topic=383.msg3269#msg3269 date=1279222630]
On Windows, the priority of the Coin Generation is still set for normal. If you run BitCoin in Generate Coin mode, then load up something to eat up all the CPU (like CPU hog for example: http://www.microtask.ca/cpuhog.html) you'll see that both BitCoin and CPU hog share the CPU 50/50 instead of CPU Hog taking all the CPU and BitCoin running only on idle/low process. The khash/s is also reduced in half, so further evidence that the threads are not running in a lower than normal priority.
[/quote]
I was not able to reproduce this. I have dual-proc, so I ran two memory hogs. Bitcoin got 0% of CPU according to the task manager. The khash/sec meter stayed stuck because it couldn't get any CPU to update it.

Do you have dual-proc? Are you sure you weren't running a single processor hog?

3305 383 6 1279231655 3305 0 xx 1 Re: 0.3.1 release candidate, please test
[quote author=knightmb link=topic=383.msg3274#msg3274 date=1279224946]
On the Linux client (64 bit), the "minimize on close" will still minimize to tray (causing X server hang after a short while by spawning multiple tray icons).
[/quote]
I updated the first post with a link to rc2 for linux with the fix for this. Please check that this is fixed for you. Thanks!

http://www.bitcoin.org/download/bitcoin-0.3.1.rc2-linux.tar.gz

3306 383 6 1279231819 3306 0 xx 1 Re: 0.3.1 release candidate, please test
[quote author=db link=topic=383.msg3278#msg3278 date=1279226348]
The listreceivedbyaddress and getreceivedbyaddress commands are duplicated in bitcoind help. (Same in 0.3.0.)
[/quote]
Yes a bug. It'll have to be fixed in the next version.
3308 391 4 1279232306 3308 0 xx 1 Re: "SetIcons(): icon bundle doesn't contain any suitable icon"
That's surprising that we've never heard of that before now.

Maybe you're the first person to ever run it on Vista :)

I have to guess it has something to do with your display color depth selection. e.g. 8-bit, 16-bit, 24-bit, 32-bit, what is it? Do you have a weird video card, display setup or running it on a tablet or mobile or something?

3309 299 4 1279232550 3309 0 xx 1 Re: Runaway CPU usage for 64bit BitCoin (Linux Client)
The fix for the thread priority level on linux is available in the 0.3.1 release candidate here:
http://www.bitcoin.org/smf/index.php?topic=383.msg3198#msg3198

3319 383 6 1279236184 3319 0 xx 1 Re: 0.3.1 release candidate, please test
[quote author=RHorning link=topic=383.msg3311#msg3311 date=1279232968]
I don't see either happening, although it did get put into the "Startup" folder. That is so Windows 95ish (just kidding..... Microsoft has so screwed this up that it isn't even funny). I would recommend the registry settings for a number of reasons including the fact that most software puts the startup in that location, even though I personally find the startup folder to be more attractive and how most software on Windows [i]should behave[/i].
[/quote]
It could go either way. The Startup folder has the advantage that the end user can see it and manually remove it with the regular UI (not regedit) if they already blew away the Bitcoin directory and its uninstaller. Bitcoin will not relentlessly keep re-adding it if you delete it manually.

OpenOffice is another example of something that puts its link in the Startup folder.

3323 391 4 1279237283 3323 0 xx 1 Re: "SetIcons(): icon bundle doesn't contain any suitable icon"
[quote author=bdonlan link=topic=391.msg3320#msg3320 date=1279236434]
in 120DPI mode.
[/quote]
What is "120DPI mode"? Is that an actual setting somewhere?
Sounds like an obscure enough candidate. I suppose it needs twice the resolution icon to fill the size of the upper left corner icon. Only one size is provided.

3339 383 6 1279241072 3339 0 xx 1 Re: 0.3.1 release candidate, please test
Run it with the undocumented switch -minimizetotray and the option is available in the options menu.

I don't know how to fix it. It's something wrong deep inside wxWidgets or GTK or Gnome.

3350 295 5 1279245727 3350 0 xx 1 Re: Donations to freebitcoins.appspot.com needed!
5 BTC seems like a lot these days, maybe the normal amount should be 1 or 2 BTC.

This is an important service so new users can at least get something if generating is too hard.

3362 391 4 1279248209 3362 0 xx 1 Re: "SetIcons(): icon bundle doesn't contain any suitable icon"
That must be it then.

It must be looking for a larger icon like 20x20 but we don't have one.

3488 43 1 1279291572 3488 0 xx 1 Re: Proof-of-work difficulty increasing
The proof-of-work difficulty is currently 45.38. (see http://www.alloscomp.com/bitcoin/calculator.php)

It's about to increase again in a few hours. It's only been 3-4 days since the last increase, so I expect it will increase by the max of 4 times, or very nearly the max. That would put it at 181.54.

The target time between adjustments is 14 days, 14/3.5 days = 4.0 times increase.

3492 400 4 1279291924 3492 0 xx 1 Re: Assertion Failure - Ubuntu Lucid
That's the first time I've seen this error.

How many blocks do you have? (in the status bar)

You should move your blk*.dat files (in ~/.bitcoin) to another directory and let it start over downloading the block chain again.
If you don't mind, could you keep the old blk*.dat files for a little while in case I need to look at them?

3495 296 4 1279292123 3495 0 xx 1 Re: Fedora 13 libcrypto
Please try the 0.3.1 release candidate, it should at least resolve the libcrypto dependency:

http://www.bitcoin.org/smf/index.php?topic=383.0

Let me know if that works.

3499 303 4 1279292493 3499 0 xx 1 Re: Resending transaction
Bitcoin automatically rebroadcasts your transactions if it receives new blocks that don't contain them. It may take about an hour to get rebroadcast. It is relentless though. It will keep nagging the network forever until your transaction gets into a block.

3505 383 6 1279292999 3505 0 xx 1 Re: 0.3.1 release candidate, please test
Because of all the dependencies that different systems don't have. It's easier to just static link what we can. It doesn't increase the size by very much.

3510 393 6 1279294620 3510 0 xx 1 Re: Source code documentation
I like that in libraries for the external API's, but you can probably tell from the code that I'm not a fan of it for interior functions. Big obligatory comment headers for each function space out the code and make you hesitate about creating a small little function where the comment header would be bigger than the function. They're some trouble for maintenance, as changes to the function then require duplicate changes in the comment header. I like to keep code compact so you can see more code on the screen at once.

To add them now at this point, what would be written would just be what's obvious from looking at the function.

The external API we have, in rpc.cpp, the usage documentation is in the help string.

Sorry to be a wet blanket.

3520 360 6 1279296833 3520 0 xx 1 Re: Hash() function not secure
SHA256 is not like the step from 128 bit to 160 bit.

To use an analogy, it's more like the step from 32-bit to 64-bit address space.
We quickly ran out of address space with 16-bit computers, we ran out of address space with 32-bit computers at 4GB, that doesn't mean we're going to run out again with 64-bit anytime soon.

SHA256 is not going to be broken by Moore's law computational improvements in our lifetimes. If it's going to get broken, it'll be by some breakthrough cracking method. An attack that could so thoroughly vanquish SHA256 to bring it within computationally tractable range has a good chance of clobbering SHA512 too.

If we see a weakness in SHA256 coming gradually, we can transition to a new hash function after a certain block number. Everyone would have to upgrade their software by that block number. The new software would keep a new hash of all the old blocks to make sure they're not replaced with another block with the same old hash.

3524 397 6 1279298834 3524 0 xx 1 Re: Request: expected bitcoins per day display
Many businesses are like that. For a car salesman, when will the next customer walk in the door?

On the OP's question, it's a good feature, but the question is, how would we word it so people don't expect to get something after that specific amount of time? "it said 7 days and I waited more than a week and didn't get anything!" Approx, average, but still they're going to think that way. It can't be a whole sentence, unless we think of somewhere else to put it, but where would that be? Suggestions?

The difficulty quadrupled a few minutes ago to 181.54. It's going to take typically about a week to generate now.

3526 43 1 1279299414 3526 0 xx 1 Re: Proof-of-work difficulty increasing
It adjusted to 181.54 a few minutes ago. Typical time to get a block is about a week now.

The difficulty can adjust down as well as up.

The network should be generating close to 6 blocks per hour now.
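The retarget arithmetic behind the difficulty posts above (14-day target timespan, at most a 4x move per adjustment, 6 blocks per hour, 120 confirmations before generated coins can be spent), as an added Python example that is not the Bitcoin client's code. It assumes the clamp is applied to the measured timespan and that difficulty 1 costs about 2^32 hashes per block; the exact 4x step gives 181.52 rather than the 181.54 quoted, because the real client rounds the target through its compact encoding, which is not modelled here.

```python
# Constants as the posts describe them (constructed from the text, not imported).
TARGET_TIMESPAN = 14 * 24 * 60 * 60            # seconds between adjustments
TARGET_SPACING = 10 * 60                       # intended seconds per block
INTERVAL = TARGET_TIMESPAN // TARGET_SPACING   # 2016 blocks per adjustment
COINBASE_MATURITY = 120                        # confirmations before spending


def clamp_timespan(actual_seconds):
    """Measured timespan limited to [target/4, target*4], so one adjustment can
    never move difficulty by more than a factor of four in either direction.
    This bound is what keeps a burst of new hash power (or a sudden drop) from
    swinging the target arbitrarily in a single step."""
    low, high = TARGET_TIMESPAN // 4, TARGET_TIMESPAN * 4
    return max(low, min(high, actual_seconds))


def retarget_factor(actual_seconds):
    """Multiplier applied to difficulty: blocks came too fast -> factor > 1."""
    return TARGET_TIMESPAN / clamp_timespan(actual_seconds)


def next_difficulty(current_difficulty, actual_seconds):
    return current_difficulty * retarget_factor(actual_seconds)


def expected_block_seconds(difficulty, hashes_per_second):
    """Mean time for one miner to find a block (difficulty 1 ~ 2**32 hashes)."""
    return difficulty * 2 ** 32 / hashes_per_second


def network_blocks_per_hour(network_hashes_per_second, difficulty):
    return 3600 / expected_block_seconds(difficulty, network_hashes_per_second)


def maturity_seconds(blocks_per_hour=6):
    """120 confirmations at 6 blocks/hour -> 20 hours before generated coins spend."""
    return COINBASE_MATURITY / blocks_per_hour * 3600


if __name__ == "__main__":
    three_and_a_half_days = 3.5 * 24 * 60 * 60
    print("factor:", retarget_factor(three_and_a_half_days))          # 4.0
    print("next difficulty:", next_difficulty(45.38, three_and_a_half_days))
    print("hours to maturity:", maturity_seconds() / 3600)            # 20.0
```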
3534 393 6 1279300547 3534 0 xx 1 Re: Source code documentation
It's in init.cpp.

It's a wxWidgets app, so it doesn't have a main() function. It may in a little while, since I'm pretty close to making bitcoind build w/o wxBase. (it'll be in init.cpp)

Sorry about my choice of the filename "main.cpp", another possible name would have been "core.cpp". It's much too late to change. I still prefer main.cpp.

We're still in great need of sample code showing the recommended way to use the JSON-RPC functions, like for a basic account system on a typical storefront website. Using getreceivedbylabel using the username as the label, changing to a new bitcoin address once the stored one for that account gets used. I posted a sample code fragment on the forum somewhere. (search on getreceivedbylabel or getnewaddress) The sample code could be a plain vanilla bank site where you can deposit and send payments.

3536 383 6 1279301177 3536 0 xx 1 Re: 0.3.1 release candidate, please test
Good point. If you're going to have more than 8 LAN nodes connect to one gateway node, then you'd better have the gateway node set up so it can receive incoming connections. Otherwise, while the gateway node has 8 or more connections, it will not try to add any more outbound connections. As the outside nodes you're connected to come and go, it doesn't make new outbound connections to replace them. You'll be fine if you can accept incoming connections, then there will be plenty of others connecting to you.

3537 43 1 1279301368 3537 0 xx 1 Re: Proof-of-work difficulty increasing
Yes, about 20 hours. (120 conf / 6 blocks per hour = 20 hours) That's the normal length of time before you can spend it. You know long before that that you won one.

3540 378 1 1279302425 3540 0 xx 1 Re: bitcoin trademark?
No, not related at all.
3545 403 1 1279303124 3545 0 xx 1 Re: The dollar cost of bitmining energy
Neat chart.

Difficulty just increased by 4 times, so now your cost is US$0.02/BTC.

3559 364 6 1279304584 3559 0 xx 1 Re: Website integration for bitcoin
I've been trying to encourage someone to write and release some sample Python code showing the recommended way to do the typical accounting stuff, but to no avail. It would be nice if you didn't have to re-invent the wheel like you're doing here. Search on getnewaddress and you should find a thread where I gave a small fragment of sample pseudocode.

12368 1013 1 1284138753 12368 0 xx 1 Re: Won't let me send coins because it requires a transaction fee?
The fix is in SVN rev 151.

You will be able to send your stuck 0.01 (actually 0.01000010) when you next upgrade.

12372 1007 6 1284142266 12372 0 xx 1 Re: Auto-detect for 128-bit 4-way SSE2
[quote author=teknohog link=topic=1007.msg12336#msg12336 date=1284060725]
Since the CallCPUID function contains x86 assembler, it breaks the build on other architectures. I've changed line 2770 in main.cpp to

#if defined(__GNUC__) && defined(CRYPTOPP_X86_ASM_AVAILABLE)

to make it compile again, at least on ARM.
[/quote]
Added in SVN rev 152

12483 589 6 1284313220 12483 0 xx 1 Re: Running on a port other than 8333
[quote author=lachesis link=topic=589.msg8544#msg8544 date=1281453895]
[s]Also, does Bitcoin open the BerkeleyDB as exclusive, precluding the need for a file lock?[/s]It does not -- did my own tests.
[/quote]
Is there a way to open BerkeleyDB exclusive?

DB_PRIVATE is the worst of both worlds. DB_PRIVATE is not exclusive, but it does make it get screwed up if another process tries to access it at the same time.

I've dropped the DB_PRIVATE flag in rev 153.

12484 920 6 1284314439 12484 1284315904 satoshi xx 1 Re: RFC: remove DB_PRIVATE flag
Trying it without the DB_PRIVATE flag in rev 153.
We need to keep an eye on what's different.

On Windows at least, it creates six __db.001 - __db.006 files with sizes from 24K to 4MB. It doesn't delete them on exit, it just leaves them behind.

The docs say it uses memory mapped files. I assume they have the same file permissions as the database files, so the same user access restrictions apply.

Tests on Windows private LAN download of 78500 blocks:
with DB_PRIVATE 20 minutes 51 seconds
without DB_PRIVATE 20 minutes 51 seconds

I wasn't expecting them to come out exactly the same.

12494 989 6 1284319493 12494 0 xx 1 Re: Switch to GPL
If the only library is closed source, then there's a project to make an open source one.

If the only library is GPL, then there's a project to make a non-GPL one.

If the best library is MIT, Boost, new-BSD or public domain, then we can stop re-writing it.

I don't question that GPL is a good license for operating systems, especially since non-GPL code is allowed to interface with the OS. For smaller projects, I think the fear of a closed-source takeover is overdone.

13201 1023 4 1284916923 13201 0 xx 1 Re: Memory leak
Bouncing between 0 and 2 connections could be if it's connecting to itself. Are you using the "-connect" switch?

Did you compile it or is this a release build, and what version?

I'm not sure how the 200Kb/sec, since it waits at least a half second between connection attempts. How fast is it flickering between 0 and 2 connections? Faster than twice a second?

The wait function on linux is:

inline void Sleep(int64 n)
{
    boost::thread::sleep(boost::get_system_time() + boost::posix_time::milliseconds(n));
}

If that doesn't work right, then it would be possible for it to spin through the loop as fast as it can.
13206 1034 6 1284922006 13206 1284923076 satoshi xx 1 Re: Issues building bitcoin on Windows 7
The lines it's tripping on:
[code]
ERROR extern map<string, string> mapAddressBook;
ERROR extern CCriticalSection cs_mapAddressBook;
ERROR extern vector<unsigned char> vchDefaultKey;
OK extern bool fClient;
OK extern int nBestHeight;

OK extern unsigned int nWalletDBUpdated;
ERROR extern DbEnv dbenv;
[/code]

So it's acting like nothing is defined, not even map and vector.

Yet, db.h is included by headers.h (and only there, nowhere else) which includes vector, map, util.h and everything before db.h.

Is VC trying to use precompiled headers and screwing it up? Could there be some leftover precompiled header files in your directory from previously failed attempts that it's finding and using?

There's an installer package now that makes it really easy to install MinGW. Don't use the latest version 4.5.0, use a few versions back like 4.4.1 (1.908.0) or 1.812.0. A setup program completely installs everything, it's not hard like it used to be. I think the only thing I had to do was rename make*.exe something to make.exe.
http://tdm-gcc.tdragon.net/

Off topic, but: It would be nice if someone would hack on getting tcatm's 4-way 128-bit SSE2 code working on Windows. There's something with MinGW's optimisation, I'm not sure but maybe a problem with 16-byte alignment on the stack, that makes it segfault. With some fiddling, I was able to get his code to work in a test program, but not in Bitcoin itself for some reason.

13211 1063 6 1284926291 13211 0 xx 1 Re: Bug? /usr/bin/bitcoind ""
I don't know anything about any of the bug trackers. If we were to have one, we would have to make a thoroughly researched choice.

We're managing pretty well just using the forum.
I'm more likely to see bugs posted in the forum, and I think other users are much more likely to help resolve and ask follow up questions here than if they were in a bug tracker. A key step is other users helping resolve the simple stuff that's not really a bug but some misunderstanding or confusion.

I keep a list of all unresolved bugs I've seen on the forum. In some cases, I'm still thinking about the best design for the fix. This isn't the kind of software where we can leave so many unresolved bugs that we need a tracker for them.

13219 1048 6 1284932970 13219 0 xx 1 Re: The case for removing IP transactions
Probably best to disable receiving by IP unless you specifically intend to use it. This is a lot of surface area that nobody uses that doesn't need to be open by default.

In storefront cases, you would typically only want customers to send payments through your automated system that only hands out bitcoin addresses associated with particular orders and accounts. Random unidentified payments volunteered to the server's IP address would be unhelpful.

In general, sending by IP has limited useful cases. If connecting directly without a proxy, the man-in-the-middle risk may be tolerable, but no privacy. If you use a privacy proxy, man-in-the-middle risk is unacceptably high. If we went to all the work of implementing SSL, only large storefronts usually go to the trouble of getting a CA cert, but most of those cases would still be better off to use bitcoin addresses.

I uploaded this change to SVN rev 156. The switch to enable is "-allowreceivebyip".

Senders with this version will get the error "Recipient is not accepting transactions sent by IP address". Older version senders will get "Transfer was not accepted".

I used a different name for the switch because "-allowiptransactions" sounds like it includes sending. If there's a better name for the switch, we can change it again.
13221 1032 1 1284936420 13221 0 xx 1 Re: Message Encryption as a built-in feature?
Theymos already said this... ECDSA does not support encrypting messages. Only digital signatures.

13829 994 1 1285258115 13829 0 xx 1 Re: Always pay transaction fee?
[quote author=satoshi link=topic=994.msg12237#msg12237 date=1283967014]
The current threshold is 200KB per block, or about 1000 transactions per block. I think it should be lowered to 50KB per block. That would still be more than 100 times the average transactions per block.
[/quote]
I implemented this change in SVN rev 157.

The reason I previously made it so high was to allow very large transactions without hitting the transaction fee. The threshold was around 26,000 BTC for transactions made of 50 BTC generated coins. Even though it was 100 times easier to generate back then, only a few people ever encountered the fee at that level. The new threshold puts it at around 11,000 BTC for sending generated coins. It would mostly only be reached with generated bitcoins. If you bought your bitcoins, they'll be denominated in larger transactions and won't be anywhere near the fee limit, unless you bought them in several hundred separate transactions. Even if you do reach the fee level, you only have to pay it once to bundle your little transactions together.

13831 1269 6 1285258748 13831 0 xx 1 Internal version number
In the next release (0.3.13), I'm going to change the format of the internal version number integer from 313 to 31300, for instance 31305 = 0.3.13.5. The last number represents changes on the SVN between releases and ought to be properly represented in the version number. Otherwise, it would be a pain if we had a mistake or something in one of the sub versions that needed to be worked around.

13833 960 4 1285259305 13833 0 xx 1 Re: Warning : Check your system ( Help me )
I don't understand, are you under the impression that the program sets the system clock?
It doesn't.

[quote author=Cdecker link=topic=960.msg13212#msg13212 date=1284927248]
We already have ways to synchronize (approximately) the clients, so why not make use of that?
[/quote]
We use an internal offset based on the median of other nodes' times, but for security reasons we don't let them offset us by more than an hour. If they indicate we're off by more than an hour, then we resort to alerting the user to fix their clock.

13844 671 7 1285264615 16337 1286660882 satoshi xx 1 Re: Porn
Bitcoin would be convenient for people who don't have a credit card or don't want to use the cards they have, either don't want the spouse to see it on the bill or don't trust giving their number to "porn guys", or afraid of recurring billing.

13848 1271 6 1285267196 13848 0 xx 1 Re: How divisible are bitcoins - the technical side
I would not encourage using the extra decimal places. They're only intended for future use.

You are correct that above 0.01 can still have additional precision, but the recipient won't be able to see it. The UI will show it rounded down.

13849 1269 6 1285267580 13849 0 xx 1 Re: Internal version number
I don't think it should cause any problems for version comparisons. 31300 > 312.

14132 1277 3 1285520404 14132 0 xx 1 Re: Un-sticky the "Post your Static IP" thread?
Good, it really isn't needed anymore. The old IP's listed aren't known to have -allowreceivebyip so they're not much use, and we're downplaying the send-by-IP option anyway. Laszlo's IRC allows TOR users, and also they can get seeded with the seed nodes, so it's not needed for that anymore either.

14136 1283 6 1285522466 14136 0 xx 1 Re: How To Make a Distributed BitCoin Escrow Service
It's not implemented yet, but the network can support a transaction that requires two signatures.
It's described here:
http://www.bitcoin.org/smf/index.php?topic=750.0

It's absolutely safer than a straight payment without escrow, but not as good as a human arbitrated escrow, assuming you trust the human enough.

In this kind of escrow, a cheater can't win, but it's still possible for you to lose. It at least takes away the profit motive for cheating you. The seller is assured that the money is reserved for him, while the buyer retains the leverage that the seller hasn't been paid yet until completion.

14714 1306 6 1285864733 14714 0 xx 1 Re: I broke my wallet, sends never confirm now.
As you figured out, the root problem is we shouldn't be counting or spending transactions until they have at least 1 confirmation. 0/unconfirmed transactions are very much second class citizens. At most, they are advice that something has been received, but counting them as balance or spending them is premature.

I made changes so they show up in lighter print, with the credit amount in square brackets like [+1.23], and the amount not counted towards your balance and not available for spending. This doesn't apply to transactions you sent, which you implicitly trust, since you wrote them.

I didn't make it (+1.23) because parentheses in accounting mean negative. I hope square brackets are different enough to be clear what is meant.

The JSON-RPC interface can still see 0/unconfirmed if it wants by specifying 0 confirmations.

I uploaded the changes to SVN rev 158.
I will post a 0.3.13 RC shortly.

If you have any of these transactions in your wallet, do not send any payments until you've upgraded to 0.3.13, which will be coming soon.

If you've already sent any of these transactions, or you're the creator of them, then use theymos' patch or make the following change and use it to send your clean transactions to a new wallet to clean things up.

change:
    if (pcoin->GetDepthInMainChain() < 1 && pcoin->GetDebit() <= 0)
        continue;
to:
    if (pcoin->GetDepthInMainChain() < 1)
        continue;

14720 1306 6 1285865940 14720 0 xx 1 Re: I broke my wallet, sends never confirm now.
0.3.13 release candidate, please test:
http://www.bitcoin.org/download/bitcoin-0.3.13-rc1-win32-setup.exe

14722 1322 6 1285866255 14722 0 xx 1 0.3.13 RC1 for Windows, please test
0.3.13 release candidate, to be released soon so please test:
http://www.bitcoin.org/download/bitcoin-0.3.13-rc1-win32-setup.exe

- don't count or spend payments until they have 1 confirmation
  http://www.bitcoin.org/smf/index.php?topic=1306.0
- internal version number from 312 to 31300
- only accept transactions sent by IP address if -allowreceivebyip is specified
- dropped DB_PRIVATE Berkeley DB flag
- fix problem sending the last cent with sub-cent fractional change
- auto-detect whether to use 128-bit 4-way SSE2 on Linux
Gavin Andresen:
- option -rpcallowip= to accept json-rpc connections from another machine
- clean shutdown on SIGTERM on Linux

14729 652 12 1285869032 14729 0 xx 1 Re: BitCoin Wikipedia page DELETED!!!
If you do, I think it should be a very brief, single paragraph article like 100 words or less that simply identifies what Bitcoin is.

I wish rather than deleting the article, they put a length restriction. If something is not famous enough, there could at least be a stub article identifying what it is.
I often come across annoying red links of things that Wiki ought to at least have heard of.

The article could be as simple as something like:
"Bitcoin is a peer-to-peer decentralised /link/electronic currency/link/."

The more standard Wiki thing to do is that we should have a paragraph in one of the more general categories that we are an instance of, like Electronic Currency or Electronic Cash. We can probably establish a paragraph there. Again, keep it short. Just identifying what it is.

14732 1314 1 1285870316 14769 1285885215 satoshi xx 1 Re: Prioritized transactions, and tx fees
It ramps up the fee requirement as the block fills up:

<50KB free
50KB 0.01
250KB 0.02
333KB 0.03
375KB 0.04
etc.

It's a typical pricing mechanism. After the first 50KB sells out, the price is raised to 0.01. After 250KB is sold, it goes up to 0.02. At some price, you can pretty much always get in if you're willing to outbid the other customers.

Just including the minimum 0.01 goes a long way.

14734 1314 1 1285870942 14734 0 xx 1 Re: Prioritized transactions, and tx fees
True, the switch should be something more dynamic that pays per KB. It's harder to think of how to explain it.

14736 1291 4 1285871261 14736 0 xx 1 Re: Remote RPC access
It can be safe if you're using it over your own LAN, like if you have multiple servers at a location that talk to each other.

0.3.13 RC1 is available for Windows:
http://www.bitcoin.org/download/bitcoin-0.3.13-rc1-win32-setup.exe

14787 1322 6 1285893166 14787 0 xx 1 Re: 0.3.13 RC1 for Windows, please test
Too late for 0.3.13, but I'll try to find time to add it to the next version.

14788 1327 6 1285893275 15666 1286383026 satoshi xx 1 Version 0.3.13, please upgrade
Version 0.3.13 is now available. You should upgrade to prevent potential problems with 0/unconfirmed transactions.
Note: 0.3.13 prevents problems if you haven't already spent a 0/unconfirmed transaction, but if that already happened, you need 0.3.13.2.

Changes:
- Don't count or spend payments until they have 1 confirmation.
- Internal version number from 312 to 31300.
- Only accept transactions sent by IP address if -allowreceivebyip is specified.
- Dropped DB_PRIVATE Berkeley DB flag.
- Fix problem sending the last cent with sub-cent fractional change.
- Auto-detect whether to use 128-bit 4-way SSE2 on Linux.
Gavin Andresen:
- Option -rpcallowip= to accept json-rpc connections from another machine.
- Clean shutdown on SIGTERM on Linux.

Download:
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.13/

(Thanks Laszlo for the Mac OSX build!)

Note:
The SSE2 auto-detect in the Linux 64-bit version doesn't work with AMD in 64-bit mode. Please try this instead and let me know if it gets it right:
http://www.bitcoin.org/download/bitcoin-0.3.13.1-specialbuild-linux64.tar.gz

You can still control the SSE2 use manually with -4way and -4way=0.

Version 0.3.13.2 (SVN rev 161) has improvements for the case where you already had 0/unconfirmed transactions that you might have already spent. Here's a Windows build of it:
http://www.bitcoin.org/download/bitcoin-0.3.13.2-win32-setup.exe

15102 1327 6 1286129826 15102 0 xx 1 Re: Version 0.3.13
[quote author=ShadowOfHarbringer link=topic=1327.msg14997#msg14997 date=1286024407]
That's nice, however the automatic 4way detection is not working on my Gentoo AMD 64 version client.

I still have to add the "-4way" switch.
[/quote]
Forgot to say, I suspected the detect might not work on 64-bit AMD. I found it hard to believe but AMD reports a different model number in 64-bit mode.

Could you grep CPUID your debug.log and tell me what it says?
(and anyone else with 64-bit AMD) And what AMD chip do you have?

Do all AMDs that support 64-bit have the better SSE2 hardware also?

15110 1327 6 1286134746 15110 0 xx 1 Re: Version 0.3.13, please upgrade
Could a few people please run this special build? It'll amnesty the dust spam transactions, which will clear up the 0/unconfirmed problem for now. We really just need one block letting them through to clear up the previous transactions. Post if you generate a block with this.

These are binaries only. The linux version is 64-bit only.
http://www.bitcoin.org/download/bitcoin-0.3.13.1-specialbuild-win32.zip
http://www.bitcoin.org/download/bitcoin-0.3.13.1-specialbuild-linux64.tar.gz

SHA1 fb7c66270281ed058c570627cf7baff0bdc16e5d bitcoin-0.3.13.1-specialbuild-win32.zip
SHA1 9fc44ea5f2109618073e2cfd887e2cc266eb31a9 bitcoin-0.3.13.1-specialbuild-linux64.tar.gz

The linux 64-bit version includes a change to the cpuid 4-way 128-bit SSE2 autodetect for AMD in 64-bit mode, if you'd like to test that and see if that's better.

15112 1327 6 1286135372 15112 0 xx 1 Re: Version 0.3.13, please upgrade
[quote author=tcatm link=topic=1327.msg15111#msg15111 date=1286135145]
983 Mhash/s box.
[/quote]
Seriously? What hardware is that?
15116 1327 6 1286136144 15116 0 xx 1 Re: Version 0.3.13, please upgrade
[code]
diff -u old\\main.cpp new\\main.cpp
--- old\\main.cpp\tSun Oct 03 20:57:20 2010
+++ new\\main.cpp\tSun Oct 03 20:57:54 2010
@@ -2831,6 +2831,10 @@
 bool fUseSSE2 = ((fIntel && nFamily * 10000 + nModel >= 60026) ||
 (fAMD && nFamily * 10000 + nModel >= 160010));
 
+ // AMD reports a lower model number in 64-bit mode
+ if (fAMD && sizeof(void*) > 4 && nFamily * 10000 + nModel >= 160004)
+ fUseSSE2 = true;
+
 static bool fPrinted;
 if (!fPrinted)
 {
@@ -2989,6 +2993,17 @@
 
 // Transaction fee based on block size
 int64 nMinFee = tx.GetMinFee(nBlockSize);
+ //////// temporary code
+ if (nBlockSize < MAX_BLOCK_SIZE_GEN / 10 && GetWarnings("statusbar") == "")
+ {
+ if (nBestHeight < 91000)
+ nMinFee = 0;
+ if (nBestHeight < 100000 && nTxSize < 2000)
+ nMinFee = 0;
+ if (nBestHeight < 110000 && nBestHeight % 10 == 0)
+ nMinFee = 0;
+ }
+ //////// temporary code
 
 map<uint256, CTxIndex> mapTestPoolTmp(mapTestPool);
 if (!tx.ConnectInputs(txdb, mapTestPoolTmp, CDiskTxPos(1,1,1), pindexPrev, nFees, false, true, nMinFee))
diff -u old\\serialize.h new\\serialize.h
--- old\\serialize.h\tSun Oct 03 20:57:45 2010
+++ new\\serialize.h\tSun Oct 03 20:57:54 2010
@@ -22,8 +22,8 @@
 class CAutoFile;
 static const unsigned int MAX_SIZE = 0x02000000;
 
-static const int VERSION = 31300;
-static const char* pszSubVer = "";
+static const int VERSION = 31301;
+static const char* pszSubVer = " test1";
[/code]

15136 1327 6 1286139247 15136 0 xx 1 Re: Version 0.3.13, please upgrade
[quote author=theymos link=topic=1327.msg15118#msg15118 date=1286136591]
ArtForz is already running with no fees, and he has 20-30% of the network's CPU power.
The person who originally sent the broken transactions deleted his wallet, though, and the network has forgotten these historical transactions, so any transactions based on this won't confirm.
[/quote]
Transactions aren't accepted or displayed as 0/unconfirmed until your node has a path of transactions back to the block chain.

Any transactions in your wallet also have bundled with them all unrecorded transactions required to reach the block chain. If you have a transaction that is displayed as 0/unconfirmed, then you have all the previous unrecorded transactions it depends on and you will also rebroadcast those transactions when you rebroadcast yours.

If a no-fee block has already been generated and hasn't helped, then I need to look at what's wrong. It's a part of code that doesn't get much use. They should be recorded in the wallets of everyone who has a transaction depending on them.

[quote author=theymos link=topic=1327.msg15118#msg15118 date=1286136591]
The person who originally sent the broken transactions deleted his wallet
[/quote]
Sigh... why delete a wallet instead of moving it aside and keeping the old copy just in case? You should never delete a wallet.

[quote author=tcatm link=topic=1327.msg15119#msg15119 date=1286136647]
It's running. Should find a block within 3 hours.
[/quote]
It may take a while to collect re-broadcast transactions. It'll help if you can accept inbound connections so you'll be listening to more nodes. Even if you find a block in 3 hours, keep it running continuously for a few days at least.

15139 1347 6 1286140048 15139 0 xx 1 Re: [PATCH] increase block size limit
[quote author=theymos link=topic=1347.msg15126#msg15126 date=1286137719]
Applying this patch will make you incompatible with other Bitcoin clients.
[/quote]
+1 theymos.
Don't use this patch, it'll make you incompatible with the network, to your own detriment.

We can phase in a change later if we get closer to needing it.

15142 1332 1 1286141404 15171 1286151761 satoshi xx 1 Re: How to overthrow the GPU Oligarchs
[quote author=theymos link=topic=1332.msg14966#msg14966 date=1285999871]
[quote author=lzsaver link=topic=1332.msg14960#msg14960 date=1285998587]
Can you tell more about it:
"they have to do weird things with extraNonce, which increases the size of the block header".
[/quote]
When you generate, you calculate hashes of the block header. Hashing more data is slower than hashing less data, so the block header is critically of a fixed size for everyone, with one exception.
[/quote]
This is the point of confusion. extraNonce is not part of the block header, it is part of the first transaction. It does not slow down your hashing. It does not change the size of the header.

We need to be vigilant and nip in the bud any misconception that the contents of your block slows down your hash speed. It doesn't.

extraNonce never needs to be very big. We could reset it every second whenever the time changes if we wanted. Worst case, if you didn't want to keep track of incrementing it, extraNonce could be 4 random bytes and the chance of wasting time from collision would be negligible.

Separate machines are automatically collision proof because they have different generated public keys in the first transaction. That also goes for each thread too.

15147 1327 6 1286142200 15147 0 xx 1 Re: Version 0.3.13, please upgrade
ShadowOfHarbringer, is yours faster with -4way?

If it is, then I'm thinking that any AMD that supports 64-bit has 128-bit SSE2.

The specialbuild version I posted here looks for model 4 or higher.
If yours is faster with -4way, then I should change it to always use SSE2 with any AMD with 64-bit.

15150 1023 4 1286143620 15150 0 xx 1 Re: Memory leak
You're connecting to yourself. All 21 connection attempts were to a node with version 31300 (0.3.13). Not everyone has 0.3.13 yet.

IRC seems to be working. It ought to have other nodes to try.

There may be something I need to do to make sure it doesn't try to connect to itself again right away after disconnecting. I can't see how it's happening though, it should be resetting nLastTry which would put it to the back of the queue, but the log doesn't show it.

You can try moving addr.dat aside. Maybe there's something wrong in it.

Are you using -addnode?

15167 1327 6 1286149579 15167 0 xx 1 Re: Version 0.3.13, please upgrade
Make sure you keep your node online so it'll keep rebroadcasting transaction b412a0. I haven't seen it rebroadcast since 29/09/2010 16:41.

15176 151 6 1286156681 15176 0 xx 1 Re: Website and software translations
Thanks eurekafag, Russian translation added to SVN rev 160.

15360 151 6 1286220061 15360 0 xx 1 Re: Website and software translations
[quote author=eurekafag link=topic=151.msg15248#msg15248 date=1286189756]
Where can I find the latest English .po file to keep the translation up-to-date?
[/quote]
poedit does it. Either get the src directory from a release, or download instruction that's really slow? I'm not sure how available it is, but I think Intel used to have a profiler for profiling on a per instruction level. I guess if tcatm doesn't have a system with the slow processor to test with, there's not much hope. But it would be really nice if this was working on most CPUs.

8388 753 6 1281379841 8393 1281380890 satoshi xx 1 Re: bitcoin generation broken in 0.3.8?
I found that SSE2 only added a slight 2% speedup, which didn't seem worth the incompatibility.
I was trying to take the safer option.

It doesn't look to me like Crypto++ could be deciding whether to use SSE2 at runtime. There's one place where it detects SSE2 for deciding some block count parameter, but the SSE2 stuff is all #ifdef at compile time and I can't see how that would switch at runtime. Maybe I'm not looking in the right place.

Should we enable SSE2 in all the makefiles? It seems like we must in case someone compiles with 64-bit.

I will recompile the 64-bit part of the Linux 0.3.8 release.

8402 765 1 1281383218 8402 0 xx 1 Version 0.3.8.1 update for Linux 64-bit
When we switched to Crypto++ 5.6.0 SHA-256 in version 0.3.6, generation got broken on the Linux 64-bit build. Version 0.3.8.1 is on SourceForge with the 64-bit binary updated.

Download:
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.8/bitcoin-0.3.8.1-linux.tar.gz/download

Future versions after 0.3.8 will probably require SSE2. Anyone have Pentium 3 or older where this would be a problem?

8413 760 6 1281384806 8413 0 xx 1 Re: What could be the transition plan to Y2038 compliant Bitcoin?
[b]unsigned[/b] int is good until 2106. Surely the network will have to be totally revamped at least once by then.

There should not be any signed int. If you've found a signed int somewhere, please tell me (within the next 25 years please) and I'll change it to unsigned int.

8417 753 6 1281386046 8417 0 xx 1 Re: bitcoin generation broken in 0.3.8? (64-bit)
I uploaded 0.3.8.1 for Linux with re-built 64-bit.
I ran a difficulty 1 test with it and it has generated blocks.

http://www.bitcoin.org/smf/index.php?topic=765.0

Download:
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.8/bitcoin-0.3.8.1-linux.tar.gz/download

8422 765 1 1281387306 8422 0 xx 1 Re: Version 0.3.8.1 update for Linux 64-bit
That's a good point, I believe you could run with generation off if you don't have SSE2.

How about add to the top of cryptopp/config.h:

#if !defined(_M_X64) && !defined(__x86_64__)
#define CRYPTOPP_DISABLE_SSE2 1
#endif

that would disable SSE2 for 32-bit builds. (at least with GCC or MSVC)

8424 766 6 1281387525 8424 0 xx 1 Connection limits
SVN rev 125:
- Always make 8 outbound connections even if have 8 inbound
- Limit outbound connections to one per a.b.?.? range
- Switch -maxconnections=#

I added the (currently undocumented) switch -maxconnections=#. You shouldn't use it unless you need to because your router can't maintain a lot of connections, then try -maxconnections=30.

I haven't really tested -maxconnections much, could someone test it?

8431 721 1 1281389319 8431 0 xx 1 Re: Bitcoin minting is thermodynamically perverse
The heat from your computer is not wasted if you need to heat your home. If you're using electric heat where you live, then your computer's heat isn't a waste. It's equal cost if you generate the heat with your computer.

If you have other cheaper heating than electric, then the waste is only the difference in cost.

If it's summer and you're using A/C, then it's twice.

Bitcoin generation should end up where it's cheapest. Maybe that will be in cold climates where there's electric heat, where it would be essentially free.

8628 765 1 1281483960 8628 0 xx 1 Re: Version 0.3.8.1 update for Linux 64-bit
SVN rev 128: disable SSE2 on 32-bit. This may only disable it for MSVC and GCC.
Other compilers might have different 64-bit defines.

8637 770 1 1281485662 8637 0 xx 1 Re: Not a suggestion
This is a very interesting topic. If a solution was found, a much better, easier, more convenient implementation of Bitcoin would be possible.

Originally, a coin can be just a chain of signatures. With a timestamp service, the old ones could be dropped eventually before there's too much backtrace fan-out, or coins could be kept individually or in denominations. It's the need to check for the absence of double-spends that requires global knowledge of all transactions.

The challenge is, how do you prove that no other spends exist? It seems a node must know about all transactions to be able to verify that. If it only knows the hash of the in/outpoints, it can't check the signatures to see if an outpoint has been spent before. Do you have any ideas on this?

It's hard to think of how to apply zero-knowledge-proofs in this case.

We're trying to prove the absence of something, which seems to require knowing about all and checking that the something isn't included.

8649 750 6 1281490202 8649 0 xx 1 Re: Escrow
[quote author=jgarzik link=topic=750.msg8566#msg8566 date=1281466437]
Ask some real-world business owners if they want to tell their customers about the chance of the money being lost forever, unrecoverable by either party.
[/quote]
That makes it sound like it might somehow get lost and the parties can't get it even if they want to cooperate.

When you pay for something up front, you can't get it back either. Consumers seem comfortable with that.
It's no worse than that.

Either party always has the option to release it to the other.

[quote author=nelisky link=topic=750.msg8585#msg8585 date=1281471636]
But the money burning solution, while great at preventing economically viable fraud, does nothing to prevent revenge and actually makes everyone lose if one side is dishonest. I would certainly not endorse that.
[/quote]
Then you must also be against the common system of payment up front, where the customer loses.

Payment up front: customer loses, and the thief gets the money.
Simple escrow: customer loses, but the thief doesn't get the money either.

Are you guys saying payment up front is better, because at least the thief gets the money, so at least someone gets it?

Imagine someone stole something from you. You can't get it back, but if you could, if it had a kill switch that could be remote triggered, would you do it? Would it be a good thing for thieves to know that everything you own has a kill switch and if they steal it, it'll be useless to them, although you still lose it too? If they give it back, you can re-activate it.

Imagine if gold turned to lead when stolen. If the thief gives it back, it turns to gold again.

It still seems to me the problem may be one of presenting it the right way. For one thing, not being so blunt about "money burning" for the purposes of game theory discussion. The money is never truly burned. You have the option to release it at any time forever.

8651 784 6 1281490950 8651 0 xx 1 Re: Compile error in SVN r127
Updated SVN. Thanks.

There's little hope of not repeatedly stumbling over that in the future. It doesn't break the compile for me.
8798 770 1 1281560879 8798 0 xx 1 Re: Not a suggestion
Still thinking this idea through...

The only job the network needs to do is to tell whether a spend of an outpoint is the first or not.

If we're willing to have clients keep the history for their own money, then some of the information may not need to be stored by the network, such as:
- the value
- the association of inpoints and outpoints in one transaction

The network would track a bunch of independent outpoints. It doesn't know what transactions or amounts they belong to. A client can find out if an outpoint has been spent, and it can submit a satisfying inpoint to mark it spent. The network keeps the outpoint and the first valid inpoint that proves it spent. The inpoint signs a hash of its associated next outpoint and a salt, so it can privately be shown that the signature signs a particular next outpoint if you know the salt, but publicly the network doesn't know what the next outpoint is.

I believe the clients would have to keep the entire history back to the original generated coins. Someone sending a payment would have to send data to the recipient, as well as still communicating with the network to mark outpoints spent and check that the spend is the first spend. Maybe the data transfer could be done as an e-mail attachment.

The fact that clients have to keep the entire history reduces the privacy benefit. Someone handling a lot of money still gets to see a lot of transaction history. The way it retrospectively fans out, they might end up seeing a majority of the history. Denominations could be made granular to limit fan-out, but a business handling a lot of money might still end up seeing a lot of the history.

8803 782 4 1281563211 8803 0 xx 1 Re: Lost large number of bitcoins
[quote author=sirius-m link=topic=782.msg8657#msg8657 date=1281492113]
I added to the FAQ the warning to back up after each transaction.
Is it necessary btw to stop the client before making a backup? That's a bit inconvenient. Automatic backups would be useful indeed.
[/quote]
You can get away with backing up without stopping the client if you don't do anything or receive a payment within a few seconds before the backup. (like 5 seconds)

[quote author=gridecon link=topic=782.msg8795#msg8795 date=1281559568]
Wait, I'm confused again. I thought the essence of the surprise was that Bitcoin is programmed to "empty your wallet" for EACH transaction.
[/quote]
No, it doesn't usually empty your wallet with each transaction. It uses the smallest set of coins it can find to add up to near the amount. In this case, unfortunately, his wallet had a single 9000 BTC bill in it, and it had to break it to get 1 BTC and 8999 BTC change.

8804 788 6 1281566425 8804 0 xx 1 Re: Where is the separate discussion devoted to possible Bitcoin weaknesses.
It doesn't have to be such a breaking change. New nodes could accept old transactions for a long time until most nodes have already upgraded before starting to refuse transactions without PoW. Or, they could always accept old transactions, but only a limited number per time period.

I've thought about PoW on transactions many times, but usually I end up thinking a 0.01 transaction fee is essentially similar and better. 0.01 is basically a proof of work, but not wasted. But if the problem is validating loads of transactions, then PoW could be checked faster.

A more general umbrella partial solution would be to implement the idea where an unlikely dropoff in blocks received is detected.
Then an attacker would still need a substantial portion of the network's power to benefit from a DoS attack.

[quote author=gavinandresen link=topic=788.msg8761#msg8761 date=1281543056]
Bitcoin's p2p network is subject to various kinds of denial of service attacks.

There, I said it.
[/quote]
+1

Any demonstration tests at this point would only show what we already know, and divert dev time from strengthening the system to operational fire fighting.

8810 287 1 1281569330 8810 0 xx 1 Re: Flood attack 0.00000001 BC
It would be nice to keep the blk*.dat files small as long as we can.

The eventual solution will be to not care how big it gets.

But for now, while it's still small, it's nice to keep it small so new users can get going faster. When I eventually implement client-only mode, that won't matter much anymore.

There's more work to do on transaction fees. In the event of a flood, you would still be able to jump the queue and get your transactions into the next block by paying a 0.01 transaction fee. However, I haven't had time yet to add that option to the UI.

Scale or not, the test network will react in the same ways, but with much less wasted bandwidth and annoyance.

8814 790 6 1281571326 8814 0 xx 1 Re: BSD detection
[quote author=dkaparis link=topic=790.msg8807#msg8807 date=1281567616]
There is this piece of code in headers.h:
[tt]
#ifdef __WXMAC_OSX__
#define __WXMAC__ 1
#define __WXOSX__ 1
#define __BSD__ 1
#endif
#endif
[/tt]
[/quote]
That code was a bad idea anyway, I'm deleting it.
Any Mac code should only use __WXMAC_OSX__, not __WXMAC__ or __WXOSX__, and we should stop using __BSD__.

[quote]
[tt]
#if (defined(__unix__) || defined(unix)) && !defined(USG)
#include <sys/param.h>
#endif
[/tt]
[/quote]
Will that definitely cause BSD to be defined on Mac?

8836 770 1 1281581216 8836 0 xx 1 Re: Not a suggestion
[quote author=Red link=topic=770.msg8824#msg8824 date=1281575419]
[quote author=satoshi link=topic=770.msg8798#msg8798 date=1281560879]
I believe the clients would have to keep the entire history back to the original generated coins. The fact that clients have to keep the entire history reduces the privacy benefit.
[/quote]

I thought this too at first. But then I convinced myself otherwise.
[/quote]
Are you back to talking about the existing Bitcoin system here?

I was talking about in the hypothetical system I was describing, if the network doesn't know the values and lineage of the transactions, then it can't verify them and vouch for them, so the clients would have to keep the history all the way back.

If a client wasn't present until recently, the two ways to convince it that a transaction has a valid past is:
1) Show it the entire history back to the original generated coin.
2) Show it a history back to a when looking for received payments, and the json-rpc safe mode stops automated websites from making any more trades until they're upgraded.

The json-rpc methods that return errors during an alert are:
sendtoaddress
getbalance
getreceivedbyaddress
getreceivedbylabel
listreceivedbyaddress
listreceivedbylabel

10723 890 6 1282521452 10723 0 xx 1 Re: integrating digital payments into p2p protocols
Hey Zooko!

I wanted to thank you for posting about Bitcoin on your blog a year or two ago, back when I announced it on the Cryptography mailing list.
11068 820 6 1282689836 11068 0 xx 1 Re: tcatm's 4-way SSE2 for Linux 32/64-bit is in 0.3.10
[quote author=ArtForz link=topic=820.msg10609#msg10609 date=1282409791]
[list]
[li]AMD K10: 2 128bit units[/li]
[li]intel nehalem: 3 128bit units[/li]
[/list]
[/quote]
This probably explains why hyperthreading increases performance with -4way. If three SSE2 units is excessive, then hyperthreading would help keep them all busy.

11074 898 6 1282693872 11150 1282753992 satoshi xx 1 Re: Development of alert system
If you're so paranoid that you're getting hysterical over this, then surely you're paranoid enough that if a warning message displays on the status bar, you'll check the website and forum.

I think if another bug like the overflow bug occurs, it's important that automated websites stop trading until their admins can check out what's going on and decide what to do. If you decide it's a false alarm and want to take your chances, you can use the "-disablesafemode" switch.

11078 898 6 1282694796 11078 0 xx 1 Re: Development of alert system
This is in SVN rev 142 as version 0.3.11.

11150 898 6 1282749457 11150 1282754394 satoshi xx 1 Re: Development of alert system
It can't do arbitrary actions remotely. Maybe some of you are responding to other posters who suggested the alert system should do more?

If there is an alert, the following json-rpc methods return an error:
sendtoaddress
getbalance
getreceivedbyaddress
getreceivedbylabel
listreceivedbyaddress
listreceivedbylabel

The remaining 14 methods function as normal.

I believe the safer option should be enabled by default.
If you want your server to keep trading and ignore an alert saying the money it's receiving might be like the money from the overflow bug, then you can use the switch and not blame anyone else if you lose your money.<br /><br />Worst case if you leave alerts enabled, your site stops trading until you upgrade or add the -disablesafemode switch.<br /><br />Getting surprised by some temporary down time when your node would otherwise be at risk is better than getting surprised by a thief draining all your inventory.<br /><br />Someday when we haven't found any new bugs for a long time and it has been thoroughly security reviewed without finding anything, this can be scaled back. I'm not arguing that this is the permanent way of things forever. It's still beta software.<br /> 11151 898 6 1282754420 11151 0 xx 1 Re: Development of alert system I changed the switch name to -disablesafemode. 11155 898 6 1282755375 11159 1282759524 satoshi xx 1 Re: Development of alert system [quote author=jimbobway link=topic=898.msg11153#msg11153 date=1282754722]<br />[quote author=BioMike link=topic=898.msg10742#msg10742 date=1282540543]<br />@mizerydearia, I think the quote button is easier to find than the reply one. <br /><br />So, theoretically this is a first control system where <some government> can arrest satoshi and demand <br />that he hands over his key (or get it from his computer) and shut down the complete network?<br /><br />Or is that not possible? How far would <some government> get?<br />[/quote]<br /><br />A few rhetorical questions for satoshi:<br /><br />Can you resist waterboarding?<br />Can you endure electric shock?<br />All forms of torture?<br />Lastly, are you Jack Bauer by any chance? Seriously.<br />[/quote]<br />WRT the alert system, who cares? The most the key can do is temporarily disable six json-rpc commands until the site owners either add the -disablesafemode switch or upgrade. All nodes keep running and generating, the network stays up. 
If I'm not available, any script kiddie can figure out how to add two characters and make a new version that disables the alert system. It would be a temporary inconvenience only.<br /><br />[quote author=BioMike link=topic=898.msg10742#msg10742 date=1282540543]<br />So, theoretically this is a first control system where <some government> can arrest satoshi and demand <br />that he hands over his key (or get it from his computer) and shut down the complete network?<br />[/quote]<br />This is what makes me think the people objecting don't know what they're talking about. It can't "shut down the complete network". <br /><br /> 11158 898 6 1282759170 11158 0 xx 1 Re: Development of alert system [quote author=nelisky link=topic=898.msg11092#msg11092 date=1282699712]<br />So what kind of warning do admins get from bitcoind? Is there something we can grep from debug.log? Or will rpc calls raise some specific error? Is there a way to locally force this to happen, for unittesting services?<br />[/quote]<br />getinfo has a new field that shows any alert messages or other errors that would be displayed on the status bar.<br /><br />The rpc methods return a json-rpc error with the error description "Safe mode: " followed by additional text specified by the alert.<br /><br />I added the switch "-testsafemode" for you. SVN rev 145.<br /><br />This stuff is very new and may still be subject to change.<br /><br />[quote author=mizerydearia link=topic=898.msg11079#msg11079 date=1282695110]<br />I just discovered http://www.bitcoin.org/wiki/doku.php?id=man_page and don't see any reference to -disablesafemode. Perhaps it should be added! Also others like -4way should be added as well.<br />[/quote]<br />Many switches are intentionally undocumented, like if their functionality is still under construction or I haven't settled on their name yet, or just test code not intended for release.<br /><br />-4way should eventually be replaced by an auto-detect. 
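An added example for the safe-mode behaviour described in the posts above (this is not code from the thread or from the Bitcoin source): a client-side wrapper of the kind an automated site would put in front of its JSON-RPC calls. It treats any JSON-RPC error whose description starts with "Safe mode: " as a stop signal and consults getinfo before each trading cycle. The `errors` field name in the getinfo result, the error code -2, and the in-process fake bitcoind are assumptions made for the example; the list of six guarded methods is the one given in the thread.

```python
import json

# The six methods the thread says return an error while an alert is active.
SAFE_MODE_METHODS = {
    "sendtoaddress", "getbalance", "getreceivedbyaddress",
    "getreceivedbylabel", "listreceivedbyaddress", "listreceivedbylabel",
}
SAFE_MODE_PREFIX = "Safe mode: "


class SafeModeActive(Exception):
    """bitcoind refused the call because an alert put it in safe mode."""


class RpcError(Exception):
    """Any other JSON-RPC error."""


def fake_bitcoind(alert_text):
    """Constructed stand-in for a bitcoind JSON-RPC endpoint (not real server code).

    Returns transport(request_dict) -> response_dict mimicking the behaviour
    described in the thread: with an alert active the six guarded methods fail
    with a 'Safe mode: ...' error and everything else keeps working. The
    'errors' field in getinfo and error code -2 are assumptions.
    """
    def transport(request):
        method, rid = request["method"], request.get("id")
        if alert_text and method in SAFE_MODE_METHODS:
            return {"result": None,
                    "error": {"code": -2, "message": SAFE_MODE_PREFIX + alert_text},
                    "id": rid}
        if method == "getinfo":
            return {"result": {"version": 31100, "errors": alert_text or ""},
                    "error": None, "id": rid}
        if method == "getblockcount":
            return {"result": 76000, "error": None, "id": rid}
        return {"result": "ok", "error": None, "id": rid}
    return transport


def call(transport, method, *params, rid=1):
    """One JSON-RPC 1.0 call; raises SafeModeActive on a safe-mode refusal."""
    request = {"jsonrpc": "1.0", "id": rid, "method": method, "params": list(params)}
    # Round-trip through JSON so the fake behaves like a real wire exchange.
    response = json.loads(json.dumps(transport(json.loads(json.dumps(request)))))
    err = response.get("error")
    if err:
        msg = err.get("message", "")
        if msg.startswith(SAFE_MODE_PREFIX):
            raise SafeModeActive(msg[len(SAFE_MODE_PREFIX):])
        raise RpcError(msg)
    return response["result"]


def trading_allowed(transport):
    """Pre-flight check a site runs before every trading cycle: (allowed, reason).

    getinfo is asked first (the thread says it carries whatever the status bar
    would show); then one guarded method is probed so a node in safe mode for
    a reason not reflected in getinfo is still caught.
    """
    info = call(transport, "getinfo")
    if info.get("errors"):
        return False, info["errors"]
    try:
        call(transport, "getbalance")
    except SafeModeActive as e:
        return False, str(e)
    return True, ""


def process_payments(transport, payouts):
    """Send payouts in order, stopping at the first safe-mode refusal.

    Returns (sent, halted_reason); nothing after a refusal is attempted.
    """
    sent = []
    for address, amount in payouts:
        try:
            call(transport, "sendtoaddress", address, amount)
        except SafeModeActive as e:
            return sent, str(e)
        sent.append((address, amount))
    return sent, None
```

Against a real node the transport would POST the request over HTTP and the alert text would come from the node; the handling of the "Safe mode: " prefix and the stop-on-first-refusal loop are the parts that carry over.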
11219 898 6 1282781292 11219 0 xx 1 Re: Development of alert system [quote author=BioMike link=topic=898.msg11162#msg11162 date=1282760625]<br />[quote author=satoshi link=topic=898.msg11155#msg11155 date=1282755375]<br />[quote author=BioMike link=topic=898.msg10742#msg10742 date=1282540543]<br />So, theoretically this is a first control system where <some government> can arrest satoshi and demand <br />that he hands over his key (or get it from his computer) and shut down the complete network?<br /><br />Or is that not possible? How far would <some government> get?<br />[/quote]<br />This is what makes me think the people objecting don't know what they're talking about. It can't "shut down the complete network". <br />[/quote]<br />I've never objected to this change/idea, just asking if this was possible and to what extent.<br />What's wrong with getting informed? ;)<br />[/quote]<br />My apologies, your post was indeed a question not a statement.<br /> 11224 920 6 1282782808 11224 0 xx 1 Re: RFC: remove DB_PRIVATE flag Can you provide more details about what removing DB_PRIVATE does?<br /><br />I can't remember if I had a specific reason for DB_PRIVATE, or if I just copied the flags from some example code. Does removing DB_PRIVATE make it safe for other processes to open the database simultaneously? That may be an improvement, depending what the side effects are. Does it substantially reduce performance by making it have to write out every change immediately or do other coordination? Are there additional locking or coordination files then? What else changes? You could test by timing an initial block download with and without DB_PRIVATE, preferably -connect-ing to a local machine so network isn't a factor.<br /><br />Apparently, DB_PRIVATE doesn't do what you would hope it would do, which is prevent other processes from being able to open the database. It still lets them, it just screws up if they do. 
Another option, if there's a way, would be to make it lock the database files so they can't be accessed by other processes. 11227 873 4 1282783445 11227 0 xx 1 Re: Need a post writing up some things users should know Any backup process/procedure would just be a stopgap until there's time to properly work on coding solutions in software. We can try to use words to help the situation until code gets there.<br /><br />The main backup improvement will be pre-made pool of keys, and a rescan at load to scrape missed transactions from the block history. Then a backup will last forward for a long time.<br /> 11228 921 6 1282784260 11228 0 xx 1 Re: auto backing up of wallet.dat I started posting in the other topic but I'll repeat here, this thread seems more specific to the topic.<br /><br />The main backup improvement will be a pre-generated pool of keys and a rescan at load to scrape missed transactions from the block history. Then a backup will last forward for a long time.<br /><br />I was starting to post the same idea you said nelisky.<br /><br />How about a json-rpc command that locks the wallet, flushes it, copies wallet.dat to a location you specified, then unlocks it? That would be a smaller project than the pooled keys, so maybe it could be done first.<br /><br />What's the simplest portable way to copy a file? Is there something in Boost?<br /><br />What should it be named? maybe:<br />backupwallet <destination><br /><br /> 11342 930 6 1282870183 11342 0 xx 1 Re: Gentoo Linux Ebuild Try -datadir=<br /><br />Last time I tried $(shell /usr/bin/wx-config), there was immediate hollering about build problems with it. There wasn't time to investigate at the time.<br /><br />One problem with $(shell /usr/bin/wx-config) is it will pick up any version (wx 2.8 ) and any configuration (non-UTF-8 ) of wxWidgets that happens to be there. -lwx_gtk2ud-2.9 only matches the right configuration. It fails if wxWidgets was built with the wrong configuration. 
<br /><br />[quote]<br />Iirc, chatting in #wxwidgets on freenode, the devs there were baffled why that was used.<br />[/quote]<br />Did they say why they were baffled? <br /><br />[quote]<br />This is because on my system the path is /usr/include/wx-2.9/wx/wx.h<br />[/quote]<br />Why is it there? Was it included by the OS, or did you have to build it? If you built it, I wonder why it would put itself in a different place.<br /><br />Has wxWidgets 2.9 finally started to become available as a debian package?<br /><br />Maybe we should do this:<br /><br />INCLUDEPATHS= \<br /> -I"/usr/local/include/wx-2.9" \<br /> -I"/usr/local/lib/wx/include/gtk2-unicode-debug-static-2.9" \<br /> -I"/usr/include/wx-2.9" \<br /> -I"/usr/lib/wx/include/gtk2-unicode-debug-static-2.9"<br /><br />Again, those paths help make sure it's only 2.9 and will fail with 2.8.<br /><br />wxWidgets 2.8 comes in ANSI and UTF-16, both wrong for us. It's tempting because it's so easily available as a package; a lot of people were frustrated by it until we started hardcoding 2.9 into the makefile.<br /> 11345 921 6 1282871622 11345 0 xx 1 Re: auto backing up of wallet.dat If you read it into memory and write it out, it could fail in tight memory situations. <br /><br />I'm looking for something like copyfile(const char* from, const char* to) or copyfile(path from, path to), preferably something in Boost if it has it. If you find it for me, it's more likely I'll get to implementing it.<br /><br />[quote author=nelisky link=topic=921.msg11232#msg11232 date=1282785717]<br />As for the file copy, why add to the boost dependency? I for one would love to get a core lib with very little deps.<br />[/quote]<br />We require Boost for JSON and a dozen things replacing dependencies on wxWidgets. Boost is good, portable stuff, we should not shy away from it. 11350 921 6 1282877647 11350 0 xx 1 Re: auto backing up of wallet.dat I doubt there's an mmap(2) on Windows. 
I'd rather call an existing file copy function than make and test my own.<br /><br />[quote author=nelisky link=topic=921.msg11346#msg11346 date=1282872069]<br />But if you are already using features from boost::filesystem you can use copy_file from that. I just think that, if not already required for something else, it's a tad overkill.<br />[/quote]<br />Thanks. I thought it would be in there somewhere.<br /><br />We already use boost::filesystem in a dozen places. It's not a new added dependency. It gives us a lot of portable stuff that we would otherwise have to have a #ifdef for each OS and test everywhere.<br /> 11399 921 6 1282924077 11400 1282925765 satoshi xx 1 Re: auto backing up of wallet.dat Sorry, I've been so busy lately I've been skimming messages and I still can't keep up.<br /><br />We want to avoid Windows API calls whenever possible. They usually take about 6-8 parameters and a lot of testing to get right, it takes a page of code to do something simple.<br /><br />I usually shy away from iostreams. Seems like I too often hit limitations. They kind of botched the C++ streams standard in the 90's, which is too bad, streams can be very powerful and useful when done right. Using it in rpc.cpp may still turn out to be a mistake.<br /><br />Bottom line is I'd rather call an existing file copy function than make and test my own. 11400 928 6 1282925596 11400 0 xx 1 Re: New web service: obtain dump of bitcoin block NNNN That's kind of interesting as an upside-down bar chart of how many blocks were produced each day. The target is 144 blocks per day. 11403 845 7 1282927166 11407 1282932204 satoshi xx 1 Re: Bitcoins are most like shares of common stock Bitcoins have no dividend or potential future dividend, therefore not like a stock.<br /><br />More like a collectible or commodity. 
11405 583 7 1282930327 11409 1282933037 satoshi xx 1 Re: Bitcoin does NOT violate Mises' Regression Theorem As a thought experiment, imagine there was a base metal as scarce as gold but with the following properties:<br />- boring grey in colour<br />- not a good conductor of electricity<br />- not particularly strong, but not ductile 5769 461 6 1280094256 5769 0 xx 1 Re: JSON-RPC password [quote author=BitLex link=topic=461.msg5753#msg5753 date=1280090738]<br />I got some problems here too trying to get this run on PHP.<br />so far I had no luck, neither the wiki-sample (jsonRPCClient trying to fopen(http://username:password@localhost:8332/)), nor my curl-sample (using setopt CURLOPT_HTTPAUTH, CURLAUTH_BASIC) seem to work.<br />[/quote]<br />That's strange, didn't someone just say that was supposed to work? (what library was he using?) Post if you figure out what's wrong.<br /><br />I hope it's not going to put up this much of a fight for all PHP users.<br /><br />Looks like we've got the Fortran scenario already. 5771 461 6 1280094691 5771 0 xx 1 Re: JSON-RPC password [quote author=gavinandresen link=topic=461.msg5768#msg5768 date=1280093899]<br />Great catch! Simpler fix is to specify the BIO_FLAGS_BASE64_NO_NL in the rpc.cpp/EncodeBase64 function<br />[/quote]<br />SVN rev 111 5772 458 4 1280095617 5772 0 xx 1 Re: md5? For future reference, here's my public key. It's the same one that's been there since the bitcoin.org site first went up in 2008. Grab it now in case you need it later.<br /><br />http://www.bitcoin.org/Satoshi_Nakamoto.asc 5778 571 6 1280096856 5778 0 xx 1 Re: Stealing Coins Sorry, actually it's ECDSA (Elliptic Curve Digital Signature Algorithm) not RSA. I shouldn't have said "prime numbers". ECDSA doesn't take much time to generate a keypair. 
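An added example of the problem gavinandresen's BIO_FLAGS_BASE64_NO_NL fix addresses (this is not code from the thread or from rpc.cpp): an OpenSSL base64 BIO without that flag breaks its output into 64-character lines and ends it with a newline, so credentials encoded that way can never equal the single-line value an HTTP client sends in its Authorization header. The same failure is reproduced here with Python's line-wrapping encoder (76-character lines, also newline-terminated), next to a server-side Basic-auth check that decodes the header, rejects line breaks, and compares in constant time. The user names and passwords are made up for the example.

```python
import base64
import hmac


def credentials_wrapped(user, password):
    """Base64 from a line-wrapping encoder: a newline every 76 output characters
    plus a trailing newline. OpenSSL's base64 BIO without BIO_FLAGS_BASE64_NO_NL
    does the same at 64 characters; the width differs, the breakage does not."""
    return base64.encodebytes(f"{user}:{password}".encode()).decode()


def credentials_single_line(user, password):
    """Base64 with no line breaks, which is what a header value has to be."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_header(user, password):
    """Client side, RFC 7617: 'Basic' SP base64(user ':' password), one line."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    return "Basic " + credentials_single_line(user, password)


def http_authorized(auth_header, expected_user, expected_password):
    """Server side: True only for a well-formed single-line Basic header whose
    decoded user:password matches the configured one."""
    if auth_header is None or "\n" in auth_header or "\r" in auth_header:
        return False                      # a header value never contains a line break
    if not auth_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth_header[6:].strip(), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return False
    expected = f"{expected_user}:{expected_password}".encode()
    # Constant-time comparison so a wrong password is not rejected faster
    # or slower depending on how many leading bytes happen to match.
    return hmac.compare_digest(decoded, expected)


def naive_server_check(auth_header, expected_user, expected_password):
    """The buggy pattern: re-encode the configured user:password with a
    line-wrapping encoder and string-compare against the client's header.
    Never matches, because the re-encoded value ends with a newline."""
    return auth_header == "Basic " + credentials_wrapped(expected_user, expected_password)
```

The decode-then-compare form is also the one to prefer on its own merits: it accepts any valid encoding of the credentials (with or without padding quirks from the client library) and keeps the comparison constant-time.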
5904 576 6 1280165013 5904 0 xx 1 bitcoind without wxWidgets I replaced the last of the few wxBase dependencies in bitcoind.<br /><br />bitcoind now compiles without wxWidgets or wxBase in SVN rev 112.<br /><br />main(int argc, char* argv[]) is added to init.cpp. CMyApp and the Startup folder stuff are moved to ui.cpp. ui.cpp and uibase.cpp aren't linked by bitcoind.<br /><br />The makefiles have -DGUI to control whether the GUI is used.<br /><br />I test compiled MinGW, VC and Ubuntu. I don't know if I broke the Mac OSX build, someone will need to check that.<br /> 5920 501 6 1280169691 5920 0 xx 1 Re: Bitcoin x64 for Windows [quote author=Olipro link=topic=501.msg5815#msg5815 date=1280126357]<br />Credit to tcatm for the caching part of the SHA context - this offers absolutely brilliant performance. Additionally, the Intel compiler really comes into its own here as its parallelisation abilities give a massive performance boost over Visual Studio.<br /><br />Performance: 4700khash/s on 4 cores, I think that speaks for itself.<br /><br />I've included both the VS and Intel build, but there's really no comparison, the Intel build craps all over VS.<br />[/quote]<br />Is that still starting from Crypto++? Let's get this into the main source code. 5978 572 6 1280194182 5978 0 xx 1 Re: Bitcoin x86 for Windows [quote author=Olipro link=topic=572.msg5851#msg5851 date=1280149481]<br />Crypto++ 5.6.0: http://www.cryptopp.com/<br />Cached SHA256: http://pastebin.com/rJAYZJ32 (although I'm pretty sure this is publicly submitted elsewhere, I was linked to it on IRC)<br />[/quote]<br />I added the cached SHA256 state idea to the SVN, rev 113. The speedup is about 70%. I credited it to tcatm based on your post in the x64 thread. <br /><br />I can compile the Crypto++ 5.6.0 ASM SHA code with MinGW but as soon as it runs it crashes. It says it's for MASM (Microsoft's assembler) and the sample command line they give looks like Visual C++. 
Does it only work with the MSVC and Intel compilers? 5990 43 1 1280199898 5990 0 xx 1 Re: Proof-of-work difficulty increasing New difficulty factor 244.213223092<br />+35%<br /><br />I updated the first post.<br /><br />date, difficulty factor, % change<br />2009 1.00<br />30/12/2009 1.18 +18%<br />11/01/2010 1.31 +11%<br />25/01/2010 1.34 +2%<br />04/02/2010 1.82 +36%<br />14/02/2010 2.53 +39%<br />24/02/2010 3.78 +49%<br />08/03/2010 4.53 +20%<br />21/03/2010 4.57 +9%<br />01/04/2010 6.09 +33%<br />12/04/2010 7.82 +28%<br />21/04/2010 11.46 +47%<br />04/05/2010 12.85 +12%<br />19/05/2010 11.85 -8%<br />29/05/2010 16.62 +40%<br />11/06/2010 17.38 +5%<br />24/06/2010 19.41 +12%<br />06/07/2010 23.50 +21%<br />13/07/2010 45.38 +93%<br />16/07/2010 181.54 +300%<br />27/07/2010 244.21 +35%<br /> 6069 572 6 1280255250 6082 1280259888 satoshi xx 1 Re: Bitcoin x86 for Windows [quote author=BlackEye link=topic=453.msg5774#msg5774 date=1280095943]<br />I was able to integrate the SHA256 functionality from Crypto++ 5.6.0 into Bitcoin. This is the fastest SHA256 yet using the SSE2 assembly code. Since Bitcoin was sending unaligned data to the block hash function, I had to change the MOVDQA instruction to MOVDQU.<br /><br />I think using the SHA256 functionality from Crypto++ 5.6.0 is the way forward right now.<br />[/quote]<br />I added a subset of the Crypto++ 5.6.0 library to the SVN. I stripped it down to just SHA and 11 general dependency files. There shouldn't be any other crypto in there other than SHA.<br /><br />I aligned the data fields and it worked. The ASM SHA-256 is about 48% faster. The combined speedup is about 2.5x faster than version 0.3.3.<br /><br />I guess it's using SSE2. It automatically sets its build configuration at compile time based on the compiler environment.<br /><br />It looks like it has some SSE2 detection at runtime, but it's hard to tell if it actually uses it to fall back if it's not available. I want the release builds to have SSE2. 
SSE2 has been around since the first Pentium 4. A Pentium 3 or older would be so slow, you'd be wasting your electricity trying to generate on it anyway.<br /><br />This is SVN rev 114. 6083 572 6 1280260062 6083 0 xx 1 Re: Bitcoin x86 for Windows OK, thanks. I'd also like to know if it runs fine as long as you don't turn on Generate. You'd think as long as it doesn't actually execute any SSE2 instructions, it would still load. At least Pentium 3's could run it without generating. 6268 601 4 1280350706 6268 0 xx 1 Re: Having problems specifying -datadir I was able to reproduce this. The database doesn't like the relative path.<br /><br />"bitcoind -datadir=./subdir getinfo" works against a running daemon, but trying to start the daemon as "bitcoind -datadir=./subdir" gets that exception.<br /><br />I guess we should resolve the full path before passing it to the database.<br /><br />It looks like you were the first one to ever use -datadir with a relative path. 6273 604 6 1280352203 6273 0 xx 1 Re: Build error SVN r115 on my Mac: workaround Was that the only thing I broke in the OSX build?! Does it actually work after just that one change?<br /><br />I had to do that for makefile.vc also. It compiled, but SHA-256 didn't work correctly; it returned the same incorrect hash each time.<br /><br />We'll disable it now, and if anyone figures out how to fix it, we can re-enable it then. It's still 1.7x faster from the midstate optimisation.<br /><br />The Crypto++ ASM SHA-256 works with GCC on Linux and Windows (MinGW).<br /><br />I uploaded this makefile.osx change to SVN. (let me know if that compiles now) 6301 587 6 1280366183 6301 0 xx 1 Re: Difficulty You were looking at the wrong code. 
Here's the code that applies:<br /><br />[code]<br />bool CBlock::CheckBlock() const<br />{<br />...<br /> // Check timestamp<br /> if (nTime > GetAdjustedTime() + 2 * 60 * 60)<br /> return error("CheckBlock() : block timestamp too far in the future");<br />...<br /><br />bool CBlock::AcceptBlock()<br />{<br /> ...<br /> // Check timestamp against prev<br /> if (nTime <= pindexPrev->GetMedianTimePast())<br /> return error("AcceptBlock() : block's timestamp is too early");<br />[/code]<br /><br />The timestamp is limited to up to 2 hours in the future. It can be earlier than the previous block, but it must be greater than the median of the last 11 blocks. The reason for doing it that way is so the time can get corrected in the next block if the previous block had the time too far in the future, like what happened.<br /><br /> 6306 532 6 1280368838 6306 0 xx 1 Re: Scalability and transaction rate The current system where every user is a network node is not the intended configuration for large scale. That would be like every Usenet user runs their own NNTP server. The design supports letting users just be users. The more burden it is to run a node, the fewer nodes there will be. Those few nodes will be big server farms. The rest will be client nodes that only do transactions and don't generate.<br /><br />[quote author=bytemaster link=topic=532.msg6269#msg6269 date=1280350782]<br />Besides, 10 minutes is too long to verify that payment is good. It needs to be as fast as swiping a credit card is today.<br />[/quote]<br />See the snack machine thread, I outline how a payment processor could verify payments well enough, actually really well (much lower fraud rate than credit cards), in something like 10 seconds or less. If you don't believe me or don't get it, I don't have time to try to convince you, sorry.<br />http://www.bitcoin.org/smf/index.php?topic=423.msg3819#msg3819<br /> 6307 338 4 1280369446 6307 0 xx 1 Re: wiki registration email? WTF? How did we get on that? 
AFAIK, the only e-mail is if you tell the forum to do notifications, and I guess the wiki registration. I'd consider turning off the forum notification e-mails, I don't know why we have that. 6451 626 1 1280430786 15289 1286199456 satoshi exclamation 1 *** ALERT *** Upgrade to 0.3.6 Please upgrade to 0.3.6 ASAP! We fixed an implementation bug where it was possible that bogus transactions could be displayed as accepted. Do not accept Bitcoin transactions as payment until you upgrade to version 0.3.6!<br /><br />If you can't upgrade to 0.3.6 right away, it's best to shut down your Bitcoin node until you do.<br /><br />Also in 0.3.6, faster hashing:<br />- midstate cache optimisation thanks to tcatm<br />- Crypto++ ASM SHA-256 thanks to BlackEye<br />Total generating speedup 2.4x faster.<br /><br />Download:<br />http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.6/<br /><br />Windows and Linux users: if you got 0.3.5 you still need to upgrade to 0.3.6.<br /> 6469 626 1 1280433351 6469 0 xx 1 Re: *** ALERT *** version 0.3.6 Haven't had time to update the SVN yet. Wait for 0.3.6, I'm building it now. You can shut down your node in the meantime. 6480 626 1 1280435415 6480 0 xx 1 Re: *** ALERT *** version 0.3.6 SVN is updated with version 0.3.6.<br /><br />Uploading Windows build of 0.3.6 to Sourceforge now, then will rebuild linux. 6490 626 1 1280438438 6500 1280439408 satoshi xx 1 Re: *** ALERT *** Upgrade to 0.3.6 ASAP! 0.3.6 Linux build is back to the old makefile.unix. It static links libjpeg so that shouldn't be a problem.<br /><br />Is that working better?<br /><br />If you got 22DbRunRecoveryException and you've used someone else's build before, you may need to delete (or move the files somewhere else) database/log.000000*<br /><br />Windows and Linux users: if you got 0.3.5 you still need to upgrade to 0.3.6. 6502 626 1 1280439795 6502 0 xx 1 Re: *** ALERT *** Upgrade to 0.3.6 ASAP! 
"./bitcoin: /lib64/libc.so.6: version `GLIBC_2.11' not found (required by ./bitcoin)" isn't a new problem that started with 0.3.6 is it? This was built on the same OS installations as 0.3.0.<br /><br />Unfortunately I upgraded to Ubuntu 10.04 before 0.3.0. I will not upgrade anymore. I don't know when I might have time to reinstall to downgrade, but at least by not upgrading, it'll gradually fix itself. 6508 628 6 1280441055 6508 0 xx 1 Re: Implementation bug prior to 0.3.6 Actually, it works well to just PM me. I'm the one who's going to be fixing it. If you find a security flaw, I would definitely like to hear from you privately to fix it before it goes public. 6512 615 4 1280441311 6512 0 xx 1 Re: Transaction disappeared in the void... If the transaction didn't go out immediately at first, like if you weren't connected at the time, it may take up to 2 hours to resend it. Long term, it does keep relentlessly sending it.<br /><br />I'll shorten that length of time in a future version.<br /><br />You do need to have downloaded the complete block chain (currently 71040 blocks) before you'll see any confirms. Same with the recipient. 6516 612 4 1280441844 6516 0 xx 1 Re: Linux distribution download Yeah, acutely aware that I should have stayed on 9.04 or 9.10. It's a lot more work to downgrade than upgrade and I've been squeezed for time. Ubuntu is the most popular distro, so I'm staying with that. 6542 626 1 1280445132 6542 0 xx 1 Re: *** ALERT *** Upgrade to 0.3.6 ASAP! [quote author=lachesis link=topic=626.msg6515#msg6515 date=1280441676]<br />On Debian testing 32-bit, I get a few build errors, all resembling:<br />[code]script.cpp:114: error: was not declared in this scope[/code]<br />I got these when attempting to "make bitcoind" without "make clean" or "make" first. 
It looks like the bitcoind build instructions don't compile the headers first, but they also don't delete the headers.h.gch, so the old headers are used if present.<br /><br />If anyone else gets this error, the simplest solution is to "make clean" and retry the build.<br />[/quote]<br />We don't really need pre-compiled header. It only makes it compile slightly faster. I think I'll just get rid of it. Even still, you'd still need to remember to "make -f makefile.unix clean" or delete headers.h.gch one more time to get rid of the leftover file.<br /><br />Damn that GLIBC_2.11. I thought I'd been careful not to accept any of the updates. thoroughly deep block, then trust that if so many nodes all said the history up to then was correct then it must be true.<br /><br />But if the network didn't know all the values and lineage of the transactions, it couldn't do 2), I don't think.<br /> 8919 790 6 1281647660 8919 0 xx 1 Re: BSD detection This is in SVN rev 130. Check that it compiles right.<br /><br />[code]<br />#if (defined(__unix__) || defined(unix)) && !defined(USG)<br />#include <sys/param.h> // to get BSD define<br />#endif<br />#ifdef __WXMAC_OSX__<br />#ifndef BSD<br />#define BSD 1<br />#endif<br />#endif<br />[/code]<br /> 8920 795 6 1281648031 8920 0 xx 1 Bugfixes in SVN rev 130 Misc bugfixes in rev 130:<br /><br />fix -datadir with relative path<br />autostart is now off by default except on windows<br />fix occasional "vector iterator not dereferencable" assertion when compiled with msvc<br />fix readlink compile warning on linux build<br />use sys/param.h and BSD define instead of __BSD__<br />-paytxfee switch, e.g. -paytxfee=0.01 8922 691 6 1281648884 8922 0 xx 1 Re: Bitcoin Watchdog Service True, there would probably be someone with a dial-up modem or satellite dish internet. 
Rarer would be someone who has both that and the wired internet that has the outage, but if it's a big enough segment to matter, out of a million people there's bound to be a multi-home geek.<br /><br />ISP network cuts are just your local area. If you still have communication with the rest of your area, it would probably be something like 1/1000 of the world or less. Block generation in the segment would take several hours per block.<br /><br />I favour the plan to monitor if the frequency of blocks received drops too slow. That covers a large range of possibilities. 8924 601 4 1281649409 8924 0 xx 1 Re: Having problems specifying -datadir Fixed in SVN rev 130. 8929 648 6 1281650843 8958 1281667996 satoshi xx 1 Re: 4 hashes parallel on SSE2 CPUs for 0.3.6 That big of a difference in speed, by a factor of 4 or 6, feels like it's likely to be some quirky weak spot or instruction that the old chip is slow with. Unless it's a touted feature of the i5 that they made SSE2 six times faster.<br /><br />A quick summary:<br />Xeon Quad 41% slower<br />Core 2 Duo 55% slower<br />Core 2 Duo same (vess)<br />Core 2 Quad 50% slower<br />Core i5 200% faster (nelisky)<br />Core i5 100% faster (vess)<br />AMD Opteron 105% faster<br /><br />aceat64:<br />My system went from ~7100 to ~4200.<br />This particular system has dual Intel Xeon Quad-Core CPUs (E5335) @ 2.00GHz.<br /><br />impossible7:<br />on an Intel Core 2 Duo T7300 running x86_64 linux it was 55% slower compared to the stock version (r121)<br /><br />nelisky:<br />My Core2Quad (Q6600) slowed down 50%, <br />my i5 improved ~200%, <br /><br />impossible7:<br />on an AMD Opteron 2374 HE running x86_64 linux I got a 105% improvement (!)<br /> 8960 795 6 1281669323 8960 0 xx 1 Re: Bugfixes in SVN rev 130 No, that's not what it is.<br /><br />-paytxfee allows you to include a transaction fee with your transactions. If transaction confirmations become slow, you can get priority by using "-paytxfee=0.01". 
Any transactions you send would cost an extra 0.01. There's no reason to use more than 0.01.<br /><br />It's just there in case we need it. It probably won't be needed, and it can be explained more if we do. 9041 691 6 1281719367 9041 0 xx 1 Re: Bitcoin Watchdog Service [quote]<br />But there will be no irc server to bootstrap from.<br />[/quote]<br />Which doesn't matter because you can't access sourceforge to download the software either.<br /><br />If you've ever been connected before, you don't need IRC to bootstrap anymore. Even if you haven't, you can bootstrap from seed nodes. IRC is completely redundant since 0.3.0. 9046 806 6 1281721200 9452 1281888021 satoshi xx 1 Version 0.3.9 rc1, please test Here's a test build if you'd like to help test before 0.3.9 is released.<br />(or if you'd rather get upgrading out of the way now instead of waiting)<br /><br />Downloads: (binaries only)<br />http://www.bitcoin.org/download/bitcoin-0.3.9.rc1-win32.zip<br />(http://www.bitcoin.org/download/bitcoin-0.3.9.rc1-linux.tar.gz)<br /><br />SHA1 a36ea00cce27b4b083755df73a3d1e5e5729884e bitcoin-0.3.9.rc1-win32.zip<br />SHA1 bbb333b0ea57302740ad1bb9948520d00f884f9d bitcoin-0.3.9.rc1-linux.tar.gz<br /><br />Edit:<br />Linux please test rc2 instead. This adds a -4way switch for tcatm's 4-way SSE2. This will only be for Linux:<br />http://www.bitcoin.org/download/bitcoin-0.3.9.rc2-linux.tar.gz<br /><br />SHA1 47d9998f7d15fe81234a5c89a542da9d0664df40 bitcoin-0.3.9.rc2-linux.tar.gz<br /><br />Please report back your results<br />http://www.bitcoin.org/smf/index.php?topic=820 9074 770 1 1281727727 9074 0 xx 1 Re: Not a suggestion I'm not grasping your idea yet. Does it hide any information from the public network? What is the advantage?<br /><br />If at least 50% of nodes validated transactions enough that old transactions can be discarded, then everyone saw everything and could keep a record of it.<br /><br />Can public nodes see the values of transactions? 
Can they see which previous transaction the value came from? If they can, then they know everything. If they can't, then they couldn't verify that the value came from a valid source, so you couldn't take their generated chain as verification of it.<br /><br />Does it hide the bitcoin addresses? Is that it? OK, maybe now I see, if that's it.<br /><br />Crypto may offer a way to do "key blinding". I did some research and it was obscure, but there may be something there. "group signatures" may be related.<br /><br />There's something here in the general area:<br />http://www.users.zetnet.co.uk/hopwood/crypto/rh/<br /><br />What we need is a way to generate additional blinded variations of a public key. The blinded variations would have the same properties as the root public key, such that the private key could generate a signature for any one of them. Others could not tell if a blinded key is related to the root key, or other blinded keys from the same root key. These are the properties of blinding. Blinding, in a nutshell, is x = (x * large_random_int) mod m.<br /><br />When paying to a bitcoin address, you would generate a new blinded key for each use.<br /><br />Then you need to be able to sign a signature such that you can't tell that two signatures came from the same private key. I'm not sure if always signing a different blinded public key would already give you this property. If not, I think that's where group signatures comes in. With group signatures, it is possible for something to be signed but not know who signed it.<br /><br />As an example, say some unpopular military attack has to be ordered, but nobody wants to go down in history as the one who ordered it. If 10 leaders have private keys, one of them could sign the order and you wouldn't know who did it.<br /> 9134 807 6 1281742754 9134 0 xx 1 Re: Proposed change to sendtoaddress API call It's too soon to start junking up the API for backward compatibility at all costs.<br /><br />Just return "<txid>". 
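The CheckBlock()/AcceptBlock() timestamp rules quoted in the Difficulty thread above, as an added example (Python, not the project's code): median-time-past over the last 11 blocks, both checks in the order the quoted code applies them, and the situation the post describes, where a block stamped two hours ahead is accepted and the next block is allowed to carry an earlier time. The block times, the local adjusted time and the chain are constructed for the example.

```python
MAX_FUTURE_DRIFT = 2 * 60 * 60   # CheckBlock(): nTime at most 2 h past GetAdjustedTime()
MEDIAN_WINDOW = 11               # GetMedianTimePast(): median over the last 11 blocks


def median_time_past(times):
    """Median of the last MEDIAN_WINDOW entries of `times` (block times, oldest
    first). With 11 values this is the 6th in sorted order; with fewer (near
    genesis) it is the middle of what there is."""
    window = sorted(times[-MEDIAN_WINDOW:])
    return window[len(window) // 2]


def check_block_time(n_time, adjusted_now):
    """CheckBlock() part: 'block timestamp too far in the future'."""
    return n_time <= adjusted_now + MAX_FUTURE_DRIFT


def accept_block_time(n_time, prev_times):
    """AcceptBlock() part: 'block's timestamp is too early'. Strictly greater
    than the median, so equal to the median is rejected; being earlier than the
    previous block on its own is fine."""
    return n_time > median_time_past(prev_times)


def validate_block(n_time, prev_times, adjusted_now):
    """Both rules in the order the code applies them; returns (ok, reason)."""
    if not check_block_time(n_time, adjusted_now):
        return False, "block timestamp too far in the future"
    if not accept_block_time(n_time, prev_times):
        return False, "block's timestamp is too early"
    return True, ""


def scenario():
    """Constructed chain: a block stamped as far ahead as CheckBlock() allows
    gets in, and the next block may carry a lower timestamp, which is the
    correction the post describes. All times are made up for the example."""
    prev = [1000 + 600 * i for i in range(11)]       # 11 blocks at 10-minute spacing
    now = 7600                                       # local adjusted time when the next block arrives
    far_ahead = now + MAX_FUTURE_DRIFT - 1           # 14799: just inside the 2 h limit
    ahead = validate_block(far_ahead, prev, now)
    chain = prev + [far_ahead]
    later = now + 600                                # 10 minutes of real time pass
    corrected = validate_block(later, chain, later)  # 8200: before 14799, after the median
    too_early = validate_block(median_time_past(chain), chain, later)
    too_future = validate_block(later + MAX_FUTURE_DRIFT + 1, chain, later)
    return {
        "ahead_accepted": ahead[0],
        "corrected_accepted": corrected[0],
        "corrected_is_before_prev": later < far_ahead,
        "mtp_after_ahead": median_time_past(chain),
        "too_early": too_early,
        "too_future": too_future,
    }
```

Note what the median buys: the block stamped two hours ahead changes the lower bound for the next block no more than an honest block would have (the median becomes 4600 either way here), so a single block cannot drag the minimum timestamp forward; it takes a majority of the last 11.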
9145 648 6 1281746958 9145 0 xx 1 Re: 4 hashes parallel on SSE2 CPUs for 0.3.6 MinGW on Windows has trouble compiling it:<br /><br />g++ -c -mthreads -O2 -w -Wno-invalid-offsetof -Wformat -g -D__WXDEBUG__ -DWIN32 -D__WXMSW__ -D_WINDOWS -DNOPCH -I"/boost" -I"/db/build_unix" -I"/openssl/include" -I"/wxwidgets/lib/gcc_lib/mswud" -I"/wxwidgets/include" -msse2 -O3 -o obj/sha256.o sha256.cpp<br /><br />sha256.cpp: In function `long long int __vector__ Ch(long long int __vector__, long long int __vector__, long long int __vector__)':<br />sha256.cpp:31: internal compiler error: in perform_integral_promotions, at cp/typeck.c:1454<br />Please submit a full bug report,<br />with preprocessed source if appropriate.<br />See <URL:http://www.mingw.org/bugs.shtml> for instructions.<br />make: *** [obj/sha256.o] Error 1<br /> 9159 648 6 1281759749 9161 1281763550 satoshi xx 1 Re: 4 hashes parallel on SSE2 CPUs for 0.3.6 If you haven't already, try aligning thash. It might matter. Couldn't hurt.<br /><br />[quote author=tcatm link=topic=648.msg9147#msg9147 date=1281747187]<br />Looks like we're triggering a compiler bug in the tree optimizer. Can you try to compile it -O0?<br />[/quote]<br />No help from -O0, same error.<br /><br />MinGW is GCC 3.4.5. Probably the problem.<br /><br />I'll see if I can get a newer version of MinGW.<br /><br /> 9228 648 6 1281808537 9228 0 xx 1 Re: 4 hashes parallel on SSE2 CPUs for 0.3.6 Got the test working on 32-bit with MinGW GCC 4.5. Exactly 50% slower than stock with Core 2.<br /> 9278 648 6 1281823573 9359 1281843827 satoshi xx 1 Re: 4 hashes parallel on SSE2 CPUs for 0.3.6 MinGW GCC 4.5.0:<br />Crypto++ doesn't work, X86_SHA256_HashBlocks() never returns<br />I only got 4-way working with test.cpp but not when called by BitcoinMiner<br /><br />MinGW GCC 4.4.1:<br />Crypto++ works<br />4-way SIGSEGV<br /><br />GCC is definitely not aligning __m128i. 
<br /><br />Even if we align our own __m128i variables, the compiler may decide to use a __m128i behind the scenes as a temporary variable.<br /><br />By making our __m128i variables aligned and changing these inlines to defines, I was able to get it to work on 4.4.1 with -O0 only:<br />#define Ch(b, c, d) ((b & c) ^ (~b & d))<br />#define Maj(b, c, d) ((b & c) ^ (b & d) ^ (c & d))<br />#define ROTR(x, n) (_mm_srli_epi32(x, n) | _mm_slli_epi32(x, 32 - n))<br />#define SHR(x, n) _mm_srli_epi32(x, n)<br /><br />But that's with -O0.<br /><br /> 9359 648 6 1281843629 9359 0 xx 1 Re: 4 hashes parallel on SSE2 CPUs for 0.3.6 On both MinGW GCC 4.4.1 and 4.5.0 I have it working with test.cpp but SIGSEGV when called by BitcoinMiner. So now it doesn't look like it's the version of GCC, it's something else, maybe just the luck of how the stack is aligned.<br /><br />I have it working fine on GCC 4.3.3 on Ubuntu 32-bit.<br /><br />I found the problem with Crypto++ on MinGW 4.5.0. Here's the patch for that:<br />[code]<br />--- \\old\\sha.cpp\tMon Jul 26 13:31:11 2010<br />+++ \\new\\sha.cpp\tSat Aug 14 20:21:08 2010<br />@@ -336,7 +336,7 @@<br /> \tROUND(14, 0, eax, ecx, edi, edx)<br /> \tROUND(15, 0, ecx, eax, edx, edi)<br /> <br />-\tASL(1)<br />+ ASL(label1) // Bitcoin: fix for MinGW GCC 4.5<br /> \tAS2(add WORD_REG(si), 4*16)<br /> \tROUND(0, 1, eax, ecx, edi, edx)<br /> \tROUND(1, 1, ecx, eax, edx, edi)<br />@@ -355,7 +355,7 @@<br /> \tROUND(14, 1, eax, ecx, edi, edx)<br /> \tROUND(15, 1, ecx, eax, edx, edi)<br /> \tAS2(\tcmp\t\tWORD_REG(si), K_END)<br />-\tASJ(\tjne,\t1, b)<br />+ ASJ( jne, label1, ) // Bitcoin: fix for MinGW GCC 4.5<br /> <br /> \tAS2(\tmov\t\tWORD_REG(dx), DATA_SAVE)<br /> \tAS2(\tadd\t\tWORD_REG(dx), 64)<br />[/code]<br /> 9452 820 6 1281887529 9653 1281927129 satoshi xx 1 tcatm's 4-way SSE2 for Linux 32/64-bit is in 0.3.10 0.3.10 has tcatm's 4-way SSE2 as an option switch.<br /><br />Use the switch "-4way" to turn it on. 
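Review bot: in the first hunk, `+ ASL(label1) // Bitcoin: fix for MinGW GCC 4.5` drops the leading tab that the surrounding `ROUND(...)` and `AS2(...)` lines keep, and it turns the numeric local label `1` into the assembler symbol `label1`, which is visible across the whole assembly output of the translation unit rather than only until the next `1:`; if this routine is ever emitted twice in one file (a second copy of the hash loop) the assembler reports a duplicate definition. Keep the tab, and if a named label is what the MinGW GCC 4.5 assembler needs, make it unique per expansion (for example a `__LINE__`-derived suffix inside the macro) and say so in the comment.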
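Review bot: in the second hunk, `+ ASJ( jne, label1, )` replaces the backward-reference suffix `b` of `ASJ(\tjne,\t1, b)` with an empty macro argument; that only works if the `ASJ` macro expands cleanly when its third parameter is empty (standard since C99/C++11, an extension on older compilers such as the GCC 3.4.5 MinGW mentioned earlier in the thread), so add a comment that the empty suffix is deliberate because a named label takes no `b`/`f` direction, and restore the tab indentation to match the `AS2(\tcmp\t\tWORD_REG(si), K_END)` line directly above it.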
Without the switch you get Crypto++ ASM SHA-256.<br /><br />I could only get this working with Linux.<br /><br />Download:<br />Get 0.3.10 from http://www.bitcoin.org/smf/index.php?topic=827.0<br /><br />Please report back your CPU and results! I think it's pretty clear that Core 2 and lower are slower, i5 faster. I don't think we've heard any i7 results yet. We need to know about the different models of AMD or other less common CPUs.<br /> 9454 813 1 1281890236 9454 1281891016 satoshi xx 1 Re: Potential disaster scenario Some places where generation will gravitate to:<br />1) places where it's cheapest or free<br />2) people who want to help for ideological reasons<br />3) people who want to get some coins without the inconvenience of doing a transaction to buy them<br /><br />There are legitimate places where it's free. Generation is basically free anywhere that has electric heat, since your computer's heat is offsetting your baseboard electric heating. Many small flats have electric heat out of convenience.<br /><br />How expensive is heating oil? With the price of oil so high, if it's actually more expensive than electric, then generating would have negative cost.<br /><br />There's also kids putting it on their parents' power bill, employees their employer, botnets, etc.<br /><br />Case 3 comes into play for small amounts. The overhead of doing an exchange doesn't make sense if you just need a small bit of pocket change for incidental micropayments. I think this is a nice advantage vs fiat currency, instead of all the seigniorage going to one big entity, let it go in convenience amounts to people who need to scrape up a small amount of change.<br /> 9475 806 6 1281895901 9475 0 xx 1 Re: Version 0.3.9 rc1, please test [quote author=jgarzik link=topic=806.msg9467#msg9467 date=1281894387]<br />the extended-help might have been based on my idea, but the code was somewhat different.<br />[/quote]<br />The idea was the main part.
When you posted your patch, I realized it should have been done that way instead of "-?". I always had reservations about "-?" because it intrudes on the possible parameter values, and the help response is based on the version of the caller instead of the server. 9478 820 6 1281896606 9478 0 xx 1 Re: tcatm's 4-way SSE2 for Linux 32/64-bit 0.3.9 rc2 I hope someone can test an i5 or AMD to check that I built it right. I don't have either to test with.<br /><br />I'm also curious if it performs much worse on 32-bit linux vs 64-bit. 9483 820 6 1281897807 9483 0 xx 1 Re: tcatm's 4-way SSE2 for Linux 32/64-bit 0.3.9 rc2 I just uploaded a quick build so testers can check if I built it right. (I don't have an i5 or AMD) If it checks out, I'll put together the full package and do all the release stuff. 1834 199 6 1277652613 1834 0 xx 1 Re: 1.3 almost ready MinGW still only has good old stable 3.4.5. There's not much reason for them to update it. <br /><br />When I looked at the 3.4.5 compiled SHA disassembly, I couldn't see any room for improvement at all. I can't imagine how 8% more could be squeezed out of it. Is it possible Windows could have 8% more overhead? Not making system calls or anything, just plain busy computational code, could task switching and other housekeeping operations take away that much? 1838 202 7 1277665569 1838 0 xx 1 Re: Major Meltdown Here's an answer to a similar question about how to recover from a major meltdown.<br />https://www.bitcoin.org/smf/index.php?topic=191.msg1585#msg1585<br /><br />[quote author=satoshi link=topic=191.msg1585#msg1585 date=1276547990]<br />If SHA-256 became completely broken, I think we could come to some agreement about what the honest block chain was before the trouble started, lock that in and continue from there with a new hash function.<br /><br />If the hash breakdown came gradually, we could transition to a new hash in an orderly way. 
The software would be programmed to start using a new hash after a certain block number. Everyone would have to upgrade by that time. The software could save the new hash of all the old blocks to make sure a different block with the same old hash can't be used. <br />[/quote] 1924 223 6 1278098496 1924 0 xx 1 Re: Feature Request: Limiting Connections Thanks for the feedback on this.<br /><br />One thing we could do is lower the outbound connections from 15 to 10 or maybe even 5. The choice of 15 was arbitrary. It just needs to be enough for redundancy and fast exponential propagation of messages. 10 would still be plenty. 5 should be fine. 10 is good as a nice round number so users can see that it stopped intentionally.<br /><br />It would help to implement UPnP so there would be more inbound accepting nodes. Your number of connections is the ratio of inbound accepting nodes to out-only times 15. We need to encourage more people to accept inbound connections.<br /><br />I will implement a feature to stop accepting inbound connections once you hit a certain number.<br /><br />Which version are you running?<br /><br />Anyone know how many connections typical P2P software like BitTorrent can get up to?<br /><br /> 1926 199 6 1278103037 1926 0 xx 1 Re: 1.3 almost ready [quote author=dkaparis link=topic=199.msg1842#msg1842 date=1277676145]<br />On a related note, is the thing compilable by Visual C++? I'm inclined to give it a try when I get around to it.<br />[/quote]<br />It is, but generating is more than twice as slow. 1927 199 6 1278107865 2006 1278445482 satoshi xx 1 Re: 0.3 almost ready (reverted to rc2)<br /><br />Links removed, 0.3 is now released, so go to http://www.bitcoin.org to download it.<br /> 1928 217 6 1278108221 1928 0 xx 1 Re: Beta? OK, back to 0.3 then.<br /><br />Please download RC4 and check it over as soon as possible. 
I'd like to release it soon.<br /><br />http://www.bitcoin.org/smf/index.php?topic=199.msg1927#msg1927<br /><br />Other than the version number change, which included changes in readme.txt and setup.nsi, I reduced the maximum number of outbound connections from 15 to 8 so nodes that accept inbound don't get too many connections. 15 was a lot more than needed. 8 is still plenty for redundancy. 1929 223 6 1278109220 1929 1278110023 satoshi xx 1 Re: Feature Request: Limiting Connections I reduced max outbound connections from 15 to 8 in RC4.<br /><br />15 was way more than we needed for redundancy. 8 is still plenty of redundancy.<br /><br />As the nodes upgrade to this version, this will cut in half the number of connections that inbound accepting nodes get.<br /><br />If anyone wants more than 8 connections, they can open port 8333 on their firewall. 1947 199 6 1278280348 1947 0 xx 1 Re: 0.3 almost ready -- please test the Mac version! Laszlo's build is going to be our first Mac release so please test it! 1976 234 1 1278365474 8103 1281199857 satoshi xx 1 Re: Slashdot Submission for 1.0 BTW, I did come to my senses after that brief bout with 1.3, this release is still going to be 0.3 beta not 1.0.<br /><br />I really appreciate the effort, but there are a lot of problems.<br /><br />We don't want to lead with "anonymous". (I've been meaning to edit the homepage)<br /><br />"The developers expect that this will result in a stable-with-respect-to-energy currency outside the reach of any government." -- I am definitely not making any such taunt or assertion. <br /><br />It's not stable-with-respect-to-energy. There was a discussion on this. It's not tied to the cost of energy. NLS's estimate based on energy was a good estimated starting point, but market forces will increasingly dominate. <br /><br />Sorry to be a wet blanket. Writing a description for this thing for general audiences is bloody hard. There's nothing to relate it to.
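Worked example for the hash-transition idea in the Major Meltdown reply quoted above: switch to a new hash at a fixed block number and save the new hash of every old block, so that a different block with the same old hash cannot be swapped in. This is added illustration code, not Bitcoin's code and not anything from the posts. Assumptions made for the demo: a toy block format (`prev_id | payload`), a cutover height `CUTOVER = 3`, a deliberately collidable byte-sum `old_hash` standing in for "SHA-256 after it is broken", and `hashlib.sha256` as the replacement; all function names and payloads are made up.

```python
import hashlib

CUTOVER = 3   # assumed cutover: blocks at height >= CUTOVER are identified by the new hash


def old_hash(data):
    """Stand-in for the *broken* hash: a byte sum mod 2**32, so second preimages are trivial.
    Constructed for this demo only; it plays the part of SHA-256 once it is broken."""
    return (sum(data) % 2**32).to_bytes(4, "big")


def new_hash(data):
    """The replacement hash (SHA-256 here, standing in for whatever would replace it)."""
    return hashlib.sha256(data).digest()


def block_id(height, block):
    """Pre-cutover blocks are identified by the old hash, later blocks by the new one."""
    return old_hash(block) if height < CUTOVER else new_hash(block)


def build_chain(payloads):
    """Toy block = prev_id + b"|" + payload, linked by whichever hash applies at that height."""
    chain, prev = [], b"\x00" * 4
    for height, payload in enumerate(payloads):
        block = prev + b"|" + payload
        chain.append(block)
        prev = block_id(height, block)
    return chain


def pin_old_blocks(chain):
    """What the upgraded software saves at cutover: the new hash of every old block."""
    return [new_hash(b) for b in chain[:CUTOVER]]


def forge_same_old_hash(block, new_payload):
    """Attacker's second preimage under the broken hash: keep the 4-byte prev link, swap the
    payload, pad with bytes that restore the original byte sum. Only handles a smaller payload sum."""
    prev = block[:4]
    forged = prev + b"|" + new_payload
    diff = sum(block) - sum(forged)
    if diff < 0:
        raise ValueError("pick a replacement payload with a smaller byte sum")
    forged += bytes([255] * (diff // 255) + [diff % 255])
    assert old_hash(forged) == old_hash(block)
    return forged


def validate(chain, pins=None):
    """Check every prev link; with `pins`, also require each old block to match its saved new hash.
    Returns (ok, reason)."""
    prev = b"\x00" * 4
    for height, block in enumerate(chain):
        if not block.startswith(prev + b"|"):
            return False, f"block {height}: prev link does not match"
        if pins is not None and height < CUTOVER and new_hash(block) != pins[height]:
            return False, f"block {height}: same old hash, but not the block that was pinned"
        prev = block_id(height, block)
    return True, "ok"


def run_demo():
    chain = build_chain([b"genesis", b"pay 50 to alice", b"pay 10 to bob",
                         b"first new-hash block", b"next"])
    pins = pin_old_blocks(chain)
    forged = list(chain)
    forged[1] = forge_same_old_hash(chain[1], b"pay 50 to eve")   # same old hash, different payment
    return {
        "honest_chain": validate(chain, pins)[0],
        "forged_without_pins": validate(forged)[0],   # old-hash linkage alone accepts the forgery
        "forged_with_pins": validate(forged, pins)[0],  # the pinned new hash rejects it
    }
```

The forged block keeps the same old hash, so every later block still links to it; only the pinned new hash of the original block tells the two apart, which is why the pins have to be recorded before the old hash is actually broken.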
2004 238 1 1278441155 2007 1278454321 satoshi xx 1 Bitcoin 0.3 released! Announcing version 0.3 of Bitcoin, the P2P cryptocurrency! Bitcoin is a digital currency using cryptography and a distributed network to replace the need for a trusted central server. Escape the arbitrary inflation risk of centrally managed currencies! Bitcoin's total circulation is limited to 21 million coins. The coins are gradually released to the network's nodes based on the CPU power they contribute, so you can get a share of them by contributing your idle CPU time.<br /><br />What's new:<br />- Command line and JSON-RPC control<br />- Includes a daemon version without GUI<br />- Transaction filter tabs<br />- 20% faster hashing<br />- Hashmeter performance display<br />- Mac OS X version (thanks to Laszlo)<br />- German, Dutch and Italian translations (thanks to DataWraith, Xunie and Joozero)<br /><br />Get it at http://www.bitcoin.org or read the forum to find out more. 2006 199 6 1278445398 2006 0 xx 1 Re: 0.3 almost ready -- please test the Mac version! 0.3 released<br />http://www.bitcoin.org/smf/index.php?topic=238.msg2004#msg2004<br /><br /> 2010 84 6 1278466267 2010 0 xx 1 Re: On IRC bootstrapping Everybody needs to connect to the same IRC server and channel so they can find each other.<br /><br />[quote author=Vasiliev link=topic=84.msg1785#msg1785 date=1277509815]<br />You may want to leave Freenode in as a fallback server -- if his server doesn't work, use Freenode's.<br />[/quote]<br />It might not be good if we suddenly rushed freenode with a ton of users all at once.<br /><br />The fallback is our own seed system. <br /><br />irc.lfnet.org is pretty old and has impressive uptime. I think it's going to be fine.<br /><br />We could take IRC out at some point if we want, but I'd rather ease into it and just test our own seed system as a backup for now, and I really like the complementary redundant attributes of the two different systems. 
2068 246 4 1278613459 2068 0 xx 1 Re: bitcoin 0.3 win64 - broken access to APPDATA if non-latin characters in username Thanks for finding that. We switched from ANSI in 0.2 to UTF-8 in version 0.3, so it must be related to that.<br /><br />Just to confirm, if you log in with the non-latin character username, not having an appdata/Bitcoin directory yet, and run Bitcoin and let it create the database from scratch, does it work or not? 2071 241 6 1278616320 2071 1278617262 satoshi xx 1 Re: Anonymity It's hard to imagine the Internet getting segmented airtight. It would have to be a country deliberately and totally cutting itself off from the rest of the world.<br /><br />Any node with access to both sides would automatically flow the block chain over, such as someone getting around the blockade with a dial-up modem or sat-phone. It would only take one node to do it. Anyone who wants to keep doing business would be motivated.<br /><br />If the network is segmented and then recombines, any transactions in the shorter fork that were not also in the longer fork are released into the transaction pool again and are eligible to get into future blocks. Their number of confirmations would start over.<br /><br />If anyone took advantage of the segmentation to double-spend, such that there are different spends of the same money on each side, then the double-spends in the shorter fork lose out and go to 0/unconfirmed and stay that way.<br /><br />It wouldn't be easy to take advantage of the segmentation to double-spend. If it's impossible to communicate from one side to the other, how are you going to put a spend on each side? If there is a way, then probably someone else is also using it to flow the block chain over.<br /><br />You would usually know whether you're in the smaller segment. For example, if your country cuts itself off from the rest of the world, the rest of the world is the larger segment. If you're in the smaller segment, you should assume nothing is confirmed. 
2077 246 4 1278644495 2077 0 xx 1 Re: bitcoin 0.3 win64 - broken access to APPDATA if non-latin characters in username I think I see where the problem is. Coincidentally, I recently coded a replacement for the function in question which should fix it. It's not enabled yet, but in the SVN version it prints a debug message in debug.log showing the new directory value and old value for comparison. 2078 242 1 1278646126 2078 0 xx 1 Re: BTC Vulnerability? (Massive Attack against BTC system. Is it really?) What the OP described is called "cornering the market". When someone tries to buy all the world's supply of a scarce asset, the more they buy the higher the price goes. At some point, it gets too expensive for them to buy any more. It's great for the people who owned it beforehand because they get to sell it to the corner at crazy high prices. As the price keeps going up and up, some people keep holding out for yet higher prices and refuse to sell.<br /><br />The Hunt brothers famously bankrupted themselves trying to corner the silver market in 1979:<br />"Brothers Nelson Bunker Hunt and Herbert Hunt attempted to corner the world silver markets in the late 1970s and early 1980s, at one stage holding the rights to more than half of the world's deliverable silver.[1] During Hunt's accumulation of the precious metal silver prices rose from $11 an ounce in September 1979 to nearly $50 an ounce in January 1980.[2] Silver prices ultimately collapsed to below $11 an ounce two months later,[2] much of the fall on a single day now known as Silver Thursday, due to changes made to exchange rules regarding the purchase of commodities on margin.[3]"<br /><br />http://en.wikipedia.org/wiki/Cornering_the_market<br /> 2092 246 4 1278689825 2092 0 xx 1 Re: bitcoin 0.3 win64 - broken access to APPDATA if non-latin characters in username I tested this with a non-lower-ASCII account name on XP and confirmed the bug, then tested that the new GetDefaultDataDir fixed it. 
This change is revision 102 of the SVN. 2132 240 6 1278766682 2132 0 xx 1 Re: Security I'll start thinking about how to do this.<br /><br />At the moment, you can kind of use -connect. You can use -connect to make it connect to local computers on your LAN, like -connect=192.168.0.100. If you start it out blank and don't let it connect to the main network, the difficulty is still at the original low difficulty. If you've port-forwarded though, then outside nodes might still connect inward to you.<br /><br />With -connect it still uses IRC, do you think it shouldn't get on IRC when you're telling it to only connect to specific nodes with -connect? The main scenario for -connect is where you have a server farm, with two connected to the network and the rest connected to the first two. In that case, you wouldn't want the -connect computers on IRC.<br /><br />void ThreadIRCSeed(void* parg)<br />{<br /> if (mapArgs.count("-connect"))<br /> return;<br /> 2133 202 7 1278768977 2133 0 xx 1 Re: Major Meltdown [quote author=llama link=topic=202.msg1920#msg1920 date=1278022907]<br />However, if something happened and the signatures were compromised (perhaps integer factorization is solved, quantum computers?), then even agreeing upon the last valid block would be worthless.<br />[/quote]<br />True, if it happened suddenly. If it happens gradually, we can still transition to something stronger. When you run the upgraded software for the first time, it would re-sign all your money with the new stronger signature algorithm. (by creating a transaction sending the money to yourself with the stronger sig) 2863 263 3 1279123682 2863 0 xx 1 Re: IRC You shouldn't chat in the #bitcoin room.<br /><br />Do you think it'll gravitate toward #bitcoin-dev on freenode or lfnet? freenode's the better choice because you may get noticed by other people on freenode. 2867 323 4 1279124523 2867 0 xx 1 Re: No blocks downloaded... why? 
So that was responsible for keeping blocks from downloading?<br /><br />The link: "Win32 CPU Cycles vs 'Live Protection' Engines"<br /><br />For BitcoinFX, Live Protection was keeping it from getting CPU for generating coins. You said your friend was getting 1400-1600 khash/s, so it was getting CPU. I guess Live Protection must have been blocking some other part of the program then? 2871 327 1 1279124979 2871 0 xx 1 Re: resource hog In Windows, you select the process in the task manager, right click, Set Priority. Set it to BelowNormal or Low. That shouldn't make a difference though.<br /><br />If you turn off Generate Coins, does the CPU usage go flat? That would confirm that all the CPU time it's taking is generate, which is idle priority already.<br /><br />It could be it's slow just because you have too many things running at once and you're out of memory. When you switch from one thing to another, it has to page it in from disk. 2880 343 1 1279127042 2880 0 xx 1 Re: stopped producing coins Thanks for making that calculator.<br /><br />The difficulty doubled a day or two ago, plus it's just random and you can have surprisingly long dry spells. 2885 298 4 1279128890 2885 0 xx 1 Re: Building Bitcoin 0.3 It doesn't work with wxWidgets 2.8, it needs wxWidgets 2.9. Unfortunately, there isn't a Debian package of wxWidgets 2.9 yet.<br /> 7381 696 1 1280881777 7422 1280891384 satoshi xx 1 Re: Please upgrade to 0.3.8! I guess SourceForge hasn't updated its mirrors yet. The files are there on the admin side, but not on the user side. I have no idea how long that will take. It's always been immediate in the past.<br /><br />Edit: SourceForge is updated now. 7385 635 1 1280882440 7385 0 xx 1 Re: Building initial transaction trust through "coin ripping" The software is designed to support things like this. I was going to post details of the plans for Escrow, but since getting slashdotted I haven't had time.
7524 287 1 1280939136 7676 1281020709 satoshi xx 1 Re: Flood attack 0.00000001 BC [quote author=Insti link=topic=287.msg7498#msg7498 date=1280933911]<br />It seems to do more harm than good because it prevents micropayment implementations such as the one bytemaster is suggesting.[/quote]<br />Bitcoin isn't currently practical for very small micropayments. Not for things like pay per search or per page view without an aggregating mechanism, not things needing to pay less than 0.01. The dust spam limit is a first try at intentionally trying to prevent overly small micropayments like that.<br /><br />Bitcoin is practical for smaller transactions than are practical with existing payment methods. Small enough to include what you might call the top of the micropayment range. But it doesn't claim to be practical for arbitrarily small micropayments. <br /> 7687 287 1 1281024201 7687 0 xx 1 Re: Flood attack 0.00000001 BC Forgot to add the good part about micropayments. While I don't think Bitcoin is practical for smaller micropayments right now, it will eventually be as storage and bandwidth costs continue to fall. If Bitcoin catches on on a big scale, it may already be the case by that time. Another way they can become more practical is if I implement client-only mode and the number of network nodes consolidates into a smaller number of professional server farms. Whatever size micropayments you need will eventually be practical. I think in 5 or 10 years, the bandwidth and storage will seem trivial.<br /><br />I am not claiming that the network is impervious to DoS attack. I think most P2P networks can be DoS attacked in numerous ways. (On a side note, I read that the record companies would like to DoS all the file sharing networks, but they don't want to break the anti-hacking/anti-abuse laws.)<br /><br />If we started getting DoS attacked with loads of wasted transactions back and forth, you would need to start paying a 0.01 minimum transaction fee. 
0.1.5 actually had an option to set that, but I took it out to reduce confusion. Free transactions are nice and we can keep it that way if people don't abuse them.<br /><br />That brings up the question: if there was a minimum 0.01 fee for each transaction, should we automatically add the fee if it's just the minimum 0.01? It would be awfully annoying to ask each time. If you have 50.00 and send 10.00, the recipient would get 10.00 and you'd have 39.99 left. I think it should just add it automatically. It's trivial compared to the fees many other types of services add automatically.<br /><br />[quote author=FreeMoney link=topic=287.msg7569#msg7569 date=1280950232]<br />Does including more slow down your hashing rate? <br />[/quote]<br />No, not at all.<br /> 7694 287 1 1281025820 7694 0 xx 1 Re: Flood attack 0.00000001 BC [quote author=bytemaster]<br />Payments would generally be advanced, say 1 BTC at a time and when the connection closes any "change" would be returned. This rule makes it impossible to pay for a simple "search query" with no further transactions.<br />[/quote]<br />One alternative is to use a round-up system. You pay for, say, 1000 pages or images or downloads or searches or whatever at a time. When you've used up your 1000 pages, you pay for another 1000 pages. If you only use 1 page, then you have 999 left that you may never use, but it's not a big deal because the cost per 1000 is still small.<br /><br />Or you could pay per day. The first time you access the site on a given day, you pay for 24 hours of access.<br /><br />Per 1000 or per day may be easier for consumers to get their heads around too. They worry about per item because it's harder to figure if it might add up too fast. Unlimited for 24 hours they know what the cost will be. Or if 1000 seems like plenty, they're not worrying that it's costing more with each click if they figure 1000 is more than they'll probably use. 
7696 287 1 1281026398 7696 0 xx 1 Re: Flood attack 0.00000001 BC [quote author=bytemaster link=topic=287.msg7684#msg7684 date=1281022759]<br />The only solution to this problem is to make broadcasting of a transaction "non free". Namely, if you want me to include it you have to pay me. The net (no pun intended) result is that each client would need to pay other clients to whom they even send their transaction, not just the individual who gets it in a block. In this way the laws of economics take over and no one gets a free ride on the transaction broadcast system. <br />[/quote]<br />I don't know a way to implement that. The transaction fee to the block creator uses a special trick to include the transaction fee without any additional size. If there was a transaction for each transaction fee, then what about the transactions fees for the transaction fee's transaction? 7703 704 1 1281027963 7703 0 xx 1 Re: Who's the Spanish jerk draining the Faucet? Silently failing would look bad.<br /><br />[quote author=gavinandresen link=topic=704.msg7575#msg7575 date=1280954455]<br />1. Rate limit based on the first byte of the IP address (79. or 81. in this case).<br />[/quote]<br />Definitely needed. What rate are you thinking of? Ultimately, it's better to rate limit it than to let it all drain out.<br /><br />[quote author=gavinandresen link=topic=704.msg7575#msg7575 date=1280954455]<br />3. Rate limit based on last two domains of reverse DNS lookup of the IP address (rima-tde.net in this case).<br />[/quote]<br />That might work surprisingly well. If it works, it keeps them from hitting the rate limit, but the rate limit is there as the last line of defence. <br /><br />[quote author=gavinandresen link=topic=704.msg7575#msg7575 date=1280954455]<br />4. Make the standard amount given away 0.5 Bitcoins (Bitcoins have gone up 10 times in value since I started the Faucet).<br />[/quote]<br />Definitely time to lower it. 
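Added example of the two bucketing rules quoted from gavinandresen in the Faucet reply above (first byte of the IP address; last two labels of the reverse-DNS name) together with the point made in the reply that the rate limit is the last line of defence. This is not the Faucet's code: the limiter, the sample burst and the PTR names are constructed for the demo, and the reverse lookups are replaced by hostnames carried in the sample so it runs offline.

```python
from collections import defaultdict, deque


def octet_key(ip):
    """Rule 1 from the post: bucket by the first byte of the IPv4 address ('79.' or '81.').
    Coarse on purpose: a whole /8 shares the budget, so legitimate users in it get throttled too."""
    return "octet:" + ip.split(".")[0]


def rdns_key(hostname):
    """Rule 3: bucket by the last two labels of the reverse-DNS name (...rima-tde.net -> rima-tde.net).
    The PTR record is set by whoever owns the netblock, so this is a heuristic, not an identity;
    with no PTR there is no rDNS key and only the /8 rule applies."""
    if not hostname:
        return None
    labels = hostname.rstrip(".").lower().split(".")
    return "rdns:" + ".".join(labels[-2:])


class FaucetLimiter:
    """Sliding-window limiter: each key may be paid at most `limit` times per `window` seconds.
    A payout goes through only if every applicable key still has budget, and a refused request
    is not charged to any key, so one blocked requester cannot burn the budget of the others
    sharing a bucket."""

    def __init__(self, limit, window, use_rdns=True):
        self.limit, self.window, self.use_rdns = limit, window, use_rdns
        self.hits = defaultdict(deque)   # key -> timestamps of payouts inside the window

    def _recent(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def allow(self, ip, hostname, now):
        keys = [octet_key(ip)]
        if self.use_rdns and rdns_key(hostname):
            keys.append(rdns_key(hostname))
        if any(self._recent(k, now) >= self.limit for k in keys):
            return False
        for k in keys:
            self.hits[k].append(now)
        return True


# Constructed sample traffic (made-up addresses and PTR names): one operator draining the faucet
# from two /8s that both reverse-resolve under the same ISP domain, plus one unrelated visitor.
BURST = [
    (0,  "79.152.10.1", "1.red-79-152-10.dynamicip.rima-tde.net"),
    (5,  "81.33.20.2",  "2.red-81-33-20.dynamicip.rima-tde.net"),
    (10, "79.152.10.3", "3.red-79-152-10.dynamicip.rima-tde.net"),
    (15, "81.33.20.4",  "4.red-81-33-20.dynamicip.rima-tde.net"),
    (20, "81.33.20.5",  "5.red-81-33-20.dynamicip.rima-tde.net"),
    (25, "203.0.113.7", "visitor.example.org"),
]


def paid_addresses(use_rdns, limit=2, window=3600):
    """Replay BURST through a fresh limiter and return the addresses that received a payout."""
    lim = FaucetLimiter(limit, window, use_rdns)
    return [ip for t, ip, host in BURST if lim.allow(ip, host, t)]
```

With the /8 rule alone the operator collects two payouts from each /8 before being stopped; with the rDNS rule added, the shared `rima-tde.net` bucket fills after the second payout across both ranges, and the /8 buckets never reach their limit, which is the "keeps them from hitting the rate limit" effect the reply describes. The unrelated visitor is paid in both cases.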
<br /> 7705 711 6 1281029320 7705 0 xx 1 Re: bitcoind transaction to ip address It's not implemented.<br /><br />It turned out nobody liked that mode of transfer anyway, so it hasn't had much development attention. 7706 713 6 1281029901 7706 0 xx 1 Re: Transaction Overload Solution I can't think of a way to implement that. All the transaction fees would be additional transactions. What about the transaction fees for the transaction fee's transaction?<br /> 7710 287 1 1281030583 7710 0 xx 1 Re: Flood attack 0.00000001 BC [quote author=bytemaster link=topic=287.msg7699#msg7699 date=1281026812]<br />Right now the transaction fee address is left "blank" and the block generator fills it out.<br />Now you would fill it in with the address of the person you are asking to build the block. <br />[/quote]<br />If you're only going to have one person work on building the block, that could take days. Oh, do you mean send a different variation to each node with the tx fee written to them?<br /><br />The way it is now, it's whoever builds this gets it.<br /><br />If we needed to, we could have a BitTorrent-esque tit-for-tat for transaction broadcast. Relay paying transactions to me, or I won't relay them to you. It probably won't be an actual problem though. It only takes one node relaying like it should to cancel out 7 others greedily not relaying. 7712 645 1 1281031710 7712 0 xx 1 Re: A proposal for a semi-automated Escrow mechanism A transaction can be written that requires two signatures to spend it next. You write a payment that requires the signature of both the recipient and the sender to spend it. To release the escrow, you give the recipient the signature for your half, or the payee can return it by giving you his signed half. There's no mediator in this simple case. The recourse is to refuse to ever release it, essentially burning the money. 
8103 723 1 1281198497 8103 0 xx 1 Re: latency and locality Once you get away from a system where each node's influence is proportional to their CPU power, then what else do you use to determine who is (approximately) one person?<br /> 8114 721 1 1281203169 8125 1281205034 satoshi xx 1 Re: Bitcoin minting is thermodynamically perverse It's the same situation as gold and gold mining. The marginal cost of gold mining tends to stay near the price of gold. Gold mining is a waste, but that waste is far less than the utility of having gold available as a medium of exchange.<br /><br />I think the case will be the same for Bitcoin. The utility of the exchanges made possible by Bitcoin will far exceed the cost of electricity used. Therefore, [i]not[/i] having Bitcoin would be the net waste.<br /><br />[quote author=gridecon link=topic=721.msg7889#msg7889 date=1281113280]<br />As an overall point, I also do not agree with the idea that the very high computational burden of coin generation is in fact a necessity of the current system. As I understand it, currency creation is fundamentally metered by TIME - and if that is the fundamental controlling variable, what is the need for everyone to "roll as many dice as possible" within that given time period? The "chain of proof" for coin ownership and transactions doesn't depend on the method for spawning coins. <br />[/quote]<br />Each node's influence on the network is proportional to its CPU power. The only way to show the network how much CPU power you have is to actually use it.<br /><br />If there's something else each person has a finite amount of that we could count for one-person-one-vote, I can't think of it. IP addresses... much easier to get lots of them than CPUs.<br /><br />I suppose it might be possible to measure CPU power [i]at certain times[/i]. For instance, if the CPU power challenge was only run for an average of 1 minute every 10 minutes.
You could still prove your total power at given times without running it all the time. I'm not sure how that could be implemented though. There's no way for a node that wasn't present at the time to know that a past chain was actually generated in a duty cycle with 9 minute breaks, not back to back.<br /><br />Proof-of-work has the nice property that it can be relayed through untrusted middlemen. We don't have to worry about a chain of custody of communication. It doesn't matter who tells you a longest chain, the proof-of-work speaks for itself. 8137 645 1 1281211499 8137 0 xx 1 Re: A proposal for a semi-automated Escrow mechanism [quote author=jgarzik link=topic=645.msg7723#msg7723 date=1281034830]<br />Due to that recourse, it is unlikely to be used as an escrow mechanism :)<br />[/quote]<br />Really? Do you think people won't be able to understand the benefit? (If your response is an argument that there's no benefit at all, I guess that will reinforce the case that people won't be able to understand it.) 8140 750 6 1281212032 8140 0 xx 1 Escrow Here's an outline of the kind of escrow transaction that's possible in software. This is not implemented and I probably won't have time to implement it soon, but just to let you know what's possible.<br /><br />The basic escrow: The buyer commits a payment to escrow. The seller receives a transaction with the money in escrow, but he can't spend it until the buyer unlocks it. The buyer can release the payment at any time after that, which could be never. This does not allow the buyer to take the money back, but it does give him the option to burn the money out of spite by never releasing it. The seller has the option to release the money back to the buyer.<br /><br />While this system does not guarantee the parties against loss, it takes the profit out of cheating.<br /><br />If the seller doesn't send the goods, he doesn't get paid. 
The buyer would still be out the money, but at least the seller has no monetary motivation to stiff him.<br /><br />The buyer can't benefit by failing to pay. He can't get the escrow money back. He can't fail to pay due to lack of funds. The seller can see that the funds are committed to his key and can't be sent to anyone else.<br /><br />Now, an economist would say that a fraudulent seller could start negotiating, such as "release the money and I'll give you half of it back", but at that point, there would be so little trust and so much spite that negotiation is unlikely. Why on earth would the fraudster keep his word and send you half if he's already breaking his word to steal it? I think for modest amounts, almost everyone would refuse on principle alone.<br /> 8145 648 6 1281215761 8145 0 xx 1 Re: 4 hashes parallel on SSE2 CPUs for 0.3.6 [quote author=impossible7 link=topic=648.msg7838#msg7838 date=1281094640]<br />CRITICAL_BLOCK is a macro that contains a for loop. The assertion failure indicates that break has been called inside the body of the loop. The only break statement in this block is in line 2762. In the original source file, there is no break statement in this critical block. I think you must remove lines 2759-2762. There is nothing like that in the original main.cpp.<br />[/quote]<br />Sorry about that. CRITICAL_BLOCK isn't perfect. You have to be careful not to break or continue out of it. There's an assert that catches and warns about break. I can be criticized for using it, but the syntax would be so much more bloated and error prone without it.<br /><br />Is there a chance the SSE2 code is slow on Intel because of some quirk that could be worked around? For instance, if something works but is slow if it's not aligned, or thrashing the cache, or one type of whether to spend your priority now or save it for later. I don't think we'll need to get into that much detail though. 
There's a wide enough difference between normal users and flooders.<br /><br />Priority doesn't have to do everything. Once you know there's a flood, you can add -paytxfee=0.01. Hopefully with priority, your transactions before that should be at worst slow, not stuck. 22119 1786 6 1289846264 22119 0 xx 1 Re: Need OP_BLOCKNUMBER to allow "time" limited transactions We can't safely do OP_BLOCKNUMBER. In the event of a block chain reorg after a segmentation, transactions need to be able to get into the chain in a later block. The OP_BLOCKNUMBER transaction and all its dependants would become invalid. This wouldn't be fair to later owners of the coins who weren't involved in the time limited transaction.<br /><br />nTimeLock does the reverse. It's an open transaction that can be replaced with new versions until the deadline. It can't be recorded until it locks. The highest version when the deadline hits gets recorded. It could be used, for example, to write an escrow transaction that will automatically permanently lock and go through unless it is revoked before the deadline. The feature isn't enabled or used yet, but the support is there so it could be implemented later.<br /> 22952 1850 6 1290210624 22966 1290215068 satoshi xx 1 Re: Transaction / spam flood attack currently under way [quote author=creighto link=topic=1850.msg22896#msg22896 date=1290198552]<br />Perhaps in addition to the age priority rule recently implemented, there should be a minimum age rule [u]without[/u] a transaction fee. Said another way, perhaps a generation rule that says that a free transaction must be 3 blocks deep before it can be transferred again for free. This will still allow real users to immediately spend new funds if they have to, while still permitting real users to reshuffle funds to suit their needs without an overhead cost. I think that this would significantly inhibit the type of spamming attack that is currently underway.<br />[/quote]<br />I'm doing something like that. 
Priority is a more formalised version of the concept you're describing.<br /><br />[quote author=FreeMoney link=topic=1842.msg22844#msg22844 date=1290188384]<br />As it stands now 3.15 has a lot of free transaction space and that space is given first to transactions with the highest [age]*[value]/[size] correct? Would it be reasonable to make some arbitrary portion of the free space require [age]*[value]/[size] > C ?<br /><br />Maybe set C so that a standard 1BTC transaction can get into the main free area on the next block. And a .1 can get in after waiting about 10 blocks. And make the area which allows [age]*[value]/[size] < C to let in about a dozen transactions or so.<br />[/quote]<br />Yes, like this. And the no-priority-requirement area is 3K, about a dozen transactions per block.<br /><br />I just uploaded SVN rev 185 which has a minimal priority requirement for free transactions. Transaction floods are made up of coins that are re-spent over and over, so they depend on their own 0 conf transactions repeatedly. 0 conf transactions have 0 priority, so free transactions like that will have to wait for one transaction to get into a block at a time.<br /><br />Version 0.3.15 doesn't write transactions using 0 conf dependencies unless that's all it has left, so normal users shouldn't usually have a problem with this.<br /><br />I think this is a good compromise short of making the default fee 0.01. It's not so much to ask that free transactions can only be used to turn coins over so often. If you're using free transactions, you're taking charity and there has to be some limit on how often you can use it with the same coins.<br /><br />We've always said free transactions may be processed more slowly. 
You can help ensure your transactions go through quickly by adding -paytxfee=0.01.<br /> 23097 1334 42 1290273860 23100 1290274758 satoshi xx 1 Re: OpenCL miner for the masses [quote author=m0mchil link=topic=1334.msg23018#msg23018 date=1290248179]<br />updated to SVN 186<br />[/quote]<br />Thanks m0mchil for keeping up on the updates!<br /><br />GPU miners, please upgrade as soon as possible to shut down the free transaction abuse! This version has the new priority-based limit on free transaction spam.<br /><br />[quote author=m0mchil link=topic=1334.msg22251#msg22251 date=1289903441]<br />Just updated to SVN 181 and fixed getwork patch to wait 60 seconds between rebuilding the block with new transactions. This is actually the behavior of the original client, was forgotten in the patch by mistake. Fixes heavy CPU usage on every getwork request (this became obvious with recent heavy transaction spam). Please upgrade.<br />[/quote]<br />Before SVN 184, compiling transactions into a block used an n^2 algorithm. The new efficient single-pass algorithm is orders of magnitude quicker. (O(n) vs O(n^2)/2 algorithm, n=200 maybe 10 to 100 times quicker) 23876 1901 6 1290541812 24089 1290617023 satoshi xx 1 New getwork I uploaded a redesign of m0mchil's getwork to SVN rev 189 (version 31601)<br /><br />m0mchil's external bitcoin miner idea has solved a lot of problems. GPU programming is immature and hard to compile, and I didn't want to add additional dependencies to the build. getwork allows these problems to be solved separately, with different programs for different hardware and OSes. 
It's also convenient that server farms can run a single Bitcoin node and the rest only run getwork clients.<br /><br />The interface has a few changes:<br /><br />getwork [data]<br />If [data] is not specified, returns formatted hash data to work on:<br /> "midstate" : precomputed hash state after hashing the first half of the data<br /> "data" : block data<br /> "hash1" : formatted hash buffer for second hash<br /> "target" : little endian hash target<br />If [data] is specified, tries to solve the block and returns true if it was successful. [data] is the same 128 byte block data that was returned in the "data" field, but with the nonce changed.<br /><br />Notes: <br />- It does not return work when you submit a possible hit, only when called without parameter.<br />- The block field has been separated into data and hash1.<br />- data is 128 bytes, which includes the first half that's already hashed by midstate.<br />- hash1 is always the same, but included for convenience.<br />- Logging of "ThreadRPCServer method=getwork" is disabled, it would be too much junk in the log.<br /> 23891 1901 6 1290545727 23891 0 xx 1 Re: New getwork It's not an exact drop-in replacement. I wanted to clean up the interface a little. It only requires a few changes.<br /><br />ScanHash_ functions aren't going away. BTW, the interface of this is designed to mirror the parameters of that (midstate, data, hash1).<br /> 24095 1901 6 1290619261 24096 1290619891 satoshi xx 1 Re: New getwork [quote author=jgarzik link=topic=1901.msg24008#msg24008 date=1290574062]<br />I suspect something weird going on with ByteReverse (or lack thereof). It's quite unclear whether or not 'data' and 'nonce' must be byte-reversed, and in what way.<br />[/quote]<br />getwork does the byte-reversing. midstate, data and hash1 are already big-endian, and you pass data back still big-endian, so you work in big-endian and don't have to do any byte-reversing. 
They're the same data that is passed to the ScanHash_ functions. You can take midstate, data and hash1, put them in 16-byte aligned buffers and pass them to a ScanHash_ function, like ScanHash(pmidstate, pdata + 64, phash1, nHashesDone). If a nonce is found, patch it into data and call getwork.<br /><br />I should probably change the ScanHash_ functions to use pdata instead of pdata + 64 so they're consistent.<br /><br />target is little endian, it's supposed to be the same as how m0mchil's did it. (if it's not, then it should be fixed) That's the only case where you would use byte reverse. I think you do it like: if ByteReverse((unsigned int*)hash[6]) < (unsigned int*)target[6].<br /><br />[quote author=DiabloD3 link=topic=1901.msg24050#msg24050 date=1290598271]<br />Satoshi, please fix your implementation of getwork so it complies with m0mchill's specification<br />[/quote]<br />This is the new spec. It shouldn't be hard to update your miner to use it.<br /><br />The changes are:<br />- It does not return work when you submit a possible hit, only when called without parameter.<br />- The block field has been split into data and hash1.<br />- state renamed to midstate for consistency.<br />- extranonce not needed.<br /> 24101 1334 42 1290621189 24101 0 xx 1 Re: OpenCL miner for the masses A revised version of getwork is now in the official client, but the miners need to be updated a little to use it.<br /> 24438 1931 6 1290707499 24438 0 xx 1 Re: RFC: ship block chain 1-74000 with release tarballs? It's not the downloading that takes the time, it's verifying and indexing it.<br /><br />Bandwidthwise, it's more efficient than if you downloaded an archive. Bitcoin only downloads the data in blk0001.dat, which is currently 55MB, and builds blkindex.dat itself, which is 47MB. Building blkindex.dat is what causes all the disk activity.<br /><br />During the block download, it only flushes the database to disk every 500 blocks. 
You may see the block count pause at ??499 and ??999. That's when it's flushing.<br /><br />Doing your own verifying and indexing is the only way to be sure your index data is secure. If you copy blk0001.dat and blkindex.dat from an untrusted source, there's no way to know if you can trust all the contents in them.<br /><br />Maybe Berkeley DB has some tweaks we can make to enable or increase cache memory.<br /> 24460 1946 6 1290715656 24473 1290718093 satoshi xx 1 Version 0.3.17 Version 0.3.17 is now available. <br /><br />Changes:<br />- new getwork, thanks m0mchil<br />- added transaction fee setting in UI options menu<br />- free transaction limits<br />- sendtoaddress returns transaction id instead of "sent"<br />- getaccountaddress <account><br /><br />The UI transaction fee setting was easy since it was still there from 0.1.5 and all I had to do was re-enable it.<br /><br />The accounts-based commands: move, sendfrom and getbalance <account> will be in the next release. We still have some more changes to make first.<br /><br />Downloads:<br />http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.17/<br /> 24662 1931 6 1290792721 24662 0 xx 1 Re: RFC: ship block chain 1-74000 with release tarballs? I tested it on a slow 7 year old drive, where bandwidth and CPU were clearly not the bottleneck. Initial download took 1 hour 20 minutes.<br /><br />If it's taking a lot longer than that, certainly 24 hours, then it must be downloading from a very slow node, or your connection is much slower than around 15KB per sec (120kbps), or something else is wrong. It would be nice to know what appears to be the bottleneck when that happens.<br /><br />Every 10 minutes or so when the latest block is sent, it should have the chance to change to a faster node. When the latest block is broadcast, it requests the next 500 blocks from other nodes, and continues the download from the one that sends it fastest. 
At least, that's how it should work.<br /><br />[quote author=jgarzik link=topic=1931.msg24522#msg24522 date=1290737263]<br />[quote author=satoshi link=topic=1931.msg24438#msg24438 date=1290707499]<br />Maybe Berkeley DB has some tweaks we can make to enable or increase cache memory.<br />[/quote]<br />Which of the [url=http://en.wikipedia.org/wiki/ACID]ACID[/url] properties do you need, while downloading?<br />[/quote]<br />It may only need more read caching. It has to read randomly all over blk0001.dat and blkindex.dat to index. It can't assume the file is smaller than memory, although it currently still is. Caching would be effective, since most dependencies are recent.<br /><br />Someone should experiment with different Berkeley DB settings and see if there's something that makes the download substantially faster. If something substantial is discovered, then we can work out the particulars.<br /><br />[quote]<br />Adding BDB records is simply appending to a log file, until you issue a checkpoint. The checkpoint then updates the main database file.[/quote]<br />We checkpoint every 500 blocks. 24673 1946 6 1290795810 24673 0 xx 1 Re: Version 0.3.17 Laszlo does them, but I haven't asked him to do one for a while because there wasn't anything major. I'll ask him to do this version. 24708 1901 6 1290807073 24708 0 xx 1 Re: New getwork That's what it does, it returns true/false. 24719 1925 42 1290808961 24719 0 xx 1 Re: New demonstration CPU miner available You should try it with tcatm's 4-way SSE2 SHA in sha256.cpp. It compiles fine as a C file, just rename sha256.cpp to sha256.c. I was able to get it to work in simple tests on Windows, but not when linked in with Bitcoin. It may have a better chance of working as part of a C program instead of C++.<br /><br />Currently it's only enabled in the Linux build, so if you get it to work you could make it available to Windows users. It's about 100% speedup on AMD CPUs. 
25119 1976 41 1290960210 25126 1290961520 satoshi xx 1 Re: Cooperative mining ribuck's description is spot on.<br /><br />Pool operators can modify their getwork to take one additional parameter, the address to send your share to.<br /><br />The easy way for the pool operator would be to wait until the next block is found and divvy it up proportionally as:<br />user's near-hits/total near-hits from everyone<br /><br />That would be easier and safer to start up. It also has the advantage that multiple hits from the same user can be combined into one transaction. A lot of your hits will usually be from the same people.<br /><br />The instant gratification way would be to pay a fixed amount to the seed nodes, just connect and get the list, so it won't be a burden on them.<br /><br />What do you think, should I go ahead with adding the seeds?<br /><br />It'll still try IRC first. The IRC has the advantage that it lists nodes that are currently online, since they have to stay connected to stay on the list, but the disadvantage that it's a single point of failure. The "addr" system has no single point of failure, but can only tell you what nodes have recently been seen, so it takes a little longer to get connected since some of the nodes you try have gone offline. The combination of the two gets us the best of both worlds and more total robustness.<br /><br />Is there anyone who wants to volunteer to run an IRC server in case freenode gets tired of us? 1582 158 6 1276545224 1582 0 xx 1 Re: Hostnames instead of IP Addresses SirArthur has a good point about the normal online merchant case, which is what the send-by-IP option is more suited to. 
This is the case where the merchant will have a server on a static IP and their own domain name and SSL cert.<br /><br />Instead of connecting by IP, we can connect to a domain name by SSL, using the existing CA infrastructure to authenticate that you're connected to the owner of that domain.<br /><br />The user would send to domain.com (or www.domain.com is ok too). That would be very natural and users could see and verify that what they entered is who they intend to pay.<br /><br />The SSL also makes it safe for TOR users.<br /><br />Problem is, I think merchants would still prefer to use bitcoin addresses to be certain they know what the payment is for. You simply cannot count on users to enter the right thing in the comment fields to identify the transaction. It would only approach practical if we had a mailto style link that prepopulates the comment field with the order number, but then the link could just as well be a bitcoin address. <br /><br />Just having an open bitcoin server at domain.com that users could send unidentified payments to would be too much of a liability. Regular users aren't used to the idea of having to identify the payment. Merchants would get too many blank payments followed by "I paid you, where's my stuff?!" a week later.<br /><br />The payment sequence does have a step where the receiver verifies the order before accepting it. It can reject the payment and return an error message if it doesn't contain a valid order number. That would require a difficult level of integration of custom code with the bitcoin server though. 1585 191 6 1276547990 1585 0 xx 1 Re: Dealing with SHA-256 Collisions SHA-256 is very strong. It's not like the incremental step from MD5 to SHA1. 
It can last several decades unless there's some massive breakthrough attack.<br /><br />If SHA-256 became completely broken, I think we could come to some agreement about what the honest block chain was before the trouble started, lock that in and continue from there with a new hash function.<br /><br />If the hash breakdown came gradually, we could transition to a new hash in an orderly way. The software would be programmed to start using a new hash after a certain block number. Everyone would have to upgrade by that time. The software could save the new hash of all the old blocks to make sure a different block with the same old hash can't be used. 1588 179 6 1276554115 1588 0 xx 1 Re: Technical clarifications 3) Nothing, if sending by bitcoin address<br />5) It is decentralised. After you have connected to the network the first time, you no longer need IRC. 1590 163 6 1276555214 1590 0 xx 1 Re: Can't Build r80 from SVN Sorry, I didn't test compile on linux the last few revisions.<br /><br />Reverted makefile.unix. 1595 165 6 1276645289 1595 0 xx 1 Re: What is the incentive to collect transactions? [quote author=theymos link=topic=165.msg1373#msg1373 date=1275755169]<br />Adding transactions to the block you're working on will slow down your generation rate<br />[/quote]<br />The premise is false. Adding more transactions to the block you're working on does NOT slow down your generation rate. When generate is scanning hashes, it only hashes the header of the block, which is constant size. The header contains a hash of the transactions (the Merkle root) and is only updated occasionally.<br /><br />If necessary I can write code to make nodes prefer not to use a block if it doesn't contain enough of the transactions they know about. A discouraged block would almost always fail to be included in the main chain, but would be accepted if it did get in. I doubt this will be necessary, since there's no real advantage for nodes not to include all transactions. 
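The midstate, data and hash1 buffers described in the getwork posts above, and the point just made that generation only ever hashes the fixed-size block header: the following is an added example, not code from Satoshi or from the Bitcoin client. It assumes a constructed 80-byte sample header (not a real block) and a constructed easy target so a pure-Python scan finishes quickly; SHA-256 is written out so the midstate after the first 64 bytes is visible, and hashlib is used only to cross-check. The original getwork's byte-swapped wire encoding of the fields is not reproduced here; the buffers are in plain big-endian SHA-256 word order, and the nonce is little-endian in the header as in the serialized block.

```python
# Added example (not from the original posts or the Bitcoin client):
# getwork-style mining loop with an explicit SHA-256 midstate.
import hashlib
import struct

# SHA-256 round constants and initial state (FIPS 180-4)
K = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]
IV = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
      0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]
MASK = 0xffffffff


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def sha256_compress(state, block64):
    """One SHA-256 compression: fold a 64-byte block into the 8-word state."""
    w = list(struct.unpack('>16L', block64))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def getwork_fields(header80):
    """The three buffers described in the getwork posts, from an 80-byte header.
    midstate: state after hashing header[:64] (the nonce lies in the second half);
    data: header plus SHA-256 padding, 128 bytes; hash1: the padded 64-byte
    buffer for the second hash, identical for every job."""
    assert len(header80) == 80
    data = header80 + b'\x80' + bytes(39) + struct.pack('>Q', 80 * 8)
    hash1 = bytes(32) + b'\x80' + bytes(23) + struct.pack('>Q', 32 * 8)
    mid = sha256_compress(IV, data[:64])
    return {'midstate': struct.pack('>8L', *mid), 'data': data, 'hash1': hash1}


def double_sha256_from_midstate(midstate32, data128, hash1):
    """Finish SHA-256 #1 from the midstate over data[64:128], then run
    SHA-256 #2 by writing the 32-byte digest into hash1 and compressing it."""
    mid = list(struct.unpack('>8L', midstate32))
    first = struct.pack('>8L', *sha256_compress(mid, data128[64:]))
    second = sha256_compress(IV, first + hash1[32:])
    return struct.pack('>8L', *second)


def meets_target(hash32, target_le32):
    """The hash is compared with the target as little-endian 256-bit integers."""
    return int.from_bytes(hash32, 'little') <= int.from_bytes(target_le32, 'little')


def scan_hash(header80, target_le32, max_nonce=1 << 22):
    """Only the fixed-size header is hashed per nonce; transactions enter the
    header through the Merkle root, so block size does not change the hash rate."""
    work = getwork_fields(header80)
    data = bytearray(work['data'])
    for nonce in range(max_nonce):
        data[76:80] = struct.pack('<L', nonce)      # nonce is the last header field
        h = double_sha256_from_midstate(work['midstate'], bytes(data), work['hash1'])
        if meets_target(h, target_le32):
            return nonce, h                         # caller patches nonce into data
    return None


def reference_double_sha256(header80):
    """hashlib cross-check of the midstate path."""
    return hashlib.sha256(hashlib.sha256(header80).digest()).digest()


# Constructed sample header (not a real block): version 1, zero previous
# hash, dummy Merkle root, timestamp, nBits, nonce 0 (to be scanned).
SAMPLE_HEADER = (struct.pack('<L', 1) + bytes(32) + bytes(range(32))
                 + struct.pack('<LL', 1290960210, 0x1d00ffff) + struct.pack('<L', 0))
# Constructed easy target (top 10 bits zero) so a pure-Python scan ends in seconds.
EASY_TARGET = (1 << 246).to_bytes(32, 'little')

if __name__ == '__main__':
    nonce, h = scan_hash(SAMPLE_HEADER, EASY_TARGET)
    print('nonce', nonce, 'hash', h[::-1].hex())
```

Because the midstate covers the first 64 bytes and the nonce sits at bytes 76..80, each candidate costs one compression to finish the first hash and one for the second, which is exactly the split the ScanHash_ functions exploit; nothing about the block body is touched in the loop.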
1596 55 6 1276647347 1596 1276648436 satoshi xx 1 Re: URI-scheme for bitcoin http://127.0.0.1:8330/?to=domain.com&amount=200.00&comment=order_12345<br />or<br />http://127.0.0.1:8330/?to=<bitcoinaddress><separatorchar>1.2.3.4&amount=200.00<br /><br />But as long as the link is already doing the typing for you, I don't see much benefit in using a domain address instead of bitcoin address. With a bitcoin address, the user can't send an unidentified payment. They can't send payment until they've been given a correct bitcoin address to send to.<br /><br />What would be nice about sending by domain is you could visually verify who it's going to.<br /><br /><br />A more crucial issue is what if the browser isn't allowed to connect to 127.0.0.1:<br />http://www.bitcoin.org/smf/index.php?topic=63.msg1589#msg1589<br /><br />and if that's true, then what about that example freenet link that had 127.0.0.1 in it? 1600 151 6 1276707214 1600 0 xx 1 Re: Website translations Thanks DataWraith! The German translation is uploaded to SVN.<br /><br />This is great, we've already got 3 major languages. 1609 184 1 1276794476 1609 0 xx 1 Re: new binary release? I'm working on getting version 0.3 released as soon as I can. Just a last few things left to do. It's been a long time since 0.2 and we need to get a prebuilt bitcoind with command line and JSON-RPC available. This time we'll have both 32-bit and 64-bit linux binaries, and Laszlo is going to build a Mac OSX release. Plus, we'll include the German, Dutch and Italian translations by DataWraith, Xunie and Joozero (thank you guys!). 1611 195 6 1276800368 1611 0 xx 1 Re: Transactions and Scripts: DUP HASH160 ... EQUALVERIFY CHECKSIG The nature of Bitcoin is such that once version 0.1 was released, the core design was set in stone for the rest of its lifetime. Because of that, I wanted to design it to support every possible transaction type I could think of. 
The problem was, each thing required special support code and data fields whether it was used or not, and only covered one special case at a time. It would have been an explosion of special cases. The solution was script, which generalizes the problem so transacting parties can describe their transaction as a predicate that the node network evaluates. The nodes only need to understand the transaction to the extent of evaluating whether the sender's conditions are met.<br /><br />The script is actually a predicate. It's just an equation that evaluates to true or false. Predicate is a long and unfamiliar word so I called it script.<br /><br />The receiver of a payment does a template match on the script. Currently, receivers only accept two templates: direct payment and bitcoin address. Future versions can add templates for more transaction types and nodes running that version or higher will be able to receive them. All versions of nodes in the network can verify and process any new transactions into blocks, even though they may not know how to read them.<br /><br />The design supports a tremendous variety of possible transaction types that I designed years ago. Escrow transactions, bonded contracts, third party arbitration, multi-party signature, etc. If Bitcoin catches on in a big way, these are things we'll want to explore in the future, but they all had to be designed at the beginning to make sure they would be possible later.<br /><br />I don't believe a second, compatible implementation of Bitcoin will ever be a good idea. So much of the design depends on all nodes getting exactly identical results in lockstep that a second implementation would be a menace to the network. The MIT license is compatible with all other licenses and commercial uses, so there is no need to rewrite it from a licensing standpoint. 1617 195 6 1276877834 1617 0 xx 1 Re: Transactions and Scripts: DUP HASH160 ... 
EQUALVERIFY CHECKSIG A second version would be a massive development and maintenance hassle for me. It's hard enough maintaining backward compatibility while upgrading the network without a second version locking things in. If the second version screwed up, the user experience would reflect badly on both, although it would at least reinforce to users the importance of staying with the official version. If someone was getting ready to fork a second version, I would have to air a lot of disclaimers about the risks of using a minority version. This is a design where the majority version wins if there's any disagreement, and that can be pretty ugly for the minority version and I'd rather not go into it, and I don't have to as long as there's only one version.<br /><br />I know, most developers don't like their software forked, but I have real technical reasons in this case.<br /><br />[quote author=gavinandresen link=topic=195.msg1613#msg1613 date=1276804694]<br />I admire the flexibility of the scripts-in-a-transaction scheme, but my evil little mind immediately starts to think of ways I might abuse it. I could encode all sorts of interesting information in the TxOut script, and if non-hacked clients validated-and-then-ignored those transactions it would be a useful covert broadcast communication channel.<br /><br />That's a cool feature until it gets popular and somebody decides it would be fun to flood the payment network with millions of transactions to transfer the latest Lady Gaga video to all their friends...<br />[/quote]<br />That's one of the reasons for transaction fees. There are other things we can do if necessary.<br /><br />[quote author=laszlo link=topic=195.msg1612#msg1612 date=1276800631]<br />How long have you been working on this design Satoshi? It seems very well thought out, not the kind of thing you just sit down and code up without doing a lot of brainstorming and discussion on it first. 
Everyone has the obvious questions looking for holes in it but it is holding up well :)<br />[/quote]<br />Since 2007. At some point I became convinced there was a way to do this without any trust required at all and couldn't resist to keep thinking about it. Much more of the work was designing than coding.<br /><br />Fortunately, so far all the issues raised have been things I previously considered and planned for. 1619 84 6 1276882098 1619 0 xx 1 Re: On IRC bootstrapping The SVN version now uses IRC first and if that fails it falls back to a hardcoded list of seed nodes. There are enough seed nodes now that many of them should still be up by the time of the next release. It only briefly connects to a seed node to get the address list and then disconnects, so your connections drop back to zero for a while. At that point, be patient. It's only slow to get connected the first time.<br /><br />This means TOR users won't need to -addnode anymore, it'll get connected automatically. 1620 183 5 1276902514 1620 0 xx 1 Re: Get 5 free bitcoins from freebitcoins.appspot.com Excellent choice of a first project, nice work. I had planned to do this exact thing if someone else didn't do it, so when it gets too hard for mortals to generate 50BTC, new users could get some coins to play with right away. Donations should be able to keep it filled. The display showing the balance in the dispenser encourages people to top it up.<br /><br />You should put a donation bitcoin address on the page for those who want to add funds to it, which ideally should update to a new address whenever it receives something. 1646 149 6 1277140821 1646 0 xx 1 Re: Bitcoin in Ubuntu 10.04 [quote author=NewLibertyStandard link=topic=149.msg1203#msg1203 date=1274632092]<br />Bitcoin looks ugly in Ubuntu's new default theme. It seems that some, but not all of the theme settings are being picked up. 
The unselected file menu should have light text with a dark background, but it incorrectly has light text with a light background. They're similar enough that it's unreadable on my display. It should be fixed before the next stable release.<br />[/quote]<br />This is now fixed in the SVN version.<br />1) Menu bar default color.<br />2) Balance bar not a different color.<br />3) Background behind bitcoin address and balance now the same color as toolbar.<br /><br />I checked all the standard themes and it seems reasonable with all of them.<br /><br />Ubuntu minimize,maximize,close buttons to the right:<br />gconf-editor<br />apps->metacity->general<br />button_layout=menu:minimize,maximize,close<br /><br />They've got it awfully buried considering 9 out of 10 users are used to having it on the right. 1647 198 1 1277142506 1647 0 xx 1 Re: Dying bitcoins Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone.<br /><br />[quote author=laszlo link=topic=198.msg1640#msg1640 date=1277128469]<br />I wonder though, is there a point where the difficulty of generating a new coinbase is so high that it would make more sense to try to recover keys for lost coins or steal other people's coins instead? The difficulty of that is really high so for now it makes a lot more sense to generate but I just wonder what the real figures are.. would that ever become more productive? Maybe Satoshi can address this..<br />[/quote]<br />Computers have to get about 2^200 times faster before that starts to be a problem. Someone with lots of compute power could make more money by generating than by trying to steal. 1648 43 1 1277143757 1648 0 xx 1 Re: Proof-of-work difficulty increasing I integrated the hashmeter idea into the SVN version. 
It displays khash/s in the left section of the status bar.<br /><br />Two new log messages:<br />21/06/2010 01:23 hashmeter 2 CPUs 799 khash/s<br />21/06/2010 01:23 generated 50.00<br /><br />grep your debug.log for "generated" to see what you've generated, and grep for "hashmeter" to see the performance. On windows, use:<br /> findstr "hashmeter generated" "%appdata%\bitcoin\debug.log"<br /><br />I have the hashmeter messages once an hour. How often do you think it should be? 1653 149 6 1277178356 1654 1277179504 satoshi xx 1 Re: Bitcoin in Ubuntu 10.04 On Ubuntu 10.04 it wouldn't remove the taskbar button cleanly, so I made it leave it there.<br /><br />But now that you mention it, it's probably better to have the feature, even if it's messy, than not to have it, though it may confuse a few people when the taskbar button temporarily stays around but disappears if you click on it.<br /><br />Updated SVN.<br /><br />Thanks for testing. 1654 199 6 1277179313 1946 1278280234 satoshi xx 1 0.3 almost ready -- please test the Mac version! I finished everything on my list to do for version 0.3. The code on SVN is about ready to release.<br /><br />Testing at this point is much appreciated. 1656 197 1 1277181326 1656 0 xx 1 Re: How fast do the fastest computers generate bitcoins? I've noticed that hashing performance doesn't vary as much between CPUs as you'd expect. Compared to an old CPU, a newer CPU doesn't show as much of a speedup at hashing as it does on general benchmarks.<br /><br />I guess recent CPU optimizations must have concentrated on things like I/O and branch prediction. Most programs are a bunch of memory access, comparisons and branching, they rarely get down to cranking away at maths for very long.<br /><br />The latest SVN version has a khash/s display. Around 400 khash/s per processor is typical. 1668 149 6 1277224783 1668 0 xx 1 Re: Bitcoin in Ubuntu 10.04 It's too late now for feature changes to 0.3, but I'll add that to the post-0.3 to do list. 
I never would have noticed that if you hadn't pointed it out. 1669 43 1 1277225474 1669 0 xx 1 Re: Proof-of-work difficulty increasing Agree. Certainly too trivial to clutter the user's attention with.<br /><br />I changed it to every 30 minutes.<br /><br />If I increased it to every 10 minutes, it would still be a small enough presence in the log file. Question is whether that would be more output than the user wants when they grep. 1670 199 6 1277226127 1670 0 xx 1 Re: 0.3 almost ready [quote author=lachesis link=topic=199.msg1658#msg1658 date=1277187602]<br />It would be nice if the listtransactions RPC method were finished before the next release, though. <br />[/quote]<br />My fear is too many programmers would latch onto that for checking for received payments. It can never be reliable that way. The list/getreceivedbyaddress/label functions are the only way to do it reliably.<br /><br />We shouldn't delay forever until every possible feature is done. There's always going to be one more thing to do. 1671 199 6 1277228228 1785 1277510538 satoshi xx 1 Re: 0.3 almost ready Here's RC1 for windows for testing:<br />(removed, see RC2 below)<br /><br />Please only download this if you're going to test and report back whether everything seems fine or not. Make sure to look through the files in "c:\program files\bitcoin" 1675 199 6 1277233901 1675 0 xx 1 Re: 0.3 almost ready [quote author=davidonpda link=topic=199.msg1673#msg1673 date=1277231006]<br />EXCEPTION: 22DbRunRecoveryException<br />DBENv::open: DB_RUNRECOVERY: Fatal error, run database recovery<br />C:\Program Files\Bitcoin\bitcoin.exe in OnInit()<br />[/quote]<br />What operating system?<br /><br />Normally when it does that it's because the directory where the data directory should go doesn't exist. See if the "%appdata%" directory exists.<br /><br />Do you get that error with 0.2 also? 
It's hard to see how you could get that with 0.3 and not with 0.2 since there's nothing different in that regard.<br /> 1677 199 6 1277234713 1677 0 xx 1 Re: 0.3 almost ready davidonpda, were you also running laszlo's build previously?<br /><br />Check if the "%appdata%" directory exists, and "%appdata%\\bitcoin"<br /><br />Try:<br /> rename "%appdata%\\bitcoin" bitcoin2 <br /><br />does it work then? 1679 199 6 1277235983 1679 0 xx 1 Re: 0.3 almost ready You figured it out faster than I could post a reply. :)<br /><br />It looks like laszlo's build of Berkeley DB has database/log.* files that are not compatible with ours. The .dat files are fine, their format shouldn't ever change. All data is stored in the .dat files. All your own data is stored in wallet.dat. If you had waited for it to redownload the block chain, your missing transactions and generateds would have appeared as the block chain reached the point where those transactions were recorded.<br /><br />When you copied the directory except log.0000000002, that's the best solution. You should be good now.<br /><br />The database/log.* files only contain temporary database data. If you exited bitcoin normally the last time, not exited by forced terminating it or crashing, then the database/log.* files can normally be deleted safely. They're only used so that if the database is in the middle of a transaction when the computer crashes or the program is killed or crashes, then it could recover without losing data.<br /><br />Please keep running v0.3 if at all possible, don't go back to v0.2.10.<br /><br />Anyone else who hits this problem, move the database\\log.000000000* files somewhere else. (if it works fine after that, you can delete them later)<br /><br />I'm reluctant to make the installer delete or move those files. 
If the previous run was stopped by crashing or killed, that would be the wrong thing to do.<br /> 1686 199 6 1277245419 1686 0 xx 1 Re: 0.3 almost ready Laszlo figured out that enabling some more optimisation increased performance about 20%, so 0.3 hashes 20% faster than 0.2.0, but I assume he used that in his own build.<br /><br />30khash increase to what total rate? (to figure the % increase) 1748 199 6 1277401205 1786 1277511267 satoshi xx 1 Re: 0.3 almost ready Here's RC1 for linux for testing:<br />(link removed, see below)<br /><br />It contains both 32-bit and 64-bit binaries.<br /><br />Recent changes:<br /><br />build-unix.txt:<br />- Added instructions for building wxBase, which is needed to compile bitcoind.<br />- The package libboost-dev doesn't install anything anymore, you need to get libboost-all-dev.<br />- Updated version numbers.<br /><br />makefile.unix:<br />- The libboost libraries have removed the "-mt" from their filenames in 1.40. If you're compiling with Boost 1.38 or lower, like on Ubuntu Karmic, you would need to change it back to boost_system-mt and boost_filesystem-mt. 1760 199 6 1277432261 1760 1277434814 satoshi xx 1 Re: 0.3 almost ready I don't know. Maybe someone with more Linux experience knows how to install the library it needs.<br /><br />I built it on Ubuntu 10.04. I hope that wasn't a mistake. Maybe it should have been built on an older version for more backward compatibility. Is this a problem on Linux, that if you build on the latest version, then it has trouble working on older versions? Is there any way I can downgrade to an older version of GCC on 10.04?<br /><br />The 64-bit version shouldn't be any faster than the 32-bit version, but it would be great if someone could do a side-by-side comparison of the two linux versions and check. SHA-256 is a 32-bit algorithm and nothing in BitcoinMiner uses 64-bit at all.<br /><br />We don't need to bother with a 64-bit version for Windows. 
32-bit programs work on all versions of Windows. It's not like Linux where the 64-bit OS wants 64-bit programs.<br /><br />I'm also curious if it's a little faster on linux than windows.<br /><br />Do you think I should make the directories:<br />/bin32/<br />/bin64/<br />instead of<br />/bin/32/<br />/bin/64/ 1769 199 6 1277475006 1769 0 xx 1 Re: 0.3 almost ready Thanks virtualcoin, that's a perfect comparison.<br /><br />The 8% speedup from 32-bit Windows (2310k) to 32-bit Linux (2500k) is probably from the newer version of GCC on Linux (4.4.3 vs 3.4.5).<br /><br />The 15% speedup from 32-bit to 64-bit Linux is more of a mystery. The code is completely 32-bit.<br /><br />Hmm, I think the 8 extra registers added by x86-64 must be what's helping. That would make a significant difference to SHA if it could hold most of the 16 state variables in registers. 1779 215 1 1277500515 1779 0 xx 1 Re: Bitcoin clients getting k-lined from the IRC bootstrapping channel We need more details about what happened MadHatter.<br /><br />Both 0.2 and 0.3 have a backup way of getting connected without IRC, it's just slower to get connected.<br /><br />0.2 can find other nodes without IRC if it's ever been connected before, but a new install can't discover the network for the first time without IRC.<br /><br />0.3 can also seed without IRC. It can operate entirely without IRC if it needs to, but it's better having IRC for redundancy. 1781 84 6 1277505647 1781 0 xx 1 Re: On IRC bootstrapping [quote author=laszlo link=topic=84.msg1580#msg1580 date=1276540258]<br />I run an IRC server you can use, it's fairly stable but it's not on redundant connections or anything. 
It is only two servers right now but we don't mess with it or anything, it just runs.<br /><br />My box is a dedicated irc server:<br /> 2:28PM up 838 days, 20:54, 1 user, load averages: 0.06, 0.08, 0.08<br /><br />You can use irc.lfnet.org to connect.<br />[/quote]<br />This seems like a good idea.<br /><br />What does everyone think, should we make the switch for 0.3? 1787 199 6 1277512329 1805 1277580009 satoshi xx 1 Re: 0.3 almost ready Lets try using Laszlo's irc.lfnet.org instead of freenode. Here's RC2, that's the only change in it:<br /><br />(see below for download links)<br /> 1797 215 1 1277562486 1797 0 xx 1 Re: Bitcoin clients getting k-lined from the IRC bootstrapping channel Freenode is too visible, right in the middle of where all those users and moderators are hanging out. Laszlo's option is a much better fit for us.<br /><br />I made 0.3.0.RC2 available that uses irc.lfnet.org instead of freenode if you want to start switching over:<br />http://www.bitcoin.org/smf/index.php?topic=199.msg1787#msg1787 1800 199 6 1277565010 1800 0 xx 1 Re: 0.3 almost ready The first panel of the status bar is shared with the help description of menu items as you hover over them. Since all our menu item descriptions are blank, it replaces it with blank when you're hovering in a menu. 1803 217 6 1277571763 1803 0 xx 1 Beta? Is it about time we lose the Beta? I would make this release version 1.3. 1806 199 6 1277580065 1926 1278107771 satoshi xx 1 Re: 1.3 almost ready Changed the version number to 1.3 and removed "Beta".<br /><br />(links removed, see below)<br /><br />Uses irc.lfnet.org.<br /> 1814 177 1 1277585906 1814 0 xx 1 Re: Bitcoin mobile. [quote author=sirius-m link=topic=177.msg1452#msg1452 date=1276177876]<br />You can of course use services like vekja.net or mybitcoin.com on a mobile browser, depositing money there to the extent you trust them. <br />[/quote]<br />I think that's the best option right now. 
Like cash, you don't keep your entire net worth in your pocket, just walking around money for incidental expenses.<br /><br />They could make a smaller version of the site optimized for mobile. If there was an app, it could be a front end to one of those, with the main feature being QR-code reader, or maybe there's already a universal QR-code reading app that web sites can be designed to accept scans from.<br /><br />If there was an iPhone app that was just a front end for vekja or mybitcoin, not a big involved P2P, would apple approve it and if not, on what basis? It could always be an Android app instead. An app is not really necessary though, just a mobile sized website.<br /><br />A web interface to your own Bitcoin server at home wouldn't be a solution for everyone. Most users don't have a static IP, and it's too much trouble to set up port forwarding.<br /> 1815 171 6 1277586366 1815 0 xx 1 Re: Building BitCoin Client completely Headless The linux release candidate in the "1.3 almost ready" thread contains prebuilt bitcoind. 1816 206 5 1277588392 1816 0 xx 1 Re: Bitcoin Faucet changes Many big ISPs give you a new IP every time you connect, usually in the same class B (a.b.?.?). Maybe you should have a minimum time between payments per class-B.<br /><br />If you can't solve the problem, you can always keep lowering the amount of bitcoins given until it's manageable, and always require captcha. 1827 217 6 1277642630 1827 0 xx 1 Re: Beta? But 1.0 sounds like the first release. For some things newness is a virtue but for this type of software, maturity and stability are important. I don't want to put my money in something that's 1.0. 1.0 might be more interesting for a moment, but after that we're still 1.0 and everyone who comes along thinks we just started. This is the third major release and 1.3 reflects that development history. 
(0.1, 0.2, 1.3) 1828 218 6 1277643758 1828 0 xx 1 Re: IPv6, headless client, and more Welcome, Harry.<br /><br />I hadn't thought about starting out using bitcoind without using bitcoin first. I guess for now, this thread serves as the tutorial. <br /><br />The focus for bitcoind so far has been more on backend support for websites. There's demand for things that would be nice for adminning headless generators like listgenerated. For the moment, you can grep the debug.log file for "generated" and "hashmeter" for some feedback. Generated blocks take about 24 hours before they're credited to your balance. 4037 437 6 1279479501 4037 0 xx 1 Re: Bitcoin 0.3.2 released The change list is basically encompassed by what's listed in the first message. Everyone should upgrade to get the important security improvements.<br /><br />Minimizing to tray had at least 3 different glitches and bugs on Linux, including a crash one, so I disabled it again. You can still re-enable the option with "-minimizetotray" if you want to use it anyway. The bugs/glitches are somewhere in wxWidgets or GTK or Gnome and I don't know how to fix them. Sorry, I just don't know what else to do, it's just too glitchy and buggy to have as a mainline feature. 4059 461 6 1279486162 4059 0 xx 1 JSON-RPC password I uploaded to SVN my changes to add a password to JSON-RPC. If you're set up to build, please test it.<br /><br />The -server switch is replaced with -rpcpw=<password>, which is also used with bitcoind.<br />bitcoin -rpcpw=<password> -- runs with JSON-RPC port open<br />bitcoind -rpcpw=<password> -- daemon with password<br /><br />If you have a better idea for the switch name, let me know, but keep in mind there will eventually be a password for encrypting the database too. I'm not sure but I think they may want to use different passwords for the two.<br /><br />It gives a warning if you don't set a password.<br /><br />All commands now require the password as the first parameter. 
It'll tell you that if you run "bitcoind help".

The central code:

    // Check password
    if (params.size() < 1 || params[0].type() != str_type)
        throw runtime_error("First parameter must be the password.");
    if (params[0].get_str() != strRPCPassword)
    {
        if (strRPCPassword.size() < 15)
            Sleep(50);
        begin = strRequest.end();
        printf("ThreadRPCServer incorrect password attempt\n");
        throw runtime_error("Incorrect password.");
    }

Any comments on these decisions?

1) if (strRPCPassword.size() < 15) Sleep(50); -- this means if it's a short password, it'll wait 50ms after each attempt. This might be used as a DoS attack, but I figured if it's a short password, it's more important to protect against brute force password scan. This may tell outsiders whether the password is less than 15 characters, but less than 15 isn't all that noteworthy, most passwords are less than 15. If you want to close the DoS possibility, just use a password 15 characters or longer.

2) begin = strRequest.end(); -- if it's a single request with multiple invocations, I throw away the rest if one has a bad password. This is so you can't stuff it with millions of password attempts in one packet. What do you think, is this the right thing to do? 
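The two decisions above (slow down a failed attempt when the password is short, and discard the rest of a multi-invocation request after the first bad password) can be exercised without a running daemon. The following is an added example written for this page, not code from the Bitcoin tree: `RpcCall`, `HandleBatch` and the injectable `sleepMs` callback are assumed names, the JSON-RPC parameter list is reduced to a list of strings, and the comparison is done with a constant-time `PasswordsEqual` instead of the page's `!=` so that the time taken does not depend on how many leading characters of a guess were right.

```cpp
#include <chrono>
#include <cstddef>
#include <string>
#include <thread>
#include <vector>

// Constructed stand-in for one JSON-RPC invocation: as on the page, the
// password travels as params[0] and the method name follows it.
struct RpcCall {
    std::vector<std::string> params;
};

// Constant-time comparison (assumed replacement for the page's operator!=):
// the loop always runs over the expected password's full length and folds a
// length mismatch into the result instead of returning early.
bool PasswordsEqual(const std::string& supplied, const std::string& expected) {
    unsigned char diff = static_cast<unsigned char>(supplied.size() != expected.size());
    for (size_t i = 0; i < expected.size(); ++i) {
        unsigned char s = i < supplied.size() ? static_cast<unsigned char>(supplied[i]) : 0;
        diff |= s ^ static_cast<unsigned char>(expected[i]);
    }
    return diff == 0;
}

struct BatchResult {
    size_t executed = 0;  // invocations that passed the password check
    size_t dropped = 0;   // invocations discarded from the first bad password onwards
    size_t delays = 0;    // how many times the short-password delay was applied
};

// Mirrors the page's two decisions over a multi-invocation request:
//  1) a failed attempt against a password shorter than 15 chars is slowed by 50 ms;
//  2) the failing call and everything after it in the same request are thrown away.
// The sleep is passed in so a test can run without real waits.
BatchResult HandleBatch(const std::vector<RpcCall>& batch,
                        const std::string& strRPCPassword,
                        void (*sleepMs)(int)) {
    BatchResult r;
    for (size_t i = 0; i < batch.size(); ++i) {
        const RpcCall& call = batch[i];
        bool ok = !call.params.empty() && PasswordsEqual(call.params[0], strRPCPassword);
        if (!ok) {
            if (strRPCPassword.size() < 15) {
                sleepMs(50);
                ++r.delays;
            }
            r.dropped = batch.size() - i;  // this call plus the remainder of the request
            break;
        }
        ++r.executed;
    }
    return r;
}

void RealSleep(int ms) { std::this_thread::sleep_for(std::chrono::milliseconds(ms)); }
void NoSleep(int) {}
```

With `RealSleep` the delay applies per failed request, so a short password turns every bad guess into a 50 ms stall on the RPC thread, which is exactly the DoS trade-off the post describes; `NoSleep` exists only so the behaviour can be checked quickly.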
(multiple invocation is probably almost never used anyway)

I also fixed the two duplicated commands listed in the help:

getaddressesbylabel <pw> <label>
getbalance <pw>
getblockcount <pw>
getblocknumber <pw>
getconnectioncount <pw>
getdifficulty <pw>
getgenerate <pw>
getinfo <pw>
getlabel <pw> <bitcoinaddress>
getnewaddress <pw> [label]
getreceivedbyaddress <pw> <bitcoinaddress> [minconf=1]
getreceivedbylabel <pw> <label> [minconf=1]
help <pw>
listreceivedbyaddress <pw> [minconf=1] [includeempty=false]
listreceivedbylabel <pw> [minconf=1] [includeempty=false]
sendtoaddress <pw> <bitcoinaddress> <amount> [comment] [comment-to]
setgenerate <pw> <generate> [genproclimit]
setlabel <pw> <bitcoinaddress> <label>
stop <pw>
 4068 453 6 1279488249 4071 1279489045 satoshi xx 1 Re: MSVC build & SHA-256 OpenSSL doesn't have any interface for doing just the low level raw block hash part of SHA256. SHA256 begins by wrapping your data in a specially formatted buffer. Setting up the buffer takes an order of magnitude longer than the actual hashing if you're only hashing one or two blocks like we do. It's intended that the time is amortised if you were hashing many KB or MB of data. In BitcoinMiner, we format the buffer once and keep reusing it.

If you can find SHA256 code that's faster (with MinGW/GCC) than what we've got, that would be really great! (although, keep licensing in mind) The one we have is the only one I tried, so there's significant chance for improvement. 

When I wrote it more than 2 years ago, there were screaming hot SHA1 implementations but minimal attention to SHA256. That's a lot of time for them to come up with better stuff. SHA256 was a lot slower than the fastest SHA1 at the time than I thought it should be. 
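The "specially formatted buffer" the post refers to is SHA-256's padding step, and "format the buffer once and keep reusing it" means padding the 80-byte block header a single time and then only rewriting the nonce bytes before each pair of compressions. The block below is an added illustration written for this page, not BitcoinMiner's code: it carries a compact SHA-256 so it runs stand-alone, `PadMessage`, `Sha256Hex` and `PreparedHeader` are assumed names, and it hashes once where the real proof-of-work applies SHA-256 a second time to the result. The 80-byte header and the little-endian nonce in its last four bytes are Bitcoin's actual layout.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

namespace {
const uint32_t K[64] = {
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2};

inline uint32_t Rotr(uint32_t x, int n) { return (x >> n) | (x << (32 - n)); }

// One SHA-256 compression of a 64-byte block into the running state h.
void Compress(uint32_t h[8], const uint8_t* b) {
    uint32_t w[64];
    for (int i = 0; i < 16; ++i)  // message words are big-endian
        w[i] = (uint32_t(b[4 * i]) << 24) | (uint32_t(b[4 * i + 1]) << 16) |
               (uint32_t(b[4 * i + 2]) << 8) | uint32_t(b[4 * i + 3]);
    for (int i = 16; i < 64; ++i) {
        uint32_t s0 = Rotr(w[i - 15], 7) ^ Rotr(w[i - 15], 18) ^ (w[i - 15] >> 3);
        uint32_t s1 = Rotr(w[i - 2], 17) ^ Rotr(w[i - 2], 19) ^ (w[i - 2] >> 10);
        w[i] = w[i - 16] + s0 + w[i - 7] + s1;
    }
    uint32_t a = h[0], bb = h[1], c = h[2], d = h[3], e = h[4], f = h[5], g = h[6], hh = h[7];
    for (int i = 0; i < 64; ++i) {
        uint32_t t1 = hh + (Rotr(e, 6) ^ Rotr(e, 11) ^ Rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i];
        uint32_t t2 = (Rotr(a, 2) ^ Rotr(a, 13) ^ Rotr(a, 22)) + ((a & bb) ^ (a & c) ^ (bb & c));
        hh = g; g = f; f = e; e = d + t1; d = c; c = bb; bb = a; a = t1 + t2;
    }
    h[0] += a; h[1] += bb; h[2] += c; h[3] += d; h[4] += e; h[5] += f; h[6] += g; h[7] += hh;
}

void InitState(uint32_t h[8]) {
    const uint32_t init[8] = {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
                              0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
    for (int i = 0; i < 8; ++i) h[i] = init[i];
}

std::string ToHex(const uint32_t h[8]) {
    const char* digits = "0123456789abcdef";
    std::string s;
    for (int i = 0; i < 8; ++i)
        for (int shift = 28; shift >= 0; shift -= 4) s += digits[(h[i] >> shift) & 0xf];
    return s;
}
}  // namespace

// SHA-256 preprocessing: the data, a 0x80 byte, zeros up to 56 mod 64, then
// the message length in bits as a 64-bit big-endian integer. This is the
// "specially formatted buffer" the post talks about.
std::vector<uint8_t> PadMessage(const std::vector<uint8_t>& data) {
    std::vector<uint8_t> buf = data;
    buf.push_back(0x80);
    while (buf.size() % 64 != 56) buf.push_back(0);
    uint64_t bits = uint64_t(data.size()) * 8;
    for (int i = 7; i >= 0; --i) buf.push_back(uint8_t(bits >> (8 * i)));
    return buf;
}

std::string HashPadded(const std::vector<uint8_t>& buf) {
    uint32_t h[8];
    InitState(h);
    for (size_t off = 0; off < buf.size(); off += 64) Compress(h, &buf[off]);
    return ToHex(h);
}

// Plain hash: rebuilds the padded buffer on every call.
std::string Sha256Hex(const std::string& msg) {
    return HashPadded(PadMessage(std::vector<uint8_t>(msg.begin(), msg.end())));
}

// The miner pattern: pad an 80-byte header once (giving exactly two 64-byte
// blocks) and per nonce overwrite only header bytes 76..79 before hashing.
struct PreparedHeader {
    std::vector<uint8_t> buf;
    explicit PreparedHeader(const std::vector<uint8_t>& header80) : buf(PadMessage(header80)) {}
    std::string HashWithNonce(uint32_t nonce) {
        for (int i = 0; i < 4; ++i) buf[76 + i] = uint8_t(nonce >> (8 * i));  // little-endian
        return HashPadded(buf);
    }
};
```

`PreparedHeader` gives the same digest as `Sha256Hex` over the equivalent 80-byte message, so the saving is purely in not rebuilding the 128-byte padded buffer per nonce; a real miner goes further and also caches the state after the first of the two compressions, since only the second block changes with the nonce.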
Obviously SHA256 should be slower than SHA1 by a certain amount, but not by as much as I saw.<br /><br />(hope you don't mind I renamed your thread, SHA-256 optimisation is something important that I keep forgetting about) 4073 431 1 1279490178 4073 0 xx 1 Re: Nenolod, the guy that wants to prove Bitcoin doesn't work. Typically, over 25,000 BTC. 4095 441 1 1279496127 4095 0 xx 1 Re: Did block generation crawl to a halt? Nice graph! A moving average to smooth it out would be nice.<br /><br />http://nullvoid.org/bitcoin/statistix.php says 212 blocks in the last 24 hours, or 8.8 per hour. 4169 461 6 1279514593 4169 0 xx 1 Re: JSON-RPC password Right, that is quite a bit better. <br /><br />Can you give me any examples of other stuff that does it that way? (and what the command line looks like)<br /><br />The main change you're talking about here is instead of -rpcpw= when you start bitcoind, you'd use a switch that specifies a text file to go and read it from, right? (any ideas what I should name the switch?) 4263 479 1 1279555298 5905 1280165660 satoshi xx 1 Warning: don't use -server or bitcoind where you web browse (v0.3.2 and lower) Don't use the -server or -daemon switch or run bitcoind on a machine where you use a web browser. It opens port 8332 on 127.0.0.1, the local loopback address, and you wouldn't think that web browsers could cross-site access it, but it is possible.<br /><br />We're working on a release soon that puts a password on the JSON-RPC interface, but until then, avoid using the -server switch, and don't web browse on the same machine where bitcoind is running.<br /><br />Update:<br />The JSON-RPC HTTP authentication feature in 0.3.3 solves this problem. 4268 461 6 1279556450 4268 0 xx 1 Re: JSON-RPC password So you drop a settings file in the ~/.bitcoin directory, that sounds better. 
In the "no password is set" warning, it could tell you where the file is and what to do.<br /><br />What is the most popular and common settings file format?<br /><br />HTTP basic authentication should be considered. In actual practice though, it's more work for web developers to figure out how to specify the password through some extra parameter in the HTTP or JSON-RPC wrapper than to just stick an extra parameter at the beginning of the parameter list. What do you think? Does HTTP basic authentication get us any additional benefits? Moving it off the parameter list but then you still have to specific it in a more esoteric place I'm not sure is a net win. <br /><br />[quote author=gavinandresen link=topic=461.msg4215#msg4215 date=1279540959]<br />I was confused for a bit because the password is given LAST on the command line, but FIRST in the JSON-RPC params list. I agree that reading the command-line password from a file would be more convenient and more secure.<br />[/quote]<br />You're also confusing me, what do you mean? Did I do something unintended? 4508 342 1 1279651108 4934 1279767768 satoshi xx 1 Re: They want to delete the Wikipedia article Bitcoin is an implementation of Wei Dai's b-money proposal http://weidai.com/bmoney.txt on Cypherpunks http://en.wikipedia.org/wiki/Cypherpunks in 1998 and Nick Szabo's Bitgold proposal http://unenumerated.blogspot.com/2005/12/bit-gold.html<br /><br />The timing is strange, just as we are getting a rapid increase in 3rd party coverage after getting slashdotted. I hope there's not a big hurry to wrap the discussion and decide. How long does Wikipedia typically leave a question like that open for comment?<br /><br />It would help to condense the article and make it less promotional sounding as soon as possible. Just letting people know what it is, where it fits into the electronic money space, not trying to convince them that it's good. 
They probably want something that just generally identifies what it is, not tries to explain all about how it works.<br /><br />If you post in http://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletion/Bitcoin please don't say "yeah, but bitcoin is really important and special so the rules shouldn't apply" or argue that the rule is dumb or unfair. That only makes it worse. Try to address how the rule is satisfied.<br /><br />Search "bitcoin" on google and see if you can find more big references in addition to the infoworld and slashdot ones. There may be very recent stuff being written by reporters who heard about it from the slashdot article.<br /><br />I hope it doesn't get deleted. If it does, it'll be hard to overcome the presumption. Institutional momentum is to stick with the last decision. (edit: or at least I assume so, that's how the world usually works, but maybe Wiki is different)<br /> 4577 461 6 1279670720 4577 0 xx 1 Re: JSON-RPC password Still need to know what's the most typical settings file format on Linux. Is there a standard file extension? I've never seen a settings file using JSON, and it doesn't look very human friendly with everything required to be in quotes. I think what I usually see is like:<br /># comment<br />setting=value<br /><br />Is there a settings file thing in Boost?<br /><br />When you're using bitcoind to issue commands from the command line as a client, can we have it get the password from the settings file then too?<br /><br />Gavin pointed out I forgot to increment the column of numbers in CommandLineRPC, so the current -rpcpw= implementation doesn't work right from the command line with non-string parameters. (JSON-RPC is fine) Still under construction. 4646 461 6 1279691494 4646 0 xx 1 Re: JSON-RPC password I was researching config file formats, here's a comparison.<br /><br />YAML is massive. I'm not sure there's a lightweight easy to build library we can integrate into our project. 
Seems overkill.

JSON is tempting and I'm inclined to like it, but two main sticking points:
1) No comments! How can you have a config file where you can't comment out a line to disable it?
2) Not very user friendly to have to "quote" all the strings, including the keys, and also have to remember the comma at the end of lines.
{
    "key" : "value",
}

I suppose we could easily preprocess JSON reading the config file one line at a time, truncate the lines at any # character (and/or "//"?), concatenate them into a string and pass it to JSON, so you could go:
# comment
"key" : "value", # still have to remember the comma
"key2" : "value", // comment like this or both

Boost has boost::program_options.

We could read lines ourselves and feed them into a map<string, string> mapConfig.

while (!eof)
    read line
    if '#' found, truncate line
    split line at first ':' -> key, value
    mapConfig.insert(key, value)

If we use the syntax:
# comment
key : value

...and don't allow whitespace indenting before the keys, I guess we would be a subset of YAML and could switch to YAML someday if we need more complexity.

If we go with self parsed, that doesn't mean we can't use JSON on particular parameter values as needed. 
If an option needs a list or more structured data, it could always parse its value as json:
key : ["item1", "item2", "item3"]

Although it has to be all on one line then.

I guess I'm leaning towards self parsed mapConfig:
# comment
key : value
 4758 461 6 1279728477 4758 0 xx 1 Re: JSON-RPC password [quote author=gavinandresen link=topic=461.msg4709#msg4709 date=1279714270]
I just did a quick survey of 20 .conf files in /etc on my debian system, and found:
 1 file used "key value"
 5 used "key=value"
[/quote]
Thanks for that survey!

I find "key value" a little unnatural. There ought to be a more definite separator between key and value that suggests assignment. The space people may just be getting lazy using their language's split function.
key=some full sentence with spaces in it. # seems more clear
key some full sentence with spaces in it. # than this

Alright then, let's go with self-parsed mapConfig, syntax:
# comment
key=value

file extension .conf. What's the filename, is it ~/.bitcoin/settings.conf or ~/.bitcoin/bitcoin.conf or what?

I think we better strip whitespace at the beginning and end of the key and the value.
# user who likes column formatted
k = value
key = value
longerkey = this sentence would be this # "this sentence would be this"
    key = value # guess this is ok too
    nextkey = value
    right = justified

The normal syntax should be "key=value", but you can't blame people for the occasional "key = value". 
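The syntax settled on in the two posts above ("# comment", "key=value", whitespace stripped around both sides, indentation tolerated) is small enough to parse by hand, which is what the pseudocode sketch proposes. The block below is an added example for this page, not the parser that went into the client: `ParseConfig`, `GetArg` and the sample file text are assumed, the sample reuses the page's own `-rpcpw` switch name as a key purely for illustration, and the "first value wins on a repeated key" rule is a choice made here because the posts do not decide it.

```cpp
#include <map>
#include <sstream>
#include <string>
#include <utility>

// Trim ASCII whitespace from both ends of a string.
static std::string Trim(const std::string& s) {
    const char* ws = " \t\r\n";
    size_t b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(ws);
    return s.substr(b, e - b + 1);
}

// Parses the "# comment / key=value" syntax into a map<string,string>:
//  - '#' starts a comment; it and everything after it on the line is dropped
//  - the line is split at the first '=', so values may themselves contain '='
//  - whitespace around key and value is stripped, so "key = value" is accepted
//  - lines with no '=' or an empty key are ignored
//  - a repeated key keeps its first value (assumption, see lead-in)
std::map<std::string, std::string> ParseConfig(const std::string& text) {
    std::map<std::string, std::string> mapConfig;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        size_t hash = line.find('#');
        if (hash != std::string::npos) line.erase(hash);
        size_t eq = line.find('=');
        if (eq == std::string::npos) continue;
        std::string key = Trim(line.substr(0, eq));
        std::string value = Trim(line.substr(eq + 1));
        if (key.empty()) continue;
        mapConfig.insert(std::make_pair(key, value));  // insert() does not overwrite
    }
    return mapConfig;
}

// Lookup with a default, the way a daemon would read one setting.
std::string GetArg(const std::map<std::string, std::string>& mapConfig,
                   const std::string& key, const std::string& def) {
    std::map<std::string, std::string>::const_iterator it = mapConfig.find(key);
    return it == mapConfig.end() ? def : it->second;
}

// Constructed sample file mirroring the layouts discussed in the thread.
const std::string kSampleConf =
    "# user who likes column formatted\n"
    "k = value\n"
    "key = value\n"
    "longerkey = this sentence would be this # \"this sentence would be this\"\n"
    "    key2 = value # guess this is ok too\n"
    "rpcpw=example-only-not-a-real-password\n"
    "url=http://127.0.0.1:8332/\n"
    "novalue\n";
```

One consequence of the comment rule worth knowing before choosing a password for such a file: because `#` is cut wherever it appears, a value containing `#` is silently truncated, so a password with a `#` in it would be stored as its prefix and fail to authenticate.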
1135 54 4 1274054163 1135 0 xx 1 Re: Setting up multiple bitcoin machines behind NAT At the moment, it always assumes the incoming port is 8333, so it would tell other bitcoin nodes to connect to router:8333 even if you're redirecting from another port number.<br /><br />I'm not in a big hurry to fix this because I can't think of any benefit to having more than one incoming connection port. If you're providing one incoming port, then you've done your bit to help the network. Having two incoming ports to the same person doesn't help redundancy.<br /><br />If you have many computers, then using the -connect switch on most of them to connect locally makes more sense. 1143 112 8 1274151491 1143 0 xx 1 Re: Is there a way to automate bitcoin payments for a website? A little late, but in case anyone else has the same issue. The compile dump had 2 warnings (that were 20 lines long) and 2 link errors. The errors were:<br />[quote]<br />obj/nogui/init.o(.gnu.linkonce.t._ZNK13wxArrayString4ItemEm+0x13): In function `wxArrayString::Item(unsigned long) const':<br />/usr/local/include/wx-2.9/wx/buffer.h:42: undefined reference to `wxTheAssertHandler'<br /><br />obj/nogui/init.o(.gnu.linkonce.t._ZNK13wxArrayString4ItemEm+0x45): In function `wxArrayString::Item(unsigned long) const':<br />/usr/src/bitcoin/trunk/uint256.h:526: undefined reference to `wxOnAssert(char const*, int, char const*, char const*, wchar_t const*)'<br />[/quote]<br /><br />Those are probably due to switching to the release build of wxWidgets instead of debug. They're moving towards only debug build and ditching the release build, so they probably don't care that their release build is broken by referring to non-existent assert stuff. There's nothing to fear about the debug build. It's fully suitable for releases.<br /><br />bitcoind runs as a daemon and can either be controlled by command line or JSON-RPC.<br /><br />Thanks madhatter and generica for detailing the instructions for building on freebsd. 
1149 125 4 1274213206 1149 0 xx 1 Re: Ummmm... where did my bitcoins go? It's not the download so much as verifying all the signatures in all the blocks as it downloads that takes a long time.<br /><br />How long is the initial block download typically taking? Does it slow down half way through or is about the same speed the whole way?<br /><br />I've thought about ways to do a more cursory check of most of the chain up to the last few thousand blocks. It is possible, but it's a lot of work, and there are a lot of other higher priority things to work on.<br /><br />Simplified Payment Verification is for lightweight client-only users who only do transactions and don't generate and don't participate in the node network. They wouldn't need to download blocks, just the hash chain, which is currently about 2MB and very quick to verify (less than a second to verify the whole chain). If the network becomes very large, like over 100,000 nodes, this is what we'll use to allow common users to do transactions without being full blown nodes. At that stage, most users should start running client-only software and only the specialist server farms keep running full network nodes, kind of like how the usenet network has consolidated.<br /><br />SPV is not implemented yet, and won't be implemented until far in the future, but all the current implementation is designed around supporting it.<br /><br />In the meantime, sites like [url=http://vekja.net]vekja.net[/url] and [url=http://www.mybitcoin.com]www.mybitcoin.com[/url] have been experimenting with account-based sites. You create an account on a website and hold your bitcoins on account there and transfer in and out. Creating an account on a website is a lot easier than installing and learning to use software, and a more familiar way of doing it for most people. The only disadvantage is that you have to trust the site, but that's fine for pocket change amounts for micropayments and misc expenses. 
It's an easy way to get started and if you get larger amounts then you can upgrade to the actual bitcoin software. 1169 30 5 1274391822 1169 0 xx 1 Re: We accept Bitcoins [quote author=DataWraith link=topic=30.msg1161#msg1161 date=1274298762]<br />Can I just butt in with a question on why that is? To me it seems that if Bitcoin uses public-key cryptography to transfer ownership of the coins, it should be a trivial matter to include a short message that is only readable by the recipient.<br />[/quote]<br />Almost but not quite. Bitcoin uses EC-DSA, which can only do digital signing, not encryption. RSA can do both, but I didn't use it because it's an order of magnitude bigger and would have been impractical. 1252 157 6 1274898445 1254 1274899988 satoshi xx 1 JSON-RPC programming tips using labels I added label related functions to help with managing multiple addresses per user. New or renamed functions are:<br /> getreceivedbyaddress -- amount received on a single address<br /> getreceivedbylabel -- amount received by all addresses with this label<br /> listreceivedbyaddress -- list addresses and amounts they've received<br /> listreceivedbylabel -- list labels and amounts they've received<br /> setlabel -- misc label functions for completeness<br /> getlabel<br /> getaddressesbylabel<br /><br />For consistency I renamed getamountreceived->getreceivedbyaddress and getallreceived->listreceivedbyaddress. The old names are still there so as not to break existing code, but they're deprecated.<br /><br />The idea is that if you give the username whenever you call getnewaddress, you can get the user's total received across all their addresses using the "bylabel" functions. 
You can freely change their address without worrying about tracking all their old addresses.

A good way to automate changing the user's receiving address: just before displaying their current address, check if it has been used to receive anything, if it has then replace it with a new one:

// Get a new address whenever the current one has received anything
if (strAddr == "" || getreceivedbyaddress(strAddr) > 0)
    strAddr = getnewaddress(strUsername); // Label the address with username
Display(strAddr); // Display their current receiving address

// Get total received by all the user's addresses
getreceivedbylabel(strUsername, 0) // unconfirmed
getreceivedbylabel(strUsername, 1) // available balance

If you're just getting one particular user's balance, such as in response to a page request by that user, use getreceivedbylabel, but if you're scanning over all users, it's better to use listreceivedbylabel to get the complete list and scan against the result. Scanning users with getreceivedbylabel would be n-squared, using listreceivedbylabel is n-log-n (or n linear).

You should only really need to scan all users if you're polling in order to spontaneously take action in response to money received, rather than the user going to a webpage, seeing their balance and telling you what to do with it. It's not necessary to poll very frequently. 
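The address-rotation rule and the "bylabel" accounting above can be run end to end against a small in-memory stand-in for the wallet. This is an added example written for this page, not bitcoind code: `FakeWallet`, its `receive` helper and `CurrentReceivingAddress` are assumed names, the method names only mirror the RPC calls listed in the post, the addresses it hands out are numbered placeholders rather than real Bitcoin addresses, and the rotation check is made with minconf 0 (the page's snippet uses the default of 1) so that an unconfirmed payment already retires the displayed address.

```cpp
#include <map>
#include <string>
#include <vector>

// One incoming payment as the wallet would see it (constructed stand-in).
struct Received {
    std::string address;
    double amount;
    int confirmations;
};

// In-memory stand-in for the wallet behind the JSON-RPC methods named in the
// post. Names follow the RPC methods; the bodies are this example's own.
class FakeWallet {
public:
    // Creates a fresh address and tags it with the given label (the username).
    std::string getnewaddress(const std::string& label) {
        std::string addr = "addr" + std::to_string(++nextId_);  // placeholder, not base58
        labelOf_[addr] = label;
        return addr;
    }

    // Test helper: in reality this is a transaction arriving from the network.
    void receive(const std::string& addr, double amount, int confirmations) {
        ledger_.push_back(Received{addr, amount, confirmations});
    }

    // Amount received on a single address with at least minconf confirmations.
    double getreceivedbyaddress(const std::string& addr, int minconf = 1) const {
        double total = 0;
        for (const Received& r : ledger_)
            if (r.address == addr && r.confirmations >= minconf) total += r.amount;
        return total;
    }

    // Amount received by every address carrying this label: one ledger pass per
    // call, which is why calling it once per user over all users is n-squared.
    double getreceivedbylabel(const std::string& label, int minconf = 1) const {
        double total = 0;
        for (const Received& r : ledger_) {
            std::map<std::string, std::string>::const_iterator it = labelOf_.find(r.address);
            if (it != labelOf_.end() && it->second == label && r.confirmations >= minconf)
                total += r.amount;
        }
        return total;
    }

    // Totals for all labels in a single pass; scan this map when polling every user.
    std::map<std::string, double> listreceivedbylabel(int minconf = 1) const {
        std::map<std::string, double> totals;
        for (const Received& r : ledger_) {
            std::map<std::string, std::string>::const_iterator it = labelOf_.find(r.address);
            if (it != labelOf_.end() && r.confirmations >= minconf) totals[it->second] += r.amount;
        }
        return totals;
    }

private:
    int nextId_ = 0;
    std::map<std::string, std::string> labelOf_;
    std::vector<Received> ledger_;
};

// The rotation rule from the post: hand out a new labelled address as soon as
// the current one has received anything (unconfirmed included, see lead-in).
std::string CurrentReceivingAddress(FakeWallet& wallet, std::string& strAddr,
                                    const std::string& strUsername) {
    if (strAddr.empty() || wallet.getreceivedbyaddress(strAddr, 0) > 0)
        strAddr = wallet.getnewaddress(strUsername);
    return strAddr;  // the caller displays this
}
```

Because every address a user ever received on keeps its label, the user's balance survives any number of rotations, which is the property the post is after; the only per-user state the web application has to persist is the address currently on display.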
If you require 1 confirmation, that'll take an average of 10 minutes anyway, so there's no point in polling more often than every few minutes.<br /><br />If you're selling digital goods and services, where you don't lose much if someone gets a free access, and it can't be resold for profit, I think you're fine to accept 0 confirmations.<br /><br />It's mostly only if you were selling gold or currency that you'd need multiple confirmations.<br /> 1254 154 6 1274899864 1254 0 xx 1 Re: Tracing a coin's lineage [quote author=Xunie link=topic=154.msg1242#msg1242 date=1274835004]<br />Can't we force a user to use a new address for receiving payments?<br />Every time a payment is received display another Bitcoin address in the address bar. (only transactions via Bitcoin addresses, NOT IPs of course, since that'd be useless, right?)<br />The actual key would still be kept to ensure that the user would still receive payments of people sending to the same address.<br />[/quote]<br />This is on my list. I will soon make the "Your Bitcoin Address:" window automatically change whenever you receive anything to the address displayed.<br /><br />I'm also recommending this approach for the implementation of web apps. I just posted some sample code showing a suggested way of implementing this.<br /><br />Versions on SVN since 0.2.4 already have a "New..." button next to the address bar to encourage changing it manually too.<br /><br />@theymos: If nothing else, we can fall back on that solution in the future. 1256 145 6 1274904574 1256 0 xx 1 Re: CLI bitcoin generation [quote author=molybdenum link=topic=145.msg1194#msg1194 date=1274553860]<br />An optional parameter to specify the minimum number of blocks after that transaction (getallreceived 1 for current behavior, or just getallreceived, getallreceived 5 for the paranoid, getallreceived 0 for instant confirms)?<br />[/quote]<br />Yeah, that actually is what it is. getallreceived 0 should do what you want. 
(now it's renamed to listreceivedbyaddress 0) The default is 1 confirmation, but I think in reality most digital goods and services can be 0 confirmations. Like you say, if you need more than 0 confirmations, you could show two numbers, unconfirmed and available balance, so they immediately see their transaction went through.

listreceivedbyaddress [minconf=1] [includeempty=false]
[minconf] is the minimum number of confirmations before payments are included.
[includeempty] whether to include addresses that haven't received any payments.
Returns an array of objects containing:
  "address" : receiving address
  "label" : the label of the receiving address
  "amount" : total amount received by the address
  "confirmations" : number of confirmations of the most recent transaction included

or listreceivedbylabel if you're labelling addresses with their username.

So far I've concentrated on functions for web merchants, not so much on stuff for remote management of headless coin generators yet.

1258 153 6 1274906074 1258 0 xx 1 Re: Share database blocks ?
It does in fact download 500 blocks at a time, then the counter counts one at a time as it verifies the blocks.

The advantage of letting bitcoin download and verify the blocks is that you do not have to trust the person you're downloading them from. If you downloaded the blk*.dat files from some site, you would have to trust that site, since you would be accepting the data without verifying it yourself. If you're copying blk*.dat from another computer of yours, that should be fine.

How long is the initial block download taking for you?

1259 151 6 1274908594 3234 1279218020 satoshi xx 1 Re: Website translations
Does anyone want to translate the Bitcoin client itself? It would be great to have at least one other language in the 0.3 release.

All you have to do is get poedit and translate the po file I'm attaching to this post.
It's less than 750 words.

Updated bitcoin.po attachment for 0.3.1

1260 141 4 1274909672 1260 0 xx 1 Re: Odd amount of generated coins
In the SVN version, if a transaction requires a transaction fee, it says
"This transaction is over the size limit. You can still send it for a fee of #,
which goes to the nodes that process your transaction and helps to support the network.
Do you want to pay the fee?"

If you don't have enough money with the fee added, it says
"Total exceeds your balance when the # transaction fee is included"

1269 151 6 1274969902 3235 1279218120 satoshi xx 1 Re: Website translations
Hurray! We have our first language. I uploaded it to SVN to go in with the 0.3 release.

1322 158 6 1275502695 1322 0 xx 1 Re: Hostnames instead of IP Addresses
The current sending by IP is not very useful: it connects to the IP, so you'd like to use TOR for anonymity, but then it can totally be eavesdropped and man-in-the-middled.

The future plan for sending to an IP is to make it a bitcoin address plus IP, like:

1auaDZCFYqaGx4FKS5WenNfurk2SkoDu4h<someseparatorcharacter>1.2.3.4
or
1auaDZCFYqaGx4FKS5WenNfurk2SkoDu4h<someseparatorcharacter>domain.com

I need suggestions for the separator character. ":" is a candidate, but IPv6 has : in it and that might get confusing. Something that's allowed in url parameters would be nice.

I want to use SSL for the connection, using the bitcoin address' public key as the cert. You would be certain you're connected to who you thought, and safely encrypted. The bitcoin address would not be used for the transaction, only for authentication. A new generated bitcoin address would be sent through the SSL connection.

Since it's authenticated, it would then be safe to allow the IP address to be a domain name. Some care taken that if a proxy is used, it uses socks4a instead of DNS lookup.
1323 43 1 1275504338 1323 0 xx 1 Re: Proof-of-work difficulty increasing
That's a good idea. I'm not sure where exactly to fit that in, but it could certainly calculate the expected average time between blocks generated, and then people would know what to expect.

Every node and each processor has a different public key in its block, so they're guaranteed to be scanning different territory.

Whenever the 32-bit nonce starts over at 1, bnExtraNonce gets incremented, which is an arbitrary precision integer.

1324 151 6 1275517089 1324 0 xx 1 Re: Website translations
I uploaded the 93% complete Dutch translation to SVN. Thanks!

1579 84 6 1276539201 1580 1276541297 satoshi xx 1 Re: On IRC bootstrapping
Bitcoin has its own distributed address directory using the "addr" message. It's about time we coded in a list of the current long running static nodes to seed from. I can add code so new nodes do not preferentially stay connected would be more automation friendly. Or what about an http interface on some port other than 80 to manage it with a browser?

45 12 6 1260473509 45 0 xx 1 Re: A few suggestions
[quote author=madhatter2 link=topic=12.msg44#msg44 date=1260453617]
Front ends can also be run on clients with very low cpu power such as mobile phones.
[/quote]
That's a good approach for mobile. Programmatic API used by PHP (any language) to present a web UI covers remote admin, mobile and any other client that can't be online all the time with a static IP. It would be like webmail. It would be easier for new users to get started if they only need to create an account on a website, not install software.

[quote]
The app could be pre-seeded before downloading. Pre-seeding would also cure the TOR+IRC problem. I know that people will want to run this system over I2P+TOR.
[/quote]
Yeah, we can phase out IRC when there are enough static nodes to preprogram a seed list.
Once you get seeded, you don't need IRC.

[quote]
Also you could pre-seed the blocks so they won't have to be downloaded upon initial run. (Downloading 28,000 blocks on a slower ADSL takes forever I couldn't imagine how long it would take when there are millions of blocks -- a lifetime).
[/quote]
There were some issues in 0.1.5 where the initial block download could get bogged down. 0.2 has code to make sure it goes smoothly. It ought to take less than an hour, I think. I need to hurry up and get 0.2 out the door.

The blocks increase linearly, it'll be decades before it's millions. In theory, the block download time should top out 8 months from now when Moore's Law will be growing faster than the block chain.

[quote]
Can you give me CVS access or something? (If not, can I send you patches?) I'd like to help out.
[/quote]
It's SVN on sourceforge. PM or e-mail me your sourceforge account and I'll give you access.

[quote]
I am mostly a Linux/BSD guy and I would like to lend my expertise in those areas.
[/quote]
That's great because that's where I have less expertise. For instance, I haven't researched the best way to do the "Start Bitcoin on system startup" feature on Linux. On Windows, the option adds/removes an icon in the Startup folder.

46 13 1 1260478142 46 1260480802 satoshi xx 1 Re: Questions about Bitcoin
1-3:
For that level of anonymity you need to connect through TOR, which will be possible with version 0.2, which is only a few weeks away. I'll post TOR instructions at that time.

4:
Version 0.1.5: backup the whole %appdata%\Bitcoin directory.
Version 0.2: you can backup just wallet.dat.

5:
Nope. The whole design is all about preventing that from working.

6:
Those coins can never be recovered, and the total circulation is less.
Since the effective circulation is reduced, all the remaining coins are worth slightly more. It's the opposite of when a government prints money and the value of existing money goes down.

7:
It's currently 29,296 blocks. The circulation is the number of blocks times 50, so the current circulation is 1,464,800 bc.

If you only have 24k blocks, it must not have finished the initial block download. Exit bitcoin and start it again. Version 0.2 is better/faster at the initial block download.

8:
Typically a few hundred right now. It's easy now but it'll get harder as the network grows.

9:
Good question, it's TCP. The website needs to be updated to say TCP port 8333.

The port forwarding is so other nodes can connect to you, so it helps you stay connected because you are able to be connected with more nodes. You also need it to receive payments by IP address.

10:
No, the other nodes won't accept that.

Being open source means anyone can independently review the code. If it was closed source, nobody could verify the security. I think it's essential for a program of this nature to be open source.

11:
Slower machines produce fewer coins. It's proportional to CPU speed.

12:
There are more coming.

13:
It uses a transactional database called Berkeley DB. It will not lose data in a system crash. Transactions are written to the database immediately when they're received.

14:
For now, you can just multiply the total blocks by 50. The Bitcoin network has been running for almost a year now. The design and coding started in 2007.

49 13 1 1260554337 49 0 xx 1 Re: Questions about Bitcoin
That's true, with the send-to-IP option, you are sending to whoever answers that IP. Sending to a bitcoin address doesn't have that problem.

The plan is to implement an IP + bitcoin address option that would have the benefits of both.
It would still use a different address for each transaction, but the receiver would sign the one-time-use address with the given bitcoin address to prove it belongs to the intended receiver.

50 12 6 1260559675 53 1260631982 satoshi xx 1 Re: A few suggestions
Right, the SVN has the almost-release-candidate 0.2 source, which can also be built and run on Linux. It hasn't been tested on FreeBSD.

[quote author=madhatter2 link=topic=12.msg47#msg47 date=1260507559]
If we can get to the point where we have a working backend process that will run on FreeBSD I can run always-on seeds.
[/quote]
That would be a big help. TOR users wouldn't have to worry about how to get seeded, and we wouldn't depend on IRC.

It can be run in a few simple modes without access to the UI if you don't mind a minimized window on the desktop. (0.1.5 doesn't have -min so it would be an open window)

To only run a seed:
bitcoin -min -gen=0

You could sort of monitor it by looking at debug.log. To stop it, kill the process, the database won't mind.

To generate:
bitcoin -min -gen

To get the generated bitcoins, you'd have to copy wallet.dat (with version 0.2) to a machine with a UI, swap in the wallet.dat, run bitcoin and transfer the coins to your main account. (With version 0.1.5 you'd have to copy the whole "%appdata%/Bitcoin" directory.) There is one caveat about copying wallet.dat: if you happened to kill the program at the exact moment that it generated a coin or received a payment, wallet.dat might not work by itself and you'd have to copy the whole directory.

[quote]
I really think that having the download package contain a daily seed snapshot will improve the bootstrapping. I have seen instances on new test installs here where the application will sit with 0 connections / 1 block.
Upon inspecting the debug.log I find that the IRC server (freenode, I believe) claims I am already connected and refuses to let me seed the application. (Just an example).
[/quote]
I see, that would happen with multiple nodes using the same NAT or VPN or some ISP that funnels everyone through a few proxy servers. I just committed a fix to SVN for this. If it gets "433" name already in use (it was error 433, right?), it'll retry with a non-address random username.

[quote]
In any event, I would like to help. I have a lot of time and a project like this one is very exciting.
[/quote]
That's great, any help is really appreciated!

54 12 6 1260640364 54 0 xx 1 Re: A few suggestions
The average total coins generated across the network per day stays the same. Faster machines just get a larger share than slower machines. If everyone bought faster machines, they wouldn't get more coins than before.

We should have a gentleman's agreement to postpone the GPU arms race as long as we can for the good of the network. It's much easier to get new users up to speed if they don't have to worry about GPU drivers and compatibility. It's nice how anyone with just a CPU can compete fairly equally right now.

55 12 6 1260641830 55 0 xx 1 Re: A few suggestions
[quote author=madhatter2 link=topic=12.msg51#msg51 date=1260599661]
I almost have the svn 0.2 compiling on Mac OS X 10.4.11/Intel (I also have a PPC970 machine here as well so a PPC build would be possible as well). The windowing is native carbon too via wxwidgets! It is FAST! ;) I had to create a new makefile (makefile.osx; based on makefile.unix of course.. given any thought to using autoconf?) and put some ifdef's into header.h. I have patches. I will keep toying around. I might try it on FreeBSD next.
[/quote]
Mac support would be nice. wxWidgets really pays off for cross platform.

Please don't try PPC.
PPC is big-endian and Bitcoin is little-endian, there would be endless endian bugs making it harder for me to debug the network if there's a potentially byte-swapping node out there. PPC is on its way out anyway.

Considered autoconf. Autoconf is a necessity for large projects with a quagmire makefile, but I think we're small enough that it's more optimal without it. I'd rather keep the makefile simple as long as possible.

[quote]
I think that breaking bitcoin into two apps is ideal. A wxwidgets front end (since it is mostly all there) and a backend that binds to a control TCP socket. I have been reading over the source to see how hard it would be to break it apart and I think it should be fairly simple. Of course an API would have to be developed.
[/quote]
My head hurts just thinking about that. Funnelling all the UI backend through a TCP connection would make everything twice as hard. There's too much bandwidth between the UI and the internal data structures in order to keep the listview control updated, because of the way the listview control works.

I'd rather have command line control, that would get us remote admin and batch automation.

62 12 6 1260723085 62 0 xx 1 Re: A few suggestions
There would be a command line switch at runtime to tell it to run without UI. All it needs to do is not create the main window. A simplistic way would be to disable "pframeMain->Show" and "ptaskbaricon->Show" in ui.cpp. The network threads don't care that the UI isn't there. The only other UI is a message box in CheckDiskSpace if it runs out of disk space.

Then a separate command line utility to communicate with it to do things. Not sure what it should be named.

"natural deflation"... I like that name for it. Yes, there will be natural deflation due to payment mistakes and lost data. Coin creation will eventually get slow enough that it is exceeded by natural deflation and we'll have net deflation.
67 12 6 1260810956 67 1260811634 satoshi xx 1 Re: A few suggestions
[quote author=madhatter2 link=topic=12.msg66#msg66 date=1260802899]
Can anyone shed some light here?

g++ -c -O0 -Wno-invalid-offsetof -Wformat -g -D[b]__WXMAC__[/b] -DNOPCH -DBUILD_MACOSX -I"/usr/include" -I"/usr/local/include/wx-2.8" -I"/usr/local/include" -I"/usr/local/boost_1_41_0" -I"/sw/include/db4" -I"/usr/local/ssl/include" -I"/usr/local/lib/wx/include/mac-ansi-release-2.8" -o headers.h.gch headers.h
...
ui.h:430: error: no matching function for call to 'wxTextCtrl::SetValue(const [b]std::basic_string[/b]<char, std::char_traits<char>, std::allocator<char> >&)'
/usr/local/include/wx-2.8/wx/textctrl.h:303: note: candidates are: virtual void wxTextCtrlBase::SetValue([b]const wxString&[/b])
[/quote]

It looks like the implicit conversion from std::string to wxString isn't working. That's used everywhere, the conversion needs to work.

wxString is complicated by supporting win32's 16-bit wchar and 8-bit ansi dual-compile. You can get that problem on Windows if the "unicode" (meaning wchar) build is used, so that wxString is wchar and std::string is char.

It's probably some wxWidgets compile defines or build configuration. What "configure" options did you use?

I'm not sure __WXMAC__ is the right define. It may be the Mac Classic support that's complicating wxString, and we only want OSX. Try __WXOSX__ (or see below)

http://docs.wxwidgets.org/stable/wx_cppconst.html
"There are two wxWidgets ports to Mac OS. One of them, wxMac, exists in two versions: Classic and Carbon. The Classic version is the only one to work on Mac OS version 8. The Carbon version may be built either as CFM or Mach-O (binary format, like ELF) and the former may run under OS 9 while the latter only runs under OS X. Finally, there is a new Cocoa port which can only be used under OS X.
To summarize:

 * If you want to test for all Mac platforms, classic and OS X, you should test both __WXMAC__ and __WXCOCOA__.
 * If you want to test for any GUI Mac port under OS X, use __WXOSX__.
 * If you want to test for any port under Mac OS X, including, for example, wxGTK and also wxBase, use __DARWIN__"

70 12 6 1260909452 70 0 xx 1 Re: A few suggestions
[quote author=madhatter2 link=topic=12.msg68#msg68 date=1260854469]
It is also throwing the same std::string issue on the latest version of Ubuntu Linux.
[/quote]
Then it must be something you're doing differently with building or configuring wxWidgets.

What options did you use on the wxWidgets "configure" script? The options I used are in build-unix.txt.

[quote]
One question: how do I enable the debug.log? I have tried stopping bitcoin and touching ~/.bitcoin/debug.log and starting bitcoin again. It never seems to write to the file. Am I missing something?
[/quote]
Never heard of that happening. Is there anything in debug.log? If you touched the file, that sounds like something is there. Does the program have write access to the file?

for each near-hit immediately, and the operator takes the risk from randomness of having more or less near-hits before a block is found.

Either way, the user who submits the hit that solves the block should get an extra amount off the top, like 10 BTC.

New users wouldn't really even need the Bitcoin software. They could download a miner, create an account on mtgox or mybitcoin, enter their deposit address into the miner and point it at anyone's pool server. When the miner says it found something, a while later a few coins show up in their account.

Miner writers better make sure they never false-positive near-hits. Users will depend on that to check if the pool operator is cheating them.
If the miner wrongly says it found something, users will look in their account, not find anything, and get mad at the pool operator.

25138 1931 6 1290964381 25180 1290974879 satoshi xx 1 Re: RFC: ship block chain 1-74000 with release tarballs?
Despite everything else said, the current next step is:
[quote]
Someone should experiment with different Berkeley DB settings and see if there's something that makes the download substantially faster. If something substantial is discovered, then we can work out the particulars.
[/quote]
In particular, I suspect that more read caching might help a lot.

[quote author=jgarzik link=topic=1931.msg25017#msg25017 date=1290911609]
Another new user on IRC, Linux this time, was downloading at a rate of 1 block every 4 seconds -- estimated total download time around 4 days.
[/quote]
Then something more specific was wrong. That's not due to normal initial download time. Without more details, it can't be diagnosed. If it was due to slow download, did it speed up after 10-20 minutes when the next block broadcast should have made it switch to a faster source? debug.log might have clues. How fast is their Internet connection? Was it steadily slow, or just slow down at one point?

[quote]
We have the hashes for genesis block through block 74000 hardcoded (compiled) into bitcoin, so there's no reason why we shouldn't be able to automatically download a compressed zipfile of the block database from [i]anywhere[/i], unpack it, verify it, and start running.
[/quote]
The 74000 checkpoint is not enough to protect you, and does nothing if the download is already past 74000. -checkblocks does more, but is still easily defeated.
You still must trust the supplier of the zipfile.

If there was a "verify it" step, that would take as long as the current normal initial download, in which it is the indexing, not the data download, that is the bottleneck.

[quote author=jgarzik link=topic=1931.msg25058#msg25058 date=1290929635]
Presumably at some point there will be a lightweight client that only downloads block headers, but there will still be hundreds of thousands of those...
[/quote]
80 bytes per header and no indexing work. Might take 1 minute.

[quote]
uncompressed data using a protocol (bitcoin P2P) that wasn't designed for bulk data transfer.
[/quote]
The data is mostly hashes and keys and signatures that are uncompressible.

The speed of initial download is not a reflection of the bulk data transfer rate of the protocol. The gating factor is the indexing while it downloads.

25148 1990 3 1290966519 25148 0 xx 1 Disabled "remove topic" for topic starters
grondilu deleted the whole "What will governments do against Bitcoin?" thread, which had diverged more into a philosophical debate about politics.

I removed the "Remove own topics" permission for regular users. I didn't know they could do that. It would be OK if it only deleted if it only has your own posts in it, like if you accidentally posted in the wrong place.

At the same time, I enabled "Move own topic".

25154 1986 1 1290967599 25157 1290968565 satoshi xx 1 Re: Is safe running bitcoins with the same wallet on more computers simultaneously?
[quote]
Will it be synchronized automatically?
[/quote]
Very much not. Using multiple copies of wallet.dat is not recommended or supported, in fact all of Bitcoin is designed to defeat that. Both copies will get screwed up.

If you're trying to consolidate your generated coins into one wallet, a better solution now is to run getwork miners on the additional systems.
jgarzik has a CPU miner, and it supports tcatm's 4-way SSE2, so on Windows it's up to twice as fast as the built-in SHA if you have an AMD or recent Intel (core 3, 5 or 7).

New demonstration CPU miner available:
http://www.bitcoin.org/smf/index.php?topic=1925.0

25449 1931 6 1291061952 25461 1291063992 satoshi xx 1 Re: RFC: ship block chain 1-74000 with release tarballs?
It seems like you're inclined to assume everything is wrong more than is actually so.

Writing the block index is light work. Building the tx index is much more random access per block. I suspect reading all the prev txins is what's slow. Read caching would help that. It's best if the DB does that. Maybe it has a setting for how much cache memory to use.

[quote]
1) bitcoin should be opening databases, not just environment, at program startup, and closing database at program shutdown.
[/quote]
Already does that. See CDB. The lifetime of the (for instance) CTxDB object is only to support database transactions and to know if anything is still using the database at shutdown.

[quote]
And, additionally, bitcoin forces a database checkpoint, pushing all transactions from log into main database.
[/quote]
If it was doing that it would be much slower. It's supposed to be only once a minute or 500 blocks:

    if (strFile == "blkindex.dat" && IsInitialBlockDownload() && nBestHeight % 500 != 0)
        nMinutes = 1;
    dbenv.txn_checkpoint(0, nMinutes, 0);

Probably should add this:
    if (!fReadOnly)
        dbenv.txn_checkpoint(0, nMinutes, 0);

[quote]
2) For the initial block download, txn commit should occur once every N records, not every record. I suggest N=1000.
[/quote]
Does transaction commit imply flush? That seems surprising to me. I assume a database op wrapped in a transaction would be logged like any other database op.
Many database applications need to wrap almost every pair of ops in a transaction, such as moving money from one account to another. (debit a, credit b) I can't imagine they're required to batch all their stuff up themselves.

In the following cases, would case 1 flush once and case 2 flush twice?

case 1:
write
write
write
write
checkpoint

case 2:
begin transaction
write
write
commit transaction
begin transaction
write
write
commit transaction
checkpoint

Contorting our database usage will not be the right approach. It's going to be BDB settings and caching.

25799 2007 6 1291143751 25799 0 xx 1 Re: Incompatible wallet format with latest bitcoin-git ?
What was this wallet used with? An early accounts patch or git build?

It's while loading the wallet. I assume it must be in this:

    else if (strType == "acentry")
    {
        string strAccount;
        ssKey >> strAccount;
        uint64 nNumber;
        ssKey >> nNumber;
        if (nNumber > nAccountingEntryNumber)
            nAccountingEntryNumber = nNumber;
    }

You could check that with this:

    else if (strType == "acentry")
    {
        string strAccount;
        assert(!ssKey.empty());
        ssKey >> strAccount;
        uint64 nNumber;
        if (ssKey.size() != 8)
            printf("***** %s %d\n", strAccount.c_str(), ssKey.size());
        assert(ssKey.empty() == false);
        ssKey >> nNumber;
        if (nNumber > nAccountingEntryNumber)
            nAccountingEntryNumber = nNumber;
    }

Was there an interim version of accounts on git at some point that had just ("acentry", "account") for the key?

If you have gdb, you could run it in gdb and do a backtrace.

gdb --args bitcoin ...
run
(wait for exception)
bt

26016 1931 6 1291238739 26016 0 xx 1 Re: RFC: ship block chain 1-74000 with release tarballs?
That's a good optimisation. I'll add that next time I update SVN.

More generally, we could also consider this:

 dbenv.set_lk_max_objects(10000);
 dbenv.set_errfile(fopen(strErrorFile.c_str(), "a")); /// debug
 dbenv.set_flags(DB_AUTO_COMMIT, 1);
+ dbenv.set_flags(DB_TXN_NOSYNC, 1);
 ret = dbenv.open(strDataDir.c_str(),
 DB_CREATE |
 DB_INIT_LOCK |
 DB_INIT_LOG |

We would then rely on dbenv.txn_checkpoint(0, 0, 0) in CDB::Close() to flush after wallet writes.

26999 1735 12 1291540088 26999 0 xx 1 Re: Wikileaks contact info?
[quote author=RHorning link=topic=1735.msg26876#msg26876 date=1291501064]
Basically, bring it on. Let's encourage Wikileaks to use Bitcoins and I'm willing to face any risk or fallout from that act.
[/quote]
No, don't "bring it on".

The project needs to grow gradually so the software can be strengthened along the way.

I make this appeal to WikiLeaks not to try to use Bitcoin. Bitcoin is a small beta community in its infancy. You would not stand to get more than pocket change, and the heat you would bring would likely destroy us at this stage.

28228 2151 6 1291839709 28275 1291845280 satoshi xx 1 Re: JSON-RPC method idea: list transactions newer than a given txid
It's not safe to use listtransactions this way.

I know I've been criticized for being reluctant about listtransactions. Let me explain my reluctance.

Transactions are dynamic. Past transactions can become unconfirmed, go away and come back, become invalid and disappear, or be replaced by a different double-spend. Their date can change, their order can change.

Programmers are naturally inclined to want to use listtransactions like this: feed me the new transactions since I last asked, and I'll keep my own tally or static record of them.
This will seem to work in all regular use, but if you use the amounts for anything, it is highly exploitable:
1) How do you know if a past transaction becomes invalid and disappears?
2) When there's a block-chain reorg, it would be easy to double-count transactions when they get confirmed again.
3) A transaction can be replaced by a double-spend with a different txid. You would count both spends.

The model where you assume you only need to see new transactions because you've already seen previous transactions is not true. Old transactions can change at any time.

Any time you take an action based on payment amounts received, you always need to go back to bitcoin and ask for a current balance total (or use move or sendfrom), and be ready for the possibility that it can go down.

Now that we have the Accounts feature making it easier to do it the right way, we're better prepared to have listtransactions.

28292 2151 6 1291847805 28292 0 xx 1 Re: JSON-RPC method idea: list transactions newer than a given txid
Then how do you cope with the issues I listed in the message you quoted?

28302 2162 6 1291850364 28518 1291902506 satoshi xx 1 Version 0.3.18
Changes:
- Fixed a wallet.dat compatibility problem if you downgraded from 0.3.17 and then upgraded again
- IsStandard() check to only include known transaction types in blocks
- Jgarzik's optimisation to speed up the initial block download a little

The main addition in this release is the Accounts-Based JSON-RPC commands that Gavin's been working on (more details at http://www.bitcoin.org/smf/index.php?topic=1886.0).
- getaccountaddress
- sendfrom
- move
- getbalance
- listtransactions

Download:
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.18/

28313 2151 6 1291853537 28313 0 xx 1 Re: JSON-RPC method idea: list transactions newer than a given txid
I'm not talking about the normal risk for a given minconf level, I'm talking about additional pitfalls from listtransactions when used this way.

[quote author=satoshi link=topic=2151.msg28292#msg28292 date=1291847805]
2) When there's a block-chain reorg, it would be easy to double-count transactions when they get confirmed again.
[/quote]
The OP's example of listtransactions <account> [count=10] [txid] seems to imply and it would be very easy for programmers to assume that if they pass in the last txid of the previous call to listtransactions, they will never see the same transaction more than once, which is not the case. It would be very easy to double-count payments if you don't maintain your own persistent map or dictionary to track which txid's you've already accepted.

It doesn't seem right to have a function that seems tailor made to be used a certain obvious way, and

4775 461 6 1279733469 4775 0 xx 1 Re: JSON-RPC password
boost::program_options has the same "key=value" format. Gavin pointed out we can use it in a simple way as a parser without getting into all the esoteric c++ syntax like typed value extraction. We can use more features if we want later.

Let's go ahead with HTTP basic authentication instead of password as a parameter.
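The listtransactions pitfalls discussed in the posts above (reorg double-counting, double-spends with a new txid, amounts that go down) and the "ask bitcoin for the current balance total" advice, as an added Python example that is not part of the original posts and also covers the polling pattern from the getreceivedbylabel web-merchant post earlier on the page. SimulatedWallet, IncrementalLedger and BalanceLedger are hypothetical names; the wallet is a constructed stand-in whose listtransactions/getbalance only approximate the real RPC.

```python
from decimal import Decimal


class SimulatedWallet:
    """Constructed stand-in for a bitcoind wallet (not the real RPC), with just
    enough state to replay a block-chain reorg and a double-spend."""

    def __init__(self):
        self.txs = []  # kept in listing order, as listtransactions would return them

    def receive(self, txid, account, amount, confirmations=1):
        self.txs.append({"txid": txid, "account": account,
                         "amount": Decimal(amount), "confirmations": confirmations})

    def _pop(self, txid):
        index = next(i for i, tx in enumerate(self.txs) if tx["txid"] == txid)
        return self.txs.pop(index)

    def unconfirm(self, txid):
        """A reorg orphaned the block holding txid: it drops back to 0 confirmations."""
        for tx in self.txs:
            if tx["txid"] == txid:
                tx["confirmations"] = 0

    def reconfirm(self, txid, confirmations=1):
        """txid is mined again in a later block, so its place in the listing changes too."""
        tx = self._pop(txid)
        tx["confirmations"] = confirmations
        self.txs.append(tx)

    def replace_by_double_spend(self, old_txid, new_txid):
        """The same coins arrive again under a different txid; the old one vanishes."""
        self.txs.append(dict(self._pop(old_txid), txid=new_txid))

    def listtransactions(self, account, minconf=1, from_txid=None):
        rows = [tx for tx in self.txs
                if tx["account"] == account and tx["confirmations"] >= minconf]
        ids = [tx["txid"] for tx in rows]
        if from_txid in ids:
            rows = rows[ids.index(from_txid) + 1:]
        return rows  # if from_txid has vanished, every row looks "new" to the caller

    def getbalance(self, account, minconf=1):
        return sum((tx["amount"] for tx in self.listtransactions(account, minconf)), Decimal(0))


class IncrementalLedger:
    """The pattern the post warns against: fetch transactions newer than the last
    txid seen and keep a private running tally that is never revised."""

    def __init__(self, wallet, minconf=1):
        self.wallet, self.minconf = wallet, minconf
        self.tally, self.last_txid = {}, {}

    def poll(self, account):
        new = self.wallet.listtransactions(account, self.minconf, self.last_txid.get(account))
        for tx in new:
            self.tally[account] = self.tally.get(account, Decimal(0)) + tx["amount"]
            self.last_txid[account] = tx["txid"]
        return self.tally.get(account, Decimal(0))


class BalanceLedger:
    """The recommended pattern: credit only from bitcoind's current balance total
    for the account, and notice when that total goes down."""

    def __init__(self, wallet, minconf=1):
        self.wallet, self.minconf = wallet, minconf
        self.credited, self.shortfall = {}, {}

    def poll(self, account):
        balance = self.wallet.getbalance(account, self.minconf)
        credited = self.credited.get(account, Decimal(0))
        if balance > credited:
            self.credited[account] = balance  # credit the user with the increase only
        # A positive shortfall means a payment already credited has been reversed.
        self.shortfall[account] = max(Decimal(0), credited - balance)
        return self.credited.get(account, Decimal(0))


def run_scenario():
    """Replay reorg + double-spend for the constructed account 'alice'."""
    wallet = SimulatedWallet()
    naive, safe = IncrementalLedger(wallet), BalanceLedger(wallet)
    wallet.receive("tx-a", "alice", "10")
    naive.poll("alice")                              # tally 10
    safe.poll("alice")                               # credited 10
    wallet.unconfirm("tx-a")                         # reorg: tx-a back to 0 confirmations
    wallet.receive("tx-c", "alice", "2")
    naive.poll("alice")                              # tally 12, last txid now tx-c
    safe.poll("alice")                               # credited stays 10, shortfall 8
    wallet.reconfirm("tx-a")                         # tx-a confirmed again, listed after tx-c
    naive.poll("alice")                              # tally 22: tx-a counted a second time
    safe.poll("alice")                               # credited 12, shortfall 0
    wallet.replace_by_double_spend("tx-a", "tx-b")   # same coins, different txid
    return {"naive": naive.poll("alice"),            # 34: tx-c again plus both spends
            "safe": safe.poll("alice"),              # 12: matches the wallet
            "balance": wallet.getbalance("alice"),
            "shortfall": safe.shortfall["alice"]}
```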
[msg 4928, topic 461, posted at Unix time 1279766063] Re: JSON-RPC password
[quote author=gavinandresen link=topic=461.msg4908#msg4908 date=1279761086]
TODO: dialog box or debug.log warning if no rpc.user/rpc.password is set, explaining how to set.
[/quote]
In many of the contexts of this RPC stuff, you can print to the console with fprintf(stdout, like this:
[code]
#if defined(__WXMSW__) && wxUSE_GUI
    MyMessageBox("Warning: rpc password is blank, use -rpcpw=<password>\n", "Bitcoin", wxOK | wxICON_EXCLAMATION);
#else
    fprintf(stdout, "Warning: rpc password is blank, use -rpcpw=<password>\n");
#endif
[/code]

[msg 5337, topic 461, posted at Unix time 1279904860] Re: JSON-RPC password
[quote author=gavinandresen link=topic=461.msg5296#msg5296 date=1279897905]
Question for everybody: should I add a section to the wiki page describing, in detail, how to do HTTP Basic authentication? PHP and Python make it really easy-- just use the http://user:pass@host:port/ URL syntax.
[/quote]
Yes, I think that would be really good so each dev doesn't have to figure it out themselves. We need a simple example for each of Python, PHP and Java importing the json-rpc library and using it to do a getinfo or something, including doing the http authentication part.

[msg 5338, topic 461, posted at Unix time 1279905271] Re: JSON-RPC password
Gavin's changes look good. I think everything is complete. Here's a test build, please test it!

http://www.bitcoin.org/download/bitcoin-0.3.2.5-win32.zip
http://www.bitcoin.org/download/bitcoin-0.3.2.5-linux.tar.gz

[msg 5339, topic 548, posted at Unix time 1279905827] Re: bitcoind not responding to RPC
If I recall correctly, 500 is the prescribed status code for JSON-RPC error responses. There is still a JSON response in the body of the reply telling the explanation of the error, which could be something like {"result":"","error":"bitcoin address not found","id":"1"}.
[msg 5349, topic 550, posted at Unix time 1279909496, last edited by satoshi at Unix time 1279915726] Faster initial block download (5x faster)
By making some adjustments to the database settings, I was able to make the initial block download about 5 times faster. It downloads in about 30 minutes.

The database default had it writing each block to disk synchronously, which is not necessary. I changed the settings to let it cache the changes in memory and write them out in a batch. Blocks are still written transactionally, so either the complete change occurs or none of it does, in either case the data is left in a valid state.

I only enabled this change during the initial block download. When you come within 2000 blocks of the latest block, these changes turn off and it slows down to the old way.

I built a test build if you'd like to start using it:

http://www.bitcoin.org/download/bitcoin-0.3.2.5-win32.zip
http://www.bitcoin.org/download/bitcoin-0.3.2.5-linux.tar.gz

These binaries also include Gavin Andresen's JSON-RPC HTTP authentication feature and the other important security improvements from 0.3.2.

I've been running a test over the last 24 hours that kills and restarts it randomly every 2-60 seconds (poor thing) while it's trying to do an initial block download and it's been fine.

There are no changes to the way it handles wallet.dat. This change is only for blk*.dat and the non-critical addr.dat. You can always delete blk*.dat if it gets screwed up and let it re-download.

[msg 5378, topic 550, posted at Unix time 1279916007] Re: Faster initial block download
[quote author=knightmb link=topic=550.msg5369#msg5369 date=1279913578]
Is there a safety reason to stop within the last 2000 blocks or can it be tweaked to stop at remaining 500 blocks for example?
[/quote]
Not really. I'll change it to 1000 next time.
[msg 5383, topic 461, posted at Unix time 1279917543] Re: JSON-RPC password
I don't think authentication should be disabled by default if there's no conf file or the config file doesn't contain "rpcpassword", but what if it contains "rpcpassword="?

I can see both points.

What if the programmer can't figure out how to do HTTP authentication in their language (Fortran or whatever) or it's not even supported by their JSON-RPC library? Should they be able to explicitly disable the password requirement?

OTOH, what if there's a template conf file, with
rpcpassword= # fill in a password here

There are many systems that don't allow you to log in without a password. This forum, for instance. Gavin's point seems stronger.

BTW, I haven't tested it, but I hope having rpcpassword= in the conf file is valid. It's only if you use -server or -daemon or bitcoind that it should fail with a warning. If it doesn't need the password, it should be fine. Is that right?

[msg 5416, topic 528, posted at Unix time 1279933148] Re: JSON-RPC Multiple Invocations
Obviously it's a bug that it repeats the header.

I was trying to follow the 1.0 spec: http://json-rpc.org/wiki/specification It called for multiple invocation.

I think they mean it's like this, but I'm not sure:

Post:
{"method": "postMessage", "params": ["Hello all!"], "id": 99}
{"method": "postMessage", "params": ["I have a question:"], "id": 101}

Reply:
{"result": 1, "error": null, "id": 99}
{"result": 1, "error": null, "id": 101}

I can't remember where I think I saw that it's supposed to send back HTTP status 500 for an error reply. If it contains multiple responses and one is an error, I wonder if that makes the status 500 for the whole thing, I guess so. Maybe it should always return 200. I think someone sounded like the 500 might be causing a problem.

This probably gets fixed after 0.3.3.
Until then, just use single invocation. I wonder if any JSON-RPC package even supports multiple invocation, probably not.

It would be nice if we could pin down better how multiple-invocation is supposed to work, if at all, before trying to fix it, and whether returning HTTP status 500 for error response is right.

[msg 5419, topic 548, posted at Unix time 1279934158] Re: bitcoind not responding to RPC
Can anyone confirm if JSON-RPC over HTTP is supposed to use status 500 if the reply is an error reply? I can't remember where I picked that up, maybe it's wrong. It seems like 200 would make more sense unless there's something wrong with the mechanics of the HTTP request itself. (and maybe that's what it said and I forgot and spread 500 to all error responses)

[msg 5432, topic 479, posted at Unix time 1279938549, last edited by satoshi at Unix time 1280099585] Re: Warning: don't use -server or bitcoind on a machine where you web browse
The JSON-RPC HTTP authentication feature in 0.3.3 solves this problem.

[msg 5443, topic 556, posted at Unix time 1279942372] Version 0.3.2.5 -- please test!
Please test 0.3.2.5 in preparation for the 0.3.3 release! This build is looking good and should be the one that goes into 0.3.3. I encourage you to go ahead and upgrade now if you're on Windows or Linux.

New features:
- Gavin Andresen's HTTP authentication to secure JSON-RPC
- 5x faster initial block download, under 30 minutes

Download here:
http://www.bitcoin.org/download/bitcoin-0.3.2.5-win32.zip
http://www.bitcoin.org/download/bitcoin-0.3.2.5-linux.tar.gz

Thanks!

[msg 5450, topic 555, posted at Unix time 1279944260] Re: Reading/Writing Blocks and FLATDATA
FLATDATA was a workaround to serialize a fixed field length array. There was a cleaner way to make it understand how to serialize arrays directly, but MSVC6 couldn't do it and I wanted to keep compatibility with MSVC6 at that time. We don't support MSVC6 anymore because we use something in Boost that doesn't. We lost support for it after 0.2.0.
Maybe someday I'll swap in the clean way that just knows how to serialize fixed length arrays without wrapping them in FLATDATA.

[msg 5694, topic 567, posted at Unix time 1280069193] Re: a simple traffic load test run
Was that on the test network?
http://www.bitcoin.org/smf/index.php?topic=363.0

[msg 5698, topic 567, posted at Unix time 1280071792] Re: a simple traffic load test run
Please do these tests on the test network. That's what it's for. Thanks.

[msg 5706, topic 569, posted at Unix time 1280076846] MOVED: a simple traffic load test run
This topic has been moved to [url=https://www.bitcoin.org/smf/index.php?board=6]Development & Technical Discussion[/url].

[iurl]https://www.bitcoin.org/smf/index.php?topic=567.0[/iurl]

[msg 5707, topic 570, posted at Unix time 1280076909] Bitcoin 0.3.3 released -- PLEASE UPGRADE
Please upgrade to 0.3.3! Important security improvements were made in 0.3.2 and 0.3.3.

New features:
- Gavin Andresen's HTTP authentication to secure JSON-RPC
- 5x faster initial block download, under 30 minutes

[msg 5712, topic 571, posted at Unix time 1280079922] Re: Stealing Coins
It's best if you tell it to me privately so it can be fixed first.

I just e-mailed you my e-mail address. (or you could PM me here)

[msg 5724, topic 571, posted at Unix time 1280084783] Re: Stealing Coins
Red, thanks for telling me privately first! Please go ahead and post it (and relieve the suspense for everyone!)

His point is that transactions paid to a Bitcoin Address are only as secure as the hash function. To make Bitcoin Addresses short, they are a hash of the public key, not the public key itself. An attacker would only have to break the hash function, not ECDSA.
[msg 5740, topic 571, posted at Unix time 1280088100] Re: Stealing Coins
[quote author=knightmb link=topic=571.msg5736#msg5736 date=1280087042]
If I figure out that Public Key 123456 generates Hash ABCD
and
Public Key 654321 also generates Hash ABCD
[i]I'm still left without the Private Key.[/i]

But from what you are saying, all I need is Public Key 654321 and I can spend coin pretending to be Public Key 123456.
[/quote]
You would still have to sign it with public key 654321. You need to find a collision using a public key for which you know the private key.

When you claim a Bitcoin Address transaction, you give your public key that matches the hash, then you must sign it with that key.

Red's point is that it's easy to quickly generate insecure public keys which you could break and find the private key after you find a collision.

He points out that if the public key was required to be a secure one, one which must have required significant work to find the prime numbers, that would increase the strength above that of the hash function alone. Someone trying to brute force would have to take time generating a key for each attempt.

[msg 5754, topic 571, posted at Unix time 1280090881, last edited by satoshi at Unix time 1280114781] Re: Stealing Coins
[quote]Here is a paper that claims to find SHA-1 collisions in 2^52 crypto operations. And optimally secure hash would take 2^80 operations. 2^52 time is still large, but it is getting into cluster and botnet range.
[/quote]
2^80 is if you can use a birthday attack. You can't use a birthday attack for this, so the difficulty is the full 2^160 bits. Although, if you were trying to crack any one of 1 million (2^20) transactions, you could do a partial birthday attack 2^160/2^20 = 2^140.

Bitcoin Addresses are the only place where 160-bit hash is used. Everything else is SHA-256.
They're calculated as:

bitcoinaddress = RIPEMD-160(SHA-256(publickey))

Correct me if I'm wrong (please, and I'll gladly eat crow) but I think it would be hard to use an analytical attack on RIPEMD-160 in this case. An analytical attack prescribes a certain range or pattern of inputs to try that will greatly increase your chance of finding a collision. Here, you don't have that kind of control over RIPEMD-160's input, because the input is the output of SHA-256. If an analytical attack helps you find an input to RIPEMD-160 that produces a collision, what are you going to do with it? You still have to get SHA-256 to output that value, so you would still have to break SHA-256 too.

For brute force, RIPEMD-160(SHA-256(x)) is no stronger than RIPEMD-160 alone. But for analytical attack, it seems like you must analytically attack both RIPEMD-160 and SHA-256. If I'm wrong, then the strength is the same as RIPEMD-160 and the SHA-256 only serves as one round of key strengthening.

[msg 5767, topic 461, posted at Unix time 1280093669] Re: JSON-RPC password
[quote author=lachesis link=topic=461.msg5738#msg5738 date=1280087555]
I found what appears to be a bug: with a long enough username and password combination, the base64 encoder in bitcoind produces authorization headers that look like this:
[code]
...
Authorization: Basic YWJiYWJiYWFiYmE6aGVsbG93b3JsZGhlbGxvd29ybGRoZWxsb3dvcmxkaGVsbG93
b3JsZGhlbGxvd29ybGRoZWxsb3dvcmxk
[/code]
It inserts a newline every 64 characters, which obviously breaks the Authorization header, so commands like "bitcoin getinfo" fail.
The server still works fine with properly behaving clients.

This can be solved by removing the newlines (and maybe '\r's) from result at the end of the Base64Encode function:
[code]
result.erase(std::remove(result.begin(), result.end(), '\n'), result.end());
result.erase(std::remove(result.begin(), result.end(), '\r'), result.end());
[/code]
[/quote]
+1 to you for having such a long password that you found this bug.

Uploaded to SVN as rev 110.

... I don't know other devs. Gavin has been honest for the 3 years I have followed him, he gets my vote

luckdragon69 (-1 points, 10 hours ago): I like Gavin too, until he starts trying to be the boss of the other devs

xxDan_Evansxx (1 point, 21 hours ago): I hope the core devs can reach a consensus solution and communicate it to the community soonish. I don't think consensus means that the change should wait until everyone agrees that it is time, otherwise whoever decided the blocksize should be the smallest and/or change the latest would ultimately be in charge of the decision. Similarly, everyone shouldn't have to jump because of whoever says it's time to go the soonest or for the biggest blocksize. Please, talk this out and communicate a consensus solution which will be implemented under whatever timeline you can agree to collectively. I am certain that you can do it. Everyone should offer what they feel is the right solution both now and for the future, then reach a compromise incorporating as many good ideas as possible. Thanks in advance!

donbrownmon (1 point, 11 hours ago): Unfortunately it seems the other core devs with Blockstream have ideas they want to impose that aren't mature and aren't in bitcoin's best interest, so they can make money from related consulting work.
seweso (1 point, 17 hours ago): The best solution: 1) put in a 20Mb hard limit which comes in effect in 6 months. 2) Make a soft limit of 1 Mb the default. 3) Begin writing code so that hitting the soft/hard limit doesn't crash any client. 4) Make sure clients can actually increase transaction fees if there is congestion on the network. This means that in normal circumstances nothing would change. But if the shit hits the fan then miners can increase the soft limit. :D

ncsakira (1 point, 15 hours ago): How about a compromise? 20 mb hard limit with 2*last2weeksaveragesize soft limit ?

pgrigor (1 point, 10 hours ago): If you don't like it, found another project. FTFY

snaxion (1 point, 10 hours ago): Gavin, please be our Linus Torvalds (but not quite as rude). :)

BlockchainCartman (1 point, 10 hours ago): https://s-media-cache-ak0.pinimg.com/originals/07/ec/bc/07ecbc4044de89dc2f5c70adf2a82a8e.jpg

ganesha1024 (1 point, 8 hours ago): Bitcoin is working and up until now it has behaved like there was no blocksize limit, because demand hasn't filled the blocks. Keeping the limit at 1MB is actually introducing new dynamics into the system by imposing scarcity where previously there was none, once demand fills up the blocks. So raising the block limit seems to be the conservative approach to me.

portabello75 (1 point, 6 hours ago): It is seriously concerning that so many core developers act as destructionist based on their involvement in commercial projects. In the "real world" no board member of a charity would be taken seriously if they were co-owners or stakeholders in a possibly competing for-profit company.
DakotaChiliBeans (1 point, 4 hours ago): Selling pitchforks 500 bits, torches 100 bits, and I have some fair condition slightly used villagers for 2500 bits. Get em while you can.

usrn (1 point, 23 hours ago): Warning: the discussion below is pretty much retarded. It isn't worth the trouble and time to read through.

pointjudith (0 points, 13 hours ago): Should be top comment.

coinx-ltc (-3 points, 1 day ago): Bitcoin calls itself decentralised. This is the opposite. He basically says that he knows best and doesn't give a shit about other opinions. He should be careful. He won't be able to develop Bitcoin alone with Mike. This is not about the block size increase, it is about how to reach consensus.

AmIHigh (11 points, 1 day ago*): Sometimes consensus can't be reached. If there's no pressure you can wait, like we have for 3 years now. As the pressure builds, at some point, someone needs to make a decision. We could debate if we've reached that time, but Gavin strongly believes we've reached it if we want to leave the proper time for all nodes to upgrade. Given the scenario that Gavin thinks we're in, a decision needs to be made, and he'll make it with or without full consensus and let the network decide. He's the lead developer on this. Satoshi chose him, he's the right one to make the choice in this scenario. This is exactly what should be happening in a situation like this.

awemany (2 points, 17 hours ago): Also, it isn't exactly consensus or decentralized if the other core devs block what a majority of Bitcoiners out there want - or is it?

amnesiac-eightyfour (0 points, 20 hours ago): A new Reddit account just to post this? That seems a bit weird...
On topic: bigger blocks are needed, if Bitcoin wants to grow in importance; a decision has to be taken by someone at some point.

btcdrak (1 point, 12 hours ago): Yup, he says he threw his weight about over p2sh too and we know how that ended: with a vastly inferior and buggy implementation rather than BIP17 which turned out to be infinitely better.

Bitcoin_Error_Log (1 point, 8 hours ago): Go ahead and throw your weight around, Gavin. You'll learn how much weight you actually carry.

romerun (1 point, 8 hours ago): he spoke as if he were satoshi himself

PhiMinD (0 points, 1 day ago*): Don't forget this gem, https://www.youtube.com/watch?v=RIafZXRDH7w&feature=youtu.be&t=2585 I wonder if Mike Hearn is an anarchist, because his point about "If someone voted for me to jump off a cliff I wouldn't." explains perfectly why the concept of democracy is absurd and dangerous.

luke-jr [Luke Dashjr - Bitcoin Expert] (-1 points, 1 day ago): There are many possibilities besides democracy... it's not either-that-or-anarchy.

PhiMinD (1 point, 18 hours ago): The choice is between monopolized force and voluntary interaction.

GibbsSamplePlatter (-2 points, 23 hours ago): jerk off motion

luckdragon69 (-4 points, 1 day ago): Can we vote President Gavin out of commit access and reinstitute the law of DAC?

rydan (-1 points, 19 hours ago): Do it. Allow yourself to become the centralized authority that Bitcoin needs.

whipowill (-1 points, 10 hours ago): I've never had confidence in Gavin. I see him as a total liability. He was just in the right place at the right time and fell ass-backwards into his current role.
Let the market decide where to take Bitcoin.

gr8n8au (0 points, 17 hours ago): i don't know what is best and can't decide.. i hope the community somehow gets it right..

john_doe_1337 (0 points, 9 hours ago): It is time to replace him.

todu (-2 points, 23 hours ago): Today with a block size cap at 1 MB I run a full node on one of my home computers with no problem. If the cap would be raised to 2 MB, I would just as easily be able to run a "50 % node" if my client software would allow me such a configuration setting. This isn't a "full node or no node at all" situation, is it? If the Bitcoin Core client software would offer a settings option for the amount of participation the user would like to contribute, I don't see any dramatic decrease in "full nodes" on the network. If you'd add up all the "half nodes" you'd get just as much "node capacity" overall. Actually, "full" node participation should increase whenever a "participation amount setting" would get implemented in the Bitcoin Core software, because then people who today don't think they have the necessary computer and bandwidth resources to run a full node and therefore don't run a full node at all, would become able to suddenly participate with a "10 %" or maybe even "50 %" node. In the long run, "node participation" would maybe become more centralized, if the bitcoin network usage would grow faster than Moore's Law. But even with a very large amount of "1 (one) % nodes" instead of today's "100 % nodes", I think that the network should always experience having enough nodes to keep functioning smoothly, efficiently and for all practical purposes be decentralized enough to be secure.

shesek1 (1 point, 22 hours ago): What you're asking for isn't really possible.
With pruning we could only save disk space by not holding all the historical blocks, but every full node would still need to hold the entire UTXO set and mempool (requiring RAM), receive all new transactions/blocks (requiring bandwidth) and validate all the new transactions/blocks (requiring CPU).

awemany (1 point, 9 hours ago): What you're asking for isn't really possible. ...yet. Coalescing old UTXOs might in principle constrain the UTXO set long term to basically O(1) (albeit for high values of '1'). Yes, new development, yes, far future, but in principle I do not see any obstacles. And I have seen discussions along these lines in several places.

DakotaChiliBeans (2 points, 15 hours ago): you can already do that sort of with max connections in the bitcoin.conf file.

16:14 < ebfull> gavin's got it in bitcoin-git/smartfee branch
16:43 < midnightmagic> gmaxwell: Is this Raoul Raoul? That guy that shows up when I mention his name? https://bitcointalk.org/index.php?action=profile;u=9477
16:49 < midnightmagic> He must not know about this channel yet.
17:15 < adam3us> had a minor thought about slightly improving committed tx: if you want to decommit (reveal the tx to the network), previously it was discussed as sending it to the network, and as i recall people pointed out a risk that the miners could refuse to validate it and therefore you'd be prevented from compacting utxo and have to respend it in committed form
17:17 < adam3us> however replying to mastercoin about their impact on the bitcoin network thread it occurred to me, the full nodes can validate whether the key decommit is valid to relay, they have the committed tx to compare it to, so they don't need miners
17:17 < adam3us> and a decommit is small, it's just a sym crypto key and the last txid of the committed spend path
17:20 < gmaxwell> ha!
17:20 < gmaxwell> we don't need to have a consensus about your deleted data... so long as we don't authenticate it.
17:21 < gmaxwell> kinda breaks using a committed utxo though, alas.
22:41 < gmaxwell> http://www.smbc-comics.com/?id=3175#comic
23:51 < warren> We're getting complaints of MacOS X corruption from several users now. I didn't get around to posting the bounty in public yet.
23:51 < warren> maybe it's time to define it
--- Log closed Fri Nov 15 00:00:43 2013
--- Log opened Fri Nov 15 00:00:43 2013
00:49 < BlueMatt> definitely
03:02 < gmaxwell> https://bitcointalk.org/index.php?topic=334316.msg3588908#msg3588908
03:02 < gmaxwell> adam3us: ^ you might like that.
03:37 < warren> are we going to stick with testnet3 for 0.9?
03:38 < warren> there was talk of restart earlier
03:38 < warren> (this matters to test code in other implementations)
05:11 < adam3us> gmaxwell: yes good, i am going to post a cross link on another thread to your reasoned explanation
05:15 < adam3us> gmaxwell: unfortunately (because its more technically challenging) it seems cryptographic anonymity is a better Schelling point than mixing - people can look at the mix and see ooh its some % mixed with bad event X - if its mathematically unknowable, they just shrug and say so what its cash, i have identity of my customers, that's all i need to know
05:15 < midnightmagic> You can pretend to say "2% of your coins are tainted."
05:15 < adam3us> gmaxwell: but i agree if & until someone figures out how to do that efficiently we need to blur the taint to meaninglessness by default in most clients
05:17 < adam3us> gmaxwell, midnightmagic: the problem is when people like CoinValidation get in the mix, they create countervailing and potentially viral counter effect where people avoid mixing, rather than increasing mixing. if that happens it may cause a price run of selling tainted coins at lower & lower discounts.
05:20 < gmaxwell> adam3us: yea, there is a symmetry break we need to have, where either privacy is easy and common, or where privacy is mostly useless and only available at great expense.
05:21 < gmaxwell> If only some people use the privacy stuff then everyone will be driven away from wanting to use it for fear of association.
05:22 < gmaxwell> Theymos announced a match on the CJ bounty.
05:22 < gmaxwell> FWIW.
05:23 < adam3us> gmaxwell: btw yday about computational PIR i meant computational variant of multi-node to reduce bandwidth. where n-1 of the n request strings are RNG seeds (there's a footnote in mojonation tech paper about my having suggested it to them). mojo was an agoric p2p anonymous storage system.
ex-mojo people include bram cohen (bittorrent), zooko (tahoe-lafs) they took the bits of mojo and expanded them
05:25 < gmaxwell> adam3us: interesting! I'll look into that. Yea, I'm vaguely familiar with mojonation... I know zooko worked on it. (amusingly zooko asked if I knew about it, and I misheard him, and said no, and he looked so crestfallen. :) )
05:25 < adam3us> gmaxwell: still musing if there is a way to use TD's noisy bloom request to get secure spv searching for sender randomization of static
05:26 < adam3us> gmaxwell: its too simple to read: just instead of sending n random strings that xor to 1 bit remaining, you send n-1 seeds and one random string, no longer info theoretic secure if you can break the stream cipher/rng
05:31 < adam3us> nice matonis (9000 twitter followers) just retweeted via petertodd my rant about coin validation. i think dark wallet are going to reach their funding target. I offered them free crypto advice.
05:34 < petertodd> adam3us: I'm going to their hackathon in a few weeks
05:47 < adam3us> petertodd: cool. people going to vegas conf?
05:47 < petertodd> vegas conf? didn't know there was one
05:52 < warren> I'm considering going to vegas conf.
05:53 < adam3us> http://www.mediabistro.com/insidebitcoins/ i'm not the most in the loop guy - there are 100s of bitcoin conf & I don't know which are the most relevant - just i was going to be in the us anyway so i figured why not
05:53 < warren> not exactly sure how useful it is though
05:53 < warren> quite expensive looking
05:53 < adam3us> warren: hotel is cheap tho $66 in amsterdam it was $100s for a mediocre 2*!
05:55 < adam3us> warren: yes usefulness - the only recognizable names are reiner/armory and charlie lee's brother from btcchina - someone tell me what's the most useful. i have limited idea. there are loads, there was another one in amsterdam 2months after the previous one - they didn't get critical mass interest so canceled.
(they were soliciting speakers)
05:56 < TD> good morning
06:00 < adam3us> we should have a bitcoin wizards BoF: recommended for wizards only - others' heads will spin so they won't get much out of it
06:03 < warren> adam3us: the conference sign up fee is rather large
06:04 < gmaxwell> or we just hold our own conference. :P
06:05 < adam3us> warren: it is, yes just meant its offset by the hotel cost. i paid $930 for 4 nights at a bad 2* for the amsterdam conf. their conf hotel is $66/night
06:06 < warren> 2* ?
06:06 < adam3us> gmaxwell: why not. round up the brains lock them in a room, until they fix fungibility :)
06:06 < adam3us> warren: actually i guess it was 3-star, but it was so bad i mentally graded it as a 2-star missold as 3*
06:09 < adam3us> warren: in malta you can stay at a swank 5* around the corner from me for $110/night - amsterdam is too expensive
06:43 < gmaxwell> $450. :P
06:45 < adam3us> gmaxwell: bay area? right expensive. btw https://bitcointalk.org/index.php?topic=333882.msg3590223#msg3590223 link to your post
06:45 < adam3us> gmaxwell: but maybe sleep :)
06:46 < gmaxwell> Bitcoin price, not hotels.
07:02 < wumpus> sigh... http://www.reddit.com/r/Bitcoin/comments/1qnqn1/a_pledge_i_invite_you_to_help_us_stop_the_threats/ :-(
07:03 < wumpus> some people conflate everything
07:19 < TD> a lot of people don't read
07:19 < TD> it's the very nature of a pitchfork-wielding mob
07:19 < TD> i lolled at the "bitcoin developers are too political .... it should be written in C" post
07:20 < gmaxwell> wumpus: its the sort of thing where you should ignore their words and read their feelings and have sympathy.
07:20 < gmaxwell> This is very important.
07:20 < gmaxwell> ...
07:20 < gmaxwell> Because it's impossible to strangle them over the internet.
07:20 < TD> haha
07:21  * TD is reminded of jwz's "cock shaped sound wave" w.r.t linux video
07:36 < wumpus> watch out we're getting together and going to FORK the project...
well wow, yes that's how open source works, go ahead and do some useful work
07:36 < wumpus> hehehe
07:37 < TD> yeah. over time i've come to realise the importance of communicating ideas in as few words as possible, on the internet. because a lot of people just won't read something if it's long, they'll assume you said what they expect you to have said
07:37 < TD> and then their responses won't make any sense.
07:37 < TD> but sometimes it's hard to sum up complicated ideas in a short space
07:38 < wumpus> well the problem is that there are a lot of ideas here, most of them not so much complicated, but a lot of them, and seemingly people conflate them all into one
07:38 < TD> everyone loves the idea of "us vs them". it's just fundamental to human nature.
07:39 < TD> people like to pick sides and feel like they're fighting for their side
07:39 < TD> whether it's us vs the terrorists, west vs east, anarchists vs the foundation, liberals vs conservatives etc. often these fights don't make a ton of sense but they help people feel belonging
07:40 < wumpus> agreed
07:40 < wumpus> but sometimes it does get on my nerves, we're sort of all on the same side here
07:43 < warren> I just convinced mastercoin's lead dev that their design is 1) stupid 2) at risk of being filtered by BTC pools and messed up 3) unnecessarily pays a tax on every MSC tx to benefit a centralized entity that externalizes costs 4) and could be done with two TXO per tx instead of four.
07:46 < wumpus> I haven't looked at mastercoin yet tbh
07:52 < adam3us> warren: go warren :) petertodd claimed otherwise on their thread, but i think if they use eg committed tx and a side-chain they only need a timestamp from bitcoin main
07:53 < adam3us> warren: (i think peter was pointing out without committed tx, chain has no stake or incentive in any direction for msc)
07:55 < warren> hmm, #3 has no technical reason not to fix, except the centralized entity that created Mastercoin wouldn't support a proposal to change the protocol where they lose perpetual tax income.
07:55 < warren> #4 it is actually possible with one TXO
07:55 < Fistful_1f_LTC> could they still move mastercoin to another independent blockchain ?
07:56 < warren> I'm trying to suggest that....
07:56 < adam3us> Fistful_1f_LTC: I think so ripper123 (mastercoin ceo?) mentioned it himself on the thread
05:25 < adam3us> a real hard problem
05:25 < petertodd> adam3us: ok, so lets bolt-on some anonymity to my txin commitments scheme. heck, with SCIP you'd be done actually - you don't need to show your txins exist, just prove they're real.
05:25 < petertodd> adam3us: remember your comment about how single-coin values would be anonymous...
05:25 < adam3us> petertodd: SCIP might fail the conservative crypto assumption, it seems if you go for it with SCIP there are a lot of options in the SCIP-coin area
05:26 < adam3us> petertodd: yes. got to figure out what structure the private keys need so you can prove ownership of a sub-branch with log (n-k) where n is the number of coins and k the depth of the branch you own
05:27 < adam3us> petertodd: how's txin commitment work? did you write about it on forum?
05:27 < petertodd> adam3us: yeah, so lets ditch SCIP and stick with single-coin methods instead. with txin commitments you can roughly bound proof size without fancy math with demurrage, which is probably needed anyway to have a defined incentive to mine.
05:27 < petertodd> adam3us: heh, I've actually got a draft sitting in mutt that I haven't sent yet on it...
05:27 < adam3us> btw another downside of x-prize is people then get all secretive and competitive - i prefer open design
05:27 < petertodd> indeed
05:28 < petertodd> brb, gonna timestamp #bitcoin-wizards into the blockchain for credit :P
05:28 < adam3us> i wouldnt be surprised if that could be net negative
05:28 < petertodd> yeah
05:28 < petertodd> this is stuff where basic ideas are still being researched - it's not like your typical x-prize which is actually more similar to engineering
05:29 < petertodd> adam3us: you going to submit anything to this: http://fc14.ifca.ai/bitcoin/cfp.html ?
05:30 < adam3us> nope i tend not to do formal publications if i have anything to say i just put a pdf on my website :) also the deadline is quite soon right
05:30 < petertodd> yes, very
05:30 < adam3us> (huge lead time 3months?)
05:31 < petertodd> yeah, and I only found out about it nov 7th myself, which I think would be true of everyone...
05:33 < adam3us> petertodd: the other thing i was wondering is you can still use bloom SPV approach with committed tx
05:34 < petertodd> adam3us: thing with bloom is it makes the assumption that you have this chunk of data, and you scan for txs in it - that's a bad assumption
05:34 < adam3us> petertodd: you just have to dload more; maybe if you put big miners in the payment chain, they can assert to having validated the payment path by their hash
05:35 < petertodd> adam3us: with the original pay-to-ip (or now payment protocol) version of bitcoin you never need to scan the blockchain to find coins (in theory)
05:35 < adam3us> petertodd: because the spender gives them to you
05:36 < petertodd> exactly
05:36 < adam3us> petertodd: well if you're going to do that you can safely use static addresses with a public variant of BIP 32 i posted about. spender adds random value to your address.
Q'=yG+Q
05:36 < petertodd> which opens up a tonne of possibilities
05:36 < petertodd> sure, I mentioned a similar idea using the block hash as the nonce
05:37 < adam3us> petertodd: i was thinking a downside of payment protocol is it implies tighter integration between browser and bitcoin client; browsers are notoriously security buggy
05:38 < petertodd> adam3us: who said a payment protocol needs the browser?
05:38 < adam3us> petertodd: right now you can scan a qr code on a browser
05:38 < petertodd> or just paste a URL into your wallet and let it do the magic
05:38 < adam3us> petertodd: with a smartphone and send the payment via the block chain, malware in the browser cant use the callback as an attack vector on your wallet because it has optical isolation
05:39 < adam3us> petertodd: yes but i mean if the spender has to inform the recipient of the key used because the spender randomized the recipients address (without forcing the recipient to be a full node)
05:40 < petertodd> adam3us: well I'm assuming a payment protocol with positive authentication of who you are sending to
05:40 < adam3us> petertodd: the implication is a send to ip, or hook from wallet to browser http post. send to ip could be ok
05:41 < petertodd> adam3us: yeah, heck, "send via cut-n-paste"
05:41 < petertodd> adam3us: provided the proof of a txin isn't too unwieldy, or at worst click and download a file to import to your wallet. It's all less nice than short addresses, but none of it is a showstopper.
05:41 < adam3us> petertodd: yes i am just saying something semi-related that you can convert a static address into a dynamic address if the sender has a way to notify the recipient of the dynamic address
05:43 < petertodd> adam3us: yeah, so use a prefix-filter rather than bloom filter and implement bitmessage - pick your anonymity set based on how much bandwidth for unrelated messages you can tolerate.
Of course, sender just sends you the addr
05:43 < adam3us> petertodd: or you could do it anyway via broadcast if the recipient is a full node to trial decrypt all dynamic addr payments; does seem like a waste of bandwidth to communicate via broadcast any bits that dont need miner validation
05:44 < adam3us> petertodd: the only reason to not send it direct is if the recipient is a user, who is not online much; then something like bitmessage is more sensible than full broadcast. i think people may be a bit hungup on broadcast as the most robust distributed delivery
05:44 < adam3us> petertodd: you could even email it to them. it is encrypted.
05:45 < petertodd> adam3us: right, but you see where I'm going with that... so if you assume a prefix-filtered broadcast medium, if you just add order to it you've also got txin commitments :P
05:45 < adam3us> petertodd: i think the prefix filter is probably the same thing as what i was calling bloom bait in discussion here with gmaxwell
05:45 < petertodd> adam3us: and yeah, you're totally right that a simple data packet that you send to the recipient, somehow, makes a lot of sense
05:45 < petertodd> adam3us: bloom bait?
05:46 < adam3us> petertodd: eg you put 1 byte of the non-randomized public key as a prefix, then spv clients can ask for such messages from full nodes with some privacy
05:46 < petertodd> adam3us: yeah, exactly that
05:47 < petertodd> adam3us: point is, that's a totally different, and more scalable, mechanism than bloom
05:47 < adam3us> petertodd: bloom bait because the Q'=yG+Q is randomized so badly you have no idea without downloading them all. if you use 1 byte of Q also, your anonymity set is reduced but you reduce your bandwidth by 1/256
05:47 < petertodd> adam3us: also has some potential for attack if not handled well...
05:47 < petertodd> adam3us: yup
05:47 < petertodd> adam3us: and fundamentally anonymity sets are about bandwidth anyway, so that's not a surprising trade-off
05:48 < adam3us> petertodd: eg make an addr with same last byte as your target, and spam it with minimum non-dust payments to sabotage your victims spv ability to find their payment
05:48 < adam3us> petertodd: i was wondering about a multi-node pir solution
05:48 < petertodd> adam3us: yup, which gets to how part of that needs to have clearly defined costs
05:48 < petertodd> adam3us: pir?
05:49 < adam3us> petertodd: private info retrieval ... if you have two machines with a database, you can ask one to xor random bits from the db and the other to xor random bits, but with 1 bit different, xor the 2 results and you have your result but each db knows nothing without colluding
05:50 < adam3us> petertodd: you can make one of the bitstrings be a seed to a prng to halve request bandwidth; there is even some funky stuff where you can have single db pir
05:50 < adam3us> petertodd: but its a bit bandwidth heavy and cpu heavy
05:50 < petertodd> adam3us: ahh
05:51 < petertodd> adam3us: IMO better if you aren't thinking in terms of clients and servers anyway
05:51 < adam3us> petertodd: however all the bandwidth and cpu can be tuned by reducing the anonymity set
05:51 < adam3us> petertodd: yes client is spv client, server is a random selection of full nodes, like spv operation but a different request privacy mechanism than noisy bloom
05:53 < adam3us> petertodd: single db computational pir is kind of amazing that its possible. works via homomorphically encrypted xor
05:54 < adam3us> petertodd: BUT rsa public key encrypted value PER BIT... jeeze (bandwidth) and public key op per db index bit on the server also, result is compact though one public key value
05:55 < adam3us> petertodd: so txin commitments relates to fidelity bonds at a guess?
;)
05:55 < petertodd> adam3us: when you pick a random full node, how do you know they are independent? :P
05:55 < petertodd> adam3us: no, not at all. txin commitments just means the blockchain exists as a mechanism to commit to the txins of a transaction, and transactions are arranged such that the txouts are committed to by the txins
05:56 < adam3us> petertodd: indeed. however its just address linkability - not security. now they are linkable. if you do that with random nodes, and try to avoid being herded to a hostile group of nodes, its an improvement
05:56 < petertodd> adam3us: here, give me a minute and I'll publish :P
06:00 < petertodd> published! hopefully there weren't any glaring editing mistakes I'd forgotten about...
06:01 < petertodd> adam3us: ok, so remember, the key thing about this is that like committed txs in general, you never have to publish the whole tx publicly
06:01 < adam3us> ok
06:02 < petertodd> adam3us: so it is security, just not quite as strong as it could be if you used some more fancy crypto
06:02 < adam3us> petertodd: i do like that you dont publish as it simplifies miner validation. seems to me miner validation is a protocol complexity risk
06:03 < adam3us> petertodd: its better if the distributed signature (global hashing) is focussing on something extremely simple - ordering
18:32 < warren> And p2pool would need to accept any share solutions that come in a short while (maybe 2 seconds) after work switches
18:46 < warren> argh, this isn't as easy as I thought
--- Log closed Thu Mar 28 00:00:09 2013
--- Log opened Thu Mar 28 00:00:09 2013
01:23 < gmaxwell> I googled for 'access oblivious DHT' and got "Penis Extender With Topical DHT"
01:27 < warren> Keep up with the latest street lingo.
01:57 < amiller> gmaxwell i learned all about oblivious merkle trees, it's really interesting
01:58 < amiller> i tried to think of how that would apply to bitcoin but its strange because it hides access patterns for 'reads' as well as writes
01:58 < amiller> which means every time data is *read* from an untrusted service, it has to be rewritten back as well
01:58 < gmaxwell> yea, "oram"
01:59 < amiller> the data has to be encrypted for hiding the access patterns to make sense
01:59 < gmaxwell> I found a new cake-taker in this subfield for "paper doesn't do what it claims": http://www.cs.stonybrook.edu/~petertw/papers/usable.pir.williams.2008.pdf
02:00 < amiller> but maybe it would make sense for reads to be out of scope
02:01 < amiller> and it would only need to be oblivious regarding writes
02:08 < gmaxwell> (The paper claims that it presents a system which makes PIR (like ORAM but for a public database) practical (e.g. cheaper than just sending the whole database) but half way through page 2 you find out that they need a trusted computing oracle (IBM4764) to do it. not at all mentioned in the abstract.
04:59 < gmaxwell> gah. muggle hardly knows how bitcoin works at all, and his first reflex is to use it as a freaking broadcast medium:
04:59 < gmaxwell> 01:57 < Belxjander> topi`: well the only idea I have at the moment is to make an AppEngine python instance where I can pull ticker data from the blockchain...
05:05 < Graet> yeah, interesting concept, but who puts ticker data in for him to pull?
05:06 < gmaxwell> Graet: Where is your robe, wizard hat, and fitting scowl of disapproval?
05:06 < gmaxwell> :P
05:07 < Graet> i have 1 of 3 :P
05:20 < warren> I finally had time to read about the conference. dang. $300 registration fee.
05:20 < warren> roundtrip airfare at that time would be ~$700 right now
05:25 < Graet> only 7 and a bit btc
05:25 < Graet> will cost me ~12 in airfares each way
05:25 < Graet> ;)
05:26 < Graet> but i'd probably fly in one side of the country and out the other ;)
05:27 < warren> I feel really stupid ... my BTC balance is 0.6
--- Log closed Thu Mar 28 07:23:15 2013
--- Log opened Thu Mar 28 07:23:27 2013
14:39 < gmaxwell> I wonder how two nodes could realize that they're both talking to a common third without disclosing who they're talking to each other.
14:40 < gmaxwell> On the subject of how do you prevent sociopaths from running nodes that connect to every other node simply because its cheap for them to do and may confer some imaginary benefit.
14:45 < petertodd> ..or less than imaginary benefit...
14:46 < petertodd> We've both independently come up with p2pool PoW's, so there is that.
14:53 < petertodd> oh, never mind
14:56 < gmaxwell> p2pool has a much stronger usecase for pows though, and a by-definition way of getting them cheaply. :P
14:58 < petertodd> yeah, I'll punt and say "WITH SCIENCE! I mean CRYPTO!"
15:04 < warren> (It also helps that p2pool bogs down if you have too many connections.)
15:14 < gmaxwell> warren: the point for p2pool would be an outright attack... at least for a while it was very common for mining pools to get attacked.
15:15 < warren> Happens every day now for litecoin.
15:16 < warren> gmaxwell: I mean, "On the subject of how do you prevent sociopaths from running nodes that connect to every other node simply because its cheap for them to do and may confer some imaginary benefit." p2pool fails badly if you tried to do that.
15:17 < gmaxwell> indeed, fair enough.
15:17 < warren> mostly an implementation issue
15:17 < warren> you can hack it to do more outgoing connections but it bloats and goes haywire
15:17 < warren> and really slow
15:20 < warren> gmaxwell: someone wrote a script that polls the entire p2pool address list and generates a web page that lists all public p2pool nodes and their fees. He's afraid of releasing it though, for fear of making p2pool a DoS target.
15:27 < petertodd> It's not an absolute protection by any means, but a decent protection would be to encourage alternate network transports, including ones that rely on central services. twitter.com/blockheaders is a funny example, but seriously using Amazon EC2 message broadcast facilities and similar methods would be good
15:29 < gmaxwell> petertodd: agreed there that was also a reason I thought a udp transport would be interesting, though it seems jeff's work is still connection oriented.
15:31 < petertodd> gmaxwell: Yeah, I haven't looked at it in detail, but blockheader data seems particularly suited to UDP.
15:32 < petertodd> gmaxwell: The client should be able to store and compute stuff about raw block headers, some kind of "pending tx data" state.
15:33 < gmaxwell> petertodd: "new block with a verification level of 0"
15:33 < gmaxwell> well I suppose 1. Zero would be totally stateless validation I guess.
15:34 < petertodd> gmaxwell: Yup. "unknown chain with 10 bazillion knownwork"
20:04 < warren> "Bitcoin is a hedge against the entire global currency system." -- Bloomberg Businessweek
20:04 < warren> both funny and scary
21:11 < jgarzik> gmaxwell: UDP need not be connection oriented
21:11 < jgarzik> gmaxwell: That was just a convenient way to solve a few problems
21:12 < jgarzik> gmaxwell: UDP would be great for block headers, but you have to figure out how to know the membership list for receiving a broadcast. You have to avoid amplification attacks inherent in many broadcast/subscription setups.
21:12 < jgarzik> petertodd: ^
21:14 < gmaxwell> jgarzik: sure, you can use cookies to do stateless bidi handshaking to setup an association with no state until the other side has shown its there, for example.
21:14 < jgarzik> gmaxwell: There were also issues with UDP-only CNode's that I did not want to step into, in the current implementation. Needs-TCP-cxn was a cheat way to ensure there is always a CNode, even for UDP.
21:15 < jgarzik> cannot easily feed UDP messages into ProcessMessage() engine without a CNode
21:15 < jgarzik> etc.
21:15 < jgarzik> gmaxwell: agree it's possible, and the UDP implementation actually does a bit with cookies
21:16 < gmaxwell> ::nods:: there should probably be an always up dummy node for "all udp peers" ... though another reason to build the udp stuff as a proxy first. :)
21:19 < BlueMatt> doesnt jgarzik have his own full-node implementation now? why didnt he code udp for that?
21:19 < jgarzik> I was thinking UDP broadcast of: block header + list of transactions
21:19 < BlueMatt> also, wouldnt that have been easier...
21:19 < jgarzik> BlueMatt: because bitcoind is more important? :)
21:19 < BlueMatt> well...ok fair enough
21:32 * BlueMatt seriously wishes the world would move off bitcoind, or...I suppose that the world could move off of bitcoind safely
21:34 < petertodd> jgarzik: bidi == bidirectional?
21:37 < gmaxwell> petertodd: yes.
21:38 < jgarzik> BlueMatt: why? I think bitcoind is the best, most secure full node implementation out there
21:39 < BlueMatt> jgarzik: thats my point, I wish there was a library that was as secure so that we could get easier...stuff
21:39 < BlueMatt> something with reasonable code structure
21:39 < jgarzik> BlueMatt: what... stuff do you want? :)
21:40 < jgarzik> Note that Java is no example of reasonable code structure ;p
21:40 < petertodd> ...and spaces apparently.
:P
21:40 < sipa> i wonder
21:40 < BlueMatt> jgarzik: hell no, I'd like a C library...anyway, look at how hard it is to write your own network layer for UDP
21:40 < BlueMatt> jgarzik: you have limitations based on existing structure
21:41 < BlueMatt> that means something there is too interconnected
21:41 < BlueMatt> and it shouldnt be
21:41 < BlueMatt> also, yes, can we s/ /\t/
21:41 < jgarzik> BlueMatt: I had limitations based on what I could do in 30 minutes ;p
21:41 < sipa> wouldn't it be nice to fork bitcoind, and drop wallet and GUI
21:41 < sipa> and clean up the core
21:41 < BlueMatt> sipa: YES!
21:41 < petertodd> sipa: ACK
21:41 < BlueMatt> or...do that wallet protocol shit luke is always talking about
21:42 < sipa> wallet protocol is for talking with a wallet
21:42 < BlueMatt> nfc if its designed well, but implement the idea
21:42 < sipa> i just don't want a wallet in the first place
21:42 < BlueMatt> yes, pull out wallet and then give it a separate wallet
21:42 < petertodd> Everything related to validation and mining should be in one codebase, and nothing else in that codebase.
21:42 < sipa> to focus on what bitcoind imho should be: the core of the network
21:42 < jgarzik> sipa: certainly makes things easier :) That's my goal with "brd", hidden inside picocoin.git
21:42 < gmaxwell> why do you think I keep trying to get etotheipi to hoist armory onto the RPC? ... I want to dump the reference wallet into his lap. :P
21:42 < BlueMatt> yes, and it can also relay lists of txn and blocks so that wallets can attach
21:42 < petertodd> gmaxwell: sssh! he might be listening!
21:42 < sipa> BlueMatt: meh, wallets just do SPV
21:42 < sipa> done
21:42 < BlueMatt> well, ok fine
21:43 < sipa> or listen to events from a trusted bitcoind
21:43 < sipa> i don't care, really
21:43 < petertodd> Main thing wallets need is the searchable UTXO set. hint hint
21:43 < BlueMatt> how pissed would laanjw be if we did that?
21:43 < sipa> petertodd: hell no
21:43 < gmaxwell> There are some stats and such a wallet would want from its parent fullnode.
21:43 < sipa> petertodd: imho a wallet shouldn't need a thing
21:43 < gmaxwell> petertodd: thats SPV incompatible.
21:43 < jgarzik> sounds like an electrum server/client split ;p
21:43 * jgarzik runs
12:06 < gmaxwell> I expect a lot of value can be added by adding a bunch of tinyram specific peephole optimizations (esp if you know the true cost of various opcodes)
12:06 < realzies> https://docs.google.com/file/d/0Bx3Ty2UX6yDLSnM3aU04YUFSNU0/edit
12:06 < realzies> mmm indeed
12:20 < gmaxwell> realzies: I wonder why they bother keeping the primary input in a tape when they require you to load it into memory in the preamble?
12:20 < gmaxwell> why not just eliminate the preamble and say that the input is in memory?
12:21 < realzies> mmm I mislinked the other pdf: https://docs.google.com/file/d/0Bx3Ty2UX6yDLeUdVODY4M3M4QWM
12:25 < realzies> gmaxwell: maybe that would make unnecessary requirements for the initial memory
12:25 < realzies> ie. now, perhaps, memory is assumed to initialize all-zero
12:25 < realzies> just a guess?
12:25 < gmaxwell> realzies: the preamble effectively creates that requirement.
12:26 < realzies> yeah just read the "initial state" section
12:26 < gmaxwell> I suppose a different prover that still reads tinyram might have a different preamble requirement.
12:26 < petertodd> realzies: congrats!
12:26 < realzies> petertodd: heh, those go to eli
12:26 < realzies> and his team
12:27 < petertodd> realzies: well, for them I just have stunned wonderment...
12:27 < realzies> :D
12:28 < gmaxwell> So, they said that their proofs are 6156 bits for 80 bit security.
12:29 < petertodd> gmaxwell: I'm not sure if sequential vs.
parallel is the issue here - the function should be sequential only, but it should also be something where a big table acts as a trap-door
12:29 < petertodd> gmaxwell: sure it's nice if the defender can compute it in parallel too, but that's not the issue - they only have to have one copy of the trap-door table
12:31 < gmaxwell> if the defender only has one table then can't attackers cooperate to store one table themselves?
12:31 < gmaxwell> e.g. defender has 100 MB, and an attacker has 100MB shared by his 1000 sybils.
12:32 < petertodd> Of course, but the only way they can co-operate sufficiently fast is to just be one machine, and we're back to the fact that a single high-speed, high-bandwidth machine can perform a DoS attack.
12:32 < petertodd> (high # of IPs too)
12:33 < petertodd> I'm just trying to prevent someone from attacking multiple targets at once.
12:33 < gmaxwell> realzies: so I think those numbers do suggest that zk-snarks are viable as a SCRIPTSIG in a blockchain currency on bandwidth,storage grounds.
12:34 < gmaxwell> sadly, a botnet actually has surplus computation. :(
12:36 < petertodd> of course, but doing this does force them to use cpu-time/ram, which gets their resource usage to a point higher than the defenders sum resource usage
12:37 < petertodd> We know we can't win against an arbitrarily large attacker, but we can make the minimum attack resources orders of magnitude higher than they are now.
12:38 < petertodd> Right now it looks like a small number of EC2 nodes would make SPV clients unusable after all...
12:40 < gmaxwell> there are multiple facets of defending against this.
12:41 < gmaxwell> Obviously you can make the attack more expensive.
12:41 < gmaxwell> Another thing would be to make it more easy to moot:
12:41 < gmaxwell> Give every node a second authenticated listening port that you can only connect to if you know some node key.
12:41 < gmaxwell> Give every client the ability to just drop in some addr:node-keys settings.
12:42 < gmaxwell> Then if an attack happens, you obtain keys from a couple friends...
12:42 < gmaxwell> and then you are attackproof
12:42 < gmaxwell> (of course, you could do this before the attack happens too)
12:44 < petertodd> Yeah, you can defend by creating a darknet basically.
12:44 < petertodd> Similarly SPV nodes can simply connect to friends.
12:45 < petertodd> Basically we're just looking for a way to distinguish a valid SPV node from one run by an attacker, and we do that by making it expensive to connect in a way that we can afford.
12:45 < petertodd> You can just as equally ask for SPV nodes to give you a fee-paying transaction, and kick them if it doesn't get mined.
12:46 < gmaxwell> people are spazzy about fees.
12:46 < gmaxwell> I imagine that 10x that _actual_ electricity cost in POW is acceptable over a fee.
12:50 < petertodd> Yeah, but remember we're talking about Android clients here - the cost to do a PoW is huge for them.
12:51 < gmaxwell> I know.
12:53 < realzies> gmaxwell: mmm
12:55 < petertodd> The other nice thing, is if you are thinking about trying to prevent someone from peering with the whole network, you can scale the work/resources required by the % of 1's in the peers bloom filter. (100% if they don't specify one)
12:57 < gmaxwell> sadly, lots of ones in the bloom filter doesn't prevent you from becoming cpu/disk bound.
12:58 < amiller> realzies, any chance you'd share the draft with me
12:58 < amiller> of the tinyram paper
12:58 < amiller> i'll ask permission myself if you don't want to violate implied confidentiality but it shouldn't be a big concern because it has already been peer reviewed
12:58 < petertodd> I'm thinking lots of ones means they'll match on a high % of the transactions, and thus give you visibility to the state of the network.
12:59 < petertodd> IE we want it to cost just as much to act as a full peer to snoop the network, as to act as a few SPV nodes to snoop the network.
12:59 < amiller> realzies, i realized you already pasted link to the tinyram spec, but i mean the crypto 2013 paper snarks for c
13:01 < gmaxwell> amiller: it's the last link.
13:01 < amiller> there's just two links and they're both the same?
13:01 < amiller> except for 'edit'
13:02 < realzies> amiller: I did
13:02 < gmaxwell> 09:21 < realzies> mmm I mislinked the other pdf: https://docs.google.com/file/d/0Bx3Ty2UX6yDLeUdVODY4M3M4QWM
13:03 < realzies> ahh
13:03 < realzies> ^^
13:03 < amiller> i must have pinged out
13:03 < realzies> ty gmaxwell
13:08 < gmaxwell> So their verifier runs in 50ms for input (number of field elements) size 2^6.
13:10 < gmaxwell> (this is on a multicore 2.4ghz opteron box, but I expect that verification time is not parallel)
13:10 < gmaxwell> the proving is slow though.
13:13 < gmaxwell> For a circuit of size 2*10^6 it takes them 66 minutes (and this box has 48 cores)
13:13 < gmaxwell> The circuit size is effectively 1200 * number of tinyram cycles.
13:14 < gmaxwell> (cycles meaning execution time)
13:22 < amiller> how much is that per proof in EC$
13:23 < amiller> assuming all of the coordination issues and latency are solved, and you just have to post an appropriate btc bounty to get the horde to work on it, that's still a lot of power
13:23 < gmaxwell> the proving is highly parallel fortunately.
13:23 < amiller> if you can relate the cost of computing a hash to the cost of one of these field ops, you could bound the number of these per day using the current PoW network
13:24 < amiller> you know, in the idealistic unfathomable case that all the network's Work actually coincides with such proving
13:25 < gmaxwell> I'm unsure as to what model you're imagining where the network is expending computation on proving.
13:26 < gmaxwell> e.g. thats inapplicable to using SCIP as scriptsigs.
13:28 < gmaxwell> I'd say maybe in proving that the transactions in a block are valid...
but that has an unfortunate property of making the POW work proportional to the number of transactions in a block... which is undesirable.
13:28 < gmaxwell> though does create some natural bounds on scalability!
13:28 < gmaxwell> hm....
13:28 < amiller> i don't think it necessarily has that unfortunate property but it's interesting - anyway still even just with the scriptsig case...
13:29 < amiller> the point is it's a lot of work but it's easy to check, so it would be nice to use bitcoin as a way of outsourcing it to the public
13:29 < amiller> vanity address mining is the closest analogy
13:29 < gmaxwell> petertodd: What would happen to the concerns about the blocksize limit if instead block difficulty were diff*f(transactions) ?
13:29 < gmaxwell> amiller: oh thats irrelevant.
13:30 < petertodd> petertodd: Doesn't change anything IMO because diff has nothing to do with censorship-resistant bandwidth.
13:30 < petertodd> er, gmaxwell:
13:30 < gmaxwell> amiller: you do the work for your vanity generation _outside_ of the SCIP environment. Then you use only the SCIP to get a signature of knowledge for a faithful answer.
13:30 < petertodd> gmaxwell: On the other hand, I *really* like jdillon's voting scheme.
13:31 < gmaxwell> petertodd: F() might as well be a function matching the two.
13:32 < petertodd> gmaxwell: If diff has anything to do with it, people can make it irrelevant by voting with diff taken into account.
13:33 < gmaxwell> petertodd: Was this a proposal to use PoS to vote for parameters like that?
13:33 < petertodd> gmaxwell: Yes, and a very cleverly done one that can't be manipulated by miners.
13:34 < gmaxwell> petertodd: the thing I don't like about that (ignoring solving the censorship problems) is, of course, that reduces to "give mtgox or blockchain.info unilateral say".
13:34 < gmaxwell> Current control over funds is not exactly 1:1 with empowering the users of bitcoin.
13:34 < gmaxwell> Uh, but it's probably better than letting miners pick.
13:34 < gmaxwell> How does John solve the problem of miners denying suffrage?
13:34 < petertodd> gmaxwell: Basically, your vote is what *enables* a miner to prove to the world that the people holding Bitcoins want the blocksize to be something. A txout without such a vote is a vote for the status quo, and txouts age over time to account for lost coins. (after one year)
13:35 < petertodd> gmaxwell: Basically the scheme recognizes that miners can always reduce the blocksize limit, but forces them to prove consent of bitcoin holders to raise it.
13:36 < gmaxwell> ah, thats interesting. Making it one-sided removes the censorship risk.
01:26 < adam3us> petertodd: so it is an improvement, but one cant use it for bitcoin mining as that is first-past-the-post and this has a progress; though it could be ok for other proof of sacrifice
01:27 < petertodd> adam3us: Is it the best known way - in terms of proof-size - to combine multiple proof-of-foo's?
01:27 < adam3us> petertodd: best I've seen yes
01:29 < petertodd> adam3us: OK. See, I've been thinking about proof-of-stake stuff, and it seems to me that one way to give a proof-of-stake-using blockchain SPV verifiability would be to use some kind of proof-of-? combining algorithm.
01:30 < petertodd> adam3us: Proof-of-stake needs a random beacon anyway, so use it to control what part of the merkle tree of previous stake proofs is revealed.
01:31 < adam3us> a space efficient way to prove stake
01:31 < petertodd> Exactly
01:31 < adam3us> petertodd: i guess you need to prove possession of the private keys, and you could just bundle all your money onto one address and then sign with that?
01:32 < petertodd> I've got a tentative design for a way to do distributed consensus based on having nodes pick a subset of the UTXO space to store and verify, and using proof-of-utxo-possession and proof-of-stake combined for the proof-of-? function.
01:32 < jgarzik> petertodd, technically speaking, "fee" can be anyone-can-spend or miner's fee.
I'm ok with either. Want to avoid burn-the-money sacrifice. 01:32 < adam3us> petertodd: or if you do it in parts, using this approach, if the number of stakes is not a power of 2 it may not fully accurate (only to the nearest power of 2?) 01:32 < petertodd> jgarzik: yup, so make it anyone-can-spend and we're good and have small proofs. 01:33 < amiller_> adam3us, in that paper the subsolutions have to be computed sequentially 01:33 < adam3us> petertodd: proof of holding the utxo set could be pretty useful to prevent willfully ignorant miners 01:34 < amiller_> the proof is basically a short sample of the work after you've done it 01:34 < petertodd> adam3us: Yes, even Bitcoin is going to need it because with UTXO proofs in the coinbase you can do distributed low-bandwidth mining without verification. 01:35 < petertodd> adam3us: A nice way to mine anonymously regardless of what the blocksize is, but it undermines the 51% attack security badly. 01:35 * jgarzik makes "anyone can spend" explicit 01:36 < amiller_> there's no good proof of holding the utxo set until you build it into the proof-of-lotto-whatever 01:36 < amiller_> if it's separate it will just be cheaper to have someone lie for you 01:36 < adam3us> amiller_: ok, but only to the extent that parents have to be calculated after their children 01:36 < petertodd> adam3us: power of 2? 
I should be able to modify that paper to allow for uneven proof values 01:36 < petertodd> adam3us: then add zero-value padding or whatever 01:36 < amiller_> adam3us, no you have to do sequentially as well 01:37 < adam3us> petertodd: probably 01:37 * amiller_ rereads more carefully to make sure 01:37 < amiller_> if not then the way i have in mind is better anyway 01:37 < amiller_> basically the leaves have to be computed sequentially 01:37 < amiller_> and you have to build a merkle tree on top of all the leaves 01:37 < amiller_> and then the proof is a sample of those 01:38 < adam3us> amiller_: the leaves are h(i||s) s is service string, i is node number 01:38 < petertodd> amiller_: Yeah, and for my application the proof-of-holding-the-utxo set needs to really be a proof-of-work in itself to serve as a random beacon; kinda like scrypt in a way. 01:39 < petertodd> amiller_: I was thinking at the very bottom of the merkle sum tree for the UTXO set compute H(utxo | H(block header | nonce)) and call that computation the proof-of-work. 01:40 < petertodd> amiller_: s/block header/prevblockhash/ actually 01:40 < adam3us> amiller_: you could force it to be sequential eg h_i = h(h_{i-1}||s) for the leaves 01:40 < adam3us> amiller_: but why? to make it less parallelizable? 01:41 < petertodd> amiller_: likely with an additional scrypt like thing to make nonce sequential and random access in some way 01:41 < petertodd> amiller_: but defeating ASIC UTXO implementations is optional 01:41 < amiller_> yeah to make it less parallelizable i guess 01:41 < amiller_> if less parallelizable is a goal, which is often is for pow 01:42 < petertodd> Given I'm thinking about including proof-of-stake, I'm certainely leaning against ASICs... 
:) 01:42 < adam3us> amiller_: i figured its a bit unproductive because you can always parallelize non-interactive problem by creating lots of problems and runnng them in parallel 01:43 < adam3us> amiller_: it might make asic a little more difficult 01:44 < amiller_> yeah i think you're right now 01:44 < amiller_> i can't remember what it is i had in mind then. 01:44 < petertodd> adam3us: yeah, a proof-of-work for a crypto coin *must* be parallizable to some degree, or you can't have decentralized mining. But you often want the minimum economic production unit to be "one standard CPU + ram" rather than "250um^2" of silicon 01:44 < amiller_> but yeah the idea (i thought was in this paper) was to reduce variance by having the work involve incremental progress 01:45 < adam3us> amiller_: it could make cheating a bit harder (not compting all nodes) especially if the recipient could expect preimage of leaves randoly also 01:45 < petertodd> amiller_: *while* still keeping proof size small. 01:46 < adam3us> there is progress, and it is partially ordered because of the tree, so the result is reducing variance even tho there is some order flexibiliy 01:47 < amiller_> hmm... so i guess then it's fine just there's no reason to make it sequential since that doesn't really reduce parllelism anyway 01:48 < adam3us> petertodd: its a bit related (asic unfriendly pow) i was thinking eg many hash functions (sha1, ripemd, etc) say 64 hash functions; then selecting which hash function to use based on the beacon, or just based on incrementing counter 01:49 < adam3us> the other thing for asic unfriendly is some dynamic behavior, if which operation to execute is data dependent thats CPU behavior 01:49 < petertodd> adam3us: All that does is changes the minimum economic production unit from, say, 50um^2 to ~1500um^2. If anything it could make the ASIC problem worse by increasing the barriers to entry. 
01:49 < adam3us> amiller_: i do like their concept of keeping proof size small, that seems likely reusable
01:49 < amiller_> why not just say you want it to be optimal for intel cpus
01:49 < amiller_> and then find some benchmark for intel x86 cpus
01:50 < amiller_> whatever it is they do that they're best at and optimized for and nothing else can dollar for dollar beat them at
01:50 < amiller_> and then build a proof of work around sampling that functionality
01:50 < amiller_> if that's the goal
01:50 < petertodd> adam3us: I *really* think you want solidly memory hard functions where the vast majority of resources are tied up in silicon to store data.
01:50 < adam3us> i think so yes; eg just choose x86 instructions randomly and execute them, hash the result or something like that
01:51 < adam3us> but gpus are better cpus - most of the silicon in a cpu is wasted on single thread performance optimizations
01:51 < adam3us> so i think maybe better to optimize gpus
01:51 < petertodd> adam3us: At least then the best hashes/$ solutions will be met by implementations that take a bunch of memory and wire it up to many cheap microprocessors - something easily doable on a cottage industry level; PCB design and layout is easy.
01:51 < amiller_> imo the only thing that makes sense is to make the pow exercise some functionality we actually *care* about, which basically means utxo proofs
01:52 < adam3us> memory hard i am not sure; cant an asic include the optimal amount of ram also; or 100-port RAM or something special
01:52 < amiller_> everything else is goofy
01:52 < petertodd> adam3us: They can, but then the ASIC looks like a memory chip and isn't much cheaper than one.
01:53 < adam3us> petertodd: i was thinking many ported memory could be a problem
01:53 < amiller_> hrm i have no idea how many ported ram works
01:53 < adam3us> petertodd: it allows massive reuse of ram, which normal memory doesnt provide
01:54 < amiller_> what do SSDs perform like, vs many ported ram and 'normal' ram
01:54 < adam3us> amiller_: much video ram is dual ported - two independent access channels
01:54 < petertodd> adam3us: Right, but that's why you want to ensure that the problem is random-access-bandwidth limited.
01:54 < petertodd> adam3us: Reuse doesn't do you any good if the data in ram changes constantly.
01:54 < adam3us> petertodd: well thats my point if a normal ram has 4 channels etc, ok; but if i can access 1024 ports simultaneously
01:55 < amiller_> that's really interesting
01:56 < petertodd> adam3us: Although, for a UTXO proof-of-possession/pow hybrid that's an interesting point... your optimal design would likely be a set of multi-ported ram holding the master copy of the UTXO set, which has multi-port access to the slaves which are changed at every new cycle... hmm...
01:56 < petertodd> adam3us: For a pure scrypt-like it's not an issue, but here it is.
01:56 < adam3us> i guess my meta point is never underestimate hardware guys; you can optimize anything in hardware, and its always possible to do better than software
01:57 < adam3us> i'm not a hardware guy, but i did hear there were people working on scrypt asics
01:57 < petertodd> adam3us: I *am* a hardware guy, and that's just not true, at least if you want a large performance/$ increase.
01:58 < gmaxwell> maybe it would help if you were clear about what kind of performance improvement you're talking about.
01:58 < petertodd> gmaxwell: 10x
01:58 < adam3us> right, the best you can hope for is the perf/$ increase is modest
16:57 < ebfull> i'll try changing it to simulate larger miners
16:57 < adam3us> ebfull: sounds good might be interesting to know what gamma is achievable (ratio of race wins) with realistic latency as cribbed from pool operators
16:57 < adam3us> ebfull: i predicted worse than 50%
16:58 < ebfull> what did you write your simulator in?
16:58 < adam3us> ebfull: which makes profitable alpha (hashrate percent) of between 25% and 33%
16:58 < adam3us> ebfull: C
16:58 < adam3us> ebfull: but it sucks so i abandoned it - you really need to consider triple collisions and such things so my structure was bad
16:59 < ebfull> i considered writing one in c, but i wanted other people to be able to rapidly prototype ideas and changes to the simulation
16:59 < ebfull> i can make this javascript one fast enough for smaller simulations but i probably should write a better one
17:00 < ebfull> i also liked being able to throw in d3 (for graph rendering)
17:00 < ebfull> should i continue with this javascript one or work on a new one
17:00 < amiller> i like the javascript one tbh
17:00 < amiller> it's presentable, that's the main advantage and that's huge
17:01 < amiller> i haven't looked at your code to comment on whether it's flexible/maintainable/presentable so i have no idea what effort is required to add new little features
17:01 < adam3us> ebfull: wow graphics, wasnt expecting that, mine being written by me was a unix console app :)
17:01 < ebfull> it's definitely a mess but i can clean it up well
17:01 < ebfull> ya haha
17:02 < ebfull> you can turn them off if you don't care about them though
17:02 < ebfull> they can use up browser memory
--- Log closed Sat Nov 09 00:00:49 2013
--- Log opened Sat Nov 09 00:00:49 2013
04:09 < adam3us> gmaxwell: miner can instead try to find p' that satisfies [H(p')+H(p'||2)]*G =? Q'
04:11 < gmaxwell> 01:08 < adam3us> gmaxwell: but i think x=H(p), Q=xG, b=H(p||2), Q'=xG+bG=(x+b)G, is Q itself is grindable and you give Q to the kdf miner
04:12 < gmaxwell> I'm suggesting that the private key is x+b+z
04:13 < gmaxwell> and z is the index found by starting with xG and incrementing until you reach the first distinguished point (By some well known scheme).
04:13 < adam3us> gmaxwell: yes sorry that was incorrectly written
04:14 < gmaxwell> yea, it's not (statistical) zero knowledge.
04:15 < adam3us> gmaxwell: x=H(p), Q=xG, b=H(p||2), Q'=xG+bG=(x+b)G kdf miner finds Q'+zG/2^k?=0 tells user z
04:16 < adam3us> gmaxwell: seems similar to https://bitcointalk.org/index.php?topic=311000.msg3402287#msg3402287
04:16 < gmaxwell> yea, the downside is that the kdf miner says screw you and searches for your passphrase instead. :P worse, he doesn't have to solve the hardening to do it.
04:16 < gmaxwell> so a system which was randomly blinded and thus zero knowledge would be better.
04:17 < gmaxwell> e.g. if your passphrase just has 16 bits of entropy, he just searches for a passphrase that gives the right Q' query.
04:17 < adam3us> gmaxwell: that one was one-use is a stretched sig instead of a stretched kdf
04:22 * gmaxwell -> bed
04:23 < adam3us> 'night
08:42 < adam3us> gmaxwell: btw the point of stretched public key / signature in https://bitcointalk.org/index.php?topic=311000.msg3402287#msg3402287 is its offline wallet compatible unlike the blind/unblind there is no unblind step so no need for 3 msg flow (blind, (kdf), unblind, sign), verify, it becomes (sign), kdf/verify the first signature verify is expensive
--- Log closed Sun Nov 10 00:00:56 2013
--- Log opened Sun Nov 10 00:00:56 2013
16:23 < adam3us> hmm did people see this comment in bytecoin's thread about selfish-miners:
16:23 < adam3us> HanSolo said "For block-height ties, prefer the block whose locally-observed arrival time is closest to its internal timestamp."
16:23 < adam3us> that seems quite elegant and simple as a way to frustrate racing
16:25 < adam3us> there is a time in the coinbase, and a side effect of selfish withholding is that the time becomes stale; conversely if a selfish miner tries to correct by putting a futuristic time, it may overshoot and have a not-yet valid time
16:36 < Luke-Jr> indeed, I do like that idea
16:37 < Luke-Jr> but I may be biased since BFGMiner is probably the only miner that actually keeps the ntime header accurate :P
16:37 < adam3us> oh i suppose many of the asic miners load up a static coinbase and dont want to reload as they have slow start time and lose mining duty cycle by updating time...hmm thats unfortunate
16:46 < adam3us> think thats fundamental or tough luck?
16:46 < adam3us> a small dis-economy of scale for asic miners
16:48 < gmaxwell> Does it really help that much? it still leaves you with the weird incentive that you can keep mining at the current block and replace a later announcement.
16:49 < gmaxwell> er earlier announcement.
16:49 < gmaxwell> e.g. say the earlier announcement wasn't so close (due to latency, whatever, and you have many observation points)
16:49 < gmaxwell> you're better off keeping mining at this block with your time set somewhat forward and then announcing when you'll nail the time.
16:50 < gmaxwell> plus you create huge incentives to slightly skew nodes' times... potentially making the whole network britally dependent on ntp for subsecond accuracy.
16:52 < gmaxwell> oh the memory pool idea is interesting!
17:02 < gavinandresen> yes, very interesting ByteCoin is always worth listening to
17:05 < gavinandresen> If we start relaying all valid chains (not just first one we've seen) then I'm not sure what will happen. There are lots of possible reasonable policies for choosing between two chains of the same height
17:06 < Luke-Jr> adam3us: no, it's mostly a software thing
17:06 < gavinandresen> I could imagine: pick the chain with the most transactions (discourage miners who mine single-transaction blocks). ByteCoin's algorithm. Pick one at random (Eyal/Sirer suggestion). Pick the one you saw first.
17:07 < gavinandresen> My intuition is that decision should be left up to miners, and that it is best if miners are somewhat uncertain what policy or policies other miners are using to decide.
17:07 < Luke-Jr> gavinandresen: might have to write code to fabricate dummy transactions so blocks get priority then..
17:08 < gmaxwell> Luke-Jr: answered by uncertainty.
17:08 < Luke-Jr> gavinandresen: how about pick the one with the most elevens in the hash?
17:08 < gavinandresen> I know how much engineers LOVE uncertainty
17:08 < gmaxwell> E.g. if the network used most txn then that would be the case, and it would have bad anti-convergence outcomes. If only _some_ miners did, thats another matter.
17:08 < gavinandresen> Oooh! Elevenses!
17:09 < gmaxwell> But I don't think we have enough mining distribution to actually make uncertainty useful... you really only care about the policy of a super majority.
17:09 < Luke-Jr> I suppose realistically, it's a miner-specific policy in the end
17:09 < Luke-Jr> would be nice if there was a way to kick miners who insisted on using "bitcoind defaults"
17:09 < gmaxwell> plus at least today it's very hard to get most miners to adopt non-standard policy.
17:09 < Luke-Jr> force them to make some decisions
17:09 < gavinandresen> gmaxwell: it'd be pretty easy to code up three or four policies and pick one at random in the reference implementation if miner doesn't choose.
17:10 < Luke-Jr> would it be bad to block off getblocktemplate and getwork if the miner didn't set options?
17:10 < gavinandresen> Of course, if there is one we think has the most desirable properties then that could be default
17:10 < gmaxwell> I wish people accepting 1 confirmed transactions didn't seem to be so common now. :(
17:10 < gavinandresen> Forcing miners to choose is something I've been thinking about with respect to minimum acceptable fees/priority, too.
17:10 < gmaxwell> (because this sort of thing will increase the incidence of 1/2 high reorgs)
17:13 < Luke-Jr> gavinandresen: think something like that is simple enough to be merged easily?
17:14 < gavinandresen> something like what? block-tiebreaking logic? The hard bit is relaying orphans depending on how we do it
17:14 < Luke-Jr> gavinandresen: denying GBT/getwork unless the mining options are explicitly set
17:14 < Luke-Jr> maybe with an error message that suggests random values (within reasonable ranges) as an example
17:15 < gavinandresen> Luke-Jr: I'd vote yes for that, I don't think it would be very controversial, it goes along with the whole "dev team shouldn't make policy decisions" notion
17:16 < gavinandresen> recommendations, yes, decisions, no
17:16 < Luke-Jr> as things stand right now with most pools, any recommendations will be decisions in practice :/
17:17 < gmaxwell> I don't think any tiebreaking schemes should be offered without simulation results showing they don't produce much more/larger reorgs. We can't get away with offering someone that will cause harm saying that we're not making policy, since many people will take the fact that we distributed it as proof that its good.
17:17 < midnightmagic> +1 analyses
17:17 < gmaxwell> also, if we're not able to make a strong recommendation, how are those pools to decide?
17:18 < Luke-Jr> we could recommend ranges
17:18 < gmaxwell> Most of the pool operators know less about how this works than we do collectively. (If nothing else, they are one or two man operations who have a lot more to worry about than their bitcoind)
17:18 < gavinandresen> yup, agreed
17:19 < gmaxwell> Luke-Jr: I suspect that would work okay for some things perhaps not others.
17:19 < gavinandresen> all of this is not high on my personal priority list, so I welcome analyses and simulation and debate
17:19 < gavinandresen> as long as it doesn't suck up a ton of my time...
13:48 < amiller_> eh i'm sort of wrong, anyway this is my favorite summary http://emsec.ruhr-uni-bochum.de/media/crypto/attachments/files/2011/04/becker_1.pdf
--- Log closed Sun Mar 03 14:17:21 2013
--- Log opened Sun Mar 03 14:17:26 2013
14:17 !niven.freenode.net [freenode-info] channel trolls and no channel staff around to help? please check with freenode support: http://freenode.net/faq.shtml#gettinghelp
14:31 < HM> amiller_: yeah it's interesting
14:31 < HM> blinding is also interesting
14:32 < HM> although i have a crypto scenario i wanted to apply blinding to but apparently can't
14:37 < HM> amiller_: thanks for the merkle paper
14:38 < HM> I think there's a crossover between the SRP protocol and the blinding method in that Kong paper
14:38 < amiller_> np i like dumping links to papers it helps me to keep references cycling in my head
14:39 <@sipa> ha
14:42 < HM> I have a scenario where i thought I could use D-H to establish a shared key, but obviously you need 1 private key available
14:42 < TD> by the way, i was able to obtain something that claims to be a threshold RSA implementation
14:42 < TD> if someone wants to play with splitting of signing keys let me know, otherwise i'll try it at some point
14:43 <@sipa> dobyou have a link, TD?
14:43 <@sipa> do you
14:43 < TD> no
14:43 < TD> it was emailed to me by a researcher i contacted
14:43 < TD> so i'd have to send you the same attachment
14:44 < TD> or i could upload it somewhere
14:44 < TD> even better, it's a subcomponent of a larger codebase, which claims to be a "byzantine fault-tolerant state machine replication system"
14:45 <@sipa> i searched for such a thing, but couldn't find anything about it
14:45 < HM> i thought it'd be possible for Alice to force Bob to compute b*aG, but if they know you're doing so and know aG they can still return b*xG where x is anything of their choosing.
14:45 <@sipa> somehow i'd be surprised that it would be possible on (unmodified) RSA and not be known
14:46 < HM> blinding only works when the blinds (or whatever you call them) are truly random
14:46 < HM> afaict
14:46 < TD> the Shoup paper from 2000 describes how to do transparent threshold RSA
14:46 < TD> so it appears to be an implementation of that
14:47 < TD> hmm
14:47 < TD> actually, the Shoup paper says that whilst the signatures have the same format, there are constraints on the keys
14:47 < TD> which would be problematic for splitting existing code-signing keys
14:47 < TD> let me see
14:56 < TD> academic code. lovely :)
14:58 < TD> i'm being a bit unfair
14:58 < TD> it seems to be fairly well documented, even though the code was clearly written by people who looked at openssl and said "what a fine API, let's copy that"
14:58 <@sipa> haha
14:59 < HM> macros! what a novel idea! there should be a paper on how to abuse these
14:59 <@sipa> HM: you know repeated application of the c preprocessor is turning complete :p
14:59 <@sipa> turing
15:00 < TD> you know when all defined structures use single-letter variable names, you're dealing with something a bit retro
15:00 < TD> this is from 2004 though
15:00 < HM> errm, is it?
15:01 < HM> i know C++ templates are but i thought the macro language lacked the necessaries
15:02 < TD> yes
15:02 < TD> it expects to be able to generate its own keys. hmm.
15:04 < TD> annoying. android has no support for key rotation. so it means we'd have to unpublish the old app, publish the new app, notify users to switch and migrate the wallets across
15:10 < TD> hmmm
15:10 < TD> "we do however place some restrictions on the key. it must be a strong prime exceeding l"
15:10 < TD> l is the total number of shares
15:10 < TD> so if there are 5 signers, "a strong prime exceeding 5" would be satisfied by basically any key
15:11 < TD> "the modulus must be the product of two strong primes"
15:11 < TD> isn't this just a statement of requirements on a normal RSA key?
15:17 < HM> sounds like it
15:18 < HM> so this is a public key based secret sharing scheme?
15:27 < TD> HM: yes. http://www.shoup.net/papers/thsig.pdf
15:33 < TD> hmmmm
15:34 < TD> maybe there is a difference
15:34 < HM> does this scheme still require that the entity doing the final sign keep all the shares it handles confidential?
15:34 < TD> modulus = p'q' where p = 2p' + 1
15:34 < TD> same for q
15:34 < TD> HM: no.
15:34 < TD> HM: that's just doing a Shamir's secret share on the private key
15:34 < TD> this is different
15:34 < HM> right. okay
15:35 < TD> you split a key, and then to calculate signatures the private key never needs to be recombined
15:35 < TD> oh, no, sorry
15:35 < TD> modulus = pq as normal.
15:35 <@sipa> TD: sounds like a Sophie Germain prime
15:36 < TD> m=p'q'
15:39 < TD> ok, i give up trying to understand the details of this scheme
15:40 < TD> it says at the start it is "exceedingly simple" and then takes nearly 4 pages of dense equations to describe it
15:40 <@sipa> haha, sounds academic :D
15:40 < TD> but anyway, as far as i can tell, any "normal" RSA key can be used and the signatures are normal RSA sigs
15:40 < TD> which is exactly what we need, especially on android
15:40 < TD> super
15:41 < HM> hmm the SRP protocol uses the hash of 2 publicly exchanged parameters in the arithmetic
15:41 < HM> I don't understand why
15:43 < TD> SRP?
15:45 < HM> Secure remote password protocol
15:46 < HM> it's a password based mutual authentication scheme
22:32 < nanotube> gmaxwell: i totally am. :)
23:43 < midnightmagic> ... it does exist.
--- Log closed Mon Mar 04 00:00:39 2013
--- Log opened Mon Mar 04 00:00:39 2013
00:13 <@gmaxwell> Why do people keep saying that!
00:15 < midnightmagic> I wasn't expecting it to, because you referred to it as just plain "wizards" which suggested it was off-irc.
00:16 < midnightmagic> i took a random stab and voila
00:19 <@gmaxwell> Well, it was mentioned in full in bitcoin-dev... this is where I've shunted the cryptocurrency rocket science discussion which isn't directly related to current bitcoin. (I'm concerned that excessive OT and rocket-science talk in #bitcoin-dev disenfranchises bitcoin users from keeping track of whats being done to their currency)
00:21 < nanotube> i think this channel is a good idea. :)
00:21 <@gmaxwell> there has been some pretty awesome rocket science talk in here too.
00:24 < nanotube> hehe
00:27 < midnightmagic> I recall you mentioned something about shunting it elsewhere. :)
00:27 < midnightmagic> i think it's a good idea fwiw
00:48 <@gmaxwell> It occurred to me that for the sum-hash-tree stuff that we're not constrained to any particular binary tree geometry, so we should prefer ones that result in each split having half the coins on each side. This minimizes the amount of balance information leaked.
00:49 <@gmaxwell> But we also don't want any branches becoming too long, since that would make the proofs fat.
00:49 <@gmaxwell> I think this can be used to build a suitable tree: http://en.wikipedia.org/wiki/Package-merge_algorithm
00:51 <@gmaxwell> The 'alphabet' is the accounts, the probability of the 'symbols' is balance/total. The length limit would be set to some small multiple of log2(n). The resulting huffman codewords are just the branching decisions in the binary tree.
00:52 <@gmaxwell> amusingly, I saw a nice package-merge implementation a few days ago and thought "what else could I use this for?"
01:23 <@gmaxwell> Another fun thing is that the bank's own balance can be split up any number of ways, since the bank doesn't have to worry about producing compact proofs for it... so it could be divided up to fill in any unmatched branches.
01:25 < petertodd> Although by that point, you almost might as well say the bank's balance is just whatever is in error in the sum tree.
01:28 <@gmaxwell> ::nods:: sure, just trying to maximally conceal the balance distribution. So grafting on (parts of) the bank balance anywhere in the tree that helps is useful.
01:31 < petertodd> One interesting model, would be if multiple entities held their own private keys, with the bank quickly querying them to do the actual signing, in which case the bank's balance is just a set of accounts that happen to have keys associated with them, unlike normal accounts.
01:31 < petertodd> Such entities would have to be on-line to do a trade, but they could provide liquidity basically.
01:31 < petertodd> Might be too complex to explain, but it's interesting.
01:33 <@gmaxwell> (likewise, large accounts which already tend to have short proofs could have their balances split in two, assuming the clients were setup to accept fragmented balance statements)
01:36 <@gmaxwell> (at the limit, you divide every account down to the base units, ... but then the proofs are rather enormous, but you leak nothing under all conditions)
01:39 < petertodd> Yeah, basically the accounts become chaum token amounts...
01:39 < petertodd> Probably simple enough to just have client support for more than one account basically.
01:40 < petertodd> The server doesn't need to know accounts are being split up.
09:35 < HM> ok i've sussed out ECDSA and vaguely key recovery in my head now
09:35 < HM> I'm really enjoying this EC stuff
09:44 < HM> If i'm understanding correctly taking r = (x of kG) mod n means there are 2 possible values of kG for some values of r
09:45 < HM> Still trying to understand how the order of the curves and cofactors and such all tie together
09:45 < HM> but i think this is because the cofactor is 1 for k1
10:06 < HM> sipa's code seems to make sense to me
10:07 <@sipa> wow, you can read that? :p
10:07 < HM> lol
10:07 < HM> despite OpenSSL's api's yes
10:07 <@sipa> i think my implementation of hal's optimization is better openssl-interacting code :)
10:09 < HM> x of (kG) mod N has 2 suitable values on the bitcoin curve. one < n and one > n. so your code uses i to select either r or r+n
10:09 < HM> then computes kG using the curve
10:09 < HM> right?
10:09 < HM> uses 'i'
10:09 < HM> if (!BN_copy(x, order)) { ret=-1; goto err; }
21:51 < BlueMatt> jgarzik: Im seeing lots of dos bans going out on my testnet node as well as a few on my non-listening mainnet node...
21:51 < phantomcircuit> yeah i remember there's one place where mapWallet[] is used and it doesn't check that the transaction is actually in mapWallet
21:51 < gmaxwell> BlueMatt: are they nodes that are sending you empty vins?
21:51 < BlueMatt> gmaxwell: yes
21:52 < gmaxwell> I wish we knew what caused that. Best theory right now is that there is some wallet bug.
21:52 < BlueMatt> did petertodd fix his testnet dnsseed that was apparently broken?
21:52 < BlueMatt> gmaxwell: if only there was a way to message someone based on ip...
21:53 < gmaxwell> BlueMatt: we've actually talked to some people with it, and determined at least one of the people with it had a wallet with an empty transaction in it that it was rebroadcasting.
21:53 < BlueMatt> ahh, fun
21:53 < BlueMatt> before I just restarted my node, I had two peers that were doing so (out of 8)
21:54 < BlueMatt> so it doesnt appear to be uncommon
21:59 < phantomcircuit> BlueMatt, in walletdb.cpp line ~240 the "tx" logic
21:59 < phantomcircuit> you can see that if the transaction is corrupted in any way it will be erased from mapWallet
22:00 < phantomcircuit> im guessing there is something else that fails to check that a tx is in mapWallet before accessing it
22:00 < phantomcircuit> and thus creates a default tx
22:00 < phantomcircuit> which has an empty vin
22:01 < gmaxwell> but then how does that get saved?
22:01 < BlueMatt> maybe its not?
22:01 < gmaxwell> no, I think we know it got saved (e.g. got a wallet file from someone experiencing it)
22:02 < BlueMatt> ok
22:02 < gmaxwell> though perhaps I should grep my logs to be sure.
22:02 < BlueMatt> did you get the actual wallet file, or just reports?
22:02 < phantomcircuit> gmaxwell, when the wallet was flushed all the values in mapWallet are blindly updated i think
22:03 < gmaxwell> BlueMatt: I think sipa got an actual wallet file, but I could be misremembering.
22:03 < phantomcircuit> for example wallet.cpp if(!ExtractDestination(mapWallet[txin.prevout.hash].vout[txin.prevout.n].scriptPubKey, address))
22:04 < phantomcircuit> that would add a default CTransaction if txin.prevout.hash isn't in the wallet
22:05 < BlueMatt> did anyone file an issue for this?
22:05 < phantomcircuit> BlueMatt, no idea
22:05 * BlueMatt doesnt see one, creating
22:05 < gmaxwell> phantomcircuit: hehe. I bet I added that.
22:06 < phantomcircuit> when i was looking at vtxprev i realized that a bunch of the tx records in the wallet are just the default ctor
22:06 < phantomcircuit> and all the vtxprev values are
22:06 < phantomcircuit> 10254401 (Pieter Wuille 2012-05-14 23:44:52 +0200 603) if (ExtractDestination(txout.scriptPubKey, address) && ::IsMine(*this, address))
22:06 < phantomcircuit> sipa, ^
22:06 < phantomcircuit> :)
22:06 < phantomcircuit> fortunately the wallet code is very robust against that type of failure
22:06 < phantomcircuit> so it's not a big deal
22:06 < gmaxwell> yea, well, we're relaying empty txn and our peers disconnect us for that.
22:07 < BlueMatt> should I pull-request a commit to fix
22:07 < BlueMatt> https://github.com/bitcoin/bitcoin/issues/3190
22:07 < gmaxwell> I still don't see how adding empty txn in map wallet should result in that.
22:07 < BlueMatt> oops
22:07 < phantomcircuit> gmaxwell, iirc the resend logic is really simple, it's just, if (tx not confirmed) {send tx}
22:08 < phantomcircuit> it doesn't try to determine whether it's a double spend or invalid or anything
22:08 < BlueMatt> the wallet relay logic specifically prevents the tx from getting verified before relay iirc
22:08 < gmaxwell> yea, we need to improve that generally, as it super highly identifies nodes.
22:08 < BlueMatt> (though somehow I remember removing that and getting it merged, but I dunno)
22:09 < gmaxwell> e.g. if someone sends you an invalid double spend, they're probably the source of the txn.
22:09 < gmaxwell> Or you mutate someone's transaction and then their node will continue to beacon the invalid duplicate forever.
22:09 < phantomcircuit> gmaxwell, or they're the recipient and are the victim
22:09 < gmaxwell> (in fact, the wallet on my laptop is currently doing that)
22:09 < phantomcircuit> either way it means the tx is in their wallet
22:10 < phantomcircuit> brb stealing candy
22:10 < gmaxwell> (because I spent some anyone can spend garbage txn and someone beat me in the race)
22:11 < BlueMatt> phantomcircuit: really? leave the kids alone
22:12 < phantomcircuit> BlueMatt, im taking it from my neighbor
22:12 < gmaxwell> hm actually I have free confirmation 0 txn in my laptop wallet.
22:12 < BlueMatt> is it just me or is 0.8.1 very popular?
22:12 < BlueMatt> is that the version before dust or so?
22:13 < gmaxwell> ah, orphan blocks. :)
22:13 < phantomcircuit> BlueMatt, it's the version which made a significant improvement in performance enough that people stopped noticing
22:13 < gmaxwell> BlueMatt: it's very popular because its what fixed the hardfork 0.8 bug.
22:13 < gmaxwell> 0.8 people moved to for performance, and 0.8.1 people moved to because zomg hardfork.
22:14 < BlueMatt> ahh, and then never upgraded beyond then
22:14 < gmaxwell> If it bothers you, you could resolve that issue with four lines of python ... :(
22:14 < gmaxwell> (it's trivial to crash pre 0.8.4)
22:14 < BlueMatt> wasnt there a security issue or two fixed
22:14 < BlueMatt> yea...thought so...
22:14 < amiller> we did our first run of the entire network connectivity mapper today
22:14 < gmaxwell> double plus if you get a negative nversion txn mined just before, then they won't come back.
22:14 < BlueMatt> you can thank me for that :)
22:14 < amiller> hopefully no one has noticed any weird or harmful transaction patterns
22:14 < phantomcircuit> gmaxwell, the hard part is actually getting a list of active nodes
22:14 < phantomcircuit> heh
22:15 < gmaxwell> amiller: someone was complaining about their node crashing earlier in #eligius, but I assume it's unrelated.
22:15 < phantomcircuit> amiller, whatcha doin
22:15 < gmaxwell> phantomcircuit: luke provides one.
22:15 < amiller> phantomcircuit, i told you a while ago about the first version of our connectivity tester, it's matured a bit since then
22:15 < phantomcircuit> ah
22:16 < phantomcircuit> hmm
22:16 < amiller> but basically we want to go through every pair of nodes we can connect to and determine whether they're connected
22:16 < amiller> (or, whether they're connected via a single other node we can't connect to)
22:16 < phantomcircuit> i'd release mine but it's got a bunch of unrelated attack code in it
22:16 < phantomcircuit> too much effort to sanitize
22:16 < gmaxwell> amiller: can you estimate the size of the network you can't connect to?
22:17 < amiller> we could if the kid who is running this did what i asked but i'm not adminning any system to do so
22:17 * BlueMatt ponders the ethics of pointing one entry in dnsseed to an amiller-scanning node so they get lots of incoming connections too
22:17 < amiller> basically that would just involve having a bunch of long standing nodes
22:17 < gmaxwell> like, we know the size of the connectable network is frighteningly low, but I have hope that the unconnectable network is reasonably large.
22:17 < gmaxwell> BlueMatt: please never do something like that.
22:17 < BlueMatt> thought so
22:17 < amiller> we've estimated it's 30k which matches what everyone says but it's not a great kind of estimate
22:17 < phantomcircuit> amiller, how can you do that beyond just counting incoming connections and extrapolating?
22:17 < amiller> phantomcircuit, yes that's all we can do
22:18 < BlueMatt> gmaxwell: well, for testnet my "dnsseed" is a static list of {my desktop}
22:18 < gmaxwell> BlueMatt: about the furthest I'd go is twiddling to get load on a node for development testing.
22:18 < amiller> the best way to do it would be with planetlab or something, start a bunch of nodes and keep them up a lot
22:18 < phantomcircuit> amiller, then it's basically 4 * 30
22:18 < phantomcircuit> thousand
22:18 < gmaxwell> oh well testnet I don't give a shit about, do whatever with that. :P
22:18 < amiller> the more nodes you have up you can infer
22:18 < phantomcircuit> oh /8
22:18 < phantomcircuit> so ~15k
22:18 < amiller> what i want to do is find the smallest cut
22:18 < BlueMatt> gmaxwell: yea, Ive never even done that, nor do I plan on it
22:18 < phantomcircuit> unless the number of connections a listening node gets has changed significantly
22:18 < amiller> the smallest number of public nodes needed to crash to actually partition the network
22:18 < amiller> or various other metrics i dunno
22:18 < BlueMatt> oh, no, thats a lie, I wanted to crash my node once to debug a memory issue
22:19 < BlueMatt> well, thats all Ive done
22:19 < amiller> really the point is just that the technique for probing connections is really clever
22:19 < gmaxwell> BlueMatt: yea, I recall you doing that for load, I think thats fine.
22:19 * BlueMatt offers node-crashing service for devs who need it :p
22:19 < phantomcircuit> amiller, the question is what % of the network you need to crash to partition some other % of the network
22:19 < gmaxwell> BlueMatt: esp since if you give bad dns data to bitcoinj nodes its trivial to partition them entirely. :(
22:19 < phantomcircuit> the 500ms connect() timeout should probably be increased actually
22:19 < phantomcircuit> the more i think about that the more i think 3000ms is safer
22:20 < gmaxwell> phantomcircuit: it's high for tor, but making it high has other problems.
22:20 < BlueMatt> gmaxwell: heh, yea, there was a bug the other day that the other testnet dnsseed was down and I was moving my server, so they were stuck unable to connect
22:20 < phantomcircuit> gmaxwell, yeah but im saying to make it even higher
01:20 < petertodd> encryption makes public data private data :)
01:20 < amiller> i want my random strings stored, everywhere, and i'll pay good btc for it!
01:21 < amiller> it's not porn, it's just /dev/urandom's greatest hits vols. 15-22
01:22 < amiller> so yeah, how many copies do you want and what are you willing to pay for it
01:22 < amiller> i don't know how to express that.
01:22 < petertodd> Actually, this is pretty easy: use a non-interactive proof to determine the counter-party actually possesses the data, and have them give it to you encrypted, then hand over the encryption key as part of the scriptSig to prove they can spend the reward transaction.
01:22 < gmaxwell> well, if you wait long enough your data will show up in a storage proof. :P
01:22 < amiller> right, extractability :)
01:22 < gmaxwell> like delay line memory.
01:23 < amiller> (although i might have to get the whole thing and not just a block of my choice at a time)
01:23 < amiller> so one thing i've been thinking about
01:23 < amiller> is that in the real world the way things like this are done is by involving some exclusivity
01:23 < petertodd> gmaxwell: You mean Indiana Jones style secure government warehouse memory?
01:23 < amiller> like i have a call for proposals that is announced to the public, then i anonymously select the winner
01:24 < amiller> but then the winner and i have an exclusive arrangement
01:24 < amiller> so they don't have to keep competing
01:24 < amiller> this has some advantages and some disadvantages but really several options should be possible
01:24 < amiller> anyway the part i wanted to mention, that relates to SPV security, is this
01:25 < amiller> it would probably be super expensive if i was trying to pay the whole bitcoin network to be ready to validate my custom PoR proofs
01:25 < petertodd> aside: you can use probabilistic payments with the "data hand over" protocol to pay to get data.
01:25 < amiller> petertodd, that's a good idea.
01:26 < petertodd> Makes it cheap to validate them too, amortized.
01:26 < amiller> anyway so it's hard (without PCP) to fully check the por proof with cryptographic soundness
01:26 < amiller> what's a lot easier is to make an economic argument about work
01:26 < amiller> that if thousands of PoR's are computed
01:26 < petertodd> por==proof-of-reception?
01:26 < petertodd> or proof-of-retainment?
01:26 < amiller> proof of retrieval
01:27 < petertodd> IE, por means I prove I can retrieve some data?
01:27 < amiller> it's basically just like, select a dozen blocks at random and prove you can fetch them and hash them with something
01:27 < petertodd> Yeah, and you don't need PCP at all for that.
01:28 < petertodd> Heck, you could do it with the current scripting language I think had we not disabled the cool opcodes...
01:28 < petertodd> (oh, you'd need OP_BLOCKHASH)
01:28 < amiller> you do sort of need pcp
01:28 < petertodd> why?
01:28 < petertodd> I'm not computing anything
01:28 < amiller> it's the same thing we talked about at some previous point
01:28 < amiller> where if you want to check some sequential thing
01:28 < amiller> the way to do it efficiently is just to check a small sample
01:29 < amiller> but then there could be a small number of incorrect pieces that you wouldn't have super great chance of detecting
01:29 < amiller> PCP is basically about amplifying those errors such that the small sample catches them anyway
01:29 < petertodd> So what? Store the data in the first place with sufficient error correction.
01:30 < petertodd> Same solution, but applied in a way that's simple rather than black magic.
01:30 < amiller> i need to have a sequential proof though
01:30 < amiller> like
01:30 < amiller> at least some number like k iterations
01:31 < amiller> the reason is that in the "puzzle solving" setting, unlike the ordinary interaction setting,
01:31 < amiller> if you draw a nonce that says "go fetch block X5" and X5 happens to be a block that you are skimping out on by not storing
01:31 < amiller> you can just skip that challenge and go on to the next
01:31 < amiller> you don't have to worry about this in the client server setting because the server has to answer all the client's challenges
01:31 < petertodd> No you don't: if I sample, say, 64 totally random samples of the data I have a 50:50 chance of getting away with fraud if I fail to store roughly 1% of the data. So store the data in the first place with an error-correction-code that can handle >1% losses.
01:32 < amiller> the way around this is to make the 64 random samples *sequential*
01:32 < petertodd> That makes things worse, not better.
01:33 < amiller> no because it's pretty cheap to reroll and ask for a new choice of 64
01:33 < petertodd> If they are sequential I can fail to store more of the data by leaving out larger chunks.
01:33 < amiller> sorry not sequential like that
01:33 < amiller> i mean
01:33 < amiller> you have to do the first one
01:33 < amiller> take the hash of that data you just fetched
01:33 < amiller> use that to compute your next challenge
01:33 < amiller> and so on, 64 times
01:34 < amiller> rather than getting to look at all 64 indexes at the beginning to decide if you want to respond to this challenge or ignore it and ask for a new one
01:34 < petertodd> Ah, but who says it has to be cheap? This is a txout script, it can work by first getting the prevblockhash, using that to select the subset, and if you can provide that proof, you get to spend it. Obviously miners are most likely to be able to actually get the tx mined.
01:34 < amiller> that works just as well i guess
01:34 < petertodd> You only get one roll per block, so if you are a miner your incentive is to have the data handy to try to put the corresponding txout in your block.
01:34 < amiller> anyway, still, validating 64 chunks of data?
01:35 < amiller> that might not be too expensive
01:35 < petertodd> It's a trade-off between # of txouts you use to pay people vs. txout size vs. chance your data won't actually get stored.
01:36 < amiller> right
01:36 < petertodd> 64 is very conservative, even just proving one is probably fine
01:36 < amiller> but, this is my new thought for tonight....
01:36 < amiller> SPV suggests an additional way
01:36 < amiller> maybe not everyone has to validate the whole secure PoR
01:36 < petertodd> Although also, multiple proofs in one tx can be more space efficient as the merkle paths share state
01:36 < amiller> for disbursing payment
01:36 < amiller> it may just be enough that you have to do the same amount of work
01:36 < amiller> with a moderate chance of failure
01:37 < petertodd> (merkleized ASTs would be ideal for this you know...)
01:37 < petertodd> yeah, plenty of trade-offs
01:38 < petertodd> the interesting thing is so how many ops do we need to enable/add to make this happen? I'm pretty sure it's just the string manipulation stuff + op_prevblockhash + op_blockheight
01:38 < amiller> good question
01:39 < amiller> (i still don't like the one-try-per-block idea as much as having it be self-selected, but lets assume either case for the sake of this question)
01:40 < amiller> i could do almost the whole thing with just string manipulation and a hash
01:40 < amiller> blockheight or cumulative difficulty probably is important yeah
01:40 < petertodd> yeah, you need that PRNG
01:40 < amiller> especially if there's like a time quality to this
01:42 < petertodd> yeah, and that time quality is really useful
01:42 < amiller> so suppose i wanted to use this
01:42 < petertodd> like, I might want to spend a few years in a cave, and come back and still have my data
01:42 < amiller> yeah
01:42 < amiller> so suppose you preallocate the funds for it
01:42 < amiller> and determine how fast they get spent
01:42 < amiller> it's like setting the puzzle difficulty
01:42 < amiller> do i have a jackpot that rolls over or something
01:43 < petertodd> the txouts act like jackpots kinda, and with op_blockheight they're jackpots that unlock
01:43 < petertodd> so make them frequent enough that the future value isn't discounted too much
01:45 < amiller> so how do people decide to participate in this
01:45 < amiller> it's extra work
01:45 < amiller> and it's potentially competitive
01:45 < petertodd> indeed
01:45 < petertodd> well, write good software so it's turnkey :)
01:45 < amiller> i am willing to assume things that like perhaps people have intelligent mining clients that know about many currencies and opportunities and basically select some portfolio of the best work to engage in
01:46 < petertodd> yeah
01:46 < petertodd> if it's automatic the bar can be relatively low
01:46 < amiller> but what makes a puzzle competitive
01:46 < amiller> or a good deal
01:46 < amiller> i'm starting to think that being able to win some form of exclusivity might be important
01:46 < petertodd> NO
01:46 < amiller> no?
01:47 < petertodd> you want the competition, so that if any given player drops out, there will be backups
01:47 < amiller> yeah
01:47 < petertodd> point is, make the software easy enough that people run it even when the return isn't very high
01:47 < petertodd> the logic should be "Hey! I can make money with this spare harddrive space!"
01:47 < amiller> that's true but not good enough for my standards
01:48 < amiller> because if that's successful then my competition will be other people who are vying for the same storage space!
01:48 < petertodd> it's a decentralized system, you're not going to get better with software
01:48 < petertodd> yes
01:48 < petertodd> whomever can provide the space the cheapest
01:48 < amiller> no i mean
01:48 < amiller> competition among other puzzle-contract-creators
01:48 < amiller> other people trying to purchase storage
01:48 < amiller> how do i make my tx-contract the most attractive deal
01:49 < petertodd> no, this isn't a zero-sum-game
01:49 < amiller> obviously i can pay more money
01:49 < amiller> that sweetens the deal
blk01530.txt blk01531.txt blk01532.txt blk01533.txt blk01534.txt blk01535.txt blk01536.txt blk01537.txt blk01538.txt blk01539.txt blk01540.txt blk01541.txt blk01542.txt blk01543.txt blk01544.txt blk01545.txt blk01546.txt blk01547.txt blk01548.txt blk01549.txt blk01550.txt blk01551.txt blk01552.txt blk01553.txt blk01554.txt blk01555.txt blk01556.txt blk01557.txt blk01558.txt blk01559.txt blk01560.txt blk01561.txt blk01562.txt blk01563.txt blk01564.txt blk01565.txt blk01566.txt blk01567.txt blk01568.txt blk01569.txt blk01570.txt blk01571.txt blk01572.txt blk01573.txt blk01574.txt blk01575.txt blk01576.txt blk01577.txt blk01578.txt blk01579.txt blk01580.txt blk01581.txt blk01582.txt blk01583.txt blk01584.txt blk01585.txt blk01586.txt blk01587.txt blk01588.txt blk01589.txt blk01590.txt blk01591.txt blk01592.txt blk01593.txt blk01594.txt blk01595.txt blk01596.txt blk01597.txt blk01598.txt blk01599.txt blk01600.txt blk01601.txt blk01602.txt blk01603.txt blk01604.txt blk01605.txt blk01606.txt blk01607.txt blk01608.txt blk01609.txt blk01610.txt blk01611.txt blk01612.txt blk01613.txt blk01614.txt blk01615.txt blk01616.txt blk01617.txt blk01618.txt blk01619.txt blk01620.txt blk01621.txt blk01622.txt blk01623.txt blk01624.txt blk01625.txt blk01626.txt blk01627.txt blk01628.txt blk01629.txt blk01630.txt blk01631.txt blk01632.txt blk01633.txt blk01634.txt blk01635.txt blk01636.txt blk01637.txt blk01638.txt blk01639.txt blk01640.txt blk01641.txt blk01642.txt blk01643.txt blk01644.txt blk01645.txt blk01646.txt blk01647.txt blk01648.txt blk01649.txt blk01650.txt blk01651.txt blk01652.txt blk01653.txt blk01654.txt blk01655.txt blk01656.txt blk01657.txt blk01658.txt blk01659.txt blk01660.txt blk01661.txt blk01662.txt blk01663.txt blk01664.txt blk01665.txt blk01666.txt blk01667.txt blk01668.txt blk01669.txt blk01670.txt blk01671.txt blk01672.txt blk01673.txt blk01674.txt blk01675.txt blk01676.txt blk01677.txt blk01678.txt blk01679.txt blk01680.txt blk01681.txt blk01682.txt 
blk01683.txt blk01684.txt blk01685.txt blk01686.txt blk01687.txt blk01688.txt blk01689.txt blk01690.txt blk01691.txt blk01692.txt blk01693.txt blk01694.txt blk01695.txt blk01696.txt blk01697.txt blk01698.txt blk01699.txt blk01700.txt blk01701.txt blk01702.txt blk01703.txt blk01704.txt blk01705.txt blk01706.txt blk01707.txt blk01708.txt blk01709.txt blk01710.txt blk01711.txt blk01712.txt blk01713.txt blk01714.txt blk01715.txt blk01716.txt blk01717.txt blk01718.txt blk01719.txt blk01720.txt blk01721.txt blk01722.txt blk01723.txt blk01724.txt blk01725.txt blk01726.txt blk01727.txt blk01728.txt blk01729.txt blk01730.txt blk01731.txt blk01732.txt blk01733.txt blk01734.txt blk01735.txt blk01736.txt blk01737.txt blk01738.txt blk01739.txt blk01740.txt blk01741.txt blk01742.txt blk01743.txt blk01744.txt blk01745.txt blk01746.txt blk01747.txt blk01748.txt blk01749.txt blk01750.txt blk01751.txt blk01752.txt blk01753.txt blk01754.txt blk01755.txt blk01756.txt blk01757.txt blk01758.txt blk01759.txt blk01760.txt blk01761.txt blk01762.txt blk01763.txt blk01764.txt blk01765.txt blk01766.txt blk01767.txt blk01768.txt blk01769.txt blk01770.txt blk01771.txt blk01772.txt blk01773.txt blk01774.txt blk01775.txt blk01776.txt blk01777.txt blk01778.txt blk01779.txt blk01780.txt blk01781.txt blk01782.txt blk01783.txt blk01784.txt blk01785.txt blk01786.txt blk01787.txt blk01788.txt blk01789.txt blk01790.txt blk01791.txt blk01792.txt blk01793.txt blk01794.txt blk01795.txt blk01796.txt blk01797.txt blk01798.txt blk01799.txt blk01800.txt blk01801.txt blk01802.txt blk01803.txt blk01804.txt blk01805.txt blk01806.txt blk01807.txt blk01808.txt blk01809.txt blk01810.txt blk01811.txt blk01812.txt blk01813.txt blk01814.txt blk01815.txt blk01816.txt blk01817.txt blk01818.txt blk01819.txt blk01820.txt blk01821.txt blk01822.txt blk01823.txt blk01824.txt blk01825.txt blk01826.txt blk01827.txt blk01828.txt blk01829.txt blk01830.txt blk01831.txt blk01832.txt blk01833.txt blk01834.txt blk01835.txt 
blk01836.txt blk01837.txt blk01838.txt blk01839.txt blk01840.txt blk01841.txt blk01842.txt blk01843.txt blk01844.txt blk01845.txt blk01846.txt blk01847.txt blk01848.txt blk01849.txt blk01850.txt blk01851.txt blk01852.txt blk01853.txt blk01854.txt blk01855.txt blk01856.txt blk01857.txt blk01858.txt blk01859.txt blk01860.txt blk01861.txt blk01862.txt blk01863.txt blk01864.txt blk01865.txt blk01866.txt blk01867.txt blk01868.txt blk01869.txt blk01870.txt blk01871.txt blk01872.txt blk01873.txt blk01874.txt blk01875.txt blk01876.txt blk01877.txt blk01878.txt blk01879.txt blk01880.txt blk01881.txt blk01882.txt blk01883.txt blk01884.txt blk01885.txt blk01886.txt blk01887.txt blk01888.txt blk01889.txt blk01890.txt blk01891.txt blk01892.txt blk01893.txt blk01894.txt blk01895.txt blk01896.txt blk01897.txt blk01898.txt blk01899.txt blk01900.txt blk01901.txt blk01902.txt blk01903.txt blk01904.txt blk01905.txt blk01906.txt blk01907.txt blk01908.txt blk01909.txt blk01910.txt blk01911.txt blk01912.txt blk01913.txt blk01914.txt blk01915.txt blk01916.txt blk01917.txt blk01918.txt blk01919.txt blk01920.txt blk01921.txt blk01922.txt blk01923.txt blk01924.txt blk01925.txt blk01926.txt blk01927.txt blk01928.txt blk01929.txt blk01930.txt blk01931.txt blk01932.txt blk01933.txt blk01934.txt blk01935.txt blk01936.txt blk01937.txt blk01938.txt blk01939.txt blk01940.txt blk01941.txt blk01942.txt blk01943.txt blk01944.txt blk01945.txt blk01946.txt blk01947.txt blk01948.txt blk01949.txt blk01950.txt blk01951.txt blk01952.txt blk01953.txt blk01954.txt blk01955.txt blk01956.txt blk01957.txt blk01958.txt blk01959.txt blk01960.txt blk01961.txt blk01962.txt blk01963.txt blk01964.txt blk01965.txt blk01966.txt blk01967.txt blk01968.txt blk01969.txt blk01970.txt blk01971.txt blk01972.txt blk01973.txt blk01974.txt blk01975.txt blk01976.txt blk01977.txt blk01978.txt blk01979.txt blk01980.txt blk01981.txt blk01982.txt blk01983.txt blk01984.txt blk01985.txt blk01986.txt blk01987.txt blk01988.txt 
blk01989.txt blk01990.txt blk01991.txt blk01992.txt blk01993.txt blk01994.txt blk01995.txt blk01996.txt blk01997.txt blk01998.txt blk01999.txt blk02000.txt blk02001.txt blk02002.txt blk02003.txt blk02004.txt blk02005.txt blk02006.txt blk02007.txt blk02008.txt blk02009.txt blk02010.txt blk02011.txt blk02012.txt blk02013.txt blk02014.txt blk02015.txt blk02016.txt blk02017.txt blk02018.txt blk02019.txt blk02020.txt blk02021.txt blk02022.txt blk02023.txt blk02024.txt blk02025.txt blk02026.txt blk02027.txt blk02028.txt blk02029.txt blk02030.txt blk02031.txt blk02032.txt blk02033.txt blk02034.txt blk02035.txt blk02036.txt blk02037.txt blk02038.txt blk02039.txt blk02040.txt blk02041.txt blk02042.txt blk02043.txt blk02044.txt blk02045.txt blk02046.txt blk02047.txt blk02048.txt blk02049.txt blk02050.txt blk02051.txt blk02052.txt blk02053.txt blk02054.txt blk02055.txt blk02056.txt blk02057.txt blk02058.txt blk02059.txt blk02060.txt blk02061.txt blk02062.txt blk02063.txt blk02064.txt blk02065.txt blk02066.txt blk02067.txt blk02068.txt blk02069.txt blk02070.txt blk02071.txt blk02072.txt blk02073.txt blk02074.txt blk02075.txt blk02076.txt blk02077.txt blk02078.txt blk02079.txt blk02080.txt blk02081.txt blk02082.txt blk02083.txt blk02084.txt blk02085.txt blk02086.txt blk02087.txt blk02088.txt blk02089.txt blk02090.txt blk02091.txt blk02092.txt blk02093.txt blk02094.txt blk02095.txt blk02096.txt blk02097.txt blk02098.txt blk02099.txt blk02100.txt blk02101.txt blk02102.txt blk02103.txt blk02104.txt blk02105.txt blk02106.txt blk02107.txt blk02108.txt blk02109.txt blk02110.txt blk02111.txt blk02112.txt blk02113.txt blk02114.txt blk02115.txt blk02116.txt blk02117.txt blk02118.txt blk02119.txt blk02120.txt blk02121.txt blk02122.txt blk02123.txt blk02124.txt blk02125.txt blk02126.txt blk02127.txt blk02128.txt blk02129.txt blk02130.txt blk02131.txt blk02132.txt blk02133.txt blk02134.txt blk02135.txt blk02136.txt blk02137.txt blk02138.txt blk02139.txt blk02140.txt blk02141.txt 
blk02142.txt blk02143.txt blk02144.txt blk02145.txt blk02146.txt blk02147.txt blk02148.txt blk02149.txt blk02150.txt blk02151.txt blk02152.txt blk02153.txt blk02154.txt blk02155.txt blk02156.txt blk02157.txt blk02158.txt blk02159.txt blk02160.txt blk02161.txt blk02162.txt blk02163.txt blk02164.txt blk02165.txt blk02166.txt blk02167.txt blk02168.txt blk02169.txt blk02170.txt blk02171.txt blk02172.txt blk02173.txt blk02174.txt blk02175.txt blk02176.txt blk02177.txt blk02178.txt blk02179.txt blk02180.txt blk02181.txt blk02182.txt blk02183.txt blk02184.txt blk02185.txt blk02186.txt blk02187.txt blk02188.txt blk02189.txt blk02190.txt blk02191.txt blk02192.txt blk02193.txt blk02194.txt blk02195.txt blk02196.txt blk02197.txt blk02198.txt blk02199.txt blk02200.txt blk02201.txt blk02202.txt blk02203.txt blk02204.txt blk02205.txt blk02206.txt blk02207.txt blk02208.txt blk02209.txt blk02210.txt blk02211.txt blk02212.txt blk02213.txt blk02214.txt blk02215.txt blk02216.txt blk02217.txt blk02218.txt blk02219.txt blk02220.txt blk02221.txt blk02222.txt blk02223.txt blk02224.txt blk02225.txt blk02226.txt blk02227.txt blk02228.txt blk02229.txt blk02230.txt blk02231.txt blk02232.txt blk02233.txt blk02234.txt blk02235.txt blk02236.txt blk02237.txt blk02238.txt blk02239.txt blk02240.txt blk02241.txt blk02242.txt blk02243.txt blk02244.txt blk02245.txt blk02246.txt blk02247.txt blk02248.txt blk02249.txt blk02250.txt blk02251.txt blk02252.txt blk02253.txt blk02254.txt blk02255.txt blk02256.txt blk02257.txt blk02258.txt blk02259.txt blk02260.txt blk02261.txt blk02262.txt blk02263.txt blk02264.txt blk02265.txt blk02266.txt blk02267.txt blk02268.txt blk02269.txt blk02270.txt blk02271.txt blk02272.txt blk02273.txt blk02274.txt blk02275.txt blk02276.txt blk02277.txt blk02278.txt blk02279.txt blk02280.txt blk02281.txt blk02282.txt blk02283.txt blk02284.txt blk02285.txt blk02286.txt blk02287.txt blk02288.txt blk02289.txt blk02290.txt blk02291.txt blk02292.txt blk02293.txt blk02294.txt 
blk02295.txt blk02296.txt blk02297.txt blk02298.txt blk02299.txt blk02300.txt blk02301.txt blk02302.txt blk02303.txt blk02304.txt blk02305.txt blk02306.txt blk02307.txt blk02308.txt blk02309.txt blk02310.txt blk02311.txt blk02312.txt blk02313.txt blk02314.txt blk02315.txt blk02316.txt blk02317.txt blk02318.txt blk02319.txt blk02320.txt blk02321.txt blk02322.txt blk02323.txt blk02324.txt blk02325.txt blk02326.txt blk02327.txt blk02328.txt blk02329.txt blk02330.txt blk02331.txt blk02332.txt blk02333.txt blk02334.txt blk02335.txt blk02336.txt blk02337.txt blk02338.txt blk02339.txt blk02340.txt blk02341.txt blk02342.txt blk02343.txt blk02344.txt blk02345.txt blk02346.txt blk02347.txt blk02348.txt blk02349.txt blk02350.txt blk02351.txt blk02352.txt blk02353.txt blk02354.txt blk02355.txt blk02356.txt blk02357.txt blk02358.txt blk02359.txt blk02360.txt blk02361.txt blk02362.txt blk02363.txt blk02364.txt blk02365.txt blk02366.txt blk02367.txt blk02368.txt blk02369.txt blk02370.txt blk02371.txt blk02372.txt blk02373.txt blk02374.txt blk02375.txt blk02376.txt blk02377.txt blk02378.txt blk02379.txt blk02380.txt blk02381.txt blk02382.txt blk02383.txt blk02384.txt blk02385.txt blk02386.txt blk02387.txt blk02388.txt blk02389.txt blk02390.txt blk02391.txt blk02392.txt blk02393.txt blk02394.txt blk02395.txt blk02396.txt blk02397.txt blk02398.txt blk02399.txt blk02400.txt blk02401.txt blk02402.txt blk02403.txt blk02404.txt blk02405.txt blk02406.txt blk02407.txt blk02408.txt blk02409.txt blk02410.txt blk02411.txt blk02412.txt blk02413.txt blk02414.txt blk02415.txt blk02416.txt blk02417.txt blk02418.txt blk02419.txt blk02420.txt blk02421.txt blk02422.txt blk02423.txt blk02424.txt blk02425.txt blk02426.txt blk02427.txt blk02428.txt blk02429.txt blk02430.txt blk02431.txt blk02432.txt blk02433.txt blk02434.txt blk02435.txt blk02436.txt blk02437.txt blk02438.txt blk02439.txt blk02440.txt blk02441.txt blk02442.txt blk02443.txt blk02444.txt blk02445.txt blk02446.txt blk02447.txt 
blk02448.txt blk02449.txt blk02450.txt blk02451.txt blk02452.txt blk02453.txt blk02454.txt blk02455.txt blk02456.txt blk02457.txt blk02458.txt blk02459.txt blk02460.txt blk02461.txt blk02462.txt blk02463.txt blk02464.txt blk02465.txt blk02466.txt blk02467.txt blk02468.txt blk02469.txt blk02470.txt blk02471.txt blk02472.txt blk02473.txt blk02474.txt blk02475.txt blk02476.txt blk02477.txt blk02478.txt blk02479.txt blk02480.txt blk02481.txt blk02482.txt blk02483.txt blk02484.txt blk02485.txt blk02486.txt blk02487.txt blk02488.txt blk02489.txt blk02490.txt blk02491.txt blk02492.txt blk02493.txt blk02494.txt blk02495.txt blk02496.txt blk02497.txt blk02498.txt blk02499.txt blk02500.txt blk02501.txt blk02502.txt blk02503.txt blk02504.txt blk02505.txt blk02506.txt blk02507.txt blk02508.txt blk02509.txt blk02510.txt blk02511.txt blk02512.txt blk02513.txt blk02514.txt blk02515.txt blk02516.txt blk02517.txt blk02518.txt blk02519.txt blk02520.txt blk02521.txt blk02522.txt blk02523.txt blk02524.txt blk02525.txt blk02526.txt blk02527.txt blk02528.txt blk02529.txt blk02530.txt blk02531.txt blk02532.txt blk02533.txt blk02534.txt blk02535.txt blk02536.txt blk02537.txt blk02538.txt blk02539.txt blk02540.txt blk02541.txt blk02542.txt blk02543.txt blk02544.txt blk02545.txt blk02546.txt blk02547.txt blk02548.txt blk02549.txt blk02550.txt blk02551.txt blk02552.txt blk02553.txt blk02554.txt blk02555.txt blk02556.txt blk02557.txt blk02558.txt blk02559.txt blk02560.txt blk02561.txt blk02562.txt blk02563.txt blk02564.txt blk02565.txt blk02566.txt blk02567.txt blk02568.txt blk02569.txt blk02570.txt blk02571.txt blk02572.txt blk02573.txt blk02574.txt blk02575.txt blk02576.txt blk02577.txt blk02578.txt blk02579.txt blk02580.txt blk02581.txt blk02582.txt blk02583.txt blk02584.txt blk02585.txt blk02586.txt blk02587.txt blk02588.txt blk02589.txt blk02590.txt blk02591.txt blk02592.txt blk02593.txt blk02594.txt blk02595.txt blk02596.txt blk02597.txt blk02598.txt blk02599.txt blk02600.txt 
blk02601.txt blk02602.txt blk02603.txt blk02604.txt blk02605.txt blk02606.txt blk02607.txt blk02608.txt blk02609.txt blk02610.txt blk02611.txt blk02612.txt blk02613.txt blk02614.txt blk02615.txt blk02616.txt blk02617.txt blk02618.txt blk02619.txt blk02620.txt blk02621.txt blk02622.txt blk02623.txt blk02624.txt blk02625.txt blk02626.txt blk02627.txt blk02628.txt blk02629.txt blk02630.txt blk02631.txt blk02632.txt blk02633.txt blk02634.txt blk02635.txt blk02636.txt blk02637.txt blk02638.txt blk02639.txt blk02640.txt blk02641.txt blk02642.txt blk02643.txt blk02644.txt blk02645.txt blk02646.txt blk02647.txt blk02648.txt blk02649.txt blk02650.txt blk02651.txt blk02652.txt blk02653.txt blk02654.txt blk02655.txt blk02656.txt blk02657.txt blk02658.txt blk02659.txt blk02660.txt blk02661.txt blk02662.txt blk02663.txt blk02664.txt blk02665.txt blk02666.txt blk02667.txt blk02668.txt blk02669.txt blk02670.txt blk02671.txt blk02672.txt blk02673.txt blk02674.txt blk02675.txt blk02676.txt blk02677.txt blk02678.txt blk02679.txt blk02680.txt blk02681.txt blk02682.txt blk02683.txt blk02684.txt blk02685.txt blk02686.txt blk02687.txt blk02688.txt blk02689.txt blk02690.txt blk02691.txt blk02692.txt blk02693.txt blk02694.txt blk02695.txt blk02696.txt blk02697.txt blk02698.txt blk02699.txt blk02700.txt blk02701.txt blk02702.txt blk02703.txt blk02704.txt blk02705.txt blk02706.txt blk02707.txt blk02708.txt blk02709.txt blk02710.txt blk02711.txt blk02712.txt blk02713.txt blk02714.txt blk02715.txt blk02716.txt blk02717.txt blk02718.txt blk02719.txt blk02720.txt blk02721.txt blk02722.txt blk02723.txt blk02724.txt blk02725.txt blk02726.txt blk02727.txt blk02728.txt blk02729.txt blk02730.txt blk02731.txt blk02732.txt blk02733.txt blk02734.txt blk02735.txt blk02736.txt blk02737.txt blk02738.txt blk02739.txt blk02740.txt blk02741.txt blk02742.txt blk02743.txt blk02744.txt blk02745.txt blk02746.txt blk02747.txt blk02748.txt blk02749.txt blk02750.txt blk02751.txt blk02752.txt blk02753.txt 
blk02754.txt blk02755.txt blk02756.txt blk02757.txt blk02758.txt blk02759.txt blk02760.txt blk02761.txt blk02762.txt blk02763.txt blk02764.txt blk02765.txt blk02766.txt blk02767.txt blk02768.txt blk02769.txt blk02770.txt blk02771.txt blk02772.txt blk02773.txt blk02774.txt blk02775.txt blk02776.txt blk02777.txt blk02778.txt blk02779.txt blk02780.txt blk02781.txt blk02782.txt blk02783.txt blk02784.txt blk02785.txt blk02786.txt blk02787.txt blk02788.txt blk02789.txt blk02790.txt blk02791.txt blk02792.txt blk02793.txt blk02794.txt blk02795.txt blk02796.txt blk02797.txt blk02798.txt blk02799.txt blk02800.txt blk02801.txt blk02802.txt blk02803.txt blk02804.txt blk02805.txt blk02806.txt blk02807.txt blk02808.txt blk02809.txt blk02810.txt blk02811.txt blk02812.txt blk02813.txt blk02814.txt blk02815.txt blk02816.txt blk02817.txt blk02818.txt blk02819.txt blk02820.txt blk02821.txt blk02822.txt blk02823.txt blk02824.txt blk02825.txt blk02826.txt blk02827.txt blk02828.txt blk02829.txt blk02830.txt blk02831.txt blk02832.txt blk02833.txt blk02834.txt blk02835.txt blk02836.txt blk02837.txt blk02838.txt blk02839.txt blk02840.txt blk02841.txt blk02842.txt blk02843.txt blk02844.txt blk02845.txt blk02846.txt blk02847.txt blk02848.txt blk02849.txt blk02850.txt blk02851.txt blk02852.txt blk02853.txt blk02854.txt blk02855.txt blk02856.txt blk02857.txt blk02858.txt blk02859.txt blk02860.txt blk02861.txt blk02862.txt blk02863.txt blk02864.txt blk02865.txt blk02866.txt blk02867.txt blk02868.txt blk02869.txt blk02870.txt blk02871.txt blk02872.txt blk02873.txt blk02874.txt blk02875.txt blk02876.txt blk02877.txt blk02878.txt blk02879.txt blk02880.txt blk02881.txt blk02882.txt blk02883.txt blk02884.txt blk02885.txt blk02886.txt blk02887.txt blk02888.txt blk02889.txt blk02890.txt blk02891.txt blk02892.txt blk02893.txt blk02894.txt blk02895.txt blk02896.txt blk02897.txt blk02898.txt blk02899.txt blk02900.txt blk02901.txt blk02902.txt blk02903.txt blk02904.txt blk02905.txt blk02906.txt 
blk02907.txt blk02908.txt blk02909.txt blk02910.txt blk02911.txt blk02912.txt blk02913.txt blk02914.txt blk02915.txt blk02916.txt blk02917.txt blk02918.txt blk02919.txt blk02920.txt blk02921.txt blk02922.txt blk02923.txt blk02924.txt blk02925.txt blk02926.txt blk02927.txt blk02928.txt blk02929.txt blk02930.txt blk02931.txt blk02932.txt blk02933.txt blk02934.txt blk02935.txt blk02936.txt blk02937.txt blk02938.txt blk02939.txt blk02940.txt blk02941.txt blk02942.txt blk02943.txt blk02944.txt blk02945.txt blk02946.txt blk02947.txt blk02948.txt blk02949.txt blk02950.txt blk02951.txt blk02952.txt blk02953.txt blk02954.txt blk02955.txt blk02956.txt blk02957.txt blk02958.txt blk02959.txt blk02960.txt blk02961.txt blk02962.txt blk02963.txt blk02964.txt blk02965.txt blk02966.txt blk02967.txt blk02968.txt blk02969.txt blk02970.txt blk02971.txt blk02972.txt blk02973.txt blk02974.txt blk02975.txt blk02976.txt blk02977.txt blk02978.txt blk02979.txt blk02980.txt blk02981.txt blk02982.txt blk02983.txt blk02984.txt blk02985.txt blk02986.txt blk02987.txt blk02988.txt blk02989.txt blk02990.txt blk02991.txt blk02992.txt blk02993.txt blk02994.txt blk02995.txt blk02996.txt blk02997.txt blk02998.txt blk02999.txt blk03000.txt blk03001.txt blk03002.txt blk03003.txt blk03004.txt blk03005.txt blk03006.txt blk03007.txt blk03008.txt blk03009.txt blk03010.txt blk03011.txt blk03012.txt blk03013.txt blk03014.txt blk03015.txt blk03016.txt blk03017.txt blk03018.txt blk03019.txt blk03020.txt blk03021.txt blk03022.txt blk03023.txt blk03024.txt blk03025.txt blk03026.txt blk03027.txt blk03028.txt blk03029.txt blk03030.txt blk03031.txt blk03032.txt blk03033.txt blk03034.txt blk03035.txt blk03036.txt blk03037.txt blk03038.txt blk03039.txt blk03040.txt blk03041.txt blk03042.txt blk03043.txt blk03044.txt blk03045.txt blk03046.txt blk03047.txt blk03048.txt blk03049.txt blk03050.txt blk03051.txt blk03052.txt blk03053.txt blk03054.txt blk03055.txt blk03056.txt blk03057.txt blk03058.txt blk03059.txt 
blk03060.txt blk03061.txt blk03062.txt blk03063.txt blk03064.txt blk03065.txt blk03066.txt blk03067.txt blk03068.txt blk03069.txt blk03070.txt blk03071.txt blk03072.txt blk03073.txt blk03074.txt blk03075.txt blk03076.txt blk03077.txt blk03078.txt blk03079.txt blk03080.txt blk03081.txt blk03082.txt blk03083.txt blk03084.txt blk03085.txt blk03086.txt blk03087.txt blk03088.txt blk03089.txt blk03090.txt blk03091.txt blk03092.txt blk03093.txt blk03094.txt blk03095.txt blk03096.txt blk03097.txt blk03098.txt blk03099.txt blk03100.txt blk03101.txt blk03102.txt blk03103.txt blk03104.txt blk03105.txt blk03106.txt blk03107.txt blk03108.txt blk03109.txt blk03110.txt blk03111.txt blk03112.txt blk03113.txt blk03114.txt blk03115.txt blk03116.txt blk03117.txt blk03118.txt blk03119.txt blk03120.txt blk03121.txt blk03122.txt blk03123.txt blk03124.txt blk03125.txt blk03126.txt blk03127.txt blk03128.txt blk03129.txt blk03130.txt blk03131.txt blk03132.txt blk03133.txt blk03134.txt blk03135.txt blk03136.txt blk03137.txt blk03138.txt blk03139.txt blk03140.txt blk03141.txt blk03142.txt blk03143.txt blk03144.txt blk03145.txt blk03146.txt blk03147.txt blk03148.txt blk03149.txt blk03150.txt blk03151.txt blk03152.txt blk03153.txt blk03154.txt blk03155.txt blk03156.txt blk03157.txt blk03158.txt blk03159.txt blk03160.txt blk03161.txt blk03162.txt blk03163.txt blk03164.txt blk03165.txt blk03166.txt blk03167.txt blk03168.txt blk03169.txt blk03170.txt blk03171.txt blk03172.txt blk03173.txt blk03174.txt blk03175.txt blk03176.txt blk03177.txt blk03178.txt blk03179.txt blk03180.txt blk03181.txt blk03182.txt blk03183.txt blk03184.txt blk03185.txt blk03186.txt blk03187.txt blk03188.txt blk03189.txt blk03190.txt blk03191.txt blk03192.txt blk03193.txt blk03194.txt blk03195.txt blk03196.txt blk03197.txt blk03198.txt blk03199.txt blk03200.txt blk03201.txt blk03202.txt blk03203.txt blk03204.txt blk03205.txt blk03206.txt blk03207.txt blk03208.txt blk03209.txt blk03210.txt blk03211.txt blk03212.txt 
blk03213.txt blk03214.txt blk03215.txt blk03216.txt blk03217.txt blk03218.txt blk03219.txt blk03220.txt blk03221.txt blk03222.txt blk03223.txt blk03224.txt blk03225.txt blk03226.txt blk03227.txt blk03228.txt blk03229.txt blk03230.txt blk03231.txt blk03232.txt blk03233.txt blk03234.txt blk03235.txt blk03236.txt blk03237.txt blk03238.txt blk03239.txt blk03240.txt blk03241.txt blk03242.txt blk03243.txt blk03244.txt blk03245.txt blk03246.txt blk03247.txt blk03248.txt blk03249.txt blk03250.txt blk03251.txt blk03252.txt blk03253.txt blk03254.txt blk03255.txt blk03256.txt blk03257.txt blk03258.txt blk03259.txt blk03260.txt blk03261.txt blk03262.txt blk03263.txt blk03264.txt blk03265.txt blk03266.txt blk03267.txt blk03268.txt blk03269.txt blk03270.txt blk03271.txt blk03272.txt blk03273.txt blk03274.txt blk03275.txt blk03276.txt blk03277.txt blk03278.txt blk03279.txt blk03280.txt blk03281.txt blk03282.txt blk03283.txt blk03284.txt blk03285.txt blk03286.txt blk03287.txt blk03288.txt blk03289.txt blk03290.txt blk03291.txt blk03292.txt blk03293.txt blk03294.txt blk03295.txt blk03296.txt blk03297.txt blk03298.txt blk03299.txt blk03300.txt blk03301.txt blk03302.txt blk03303.txt blk03304.txt blk03305.txt blk03306.txt blk03307.txt blk03308.txt blk03309.txt blk03310.txt blk03311.txt blk03312.txt blk03313.txt blk03314.txt blk03315.txt blk03316.txt blk03317.txt blk03318.txt blk03319.txt blk03320.txt blk03321.txt blk03322.txt blk03323.txt blk03324.txt blk03325.txt blk03326.txt blk03327.txt blk03328.txt blk03329.txt blk03330.txt blk03331.txt blk03332.txt blk03333.txt blk03334.txt blk03335.txt blk03336.txt blk03337.txt blk03338.txt blk03339.txt blk03340.txt blk03341.txt blk03342.txt blk03343.txt blk03344.txt blk03345.txt blk03346.txt blk03347.txt blk03348.txt blk03349.txt blk03350.txt blk03351.txt blk03352.txt blk03353.txt blk03354.txt blk03355.txt blk03356.txt blk03357.txt blk03358.txt blk03359.txt blk03360.txt blk03361.txt blk03362.txt blk03363.txt blk03364.txt blk03365.txt 
blk03366.txt blk03367.txt blk03368.txt blk03369.txt blk03370.txt blk03371.txt blk03372.txt blk03373.txt blk03374.txt blk03375.txt blk03376.txt blk03377.txt blk03378.txt blk03379.txt blk03380.txt blk03381.txt blk03382.txt blk03383.txt blk03384.txt blk03385.txt blk03386.txt blk03387.txt blk03388.txt blk03389.txt blk03390.txt blk03391.txt blk03392.txt blk03393.txt blk03394.txt blk03395.txt blk03396.txt blk03397.txt blk03398.txt blk03399.txt blk03400.txt blk03401.txt blk03402.txt blk03403.txt blk03404.txt blk03405.txt blk03406.txt blk03407.txt blk03408.txt blk03409.txt blk03410.txt blk03411.txt blk03412.txt blk03413.txt blk03414.txt blk03415.txt blk03416.txt blk03417.txt blk03418.txt blk03419.txt blk03420.txt blk03421.txt blk03422.txt blk03423.txt blk03424.txt blk03425.txt blk03426.txt blk03427.txt blk03428.txt blk03429.txt blk03430.txt blk03431.txt blk03432.txt blk03433.txt blk03434.txt blk03435.txt blk03436.txt blk03437.txt blk03438.txt blk03439.txt blk03440.txt blk03441.txt blk03442.txt blk03443.txt blk03444.txt blk03445.txt blk03446.txt blk03447.txt blk03448.txt blk03449.txt blk03450.txt blk03451.txt blk03452.txt blk03453.txt blk03454.txt blk03455.txt blk03456.txt blk03457.txt blk03458.txt blk03459.txt blk03460.txt blk03461.txt blk03462.txt blk03463.txt blk03464.txt blk03465.txt blk03466.txt blk03467.txt blk03468.txt blk03469.txt blk03470.txt blk03471.txt blk03472.txt blk03473.txt blk03474.txt blk03475.txt blk03476.txt blk03477.txt blk03478.txt blk03479.txt blk03480.txt blk03481.txt blk03482.txt blk03483.txt blk03484.txt blk03485.txt blk03486.txt blk03487.txt blk03488.txt blk03489.txt blk03490.txt blk03491.txt blk03492.txt blk03493.txt blk03494.txt blk03495.txt blk03496.txt blk03497.txt blk03498.txt blk03499.txt blk03500.txt blk03501.txt blk03502.txt blk03503.txt blk03504.txt blk03505.txt blk03506.txt blk03507.txt blk03508.txt blk03509.txt blk03510.txt blk03511.txt blk03512.txt blk03513.txt blk03514.txt blk03515.txt blk03516.txt blk03517.txt blk03518.txt 
blk03519.txt blk03520.txt blk03521.txt blk03522.txt blk03523.txt blk03524.txt blk03525.txt blk03526.txt blk03527.txt blk03528.txt blk03529.txt blk03530.txt blk03531.txt blk03532.txt blk03533.txt blk03534.txt blk03535.txt blk03536.txt blk03537.txt blk03538.txt blk03539.txt blk03540.txt blk03541.txt blk03542.txt blk03543.txt blk03544.txt blk03545.txt blk03546.txt blk03547.txt blk03548.txt blk03549.txt blk03550.txt blk03551.txt blk03552.txt blk03553.txt blk03554.txt blk03555.txt blk03556.txt blk03557.txt blk03558.txt blk03559.txt blk03560.txt blk03561.txt blk03562.txt blk03563.txt blk03564.txt blk03565.txt blk03566.txt blk03567.txt blk03568.txt blk03569.txt blk03570.txt blk03571.txt blk03572.txt blk03573.txt blk03574.txt blk03575.txt blk03576.txt blk03577.txt blk03578.txt blk03579.txt blk03580.txt blk03581.txt blk03582.txt blk03583.txt blk03584.txt blk03585.txt blk03586.txt blk03587.txt blk03588.txt blk03589.txt blk03590.txt blk03591.txt blk03592.txt blk03593.txt blk03594.txt blk03595.txt blk03596.txt blk03597.txt blk03598.txt blk03599.txt blk03600.txt blk03601.txt blk03602.txt blk03603.txt blk03604.txt blk03605.txt blk03606.txt blk03607.txt blk03608.txt blk03609.txt blk03610.txt blk03611.txt blk03612.txt blk03613.txt blk03614.txt blk03615.txt blk03616.txt blk03617.txt blk03618.txt blk03619.txt blk03620.txt blk03621.txt blk03622.txt blk03623.txt blk03624.txt blk03625.txt blk03626.txt blk03627.txt blk03628.txt blk03629.txt blk03630.txt blk03631.txt blk03632.txt blk03633.txt blk03634.txt blk03635.txt blk03636.txt blk03637.txt blk03638.txt blk03639.txt blk03640.txt blk03641.txt blk03642.txt blk03643.txt blk03644.txt blk03645.txt blk03646.txt blk03647.txt blk03648.txt blk03649.txt blk03650.txt blk03651.txt blk03652.txt blk03653.txt blk03654.txt blk03655.txt blk03656.txt blk03657.txt blk03658.txt blk03659.txt blk03660.txt blk03661.txt blk03662.txt blk03663.txt blk03664.txt blk03665.txt blk03666.txt blk03667.txt blk03668.txt blk03669.txt blk03670.txt blk03671.txt 
blk03672.txt blk03673.txt blk03674.txt blk03675.txt blk03676.txt blk03677.txt blk03678.txt blk03679.txt blk03680.txt blk03681.txt blk03682.txt blk03683.txt blk03684.txt blk03685.txt blk03686.txt blk03687.txt blk03688.txt blk03689.txt blk03690.txt blk03691.txt blk03692.txt blk03693.txt blk03694.txt blk03695.txt blk03696.txt blk03697.txt blk03698.txt blk03699.txt blk03700.txt blk03701.txt blk03702.txt blk03703.txt blk03704.txt blk03705.txt blk03706.txt blk03707.txt blk03708.txt blk03709.txt blk03710.txt blk03711.txt blk03712.txt blk03713.txt blk03714.txt blk03715.txt blk03716.txt blk03717.txt blk03718.txt blk03719.txt blk03720.txt blk03721.txt blk03722.txt blk03723.txt blk03724.txt blk03725.txt blk03726.txt blk03727.txt blk03728.txt blk03729.txt blk03730.txt blk03731.txt blk03732.txt blk03733.txt blk03734.txt blk03735.txt blk03736.txt blk03737.txt blk03738.txt blk03739.txt blk03740.txt blk03741.txt blk03742.txt blk03743.txt blk03744.txt blk03745.txt blk03746.txt blk03747.txt blk03748.txt blk03749.txt blk03750.txt blk03751.txt blk03752.txt blk03753.txt blk03754.txt blk03755.txt blk03756.txt blk03757.txt blk03758.txt blk03759.txt blk03760.txt blk03761.txt blk03762.txt blk03763.txt blk03764.txt blk03765.txt blk03766.txt blk03767.txt blk03768.txt blk03769.txt blk03770.txt blk03771.txt blk03772.txt blk03773.txt blk03774.txt blk03775.txt blk03776.txt blk03777.txt blk03778.txt blk03779.txt blk03780.txt blk03781.txt blk03782.txt blk03783.txt blk03784.txt blk03785.txt blk03786.txt blk03787.txt blk03788.txt blk03789.txt blk03790.txt blk03791.txt blk03792.txt blk03793.txt blk03794.txt blk03795.txt blk03796.txt blk03797.txt blk03798.txt blk03799.txt blk03800.txt blk03801.txt blk03802.txt blk03803.txt blk03804.txt blk03805.txt blk03806.txt blk03807.txt blk03808.txt blk03809.txt blk03810.txt blk03811.txt blk03812.txt blk03813.txt blk03814.txt blk03815.txt blk03816.txt blk03817.txt blk03818.txt blk03819.txt blk03820.txt blk03821.txt blk03822.txt blk03823.txt blk03824.txt 
blk03825.txt blk03826.txt blk03827.txt blk03828.txt blk03829.txt blk03830.txt blk03831.txt blk03832.txt blk03833.txt blk03834.txt blk03835.txt blk03836.txt blk03837.txt blk03838.txt blk03839.txt blk03840.txt blk03841.txt blk03842.txt blk03843.txt blk03844.txt blk03845.txt blk03846.txt blk03847.txt blk03848.txt blk03849.txt blk03850.txt blk03851.txt blk03852.txt blk03853.txt blk03854.txt blk03855.txt blk03856.txt blk03857.txt blk03858.txt blk03859.txt blk03860.txt blk03861.txt blk03862.txt blk03863.txt blk03864.txt blk03865.txt blk03866.txt blk03867.txt blk03868.txt blk03869.txt blk03870.txt blk03871.txt blk03872.txt blk03873.txt blk03874.txt blk03875.txt blk03876.txt blk03877.txt blk03878.txt blk03879.txt blk03880.txt blk03881.txt blk03882.txt blk03883.txt blk03884.txt blk03885.txt blk03886.txt blk03887.txt blk03888.txt blk03889.txt blk03890.txt blk03891.txt blk03892.txt blk03893.txt blk03894.txt blk03895.txt blk03896.txt blk03897.txt blk03898.txt blk03899.txt blk03900.txt blk03901.txt blk03902.txt blk03903.txt blk03904.txt blk03905.txt blk03906.txt blk03907.txt blk03908.txt blk03909.txt blk03910.txt blk03911.txt blk03912.txt blk03913.txt blk03914.txt blk03915.txt blk03916.txt blk03917.txt blk03918.txt blk03919.txt blk03920.txt blk03921.txt blk03922.txt blk03923.txt blk03924.txt blk03925.txt blk03926.txt blk03927.txt blk03928.txt blk03929.txt blk03930.txt blk03931.txt blk03932.txt blk03933.txt blk03934.txt blk03935.txt blk03936.txt blk03937.txt blk03938.txt blk03939.txt blk03940.txt blk03941.txt blk03942.txt blk03943.txt blk03944.txt blk03945.txt blk03946.txt blk03947.txt blk03948.txt blk03949.txt blk03950.txt blk03951.txt blk03952.txt blk03953.txt blk03954.txt blk03955.txt blk03956.txt blk03957.txt blk03958.txt blk03959.txt blk03960.txt blk03961.txt blk03962.txt blk03963.txt blk03964.txt blk03965.txt blk03966.txt blk03967.txt blk03968.txt blk03969.txt blk03970.txt blk03971.txt blk03972.txt blk03973.txt blk03974.txt blk03975.txt blk03976.txt blk03977.txt 
blk03978.txt blk03979.txt blk03980.txt blk03981.txt blk03982.txt blk03983.txt blk03984.txt blk03985.txt blk03986.txt blk03987.txt blk03988.txt blk03989.txt blk03990.txt blk03991.txt blk03992.txt blk03993.txt blk03994.txt blk03995.txt blk03996.txt blk03997.txt blk03998.txt blk03999.txt blk04000.txt blk04001.txt blk04002.txt blk04003.txt blk04004.txt blk04005.txt blk04006.txt blk04007.txt blk04008.txt blk04009.txt blk04010.txt blk04011.txt blk04012.txt blk04013.txt blk04014.txt blk04015.txt blk04016.txt blk04017.txt blk04018.txt blk04019.txt blk04020.txt blk04021.txt blk04022.txt blk04023.txt blk04024.txt blk04025.txt blk04026.txt blk04027.txt blk04028.txt blk04029.txt blk04030.txt blk04031.txt blk04032.txt blk04033.txt blk04034.txt blk04035.txt blk04036.txt blk04037.txt blk04038.txt blk04039.txt blk04040.txt blk04041.txt blk04042.txt blk04043.txt blk04044.txt blk04045.txt blk04046.txt blk04047.txt blk04048.txt blk04049.txt blk04050.txt blk04051.txt blk04052.txt blk04053.txt blk04054.txt blk04055.txt blk04056.txt blk04057.txt blk04058.txt blk04059.txt blk04060.txt blk04061.txt blk04062.txt blk04063.txt blk04064.txt blk04065.txt blk04066.txt blk04067.txt blk04068.txt blk04069.txt blk04070.txt blk04071.txt blk04072.txt blk04073.txt blk04074.txt blk04075.txt blk04076.txt blk04077.txt blk04078.txt blk04079.txt blk04080.txt blk04081.txt blk04082.txt blk04083.txt blk04084.txt blk04085.txt blk04086.txt blk04087.txt blk04088.txt blk04089.txt blk04090.txt blk04091.txt blk04092.txt blk04093.txt blk04094.txt blk04095.txt blk04096.txt blk04097.txt blk04098.txt blk04099.txt blk04100.txt blk04101.txt blk04102.txt blk04103.txt blk04104.txt blk04105.txt blk04106.txt blk04107.txt blk04108.txt blk04109.txt blk04110.txt blk04111.txt blk04112.txt blk04113.txt blk04114.txt blk04115.txt blk04116.txt blk04117.txt blk04118.txt blk04119.txt blk04120.txt blk04121.txt blk04122.txt blk04123.txt blk04124.txt blk04125.txt blk04126.txt blk04127.txt blk04128.txt blk04129.txt blk04130.txt 
blk04131.txt blk04132.txt blk04133.txt blk04134.txt blk04135.txt blk04136.txt blk04137.txt blk04138.txt blk04139.txt blk04140.txt blk04141.txt blk04142.txt blk04143.txt blk04144.txt blk04145.txt blk04146.txt blk04147.txt blk04148.txt blk04149.txt blk04150.txt blk04151.txt blk04152.txt blk04153.txt blk04154.txt blk04155.txt blk04156.txt blk04157.txt blk04158.txt blk04159.txt blk04160.txt blk04161.txt blk04162.txt blk04163.txt blk04164.txt blk04165.txt blk04166.txt blk04167.txt blk04168.txt blk04169.txt blk04170.txt blk04171.txt blk04172.txt blk04173.txt blk04174.txt blk04175.txt blk04176.txt blk04177.txt